Build OpenSSL so Ruby 2.0 installs Just Work on Mountain Lion #273
Ready to roll!
|
/cc @sstephenson @sferik 😁 |
👍 from me. I pulled down your branch and successfully installed Ruby 2.0.0-rc1 on my Mac running OS X 10.8 (Mountain Lion) and OpenSSL 0.9.8r.
One question: should there be that extra new line after "Installed openssl…"? |
The newline is due to nesting a package install. The nested openssl install emits a trailing newline: https://github.com/sstephenson/ruby-build/blob/master/bin/ruby-build#L116 |
As a quick sanity check, if
Verifying that we're using a bundled openssl config dir as well:
2.0.0-dev ~ ruby -ropenssl -e 'puts OpenSSL::Config::DEFAULT_CONFIG_FILE'
/usr/local/etc/openssl/openssl.cnf
2.0.0-dev ~ rbenv shell 2.0.0-rc1
2.0.0-rc1 ~ ruby -ropenssl -e 'puts OpenSSL::Config::DEFAULT_CONFIG_FILE'
/Users/jeremy/.rbenv/versions/2.0.0-rc1/openssl/ssl/openssl.cnf |
This looks good Jeremy. The only thing that gives me pause is pulling root certs from curl.haxx.se. On one hand, we're freed from the responsibility of bundling a fresh set of certificates ourselves. On the other hand, we're blindly installing root certificates that change relatively frequently (http://curl.haxx.se/ca/cacert.pem says Dec 29 2012) without verifying their checksum. What do you think about reading the system's certificates from Keychain instead? |
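The checksum concern in the comment above, as an added example that is not part of the original thread or of ruby-build: install a downloaded CA bundle only when it matches a pinned SHA-256, and keep the previous bundle otherwise. The function names, the `openssl/ssl/cert.pem` destination and the pinned value are assumptions, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example (not ruby-build code): install a CA bundle only if it matches a pin.

# Print the hex SHA-256 of a file, reading via stdin so the name never reaches the tool.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | cut -d ' ' -f 1
  else
    openssl dgst -sha256 < "$1" | sed 's/^.*= *//'
  fi
}

# install_verified_bundle SRC PINNED_SHA256 DEST
# Returns 0 once DEST is in place, 1 on a checksum mismatch, 2 on an I/O error.
install_verified_bundle() {
  src=$1 pinned=$2 dest=$3
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
  mkdir -p "$(dirname "$dest")" || return 2
  staged="$dest.staged.$$"
  # Hash the staged copy so the bytes that were checked are the bytes installed.
  cp "$src" "$staged" || return 2
  actual=$(sha256_of "$staged")
  if [ "$actual" != "$pinned" ]; then
    rm -f "$staged"
    echo "refusing $src: sha256 $actual, pinned $pinned" >&2
    return 1
  fi
  # Rename within the same directory so readers never see a partial file.
  chmod 644 "$staged" && mv "$staged" "$dest"
}

# Constructed sample: the three bytes "abc" stand in for a downloaded cacert.pem;
# the pin below is the published SHA-256 test vector for "abc".
demo() {
  tmp=$(mktemp -d) || return 2
  pin=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  printf 'abc' > "$tmp/cacert.pem"
  install_verified_bundle "$tmp/cacert.pem" "$pin" "$tmp/openssl/ssl/cert.pem" &&
    echo "matching bundle installed"
  printf 'abc+extra' > "$tmp/cacert.pem"   # simulate a changed download
  install_verified_bundle "$tmp/cacert.pem" "$pin" "$tmp/openssl/ssl/cert.pem" ||
    echo "changed bundle rejected (status $?)"
  rm -rf "$tmp"
}
demo
```

A pin has to be updated whenever the upstream bundle is regenerated, which is the maintenance cost the comment weighs against reading the system's certificates.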
Looks like we can get a pem-formatted dump of the system root certificates with this command:
We can see the CA labels by running the same command without
|
Also, I think it's fine for us to scope this to OS X only—every other system comes with a package manager capable of installing OpenSSL and a trusted set of root certificates. Let's not take on more than we have to. |
# Check for Mountain Lion's broken OpenSSL build. | ||
if [[ $(type sw_vers) ]] && | ||
[[ "$(sw_vers -productVersion)" = 10.8.* ]] && | ||
[[ "$(openssl version)" = "OpenSSL 0.9.8r 8 Feb 2011" ]] |
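Review bot: the third condition inspects whichever `openssl` binary comes first on `$PATH`, which is not necessarily the library Ruby's extension will link against, so the check can pass or fail for the wrong installation; consider calling the system binary by its full path or documenting that assumption. Separately, `[[ $(type sw_vers) ]]` on the first condition tests captured output rather than exit status and lets the "not found" message from `type` reach stderr on systems without `sw_vers`; `type sw_vers >/dev/null 2>&1` tests the same thing quietly.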
Lion's OpenSSL displays the exact same version string:
$ sw_vers -productVersion
10.7.3
$ openssl version
OpenSSL 0.9.8r 8 Feb 2011
This is probably an issue on all versions of OS X, yeah?
Probably. I'm not sure how far back it goes. I think it'd be fine to always bundle OpenSSL on Mac if the builtin's what's available. Might be nice to check for brew --prefix openssl too—quicker install for many folks who already have OpenSSL, but don't have it in their $PATH.
We're not doing any work to support non-osx platforms. They're supported as a side effect. What would we remove in order to narrow the scope? Missing |
Agreed re. dumping system certs. Forgot we'd investigated that! |
It'd let us remove the external certificate dependency—we only know how to pull system certs on OS X. I think it'd be enough to check for presence of
if type sw_vers >/dev/null && [ "$(openssl version)" = "OpenSSL 0.9.8r 8 Feb 2011" ]; then |
Ah, yes indeed. Dig it. |
Man, the slowest part of install feels like capi & rdoc/ri generation. Gotta shut that off. #156. |
@sstephenson Limited to OS X and added a check for Homebrew. |
Killed the Homebrew support. Scope creep with dubious aesthetics. |
Apple ships a patched, incompatible OpenSSL. We build a compatible OpenSSL from source.
Awesome, thanks @jeremy. |
OPENSSLDIR="${OPENSSLDIR:-$OPENSSL_PREFIX_PATH/ssl}" | ||
|
||
# Tell Ruby to use this openssl for its extension. | ||
RUBY_CONFIGURE_OPTS="--with-openssl-dir=$OPENSSL_PREFIX_PATH $RUBY_CONFIGURE_OPTS" |
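Review bot: `OPENSSLDIR="${OPENSSLDIR:-$OPENSSL_PREFIX_PATH/ssl}"` on the first line accepts any `OPENSSLDIR` already present in the caller's environment, so the bundled OpenSSL can end up reading its config and certificates from a directory outside `$OPENSSL_PREFIX_PATH` without the user noticing. If the override is intended, say so in a comment next to the assignment; otherwise set the variable unconditionally.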
Can't nest quoting here, so we're leaving OPENSSL_PREFIX_PATH unquoted. No good. @sstephenson suggested switching to a config opts array + little api to add opts.
Ditto for $OPENSSLDIR below.
It would be nice if we could get this merged before we ship a release that includes 2.0.0-rc2 (this may be the last RC), so people can test it out before 2.0.0 final ships on February 24. |
Working on it today. Latest is in https://github.com/sstephenson/ruby-build/compare/static-openssl-for-ruby-2.0-on-mountain-lion |
🤘 Awesome work! |
…es some people are having, pending understanding why static linking isn't working.
Just ran into this issue this afternoon while running @jeremy Just asking because I noticed your "Kill Homebrew support" comment... |
@mjijackson I had some support for automatically using the Homebrew openssl package, if available, but felt it was premature. It's unrelated to whether you installed rbenv using Homebrew or not. |
@jeremy here is a similar encounter for me on mountain lion with 2.0.0-p195 where it blames an openssl issue. is there a work-around? |
@jbayer I am on 10.8.4 using Homebrew. I was getting the same error as you posted in your gist when trying to install 2.0.0-p195. I was successful in installing 2.0.0-p195 after forcing the link for openssl: "brew link openssl --force" |
@wpdavenport confirmed that the "brew link openssl --force" option worked for me with 2.0.0-p195 on OSX 10.8.4. thanks for the help! |
@wpdavenport I can also confirm that |
Instead of force linking OpenSSL (which could lead to issues elsewhere), you might just want to use the
|
I followed the original work-around instructions and all of the tips that people posted and these too but I'm still getting the same issue. :/ |
@BethAnderson did you brew install openssl and try the very helpful env var trick mentioned by @alloy? If you --force linked you can always unlink again. |
I did those both, yes. Just tried: export CC=clang ...and it built, then I changed the symlink in /usr/bin/ruby. |
@BethAnderson for me it just worked with those two steps (install openssl, configure flag pointing to brewed openssl) I didn't change the default compiler or anything. I'm on OSX 10.8.4 with rbenv / rbenv installer. Sorry. :( |
@musha68k Not sure why it didn't work and why it did work when I tried that. Just need to get bundler to pick up the correct Ruby version now though. |
@BethAnderson using rbenv just put 2.0.0-p195 in project/.ruby-version and bundler should take over from there. |
@musha68k Awesome, thanks! :) 👍 |
This is also a problem on Lion. I have just installed rbenv and ruby-build, and when I install Ruby 2.0.0-p247 with rbenv, I am seeing the problems with Apple's OpenSSL ("Ignore OpenSSL broken by Apple"), and ruby-build is not using its own OpenSSL. Why is this fix for Mountain Lion only? |
This worked: Would be nice if ruby-build and rbenv would do the right thing in Lion without the env var. |
Ruby 2.0 won't compile the OpenSSL extension on Mountain Lion because Apple shipped a crippled OpenSSL distribution. The fix is to build your own OpenSSL and link to that instead:
That's a lot of hassle for what will soon be a very common case. We can fix it by bundling a working OpenSSL.
TODO:
--openssldir to $PREFIX/openssl/ssl
c_rehash certs so openssl sees the new cacert.pem