
certified gem no longer works

Open martinthomson opened this issue 3 years ago • 4 comments

This is not directly a problem, but I was running certified-update (as the gem recommends when you install it), which now breaks with Ruby 3.0.

Is this dependency necessary in later versions of ruby? Or is the oldest ruby version what dictates what happens?

martinthomson avatar Nov 25 '21 04:11 martinthomson

I just did a little research and it seems like you don't need certified in ruby 2.6 or later. It's a little murky as things get older - the documentation says that you get HTTPS in 2.0.0, but it's not clear if that does certificate validation by default. What is the minimum version that needs to be supported?

martinthomson avatar Nov 25 '21 04:11 martinthomson

Right, certified is abandonware; it would be trivial to fork it and make a Ruby 3.0 compatible version.

Whether you need certified or not depends on how Ruby was installed on your system. The openssl version compiled with Ruby needs a set of root certificates; Ruby does not try to maintain its own set (neither does openssl), so there are some platform-specific ways to get one, which historically did not always work. So I'm not sure that Ruby 2.6 and above work properly on all platforms. Can you point me to resources that elucidate that?

(We do not really need that many roots, mainly for tools/datatracker within ietf.org, and rfc-editor.org, which currently all point to Starfield. Of course, if you set XML_RESOURCE_ORG_HOST or similar, you need the root for wherever that points.)

Upstream kramdown requires Ruby 2.3 or higher. The oldest OS that I think needs to be supported on the Mac is High Sierra (2017), which comes with 2.3 (as does Mojave (2018); I'd recommend installing a recent Ruby but I think it should work with stock Ruby). Sierra (2016) comes with 2.0, which is no longer supported by upstream. (I haven't examined the various Linuxes; these often come with very weird Ruby packages, but most people who run Linux will know how to get recent software.) In kramdown-rfc itself, there is some backwards compatibility code for down to 2.3, although I must admit I haven't been rigorously testing that.

cabo avatar Nov 25 '21 06:11 cabo
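
The comment above says that whether a given Ruby has usable roots depends on the OpenSSL it was built against; that can be checked locally. The following is an added example, not part of the thread or of kramdown-rfc: the helper names (`default_trust_paths`, `certs_in_bundle`, `hashed_entries`, `trust_store_report`) are hypothetical, and it keeps to calls available in Ruby 2.3.

```ruby
require "openssl"

# Environment overrides win; otherwise use the paths compiled into OpenSSL.
def default_trust_paths(env = ENV)
  { file: env["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:  env["SSL_CERT_DIR"]  || OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Parse every PEM block in a bundle, skipping blocks that are not certificates.
def certs_in_bundle(path)
  return [] unless path && File.file?(path) && File.readable?(path)
  blocks = File.binread(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  blocks.map do |pem|
    begin
      OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::OpenSSLError
      nil
    end
  end.compact
end

# A hashed directory (c_rehash layout) holds entries named <8 hex digits>.<n>.
def hashed_entries(dirs)
  dirs.to_s.split(File::PATH_SEPARATOR).flat_map do |d|
    Dir.exist?(d) ? Dir.entries(d).grep(/\A\h{8}\.\d+\z/) : []
  end
end

# Summarise what this Ruby would trust by default, without touching the network.
def trust_store_report(env = ENV, now = Time.now)
  paths  = default_trust_paths(env)
  certs  = certs_in_bundle(paths[:file])
  valid  = certs.select { |c| c.not_before <= now && now <= c.not_after }
  hashed = hashed_entries(paths[:dir])
  { paths: paths, bundle_certs: certs.size, bundle_valid: valid.size,
    hashed_entries: hashed.size, usable: !valid.empty? || !hashed.empty? }
end

if __FILE__ == $PROGRAM_NAME
  r = trust_store_report
  puts "cert file: #{r[:paths][:file]} (#{r[:bundle_valid]}/#{r[:bundle_certs]} certificates in date)"
  puts "cert dir:  #{r[:paths][:dir]} (#{r[:hashed_entries]} hashed entries)"
  puts r[:usable] ? "default trust store looks populated" :
                    "no roots found: verification against the default store is likely to fail"
end
```

A report with `usable: false` means this Ruby depends on something else to supply roots, which is the gap the certified gem was filling.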

I'm only using empirical evidence here: I tried it. It's quite possible that distros are doing good things with their openssl or ruby installations that lead to good outcomes. So if other places don't work, that's awful, but you gotta do what you gotta do.

I don't think that the set of roots is hard. What certified does is probably fine. Daniel is, after all, very trustworthy. (I can see what it takes to get the roots from the NSS repo more directly, if you aren't comfortable with pulling from that repo.)

martinthomson avatar Nov 25 '21 06:11 martinthomson

https://en.wikibooks.org/wiki/Ruby_Programming/RubyGems#How_to_install_different_versions_of_gems_depending_on_which_version_of_ruby_the_installee_is_using is an interesting avenue to explore. Perhaps a little heavyweight though.

martinthomson avatar Aug 04 '22 05:08 martinthomson