pgloader: Use OpenSSL 1.0.2 (incompatible with OpenSSL 1.1) #89533

Closed

OmnipotentEntity
Contributor

See dimitri/pgloader#1081 and dimitri/pgloader#794

Motivation for this change

This commit fixes an issue with logging into a local postgresql installation via user based authentication. The following error occurs when using OpenSSL 1.1:

KABOOM!
FATAL error: Failed to connect to pgsql at "myserver.address" (port 5432) as user "user": The alien function "CRYPTO_num_locks" is undefined.
An unhandled error condition has been signalled:
   Failed to connect to pgsql at "myserver.address" (port 5432) as user "user": The alien function "CRYPTO_num_locks" is undefined.

Using OpenSSL 1.0.2 works fine as a workaround. I do not know of any tracking issue where they are seeking to fix this behavior upstream.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/193

@puzzlewolf
Contributor

Hey. OpenSSL 1.0.2 is marked as vulnerable:

Known issues:
 - Support for OpenSSL 1.0.2 ended with 2019.

Honestly, I believe this issue should be raised with upstream. I don't think depending on an unsupported OpenSSL is a good idea 😟

@OmnipotentEntity
Contributor Author

That's a fair point. I'm having some difficulty getting the newest version compiled and working because it's attempting to use the network to download quicklisp and packages, and I've never had to build a package using quicklisp, and if I'm going to file a bug, I'd like to ensure that it's still a problem in HEAD.

Any ideas?

@puzzlewolf
Contributor

puzzlewolf commented Jun 18, 2020

Sorry, I haven't even heard of quicklisp before :D

You could create a PR, mark it as work-in-progress, and try and find someone who can help you :)
Edit: On GitHub, it's called a draft pull request, you can find it in the dropdown menu of the create PR button.

Did you already come across pkgs/development/lisp-modules/quicklisp-to-nix-output/pgloader.nix? It looks like a decent starting point.

@pacien
Contributor

pacien commented Aug 5, 2020

This package should perhaps be marked as broken until the compatibility issue with OpenSSL 1.1 is fixed upstream.

In the meantime, users can still use the program by running something like:

NIXPKGS_ALLOW_BROKEN=1 \
NIXPKGS_ALLOW_INSECURE=1 \
nix-shell -p 'pgloader.override { openssl = openssl_1_0_2; }'

@OmnipotentEntity
Contributor Author

Closing because I cannot reproduce on the currently packaged version 3.6.2
