Forum: JRuby feature request: package jruby-openssl gem

Roger Pack (rogerdpack)
on 2010-08-05 23:04
Currently seeing the message "warning, you do not have the jruby-openssl
gem installed" every time you use jruby to do a gem installation leaves
a feeling of...hackishness.

Suggestion: since ruby-debug, rake, et al. are all pre-bundled, perhaps
it would be possible to bundle the jruby-openssl gem as well, but only
load it "on demand" (like when SSL is actually used?)

That would be kind.
-r
Hassan Schroeder (Guest)
on 2010-08-05 23:30
(Received via mailing list)
On Thu, Aug 5, 2010 at 2:04 PM, Roger Pack <lists@ruby-forum.com> wrote:
> Currently seeing the message "warning, you do not have the jruby-openssl
> gem installed" every time you use jruby to do a gem installation leaves
> a feeling of...hackishness.

+1 -- low-priority but I've also been meaning to look into this; it
seems rather bizarre getting messages like:

$ jruby -S gem list --local jruby-openssl

*** LOCAL GEMS ***

jruby-openssl (0.6)
$ jruby script/console
config.gem: Unpacked gem jruby-openssl-0.6 in vendor/gems has no
specification file. Run 'rake gems:refresh_specs' to fix this.
Loading development environment (Rails 2.3.4)
...
JRuby limited openssl loaded. http://jruby.org/openssl
gem install jruby-openssl for full support.

Eh? I mean, seriously, wtf??

--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
twitter: @hassan

Wayne Meissner (Guest)
on 2010-08-05 23:36
(Received via mailing list)
I'm pretty sure the reason jruby-openssl is not bundled is a legal one
- the US has fairly retarded laws regarding exporting crypto software
outside the country ... even when said software originated outside the
country.

On 6 August 2010 07:29, Hassan Schroeder <hassan.schroeder@gmail.com>
wrote:
> *** LOCAL GEMS ***
> Eh? I mean, seriously, wtf??

Richard Conroy (Guest)
on 2010-08-06 00:09
(Received via mailing list)
On Thu, Aug 5, 2010 at 10:36 PM, Wayne Meissner <wmeissner@gmail.com>
wrote:

> I'm pretty sure the reason jruby-openssl is not bundled is a legal one
> - the US has fairly retarded laws regarding exporting crypto software
> outside the country ... even when said software originated outside the
> country.
>
Yeah I thought it was something like that. Or a clash with the licensing
terms of the SSL library (bouncy castle) that Java uses and is at the
core of jruby-openssl.
Charles Nutter (headius)
on 2010-08-07 16:11
(Received via mailing list)
Yup, this and the licensing are the two reasons we're not comfortable
bundling BouncyCastle (the crypto libraries we use to implement SSL).
If someone wants to devote lawyer time to clearing up the stupid US
crypto export restrictions for us, we'd love to sort this stuff out :)

One thing we have slowly improved is how much functionality we can
support without BC in play, but we'll probably never be able to do all
of it.

- Charlie

Charles Nutter (headius)
on 2010-08-07 16:13
(Received via mailing list)
On Thu, Aug 5, 2010 at 4:29 PM, Hassan Schroeder
<hassan.schroeder@gmail.com> wrote:
> specification file. Run 'rake gems:refresh_specs' to fix this.
> Loading development environment (Rails 2.3.4)
> ...
> JRuby limited openssl loaded. http://jruby.org/openssl
> gem install jruby-openssl for full support.
>
> Eh? I mean, seriously, wtf??

Yeah, that's pretty ugly. The need to bundle jruby-ossl in every app
is at the very least annoying. I think we'd at least like to fix cases
like this where bundling/unpacking still acts oddly and doesn't find
ossl.

- Charlie

Roger Pack (rogerdpack)
on 2010-08-07 16:38
A thought:
only display the warnings when somebody actually *uses* missing
functionality, not at require time.
Thanks.
Charles Nutter (headius)
on 2010-08-07 17:52
(Received via mailing list)
Yes, perhaps. The thing I worry about here is if a library is
insufficiently tested without jruby-ossl installed, it's possible that
much later on it will fail. That's a testing problem, perhaps, but
being silent in general about a missing library seems like it would
make it more likely people would forget when they don't have it
installed.

We're open to improvements here, though. The logic for this is all in
Ruby:

http://github.com/jruby/jruby/blob/master/lib/ruby...

Starting with the stub.rb file, which gets loaded when you require
'openssl'.

- Charlie

NAKAMURA, Hiroshi (Guest)
on 2010-08-09 11:58
(Received via mailing list)
Hi all,

I'm not a lawyer, either!

On Sat, Aug 7, 2010 at 23:10, Charles Oliver Nutter
<headius@headius.com> wrote:
> Yup, this and the licensing are the two reasons we're not comfortable
> bundling BouncyCastle (the crypto libraries we use to implement SSL).
> If someone wants to devote lawyer time to clearing up the stupid US
> crypto export restrictions for us, we'd love to sort this stuff out :)

Interesting. I've never thought about it that US export control is a
reason. Is it about "Cryptography"? Or something other than that?

JRuby OpenSSL does not implement "Cryptography" by itself (it uses JCE
and BC for that) so we can distribute it as a part of JRuby if it does
not include JCE (not included already, of course) and BC? Is there any
lawyer-minded person?

Anyway, we split BC out into its own gem from the jruby-openssl gem
(version 0.7.1)
http://soap4r.blogspot.com/2010/08/jruby-ossl-071-...
Half of jruby-openssl's features require the BC jars (PKey, ASN1, X509,
PKCS7 and SSL) but the rest do not (Random, HMAC, BN, Digest
and Cipher).  And the rest of the features work without installing the
BC gem.

I think I can reduce "jruby-openssl" warning if jruby can bundle
jruby-openssl (or just include as an ext to reduce rubygems loading
overhead?). Let me know if you need.

Regards,
// NaHi

Roger Pack (rogerdpack)
on 2010-08-09 13:09
Charles Nutter wrote:
> Yup, this and the licensing are the two reasons we're not comfortable
> bundling BouncyCastle (the crypto libraries we use to implement SSL).
> If someone wants to devote lawyer time to clearing up the stupid US
> crypto export restrictions for us, we'd love to sort this stuff out :)

One option may be to have the one-click installers install that gem at
install time, thus avoiding the warning messages later, and hopefully
avoiding restrictions by not "distributing it with openssl" or whatnot.
On this point I am definitely no lawyer, but hey, some OSS does it like
that.
Nick Sieger (Guest)
on 2010-08-09 18:43
(Received via mailing list)
On Mon, Aug 9, 2010 at 4:58 AM, NAKAMURA, Hiroshi <nakahiro@gmail.com>
wrote:
> Interesting. I've never thought about it that US export control is a
> PKCS7 and SSL) but rest features does not (Random, HMAC, BN, Digest
> and Cipher).  And the rest features works without installing BC gem.
>
> I think I can reduce "jruby-openssl" warning if jruby can bundle
> jruby-openssl (or just include as an ext to reduce rubygems loading
> overhead?). Let me know if you need.

My thoughts exactly. Now that we've moved bouncy-castle-jars to an
external dependency, we can bundle the jruby-ossl code in JRuby.

Charles Nutter (headius)
on 2010-08-12 21:22
(Received via mailing list)
On Mon, Aug 9, 2010 at 11:42 AM, Nick Sieger <nicksieger@gmail.com>
wrote:
> On Mon, Aug 9, 2010 at 4:58 AM, NAKAMURA, Hiroshi <nakahiro@gmail.com> wrote:
>> Interesting. I've never thought about it that US export control is a
>> reason. Is it about "Cryptography"? Or something other than that?

It is entirely related to cryptography. Several of the algorithms that
BC implements are considered "strong cryptography" which the current
US export laws seek to keep out of the hands of "terrorists" and the
like. Of course it's nonsense, because all these algorithms are freely
available through a million other channels.

If we had a lawyer on hand, (s)he might be able to tell us whether BC
actually poses an export problem, since it's actually an off-shore
hosted project (Australia, I think) and we're just re-packaging it. To
date, we have not had a legal resource that could clarify things for
us.

>>
>> I think I can reduce "jruby-openssl" warning if jruby can bundle
>> jruby-openssl (or just include as an ext to reduce rubygems loading
>> overhead?). Let me know if you need.
>
> My thoughts exactly. Now that we've moved bouncy-castle-jars to an
> external dependency, we can bundle the jruby-ossl code in JRuby.

This is an excellent idea! If we could ship jruby-ossl directly in
JRuby and only provide the warning (as an error, really) when you hit
crypto stuff that requires BC, it may be the perfect compromise. We
should proceed to do that.

- Charlie
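
The behaviour proposed in the message above (load quietly, fail only when a BC-backed feature is touched), as an added Ruby example that is not part of the thread and not JRuby or jruby-openssl code. `DemoOpenSSL`, `MissingProviderError` and `demo_bc_provider` are hypothetical names; the feature split is the one listed earlier in the thread.

```ruby
# Added illustration; DemoOpenSSL, MissingProviderError and
# 'demo_bc_provider' are hypothetical names, not JRuby's stub code.
module DemoOpenSSL
  # Feature split as listed in the thread.
  BC_REQUIRED = %i[PKey ASN1 X509 PKCS7 SSL].freeze
  BUILT_IN    = %i[Random HMAC BN Digest Cipher].freeze
  PROVIDER    = 'demo_bc_provider' # assumed file shipped by the provider gem

  # Raised on first use of a provider-backed feature, never at require time.
  class MissingProviderError < LoadError; end

  # Built-in features are defined eagerly (empty placeholders here).
  BUILT_IN.each { |name| const_set(name, Module.new) }

  # Try the provider once and cache the outcome.
  def self.provider_available?
    return @provider_available unless @provider_available.nil?
    @provider_available = begin
      require PROVIDER
      true
    rescue LoadError
      false
    end
  end

  # Ruby calls this only when a constant is referenced and not yet defined,
  # so loading this file stays silent whether or not the provider exists.
  def self.const_missing(name)
    return super unless BC_REQUIRED.include?(name)
    unless provider_available?
      raise MissingProviderError,
            "#{self}::#{name} requires the provider gem (#{PROVIDER}), " \
            'which is not installed'
    end
    # The provider is expected to define the constant when it loads.
    const_defined?(name, false) ? const_get(name, false) : super
  end

  # Helper for callers that want to probe instead of rescuing.
  def self.feature_usable?(name)
    BUILT_IN.include?(name) || (BC_REQUIRED.include?(name) && provider_available?)
  end
end
```

Because the failure is a `LoadError` subclass raised at the point of use, a test suite run without the provider installed still fails loudly on the code path that needs it.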

Nick Sieger (Guest)
on 2010-08-12 22:00
(Received via mailing list)
On Thu, Aug 12, 2010 at 2:21 PM, Charles Oliver Nutter
<headius@headius.com> wrote:
>
> If we had a lawyer on hand, (s)he might be able to tell us whether BC
> actually poses an export problem, since it's actually an off-shore
> hosted project (Australia, I think) and we're just re-packaging it. To
> date, we have not had a legal resource that could clarify things for
> us.

The closest we got was that if we hosted the strong-crypto files on a
website that was registered and/or "certified" with the government,
we'd be ok. Exactly where we register this fact, I have no idea.

Not sure how hosting the files on rubygems.org gets around this (does
it just shift responsibility?).

/Nick

Charles Nutter (headius)
on 2010-08-13 01:06
(Received via mailing list)
On Thu, Aug 12, 2010 at 3:00 PM, Nick Sieger <nicksieger@gmail.com>
wrote:
> The closest we got was that if we hosted the strong-crypto files on a
> website that was registered and/or "certified" with the government,
> we'd be ok. Exactly where we register this fact, I have no idea.
>
> Not sure how hosting the files on rubygems.org gets around this (does
> it just shift responsibility?).

I don't know that they're doing anything special. The files are
actually hosted on rubygems.org-controlled servers, so legally I think
they'd need to register as providing those libraries...if BC actually
required registration (which is still pretty fuzzy to me).

At any rate, it seems like it's rubygems.org's problem (perhaps
similar to any maven servers that have BC or other crypto stuff) and
if we just reduce our exposure by pushing BC libs as a gem, we may be
in OK shape.

I know we also talked about trying to implement more of jruby-ossl
using built-in crypto stuff that does ship with the JVM/JDK. Anything
we can do to reduce dependencies on BC will be a big help.

- Charlie

Hiroshi Nakamura (Guest)
on 2010-08-23 12:52
(Received via mailing list)
Hi Nick and Charles,

On Fri, Aug 13, 2010 at 04:21, Charles Oliver Nutter
<headius@headius.com> wrote:
>
> If we had a lawyer on hand, (s)he might be able to tell us whether BC
> actually poses an export problem, since it's actually an off-shore
> hosted project (Australia, I think) and we're just re-packaging it. To
> date, we have not had a legal resource that could clarify things for
> us.

Thanks for the explanation.  I understood.  Let's leave this issue as it
is now.

>>>
> should proceed to do that.
Thanks for confirmation.  I'll create a ticket and a branch for the
migration.
 - merge JRuby-OSSL repo to JRuby repo
 - without BC jars inclusion

Please track the progress at the ticket I'll create.

Regards,
// NaHi

Roger Pack (rogerdpack)
on 2010-08-23 15:32
>>>>
>> should proceed to do that.
> Thanks for confirmation.  I'll create a ticket and a branch for the
> migration.
>  - merge JRuby-OSSL repo to JRuby repo
>  - without BC jars inclusion

Thanks!
-r