Bug 199181 - [CMake] Bump cmake_minimum_required version to 3.10
Summary: [CMake] Bump cmake_minimum_required version to 3.10
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CMake (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Fujii Hironori
URL:
Keywords:
Depends on:
Blocks: 199108
  Show dependency treegraph
 
Reported: 2019-06-24 18:58 PDT by Fujii Hironori
Modified: 2019-06-27 01:15 PDT (History)
3 users (show)

See Also:


Attachments
Patch (4.98 KB, patch)
2019-06-24 19:00 PDT, Fujii Hironori
no flags Details | Formatted Diff | Diff
Patch (5.05 KB, patch)
2019-06-26 17:59 PDT, Fujii Hironori
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Fujii Hironori 2019-06-24 18:58:17 PDT
[CMake] Bump cmake_minimum_required version to 3.10

(In reply to Michael Catanzaro from bug #199108 comment #8)
> (In reply to Fujii Hironori from bug #199108 comment #7)
> > We can bump cmake_minimum_required version to 3.10 now.
> 
> Yeah that's true. Go for it. If any EWS complain, go for it anyway and we'll
> get them fixed.
Comment 1 Fujii Hironori 2019-06-24 19:00:47 PDT
Created attachment 372815 [details]
Patch
Comment 2 Adrian Perez 2019-06-25 15:16:01 PDT
For the sake of checking things a bit, today I updated one of the
EWS bots to Debian Buster (to be officially released in 2019-07-06,
in a few days), which includes CMake 3.13 and the following popped up:

  webkit-patch[599]: Received URLError: "[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:727)" while loading None

According to the following Debian bug report it is caused by more
strict checks by (the now updated) OpenSSL 1.1.1 and in particular
the when the server uses SHA1 for signatures in certificates:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907807

Can hold this for some days and while trying to find some solution?
We can alternatively use CMake 3.13 from the Stretch Backports repo,
but eventually we *will* need to update our bots to Buster (or any
other distro which ships a newer OpenSSL) so a solution for this
issue will be needed anyway, and I would rather start looking into
it now.
Comment 3 Fujii Hironori 2019-06-25 21:07:53 PDT
Thank you for working on this, Adrian.

(In reply to Adrian Perez from comment #2)
> For the sake of checking things a bit, today I updated one of the
> EWS bots to Debian Buster (to be officially released in 2019-07-06,
> in a few days), which includes CMake 3.13 and the following popped up:
> 
>   webkit-patch[599]: Received URLError: "[SSL: WRONG_SIGNATURE_TYPE] wrong
> signature type (_ssl.c:727)" while loading None
> 
> According to the following Debian bug report it is caused by more
> strict checks by (the now updated) OpenSSL 1.1.1 and in particular
> the when the server uses SHA1 for signatures in certificates:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907807

Debian openssl package is applying this patch.
https://salsa.debian.org/ondrej/openssl/blob/553fc8e61f30cd1f7a59dd38c61e1dd4bf58437d/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch

What about removing "CipherString = DEFAULT@SECLEVEL=2" line from /etc/ssl/openssl.cnf ?


> Can hold this for some days and while trying to find some solution?

Sure.
Comment 4 Adrian Perez 2019-06-26 03:38:57 PDT
(In reply to Fujii Hironori from comment #3)
> Thank you for working on this, Adrian.
> 
> (In reply to Adrian Perez from comment #2)
> > For the sake of checking things a bit, today I updated one of the
> > EWS bots to Debian Buster (to be officially released in 2019-07-06,
> > in a few days), which includes CMake 3.13 and the following popped up:
> > 
> >   webkit-patch[599]: Received URLError: "[SSL: WRONG_SIGNATURE_TYPE] wrong
> > signature type (_ssl.c:727)" while loading None
> > 
> > According to the following Debian bug report it is caused by more
> > strict checks by (the now updated) OpenSSL 1.1.1 and in particular
> > the when the server uses SHA1 for signatures in certificates:
> > 
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907807
> 
> Debian openssl package is applying this patch.
> https://salsa.debian.org/ondrej/openssl/blob/
> 553fc8e61f30cd1f7a59dd38c61e1dd4bf58437d/debian/patches/Set-systemwide-
> default-settings-for-libssl-users.patch
> 
> What about removing "CipherString = DEFAULT@SECLEVEL=2" line from
> /etc/ssl/openssl.cnf ?

Good find! After commenting this line, the server can be contacted
again. I have contacted Aakash, who probably can take a look at the
server in case some fix can be deployed there as well. In the meantime,
I think it's okay to edit the openssl.cnf file in the clients.

> > Can hold this for some days and while trying to find some solution?
> 
> Sure.

I am starting today with the updates to the machines where we run
bots, and will let you know once we can land this. Thanks!
Comment 5 Konstantin Tokarev 2019-06-26 06:03:42 PDT
>We can alternatively use CMake 3.13 from the Stretch Backports repo,
but eventually we *will* need to update our bots to Buster 

Note that Stretch Backports receive WebKit updates, so it may be a good idea to support this configuration
Comment 6 Adrian Perez 2019-06-26 06:58:08 PDT
Now we have CMake 3.13 in all our Debian bots (one of them updated
to Buster, the rest from Stretch backports for now), and CMake
3.10 in the Ubuntu bots.

Fujii, I think we can try to land this patch now :-)
Comment 7 Fujii Hironori 2019-06-26 17:59:23 PDT
Created attachment 372979 [details]
Patch
Comment 8 Don Olmstead 2019-06-26 18:54:55 PDT
Comment on attachment 372979 [details]
Patch

r=me

Looks like there needs to be some more work on the bots before this lands.
Comment 9 Fujii Hironori 2019-06-27 01:15:00 PDT
Comment on attachment 372979 [details]
Patch

Clearing flags on attachment: 372979

Committed r246874: <https://trac.webkit.org/changeset/246874>
Comment 10 Fujii Hironori 2019-06-27 01:15:04 PDT
All reviewed patches have been landed.  Closing bug.