Use OpenSSL 3.5.x LTS version with next stable version #2599
…ad of requiring SHA argument
The 3.0 LTS version will be EOL in 2026. We should move to the 3.5.x version in the next stable version.
Pull request overview
This pull request updates the OpenSSL dependency from version 3.0.18 (which reaches end-of-life in September 2026) to the newer 3.5.4 LTS version for Ruby's next stable development versions. The update includes an enhancement to the update-openssl script that automates SHA256 checksum computation by downloading the tarball directly from GitHub releases.
Changes:
- Updated OpenSSL version from 3.0.18 to 3.5.4 for ruby-dev and 4.1-dev build definitions
- Enhanced update-openssl script to automatically download and compute SHA256 checksums instead of requiring them as input
- Added necessary Ruby requires (open-uri, digest/sha2, tempfile) to support automatic checksum computation
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| share/ruby-build/ruby-dev | Updated OpenSSL dependency to version 3.5.4 with new SHA256 checksum |
| share/ruby-build/4.1-dev | Updated OpenSSL dependency to version 3.5.4 with new SHA256 checksum |
| script/update-openssl | Modified to automatically download OpenSSL tarball and compute SHA256 instead of requiring manual input |
| URI.open(url) do |remote_file| | ||
| IO.copy_stream(remote_file, tmpfile) |
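Review bot: The digest is taken from whatever bytes `URI.open(url)` streams into `tmpfile`, so the SHA256 this script produces for the build definitions records the download rather than verifying it. Before committing the generated value, compare it with a checksum or signature for the same tarball obtained through a separate channel, and have the script abort on an empty or truncated body so that a failed transfer cannot yield a plausible-looking hash.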
Copilot
AI
Jan 21, 2026
Using URI.open to download content from the internet without explicit error handling could result in unclear error messages if the download fails (network issues, 404 errors, SSL certificate problems). Consider wrapping this in a begin-rescue block to provide more user-friendly error messages, especially since this changes the script from requiring a pre-computed SHA256 to automatically downloading and computing it.
| URI.open(url) do |remote_file| | |
| IO.copy_stream(remote_file, tmpfile) | |
| begin | |
| URI.open(url) do |remote_file| | |
| IO.copy_stream(remote_file, tmpfile) | |
| end | |
| rescue OpenURI::HTTPError => e | |
| abort "Failed to download #{url}: #{e.message}" | |
| rescue SocketError, IOError, SystemCallError => e | |
| abort "Network error while downloading #{url}: #{e.class}: #{e.message}" |
|
|
||
| raise "Usage: #{$0} NEW_VERSION" unless ARGV.size == 1 | ||
| new_version = ARGV[0] | ||
|
|
Copilot
AI
Jan 21, 2026
The open-uri library enables Kernel.open to automatically open URIs, which can be a security concern. While the URL is constructed from a version parameter and targets a specific GitHub pattern, consider using URI.open explicitly (which you are doing) and potentially adding validation that the version parameter only contains expected characters (digits and dots) to prevent any potential URL manipulation.
| unless new_version.match?(/\A\d+(?:\.\d+)*[a-z]?\z/) | |
| raise "Invalid OpenSSL version: #{new_version.inspect}" | |
| end |
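An added example, not code from this pull request or from ruby-build: the version check suggested above, combined with a streamed SHA256 and a fail-closed comparison, which goes beyond what the script on this page does. It also shows why the suggested pattern uses `\A` and `\z` rather than `^` and `$`. The URL layout, the helper names and the sample inputs are assumptions constructed for illustration.

```ruby
require "digest/sha2"
require "stringio"

# Pattern from the review suggestion: digits and dots, optional one-letter suffix (1.1.1w).
# \A and \z anchor the whole string; Ruby's ^ and $ only anchor a single line.
STRICT_VERSION = /\A\d+(?:\.\d+)*[a-z]?\z/
LINE_ANCHORED  = /^\d+(?:\.\d+)*[a-z]?$/ # shown only for comparison, do not use

# Assumed URL layout for OpenSSL release tarballs on GitHub (not quoted on this page).
def tarball_url(version)
  unless version.is_a?(String) && version.match?(STRICT_VERSION)
    raise ArgumentError, "Invalid OpenSSL version: #{version.inspect}"
  end
  "https://github.com/openssl/openssl/releases/download/" \
    "openssl-#{version}/openssl-#{version}.tar.gz"
end

# Hash a stream in fixed-size chunks so a full tarball is never held in memory.
def sha256_of(io, chunk_size = 64 * 1024)
  digest = Digest::SHA256.new
  while (chunk = io.read(chunk_size))
    digest.update(chunk)
  end
  digest.hexdigest
end

# Fail closed when the computed digest differs from one obtained out of band.
def verify_sha256!(io, expected_hex)
  actual = sha256_of(io)
  unless actual == expected_hex.strip.downcase
    raise "SHA256 mismatch: expected #{expected_hex}, got #{actual}"
  end
  actual
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: two plausible versions and two that must be rejected.
  ["3.5.4", "1.1.1w", "3.5.4/../x", "3.5.4\nx"].each do |v|
    begin
      puts "#{v.inspect} -> #{tarball_url(v)}"
    rescue ArgumentError => e
      puts "#{v.inspect} -> rejected (#{e.message})"
    end
  end
  # Constructed stand-in for tarball bytes.
  puts sha256_of(StringIO.new("abc"))
end
```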
The 3.0 LTS version will be EOL in Sep 2026. We should move to the 3.5.x version in the next stable version.
I'm not sure yet whether we will also migrate Ruby 3.3-4.0 to OpenSSL 3.5. I will consider that this year.