#62937 closed defect (fixed)
taskwarrior-tui: macOS 10.9 buildbot failure; crates.io-index fetch failing with trust/SSL error
| Reported by: | mascguy (Christopher Nielsen) | Owned by: | herbygillot (Herby Gillot) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | | Cc: | ryandesign (Ryan Carsten Schmidt) |
| Port: | taskwarrior-tui | | |
Description
After fixing dependency pandoc to build on older macOS releases, taskwarrior-tui is now failing to build on our macOS 10.9 buildbot.
I'm seeing the following error:
```
    Updating crates.io index
error: failed to get `anyhow` as a dependency of package `taskwarrior-tui v0.13.24 (/opt/local/var/macports/build/_opt_bblocal_var_buildworker_ports_build_ports_office_taskwarrior-tui/taskwarrior-tui/work/taskwarrior-tui-0.13.24)`

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  network failure seems to have happened
  if a proxy or similar is necessary `net.git-fetch-with-cli` may help here
  https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli

Caused by:
  internal security trust error; class=Ssl (16)
```
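A triage helper for the failure signature in the log above, added here as an example and not part of the ticket or of MacPorts: it reports whether cargo contacted the network during the build and whether the index fetch failed on a TLS error. The function names and the clean-build log are constructed for illustration; the failing log is the ticket's own output, shortened.

```shell
#!/bin/sh
# Added example: triage a cargo build log for the failure in this ticket.
# Prints: network=<yes|no> result=<ok|tls-trust|fetch-other> url=<URL|->
triage_cargo_log() {   # hypothetical helper name
    awk '
        # cargo prints this when it contacts the registry index
        /Updating crates\.io index/ { network = "yes" }
        # keep the first remote that could not be fetched
        /failed to fetch `/ && url == "" {
            url = $0
            sub(/^.*failed to fetch `/, "", url)
            sub(/`.*$/, "", url)
        }
        # libgit2 error class for TLS failures, including untrusted certificates
        /class=Ssl/ { ssl = 1 }
        END {
            if (network == "") network = "no"
            if (url == "")     result = "ok"
            else if (ssl)      result = "tls-trust"
            else               result = "fetch-other"
            if (url == "") url = "-"
            printf "network=%s result=%s url=%s\n", network, result, url
        }'
}

# Log from the ticket, build path abridged and hint lines omitted.
sample_failing_log() {
    cat <<'EOF'
    Updating crates.io index
error: failed to get `anyhow` as a dependency of package `taskwarrior-tui v0.13.24 (...)`
Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`
Caused by:
  network failure seems to have happened
Caused by:
  internal security trust error; class=Ssl (16)
EOF
}

# Constructed log of a build that needed no network access.
sample_clean_log() {
    cat <<'EOF'
   Compiling anyhow v1.0.0
   Compiling taskwarrior-tui v0.13.24
EOF
}

sample_failing_log | triage_cargo_log
sample_clean_log | triage_cargo_log
```

A `network=yes` result from a build-phase log means the port fetched at build time, independent of whether the fetch succeeded.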
Change History (11)
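comment:1 follow-up: 2 Changed 3 years ago by Wowfunhappy (Jonathan)
If it's just an https error, you could use a proxy as a temporary workaround.
(Alternately, the problem may go away if you manually trust Github's certificate in keychain access. There are no underlying protocol/cipher suite compatibilities between Github and Mavericks, Mavericks's certificate store is just old.)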
comment:2 Changed 3 years ago by mascguy (Christopher Nielsen)
Cc: | ryandesign added |
---|
Replying to Wowfunhappy:
> If it's just an https error, you could use a proxy as a temporary workaround.
> (Alternately, the problem may go away if you manually trust Github's certificate in keychain access. There are no underlying protocol/cipher suite compatibilities between Github and Mavericks, Mavericks's certificate store is just old.)
Ryan, is this fixable on our buildbots? Or would you expect this to work as-is...?
comment:3 follow-up: 4 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)
I noticed this too; see [2e957955a41cf003a347d94c948a31c6ba242b8f/macports-base].
This is why ports should not fetch things at build time. Instead, specify everything that needs to be fetched as distfiles. This allows the buildbot to mirror the files, and we can then make those files available via our mirrors without https to those systems no longer able to communicate via https.
comment:4 Changed 3 years ago by mascguy (Christopher Nielsen)
Replying to ryandesign:
> I noticed this too; see [2e957955a41cf003a347d94c948a31c6ba242b8f/macports-base].
> This is why ports should not fetch things at build time. Instead, specify everything that needs to be fetched as distfiles. This allows the buildbot to mirror the files, and we can then make those files available via our mirrors without https to those systems no longer able to communicate via https.
So per your comment on that commit - which states that the 10.9 buildbot was manually patched on 4/1/2021-ish - should we still be seeing these issues?
comment:5 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)
My patch was manually applied to the 10.9 buildbot worker and was part of MacPorts 2.7.0 which is now on all the buildbot workers. My patch changed MacPorts so that a port that requests to fetch with git on 10.9 will do so using MacPorts git rather than macOS git. This port does not request to fetch via git, so my fix is not applicable to this port. The fix is for this port to do its fetching in the fetch phase by specifying all needed distfiles, rather than by attempting to fetch anything manually during the build phase.
comment:6 follow-ups: 9 11 Changed 3 years ago by kencu (Ken)
if you make a build dep to git
and set this env var CARGO_NET_GIT_FETCH_WITH_CLI
it will likely work; they all worked for me on older systems with that.
Of course, fetch during fetch etc if you can, goes without saying..........
comment:7 Changed 3 years ago by mascguy (Christopher Nielsen)
Herby, can you fix this, per the comments from Ryan and Ken?
comment:8 Changed 3 years ago by herbygillot (Herby Gillot)
The reason why taskwarrior-tui is set up to fetch dependencies on its own is because it pulls one of its dependencies (task-hookrs (1)) directly from Github via git. Crates downloaded via HTTP from the official crates.io site are specified using cargo.crates, but the portgroup also provides cargo.crates_github for pulling crates from Github repos.
Unfortunately, cargo.crates_github consistently fails to pull task-hookrs in such a way that satisfies cargo to build taskwarrior-tui in a frozen state. My guess is that further patching might be required on Cargo.lock. So as a result, this software fails to build. Hence the reason why the Portfile as it currently is just lets cargo fetch dependencies on its own and build unfrozen.
comment:9 Changed 3 years ago by mascguy (Christopher Nielsen)
Herby, could we at least make Ken's recommended change (comment:6), to fix the failure on 10.9?
> if you make a build dep to git
> and set this env var CARGO_NET_GIT_FETCH_WITH_CLI
> it will likely work; they all worked for me on older systems with that.
comment:10 Changed 3 years ago by Christopher Nielsen <mascguy@…>
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:11 Changed 3 years ago by mascguy (Christopher Nielsen)
Replying to kencu:
> if you make a build dep to git
> and set this env var CARGO_NET_GIT_FETCH_WITH_CLI
> it will likely work; they all worked for me on older systems with that.
Ken, your fix worked beautifully. Thanks for the tip!