Upgrade Bundler to resolve CVE-2019-3881

[Pontus4]

Bundler 2 doesn't do require "forwardable".

[walro]

Judging by the failures, it seems like we need to add some "wait for MySQL" step

Edit: Interesting that we didn't encounter this issue before

[walro]

Judging by the failures, it seems like we need to add some "wait for MySQL" step

Ah, never mind. I thought it tried to connect to a MySQL that was not ready yet, but I see now it fails to SSL-related reasons.

A workaround could be to "revert" to the old non-encrypted way of connecting. Why this all of a sudden broke, I would check changes in Bundler (perhaps CAs are not added anymore?) or changes to the run environment.

To get some more info, you could open a branch that runs on Bundler 1 and see how that behaves.

[walro]

Yet another thing to check is MySQL versions, look at which MySQL version that we ran last time this worked and compare to what's running now. The same holds for various gems, we have a very loose gemspec here so there might be dramatic changes from one run to another.

[walro]

Additionally, I think we should change our actions config to allow other jobs to continue, even if there is a fail in the matrix (fail-fast: false I believe)

[Pontus4]

The only gem difference is that the last successful run used sequel 5.43.0 while this is using 5.44.0. Feels very suspicious, but I can't find anything related to this issue in the changelog... https://github.com/jeremyevans/sequel/blob/master/CHANGELOG

UPDATE: I tried to lock sequel to 5.43.0, but it didn't help.

[Pontus4]

To get some more info, you could open a branch that runs on Bundler 1 and see how that behaves.

Same problems with Bundler 1.

[Pontus4]

A lot has happened between the two Ubuntu versions, but I haven't found anything interesting yet...

https://github.com/actions/virtual-environments/compare/ubuntu18/20210330.1...ubuntu18/20210510.0

[Pontus4]

The last successful run probably ran on MySQL 5.7.33, which also fails now...

[walro]

I think the problem here is the latest update for Java 8.

In particular:

security-libs/javax.net.ssl ➜ Disable TLS 1.0 and 1.1 TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

As I understand it, the MySQL 5.7 image does only support TLS 1.0 and 1.1, so a solution is to re-enable TLS 1.1 or disable SSL authentication.

[Pontus4]

As I understand it, the MySQL 5.7 image does only support TLS 1.0 and 1.1, so a solution is to re-enable TLS 1.1 or disable SSL authentication.

I thought I'd try the first alternative first, but I'm not sure how to edit properties like that in the CI environment...

Update: I haven't found anything about changing this setting through the JRUBY_OPTS. The only other solution I can come up with is to manipulate the java.security file with some regexp.

[Pontus4]

disable SSL authentication

What do you mean here @walro? Where could it be disabled?

[walro]

What do you mean here @walro? Where could it be disabled?

I was thinking it might be possible to start MySQL without SSL support, the client is hopefully smart enough to not attempt connecting via SSL then.

[Pontus4]

I was thinking it might be possible to start MySQL without SSL support, the client is hopefully smart enough to not attempt connecting via SSL then.

Sweet, it worked 👍