diff --git a/build-scripts/compile-options b/build-scripts/compile-options index 39a3f20cb..0fd1acdfa 100644 --- a/build-scripts/compile-options +++ b/build-scripts/compile-options @@ -5,27 +5,24 @@ # Autodect PROJECT if not set -if [ x"$PROJECT" = x ] -then +if [ x"$PROJECT" = x ]; then case x"$JOB_NAME" in - *-community-*) PROJECT=community;; - *-enterprise-*) PROJECT=nova;; - *-hub-*) PROJECT=nova;; - *-agent-*) PROJECT=nova;; + *-community-*) PROJECT=community ;; + *-enterprise-*) PROJECT=nova ;; + *-hub-*) PROJECT=nova ;; + *-agent-*) PROJECT=nova ;; esac fi # If still not set, then either we are running outside Jenkins, or this # is not a main "build" type job (it could be the bootstrap job). # Do directory-based auto-detection. -if [ x"$PROJECT" = x ] -then - if [ -d $BASEDIR/nova ] - then - PROJECT=nova - else - PROJECT=community - fi +if [ x"$PROJECT" = x ]; then + if [ -d $BASEDIR/nova ]; then + PROJECT=nova + else + PROJECT=community + fi fi export PROJECT @@ -34,20 +31,9 @@ export PROJECT # When running manually, you can just export this variable. # It's a flag: if it's set to 1 - then we use system OpenSSL. # Otherwise, we build it. -if [ x"$SYSTEM_SSL" = x ] -then - # default to using cfengine openssl - SYSTEM_SSL=0 - # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl. - _OS_MAJOR_VERSION="$(echo "$OS_VERSION" | cut -d. -f1)" - if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null - then - SYSTEM_SSL=1 - fi - if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ] - then - if expr "$_OS_MAJOR_VERSION" ">=" "15" - then +if [ -z "$SYSTEM_SSL" ]; then + if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then + if [ "$OS_VERSION_MAJOR" -ge "15" ]; then SYSTEM_SSL=1 fi fi 
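Review bot: The SUSE branch guarded by `[ "$OS_VERSION_MAJOR" -ge "15" ]` still sets `SYSTEM_SSL=1`, yet this same commit drops `libopenssl-devel` from `ci/cfengine-build-host-setup.cf` and has `ci/fix-buildhost.sh` remove it with zypper, so on openSUSE/SLES 15+ the build appears to select system OpenSSL on a host whose headers were just uninstalled. Which OpenSSL gets linked decides who ships its security fixes, so the choice should be explicit: either drop this branch as well or keep the devel package on SUSE 15. `OS_VERSION_MAJOR` is not set anywhere in the visible hunk, and an empty value makes the test error out and fall through to the bundled path silently; `[ "${OS_VERSION_MAJOR:-0}" -ge 15 ]` would make that fallback deliberate. The removed `SYSTEM_SSL=0` default also leaves the variable empty rather than `0` on every other platform, and the enclosing `if [ -z "$SYSTEM_SSL" ]` closes outside the hunk.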
@@ -120,11 +106,13 @@ esac var_append DEPS "$EMBEDDED_DB pcre2" -if ! [ x"$SYSTEM_SSL" = x1 ] -then - # FIXME: Why do we need zlib? - # ANSWER: Openssl uses it optionally, TODO DISABLE - var_append DEPS "zlib openssl" +if [ "$SYSTEM_SSL" != 1 ]; then + # zlib is a compression library which is a dependency of OpenSSL. + # TODO: can we remove zlib dependency? (CFE-4013) + var_append DEPS "zlib" + + # A toolkit for TLS + var_append DEPS "openssl" fi # libsasl needed for solaris diff --git a/build-scripts/package b/build-scripts/package index a6589179b..578e6be0b 100755 --- a/build-scripts/package +++ b/build-scripts/package @@ -149,18 +149,12 @@ case "$PACKAGING" in echo "error: unable to determine selinux-policy package version" exit 1 fi - OPENSSL_VERSION=$(rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort -n | tail -1) - if [ -z "$OPENSSL_VERSION" ]; then - echo "error: unable to determine openssl package version" - exit 1 - fi fi sed \ -e "s/@@VERSION@@/$RPM_VERSION/g" \ -e "s/@@RELEASE@@/$safe_prefix$RPM_RELEASE/g" \ -e "s/@@SELINUX_POLICY_VERSION@@/$SELINUX_POLICY_VERSION/g" \ - -e "s/@@OPENSSL_VERSION@@/$OPENSSL_VERSION/g" \ -e "/^%pre\$/r $PREINSTALL" \ -e "/^%post\$/r $POSTINSTALL" \ -e "/^%preun\$/r $PREREMOVE" \ diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf index 2672f0ab9..e37f64391 100644 --- a/ci/cfengine-build-host-setup.cf +++ b/ci/cfengine-build-host-setup.cf @@ -123,9 +123,6 @@ bundle agent cfengine_build_host_setup "platform-python-devel" -> { "cfbs shebang", "ENT-11338" } comment => "py3_shebang_fix macro needs /usr/bin/pathfix.py from platform-python-devel package"; - suse_15:: - "libopenssl-devel" -> { "ENT-12528" } - comment => "like redhat, suse 15+ needs to build with system openssl."; (redhat_8|centos_8|redhat_9).(yum_dnf_conf_ok):: "java-1.8.0-openjdk-headless" package_policy => "delete", 
@@ -133,7 +130,6 @@ bundle agent cfengine_build_host_setup "java-17-openjdk"; "pkgconf" comment => "pkgconfig renamed to pkgconf in rhel8"; "selinux-policy-devel" comment => "maybe add to _7 and _6?"; - "openssl-devel"; (redhat_9).(yum_dnf_conf_ok):: "perl-Sys-Hostname" comment => "Needed by __04_examples_outputs_check_outputs_cf"; diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh index 2569da40f..1b6c1a31f 100755 --- a/ci/fix-buildhost.sh +++ b/ci/fix-buildhost.sh @@ -14,11 +14,10 @@ if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then . /etc/profile fi fi - -# while ENT-13750 is in progress we need to ensure that OTHER builds include openssl devel packages on redhat-based platforms +# ENT-13750 we return to vendored openssl on rpm platforms so remove possibly installed development packages if command -v zypper >/dev/null 2>/dev/null; then - sudo zypper install -y libopenssl-devel || true + sudo zypper remove -y libopenssl-devel || true fi if command -v yum >/dev/null 2>/dev/null; then - sudo yum install -y openssl-devel || true + sudo yum erase -y openssl-devel || true fi diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index c2a6cf283..c5bd708ae 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec @@ -1,4 +1,4 @@ -%define apache_version 2.4.67 +%define apache_version 2.4.68 %global __os_install_post %{nil} Summary: CFEngine Build Automation -- apache diff --git a/deps-packaging/apache/distfiles b/deps-packaging/apache/distfiles index e2962e04d..8801b00aa 100644 --- a/deps-packaging/apache/distfiles +++ b/deps-packaging/apache/distfiles @@ -1 +1 @@ -10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 httpd-2.4.67.tar.gz +ed9a9d4500fb48bb28eaffb3ba71d06ccf86d498fa13ab9f781da010cc488498 httpd-2.4.68.tar.gz 
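Review bot: Both removals in `ci/fix-buildhost.sh` end in `|| true`, so a failed `zypper remove` or `yum erase` leaves the system OpenSSL headers on the build host and the job carries on as if they were gone. The comment says the goal is to build against the vendored OpenSSL, and a leftover `openssl-devel` could let a dependency's configure pick up the system headers unnoticed. I would keep the tolerant removal but assert the result afterwards, e.g. `! rpm -q openssl-devel >/dev/null 2>&1 || { echo "openssl-devel still installed" >&2; exit 1; }`, with the same check for `libopenssl-devel` on the zypper path. Note also that `-y` pre-approves removing whatever depends on the package, which may be more than intended on a shared build host.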
diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec index bc9a1045d..bdf2e2a9f 100644 --- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec +++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec @@ -1,4 +1,4 @@ -%define curl_version 8.17.0 +%define curl_version 8.20.0 Summary: CFEngine Build Automation -- libcurl Name: cfbuild-libcurl-hub @@ -18,12 +18,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n curl-%{curl_version} -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 -%define ssl_prefix /usr -%else %define ssl_prefix %{prefix} -%endif ./configure \ --with-sysroot=%{prefix} \ diff --git a/deps-packaging/libcurl-hub/distfiles b/deps-packaging/libcurl-hub/distfiles index 06c2470ca..024e5bcdd 100644 --- a/deps-packaging/libcurl-hub/distfiles +++ b/deps-packaging/libcurl-hub/distfiles @@ -1 +1 @@ -e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz +fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz diff --git a/deps-packaging/libcurl/cfbuild-libcurl.spec b/deps-packaging/libcurl/cfbuild-libcurl.spec index 634c854b4..90e6d8585 100644 --- a/deps-packaging/libcurl/cfbuild-libcurl.spec +++ b/deps-packaging/libcurl/cfbuild-libcurl.spec @@ -1,4 +1,4 @@ -%define curl_version 8.17.0 +%define curl_version 8.20.0 Summary: CFEngine Build Automation -- libcurl Name: cfbuild-libcurl @@ -18,7 +18,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n curl-%{curl_version} -%if "%{_system_ssl}" == "1" +%if 0%{?SYSTEM_SSL} %define ssl_prefix /usr %else %define ssl_prefix %{prefix} diff --git a/deps-packaging/libcurl/distfiles b/deps-packaging/libcurl/distfiles index 06c2470ca..024e5bcdd 100644 --- a/deps-packaging/libcurl/distfiles +++ b/deps-packaging/libcurl/distfiles 
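Review bot: The new condition `%if 0%{?SYSTEM_SSL}` in `cfbuild-libcurl.spec` reads an rpm macro named `SYSTEM_SSL`, whereas the line it replaces read `_system_ssl`, and nothing in this diff shows rpmbuild being invoked with a matching `--define`. The `SYSTEM_SSL` variable exported by `build-scripts/compile-options` is a shell variable and is not visible to `%{?...}`, so if the define is missing the test is always false and `ssl_prefix` silently becomes `%{prefix}`. That would include openSUSE/SLES 15+, where compile-options still sets `SYSTEM_SSL=1` and leaves the bundled openssl out of `DEPS`. Please confirm the macro is passed under the new name and add a comment such as `# SYSTEM_SSL comes from rpmbuild --define; unset or 0 means link against the bundled OpenSSL`. `cfbuild-libcurl-hub.spec` drops the equivalent conditional entirely in this commit, and the `%endif` of this one lies outside the hunk.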
@@ -1 +1 @@ -e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz +fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz diff --git a/deps-packaging/openldap/cfbuild-openldap.spec b/deps-packaging/openldap/cfbuild-openldap.spec index 91ba0ddef..f6782f096 100644 --- a/deps-packaging/openldap/cfbuild-openldap.spec +++ b/deps-packaging/openldap/cfbuild-openldap.spec @@ -21,12 +21,7 @@ mkdir -p %{_builddir} %patch0 -p0 -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 -CPPFLAGS=-I%{buildprefix}/include:/usr/include -%else CPPFLAGS=-I%{buildprefix}/include -%endif # # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU. @@ -41,7 +36,6 @@ CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE" --disable-slapd \ --disable-backends \ --with-tls=openssl \ - --without-gssapi \ CPPFLAGS="$CPPFLAGS" %build diff --git a/deps-packaging/openldap/mingw/debian/rules b/deps-packaging/openldap/mingw/debian/rules index 61ce10e5a..ccd7a87bf 100755 --- a/deps-packaging/openldap/mingw/debian/rules +++ b/deps-packaging/openldap/mingw/debian/rules @@ -27,8 +27,6 @@ build-stamp: --disable-slapd \ --disable-backends \ --with-tls=openssl \ - --with-openssl=$(PREFIX) \ - --without-gssapi \ CC="$(DEB_HOST_GNU_TYPE)-gcc -static-libgcc" \ AR=$(DEB_HOST_GNU_TYPE)-ar \ CPPFLAGS="$(CPPFLAGS) -I$(PREFIX)/include" diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec index d42326cfc..c8d38083c 100644 --- a/deps-packaging/openssl/cfbuild-openssl.spec +++ b/deps-packaging/openssl/cfbuild-openssl.spec @@ -1,4 +1,4 @@ -%define openssl_version 3.6.2 +%define openssl_version 3.6.3 Summary: CFEngine Build Automation -- openssl Name: cfbuild-openssl diff --git a/deps-packaging/openssl/distfiles b/deps-packaging/openssl/distfiles index 7757c3c4a..c44c5e0ee 100644 --- a/deps-packaging/openssl/distfiles +++ b/deps-packaging/openssl/distfiles 
@@ -1 +1 @@ -aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f openssl-3.6.2.tar.gz +243a86649cf6f23eeb6a2ff2456e09e5d77dd9018a54d3d96b0c6bdd6ba6c7f1 openssl-3.6.3.tar.gz diff --git a/deps-packaging/openssl/source b/deps-packaging/openssl/source index 325946a65..f36cdd0b3 100644 --- a/deps-packaging/openssl/source +++ b/deps-packaging/openssl/source @@ -1 +1 @@ -https://github.com/openssl/openssl/releases/download/openssl-3.6.2/ +https://github.com/openssl/openssl/releases/download/openssl-3.6.3/ diff --git a/deps-packaging/rsync/cfbuild-rsync.spec b/deps-packaging/rsync/cfbuild-rsync.spec index cfe5de28d..d6a13998b 100644 --- a/deps-packaging/rsync/cfbuild-rsync.spec +++ b/deps-packaging/rsync/cfbuild-rsync.spec @@ -1,4 +1,4 @@ -%define rsync_version 3.4.3 +%define rsync_version 3.4.4 Summary: CFEngine Build Automation -- rsync Name: cfbuild-rsync diff --git a/deps-packaging/rsync/distfiles b/deps-packaging/rsync/distfiles index 2d0543c64..0424dd772 100644 --- a/deps-packaging/rsync/distfiles +++ b/deps-packaging/rsync/distfiles @@ -1 +1 @@ -c72e63ca3021cbc80ba86ec30102773f4c5631fbc492b52e773b3958f82a53d3 rsync-3.4.3.tar.gz +bd88cf82fa653da32314fb229136407c5c90f80d1758d8f4b091767877d8fa96 rsync-3.4.4.tar.gz diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in index a50e5a865..d0327bfaf 100644 --- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in +++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in 
@@ -27,23 +27,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} == 8 -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -Requires: openssl -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: openssl -%endif - # cfbs/Build requires Python 3.5+ (not available on RHEL 6) %if %{?rhel}%{!?rhel:0} == 7 Requires: python3 >= 3.5 @@ -100,10 +83,6 @@ rm -f %{prefix}/ssl/misc/tsget rm -f %{prefix}/ssl/openssl.cnf.dist rm -f %{prefix}/ssl/misc/tsget.pl -# Add an openssl symlink if openssl binary doesn't exist -if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then - ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl -fi # Hub does not need cf-upgrade, it is only present in host packages rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade 
@@ -237,16 +216,11 @@ exit 0 # init.d script enterprise part %{prefix}/bin/cfengine3-nova-hub-init-d.sh -# OpenSSL tools (we don't bundle OpenSSL on RHEL 8) -# Note that prefix/bin/openssl is outside of `if`, since -# on RHEL8 it's a symlink to a system-wide openssl binary %{prefix}/bin/openssl -%if %{?rhel}%{!?rhel:0} <= 7 %dir %{prefix}/ssl %{prefix}/ssl/openssl.cnf %{prefix}/ssl/ct_log_list.cnf %{prefix}/ssl/ct_log_list.cnf.dist -%endif %prefix/bin/git %prefix/bin/gitk diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in index 3f5e417c2..21a788e6e 100644 --- a/packaging/cfengine-nova/cfengine-nova.spec.in +++ b/packaging/cfengine-nova/cfengine-nova.spec.in @@ -23,21 +23,6 @@ Recommends: gzip Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} == 8 -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -%endif - AutoReqProv: no %if %{?with_debugsym}%{!?with_debugsym:0}