Updated dependencies (3.24.x)

build-scripts/compile-options

@@ -5,27 +5,24 @@
 
 # Autodect PROJECT if not set
 
-if [ x"$PROJECT" = x ]
-then
+if [ x"$PROJECT" = x ]; then
     case x"$JOB_NAME" in
-        *-community-*)   PROJECT=community;;
-        *-enterprise-*)  PROJECT=nova;;
-        *-hub-*)         PROJECT=nova;;
-        *-agent-*)       PROJECT=nova;;
+    *-community-*) PROJECT=community ;;
+    *-enterprise-*) PROJECT=nova ;;
+    *-hub-*) PROJECT=nova ;;
+    *-agent-*) PROJECT=nova ;;
     esac
 fi
 
 # If still not set, then either we are running outside Jenkins, or this
 # is not a main "build" type job (it could be the bootstrap job).
 # Do directory-based auto-detection.
-if [ x"$PROJECT" = x ]
-then
-   if [ -d $BASEDIR/nova ]
-   then
-       PROJECT=nova
-   else
-       PROJECT=community
-   fi
+if [ x"$PROJECT" = x ]; then
+    if [ -d $BASEDIR/nova ]; then
+        PROJECT=nova
+    else
+        PROJECT=community
+    fi
 fi
 
 export PROJECT
@@ -34,20 +31,9 @@ export PROJECT
 # When running manually, you can just export this variable.
 # It's a flag: if it's set to 1 - then we use system OpenSSL.
 # Otherwise, we build it.
-if [ x"$SYSTEM_SSL" = x ]
-then
-    # default to using cfengine openssl
-    SYSTEM_SSL=0
-    # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
-    _OS_MAJOR_VERSION="$(echo "$OS_VERSION" | cut -d. -f1)"
-    if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null
-    then
-        SYSTEM_SSL=1
-    fi
-    if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]
-    then
-        if expr "$_OS_MAJOR_VERSION" ">=" "15"
-        then
+if [ -z "$SYSTEM_SSL" ]; then
+    if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then
+        if [ "$OS_VERSION_MAJOR" -ge "15" ]; then
             SYSTEM_SSL=1
         fi
     fi
@@ -120,11 +106,13 @@ esac
 
 var_append DEPS "$EMBEDDED_DB pcre2"
 
-if ! [ x"$SYSTEM_SSL" = x1 ]
-then
-  # FIXME: Why do we need zlib?
-  # ANSWER: Openssl uses it optionally, TODO DISABLE
-  var_append DEPS "zlib openssl"
+if [ "$SYSTEM_SSL" != 1 ]; then
+    # zlib is a compression library which is a dependency of OpenSSL.
+    # TODO: can we remove zlib dependency? (CFE-4013)
+    var_append DEPS "zlib"
+
+    # A toolkit for TLS
+    var_append DEPS "openssl"
 fi
 
 # libsasl needed for solaris

build-scripts/package

@@ -149,18 +149,12 @@ case "$PACKAGING" in
             echo "error: unable to determine selinux-policy package version"
             exit 1
         fi
-        OPENSSL_VERSION=$(rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort -n | tail -1)
-        if [ -z "$OPENSSL_VERSION" ]; then
-            echo "error: unable to determine openssl package version"
-            exit 1
-        fi
     fi
 
     sed \
         -e "s/@@VERSION@@/$RPM_VERSION/g" \
         -e "s/@@RELEASE@@/$safe_prefix$RPM_RELEASE/g" \
         -e "s/@@SELINUX_POLICY_VERSION@@/$SELINUX_POLICY_VERSION/g" \
-        -e "s/@@OPENSSL_VERSION@@/$OPENSSL_VERSION/g" \
         -e "/^%pre\$/r $PREINSTALL" \
         -e "/^%post\$/r $POSTINSTALL" \
         -e "/^%preun\$/r $PREREMOVE" \

ci/cfengine-build-host-setup.cf

@@ -123,17 +123,13 @@ bundle agent cfengine_build_host_setup
       "platform-python-devel" -> { "cfbs shebang", "ENT-11338" }
         comment => "py3_shebang_fix macro needs /usr/bin/pathfix.py from platform-python-devel package";
 
-    suse_15::
-      "libopenssl-devel" -> { "ENT-12528" }
-        comment => "like redhat, suse 15+ needs to build with system openssl.";
 
     (redhat_8|centos_8|redhat_9).(yum_dnf_conf_ok)::
       "java-1.8.0-openjdk-headless" package_policy => "delete",
         comment => "Installing Development Tools includes this jdk1.8 which we do not want.";
       "java-17-openjdk";
       "pkgconf" comment => "pkgconfig renamed to pkgconf in rhel8";
       "selinux-policy-devel" comment => "maybe add to _7 and _6?";
-      "openssl-devel";
 
     (redhat_9).(yum_dnf_conf_ok)::
       "perl-Sys-Hostname" comment => "Needed by __04_examples_outputs_check_outputs_cf";

ci/fix-buildhost.sh

@@ -14,11 +14,10 @@ if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then
     . /etc/profile
   fi
 fi
-
-# while ENT-13750 is in progress we need to ensure that OTHER builds include openssl devel packages on redhat-based platforms
+# ENT-13750 we return to vendored openssl on rpm platforms so remove possibly installed development packages
 if command -v zypper >/dev/null 2>/dev/null; then
-  sudo zypper install -y libopenssl-devel || true
+  sudo zypper remove -y libopenssl-devel || true
 fi
 if command -v yum >/dev/null 2>/dev/null; then
-  sudo yum install -y openssl-devel || true
+  sudo yum erase -y openssl-devel || true
 fi

deps-packaging/apache/cfbuild-apache.spec

@@ -1,4 +1,4 @@
-%define apache_version 2.4.67
+%define apache_version 2.4.68
 %global __os_install_post %{nil}
 
 Summary: CFEngine Build Automation -- apache

deps-packaging/apache/distfiles

@@ -1 +1 @@
-10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77  httpd-2.4.67.tar.gz
+ed9a9d4500fb48bb28eaffb3ba71d06ccf86d498fa13ab9f781da010cc488498  httpd-2.4.68.tar.gz

deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec

@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl-hub
@@ -18,12 +18,7 @@ AutoReqProv: no
 mkdir -p %{_builddir}
 %setup -q -n curl-%{curl_version}
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-%define ssl_prefix /usr
-%else
 %define ssl_prefix %{prefix}
-%endif
 
 ./configure \
     --with-sysroot=%{prefix} \

deps-packaging/libcurl-hub/distfiles

@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910  curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0  curl-8.20.0.tar.gz

deps-packaging/libcurl/cfbuild-libcurl.spec

@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl
@@ -18,7 +18,7 @@ AutoReqProv: no
 mkdir -p %{_builddir}
 %setup -q -n curl-%{curl_version}
 
-%if "%{_system_ssl}" == "1"
+%if 0%{?SYSTEM_SSL}
 %define ssl_prefix /usr
 %else
 %define ssl_prefix %{prefix}

deps-packaging/libcurl/distfiles

@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910  curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0  curl-8.20.0.tar.gz

deps-packaging/openldap/cfbuild-openldap.spec

@@ -21,12 +21,7 @@ mkdir -p %{_builddir}
 
 %patch0 -p0
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-CPPFLAGS=-I%{buildprefix}/include:/usr/include
-%else
 CPPFLAGS=-I%{buildprefix}/include
-%endif
 
 #
 # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU.
@@ -41,7 +36,6 @@ CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
             --disable-slapd \
             --disable-backends \
             --with-tls=openssl \
-            --without-gssapi \
             CPPFLAGS="$CPPFLAGS"
 
 %build

deps-packaging/openldap/mingw/debian/rules

@@ -27,8 +27,6 @@ build-stamp:
 	    --disable-slapd \
 	    --disable-backends \
 	    --with-tls=openssl \
-	    --with-openssl=$(PREFIX) \
-	    --without-gssapi \
 	    CC="$(DEB_HOST_GNU_TYPE)-gcc -static-libgcc" \
 	    AR=$(DEB_HOST_GNU_TYPE)-ar \
 	    CPPFLAGS="$(CPPFLAGS) -I$(PREFIX)/include"

deps-packaging/openssl/cfbuild-openssl.spec

@@ -1,4 +1,4 @@
-%define openssl_version 3.6.2
+%define openssl_version 3.6.3
 
 Summary: CFEngine Build Automation -- openssl
 Name: cfbuild-openssl

deps-packaging/openssl/distfiles

@@ -1 +1 @@
-aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f  openssl-3.6.2.tar.gz
+243a86649cf6f23eeb6a2ff2456e09e5d77dd9018a54d3d96b0c6bdd6ba6c7f1  openssl-3.6.3.tar.gz

deps-packaging/openssl/source

@@ -1 +1 @@
-https://github.com/openssl/openssl/releases/download/openssl-3.6.2/
+https://github.com/openssl/openssl/releases/download/openssl-3.6.3/

deps-packaging/rsync/cfbuild-rsync.spec

@@ -1,4 +1,4 @@
-%define rsync_version 3.4.3
+%define rsync_version 3.4.4
 
 Summary: CFEngine Build Automation -- rsync
 Name: cfbuild-rsync

deps-packaging/rsync/distfiles

@@ -1 +1 @@
-c72e63ca3021cbc80ba86ec30102773f4c5631fbc492b52e773b3958f82a53d3  rsync-3.4.3.tar.gz
+bd88cf82fa653da32314fb229136407c5c90f80d1758d8f4b091767877d8fa96  rsync-3.4.4.tar.gz

packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in

@@ -27,23 +27,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-Requires: openssl
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: openssl
-%endif
-
 # cfbs/Build requires Python 3.5+ (not available on RHEL 6)
 %if %{?rhel}%{!?rhel:0} == 7
 Requires: python3 >= 3.5
@@ -100,10 +83,6 @@ rm -f %{prefix}/ssl/misc/tsget
 rm -f %{prefix}/ssl/openssl.cnf.dist
 rm -f %{prefix}/ssl/misc/tsget.pl
 
-# Add an openssl symlink if openssl binary doesn't exist
-if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then
-  ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl
-fi
 
 # Hub does not need cf-upgrade, it is only present in host packages
 rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade
@@ -237,16 +216,11 @@ exit 0
 # init.d script enterprise part
 %{prefix}/bin/cfengine3-nova-hub-init-d.sh
 
-# OpenSSL tools (we don't bundle OpenSSL on RHEL 8)
-# Note that prefix/bin/openssl is outside of `if`, since
-# on RHEL8 it's a symlink to a system-wide openssl binary
 %{prefix}/bin/openssl
-%if %{?rhel}%{!?rhel:0} <= 7
 %dir %{prefix}/ssl
 %{prefix}/ssl/openssl.cnf
 %{prefix}/ssl/ct_log_list.cnf
 %{prefix}/ssl/ct_log_list.cnf.dist
-%endif
 
 %prefix/bin/git
 %prefix/bin/gitk

packaging/cfengine-nova/cfengine-nova.spec.in

@@ -23,21 +23,6 @@ Recommends: gzip
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-%endif
-
 AutoReqProv: no
 
 %if %{?with_debugsym}%{!?with_debugsym:0}