From 47d94d0c15fc244d4ba99cdb431aac6a150e04a9 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 21 Feb 2026 22:17:34 +0100 Subject: [PATCH 1/4] Add Ruby 4 build --- configs/components/ruby-4.0.rb | 299 ++++++++++++++++++++++++ configs/projects/agent-runtime-ruby4.rb | 109 +++++++++ 2 files changed, 408 insertions(+) create mode 100644 configs/components/ruby-4.0.rb create mode 100644 configs/projects/agent-runtime-ruby4.rb diff --git a/configs/components/ruby-4.0.rb b/configs/components/ruby-4.0.rb new file mode 100644 index 00000000..ac34a15c --- /dev/null +++ b/configs/components/ruby-4.0.rb @@ -0,0 +1,299 @@ +##### +# Component release information: +# https://github.com/ruby/ruby/releases +# https://www.ruby-lang.org/en/downloads/releases/ +# Notes: +# The file name of the ruby component must match the ruby_version +##### +component 'ruby-4.0' do |pkg, settings, platform| + pkg.version '4.0.1' + pkg.sha256sum '3924be2d05db30f4e35f859bf028be85f4b7dd01714142fd823e4af5de2faf9d' + + ruby_dir = settings[:ruby_dir] + ruby_bindir = settings[:ruby_bindir] + host_ruby = settings[:host_ruby] + + # rbconfig-update is used to munge rbconfigs after the fact. + pkg.add_source('file://resources/files/ruby/rbconfig-update.rb') + + # Most ruby configuration happens in the base ruby config: + instance_eval File.read('configs/components/_base-ruby.rb') + + ######### + # PATCHES + ######### + + # base = 'resources/patches/ruby_32' + + # pkg.apply_patch "#{base}/rbinstall_gem_path.patch" if platform.is_cross_compiled? + + # pkg.apply_patch "#{base}/reline_disable_terminfo.patch" if platform.is_aix? + + # if platform.is_windows? + # pkg.apply_patch "#{base}/windows_mingw32_mkmf.patch" + # pkg.apply_patch "#{base}/ruby-faster-load_32.patch" + # pkg.apply_patch "#{base}/revert_speed_up_rebuilding_loaded_feature_index.patch" + # pkg.apply_patch "#{base}/revert-ruby-double-load-symlink.patch" + # pkg.apply_patch "#{base}/revert_ruby_utf8_default_encoding.patch" + # end + + # if platform.is_fips? + # # This is needed on Ruby < 3.3 until the fix is backported (if ever) + # # See: https://bugs.ruby-lang.org/issues/20000 + # pkg.apply_patch "#{base}/openssl3_fips.patch" + # end + + #################### + # ENVIRONMENT, FLAGS + #################### + + cflags = settings[:cflags] + cppflags = settings[:cppflags] + if platform.is_macos? + pkg.environment 'optflags', cflags + pkg.environment 'CFLAGS', cflags + pkg.environment 'CPPFLAGS', cppflags + pkg.environment 'LDFLAGS', settings[:ldflags] + pkg.environment 'CC', settings[:cc] + pkg.environment 'CXX', settings[:cxx] + pkg.environment 'MACOSX_DEPLOYMENT_TARGET', settings[:deployment_target] + pkg.environment 'PATH', '$(PATH):/opt/homebrew/bin:/usr/local/bin' + elsif platform.is_windows? + optflags = "#{cflags} -O3" + pkg.environment 'optflags', optflags + pkg.environment 'CFLAGS', optflags + pkg.environment 'MAKE', 'make' + elsif platform.is_cross_compiled? + pkg.environment 'CROSS_COMPILING', 'true' + elsif platform.is_aix? + # When using the default -ggdb3 I was seeing linker errors like, so use -g0 instead: + # + # ld: 0711-759 INTERNAL ERROR: Source file dwarf.c, line 528. + # Depending on where this product was acquired, contact your service + # representative or the approved supplier. + # collect2: error: ld returned 16 exit status + + pkg.environment 'optflags', '-O2 -fPIC -g0 ' + elsif platform.is_solaris? + pkg.environment 'optflags', '-O1' + else + pkg.environment 'optflags', '-O2' + end + + special_flags = " --prefix=#{ruby_dir} --with-opt-dir=#{settings[:prefix]} " + + if (platform.is_debian? && platform.os_version.to_i >= 13) || (platform.is_ubuntu? && platform.os_version.to_f >= 25.04 || platform.is_sles? && platform.os_version.to_i >= 16) + # A problem with --enable-dtrace, which I suspect may be because of GCC on the Trixie image. + # Check if this is still needed next time we bump Ruby and/or bump the Debian 13 + # container to the release version. + cflags += ' -Wno-error=implicit-function-declaration ' + end + + special_flags += " CFLAGS='#{cflags}' LDFLAGS='#{settings[:ldflags]}' CPPFLAGS='#{settings[:cppflags]}' " if settings[:supports_pie] + + # Ruby's build process requires a "base" ruby and we need a ruby to install + # gems into the /opt/puppetlabs/puppet/lib directory. + # + # For cross-compiles, the base ruby must be executable on the host we're + # building on (usually Intel), not the arch we're building for (such as + # SPARC). This is usually pl-ruby. + # + # For native compiles, we don't want ruby's build process to use whatever ruby + # is in the PATH, as it's probably too old to build ruby 3.2. And we don't + # want to use/maintain pl-ruby if we don't have to. Instead set baseruby to + # "no" which will force ruby to build and use miniruby. + special_flags += if platform.is_cross_compiled? + " --with-baseruby=#{host_ruby} " + else + ' --with-baseruby=no ' + end + + if platform.is_aix? + # This normalizes the build string to something like AIX 7.1.0.0 rather + # than AIX 7.1.0.2 or something + special_flags += " --build=#{settings[:platform_triple]} " + elsif platform.is_cross_compiled? && platform.is_macos? + # When the target arch is aarch64, ruby incorrectly selects the 'ucontext' coroutine + # implementation instead of 'arm64', so specify 'amd64' explicitly + # https://github.com/ruby/ruby/blob/c9c2245c0a25176072e02db9254f0e0c84c805cd/configure.ac#L2329-L2330 + special_flags += ' --with-coroutine=arm64 ' + elsif platform.is_solaris? && platform.architecture == 'sparc' + unless platform.is_cross_compiled? + # configure seems to enable dtrace because the executable is present, + # explicitly disable it and don't enable it below + special_flags += ' --enable-dtrace=no ' + end + special_flags += '--enable-close-fds-by-recvmsg-with-peek ' + + elsif platform.is_windows? + # ruby's configure script guesses the build host is `cygwin`, because we're using + # cygwin opensshd & bash. So mkmf will convert compiler paths, e.g. -IC:/... to + # cygwin paths, -I/cygdrive/c/..., which confuses mingw-w64. So specify the build + # target explicitly. + special_flags += " CPPFLAGS='-DFD_SETSIZE=2048' debugflags=-g " + + special_flags += if platform.architecture == 'x64' + ' --build x86_64-w64-mingw32 ' + else + ' --build i686-w64-mingw32 ' + end + elsif platform.is_macos? + special_flags += " --with-openssl-dir=#{settings[:prefix]} " + end + + without_dtrace = [ + 'aix-7.2-ppc', + 'el-7-ppc64le', + 'macos-all-arm64', + 'macos-all-x86_64', + 'redhatfips-7-x86_64', + 'sles-12-ppc64le', + 'solaris-11-sparc', + 'solaris-113-sparc', + 'windows-all-x64', + 'windowsfips-2016-x64' + ] + + special_flags += ' --enable-dtrace ' unless without_dtrace.include? platform.name + + ########### + # CONFIGURE + ########### + + # TODO: Remove this once PA-1607 is resolved. + # TODO: Can we use native autoconf? The dependencies seemed a little too extensive + if platform.is_aix? + pkg.configure { ['/opt/freeware/bin/autoconf'] } + else + pkg.configure { ['bash autogen.sh'] } + end + + pkg.configure do + [ + "bash configure \ + --enable-shared \ + --disable-install-doc \ + --disable-install-rdoc \ + #{settings[:host]} \ + #{special_flags}" + ] + end + + if platform.name =~ /windowsfips-2016/ + # We need the below patch since during ruby build step for windowsfips-2016-x64 agent-runtime builds, + # the rbconfig.rb file that gets generated contains '\r' trailing character in 'ruby_version' config. + # We patch rbconfig.rb to remove the '\r' character. + # This patch has to run after the build step since rbconfig.rb is generated during the build step. + # This is sort of a hacky way to do this. We need to find why the '\r' character gets appended to + # 'ruby_version' field in the future so that this patch can be removed - PA-6902. + pkg.add_source("#{base}/rbconfig_win.patch") + pkg.build do + ['TMP=/var/tmp /usr/bin/patch.exe --binary --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../rbconfig_win.patch'] + end + end + + ######### + # INSTALL + ######### + + if platform.is_windows? + # Ruby 3.2 copies bin/gem to $ruby_bindir/gem.cmd, but generates bat files for + # other gems like bundle.bat, irb.bat, etc. Just rename the cmd.cmd to cmd.bat + # as we used to in ruby 2.7 and earlier. + # + # Note that this step must happen after the install step above. + pkg.install do + %w[gem].map do |name| + "mv #{ruby_bindir}/#{name}.cmd #{ruby_bindir}/#{name}.bat" + end + end + + # Required when using `stack-protection-strong` and older versions of mingw-w64-gcc + pkg.install_file File.join(settings[:gcc_bindir], 'libssp-0.dll'), File.join(settings[:bindir], 'libssp-0.dll') + end + + target_doubles = { + 'powerpc-ibm-aix7.2.0.0' => 'powerpc-aix7.2.0.0', + 'aarch64-redhat-linux' => 'aarch64-linux', + 'ppc64-redhat-linux' => 'powerpc64-linux', + 'ppc64le-redhat-linux' => 'powerpc64le-linux', + 'powerpc64le-suse-linux' => 'powerpc64le-linux', + 'powerpc64le-linux-gnu' => 'powerpc64le-linux', + 'i386-pc-solaris2.10' => 'i386-solaris2.10', + 'sparc-sun-solaris2.10' => 'sparc-solaris2.10', + 'i386-pc-solaris2.11' => 'i386-solaris2.11', + 'sparc-sun-solaris2.11' => 'sparc-solaris2.11', + 'arm-linux-gnueabihf' => 'arm-linux-eabihf', + 'arm-linux-gnueabi' => 'arm-linux-eabi', + 'x86_64-w64-mingw32' => 'x64-mingw32', + 'i686-w64-mingw32' => 'i386-mingw32' + } + rbconfig_topdir = if target_doubles.key?(settings[:platform_triple]) + File.join(ruby_dir, 'lib', 'ruby', '4.0.0', target_doubles[settings[:platform_triple]]) + else + "$$(#{ruby_bindir}/ruby -e \"puts RbConfig::CONFIG[\\\"topdir\\\"]\")" + end + + # When cross compiling or building on non-linux, we sometimes need to patch + # the rbconfig.rb in the "host" ruby so that later when we try to build gems + # with native extensions, like ffi, the "host" ruby's mkmf will use the CC, + # etc specified below. For example, if we're building on mac Intel for ARM, + # then the CC override allows us to build ffi_c.so for ARM as well. The + # "host" ruby is configured in _shared-agent-settings + rbconfig_changes = {} + if platform.is_aix? + rbconfig_changes['CC'] = 'gcc' + elsif platform.is_cross_compiled? || (platform.is_solaris? && platform.architecture != 'sparc') + # REMIND: why are we overriding rbconfig for solaris intel? + rbconfig_changes['CC'] = 'gcc' + rbconfig_changes['warnflags'] = + '-Wall -Wextra -Wno-unused-parameter -Wno-parentheses -Wno-long-long -Wno-missing-field-initializers -Wno-tautological-compare -Wno-parentheses-equality -Wno-constant-logical-operand -Wno-self-assign -Wunused-variable -Wimplicit-int -Wpointer-arith -Wwrite-strings -Wdeclaration-after-statement -Wimplicit-function-declaration -Wdeprecated-declarations -Wno-packed-bitfield-compat -Wsuggest-attribute=noreturn -Wsuggest-attribute=format -Wno-maybe-uninitialized' + if platform.name =~ /el-7-ppc64/ + # EL 7 on POWER will fail with -Wl,--compress-debug-sections=zlib so this + # will remove that entry + # Matches both endians + rbconfig_changes['DLDFLAGS'] = + '-Wl,-rpath=/opt/puppetlabs/puppet/lib -L/opt/puppetlabs/puppet/lib -Wl,-rpath,/opt/puppetlabs/puppet/lib' + elsif platform.name =~ /sles-12-ppc64le/ + # the ancient gcc version on sles-12-ppc64le does not understand -fstack-protector-strong, so remove the `strong` part + rbconfig_changes['LDFLAGS'] = + '-L. -Wl,-rpath=/opt/puppetlabs/puppet/lib -fstack-protector -rdynamic -Wl,-export-dynamic -L/opt/puppetlabs/puppet/lib' + end + elsif platform.is_macos? + rbconfig_changes['CC'] = "#{settings[:cc]} #{cflags}" + elsif platform.is_windows? + rbconfig_changes['CC'] = if platform.architecture == 'x64' + 'x86_64-w64-mingw32-gcc' + else + 'i686-w64-mingw32-gcc' + end + end + + pkg.add_source('file://resources/files/ruby_vendor_gems/operating_system.rb') + defaults_dir = File.join(settings[:libdir], 'ruby/4.0.0/rubygems/defaults') + pkg.directory(defaults_dir) + pkg.install_file '../operating_system.rb', File.join(defaults_dir, 'operating_system.rb') + + certs_dir = File.join(settings[:libdir], 'ruby/4.0.0/rubygems/ssl_certs/puppetlabs.net') + pkg.directory(certs_dir) + + pkg.add_source('file://resources/files/rubygems/COMODO_RSA_Certification_Authority.pem') + pkg.install_file '../COMODO_RSA_Certification_Authority.pem', + File.join(certs_dir, 'COMODO_RSA_Certification_Authority.pem') + + pkg.add_source('file://resources/files/rubygems/GlobalSignRootCA_R3.pem') + pkg.install_file '../GlobalSignRootCA_R3.pem', File.join(certs_dir, 'GlobalSignRootCA_R3.pem') + + pkg.add_source('file://resources/files/rubygems/DigiCertGlobalRootG2.pem') + pkg.install_file '../DigiCertGlobalRootG2.pem', File.join(certs_dir, 'DigiCertGlobalRootG2.pem') + + if rbconfig_changes.any? + pkg.install do + [ + "#{host_ruby} ../rbconfig-update.rb \"#{rbconfig_changes.to_s.gsub('"', '\"')}\" #{rbconfig_topdir}", + "cp original_rbconfig.rb #{settings[:datadir]}/doc/rbconfig-#{pkg.get_version}-orig.rb", + "cp new_rbconfig.rb #{rbconfig_topdir}/rbconfig.rb" + ] + end + end +end diff --git a/configs/projects/agent-runtime-ruby4.rb b/configs/projects/agent-runtime-ruby4.rb new file mode 100644 index 00000000..d433e3e2 --- /dev/null +++ b/configs/projects/agent-runtime-ruby4.rb @@ -0,0 +1,109 @@ +project 'agent-runtime-main' do |proj| + # Set preferred component versions if they differ from defaults: + proj.setting :ruby_version, '4.0' # Leave the .Z out for Ruby 3.2 + proj.setting :rubygem_highline_version, '3.1.2' + + ######## + # Load shared agent settings + ######## + + instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-agent-settings.rb')) + + ######## + # Settings specific to this branch + ######## + + # Directory for gems shared by puppet and puppetserver + proj.setting(:puppet_gem_vendor_dir, File.join(proj.libdir, 'ruby', 'vendor_gems')) + + # Ruby 2.7 loads openssl on installation. Because pl-ruby was not + # built with openssl support, we switch to compile with system + # rubies. + # Solaris 11 seems to work with pl-ruby, and 10 is handled in _shared-agent-settings.rb. + proj.setting(:host_ruby, '/usr/bin/ruby') if platform.is_cross_compiled_linux? + + # Ruby 2.6 (RubyGems 3.0.1) removed the --ri and --rdoc + # options. Switch to using --no-document which is available starting + # with RubyGems 2.0.0preview2. This should also cover cross-compiled + # platforms that use older rubies. + proj.setting(:gem_install, "#{proj.host_gem} install --no-document --local") + + ######## + # Components + # Use full blocks here, rather than single line logic so that + # automation can insert components as needed. + ######## + + # rubocop:disable Style/IfUnlessModifier + proj.component 'runtime-agent' + proj.component 'libffi' + proj.component 'libyaml' + proj.component "openssl-#{proj.openssl_version}" + + proj.component 'puppet-ca-bundle' + proj.component "ruby-#{proj.ruby_version}" + + proj.component 'rubygem-concurrent-ruby' + proj.component 'rubygem-deep_merge' + proj.component 'rubygem-erubi' + proj.component 'rubygem-fast_gettext' + proj.component 'rubygem-ffi' + proj.component 'rubygem-gettext' + proj.component 'rubygem-hiera-eyaml' + proj.component 'rubygem-highline' + proj.component 'rubygem-hocon' + proj.component 'rubygem-locale' + proj.component 'rubygem-net-ssh' + proj.component 'rubygem-optimist' + proj.component 'rubygem-semantic_puppet' + proj.component 'rubygem-scanf' + proj.component 'rubygem-text' + proj.component 'rubygem-thor' + + # We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version + # of rexml it ships with can contain CVEs. So, we add it here to update to a higher version free from the CVEs. + proj.component 'rubygem-rexml' + + unless platform.is_windows? + proj.component 'augeas' + proj.component 'ruby-augeas' + proj.component 'libxml2' + proj.component 'rubygem-sys-filesystem' + end + + if platform.is_macos? + proj.component 'readline' + proj.component 'rubygem-CFPropertyList' + proj.component 'rubygem-base64' + end + + unless platform.is_aix? || platform.is_windows? + proj.component 'ruby-shadow' + end + + # We only build ruby-selinux for EL, Fedora, Debian and Ubuntu (amd64/i386) + if platform.is_el? || platform.is_fedora? || platform.is_debian? || (platform.is_ubuntu? && platform.architecture !~ /ppc64el$/) + proj.component 'ruby-selinux' + end + + # libedit is used instead of readline on these platforms + if platform.is_solaris? + proj.component 'libedit' + end + + if platform.is_cross_compiled? + proj.component 'pl-ruby-patch' + end + + if platform.is_windows? || platform.is_solaris? || platform.is_aix? + proj.component 'rubygem-minitar' + end + + if platform.is_linux? + proj.component 'virt-what' + proj.component 'dmidecode' unless platform.architecture =~ /ppc64/ + # DBus exists outside of Linux, but it's the most common platform to find it on + proj.component 'rubygem-ruby-dbus' + end + # rubocop:enable Style/IfUnlessModifier +end From 7f2167f69fbc62fa6c890ab7a769ea819fa52be8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 21 Feb 2026 23:16:26 +0100 Subject: [PATCH 2/4] Add openssl 3.5 builds --- configs/components/openssl-3.5.rb | 187 +++++++++++++++++++++ configs/projects/_shared-agent-settings.rb | 2 - configs/projects/agent-runtime-main.rb | 1 + configs/projects/agent-runtime-ruby4.rb | 1 + 4 files changed, 189 insertions(+), 2 deletions(-) create mode 100644 configs/components/openssl-3.5.rb diff --git a/configs/components/openssl-3.5.rb b/configs/components/openssl-3.5.rb new file mode 100644 index 00000000..3645fbcb --- /dev/null +++ b/configs/components/openssl-3.5.rb @@ -0,0 +1,187 @@ +##### +# Component release information: +# https://github.com/openssl/openssl/releases +# 3.5 isn't latest openssl, but latest LTS: https://openssl-library.org/policies/releasestrat/index.html +##### +component 'openssl' do |pkg, settings, platform| + pkg.version '3.5.5' + pkg.sha256sum 'b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89' + pkg.url "https://github.com/openssl/openssl/releases/download/openssl-#{pkg.get_version}/openssl-#{pkg.get_version}.tar.gz" + pkg.mirror "#{settings[:buildsources_url]}/openssl-#{pkg.get_version}.tar.gz" + + ############################# + # ENVIRONMENT, FLAGS, TARGETS + ############################# + + if platform.name =~ /^(amazon-|el-|redhat-|redhatfips-|fedora-)/ + pkg.build_requires 'perl-core' + elsif platform.is_solaris? + # perl is installed in platform definition + else + pkg.build_requires 'perl' + end + + target = sslflags = '' + cflags = settings[:cflags] + ldflags = settings[:ldflags] + + if platform.is_windows? + pkg.environment 'PATH', "$(shell cygpath -u #{settings[:gcc_bindir]}):$(PATH)" + pkg.environment 'CYGWIN', settings[:cygwin] + pkg.environment 'MAKE', platform[:make] + + target = platform.architecture == 'x64' ? 'mingw64' : 'mingw' + elsif platform.is_aix? + # REMIND: why not PATH? + pkg.environment 'CC', '/opt/freeware/bin/gcc' + + cflags = "#{settings[:cflags]} -static-libgcc" + # see https://github.com/openssl/openssl/issues/18007 about -latomic + # see https://www.ibm.com/docs/en/aix/7.2?topic=l-ld-command about -R, which is equivalent to -rpath + ldflags = "#{settings[:ldflags]} -Wl,-R#{settings[:libdir]} -latomic -lm" + target = 'aix-gcc' + elsif platform.is_solaris? + pkg.environment 'PATH', '/opt/csw/bin:$(PATH):/usr/local/bin:/usr/ccs/bin:/usr/sfw/bin' + if !platform.is_cross_compiled? && platform.architecture == 'sparc' + pkg.environment 'CC', '/opt/pl-build-tools/bin/gcc' + gcc_lib = "/opt/pl-build-tools/#{settings[:platform_triple]}/lib" + else + pkg.environment 'CC', '/opt/csw/bin/gcc' + gcc_lib = "/opt/csw/#{settings[:platform_triple]}/lib" + end + cflags = "#{settings[:cflags]} -fPIC" + ldflags = "-R#{gcc_lib} -Wl,-rpath=#{settings[:libdir]} -L#{gcc_lib}" + target = platform.architecture =~ /86/ ? 'solaris-x86-gcc' : 'solaris-sparcv9-gcc' + elsif platform.is_macos? + pkg.environment 'PATH', '$(PATH):/opt/homebrew/bin:/usr/local/bin' + pkg.environment 'CFLAGS', settings[:cflags] + pkg.environment 'CC', settings[:cc] + pkg.environment 'MACOSX_DEPLOYMENT_TARGET', settings[:deployment_target] + + target = if platform.architecture == 'arm64' + 'darwin64-arm64' + else + 'darwin64-x86_64' + end + elsif platform.is_linux? + pkg.environment 'PATH', '/opt/pl-build-tools/bin:$(PATH):/usr/local/bin' + + ldflags = "#{settings[:ldflags]} -Wl,-z,relro" + case platform.architecture + when /86$/ + target = 'linux-elf' + sslflags = '386' + when /aarch64$/ + target = 'linux-aarch64' + when /ppc64le|ppc64el/ # Little-endian + target = 'linux-ppc64le' + when /64$/ + target = 'linux-x86_64' + when 'armhf' + target = 'linux-armv4' + end + end + + #################### + # BUILD REQUIREMENTS + #################### + + pkg.build_requires "runtime-#{settings[:runtime_project]}" + + ########### + # CONFIGURE + ########### + + # Defining --libdir ensures that we avoid the multilib (lib/ vs. lib64/) problem, + # since configure uses the existence of a lib64 directory to determine + # if it should install its own libs into a multilib dir. Yay OpenSSL! + configure_flags = [ + "--prefix=#{settings[:prefix]}", + '--libdir=lib', + "--openssldir=#{settings[:prefix]}/ssl", + 'shared', + 'no-gost', + target, + sslflags, + 'no-camellia', + 'no-md2', + 'no-ssl3', + 'no-ssl3-method', + 'no-dtls1-method', + 'no-dtls1_2-method', + 'no-aria', + # 'no-bf', pgcrypto is requires this cipher in postgres for puppetdb + # 'no-cast', pgcrypto is requires this cipher in postgres for puppetdb + # 'no-des', pgcrypto is requires this cipher in postgres for puppetdb, + # should pgcrypto cease needing it, it will also be needed by ntlm + # and should only be enabled if "use_legacy_openssl_algos" is true. + 'no-rc5', + 'no-mdc2', + # 'no-rmd160', this is causing failures with pxp, remove once pxp-agent does not need it + 'no-whirlpool' + ] + + if settings[:use_legacy_openssl_algos] + pkg.apply_patch 'resources/patches/openssl/openssl-3-activate-legacy-algos.patch' + else + configure_flags << 'no-legacy' << 'no-md4' + end + + # Individual projects may provide their own openssl configure flags: + project_flags = settings[:openssl_extra_configure_flags] || [] + perl_exec = '' + perl_exec = '/opt/freeware/bin/perl' if platform.is_aix? + configure_flags << project_flags + + pkg.environment 'CFLAGS', cflags + pkg.environment 'LDFLAGS', ldflags + pkg.configure do + ["#{perl_exec} ./Configure #{configure_flags.join(' ')}"] + end + + ####### + # BUILD + ####### + + build_commands = [] + + if platform.is_windows? && platform.architecture == 'x86' + # mingw-w32 5.2.0 has a bug in include/winnt.h that declares GetCurrentFiber + # with __CRT_INLINE, which results in the function not being inlined and + # generates a linker error: undefined reference to `GetCurrentFiber'. + # This only affects 32-bit builds + # See https://github.com/openssl/openssl/issues/513 + # See https://github.com/mingw-w64/mingw-w64/commit/8da1aae7a7ff5bf996878dc8fe30a0e01e210e5a + pkg.add_source('file://resources/patches/windows/FORCEINLINE-i686-w64-mingw32-winnt.h') + build_commands << "#{platform.patch} --dir #{settings[:gcc_root]}/#{settings[:platform_triple]} --strip=2 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../FORCEINLINE-i686-w64-mingw32-winnt.h" + end + + build_commands << "#{platform[:make]} depend" + build_commands << platform[:make] + + pkg.build do + build_commands + end + + ######### + # INSTALL + ######### + + install_prefix = platform.is_windows? ? '' : 'INSTALL_PREFIX=/' + install_commands = [] + + if platform.is_aix? + # "Removes any currently unused modules in kernel and library memory." + install_commands << 'slibclean' + end + + # Skip man and html docs + install_commands << "#{platform[:make]} #{install_prefix} install_sw install_ssldirs" + install_commands << "rm -f #{settings[:prefix]}/bin/c_rehash" + + pkg.install do + install_commands + end + + pkg.install_file 'LICENSE.txt', "#{settings[:prefix]}/share/doc/openssl-#{pkg.get_version}/LICENSE" +end diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb index 96e4cc47..11c15b4c 100644 --- a/configs/projects/_shared-agent-settings.rb +++ b/configs/projects/_shared-agent-settings.rb @@ -148,8 +148,6 @@ # Load default compiler settings instance_eval File.read('configs/projects/_shared-compiler-settings.rb') -proj.setting(:openssl_version, '3.0') - if platform.is_windows? proj.setting(:gcc_root, '/usr/x86_64-w64-mingw32/sys-root/mingw') proj.setting(:gcc_bindir, "#{proj.gcc_root}/bin") diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb index a5c9add0..2b048b8a 100644 --- a/configs/projects/agent-runtime-main.rb +++ b/configs/projects/agent-runtime-main.rb @@ -2,6 +2,7 @@ # Set preferred component versions if they differ from defaults: proj.setting :ruby_version, '3.2' # Leave the .Z out for Ruby 3.2 proj.setting :rubygem_highline_version, '3.0.1' + proj.setting :openssl_version, '3.0' ######## # Load shared agent settings diff --git a/configs/projects/agent-runtime-ruby4.rb b/configs/projects/agent-runtime-ruby4.rb index d433e3e2..d55e611e 100644 --- a/configs/projects/agent-runtime-ruby4.rb +++ b/configs/projects/agent-runtime-ruby4.rb @@ -2,6 +2,7 @@ # Set preferred component versions if they differ from defaults: proj.setting :ruby_version, '4.0' # Leave the .Z out for Ruby 3.2 proj.setting :rubygem_highline_version, '3.1.2' + proj.setting :openssl_version, '3.5' ######## # Load shared agent settings From 224898b6a0609f4c5b1b199380ff799883d836fb Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sun, 22 Feb 2026 00:13:36 +0100 Subject: [PATCH 3/4] Update rubygem components Component updates: - rubygem-aws-partitions: version 1.1215.0 -> 1.1217.0 - rubygem-openfact: version 5.4.0 -> 5.5.0 - rubygem-openvox-strings: version 6.0.0 -> 7.0.0 Project component additions: - openbolt-runtime: rubygem-multi_json --- configs/components/rubygem-aws-partitions.rb | 4 ++-- configs/components/rubygem-openfact.rb | 4 ++-- configs/components/rubygem-openvox-strings.rb | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/configs/components/rubygem-aws-partitions.rb b/configs/components/rubygem-aws-partitions.rb index b86fdfc4..f9657054 100644 --- a/configs/components/rubygem-aws-partitions.rb +++ b/configs/components/rubygem-aws-partitions.rb @@ -5,8 +5,8 @@ ##### component 'rubygem-aws-partitions' do |pkg, _settings, _platform| ### Maintained by update_gems automation ### - pkg.version '1.1215.0' - pkg.sha256sum '462be54e811a42a5d6b9cf0403e9a79dd46fac2031a9e98019328c49ad584b87' + pkg.version '1.1217.0' + pkg.sha256sum '43af21fc153744f13383f692b9d37319d5858f71c3c7cd7169d100928fc6d17b' ### End automated maintenance section ### instance_eval File.read('configs/components/_base-rubygem.rb') diff --git a/configs/components/rubygem-openfact.rb b/configs/components/rubygem-openfact.rb index 6c727a4a..a7557d8a 100644 --- a/configs/components/rubygem-openfact.rb +++ b/configs/components/rubygem-openfact.rb @@ -5,8 +5,8 @@ ##### component 'rubygem-openfact' do |pkg, _settings, _platform| ### Maintained by update_gems automation ### - pkg.version '5.4.0' - pkg.sha256sum '9fac640c1124289a8a62fff51a793c9367cddd352a50a6d11fdff875e1b7ee21' + pkg.version '5.5.0' + pkg.sha256sum '20621ef1f923de6cc9e8b900dfb51b9836ef83252098bd1acdcac183ec834fde' pkg.build_requires 'rubygem-base64' pkg.build_requires 'rubygem-hocon' pkg.build_requires 'rubygem-thor' diff --git a/configs/components/rubygem-openvox-strings.rb b/configs/components/rubygem-openvox-strings.rb index b50d7782..7f38c082 100644 --- a/configs/components/rubygem-openvox-strings.rb +++ b/configs/components/rubygem-openvox-strings.rb @@ -6,8 +6,8 @@ ##### component 'rubygem-openvox-strings' do |pkg, _settings, _platform| ### Maintained by update_gems automation ### - pkg.version '6.0.0' - pkg.sha256sum '3fd42dfd91d7d42ece6edb4254876937ec5634a65f951d912abcaec30156dc88' + pkg.version '7.0.0' + pkg.sha256sum '721346006242976650f92553adfffcef076cad84ee63e93d64044e602333db00' pkg.build_requires 'rubygem-openvox' pkg.build_requires 'rubygem-rgen' pkg.build_requires 'rubygem-yard' From e27b7e94a939326c5e5ef20ef8c6273e77ad1505 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sun, 22 Feb 2026 00:50:23 +0100 Subject: [PATCH 4/4] hiera-eyaml: Update 4.3.0->5.0.0 --- configs/components/rubygem-hiera-eyaml.rb | 5 +++-- configs/projects/agent-runtime-main.rb | 1 + configs/projects/agent-runtime-ruby4.rb | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/configs/components/rubygem-hiera-eyaml.rb b/configs/components/rubygem-hiera-eyaml.rb index 91f8db5d..61dbd13d 100644 --- a/configs/components/rubygem-hiera-eyaml.rb +++ b/configs/components/rubygem-hiera-eyaml.rb @@ -5,8 +5,9 @@ ##### component 'rubygem-hiera-eyaml' do |pkg, settings, _platform| ### Maintained by update_gems automation ### - pkg.version '4.3.0' - pkg.sha256sum '19eba2ea9d70b2d56de064df9e3242860d8070d47ff9c9a6348b7fe94708ab0a' + pkg.version '5.0.0' + pkg.sha256sum 'efdbc2d6d48897fc288047a391403b15c00cdf43de6765903997d4b65ae48895' + pkg.build_requires 'rubygem-base64' pkg.build_requires 'rubygem-highline' pkg.build_requires 'rubygem-optimist' ### End automated maintenance section ### diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb index 2b048b8a..fb4f76d5 100644 --- a/configs/projects/agent-runtime-main.rb +++ b/configs/projects/agent-runtime-main.rb @@ -51,6 +51,7 @@ proj.component 'rubygem-fast_gettext' proj.component 'rubygem-ffi' proj.component 'rubygem-gettext' + proj.component 'rubygem-base64' # needs to come before hiera-eyaml. Otherwise vanagon tries to install a deb/rpm called rubygem-base64 proj.component 'rubygem-hiera-eyaml' proj.component 'rubygem-highline' proj.component 'rubygem-hocon' diff --git a/configs/projects/agent-runtime-ruby4.rb b/configs/projects/agent-runtime-ruby4.rb index d55e611e..369e0386 100644 --- a/configs/projects/agent-runtime-ruby4.rb +++ b/configs/projects/agent-runtime-ruby4.rb @@ -50,6 +50,7 @@ proj.component 'rubygem-fast_gettext' proj.component 'rubygem-ffi' proj.component 'rubygem-gettext' + proj.component 'rubygem-base64' # needs to come before hiera-eyaml. Otherwise vanagon tries to install a deb/rpm called rubygem-base64 proj.component 'rubygem-hiera-eyaml' proj.component 'rubygem-highline' proj.component 'rubygem-hocon' @@ -75,7 +76,6 @@ if platform.is_macos? proj.component 'readline' proj.component 'rubygem-CFPropertyList' - proj.component 'rubygem-base64' end unless platform.is_aix? || platform.is_windows?