From f18809da32d91988db47db890c6c0aded60c98ae Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:15:15 -0500 Subject: [PATCH 1/6] Added RedHat 10 platform support Ticket: ENT-13016 Changelog: title (cherry picked from commit 75a79e38e08ec9768cdeef1b301db615c73aa38c) --- build-scripts/labels.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build-scripts/labels.txt b/build-scripts/labels.txt index 01b45ef52..d71820d62 100644 --- a/build-scripts/labels.txt +++ b/build-scripts/labels.txt @@ -8,6 +8,8 @@ PACKAGES_HUB_arm_64_linux_debian_12 PACKAGES_HUB_x86_64_linux_redhat_7 PACKAGES_HUB_x86_64_linux_redhat_8 PACKAGES_HUB_x86_64_linux_redhat_9 +PACKAGES_HUB_x86_64_linux_redhat_10 +PACKAGES_HUB_arm_64_linux_redhat_10 PACKAGES_HUB_x86_64_linux_ubuntu_20 PACKAGES_HUB_x86_64_linux_ubuntu_22 @@ -24,6 +26,8 @@ PACKAGES_x86_64_linux_redhat_6 PACKAGES_x86_64_linux_redhat_7 PACKAGES_x86_64_linux_redhat_8 PACKAGES_x86_64_linux_redhat_9 +PACKAGES_x86_64_linux_redhat_10 +PACKAGES_arm_64_linux_redhat_10 PACKAGES_x86_64_linux_suse_12 PACKAGES_x86_64_linux_suse_15 From 2d0cfda3d0729575da5c9542dd63b0e7542777ba Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:25:57 -0500 Subject: [PATCH 2/6] Adjusted apache patch spec file for newer Patch N style Ticket: ENT-13016 Changelog: none (cherry picked from commit 614f9dc0954258b39eb79dc5c2476f8f00013b91) --- deps-packaging/apache/cfbuild-apache.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index b04405a42..7db73d125 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec @@ -8,6 +8,7 @@ Release: 1 Source0: httpd-%{apache_version}.tar.gz Source1: httpd.conf Patch0: apachectl.patch +Patch1: fixed-implicit-decl-gettid.patch License: MIT Group: Other Url: https://cfengine.com @@ -21,7 +22,8 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n httpd-%{apache_version} -%patch0 -p0 +%patch -P 0 +%patch -P 1 -p1 CPPFLAGS=-I%{buildprefix}/include From 54cd4b183eda29c895052c11c1cfcf6ae53ff35f Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:26:29 -0500 Subject: [PATCH 3/6] Removed not needed libtool control la files in dependencies Ticket: ENT-13016 Changelog: none (cherry picked from commit 6fc52e4db4a61a754d0450963c8b1b11ed941107) --- deps-packaging/libyaml/cfbuild-libyaml.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps-packaging/libyaml/cfbuild-libyaml.spec b/deps-packaging/libyaml/cfbuild-libyaml.spec index b2de6669f..8ad3ebe70 100644 --- a/deps-packaging/libyaml/cfbuild-libyaml.spec +++ b/deps-packaging/libyaml/cfbuild-libyaml.spec @@ -33,6 +33,7 @@ $MAKE %install rm -rf ${RPM_BUILD_ROOT} $MAKE DESTDIR=${RPM_BUILD_ROOT} install +rm -rf ${RPM_BUILD_ROOT}%{prefix}/lib/libyaml.la %clean rm -rf $RPM_BUILD_ROOT @@ -65,7 +66,6 @@ CFEngine Build Automation -- lmdb -- development files %dir %{prefix}/lib %{prefix}/lib/pkgconfig %{prefix}/lib/*.a -%{prefix}/lib/*.la %changelog From 2a4b6c10b4b66d55ec4153bbf5774921cd20b942 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:27:35 -0500 Subject: [PATCH 4/6] Adjusted rpm deps and packaging to allow /var/cfengine/lib as an RPATH entry Adjusted rpm packaging to allow empty manifest lists such as debug symbols Some dependencies don't generate symbols even when BUILD_TYPE=DEBUG aka with_debugsym 0 and __strip /bin/true as options to rpmbuild. Ticket: ENT-13016 Changelog: none (cherry picked from commit 920d7391da65a2fbeca1472a11fa731af565227d) Conflicts: build-scripts/package deps-packaging/pkg-build-rpm Removed some docs/debugs from master and KEPT system_ssl option here as our openssl is too different in 3.24.x from distributions we build for and causes conflicts in libraries, e.g. ENT-12528 --- build-scripts/package | 2 ++ deps-packaging/pkg-build-rpm | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/build-scripts/package b/build-scripts/package index a026cdaca..a6589179b 100755 --- a/build-scripts/package +++ b/build-scripts/package @@ -178,6 +178,8 @@ case "$PACKAGING" in # - argv[2] = a b # Also note that $RPMBUILD_OPTIONS might have spaces # which must be preserved + # rhel-10 rpmbuild is more picky about /var/cfengine/lib RPATH we need + export QA_RPATHS=2 # this is a set of bit flags, we just want 0x0002 here eval "$RPMBUILD_CMD" -bb \ --define "'_topdir $BASEDIR/$PKG'" \ --define "'buildprefix $BUILDPREFIX'" \ diff --git a/deps-packaging/pkg-build-rpm b/deps-packaging/pkg-build-rpm index 6dba9a512..6f55e0317 100755 --- a/deps-packaging/pkg-build-rpm +++ b/deps-packaging/pkg-build-rpm @@ -76,11 +76,15 @@ if [ $TARGET != native ]; then exit 42 fi +# deps packages may result in binaries without debug symbols even when debugsym=yes aka BUILD_TYPE=DEBUG +# to avoid rpmbuild errors when this occurs, allow empties +RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define '_empty_manifest_terminate_build 0'" + case "$TESTS" in no) - RPMBUILD_OPTIONS="--define 'with_testsuite 0'";; + RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define 'with_testsuite 0'";; yes) - RPMBUILD_OPTIONS="--define 'with_testsuite 1'";; + RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define 'with_testsuite 1'";; *) fatal "Unknown tests option: $TESTS";; esac @@ -112,6 +116,12 @@ fi # example cmd --define 'a b': # - argv[1] = --define # - argv[2] = a b + +# We have /var/cfengine/lib in RPATHS which should be OK +# We asked in https://github.com/rpm-software-management/rpm/issues/3982, and it seems allowing this is OK +# 0x0002 - contains an invalid RPATH - in our case /var/cfengine/lib is OK so allow it as an exception +# Here we only want to specify this one flag: 0x0002. Sadly these scripts run on POSIX shell (especially e.g. aix71 runs as /bin/sh which is ksh) so no bitwise operators. Add them together manually to a decimal integer. +export QA_RPATHS=2 # 0x0002 all by itself, no &(ands) eval $RPMBUILD_CMD -bb \ --define "'_system_ssl $SYSTEM_SSL'" \ --define "'_topdir $BASEDIR/$PKGNAME'" \ From 6cf2f5a189133064d660a1e2ddb92d0fa8b3548a Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 29 Oct 2025 13:59:19 -0500 Subject: [PATCH 5/6] Added Debian 13 platform support Ticket: ENT-13164 Changelog: title (cherry picked from commit 400b3cf1478bba5282d312c738253f5c4682d9d5) --- build-scripts/labels.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build-scripts/labels.txt b/build-scripts/labels.txt index d71820d62..b6f880e9f 100644 --- a/build-scripts/labels.txt +++ b/build-scripts/labels.txt @@ -4,6 +4,8 @@ PACKAGES_HUB_x86_64_linux_debian_11 PACKAGES_HUB_arm_64_linux_debian_11 PACKAGES_HUB_x86_64_linux_debian_12 PACKAGES_HUB_arm_64_linux_debian_12 +PACKAGES_HUB_x86_64_linux_debian_13 +PACKAGES_HUB_arm_64_linux_debian_13 PACKAGES_HUB_x86_64_linux_redhat_7 PACKAGES_HUB_x86_64_linux_redhat_8 @@ -21,6 +23,8 @@ PACKAGES_x86_64_linux_debian_11 PACKAGES_arm_64_linux_debian_11 PACKAGES_x86_64_linux_debian_12 PACKAGES_arm_64_linux_debian_12 +PACKAGES_x86_64_linux_debian_13 +PACKAGES_arm_64_linux_debian_13 PACKAGES_x86_64_linux_redhat_6 PACKAGES_x86_64_linux_redhat_7 From f606833072faf67414f98011c9f91e9076d50572 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 5 Nov 2025 13:20:21 -0600 Subject: [PATCH 6/6] Added recent openssl commit which allows older platforms e.g. centos-6 to build Without this change many assembler errors are produced due to insufficient detection of SHA512 Extensions availability. Issue: https://github.com/openssl/openssl/issues/28463 Fix commit: https://github.com/openssl/openssl/commit/241d4826f8ee39c92d9b3233146c3e12314871ec Changelog: none Ticket: ENT-13491 (cherry picked from commit 91c96af1c6cad9d297ce4fa32524ee84161327c1) --- .../0010-Update-sha512-x86_64-pl.patch | 44 +++++++++++++++++++ deps-packaging/openssl/cfbuild-openssl.spec | 2 + 2 files changed, 46 insertions(+) create mode 100644 deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch diff --git a/deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch b/deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch new file mode 100644 index 000000000..bb86d6074 --- /dev/null +++ b/deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch @@ -0,0 +1,44 @@ +commit 241d4826f8ee39c92d9b3233146c3e12314871ec +Author: rainerjung +Date: Tue Sep 9 00:10:40 2025 +0200 + + Update sha512-x86_64.pl + + Do not use new assembler code for CPUs with SHA512 support in case the assembler only supports avx but not avx2. + + Reviewed-by: Shane Lontis + Reviewed-by: Paul Dale + (Merged from https://github.com/openssl/openssl/pull/28488) + +diff --git a/crypto/sha/asm/sha512-x86_64.pl b/crypto/sha/asm/sha512-x86_64.pl +index cdc585c..029468d 100755 +--- a/crypto/sha/asm/sha512-x86_64.pl ++++ b/crypto/sha/asm/sha512-x86_64.pl +@@ -574,7 +574,9 @@ $TABLE: + .quad 0x0001020304050607,0x08090a0b0c0d0e0f + .quad 0x0001020304050607,0x08090a0b0c0d0e0f + .asciz "SHA512 block transform for x86_64, CRYPTOGAMS by " ++___ + ++$code.=<<___ if ($avx>1); + # $K512 duplicates data every 16 bytes. + # The Intel(R) SHA512 implementation requires reads of 32 consecutive bytes. + .align 64 +@@ -620,6 +622,8 @@ ${TABLE}_single: + .quad 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c + .quad 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a + .quad 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 ++___ ++$code.=<<___; + .previous + ___ + } +@@ -2379,7 +2383,7 @@ ___ + }} + }}}}} + +-if ($SZ==8) { ++if ($SZ==8 && $avx>1) { + $code.=<<___; + .type ${func}_sha512ext,\@function,3 + .align 64 diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec index 2cce6d7ab..25b818f64 100644 --- a/deps-packaging/openssl/cfbuild-openssl.spec +++ b/deps-packaging/openssl/cfbuild-openssl.spec @@ -7,6 +7,7 @@ Release: 1 Source0: openssl-%{openssl_version}.tar.gz Patch0: 0006-Add-latomic-on-AIX-7.patch Patch1: 0008-Define-_XOPEN_SOURCE_EXTENDED-as-1.patch +Patch2: 0010-Update-sha512-x86_64-pl.patch License: MIT Group: Other Url: https://cfengine.com @@ -22,6 +23,7 @@ mkdir -p %{_builddir} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build