From b9ddd6c483c9033f2c2c898a7ba89a2fa0521a1c Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Thu, 8 Sep 2016 08:45:11 -0400
Subject: [PATCH] Prepare for EPEL 7 uplift

- Use %{?epel} tag to maintain a single specfile
- Relax openssl requirement to 1.0.1+ for EPEL 7
- Don't use weak dependencies in EPEL
---
 0001-Use-Fedora-OpenSSL-build-flags.patch | 76 +++++++++++++++++++++++
 nodejs-openssl-fix-no-srp.patch | 23 +++++++
 nodejs-tarball.sh | 36 +++++++++--
 nodejs.spec | 53 +++++++++++++---
 4 files changed, 177 insertions(+), 11 deletions(-)
 create mode 100644 0001-Use-Fedora-OpenSSL-build-flags.patch
 create mode 100644 nodejs-openssl-fix-no-srp.patch

diff --git a/0001-Use-Fedora-OpenSSL-build-flags.patch b/0001-Use-Fedora-OpenSSL-build-flags.patch
new file mode 100644
index 0000000..61e9740
--- /dev/null
+++ b/0001-Use-Fedora-OpenSSL-build-flags.patch
@@ -0,0 +1,76 @@
+From 6ecf32b36eab498da24a5e23d08713e19ab341a5 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Thu, 8 Sep 2016 12:54:20 -0400
+Subject: [PATCH] Use Fedora OpenSSL build flags
+
+---
+ deps/openssl/config/Makefile | 5 ++++-
+ deps/openssl/openssl.gypi | 9 ++++++---
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/deps/openssl/config/Makefile b/deps/openssl/config/Makefile
+index c8155b16d8dcfbc7ade7cd463248236d989b0599..7a319fd13b06b0520b3e118691381f27fdccf1a0 100644
+--- a/deps/openssl/config/Makefile
++++ b/deps/openssl/config/Makefile
+@@ -1,8 +1,11 @@
+ PERL = perl
+ CONFIGURE = ./Configure
+-COPT = no-shared no-symlinks
++COPT = no-shared no-symlinks \
++ zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
++ enable-cms enable-md2 enable-rc5 \
++ no-mdc2 no-ec2m no-gost no-srp
+
+ ARCHS = aix-gcc aix64-gcc BSD-x86 BSD-x86_64 VC-WIN32 \
+ VC-WIN64A darwin64-x86_64-cc darwin-i386-cc linux-aarch64 \
+ linux-armv4 linux-elf linux-x32 linux-x86_64 linux-ppc \
+ linux-ppc64 linux32-s390x linux64-s390x solaris-x86-gcc \
+diff --git a/deps/openssl/openssl.gypi b/deps/openssl/openssl.gypi
+index 3620e45c41074647ef54f040a539c0d1c4f9b7d9..549e87348fb8c929f80ffd651df1bf6591b071d2 100644
+--- a/deps/openssl/openssl.gypi
++++ b/deps/openssl/openssl.gypi
+@@ -383,11 +383,10 @@
+ 'openssl/crypto/evp/m_dss1.c',
+ 'openssl/crypto/evp/m_ecdsa.c',
+ 'openssl/crypto/evp/m_md2.c',
+ 'openssl/crypto/evp/m_md4.c',
+ 'openssl/crypto/evp/m_md5.c',
+- 'openssl/crypto/evp/m_mdc2.c',
+ 'openssl/crypto/evp/m_null.c',
+ 'openssl/crypto/evp/m_ripemd.c',
+ 'openssl/crypto/evp/m_sha.c',
+ 'openssl/crypto/evp/m_sha1.c',
+ 'openssl/crypto/evp/m_sigver.c',
+@@ -420,12 +419,10 @@
+ 'openssl/crypto/lhash/lhash.c',
+ 'openssl/crypto/md4/md4_dgst.c',
+ 'openssl/crypto/md4/md4_one.c',
+ 'openssl/crypto/md5/md5_dgst.c',
+ 'openssl/crypto/md5/md5_one.c',
+- 'openssl/crypto/mdc2/mdc2_one.c',
+- 'openssl/crypto/mdc2/mdc2dgst.c',
+ 'openssl/crypto/mem.c',
+ 'openssl/crypto/mem_dbg.c',
+ 'openssl/crypto/modes/cbc128.c',
+ 'openssl/crypto/modes/ccm128.c',
+ 'openssl/crypto/modes/cfb128.c',
+@@ -1261,10 +1258,16 @@
+ # Heartbeat is a TLS extension, that couldn't be turned off or
+ # asked to be not advertised. Unfortunately this is unacceptable for
+ # Microsoft's IIS, which seems to be ignoring whole ClientHello after
+ # seeing this extension.
+ 'OPENSSL_NO_HEARTBEATS',
++
++ # Taken from Fedora package:
++ 'OPENSSL_NO_SRP',
++ 'OPENSSL_NO_GOST',
++ 'OPENSSL_NO_MDC2',
++ 'OPENSSL_NO_EC2M',
+ ],
+ 'openssl_default_defines_win': [
+ 'MK1MF_BUILD',
+ 'WIN32_LEAN_AND_MEAN',
+ 'OPENSSL_SYSNAME_WIN32',
+--
+2.7.4
+
diff --git a/nodejs-openssl-fix-no-srp.patch b/nodejs-openssl-fix-no-srp.patch
new file mode 100644
index 0000000..50f1227
--- /dev/null
+++ b/nodejs-openssl-fix-no-srp.patch
@@ -0,0 +1,23 @@
+From 249270c8047486892b64a169ff16567b506ec1cb Mon Sep 17 00:00:00 2001
+From: Richard Levitte
+Date: Fri, 22 Jul 2016 21:48:05 +0200
+Subject: [PATCH] Correct misspelt OPENSSL_NO_SRP
+
+RT#4619
+---
+ ssl/statem/statem_clnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+index b0f508c..5fb0080 100644
+--- a/ssl/statem/statem_clnt.c
++++ b/ssl/statem/statem_clnt.c
+@@ -2451,7 +2451,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
+
+ static int tls_construct_cke_srp(SSL *s, unsigned char **p, int *len, int *al)
+ {
+-#ifndef OPENSSL_NO_SRT
++#ifndef OPENSSL_NO_SRP
+ if (s->srp_ctx.A != NULL) {
+ /* send off the data */
+ *len = BN_num_bytes(s->srp_ctx.A);
diff --git a/nodejs-tarball.sh b/nodejs-tarball.sh
index e7e9613..947f7d6 100755
--- a/nodejs-tarball.sh
+++ b/nodejs-tarball.sh
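Review bot: In 0001-Use-Fedora-OpenSSL-build-flags.patch the new `COPT` value turns on `zlib`, `enable-md2` and `enable-rc5` for the bundled OpenSSL with no comment explaining why, and only the `no-*` half of the list is mirrored as `OPENSSL_NO_*` defines in the openssl.gypi hunk. MD2 and RC5 are legacy algorithms and `zlib` is the compile-time switch for compression support, so each one widens what the EPEL build of the library exposes; whether the gyp build actually picks any of them up cannot be seen from these hunks. I would add a comment above `COPT` such as `# Flag list copied from the Fedora openssl package; keep in sync with the defines list in openssl.gypi`, and drop any enable flag that Node itself does not need.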
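Review bot: nodejs-openssl-fix-no-srp.patch is added to the repository, but no `PatchN:` tag or `%patch` line for it appears in the nodejs.spec hunks of this commit, so as far as this diff shows it is never applied. It also targets `ssl/statem/statem_clnt.c`, a path that to my knowledge belongs to the OpenSSL 1.1.0 source layout, while the spec declares `Provides: bundled(openssl) = 1.0.2h`; against a 1.0.2 tree the hunk would have nothing to apply to. Either drop the file or wire it in under the `%if 0%{?rhel}` branch with a comment naming the OpenSSL release it is meant for. The hunk shows only the top of `tls_construct_cke_srp`; the rest of the function lies outside it.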
@@ -1,7 +1,35 @@
 #!/bin/sh
-
+SCRIPTROOT=$(pwd)
 version=$(rpm -q --specfile --qf='%{version}\n' nodejs.spec | head -n1)
-wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz
+
+if [ ! -e node-v${version}.tar.gz ]; then
+ wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz
+fi
+
 tar -zxf node-v${version}.tar.gz
-rm -rf node-v${version}/deps/openssl
-tar -zcf node-v${version}-stripped.tar.gz node-v${version}
+rm -rf node-v${version}/deps/openssl/openssl
+
+rm -rf openssl
+fedpkg clone -a openssl
+pushd openssl
+fedpkg prep
+openssl_version=$(rpm -q --specfile --qf='%{version}\n' openssl.spec | head -n1)
+
+pushd openssl-${openssl_version}
+git init
+git add .
+git commit -m "Initial commit" --no-gpg-sign
+./config
+pushd include/openssl
+#../../../../copy_symlink.sh *.h
+popd # include/openssl
+
+git add include/ crypto/opensslconf.h
+git commit -m "Include headers" --no-gpg-sign
+git clean -f
+popd # openssl-${openssl_version}
+
+popd # openssl
+mv openssl/openssl-${openssl_version} node-v${version}/deps/openssl/openssl
+
+tar -zcf node-v${version}-hobbled.tar.gz node-v${version}
diff --git a/nodejs.spec b/nodejs.spec
index 4ad2912..b2f68a9 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -63,7 +63,9 @@ Name: nodejs
 Epoch: 1
 Version: %{nodejs_version}
 # Keep this release > 100 for F25+ due to a complicated npm upgrade bug
-Release: 103%{?dist}
+# Always increase this release, never reset it to 1 until and unless we
+# bump epoch again
+Release: 103%{?dist}.8
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
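Review bot: In nodejs-tarball.sh the Node.js tarball is still fetched over plain HTTP and nothing checks its digest or signature, and the new `if [ ! -e node-v${version}.tar.gz ]` guard additionally reuses whatever file of that name already sits in the directory. Because this script produces Source0, I would fetch over TLS and verify before unpacking: `wget https://nodejs.org/dist/v${version}/SHASUMS256.txt` followed by `grep "node-v${version}.tar.gz\$" SHASUMS256.txt | sha256sum -c -`, ideally after checking the project's signature on that checksum file. Separately, the script keeps a `/bin/sh` shebang while now relying on `pushd`/`popd` and does not stop on errors, so a failed `fedpkg clone` or `pushd` would let `git init`, `git add .` and `git clean -f` run in the wrong directory; a bash shebang with errexit enabled would prevent that.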
@@ -72,9 +74,9 @@ URL: http://nodejs.org/ ExclusiveArch: %{nodejs_arches} # nodejs bundles openssl, but we use the system version in Fedora -# because openssl contains prohibited code, we remove openssl completely from -# the tarball, using the script in Source100 -Source0: node-v%{nodejs_version}-stripped.tar.gz +# because openssl contains prohibited code, we replace the bundled copy in the +# tarball with the current latest Fedora version, using the script in Source100 +Source0: node-v%{nodejs_version}-hobbled.tar.gz Source100: %{name}-tarball.sh # The native module Requires generator remains in the nodejs SRPM, so it knows @@ -90,6 +92,9 @@ Patch1: nodejs-disable-gyp-deps.patch # http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch Patch2: nodejs-use-system-certs.patch +# When building against the bundled OpenSSL, use the same flags as Fedora would +Patch3: 0001-Use-Fedora-OpenSSL-build-flags.patch + # build fails at configure when we build node v6.3.0 with shared libraries, # so we need to patch node.gyp too # this patch might be redundant in another release, since it seems to work with current upstream master @@ -102,8 +107,14 @@ BuildRequires: libicu-devel BuildRequires: zlib-devel BuildRequires: gcc >= 4.8.0 BuildRequires: gcc-c++ >= 4.8.0 -# Node.js requires some features from openssl 1.0.1 for SPDY support + +%if 0%{?fedora} +# Node.js requires some features from openssl 1.0.2 BuildRequires: openssl-devel >= 1:1.0.2 +%else +# EPEL currently builds with the OpenSSL pulled from Fedora and +# copied into the buildroot +%endif # we need the system certificate store when Patch2 is applied Requires: ca-certificates 
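Review bot: The OpenSSL conditionals in this commit do not test the same macro: the `@@ -102,8 +107,14 @@` hunk keys `BuildRequires: openssl-devel` on `%if 0%{?fedora}`, while the later hunks key the bundled-OpenSSL `Provides`, the `rm -rf deps/openssl` and `--shared-openssl` on `%if 0%{?rhel}`. On a build root that defines neither macro, the `%else` here drops the openssl-devel build dependency while the `%else` in %prep deletes the bundled copy and configures `--shared-openssl`, leaving the build with no OpenSSL headers to compile against. Using one test everywhere, for example `%if 0%{?rhel}` for the bundled case with `BuildRequires: openssl-devel >= 1:1.0.2` in its `%else`, keeps the three places in agreement. The commit message also says the requirement is relaxed to 1.0.1+, whereas the `%else` branch carries no requirement at all, only a comment.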
@@ -152,10 +163,21 @@ Provides: bundled(v8) = %{v8_version} Provides: bundled(http-parser) = %{http_parser_version} # Make sure we keep NPM up to date when we update Node.js +%if 0%{?rhel} +Requires: npm = %{npm_epoch}:%{npm_version} +%else Recommends: npm = %{npm_epoch}:%{npm_version} +%endif + Conflicts: npm < %{npm_epoch}:%{npm_version} +# On EPEL, we don't yet have a sufficiently-new version of OpenSSL, so +# we have to carry it bundled +%if 0%{?rhel} +Provides: bundled(openssl) = 1.0.2h +%endif + %description Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. @@ -218,11 +240,23 @@ The API documentation for the Node.js JavaScript runtime. rm -rf deps/uv \ deps/zlib +%if 0%{?rhel} +# On RHEL, we need to build the bundled (hobbled) OpenSSL +pushd deps/openssl/openssl +#./config +popd +%else +# On Fedora, we link with the system version, so completely +# delete the bundled openssl to be certain it doesn't get used. +rm -rf deps/openssl +%global CONFIGURE_OPENSSL --shared-openssl +%endif + # remove bundled CA certificates %patch2 -p1 rm -f src/node_root_certs.h -#%patch3 -p1 +%patch3 -p1 %build # build with debugging symbols and add defines from libuv (#892601) @@ -232,7 +266,7 @@ export CFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fno-de export CXXFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fno-delete-null-pointer-checks' ./configure --prefix=%{_prefix} \ - --shared-openssl \ + %{?CONFIGURE_OPENSSL} \ --shared-zlib \ --shared-libuv \ --without-dtrace \ @@ -372,6 +406,11 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Thu Sep 08 2016 Stephen Gallagher - 1:6.%.0-104 +- Prepare for EPEL 7 uplift +- Use %%{?epel} tag to maintain a single specfile +- Don't use weak dependencies in EPEL + * Mon Aug 29 2016 Zuzana Svetlikova - 1:6.5.0-103 - Update to 6.5.0
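Review bot: `Provides: bundled(openssl) = 1.0.2h` in the `@@ -152,10 +163,21 @@` hunk hard-codes a version, but nodejs-tarball.sh in this same commit bundles whatever `fedpkg clone -a openssl` checks out and only reads the version into `openssl_version` at tarball time. Once Fedora's openssl package moves on, the spec will advertise a different release from the one actually compiled in, and `bundled()` provides are what security tracking relies on to find packages affected by a library flaw. I would define the version once near the top of the spec, e.g. `%global openssl_version 1.0.2h`, use `Provides: bundled(openssl) = %{openssl_version}` here, and have the tarball script refuse to continue when the cloned version differs.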
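Review bot: In the `@@ -218,11 +240,23 @@` hunk `%patch3 -p1` is now applied unconditionally, but on the Fedora branch a few lines above `rm -rf deps/openssl` has already removed the files Patch3 edits (`deps/openssl/config/Makefile` and `deps/openssl/openssl.gypi`), so %prep should fail there. Guarding it the same way as the rest of the bundled-OpenSSL handling fixes that: `%if 0%{?rhel}`, `%patch3 -p1`, `%endif`. In the RHEL branch the `./config` call is commented out, so the `pushd`/`popd` pair does nothing; either remove it or extend the comment to say that the configured headers appear to come from the tarball script already.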