Commit Graph

721 Commits

Author SHA1 Message Date
Vít Ondruch
c913e4326c Drop patch which was needed for alexandria
It seems it build just fine now.
2024-06-06 19:13:11 +02:00
Vít Ondruch
93638d9e58 Upgrade to Ruby 3.3.2.
Resolves: rhbz#2284020
2024-06-06 16:07:59 +02:00
Vít Ondruch
677893973e Make sure fortification flags are applied
This is example of current build options:

~~~
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0      -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c
~~~

Please note that there are included Fedora options:

~~~
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3
~~~

as well as upstream options:

~~~
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
~~~

The problem is that the configure script cannot properly detect
`_FORTIFY_SOURCE=3` and instead of replacing that option, it includes
new definition \[[1]\]. This happens since Fedora started to use
`_FORTIFY_SOURCE=3` option. To mitigate this issue, upstream
fortification was disabled (this might or might not stay disabled
"forever").

These are the build options with this change applied for comparison:

~~~
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0      -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c
~~~

[1]: https://bugs.ruby-lang.org/issues/20520
2024-06-05 16:29:24 +02:00
Vít Ondruch
d9051618e3 Adjust the test to updated checksec output.
`checksec` output since v2.7.0 become more nuanced. Previously, the
`FORTIFY` could become just `Yes` / `No`. Now it can have also `Partial`
state, which better describe our situation.

Currently if e.g. `Fortifiable=28` and `Fortified=11`, that means that the
fortification is just partial and another 17 functions could be
fortified.

Also, check the numbers specifically, because this seems to be the
interesting information. Unfortunatelly, the results differ between
platforms.

Last but not least, use `sed` to analyze the output, because this allows to
always display the processed text. The trick comes from \[[1]\].

On top of this, use XML formatted output, which provides more context to
reader.

[1]: https://unix.stackexchange.com/questions/366/convince-grep-to-output-all-lines-not-just-those-with-matches

Resolves: rhbz#2282953
2024-06-05 09:45:17 +02:00
Vít Ondruch
ff5301a5f3 Fix patch to apply cleanly. 2024-04-24 17:35:38 +02:00
Vít Ondruch
c649282efb Upgrade to Ruby 3.3.1. 2024-04-24 12:31:33 +02:00
Vít Ondruch
4ff7de7007 License review and clarification 2024-04-12 17:28:42 +02:00
Vít Ondruch
5da6a15c57 Ruby bundled NKF, add appropriate bundled provide and test 2024-04-12 17:26:16 +02:00
Vít Ondruch
a34f33bc50 Fix FTBFS caused by OpenSSL 3.2.1 update. 2024-03-06 15:14:30 +01:00
Vít Ondruch
3008410463 Merge #169 Use gem macros for rubygem-rbs subpackage. 2024-01-26 15:04:52 +00:00
Vít Ondruch
ac77c2a354 Use gem macros for rubygem-rbs subpackage.
This were apparenlyt overlooked previously.
2024-01-26 14:16:50 +01:00
Jarek Prokop
aa7e8debee Revert adding AI_ADDRCONFIG flag to getaddrinfo(3) calls.
It is causing problems when network is in certain, valid, configuration.
The point of it is to workaround a glibc bug that is not present for us.
https://bugs.ruby-lang.org/issues/20208

To reproduce, have IPv6 enabled localhost but only IPv4
interfaces (such as eth0, name and count of them may vary based on system)
to disable public interfaces via sysctl:
`$ sysctl "net.ipv6.conf.<interface>.disable_ipv6=1"`
Where <interface> is NOT lo but can be eth0 or other.

Confirm with command `$ ip addr` command that only `lo`
interface has IPv6 address.

and run the following with Ruby 3.3:
~~~
$ ruby -rnet/http -e 'http = Net::HTTP.new("localhost", 8080); http.local_host = Addrinfo.tcp("localhost", 8080).ip_address; p http.get("/")'
~~~
The error is then related to EAFNOSUPPORT:
```
Errno::EAFNOSUPPORT: Failed to open TCP connection to localhost:37337 (Address family not supported by protocol - bind(2) for "::1" port 45395)
```

running above Ruby command with `strace` suggest that
there is an attempt to bind with AF_INET6
using an AF_INET socket, however, only if the reproducer above
attempts to set the `http.local_host` with Addrinfo.

From upstream issue #20208:
"This is calling getaddrinfo to resolve "localhost" for us to use
it as the local side of the connection. Because Ruby does not know
what you intend to do with this IP address, it does not make the request
with AI_ADDRCONFIG. Thus, you get an IPv6 result returned,
since there is an IPv6 addres for localhost!"
2024-01-26 13:54:20 +01:00
Fedora Release Engineering
066e0a3d6d Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-22 12:17:40 +00:00
Jarek Prokop
308b2c0ab2 Fix compiling coroutines with aarch64's branch protection.
Armv8.3+ capable CPUs might segfault with incorrect compilation options.
See related upstream report: https://bugs.ruby-lang.org/issues/20085

We have hit this on COPR which uses [0] c7g.xlarge AWS flavor for aarch64
architecture builds. This machine flavor seems to fall into the ARMv8.3+
range.

Fedora CFLAGS come with `-mbranch-protection=standard` which means that
both BTI and the PAC protections are used. The option is equivalent
to `-mbranch-protection=pac-ret+bti`.

However, since the upstream configure.ac automatically appends
`-mbranch-protection=pac-ret`, the BTI protection is not used
as the last used option seems to overwrite [1] the Fedora
default for this.

To resolve both of these issues, of BTI being skipped and the potential
segfaults a patch is applied.

To fix segfaults an upstream patch was applied [2].

To fix the issue of overridden option I have patched the
configure.ac file to check for the `=standard` first when searching for a usable
`-mbranch-protection` option.

The overriding of our options was reported upstream:
<https://bugs.ruby-lang.org/issues/20154>
In the same issue I provided the extension of compilation option as an
attachment, to showcase a workaround that fixes the situation in Fedora.

[0] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y4GPCGQAZT2LJ5CE7MTIEFKGAPP6O2DW/>
[1] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/QWLEBS4YQH73HJNNLKCCGIIOU3SSXAYK/>
[2] <02973b78f4>
2024-01-15 16:38:51 +01:00
Vít Ondruch
05a6c9c8f3 Upgrade to Ruby 3.3.0.
Resolves: rhbz#2255918
2024-01-02 18:52:33 +01:00
Vít Ondruch
f195b6a3c8 Drop attempt to disable JIT test on i686
The was renamed test_jit.rb → test_mjit.rb in Ruby 3.2:

ead96e7b44

Therefore this is alread no-op and we can just drop it.
2023-12-07 13:22:00 +01:00
Jarek Prokop
321ed23c22 Update ticket reference for disabled tests on x86.
Tests fail with a LANG=C environment. A new investigation into the
failing tests on x86 revealed exact commits which introduced the issue
and the commits that fixed the situation. Fix is not yet present in Ruby
3.2, therefore the conditional disabling the tests was left in.
A new re-reported ticket replaced the old one. The new upstream ticket
includes better detailed description of the environment causing the
issue.

The tests pass in Rawhide mock (F40), as the LANG there is C.UTF-8
that does not suffer from the issue.

Upstream ticket: https://bugs.ruby-lang.org/issues/20045
2023-12-07 12:01:03 +01:00
Jarek Prokop
ba498ce48c armv7hl is no longer one of arches we build on.
No point in keeping dead conditional around.
2023-11-29 20:11:24 +01:00
Jun Aruga
8d5b538747 ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter
When the dependant openssl-libs was upgraded from 1:3.1.1-4.fc40 to
1:3.1.4-1.fc40, Fedora rawhide started to fail on Koschei.

This commit fixes the following failures in OpenSSL FIPS.

```
+ make -C redhat-linux-build runruby 'TESTRUN_SCRIPT=   -I/builddir/build/BUILD/ruby-3.2.2/tool/lib --enable-gems   /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.2.2 --verbose'
...
  1) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:38]:
assert_separately failed with error message
pid 93968 exit 1
| /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in `<class:SSLContext>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in `<module:SSL>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in `<module:OpenSSL>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in `<top (required)>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `require_relative'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `<top (required)>'
| >-from -:in `require'
  2) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:12]:
assert_separately failed with error message
pid 93969 exit 1
| /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in `<class:SSLContext>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in `<module:SSL>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in `<module:OpenSSL>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in `<top (required)>'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `require_relative'
| >-from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `<top (required)>'
| >-from -:in `require'
Finished tests in 0.166449s, 72.0941 tests/s, 342.4468 assertions/s.
12 tests, 57 assertions, 2 failures, 0 errors, 1 skips
```

The commit was ported from CentOS Stream rpms/ruby stream-ruby-3.1-rhel-9.4.0 branch:
<59242d8ce8>.
2023-11-09 17:58:10 +01:00
Vít Ondruch
5fd12c42e7 Cache Gem.default_dir
RubyGems do internally the same \[[1]\]. This should help with:

1) Performance (not tested)
2) Running RubyGems test suite (main motivation), which actually
   overrides the `@default_dir` \[[2]\] to be able to place test content
   into dedicated directory.

[1]: f8e87eba76/lib/rubygems/defaults.rb (L38)
[2]: f8e87eba76/test/rubygems/helper.rb (L372)
2023-11-03 17:12:13 +01:00
Vít Ondruch
d432c95c15 Remove spaces from changelog NVR. 2023-11-03 12:24:38 +01:00
Jarek Prokop
393e74f1e0 Fix bundled provide net-http-persistent typo. 2023-11-02 16:06:07 +01:00
Jun Aruga
1f35109c5e Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. 2023-09-22 12:54:53 +02:00
Fedora Release Engineering
64dc6dd3e4 Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-21 17:14:32 +00:00
Jarek Prokop
814eaf5324 Re-enable FFI related tests.
libffi since NVR libffi-3.4.4-3.fc39 builds with static trampolines
enabled. This fixes the failures which were the reason for disabling
the tests.

Since it recently landed in Rawhide, we can re-enable the tests.
2023-07-12 10:30:51 +02:00
Pavel Valena
da8822cd33 Use new %patch macro
instead of %patchN, as advised by warning:

%patchN is deprecated (11 usages found), use %patch N (or %patch -P N)
2023-05-03 11:11:47 +02:00
Vít Ondruch
9e39fd242a Upgrade to Ruby 3.2.2.
Resolves: rhbz#2183284
2023-03-31 15:27:47 +02:00
Vít Ondruch
31778c5ebd Use %{_fileattsdir} for RPM macro generator. 2023-03-08 13:11:49 +01:00
Vít Ondruch
8f9fe41ba6 Use %{_rpmmacrodir} for RPM macros. 2023-03-08 13:09:30 +01:00
Vít Ondruch
59f62d6bc9 Upgrade to Ruby 3.2.1.
Resolves: rhbz#2168292
2023-02-10 10:45:13 +01:00
Vít Ondruch
65acd291de yaml and libffi sources are not bundled anymore.
https://bugs.ruby-lang.org/issues/18571
2023-02-09 14:22:39 +01:00
Miro Hrončok
9c8400d99a Don't Suggest rubypick when built without rubypick 2023-01-25 12:06:23 +01:00
Fedora Release Engineering
d46ef9bbf3 Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-20 20:05:46 +00:00
Vít Ondruch
ff0f48acd6 Fix ELN FTBFS due to stronger crypto settings. 2023-01-05 10:30:24 +01:00
Vít Ondruch
22597b6039 Fix compatibilty with rpmlint 2.0+
Revert "ruby.rpmlintrc: Add a filter for "E: shared-lib-without-dependency-information"."

This reverts commit aee17a2180.

This is not needed anymore, because Zuul runs rpmlint 2.0+ already.
2023-01-02 18:20:46 +01:00
Vít Ondruch
c4043528c1 The missing-call-to-chdir-with-chroot test was removed in rpmlint 2.0
83f915a54d
2023-01-02 18:16:58 +01:00
Vít Ondruch
be9fcec798 gem.build_complete is corectly recognized by rpmlint 2.0+ 2023-01-02 18:13:01 +01:00
Vít Ondruch
f2899ee090 Upgrade to Ruby 3.2.0.
For details of the evolution please check `private-ruby-3.2` branch.
2023-01-02 18:09:09 +01:00
Yaakov Selkowitz
25858e766a Add upstream patches to avoid SHA1 usage in ossl 2022-12-22 11:37:52 -05:00
Vít Ondruch
f8ef5964d0 Fix for tzdata-2022g. 2022-12-21 16:11:40 +01:00
Vít Ondruch
b1748af87f Fix CGI causing issue with leading '.' in domain names.
The original issue broke rubygem-actionpack:

https://github.com/rails/rails/issues/46578
https://github.com/rails/rails/pull/46595

rubygem-rack:

https://github.com/rack/rack/pull/1988

And rack-test (where I have not checked details).
2022-12-08 18:06:47 +01:00
Vít Ondruch
2cdb051166 Disable MJIT test cases on i686 due to issues with PCH. 2022-12-08 18:06:11 +01:00
Vít Ondruch
9819174c8d Use --enable-mkmf-verbose configuration opiton instead of patch.
https://github.com/ruby/ruby/pull/5879
2022-11-28 12:20:25 +01:00
Vít Ondruch
649a6e3083 Upgrade to Ruby 3.1.3. 2022-11-28 12:20:25 +01:00
Vít Ondruch
1d0c071aeb Revert "Re-enable package notes."
This reverts commit 588a4ae9f0, because it
causes additional issues:

https://bugzilla.redhat.com/show_bug.cgi?id=2043092#c67
2022-11-22 18:24:53 +01:00
Jun Aruga
79d75fdcdd Bypass git submodule test failure on Git >= 2.38.1. 2022-11-03 10:59:34 +01:00
Vít Ondruch
588a4ae9f0 Re-enable package notes.
The rhbz#2043092 is not resolved. Nevertheless, the generation of
package notes should not break builds of rubygem- packages anymore.
Nevertheless, the additional linker options will keep making issues for
`gem install`ed gems. Nothing new here unfortunately.
2022-09-29 09:27:19 +02:00
Jarek Prokop
c2026da175 Disable Fiddle test cases making use of FFI closure.
Fiddle::Closure object is making use of FFI closure
from libffi. When such object is created (instantiated) in Ruby,
and then the process forks on an SELinux-enabled system, the memory
will become corrupted. That is usually not a problem until the
The garbage collector sweeps the object and tries to free it, in which case the
Ruby process will fail with signal SIGABRT.

Tests in test/fiddle/test_closure.rb, test/fiddle/test_func.rb,
and test/fiddle/test_function.rb use the `Fiddle::Closure` class
directly and fiddle/test_import.rb use the class indirectly through
`bind_function` method, therefore they are disabled to prevent
introducing the problematic object into the Ruby GC during test suite
execution instead of relying on that fork and subsequent
garbage collection will not happen.

If an FFI closure object is allocated in Ruby
and the `fork` function is used afterward, the memory
pointing to the closure gets corrupted, and if Ruby GC
tries to collect the object in that state, a SIGABRT
error occurs.

The minimal Ruby reproducer for the issue is the following:
~~~
$ cat fiddle_fork.rb
require 'fiddle/closure'
require 'fiddle/struct'

Fiddle::Closure.new(Fiddle::TYPE_VOID, [])

fork { }

GC.start
~~~

We allocate an unused Closure object,
so it is free for the GC to pick up. Before we call `GC.start`
we fork the process as that corrupts the memory.

Running this with ruby-3.1.2-167.fc37.x86_64 on SELinux enabled system:
~~~
$ ruby fiddle_fork.rb
Aborted (core dumped)
~~~

Such issues may appear at random (depending on the use of forking and GC)
in larger applications that use Fiddle::Closure but can be spotted by the
following functions appearing in the coredump backtrace:
~~~
0x00007f6284d3e5b3 in dlfree (mem=<optimized out>) at ../src/dlmalloc.c:4350
0x00007f6284d6d0b1 in dealloc () from /usr/lib64/ruby/fiddle.so
0x00007f6295e432ec in finalize_list () from /lib64/libruby.so.3.1
0x00007f6295e43420 in finalize_deferred.lto_priv () from /lib64/libruby.so.3.1
0x00007f6295e4ff1c in gc_start_internal.lto_priv () from /lib64/libruby.so.3.1
~~~

Possible solutions to prevent Ruby from crashing:
* Do not use Fiddle::Closure.
* Use the Fiddle::Closure object only in isolated subprocess that
  will not fork further.
* Enable static trampolines in libffi as noted in bugzilla comment:
  <https://bugzilla.redhat.com/show_bug.cgi?id=2040380#c9>

See related discussion on
<https://bugzilla.redhat.com/show_bug.cgi?id=2040380>

Ruby upstream ticket:
<https://bugs.ruby-lang.org/issues/18914>

Ruby Fiddle ticket:
<https://github.com/ruby/fiddle/issues/102>
2022-09-02 14:54:35 +02:00
Jun Aruga
3f106c188e Add IRB to ruby-bundled-gems recommends.
Resolves: rhbz#2120562
2022-08-29 15:11:15 +02:00
Jun Aruga
bf921512e2 Make RDoc soft dependnecy in IRB.
Resolves: rhbz#2119964
2022-08-29 15:05:44 +02:00