6.6 was declared the latest LTS. Therefore, upgrade to it.
Notable changes to the spec included a few perf changes.
libtraceevent is now a buildrequires as it is no longer shipped within the source [4171925aa9f3f7bf57b100238f148b50c45c3b1b]. Additionally, perf/examples/bpf was removed [5056c99e8d97e1129ff29826971eefbe345b6837] and the bpf include directory reworked[3b573bf318d894b4290e194c4d7dbcba8c1f6ead].
Finally, the configs for both x86_64 and aarch64 were brought to parity with 6.1.
When first migrating to openssl 3, we pretty kept the spec file like the upstream, including ./Configure flags. This change brings us back in line with what we had for AZL 2.0, which was openssl 1.1.1k.
Mostly these are either not really changes or things we had already decided on for AZL 2.0. There are, however, four flags that had been in the upstream that we're keeping (for now):
enable-ktls: This enables the use of Kernel-TLS (if available). See hard-code enable-ktls #6919.
enable-fips: This will likely be removed in a future change; working with an internal team on the right way to do this.
enable-buildtest-c++: Adds some unit tests with C++. Test-only and seems to do no harm so I left it in.
-Wl,--allow-multiple-definition: Necessary due to one or more of the patches we use; will remove in the future if possible.
Change the user-facing option HidepidDisabled to EnableHidepid to allow user to now opt-in to add hidepid settings.
This change inverts the default setting when no option is supplied to configure hidepid=0, which is more generally desired for better software compat for applications and system services. User can now opt-in to configure the tools to set up hidepid=2.
This change also simplifies the hidepid code by only accessing the option from the config right before use. This allows us to remove unnecessary function arguments passed through the various call layers.
Signed-off-by: Chris Co <chrco@microsoft.com>
For this commit, I analyzed all configs which were set to "y"/"m"
in the 5.15 kernel but "is not set" or missing in 6.1. I
determined whether they were supported, refactored, or depricated
in 6.1. In the first two cases, I enable the missing config or
its new equivalent.
This analysis was done by using a Mariner container, copying the
6.1 kernel source and running 'make menuconfig' until the missing
configs could all be explained via a commit in the kernel source.
Initial merge of openssl.spec included some BuildRequires and Requires statements that were not needed and had them formatted counter to our standard. This removes spurious *Requires statements and organizes sorts them with one per line.
Note that it's not easy to actually tell what's required -- some things will simply be there. For example, even without the BuildRequires: gcc, the compiler was already in the chroot we use to build. I made a best attempt from reading docs and experimenting.
The upstream openssl.spec decided whether to enabled ktls based on the architecture of the system.
After confirming that ktls is approved security-wise, this change removes the architecture-specific decision and just uses the flag directly.
The upstream openssl.spec has quite a bit of logic to figure out the correct architecture to pass to Configure, and figure out a couple flags. However, we only support two architectures and they're built on the target system, which Configure will figure out.
This change removes the logic and hard-codes the only flag that was relevant.
The upstream openssl.spec file uses a slightly different mechanism that our standard to specificy general compiler options. This change moves to our standard mechanism.
The upstream openssl spec has a redhat-specific config/compile flag. This change removes that, comments out a relevant patch and adds a patch to disable tests that fail due to the change.
The tests we disable are the dsa tests that use sha1, which is currently disabled due to FIPS. I believe that this is technically supposed to work, because it will pick up the fact that it's disabled and only do the relevant tests (based on this commit), but some of our patches seem to muck with that.
Right now I'm focusing on fixing config flags and will then move on to patches, so disabling the tests makes the most sense for now.
openssl's check section failed because of a conflict between a test patch file and modifications to other patches and config.
This change fixes that patch file and all tests pass.
rlmenge
Chris Gunn
Daniel McIlvaney
Neha Agarwal
Riken Maharjan
Adub17030MS
nicolas guibourge
Mykhailo Bykhovtsev
George Mileka
Tobias Brick
Cameron E Baird
Andrew Phelps
Christopher Co
jslobodzian
Pawel Winogrodzki
Dan Streetman