From 56f8171c01fca13afbfd6e184ed04b505e6d6018 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 2 Apr 2024 16:05:09 +0200
Subject: [PATCH] Rebase to the latest upstream version
- Rebase to the latest upstream version
- Use NSS as cryptography library (RHEL-22013)
Resolves: RHEL-22013
---
....3.10-fix_sysctl_probe_tests-PR-2050.patch | 165 ------------------
openscap-1.3.9-c99-libxml2.patch | 41 -----
openscap-1.3.9-c99-python.patch | 25 ---
openscap-1.3.9-includes.patch | 33 ----
openscap-1.3.9-perlpath.patch | 121 -------------
openscap.spec | 164 ++---------------
sources | 2 +-
7 files changed, 19 insertions(+), 532 deletions(-)
delete mode 100644 openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch
delete mode 100644 openscap-1.3.9-c99-libxml2.patch
delete mode 100644 openscap-1.3.9-c99-python.patch
delete mode 100644 openscap-1.3.9-includes.patch
delete mode 100644 openscap-1.3.9-perlpath.patch
diff --git a/openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch b/openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch
deleted file mode 100644
index b0f28e7..0000000
--- a/openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From f8366b395b977392d724c6cc84c7295590c39ee8 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Tue, 7 Nov 2023 20:01:44 +0100 -Subject: [PATCH] Fix tests/probes/sysctl_all - -The test will now automatically adapt to the list of readable -variables and won't break every time a new root-readable variable -is introduced in kernel. ---- - tests/probes/sysctl/test_sysctl_probe_all.sh | 144 +++++++------------ - 1 file changed, 50 insertions(+), 94 deletions(-) - -diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh -index f1834059fb..efaa31b9b1 100755 ---- a/tests/probes/sysctl/test_sysctl_probe_all.sh -+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh -@@ -8,98 +8,57 @@ set -e -o pipefail - # non root users - PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin - --# non root users are not able to access some kernel params, so they get excluded --SYSCTL_EXCLUDE=' -- dev.parport.parport0.autoprobe -- dev.tty.legacy_tiocsti -- fs.protected_hardlinks -- fs.protected_fifos -- fs.protected_regular -- fs.protected_symlinks -- kernel.cad_pid -- kernel.unprivileged_userns_apparmor_policy -- kernel.apparmor_display_secid_mode -- kernel.usermodehelper.bset -- kernel.usermodehelper.inheritable -- net.core.bpf_jit_harden -- net.core.bpf_jit_kallsyms -- net.core.bpf_jit_limit -- net.ipv4.tcp_fastopen_key -- stable_secret -- vm.mmap_rnd_bits -- vm.mmap_rnd_compat_bits -- vm.stat_refresh' -- --SYSCTL_EXCLUDE_REGEX="$(printf '\|%s' $SYSCTL_EXCLUDE)" --# strip leading '\|' --SYSCTL_EXCLUDE_REGEX=${SYSCTL_EXCLUDE_REGEX:2} -- - function perform_test { --probecheck "sysctl" || return 255 -- --name=$(basename $0 .sh) -- --result=$(mktemp ${name}.res.out.XXXXXX) --stderr=$(mktemp ${name}.err.out.XXXXXX) --ourNames=$(mktemp ${name}.our.out.XXXXXX) --sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX) -- --echo "Result file: $result" --echo "Our names file: $ourNames" --echo "Sysctl names file: 
$sysctlNames" --echo "Errors file: $stderr" -- --$OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr -- --case $(uname) in -- FreeBSD) -- sysctl -aN 2> /dev/null > "$sysctlNames" -- ;; -- Linux) -- # sysctl has duplicities in output -- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'" -- # kernel parameters might use "/" and "." separators interchangeably - normalizing -- sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_EXCLUDE_REGEX | tr "/" "." | sort -u > "$sysctlNames" -- ;; --esac -- --grep unix-sys:name "$result" | grep -v $SYSCTL_EXCLUDE_REGEX | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" -- --# If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh --# options from the sysctl output, for more details see --# https://github.com/OpenSCAP/openscap/issues/1152. --procps_ver="$(package_version procps-ng procps)" -- --lowest_ver=$(echo -e "3.3.12\n$procps_ver" | sort -V | head -n1) --if [ "$procps_ver" != "$lowest_ver" ]; then -- sed -i '/net.ipv6.conf.*stable_secret$/d' "$sysctlNames" -- sed -i '/.*vm.stat_refresh/d' "$sysctlNames" --fi -- --if ! grep -q "hugepages" "$ourNames"; then -- sed -i "/^.*hugepages.*$/d" "$sysctlNames" --fi -- --echo "Diff (sysctlNames / ourNames): ------" --diff "$sysctlNames" "$ourNames" --echo "-------------------------------------" -- --# remove oscap error message related to permissions from stderr --sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr" --sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr" -- --# remove oscap error message related to gibberish binary entries --# that can't fit into 8K buffer and result in errno 14 --# (for example /proc/sys/kernel/spl/hostid could be the case) --sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr" --sed -i "/^.*hugepages.*$/d" "$stderr" -- --echo "Errors (without messages related to permissions):" --cat "$stderr" -- --[ ! 
-s $stderr ] -- --rm $stderr $result $ourNames $sysctlNames -+ probecheck "sysctl" || return 255 -+ -+ name=$(basename $0 .sh) -+ -+ result=$(mktemp ${name}.res.out.XXXXXX) -+ stderr=$(mktemp ${name}.err.out.XXXXXX) -+ ourNames=$(mktemp ${name}.our.out.XXXXXX) -+ sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX) -+ -+ echo "Result file: $result" -+ echo "Our names file: $ourNames" -+ echo "Sysctl names file: $sysctlNames" -+ echo "Errors file: $stderr" -+ -+ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr -+ -+ case $(uname) in -+ FreeBSD) -+ sysctl -aN 2> /dev/null > "$sysctlNames" -+ ;; -+ Linux) -+ # sysctl has duplicities in output -+ # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'" -+ # kernel parameters might use "/" and "." separators interchangeably - normalizing -+ sysctl -a --deprecated 2> /dev/null | tr "/" "." | cut -d "=" -f 1 | tr -d " " | sort -u > "$sysctlNames" -+ ;; -+ esac -+ -+ grep unix-sys:name "$result" | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" -+ -+ echo "Diff (sysctlNames / ourNames): ------" -+ diff "$sysctlNames" "$ourNames" -+ echo "-------------------------------------" -+ -+ # remove oscap error message related to permissions from stderr -+ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr" -+ sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr" -+ -+ # remove oscap error message related to gibberish binary entries -+ # that can't fit into 8K buffer and result in errno 14 -+ # (for example /proc/sys/kernel/spl/hostid could be the case) -+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr" -+ sed -i "/^.*hugepages.*$/d" "$stderr" -+ -+ echo "Errors (without messages related to permissions):" -+ cat "$stderr" -+ -+ [ ! -s $stderr ] -+ -+ rm $stderr $result $ourNames $sysctlNames - } - - perform_test 
diff --git a/openscap-1.3.9-c99-libxml2.patch b/openscap-1.3.9-c99-libxml2.patch deleted file mode 100644 index faa73d4..0000000 --- a/openscap-1.3.9-c99-libxml2.patch +++ /dev/null @@ -1,41 +0,0 @@ -Fix type of libxml2 error callback function - -Current libxml2 uses void(void *user, const xmlError *error), -previously void(void *user, xmlError *error) was used. Switch the -function definition to the current type and add a cast to avoid -incompatible-pointer-types errors with newer compilers building -against older libxml2. - -Submitted upstream: x - -diff --git a/src/source/validate.c b/src/source/validate.c -index da8c46dcb185c3fe..ffc54f55031746fc 100644 ---- a/src/source/validate.c -+++ b/src/source/validate.c -@@ -46,7 +46,7 @@ struct ctxt { - char *filename; - }; - --static void oscap_xml_validity_handler(void *user, xmlErrorPtr error) -+static void oscap_xml_validity_handler(void *user, const xmlError *error) - { - struct ctxt * context = (struct ctxt *) user; - -@@ -111,7 +111,7 @@ static inline int oscap_validate_xml(struct oscap_source *source, const char *sc - goto cleanup; - } - -- xmlSchemaSetParserStructuredErrors(parser_ctxt, oscap_xml_validity_handler, &context); -+ xmlSchemaSetParserStructuredErrors(parser_ctxt, (xmlStructuredErrorFunc) oscap_xml_validity_handler, &context); - - schema = xmlSchemaParse(parser_ctxt); - if (schema == NULL) { -@@ -125,7 +125,7 @@ static inline int oscap_validate_xml(struct oscap_source *source, const char *sc - goto cleanup; - } - -- xmlSchemaSetValidStructuredErrors(ctxt, oscap_xml_validity_handler, &context); -+ xmlSchemaSetValidStructuredErrors(ctxt, (xmlStructuredErrorFunc) oscap_xml_validity_handler, &context); - - doc = oscap_source_get_xmlDoc(source); - if (!doc) diff --git a/openscap-1.3.9-c99-python.patch b/openscap-1.3.9-c99-python.patch deleted file mode 100644 index 5f7548e..0000000 --- a/openscap-1.3.9-c99-python.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -Python bindings: Do not reuse $result for pointer conversion result - -The $result variable may be a pointer, but SWIG_ConvertPtr returns -an int. This change avoids a compilation failure with current -compilers due to a C type error. - -Submitted upstream: x - -diff --git a/swig/openscap.i b/swig/openscap.i -index 219e1aa3c9ddf28b..6f29fc23c808bcfc 100644 ---- a/swig/openscap.i -+++ b/swig/openscap.i -@@ -64,9 +64,9 @@ - } - - %typemap(in) void * { -- $result = SWIG_ConvertPtr($input,%as_voidptrptr(&$1), 0, $disown); -- if (!SWIG_IsOK($result)) { -- %argument_fail($result, "$type", $symname, $argnum); -+ int ptrres = SWIG_ConvertPtr($input,%as_voidptrptr(&$1), 0, $disown); -+ if (!SWIG_IsOK(ptrres)) { -+ %argument_fail(ptrres, "$type", $symname, $argnum); - } - } - diff --git a/openscap-1.3.9-includes.patch b/openscap-1.3.9-includes.patch deleted file mode 100644 index e314e89..0000000 --- a/openscap-1.3.9-includes.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -diff -ru openscap-1.3.9/src/common/xml_iterate.c openscap-1.3.9.new/src/common/xml_iterate.c ---- openscap-1.3.9/src/common/xml_iterate.c 2023-09-06 16:04:46.000000000 +0200 -+++ openscap-1.3.9.new/src/common/xml_iterate.c 2023-11-27 03:13:21.931933518 +0100 -@@ -22,6 +22,7 @@ - #endif - - #include -+#include - #include "debug_priv.h" - #include "xml_iterate.h" - #include "oscap_helpers.h" -diff -ru openscap-1.3.9/src/OVAL/results/oval_cmp_evr_string.c openscap-1.3.9.new/src/OVAL/results/oval_cmp_evr_string.c ---- openscap-1.3.9/src/OVAL/results/oval_cmp_evr_string.c 2023-09-06 16:04:46.000000000 +0200 -+++ openscap-1.3.9.new/src/OVAL/results/oval_cmp_evr_string.c 2023-11-27 03:18:23.003882498 +0100 -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include "oval_cmp_evr_string_impl.h" - #include "oval_definitions.h" - #include "oval_types.h" -diff -ru openscap-1.3.9/src/source/bz2.c openscap-1.3.9.new/src/source/bz2.c ---- openscap-1.3.9/src/source/bz2.c 2023-09-06 16:04:46.000000000 +0200 -+++ openscap-1.3.9.new/src/source/bz2.c 2023-11-27 03:32:20.069323771 +0100 -@@ -26,6 +26,7 @@ - #endif - - #include -+#include - #include - #include - #ifdef OS_WINDOWS diff --git a/openscap-1.3.9-perlpath.patch b/openscap-1.3.9-perlpath.patch deleted file mode 100644 index ef8ef59..0000000 --- a/openscap-1.3.9-perlpath.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From f997cee6f74f4698aadc136b821bc0d5875c59de Mon Sep 17 00:00:00 2001 -From: Stephen L Arnold -Date: Tue, 11 Jul 2023 17:49:10 -0700 -Subject: [PATCH 1/3] make default perl install path respect - CMAKE_INSTALL_PREFIX - -Signed-off-by: Stephen L Arnold ---- - swig/perl/CMakeLists.txt | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt -index 057b365bf7..5ce41e9fa8 100644 ---- a/swig/perl/CMakeLists.txt -+++ b/swig/perl/CMakeLists.txt -@@ -1,6 +1,8 @@ - include(UseSWIG) - include(FindPerlLibs) - -+string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR) -+ - set(CMAKE_SWIG_FLAGS "-module" "openscap_pm") - if (${CMAKE_VERSION} VERSION_LESS "3.8.0") - swig_add_module(openscap_pm perl5 ../openscap.i) -@@ -20,7 +22,7 @@ if (APPLE OR (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD")) - DESTINATION ${CMAKE_INSTALL_DATADIR}/perl5/vendor_perl) - else() - install(TARGETS ${SWIG_MODULE_openscap_pm_REAL_NAME} -- DESTINATION ${PERL_VENDORLIB}) -+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/${PERL_VERSION_MINOR}) - install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/openscap_pm.pm -- DESTINATION ${PERL_VENDORARCH}) -+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/vendor_perl/${PERL_VERSION_MINOR}) - endif() - -From 6549f7f3142fa071966a6b7c97cd1b85edece990 Mon Sep 17 00:00:00 2001 -From: Stephen L Arnold -Date: Thu, 14 Dec 2023 16:06:34 -0800 -Subject: [PATCH 2/3] chg: dev: use cmake vendor paths for perl install - defaults - -* also display both vendor/non-vendor system paths in linux envs - -Signed-off-by: Stephen L Arnold ---- - CMakeLists.txt | 4 ++++ - swig/perl/CMakeLists.txt | 10 ++++++++-- - 2 files changed, 12 insertions(+), 2 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 6244980583..d43993bce5 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -463,6 +463,10 @@ message(STATUS " ") - message(STATUS "Language bindings:") - message(STATUS "python3 bindings: 
${ENABLE_PYTHON3}") - message(STATUS "perl bindings: ${ENABLE_PERL}") -+message(STATUS "perl vendorlib: ${PERL_VENDORLIB}") -+message(STATUS "perl vendorarch: ${PERL_VENDORARCH}") -+message(STATUS "perl privlib: ${PERL_PRIVLIB}") -+message(STATUS "perl archlib: ${PERL_ARCHLIB}") - message(STATUS " ") - - message(STATUS "Utilities:") -diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt -index 5ce41e9fa8..789394636c 100644 ---- a/swig/perl/CMakeLists.txt -+++ b/swig/perl/CMakeLists.txt -@@ -3,6 +3,12 @@ include(FindPerlLibs) - - string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR) - -+# process cmake vendor paths to respect install prefix, use as Linux defaults below -+STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORARCH "${PERL_VENDORARCH}") -+STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORLIB "${PERL_VENDORLIB}") -+message(STATUS "perl install libdir: ${PERL_VENDORARCH}") -+message(STATUS "perl install archdir: ${PERL_VENDORLIB}") -+ - set(CMAKE_SWIG_FLAGS "-module" "openscap_pm") - if (${CMAKE_VERSION} VERSION_LESS "3.8.0") - swig_add_module(openscap_pm perl5 ../openscap.i) -@@ -22,7 +28,7 @@ if (APPLE OR (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD")) - DESTINATION ${CMAKE_INSTALL_DATADIR}/perl5/vendor_perl) - else() - install(TARGETS ${SWIG_MODULE_openscap_pm_REAL_NAME} -- DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/${PERL_VERSION_MINOR}) -+ DESTINATION ${PERL_VENDORARCH}/auto/openscap_pm/) - install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/openscap_pm.pm -- DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/vendor_perl/${PERL_VERSION_MINOR}) -+ DESTINATION ${PERL_VENDORARCH}) - endif() - -From f70f38ecaf659474e69c902454f3bfcfedc89cc0 Mon Sep 17 00:00:00 2001 -From: Stephen L Arnold -Date: Fri, 15 Dec 2023 16:44:53 -0800 -Subject: [PATCH 3/3] check for default prefix before (possibly) munging with - prefix string - -Signed-off-by: Stephen L Arnold ---- - swig/perl/CMakeLists.txt | 7 +++++-- - 1 file changed, 5 
insertions(+), 2 deletions(-) - -diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt -index 789394636c..ca4d2705e2 100644 ---- a/swig/perl/CMakeLists.txt -+++ b/swig/perl/CMakeLists.txt -@@ -4,8 +4,11 @@ include(FindPerlLibs) - string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR) - - # process cmake vendor paths to respect install prefix, use as Linux defaults below --STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORARCH "${PERL_VENDORARCH}") --STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORLIB "${PERL_VENDORLIB}") -+if (NOT CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) -+ STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORARCH "${PERL_VENDORARCH}") -+ STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORLIB "${PERL_VENDORLIB}") -+endif() -+ - message(STATUS "perl install libdir: ${PERL_VENDORARCH}") - message(STATUS "perl install archdir: ${PERL_VENDORLIB}") - diff --git a/openscap.spec b/openscap.spec index bc1fab0..c4cc6e4 100644 --- a/openscap.spec +++ b/openscap.spec @@ -1,6 +1,6 @@ Name: openscap -Version: 1.3.9 -Release: 6%{?dist} +Version: 1.3.10 +Release: 1%{?dist} Epoch: 1 Summary: Set of open source libraries enabling integration of the SCAP line of standards License: LGPL-2.1-or-later 
@@ -14,70 +14,17 @@ for integration of the SCAP line of standards. SCAP is a line of standards managed by NIST with the goal of providing a standard language for the expression of Computer Network Defense related information.} - -# By default build with checks (time consuming) -%bcond_without check - -# By default fedora package is built with apt -%if 0%{?fedora} -%bcond_without apt -%else -# apt is missing in CentOS (ELN builds) and in EPEL available currently only in 9 -%bcond_with apt -%endif - -# By default fedora package is built with opendbx support -%if 0%{?fedora} -%bcond_without opendbx -%else -# opendbx is missing in RHEL (ELN builds) without rest of the EPEL packages -# conditional allows for example rebuild in COPR + EPEL -%bcond_with opendbx -%endif - -# Fedora arched lib directories -# originally https://github.com/OpenSCAP/openscap/pull/2056 -# accepted was https://github.com/OpenSCAP/openscap/pull/2054 -Patch1: https://github.com/OpenSCAP/openscap/pull/2054.patch#/openscap-1.3.9-perlpath.patch - - -# Implicit declarations due to missing includes -# reported in #PR2060, #PR2061, #PR2062 -# https://github.com/OpenSCAP/openscap/pull/2060 -# https://github.com/OpenSCAP/openscap/pull/2061 -# https://github.com/OpenSCAP/openscap/pull/2062 -Patch2: openscap-1.3.9-includes.patch - -# Fix test test_sysctl_probe_all.sh -# https://github.com/OpenSCAP/openscap/commit/f8366b395b977392d724c6cc84c7295590c39ee8 -Patch3: openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch - -# Fix type of libxml2 error callback function -# https://github.com/OpenSCAP/openscap/pull/2069 -Patch4: openscap-1.3.9-c99-libxml2.patch - -# Python bindings: Do not reuse $result for pointer conversion result -# https://github.com/OpenSCAP/openscap/pull/2069 -Patch5: openscap-1.3.9-c99-python.patch - BuildRequires: systemd-rpm-macros - BuildRequires: make - -%if 0%{?fedora} || 0%{?rhel} >= 8 BuildRequires: cmake >= 2.6 BuildRequires: cmake-rpm-macros -%else -BuildRequires: cmake3 -%endif - 
BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: swig BuildRequires: libxml2-devel BuildRequires: libxslt-devel BuildRequires: rpm-devel -BuildRequires: libgcrypt-devel +BuildRequires: nss-devel BuildRequires: pcre2-devel BuildRequires: libacl-devel BuildRequires: libselinux-devel @@ -91,30 +38,8 @@ BuildRequires: dbus-devel BuildRequires: libyaml-devel BuildRequires: xmlsec1-devel BuildRequires: xmlsec1-openssl-devel - -# Fedora has procps-ng-devel, which provides procps-devel BuildRequires: procps-devel -%if %{with apt} -# apt-libs missing on Centos -BuildRequires: apt-devel -%endif - -%if %{with opendbx} -# opendbx is not available in RHEL -BuildRequires: opendbx-devel -%endif - -# GConf2 not used on purpose as obsolete and blocking anaconda addon -# BuildRequires: GConf2-devel - -%if %{with check} -BuildRequires: perl-interpreter -BuildRequires: perl-XML-XPath -BuildRequires: bzip2 -%endif - - Requires: bash Requires: bzip2-libs Requires: dbus @@ -125,18 +50,12 @@ Requires: libcap Requires: libselinux Requires: openldap Requires: popt -# Fedora has procps-ng, which provides procps Requires: procps -Requires: xmlsec1 xmlsec1-openssl - -%if %{with apt} -# apt-libs missing on Centos -Requires: apt-libs -%endif +Requires: xmlsec1 +Requires: xmlsec1-openssl %description %{common_description} - %package devel Summary: Development files for %{name} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} 
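Review bot: The dependency lists only half-reflect the crypto switch: `nss-devel` replaces `libgcrypt-devel` in the first BuildRequires block, but `BuildRequires: xmlsec1-openssl-devel` and the newly split `Requires: xmlsec1-openssl` are kept, so the package presumably still reaches OpenSSL through xmlsec1. If the aim of RHEL-22013 is to route cryptography through NSS, that remaining path deserves a comment next to those lines, for example `# crypto backend is NSS (-DWITH_CRYPTO=nss in %build); xmlsec1 still uses its OpenSSL backend` (wording to be confirmed against the build). The commit also removes every explanatory comment from this part of the spec, so nothing tells the next maintainer that `nss-devel` has to stay in step with the `%cmake` flag.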
@@ -155,31 +74,13 @@ Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %{?python_provide:%python_provide python%{python3_pkgversion}-openscap } BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools -%if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: python-rpm-macros -%endif %description python3 The %{name}-python3 package contains the bindings so that %{name} libraries can be used by python3. %{common_description} -%package perl -Summary: Perl bindings for %{name} -Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -BuildRequires: coreutils -BuildRequires: findutils -BuildRequires: make -BuildRequires: perl-generators -BuildRequires: perl-interpreter -BuildRequires: perl-devel -BuildRequires: perl-XML-Parser - -%description perl -The perl package contains the bindings so that %{name} -libraries can be used by perl. -%{common_description} - %package scanner Summary: OpenSCAP Scanner Tool (oscap) Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} 
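Review bot: `%package perl` is dropped here, and `%package containers` in the `%prep`/`%build` hunk further down, without any `Obsoletes:` visible in the diff. Both removed subpackages carried an exact `%{epoch}:%{version}-%{release}` requirement on the main package, so on a system that has one of them installed that requirement can hold `openscap` back at 1.3.9 instead of letting it move to 1.3.10. Unless this branch never shipped them, the main package should gain `Obsoletes: %{name}-perl < 1:1.3.10-1` and `Obsoletes: %{name}-containers < 1:1.3.10-1`; the preamble where they belong lies outside this hunk.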
@@ -225,55 +126,32 @@ The %{name}-engine-sce-devel package contains libraries and header files for developing applications that use %{name}-engine-sce. %{common_description} -%package containers -Summary: Utils for scanning containers -Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: %{name}-scanner -BuildArch: noarch - -%description containers -Tool for scanning Atomic containers. -%{common_description} - %prep %autosetup -p1 %build - -# definition controlling to use out-of-source build by default -# still needed for EPEL8 build -# more info - https://bugzilla.redhat.com/show_bug.cgi?id=1861329 -%undefine __cmake_in_source_build - -# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon -# as gconf is no longer part of the installation medium %cmake \ + -DWITH_CRYPTO=nss \ -DWITH_PCRE2=ON \ - -DENABLE_PERL=ON \ -DENABLE_DOCS=ON \ + -DENABLE_PERL=OFF \ + -DENABLE_OSCAP_UTIL_DOCKER=OFF \ + -DENABLE_OSCAP_REMEDIATE_SERVICE=OFF \ + -DOPENSCAP_PROBE_LINUX_DPKGINFO=OFF \ -DOPENSCAP_PROBE_UNIX_GCONF=OFF \ + -DOPENSCAP_ENABLE_SHA1=OFF \ + -DOPENSCAP_ENABLE_MD5=OFF \ -DGCONF_LIBRARY= %cmake_build make docs -%check -%if %{with check} -# Skip failing test in sce/test_sce_in_ds.sh -# %{?_smp_mflags} not used as it is failing many other tests -ctest -V -E sce/test_sce_in_ds.sh -%endif - %install %cmake_install find %{buildroot} -name '*.la' -exec rm -f {} ';' # fix python shebangs -%if 0%{?fedora} || 0%{?rhel} >= 10 %{__python3} %{_rpmconfigdir}/redhat/pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm -%else -pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm -%endif %ldconfig_scriptlets @@ -297,11 +175,6 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm %{python3_sitearch}/* -%files perl -%{perl_vendorarch}/openscap_pm.pm -%{perl_vendorarch}/auto/openscap_pm/openscap_pm.so - - %files devel %doc %{_pkgdocdir}/html/ %{_libdir}/libopenscap.so 
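Review bot: The `%check` section is deleted outright, together with the `check` bcond and its BuildRequires in the earlier hunks, so the package build no longer runs the test suite at all. That happens in the same commit that switches the crypto backend with `-DWITH_CRYPTO=nss` and turns off SHA-1 and MD5, which is exactly the configuration a build-time test run would validate. Consider keeping `%check` with `ctest -V -E sce/test_sce_in_ds.sh` (and `perl-interpreter`, `perl-XML-XPath`, `bzip2` as BuildRequires); if the tests cannot run in this build environment, say so in a comment above `%cmake`. The new `-DOPENSCAP_ENABLE_SHA1=OFF` and `-DOPENSCAP_ENABLE_MD5=OFF` flags would also benefit from a one-line comment giving the reason.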
@@ -321,6 +194,7 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm %files scanner %{_mandir}/man8/oscap.8* %{_bindir}/oscap +%{_mandir}/man8/oscap-chroot.8* %{_bindir}/oscap-chroot %{_sysconfdir}/bash_completion.d @@ -330,20 +204,18 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm %{_mandir}/man8/* %exclude %{_mandir}/man8/oscap.8* %exclude %{_mandir}/man8/oscap-docker.8* +%exclude %{_mandir}/man8/oscap-chroot.8* %{_bindir}/* %exclude %{_bindir}/oscap %exclude %{_bindir}/oscap-docker %exclude %{_bindir}/oscap-chroot -%files containers -%{_bindir}/oscap-docker -%{_mandir}/man8/oscap-docker.8* -%{python3_sitelib}/oscap_docker_python/* -%{_bindir}/oscap-podman -%{_mandir}/man8/oscap-podman.8* - %changelog +* Tue Apr 02 2024 Jan Černý - 1:1.3.10-1 +- Rebase to the latest upstream version +- Use NSS as cryptography library (RHEL-22013) + * Sun Jan 21 2024 Michal Ambroz - 1:1.3.9-7 - add conditionals to be able to rebuild with opendbx/apt even on EPEL+RHEL - cosmetics: rename patches, add comments, use buildroot macro instead of env diff --git a/sources b/sources index d577c00..2c75d2f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openscap-1.3.9.tar.gz) = 4c7fd10618c36188ed63d722d6cc7b04b45f4e72ff25b8c8ac066baa650b2f1bbd34c561f487a7f58ae8a506228b7d1d2208d54b976df84e2d2ea532629dc6eb +SHA512 (openscap-1.3.10.tar.gz) = 007556b8f020636f6613c2b1192a8b96dfb21b62994a3e257619d48021ad962f95b724c3ac9709a60dbbf7dba8f2499ff8b9b56a7f2d293ca3a8d6ec8107f595
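Review bot: The surviving `%{_bindir}/*` and `%{_mandir}/man8/*` globs now decide implicitly what this subpackage ships, and the exclusions were not updated to match the removed `%files containers`. `oscap-podman` and its man page were listed only there; `%build` sets `-DENABLE_OSCAP_UTIL_DOCKER=OFF` but nothing visible disables the podman utility, so it presumably moves into this subpackage unannounced, while the `oscap-docker` `%exclude` lines presumably no longer match anything. Listing the intended binaries and man pages explicitly, or at least adding `%exclude %{_bindir}/oscap-podman` if it is not meant to ship, would keep a new upstream executable from being packaged unreviewed. The header of this `%files` section is outside the hunk.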