Conversation

@nmburgan
Member

  • Updates the update_gems script to also update the projects with any new components, and fixes an issue using the v2 RubyGems API.
  • Updates many components, including OpenSSL 3.0.18 which addresses CVE-2025-9230 and GHSA-76r2-c3cg-f5r9.
  • Removes the 7.x runtime and associated Ruby 2.7 references and simplifies some of the code. Should we ever need to build 7.x again, we can branch from a previous commit.
  • Removes references to AIX 7.1 and SLES 11.

@bastelfreak
Contributor

bastelfreak commented Nov 17, 2025

stupid question: if we want to see the different version bumps in the changelog, the easiest way would be one PR per changed component. That's a bit more work during the update (until we automate that part), but I think it will provide a big benefit for the users?

Edit: When I do version bumps I always try to do $component: Update $oldver->$newver, so users can easily compare the version range with their internal CVE database, if they have any.

@nmburgan
Member Author

We could certainly add that to the script. Probably makes sense if we plan to run this in automation.

@nmburgan
Member Author

I suppose one problem right now is that not all components are used in both projects. So a lot of updates will be for OpenBolt and not OpenVox. But once I get around to breaking up this repo and incorporating them into the project repos, that won't be a problem.

  • These are now released from GitHub. This also removes the _base file and cleans up the code.
  • This reforms the ruby-selinux component so that it appropriately defines the SELinux for each platform we currently support. This also removes the _base file and puts it in ruby-selinux.rb.
  • If we need to build 7.x runtimes in the future, we can branch off a previous commit. This removes this project and associated components that only exist for this runtime.
  • If we ever build for AIX in the future, it will be for 7.2 or later, so remove extra logic gating things for 7.1.
  • Addresses CVE-2025-9230 and CVE-2025-9232.
  • In Ruby 3.2.9, the openssl gem is out of date. On MacOS with the latest OpenSSL, this breaks. This adds the gem to the gemfile so we don't break during builds. This doesn't affect the build itself, as it is due to OpenSSL 3.6 and we ship 3.0.
  • This doesn't quite work on Windows, where we have no choice but to use Ruby 3.2.2 in Cygwin. This is the only version available besides 3.4. This is really just for the build process and not the build itself. Using 3.4 for this is currently broken.
@nmburgan nmburgan force-pushed the update_update_gems branch 3 times, most recently from c49ca64 to 493100d Compare November 17, 2025 21:56
This updates the update_gems rake task to also add any new gem components to the project files. It will also create a separate commit for each change, so it is more easily ingestible by automation when creating the changelog.
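The one-commit-per-component approach discussed in this thread (with the `$component: Update $oldver->$newver` subject line suggested above) can be sketched as a small Ruby script. This is an added example, not the repository's own update_gems rake task; it assumes vanagon-style component files named `<component>.rb` that carry a `pkg.version "x.y.z"` line, and the sample versions it writes into a temporary directory are constructed for the demo.

```ruby
# Added example (not the project's update_gems task): plan and apply one git
# commit per changed component, so a changelog generator can read each bump
# as "component: Update old->new".
require 'tmpdir'

# Assumed component file layout: a line such as `  pkg.version "3.0.17"`.
VERSION_RE = /^(\s*pkg\.version\s+)["']([^"']+)["']/

def current_version(contents)
  m = contents.match(VERSION_RE)
  m && m[2]
end

# Rewrite only the pkg.version line, preserving indentation and everything else.
def bump_contents(contents, new_version)
  contents.sub(VERSION_RE) { "#{Regexp.last_match(1)}\"#{new_version}\"" }
end

def commit_subject(component, old_version, new_version)
  "#{component}: Update #{old_version}->#{new_version}"
end

# Compare on-disk versions with the newly resolved ones without touching git.
# Returns one entry per component whose version actually changes; components
# that are missing or already current are skipped, so re-running is harmless.
def plan_updates(components_dir, new_versions)
  new_versions.sort.filter_map do |component, new_version|
    path = File.join(components_dir, "#{component}.rb")
    next unless File.file?(path)
    old_version = current_version(File.read(path))
    next if old_version.nil? || old_version == new_version
    { component: component, path: path, old: old_version, new: new_version,
      subject: commit_subject(component, old_version, new_version) }
  end
end

# Apply each planned bump as its own commit (git: false only edits the files).
# Returns the commit subjects in the order they were created.
def apply_updates(plan, git: true)
  plan.each do |u|
    File.write(u[:path], bump_contents(File.read(u[:path]), u[:new]))
    next unless git
    system('git', 'add', u[:path], exception: true)
    system('git', 'commit', '-q', '-m', u[:subject], exception: true)
  end
  plan.map { |u| u[:subject] }
end

# Constructed sample: a throwaway components directory with two components,
# one of which gets a new version and one of which is already current.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'openssl-3.0.rb'),
               "component 'openssl' do |pkg, settings, platform|\n  pkg.version \"3.0.17\"\nend\n")
    File.write(File.join(dir, 'curl.rb'),
               "component 'curl' do |pkg, settings, platform|\n  pkg.version \"8.16.0\"\nend\n")
    plan = plan_updates(dir, { 'openssl-3.0' => '3.0.18', 'curl' => '8.16.0' })
    apply_updates(plan, git: false)
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

Planning and applying are split so a dry run can list the subjects before any commit is made; the subject format keeps both the old and the new version in the commit log, which is what makes matching a version range against an internal CVE database straightforward.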
@nmburgan
Member Author

Quite noisy for the commit log for this PR, but should be much quieter in the future.

  • We don't need this since we only have one agent project now. This makes it easier to maintain with automation.
  • Some of our existing project code has missing dependencies. This script previously only added new ones. Now, it scans the full component list for dependencies.
  • A new 7.0 has been released, but the addressable gem requires < 7.
$dest="C:\setup-x86_64.exe"
Invoke-WebRequest -Uri $url -OutFile $dest
cmd /c "C:\setup-x86_64.exe -s https://cygwin.osuosl.org -q -P ruby,ruby-devel,gcc-core,make,git,libyaml-devel"
cmd /c "C:\setup-x86_64.exe -s https://cygwin.osuosl.org -q -P ruby=3.2.2-2,ruby-devel=3.2.2-2,gcc-core,make,git,libyaml-devel"
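Review bot: the installer written to `$dest` by `Invoke-WebRequest` is executed by the `cmd /c "C:\setup-x86_64.exe ..."` line with no integrity check, so the build host runs whatever the download returns; consider verifying it against Cygwin's published detached signature (setup-x86_64.exe.sig) or a pinned SHA-256 before the `cmd /c` line. Separately, the new `ruby=3.2.2-2,ruby-devel=3.2.2-2` pin names an exact Cygwin package revision, which the mirror may drop once it is superseded; it is worth noting in a comment what happens when that revision is no longer available.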
Contributor


why is this 3.2.2? configs/components/ruby-3.2.rb has 3.2.9.

Member Author


This is the only 3.2 version available on Cygwin's repositories. They stay up to date with the latest 3.4, but this is literally the only 3.x version otherwise. Both fortunate for us, and also unfortunate it's stuck at such an old one. This ruby is only used for actually running the scripts, not for any build stuff, although I'm not 100% sure no shared libraries or whatever are used, so I wanted to stick with 3.2.

@nmburgan nmburgan force-pushed the update_update_gems branch 2 times, most recently from 4feebed to 76cd139 Compare November 20, 2025 00:17
@nmburgan
Member Author

Looks like the latest ruby_smb might break OpenBolt (https://github.com/OpenVoxProject/openbolt/actions/runs/19552520911/job/55987566901?pr=140). Need to do some more investigation.
