From 2ee5eb49801eb1995c829f0e403f8bc175e6af0c Mon Sep 17 00:00:00 2001
From: Kazunori Kimura
Date: Mon, 29 Jan 2024 18:20:18 +0900
Subject: [PATCH 1/2] Revise build patch structure to allow patching each middleware or library

Just move patches to assets/build/patches/gitlabhq
Folder name are matched to assets/runtime/config
---
 assets/build/install.sh | 2 +-
 ...fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak | 0
 ...002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak | 0
 ...-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch | 0
 .../0004-fix-raketask-gitlab-assets-compile.patch | 0
 5 files changed, 1 insertion(+), 1 deletion(-)
 rename assets/build/patches/{ => gitlabhq}/0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak (100%)
 rename assets/build/patches/{ => gitlabhq}/0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak (100%)
 rename assets/build/patches/{ => gitlabhq}/0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch (100%)
 rename assets/build/patches/{ => gitlabhq}/0004-fix-raketask-gitlab-assets-compile.patch (100%)

diff --git a/assets/build/install.sh b/assets/build/install.sh
index f70ebac6c..37fb485b0 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -84,7 +84,7 @@ exec_as_git git config --global --add safe.directory /home/git/gitlab
 echo "Cloning gitlab-foss v.${GITLAB_VERSION}..."
 exec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${GITLAB_INSTALL_DIR}
-find "${GITLAB_BUILD_DIR}/patches/" -name "*.patch" | while read -r patch_file; do
+find "${GITLAB_BUILD_DIR}/patches/gitlabhq" -name "*.patch" | while read -r patch_file; do
 printf "Applying patch %s for gitlab-foss...\n" "${patch_file}"
 exec_as_git git -C ${GITLAB_INSTALL_DIR} apply --ignore-whitespace < "${patch_file}"
 done
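Review bot: The new `find "${GITLAB_BUILD_DIR}/patches/gitlabhq"` walk still feeds `git apply` in directory-listing order, which is filesystem-dependent, while the `0001-`…`0004-` prefixes show the series is meant to apply in sequence; put a sort in front of the loop: `find "${GITLAB_BUILD_DIR}/patches/gitlabhq" -name "*.patch" | sort | while read -r patch_file; do`. Because the loop body runs in a pipeline subshell, whether a rejected patch aborts the image build depends on the script's `set -e`/`pipefail` options, which are outside this hunk. A one-line comment above the loop, `# disabled patches are kept as *.patch.bak and are skipped by the -name filter`, would also record why two of the moved files carry the `.bak` suffix, which the diffstat shows but the code does not explain.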
diff --git a/assets/build/patches/0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak b/assets/build/patches/gitlabhq/0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak
similarity index 100%
rename from assets/build/patches/0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak
rename to assets/build/patches/gitlabhq/0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak
diff --git a/assets/build/patches/0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak b/assets/build/patches/gitlabhq/0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak
similarity index 100%
rename from assets/build/patches/0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak
rename to assets/build/patches/gitlabhq/0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak
diff --git a/assets/build/patches/0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch b/assets/build/patches/gitlabhq/0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch
similarity index 100%
rename from assets/build/patches/0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch
rename to assets/build/patches/gitlabhq/0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch
diff --git a/assets/build/patches/0004-fix-raketask-gitlab-assets-compile.patch b/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch
similarity index 100%
rename from assets/build/patches/0004-fix-raketask-gitlab-assets-compile.patch
rename to assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch

From bee0503226c0d474fb22cc82e86a8ef9a53f33af Mon Sep 17 00:00:00 2001
From: Kazunori Kimura
Date: Tue, 30 Jan 2024 12:17:18 +0900
Subject: [PATCH 2/2] Allow patching Ruby, add patch for lib/securernadom.rb

Backport: fix behavior of `SecureRandom.gen_random_openssl(n)`
commit: https://github.com/ruby/ruby/commit/64e503eb62aff0952b655e9a86217e355f786146

This has been merged into the Ruby 3.3 release, but Ruby (at least) 3.0 and later are affected by the issues fixed by this commit.
---
 assets/build/install.sh | 4 ++
 .../0001-avoid-seeding_until-ruby3.3.0.patch | 45 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch

diff --git a/assets/build/install.sh b/assets/build/install.sh
index 37fb485b0..31a23b691 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -47,6 +47,10 @@ mkdir /tmp/ruby && cd /tmp/ruby
 curl --remote-name -Ss "${RUBY_SRC_URL}"
 printf '%s ruby-%s.tar.gz' "${RUBY_SOURCE_SHA256SUM}" "${RUBY_VERSION}" | sha256sum -c -
 tar xzf ruby-"${RUBY_VERSION}".tar.gz && cd ruby-"${RUBY_VERSION}"
+find "${GITLAB_BUILD_DIR}/patches/ruby" -name "*.patch" | while read -r patch_file; do
+ echo "Applying patch ${patch_file}"
+ patch -p1 -i "${patch_file}"
+done
 ./configure --disable-install-rdoc --enable-shared
 make -j"$(nproc)"
 make install
diff --git a/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch
new file mode 100644
index 000000000..5fd7dcbe7
--- /dev/null
+++ b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch
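Review bot: `patch -p1 -i "${patch_file}"` in the new loop runs without `--batch`/`--forward` and without explicit failure handling, so a patch that no longer applies cleanly — and the filename `0001-avoid-seeding_until-ruby3.3.0.patch` itself says this change is upstream from Ruby 3.3, so the next `RUBY_VERSION` bump will present an already-applied patch — makes GNU patch try to ask "Assume -R?" on a non-interactive build, leave `.rej` files behind, and the image can end up shipping a `lib/securerandom.rb` whose intended fix is silently missing or half-applied. Because the `while` body runs in a pipeline subshell, a non-zero `patch` status only stops the build if the script enables `set -e`/`set -o pipefail`, which I cannot see from this hunk. I would iterate the glob in the parent shell (lexical order also keeps numbered patches in sequence), make `patch` non-interactive with `--batch --forward`, and exit explicitly on any failure so a stale or rejected patch surfaces as a build error rather than an unpatched Ruby; as far as I know a `--forward`-skipped patch still exits non-zero, which is the behaviour you want here. The gitlabhq `git apply` loop further down the same script has the same pipeline shape and would benefit from the same treatment.
```shell
# … unchanged: download, checksum and unpack of the Ruby tarball …
for patch_file in "${GITLAB_BUILD_DIR}"/patches/ruby/*.patch; do
  [ -e "${patch_file}" ] || continue  # no Ruby patches shipped for this version
  echo "Applying patch ${patch_file}"
  patch -p1 --batch --forward -i "${patch_file}" \
    || { echo "Failed to apply ${patch_file}" >&2; exit 1; }
done
# … unchanged: ./configure, make, make install …
```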
@@ -0,0 +1,45 @@
+From 64e503eb62aff0952b655e9a86217e355f786146 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?=
+
+Date: Thu, 13 Apr 2023 15:36:24 +0900
+Subject: [PATCH] avoid seeding
+
+OpenSSL's man page previously stated that "the application is
+responsible for seeding the PRNG by calling RAND_add" (see [1]).
+So we had this code. However things changed. They no longer
+say so, instead "manual (re-)seeding of the default OpenSSL
+random generator is not necessary" now (see [2]). It seems all
+OpenSSL versions that we support now already behaves like this.
+Let's follow that.
+
+[1]: https://www.openssl.org/docs/man1.0.2/man3/RAND_add.html
+[2]: https://www.openssl.org/docs/manmaster/man3/RAND_add.html
+---
+ lib/securerandom.rb | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/lib/securerandom.rb b/lib/securerandom.rb
+index 07ae048634..c5be6ce734 100644
+--- a/lib/securerandom.rb
++++ b/lib/securerandom.rb
+@@ -47,17 +47,6 @@ def bytes(n)
+ private
+
+ def gen_random_openssl(n)
+- @pid = 0 unless defined?(@pid)
+- pid = $$
+- unless @pid == pid
+- now = Process.clock_gettime(Process::CLOCK_REALTIME, :nanosecond)
+- OpenSSL::Random.random_add([now, @pid, pid].join(""), 0.0)
+- seed = Random.urandom(16)
+- if (seed)
+- OpenSSL::Random.random_add(seed, 16)
+- end
+- @pid = pid
+- end
+ return OpenSSL::Random.random_bytes(n)
+ end
+
+--
+2.43.0.windows.1
+