updated 12 packages

apache2-2.4.58-1

c-ares-1.21.0-1

ca-certificates-2023.2.62-1

clamav-1.2.1-1

meson-1.2.3-1

nghttp2-1.58.0-1

nodejs-20.9.0-1

nspr-4.35-2

nss-3.94-1

openssl-3.1.4-1

python-urllib3-1.26.18-1

tzdata-2023c-1

a/apache2/apache2-vl.spec

@@ -10,7 +10,7 @@
 
 Name: %{pkgname}
 Summary: Apache HTTP Server
-Version: 2.4.57
+Version: 2.4.58
 Release: 1%{_dist_release}%{?with_systemd:.systemd}
 Group: servers
 Vendor: Project Vine
@@ -85,7 +85,6 @@ Patch46: httpd-2.4.53-separate-systemd-fns.patch
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
-Patch61: httpd-2.4.48-r1878890.patch
 Patch63: httpd-2.4.46-htcacheclean-dont-break.patch
 Patch65: httpd-2.4.51-r1894152.patch
 
@@ -194,7 +193,6 @@ Security (TLS) protocols.
 %patch42 -p1 -b .r1828172+
 
 %patch60 -p1 -b .enable-sslv3
-%patch61 -p1 -b .r1878890
 %patch63 -p1 -b .htcacheclean-dont-break
 %patch65 -p1 -b .r1894152
 %if %{with systemd}
@@ -641,6 +639,9 @@ EOF
 
 
 %changelog
+* Sun Oct 29 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2.4.58-1
+- new upstream release.
+
 * Wed Apr 12 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2.4.57-1
 - new upstream release.
 

c/c-ares/c-ares-vl.spec

@@ -2,7 +2,7 @@
 
 Summary: A library that performs asynchronous DNS operations
 Name: c-ares
-Version: 1.19.1
+Version: 1.21.0
 Release: 1%{?_dist_release}
 Group: system
 Vendor: Project Vine
@@ -121,6 +121,15 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Oct 27 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.21.0-1
+- updated to 1.21.0.
+
+* Mon Oct 09 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.20.1-1
+- updated to 1.20.1.
+
+* Sun Oct 08 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.20.0-1
+- updated to 1.20.0.
+
 * Mon May 22 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.19.1-1
 - updated to 1.19.1.
 

c/ca-certificates/ca-certificates-vl.spec

@@ -1,14 +1,14 @@
 %define pkidir %{_sysconfdir}/pki
 
 # this year
-%define year 2022
+%define year 2023
 
 # latest nss release.
 # reference: https://hg.mozilla.org/projects/nss
-%define nss_version 3_85
+%define nss_version 3_94
 
 # NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
-%define ckbi_version 2.58
+%define ckbi_version 2.62
 
 %define java_version 1.8.0
 
@@ -134,6 +134,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Mon Oct 30 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2023.2.62-1
+- updated to 2.62.
+
 * Sun Nov 20 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2022.2.58-1
 - updated to 2.58.
 

c/clamav/clamav-vl.spec

@@ -8,7 +8,7 @@
 Summary: Clam AntiVirus
 Summary(ja): Clamアンチウィルススキャナ
 Name: clamav
-Version: 1.0.1
+Version: 1.2.1
 Release: 1%{?_dist_release}%{?with_systemd:.systemd}
 Group: security
 Vendor: Project Vine
@@ -349,6 +349,15 @@ fi
 
 
 %changelog
+* Thu Oct 26 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.2.1-1
+- new upstream release.
+
+* Tue Aug 29 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.2.0-1
+- new upstream release.
+
+* Thu Aug 17 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1-1
+- new upstream release.
+
 * Thu Feb 16 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.0.1-1
 - new upstream release.
 

m/meson/meson-vl.spec

@@ -5,7 +5,7 @@
 Name:           meson
 Summary:        High productivity build system
 Summary(ja):    高生産性ビルドシステム
-Version:        1.1.0
+Version:        1.2.3
 Release:        1%{?_dist_release}
 Group:          programming
 Vendor:         Project Vine
@@ -98,6 +98,18 @@ python3 ./run_tests.py ||:
 
 
 %changelog
+* Mon Oct 02 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.2.2-1
+- new upstream release.
+
+* Thu Aug 17 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.2.1-1
+- new upstream release.
+
+* Tue Jul 18 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.2.0-1
+- new upstream release.
+
+* Fri May 26 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.1.1-1
+- new upstream release.
+
 * Sat Apr 15 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.1.0-1
 - new upstream release.
 

n/nghttp2/nghttp2-vl.spec

@@ -9,7 +9,7 @@
 Summary: Experimental HTTP/2 client, server and proxy
 Summary(ja): HTTP/2クライアント・サーバ・プロキシの実験的実装
 Name: nghttp2
-Version: 1.53.0
+Version: 1.58.0
 Release: 1%{?_dist_release}
 Group: internet
 Vendor: Project Vine
@@ -207,6 +207,24 @@ make %{?_smp_mflags} check
 
 
 %changelog
+* Sat Oct 28 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.58.0-1
+- new upstream release.
+
+* Wed Oct 11 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.57.0-1
+- new upstream release.
+
+* Mon Sep 04 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.56.0-1
+- new upstream release.
+
+* Sat Jul 15 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.55.1-1
+- new upstream release.
+
+* Wed Jul 12 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.55.0-1
+- new upstream release.
+
+* Thu Jun 08 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.54.0-1
+- new upstream release.
+
 * Wed May 10 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.53.0-1
 - new upstream release.
 

n/nodejs/nodejs-vl.spec

@@ -14,7 +14,7 @@
 %define _unpackaged_files_terminate_build 1
 
 Name:           nodejs
-Version:        18.16.0
+Version:        20.9.0
 Release:        1%{?_dist_release}
 Summary:        JavaScript runtime
 Summary(ja):    JavaScript ランタイム
@@ -217,7 +217,6 @@ export LDFLAGS="$LDFLAGS %{libatomic_flag} -fuse-ld=lld"
 %if %{system_http_parser}
 	--shared-http-parser \
 %endif
-	--without-dtrace \
 	--openssl-use-def-ca-store
 
 # Setting BUILDTYPE=Debug builds both release and debug binaries
@@ -300,6 +299,27 @@ cp -p common.gypi %{buildroot}%{_datadir}/node
 
 
 %changelog
+* Wed Oct 25 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 20.9.0-1
+- updated to 20.9.0.
+
+* Tue Oct 17 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.18.2-1
+- updated to 18.18.2.
+
+* Wed Oct 11 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.18.1-1
+- updated to 18.18.1.
+
+* Tue Sep 19 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.18.0-1
+- updated to 18.18.0.
+
+* Thu Aug 10 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.17.1-1
+- updated to 18.17.1.
+
+* Fri Jul 21 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.17.0-1
+- updated to 18.17.0.
+
+* Wed Jun 21 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.16.1-1
+- updated to 18.16.1.
+
 * Thu Apr 13 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 18.16.0-1
 - updated to 18.16.0.
 

n/nspr/nspr-vl.spec

@@ -4,7 +4,7 @@ Summary:	Netscape Portable Runtime
 Summary(ja):    Netscape ポータブルランタイム
 Name:		nspr
 Version:	4.35
-Release:	1%{?_dist_release}
+Release:	2%{?_dist_release}
 Group:		system
 Vendor:		Project Vine
 Distribution:	Vine Linux
@@ -135,6 +135,9 @@ NSPR_VERSION=`./config/nspr-config --version`
 
 
 %changelog
+* Mon Oct 30 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 4.35-2
+- rebuilt with current environment.
+
 * Sun Nov 20 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 4.35-1
 - update to 4.35.
 

n/nss/nss-vl.spec

@@ -1,7 +1,7 @@
 %define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
 
 %define nspr_version 4.35
-%define pem_version 1.0.8
+%define pem_version 1.1.0
 %define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
 
@@ -27,7 +27,7 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.85
+Version:          3.94
 Release:          1%{?_dist_release}
 Group:            system
 Vendor:           Project Vine
@@ -78,10 +78,8 @@ Patch12:          nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch
 
-# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1774654
-Patch50:	nss-3.79-fix-client-cert-crash.patch
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1774659
-Patch51:	nss-3.79-dbtool.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265
+Patch50:          nss-3.94-fix-ec-encoding.patch
 
 BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:    nspr-devel >= %{nspr_version}
@@ -605,6 +603,9 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 
 
 %changelog
+* Mon Oct 30 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.94-1
+- update to 3.94.
+
 * Sun Nov 20 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.85-1
 - update to 3.85.
 

o/openssl/openssl-vl.spec

@@ -7,9 +7,23 @@
 #                        depends on build configuration options)
 %define soversion 3
 
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/openssl.spec")
+for i, p in ipairs(patches) do
+   files = files.." "..p
+end
+for i, p in ipairs(sources) do
+   files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
 Summary: Secure Sockets Layer Toolkit
 Name: openssl
-Version: 3.0.8
+Version: 3.1.4
 Release: 1%{_dist_release}
 Group: system,security
 Vendor: Project Vine
@@ -21,58 +35,122 @@ URL: https://www.openssl.org/
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
-Source1: hobble-openssl
+Source: https://www.openssl.org/source/openssl-%{version}.tar.gz
 Source2: Makefile.certificate
 Source6: make-dummy-cert
 Source7: renew-dummy-cert
 Source9: configuration-switch.h
 Source10: configuration-prefix.h
-Source12: ec_curve.c
-Source13: ectest.c
+Source14: for-tests.patch
 
 # Patches exported from source git
-# Aarch64 and ppc64le use lib64
-#Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
-# Use more general default values in openssl.cnf
-Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
-# Do not install html docs
-Patch3: 0003-Do-not-install-html-docs.patch
-# Override default paths for the CA directory tree
-Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
-# apps/ca: fix md option help text
-Patch5: 0005-apps-ca-fix-md-option-help-text.patch
-# Disable signature verification with totally unsafe hash algorithms
-Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
-# Add support for PROFILE=SYSTEM system default cipherlist
-Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-# Add FIPS_mode() compatibility macro
-Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
-# Add check to see if fips flag is enabled in kernel
-#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
-# remove unsupported EC curves
-Patch11: 0011-Remove-EC-curves.patch
-# Disable explicit EC curves
-Patch12: 0012-Disable-explicit-ec.patch
-# Instructions to load legacy provider in openssl.cnf
-#Patch24: 0024-load-legacy-prov.patch
-# Selectively disallow SHA1 signatures rhbz#2070977
-Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
-# Backport of patch for RHEL for Edge rhbz #2027261
-Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
-# Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
-Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
-# Instrument with USDT probes related to SHA-1 deprecation
-#Patch53: 0053-Add-SHA1-probes.patch
-# https://github.com/openssl/openssl/pull/18103
-# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
-# so the patch should persist
-Patch56: 0056-strcasecmp.patch
-# https://github.com/openssl/openssl/pull/18444
-#Patch58: 0058-replace-expired-certs.patch
-
-# drop test
-Patch1000: drop_bad_test.patch
+# # Aarch64 and ppc64le use lib64
+Patch1:   0001-Aarch64-and-ppc64le-use-lib64.patch
+# # Use more general default values in openssl.cnf
+Patch2:   0002-Use-more-general-default-values-in-openssl.cnf.patch
+# # Do not install html docs
+Patch3:   0003-Do-not-install-html-docs.patch
+# # Override default paths for the CA directory tree
+Patch4:   0004-Override-default-paths-for-the-CA-directory-tree.patch
+# # apps/ca: fix md option help text
+Patch5:   0005-apps-ca-fix-md-option-help-text.patch
+# # Disable signature verification with totally unsafe hash algorithms
+Patch6:   0006-Disable-signature-verification-with-totally-unsafe-h.patch
+# # Add support for PROFILE=SYSTEM system default cipherlist
+Patch7:   0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+#Patch7:   0007-ossl_safe_getenv.patch
+# # Add FIPS_mode() compatibility macro
+Patch8:   0008-Add-FIPS_mode-compatibility-macro.patch
+# # Add check to see if fips flag is enabled in kernel
+Patch9:   0009-Add-Kernel-FIPS-mode-flag-support.patch
+# # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
+# # that new modifications made to these files by upstream are not lost.
+Patch10:  0010-Add-changes-to-ectest-and-eccurve.patch
+# # remove unsupported EC curves
+Patch11:  0011-Remove-EC-curves.patch
+# # Disable explicit EC curves
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
+Patch12:  0012-Disable-explicit-ec.patch
+# # Skipped tests from former 0011-Remove-EC-curves.patch
+Patch13:  0013-skipped-tests-EC-curves.patch
+# # Instructions to load legacy provider in openssl.cnf
+#Patch24:  0024-load-legacy-prov.patch
+# # We load FIPS provider and set FIPS properties implicitly
+Patch32:  0032-Force-fips.patch
+# # Embed HMAC into the fips.so
+Patch33:  0033-FIPS-embed-hmac.patch
+# # Comment out fipsinstall command-line utility
+Patch34:  0034.fipsinstall_disable.patch
+# # Skip unavailable algorithms running `openssl speed`
+Patch35:  0035-speed-skip-unavailable-dgst.patch
+# # Extra public/private key checks required by FIPS-140-3
+Patch44:  0044-FIPS-140-3-keychecks.patch
+# # Minimize fips services
+Patch45:  0045-FIPS-services-minimize.patch
+# # Execute KATS before HMAC verification
+Patch47:  0047-FIPS-early-KATS.patch
+# # Selectively disallow SHA1 signatures rhbz#2070977
+Patch49:  0049-Allow-disabling-of-SHA1-signatures.patch
+# # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
+Patch52:  0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
+# # https://github.com/openssl/openssl/pull/18103
+# # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
+# # so the patch should persist
+Patch56:  0056-strcasecmp.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+Patch58:  0058-FIPS-limit-rsa-encrypt.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
+Patch61:  0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
+# 0062-fips-Expose-a-FIPS-indicator.patch
+Patch62:  0062-fips-Expose-a-FIPS-indicator.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch73:  0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+# [PATCH 29/46] 
+#  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+Patch74:  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch75:  0075-FIPS-Use-FFDHE2048-in-self-test.patch
+# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+Patch76:  0076-FIPS-140-3-DRBG.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
+Patch77:  0077-FIPS-140-3-zeroization.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
+Patch78:  0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+# # https://github.com/openssl/openssl/pull/13817
+Patch79:  0079-RSA-PKCS15-implicit-rejection.patch
+# # We believe that some changes present in CentOS are not necessary
+# # because ustream has a check for FIPS version
+Patch80:  0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+# [PATCH 36/46] 
+#  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+Patch81:  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+# [PATCH 37/46] 
+#  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+Patch83:  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+# [PATCH 38/46] 
+#  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch84:  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+# 0085-FIPS-RSA-disable-shake.patch
+Patch85:  0085-FIPS-RSA-disable-shake.patch
+# 0088-signature-Add-indicator-for-PSS-salt-length.patch
+Patch88:  0088-signature-Add-indicator-for-PSS-salt-length.patch
+# 0091-FIPS-RSA-encapsulate.patch
+Patch91:  0091-FIPS-RSA-encapsulate.patch
+# [PATCH 42/46] 
+#  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+Patch93:  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+# [PATCH 43/46] 
+#  0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+# [PATCH 44/46] 
+#  0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+# # We believe that some changes present in CentOS are not necessary
+# # because ustream has a check for FIPS version
+Patch114: 0114-FIPS-enforce-EMS-support.patch
 
 # security fix
 # none
@@ -176,13 +254,6 @@ supported by OpenSSL.
 %setup -q -n %{name}-%{version}
 %autopatch -p1
 
-# The hobble_openssl is called here redundantly, just to be sure.
-# The tarball has already the sources removed.
-%{SOURCE1} > /dev/null
-
-cp %{SOURCE12} crypto/ec/
-cp %{SOURCE13} test/
-
 
 %build 
 # Figure out which flags we want to use.
@@ -203,11 +274,11 @@ sslflags=enable-ec_nistp_64_gcc_128
 # marked as not requiring an executable stack.
 # Also add -DPURIFY to make using valgrind with openssl easier as we do not
 # want to depend on the uninitialized memory as a source of entropy anyway.
-RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
 
 export HASHBANGPERL=/usr/bin/perl
 
-perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
+%define fips %{version}-%{srpmhash}
 
 # ia64, x86_64, ppc are OK by default
 # Configure the build tree.  Override OpenSSL defaults with known-good defaults
@@ -219,7 +290,8 @@ perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \
 	no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++ \
-	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
+	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' \
+	-Wl,--allow-multiple-definition
 
 # Do not run this in a production package the FIPS symbols must be patched-in
 #util/mkdef.pl crypto update
@@ -244,6 +316,8 @@ done
 
 # We must revert patch4 before tests otherwise they will fail
 patch -p1 -R < %{PATCH4}
+#We must disable default provider before tests otherwise they will fail
+patch -p1 < %{SOURCE14}
 
 LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
 export LD_LIBRARY_PATH
@@ -251,20 +325,31 @@ OPENSSL_ENABLE_MD5_VERIFY=
 export OPENSSL_ENABLE_MD5_VERIFY
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
+
+#embed HMAC into fips provider for test run
+OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
+
+#run tests itself
 make test HARNESS_JOBS=8
 
-%if 0
+
 # Add generation of HMAC checksum of the final stripped library
+# We manually copy standard definition of __spec_install_post
+# and add hmac calculation/embedding to fips.so
 %define __spec_install_post \
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
+    OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
+    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
+    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
 %{nil}
-%endif
 
 %define __provides_exclude_from %{_libdir}/openssl
 
-
 %install
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 # Install OpenSSL.
@@ -372,7 +457,7 @@ install -m644 %{SOURCE9} \
 /%{_lib}/libcrypto.so.%{soversion}
 %attr(0755,root,root) /%{_lib}/libssl.so.%{version}
 /%{_lib}/libssl.so.%{soversion}
-%attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
+%attr(0755,root,root) %{_libdir}/engines-%{soversion}
 %attr(0755,root,root) %{_libdir}/ossl-modules
 %ifnarch i686
 %config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
@@ -420,6 +505,18 @@ install -m644 %{SOURCE9} \
 
 
 %changelog
+* Wed Oct 25 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.4-1
+- new upstream release.
+
+* Wed Sep 20 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.3-1
+- new upstream release.
+
+* Wed Aug 02 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.10-1
+- new upstream release.
+
+* Tue Jul 11 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.9-1
+- new upstream release.
+
 * Wed Feb 08 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.8-1
 - new upstream release.
 

p/python-urllib3/python-urllib3-vl.spec

@@ -5,7 +5,7 @@
 
 Summary:        Python HTTP library with thread-safe connection pooling and file post
 Name:           python-%{srcname}
-Version:        1.26.12
+Version:        1.26.18
 Release:        1%{?_dist_release}
 Group:          programming
 Vendor:         Project Vine
@@ -103,6 +103,9 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
 
 
 %changelog
+* Thu Oct 26 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.26.18-1
+- new upstream release.
+
 * Sat Oct 22 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> - 1.26.12-1
 - new upstream release.
 

t/tzdata/tzdata-vl.spec

@@ -1,9 +1,9 @@
 Summary: Timezone data
 Summary(ja): タイムゾーンのデータ
 Name: tzdata
-Version: 2022f
-%define tzdata_version 2022f
-%define tzcode_version 2022f
+Version: 2023c
+%define tzdata_version %{version}
+%define tzcode_version %{version}
 Release: 1%{?_dist_release}
 Group: system
 Vendor: Project Vine
@@ -157,6 +157,9 @@ rm -fr $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Oct 27 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2023c-1
+- updated to 2023c.
+
 * Sun Nov 20 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2022f-1
 - updated to 2022f.