This reverts merge request !60

Adapting the patch from https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3/

Patch for CVE-2019-3881

Ian Baum authored 4 years ago and DJ Mountney committed 4 years ago

* Curently on 14, which was set to end of life at on April 30, 2020.
* Adds chef-bin gem
* Automatically accept the chef license EULA
* Update chef libraries in Gemfile to newer versions
* Update trigger jobs to use ruby 2.6 image

Calls to the `copy_file_range()` system call on recent RedHat kernels
now fail with `EOPNOTSUP` instead of `ENOSYS`, which breaks any use of
`IO.copy_stream` (e.g. used by CarrierWave) if NFS is used.

Ruby attempts to detect whether the kernel supports this system call,
but the detection mechanism only checks whether this system call is
defined, not whether it is actually supported. We manually patch this to
disable the `copy_file_range()`.

Relates to:
1. https://bugs.ruby-lang.org/issues/16965
2. https://gitlab.com/gitlab-org/gitlab/-/issues/218999
3. https://bugzilla.redhat.com/show_bug.cgi?id=1783554

Hossein Pursultani authored 4 years ago and DJ Mountney committed 4 years ago

This also includes Psycopg2 which is required by both patroni service
and patronictl commands.

Gitaly now supports the latest version of Git, which integrates
a patch that previously had to be manually added.

See:
  - https://gitlab.com/gitlab-org/git/-/issues/61
  - https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4294

Part of: https://gitlab.com/gitlab-org/gitaly/-/issues/2829

This hasn't been updated in over a year, and there are a few expired
certificates in this trust chain.

Balasankar C authored 4 years ago and Ian Baum committed 4 years ago

Signed-off-by: Balasankar "Balu" C <balasankarc@autistici.org>

See https://gitlab.com/gitlab-org/git/-/issues/61

This fixes a regression with EOF detecting handling:
* https://github.com/openssl/openssl/issues/11378
* https://github.com/openssl/openssl/pull/11400

This was causing failures in Bitbucket Cloud.

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/212998

Gitaly now supports new version of Git, please see:

https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4039

Part of: https://gitlab.com/gitlab-org/gitaly/-/issues/2497

Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>

- Add modules_big to repmgr makefile

Ian Baum authored 5 years ago and DJ Mountney committed 5 years ago

* Don't exit 1 if it is set
* Clarify the language when it is found

This should simplify the upgrade process.

Compile using standard syntax

Signed-off-by: Balasankar "Balu" C <balasankarc@autistici.org>

Signed-off-by: Balasankar "Balu" C <balasankarc@autistici.org>

Patch Git with changes made by James Ramsay:
https://gitlab.com/jramsay/git/commit/2acbd22ded110ca02ea2d7b8a57c250d2aa0cf83

Part of: https://gitlab.com/gitlab-org/gitaly/issues/2177

v2.7.2-gitlab has the patch to enable MD5 checksums on top of v2.7.1.
This change is done for a number of reasons:

1. To prepare for future changes in the GitLab Container Registry
2. To get the version number right (e.g. v2.7.2-gitlab instead of
v2.7.1.m)
3. To make the build consistent with the one used by the cloud-native
container.

v2.7.3-gitlab updates the storage driver to use the latest Google SDK:
https://gitlab.com/gitlab-org/container-registry/merge_requests/2

v2.7.4-gitlab fixes an issues with v2.7.3-gitlab with non-default
Google credentials:
https://gitlab.com/gitlab-org/container-registry/merge_requests/7

This registry upgrade hopefully will fix 0-byte upload issues:
https://github.com/googleapis/google-cloud-go/issues/746

We saw high number of 500 errors by users accessing the container
registry (https://gitlab.com/gitlab-org/gitlab/issues/32907) due to
manifest files showing up as 0-byte files. While it's not clear at the
moment whether this is a bug in the storage driver or an issue on
Google's infrastructure, adding a MD5 checksum should ensure Google will
not write a file that doesn't match the intended value.

Note that this patches both the Google Cloud Storage (GCS) driver and
the vendored Google Cloud SDK, since the SDK used (circa 2015) is so old
it doesn't actually have full support for sending MD5 checksums. This
commit grafted on changes from the latest SDK, which significantly
changed the interface.

Note that MD5 checksums are only attached to data sent via the PutObject
interface, which is responsible for writing relatively small payloads
(e.g. manifest files).

- Upgrade Omnibus from OpenSSL 1.0.2r to 1.1.1c

Resolves: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1260



Signed-off-by: Robert Marshall <rmarshall@gitlab.com>

Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>

Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>

We have been patching this file, but not running autoreconf, so it
hasn't been doing anything

Robert Marshall authored 5 years ago and Ian Baum committed 5 years ago

- Add updated libedit patches for python 3.7.3
- Add libffi and liblzma dependencies for python building
- Run autoreconf step in build process because of patch
  to configure.ac and pyconfig.h

Related: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/3804



Signed-off-by: Robert Marshall <rmarshall@gitlab.com>

Ruby 2.6 deprecates Net::HTTPServerException in favor of
Net::HTTPClientException (https://bugs.ruby-lang.org/issues/14688). To
avoid a constrant stream of deprecation warnings, patch the gem to use
the newer exception.

Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>

Newer versions of glibc contains copy_file_range method, which will
conflict with the one in PostgreSQL source.
Backporting patch from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=e3fdb7c00e783ed4b490554ab6bbaccad341c244

Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>

We no longer need to patch gitlab-markup as we've added the required
changes natively to the gem.

Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>

- Use the upstream git repository mirror for building kerberos
- Use a cleaner method to patch out libkeyutil support that
  was submitted and accepted upstream:
  https://github.com/krb5/krb5/pull/905
- Add OpenSSL as a requirement for Kerberos builds because the
  `--with-tls-impl=IMPL` requires a TLS implementation and we
  already package OpenSSL with Omnibus.
- Remove unused PKINIT Module Support

Resolves: https://gitlab.com/gitlab-org/distribution/team-tasks/issues/295



Signed-off-by: Robert Marshall <rmarshall@gitlab.com>

This reverts merge request !3103

Update the certificates from curl.haxx.se to 2019-01-23

There have been 5 updates (including this) since the last update here.

- Use the upstream git repository mirror for building kerberos
- Use a cleaner method to patch out keyutil ccache support that
  can be submitted to upstream kerberos

Resolves: https://gitlab.com/gitlab-org/distribution/team-tasks/issues/295



Signed-off-by: Robert Marshall <rmarshall@gitlab.com>