Update Release Candidate

aedab8ff · Thomas Gambier · d54d8659 · b5c45134 · aedab8ff · aedab8ff
Commit aedab8ff authored May 06, 2024 by Thomas Gambier 🚴🏼
22 changed files
--- a/component/kerberos/buildout.cfg
+++ b/component/kerberos/buildout.cfg
@@ -10,14 +10,13 @@ parts =
 [kerberos]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://web.mit.edu/kerberos/dist/krb5/1.19/krb5-1.19.2.tar.gz
-md5sum = eb51b7724111e1a458a8c9a261d45a31
+url = https://web.mit.edu/kerberos/dist/krb5/1.20/krb5-1.20.2.tar.gz
+md5sum = 7ac456e97c4959ebe5c836dc2f5aab2c
 configure-command = src/configure
 configure-options =
    --prefix=@@LOCATION@@
    --with-ldap=no
    --without-readline
-    --without-tcl
    --without-keyutils
 environment =
  PATH=${m4:location}/bin:${bison:location}/bin:%(PATH)s

--- a/component/mariadb/buildout.cfg
+++ b/component/mariadb/buildout.cfg
@@ -103,6 +103,10 @@ patch-options = -p1
 patches =
  https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131

+[mariadb-10.4:python3]
+patches +=
+  ${:_profile_base_location_}/mariadb-10.4.32-openssl-3.0.patch#ec3e2b57eae5421e052ab89224b29b7e
+
 [mariadb-10.5]
 <= mariadb-common
 version = 10.5.23

--- a/component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+++ b/component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+Changes to support OpenSSL 3.0 based on the following commits :
+
+* 8a9c1e9ccf227e5f8ee9a4716a9b64665a8489e3 MDEV-25785 Add support for OpenSSL 3.0
+* 1dc09ce0fdcf556dfc57de3f012a455c6d54a951 Revert "don't build with OpenSSL 3.0, it doesn't work before MDEV-25785"
+* ef655669816d73a1d92fbf459b768abcc7cac296 MDEV-27778 md5 in FIPS crashes with OpenSSL 3.0.0
+
+diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
+index a6793cf3c55..1bd46bc0f39 100644
+--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
+@@ -118,7 +118,7 @@ MACRO (MYSQL_CHECK_SSL)
+     ENDIF()
+     FIND_PACKAGE(OpenSSL)
+     SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
+-    IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
+    IF(OPENSSL_FOUND)
+       SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
+       INCLUDE(CheckSymbolExists)
+       SET(SSL_SOURCES "")
+@@ -139,6 +139,13 @@ MACRO (MYSQL_CHECK_SSL)
+       SET(SSL_INTERNAL_INCLUDE_DIRS "")
+       SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ 
+      # Silence "deprecated in OpenSSL 3.0"
+      IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+         OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+        SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+        SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+      ENDIF()
+
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+       SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+@@ -152,6 +159,7 @@ MACRO (MYSQL_CHECK_SSL)
+                           HAVE_X509_check_host)
+       SET(CMAKE_REQUIRED_INCLUDES)
+       SET(CMAKE_REQUIRED_LIBRARIES)
+      SET(CMAKE_REQUIRED_DEFINITIONS)
+     ELSE()
+       IF(WITH_SSL STREQUAL "system")
+         MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
+diff --git a/include/ssl_compat.h b/include/ssl_compat.h
+index 7b4a828a4d9..7a652d46121 100644
+--- a/include/ssl_compat.h
+++ b/include/ssl_compat.h
+@@ -78,7 +78,6 @@
+ #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
+ #endif
+ 
+-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
+ #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
+ #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
+ 
+diff --git a/mysql-test/lib/openssl.cnf b/mysql-test/lib/openssl.cnf
+index b9ab37ac3a1..7cd6f748af2 100644
+--- a/mysql-test/lib/openssl.cnf
+++ b/mysql-test/lib/openssl.cnf
+@@ -9,4 +9,4 @@ ssl_conf = ssl_section
+ system_default = system_default_section
+ 
+ [system_default_section]
+-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
+diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
+index 9308f0f9833..d549ec7d2b4 100644
+--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
+@@ -61,9 +61,9 @@ connect  ssl_con,localhost,root,,,,,SSL;
+ SHOW STATUS LIKE 'Ssl_cipher';
+ Variable_name	Value
+ Ssl_cipher	AES128-SHA
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+-Variable_name	Value
+-Ssl_cipher_list	AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
+ disconnect ssl_con;
+ connection default;
+ call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
+index 3a54aca5145..7150e19809e 100644
+--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
+@@ -98,7 +98,7 @@ let $restart_parameters=--ssl-cipher=AES128-SHA;
+ source include/restart_mysqld.inc;
+ connect (ssl_con,localhost,root,,,,,SSL);
+ SHOW STATUS LIKE 'Ssl_cipher';
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+ disconnect ssl_con;
+ connection default;
+ 
+diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
+index a8643f6e5b6..00447e73d79 100644
+--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
+@@ -29,11 +29,7 @@
+ #include <ssl_compat.h>
+ #include <cstdint>
+ 
+-#ifdef HAVE_WOLFSSL
+ #define CTX_ALIGN 16
+-#else
+-#define CTX_ALIGN 0
+-#endif
+ 
+ class MyCTX
+ {
+@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
+ {
+ public:
+   const uchar *key;
+-  uint klen, buf_len;
+  uint klen, source_tail_len;
+   uchar oiv[MY_AES_BLOCK_SIZE];
+  uchar source_tail[MY_AES_BLOCK_SIZE];
+ 
+   MyCTX_nopad() : MyCTX() { }
+   ~MyCTX_nopad() = default;
+@@ -112,7 +109,7 @@ class MyCTX_nopad : public MyCTX
+     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
+     this->key= key;
+     this->klen= klen;
+-    this->buf_len= 0;
+    this->source_tail_len= 0;
+     if (ivlen)
+       memcpy(oiv, iv, ivlen);
+     DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
+@@ -123,26 +120,41 @@ class MyCTX_nopad : public MyCTX
+     return res;
+   }
+ 
+  /** Update last partial source block, stored in source_tail array. */
+  void update_source_tail(const uchar* src, uint slen)
+  {
+    if (!slen)
+      return;
+    uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+    if (new_tail_len)
+    {
+      if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+      {
+        memcpy(source_tail + source_tail_len, src, slen);
+      }
+      else
+      {
+        DBUG_ASSERT(slen > new_tail_len);
+        memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+      }
+    }
+    source_tail_len= new_tail_len;
+  }
+
+   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
+   {
+-    buf_len+= slen;
+    update_source_tail(src, slen);
+     return MyCTX::update(src, slen, dst, dlen);
+   }
+ 
+   int finish(uchar *dst, uint *dlen)
+   {
+-    buf_len %= MY_AES_BLOCK_SIZE;
+-    if (buf_len)
+    if (source_tail_len)
+     {
+-      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
+       /*
+         Not much we can do, block ciphers cannot encrypt data that aren't
+         a multiple of the block length. At least not without padding.
+         Let's do something CTR-like for the last partial block.
+-
+-        NOTE this assumes that there are only buf_len bytes in the buf.
+-        If OpenSSL will change that, we'll need to change the implementation
+-        of this class too.
+       */
+       uchar mask[MY_AES_BLOCK_SIZE];
+       uint mlen;
+@@ -154,10 +166,10 @@ class MyCTX_nopad : public MyCTX
+         return rc;
+       DBUG_ASSERT(mlen == sizeof(mask));
+ 
+-      for (uint i=0; i < buf_len; i++)
+-        dst[i]= buf[i] ^ mask[i];
+      for (uint i=0; i < source_tail_len; i++)
+        dst[i]= source_tail[i] ^ mask[i];
+     }
+-    *dlen= buf_len;
+    *dlen= source_tail_len;
+     return MY_AES_OK;
+   }
+ };
+diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
+index 407dee3bc69..75995bccf90 100644
+--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
+@@ -52,12 +52,23 @@ static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
+ 
+ static void md5_init(EVP_MD_CTX *context)
+ {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  EVP_MD *md5;
+  EVP_MD_CTX_init(context);
+  /* Ok to ignore FIPS: MD5 is not used for crypto here */
+  /* In OpenSSL 3.0.0+ it is a different EVP_MD provider */
+  md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+  EVP_DigestInit_ex(context, md5, NULL);
+  EVP_MD_free(md5);
+#else
+   EVP_MD_CTX_init(context);
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+   /* Ok to ignore FIPS: MD5 is not used for crypto here */
+  /* In OpenSSL 1.1.1 the non FIPS allowed flag is context specific */
+   EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+   EVP_DigestInit_ex(context, EVP_md5(), NULL);
+#endif
+ }
+ 
+ static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
+diff --git a/unittest/mysys/aes-t.c b/unittest/mysys/aes-t.c
+index 34704e06749..cbec2760941 100644
+--- a/unittest/mysys/aes-t.c
+++ b/unittest/mysys/aes-t.c
+@@ -21,27 +21,96 @@
+ #include <string.h>
+ #include <ctype.h>
+ 
+-#define DO_TEST(mode, nopad, slen, fill, dlen, hash)                    \
+-  SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported")     \
+-  {                                                                     \
+-    memset(src, fill, src_len= slen);                                   \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT,              \
+-                    src, src_len, dst, &dst_len,                        \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-      "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad");     \
+-    if (!nopad)                                                         \
+-      ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
+-    my_md5(md5, (char*)dst, dst_len);                                   \
+-    ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5");  \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,              \
+-                    dst, dst_len, ddst, &ddst_len,                      \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-       "decrypt " #mode " %u", dst_len);                                \
+-    ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+                 unsigned int slen, unsigned char *dst, unsigned int *dlen,
+                 const unsigned char *key, unsigned int klen,
+                 const unsigned char *iv, unsigned int ivlen)
+{
+  /* Allocate context on odd address on stack, in order to
+   catch misalignment errors.*/
+  void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+  int res1, res2;
+  uint d1= 0, d2;
+  uint i;
+
+  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+    return res1;
+  for (i= 0; i < slen; i++)
+  {
+    uint tmp_d1=0;
+    res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+    if (res1)
+      return res1;
+    d1+= tmp_d1;
+    dst+= tmp_d1;
+  }
+  res2= my_aes_crypt_finish(ctx, dst, &d2);
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x)  (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+                    char fill, size_t dlen, const char *hash)
+{
+  uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+  uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+  uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+  uchar md5[MY_MD5_HASH_SIZE];
+  uint src_len, dst_len, dst_len2, ddst_len;
+  int result;
+
+  if (MY_AES_UNSUPPORTED(mode))
+  {
+    skip(nopad?7:6, "%s not supported", mode_str);
+    return;
+  }
+  memset(src, fill, src_len= slen);
+  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+                       dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+  ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+     nopad ? "nopad" : "pad");
+
+  if (nopad)
+  {
+    result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+                                src_len, dst2, &dst_len2, key, sizeof(key),
+                                iv, sizeof(iv));
+    ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+    /* Compare with non-bytewise encryption result*/
+    ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+       "memcmp bytewise  %s %u", mode_str, src_len);
+  }
+  else
+  {
+    int dst_len_real= my_aes_get_size(mode, src_len);
+    ok(dst_len_real= dst_len, "my_aes_get_size");
+   }
+  my_md5(md5, (char *) dst, dst_len);
+  ok(dst_len == dlen, "md5 len");
+  ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+                       dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+                       sizeof(iv));
+
+  ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+  ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
+ 
+-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
+-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
+ 
+ /* useful macro for debugging */
+ #define PRINT_MD5()                                     \
+@@ -53,25 +122,15 @@
+     printf("\"\n");                                     \
+   } while(0);
+ 
+-#ifndef HAVE_EncryptAes128Ctr
+-const uint MY_AES_CTR=0xDEADBEAF;
+-#endif
+-#ifndef HAVE_EncryptAes128Gcm
+-const uint MY_AES_GCM=0xDEADBEAF;
+-#endif
+ 
+ int
+ main(int argc __attribute__((unused)),char *argv[])
+ {
+-  uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
+-  uchar iv[16]=  {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
+-  uchar src[1000], dst[1100], ddst[1000];
+-  uchar md5[MY_MD5_HASH_SIZE];
+-  uint src_len, dst_len, ddst_len;
+ 
+   MY_INIT(argv[0]);
+ 
+-  plan(87);
+  plan(122);
+
+   DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
+   DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
+   DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
--- a/component/nodejs/buildout.cfg
+++ b/component/nodejs/buildout.cfg
@@ -64,11 +64,13 @@ md5sum = c5ab3e98977dfd639d830625d79eff52
 <= nodejs-base
 version = v14.16.0
 md5sum = 7dc3666f407bf4e12a01ce1be2883d31
+openssl-location = ${openssl-1.1:location}

 [nodejs-12.18.3]
 <= nodejs-base
 version = v12.18.3
 md5sum = 28bf6a4d98b238403fa58a0805f4a979
+openssl-location = ${openssl-1.1:location}
 PATH = ${pkgconfig:location}/bin:${python2.7:location}/bin:%(PATH)s
 configure-command = ./configure


--- a/component/open62541/buildout.cfg
+++ b/component/open62541/buildout.cfg
@@ -17,8 +17,9 @@ max_version = 11
 [open62541]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://github.com/open62541/open62541/archive/refs/heads/pack/v1.3.zip
-md5sum = c2e9938f082b027110fba538de76684c
+tag = v1.3.4
+url = https://github.com/open62541/open62541/archive/refs/heads/pack/${:tag}.zip
+md5sum = b9c1d3ae9d7593941108f46036f29ccc
 patch-options = -p1
 patches =
  ${:_profile_base_location_}/ipv6_bugfix.patch#355bec02adee4ea73ff5a56ba6971ad2

--- a/component/openssl/buildout.cfg
+++ b/component/openssl/buildout.cfg
@@ -14,11 +14,9 @@ extends =
 parts =
  openssl-output

-[openssl]
+[openssl-common]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://www.openssl.org/source/openssl-1.1.1w.tar.gz
-md5sum = 3f76825f195e52d4b10c70040681a275
 location = @@LOCATION@@
 # 'prefix' option to override --openssldir/--prefix (which is useful
 # when combined with DESTDIR). Used by slapos.package.git/obs
@@ -46,12 +44,26 @@ make-targets =
 environment =
  PERL=${perl:location}/bin/perl

+[openssl-3.0]
+<= openssl-common
+url = https://www.openssl.org/source/openssl-3.0.13.tar.gz
+md5sum = c15e53a62711002901d3515ac8b30b86
+
 [openssl-quictls]
-<= openssl
-# XXX tag missing for 1.1.1w
-# url = https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1w-quic1.tar.gz
-url = https://github.com/quictls/openssl/archive/612d8e44d687e4b71c4724319d7aa27a733bcbca.tar.gz
-md5sum =4a06f8b195e817c8a0d94ebdbc7c7bb7
+<= openssl-3.0
+url = https://github.com/quictls/openssl/archive/refs/tags/openssl-3.0.13-quic1.tar.gz
+md5sum = ff6a1f5fc5e7ea03aba9c97e7f26d97d
+
+[openssl-1.1]
+<= openssl-common
+url = https://www.openssl.org/source/openssl-1.1.1w.tar.gz
+md5sum = 3f76825f195e52d4b10c70040681a275
+
+[openssl]
+<= openssl-3.0
+
+[openssl:python2]
+<= openssl-1.1

 [openssl-output]
 # Shared binary location to ease migration

--- a/component/openvpn/buildout.cfg
+++ b/component/openvpn/buildout.cfg
 [buildout]
 extends =
+  ../libcap-ng/buildout.cfg
  ../lzo/buildout.cfg
  ../openssl/buildout.cfg
  ../flex/buildout.cfg
@@ -10,10 +11,11 @@ parts =

 [openvpn]
 recipe = slapos.recipe.cmmi
-url = https://swupdate.openvpn.org/community/releases/openvpn-${:version}.tar.xz
-version = 2.4.7
-md5sum = 4ad8a008e1e7f261b3aa0024e79e7fb7
+url = https://build.openvpn.net/downloads/releases/openvpn-${:version}.tar.gz
+version = 2.6.8
+md5sum = 427fe070a4ab9fd78dc64195458dc361
 configure-options =
+  --disable-lz4
  --disable-dependency-tracking
  --disable-plugin-auth-pam
  --enable-iproute2
@@ -21,6 +23,8 @@ environment =
  PATH=${xz-utils:location}/bin:%(PATH)s
  LZO_LIBS=-L${lzo:location}/lib -llzo2
  LZO_CFLAGS=-I${lzo:location}/include
+  LIBCAPNG_LIBS=-L${libcap-ng:location}/lib -lcap-ng
+  LIBCAPNG_CFLAGS=-I${libcap-ng:location}/include
  OPENSSL_LIBS=-L${openssl:location}/lib -lcrypto -lssl
  OPENSSL_CFLAGS=-I${openssl:location}/include
  LDFLAGS =-Wl,-rpath=${lzo:location}/lib -Wl,-rpath=${flex:location}/lib -Wl,-rpath=${openssl:location}/lib

--- a/component/proxysql/buildout.cfg
+++ b/component/proxysql/buildout.cfg
@@ -12,11 +12,11 @@ extends =
  ../libtool/buildout.cfg
  ../m4/buildout.cfg
  ../openssl/buildout.cfg
-  ../patch/buildout.cfg
  ../pcre/buildout.cfg
  ../perl/buildout.cfg
 # https://github.com/libinjection/libinjection/issues/4
  ../python-2.7/buildout.cfg
+  ../util-linux/buildout.cfg
  ../defaults.cfg

 parts =
@@ -28,9 +28,9 @@ max_version = 11
 [proxysql]
 recipe = slapos.recipe.cmmi
 shared = true
-version = v2.3.2
+version = v2.4.8
 url = https://github.com/sysown/proxysql/archive/refs/tags/${:version}.tar.gz
-md5sum = 969129ac43c9f64641509891a116e0e1
+md5sum = 17f31d5764b0e529a3b94f7db82794e4
 configure-command = true
 make-options = GIT_VERSION=${:version}
 # The install target does not honor DESTDIR:
@@ -40,15 +40,11 @@ post-install =
  install -Dt %(location)s/bin %(make-targets)s
 environment =
  PKG_CONFIG_PATH=${openssl:location}/lib/pkgconfig:${gnutls:location}/lib/pkgconfig:${libgcrypt:location}/lib/pkgconfig:${zlib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig
-  PATH=${m4:location}/bin:${libtool:location}/bin:${libgcrypt:location}/bin:${curl:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:${bzip2:location}/bin:${autoconf:location}/bin:${git:location}/bin:${automake:location}/bin:${patch:location}/bin:${cmake:location}/bin:${python2.7:location}/bin:%(PATH)s
-  CXXFLAGS=-I${openssl:location}/include -I${gnutls:location}/include -I${zlib:location}/include
+  PATH=${m4:location}/bin:${libtool:location}/bin:${libgcrypt:location}/bin:${curl:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:${bzip2:location}/bin:${autoconf:location}/bin:${git:location}/bin:${automake:location}/bin:${cmake:location}/bin:${python2.7:location}/bin:%(PATH)s
+  CXXFLAGS=-I${openssl:location}/include -I${gnutls:location}/include -I${libuuid:location}/include -I${zlib:location}/include
  CFLAGS=-I${gnutls:location}/include
-  LDFLAGS=-L${openssl:location}/lib -Wl,-rpath -Wl,${gnutls:location}/lib -L${gnutls:location}/lib -Wl,-rpath=${curl:location}/lib -L${libtool:location}/lib -L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib -L${curl:location}/lib -L${pcre:location}/lib -L${jemalloc:location}/lib -L${libmicrohttpd:location}/lib
+  LDFLAGS=-L${openssl:location}/lib -Wl,-rpath -Wl,${gnutls:location}/lib -L${gnutls:location}/lib -Wl,-rpath=${curl:location}/lib -L${libtool:location}/lib -Wl,-rpath -Wl,${libuuid:location}/lib -L${libuuid:location}/lib -L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib -L${curl:location}/lib -L${pcre:location}/lib -L${jemalloc:location}/lib -L${libmicrohttpd:location}/lib
  CMAKE_INCLUDE_PATH=${openssl:location}/include:${gnutls:location}/include:${curl:location}/include:${pcre:location}/include:${jemalloc:location}/include:${libmicrohttpd:location}/include:${zlib:location}/include
  CMAKE_LIBRARY_PATH=${openssl:location}/lib:${gnutls:location}/lib:${curl:location}/lib:${pcre:location}/lib:${jemalloc:location}/lib:${libmicrohttpd:location}/lib:${zlib:location}/lib
  LIBTOOL=libtool
  ACLOCAL_PATH=${pkgconfig:location}/share/aclocal:${libtool:location}/share/aclocal
-patch-options = -p1
-patches =
-# PR #3402 (mariadb_client: backport patch to fix syntax error in cmake 3.20)
-  https://github.com/sysown/proxysql/commit/a3cfa56d257219f7610cd5711045bb5d84485a91.patch#34fd6366d4a75fde821cee93d25eee10
--- a/component/python-cryptography/buildout.cfg
+++ b/component/python-cryptography/buildout.cfg
@@ -12,6 +12,8 @@ recipe = zc.recipe.egg:custom
 egg = cryptography
 environment = python-cryptography-env
 setup-eggs = ${python-cffi:egg}
+cryptography-patches = ${:_profile_base_location_}/cryptography-3.3.2-openssl-3.0.patch#aa055c3cfab6110fd616f2de049e1388
+cryptography-patch-options = -p0
 library-dirs =
  ${openssl:location}/lib/
 rpath =

--- a/component/python-cryptography/cryptography-3.3.2-openssl-3.0.patch
+++ b/component/python-cryptography/cryptography-3.3.2-openssl-3.0.patch
+Minimal changes to support OpenSSL 3.0 based on the following commits :
+
+* f08a7de651f9e6475c8c0a67d2a61ed8b669ddf6 [WIP] 3.0.0 support (#5250)
+* 50ec692749b7e2e62685b443f5e629627b03987e remove unneeded binding (#6150)
+* 77fb53c75e47f50e09b1b3be3a4d10c7e4e34dc2 3.0.0 deprecated func and it isn't useful to us in general (#6148)
+
+diff --git src/_cffi_src/build_openssl.py src/_cffi_src/build_openssl.py
+index 4380c3396..928f5fe4f 100644
+--- src/_cffi_src/build_openssl.py
+++ src/_cffi_src/build_openssl.py
+@@ -105,6 +105,7 @@ ffi = build_ffi_for_binding(
+         "osrandom_engine",
+         "pem",
+         "pkcs12",
+        "provider",
+         "rand",
+         "rsa",
+         "ssl",
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index f24bee5a4..920a86dea 100644
+--- src/_cffi_src/openssl/cryptography.py
+++ src/_cffi_src/openssl/cryptography.py
+@@ -35,6 +35,8 @@ INCLUDES = """
+ 
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+     (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
+    (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ 
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+     (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
+@@ -54,6 +56,7 @@ INCLUDES = """
+ 
+ TYPES = """
+ static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
+ 
+ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
+ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
+diff --git src/_cffi_src/openssl/err.py src/_cffi_src/openssl/err.py
+index 0dd741467..c2486953d 100644
+--- src/_cffi_src/openssl/err.py
+++ src/_cffi_src/openssl/err.py
+@@ -19,6 +19,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM;
+ 
+ static const int ERR_LIB_EVP;
+ static const int ERR_LIB_PEM;
+static const int ERR_LIB_PROV;
+ static const int ERR_LIB_ASN1;
+ static const int ERR_LIB_PKCS12;
+ 
+@@ -40,10 +41,14 @@ void ERR_clear_error(void);
+ void ERR_put_error(int, int, int, const char *, int);
+ 
+ int ERR_GET_LIB(unsigned long);
+-int ERR_GET_FUNC(unsigned long);
+ int ERR_GET_REASON(unsigned long);
+ 
+ """
+ 
+ CUSTOMIZATIONS = """
+/* This define is tied to provider support and is conditionally
+   removed if Cryptography_HAS_PROVIDERS is false */
+#ifndef ERR_LIB_PROV
+#define ERR_LIB_PROV 0
+#endif
+ """
+diff --git src/_cffi_src/openssl/fips.py src/_cffi_src/openssl/fips.py
+index c92bca494..38bfa231f 100644
+--- src/_cffi_src/openssl/fips.py
+++ src/_cffi_src/openssl/fips.py
+@@ -18,7 +18,7 @@ int FIPS_mode(void);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+ static const long Cryptography_HAS_FIPS = 0;
+ int (*FIPS_mode_set)(int) = NULL;
+ int (*FIPS_mode)(void) = NULL;
+diff --git src/_cffi_src/openssl/provider.py src/_cffi_src/openssl/provider.py
+new file mode 100644
+index 000000000..d7d659ea5
+--- /dev/null
+++ src/_cffi_src/openssl/provider.py
+@@ -0,0 +1,40 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+INCLUDES = """
+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+#include <openssl/provider.h>
+#include <openssl/proverr.h>
+#endif
+"""
+
+TYPES = """
+static const long Cryptography_HAS_PROVIDERS;
+
+typedef ... OSSL_PROVIDER;
+typedef ... OSSL_LIB_CTX;
+
+static const long PROV_R_BAD_DECRYPT;
+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH;
+"""
+
+FUNCTIONS = """
+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *);
+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+static const long Cryptography_HAS_PROVIDERS = 1;
+#else
+static const long Cryptography_HAS_PROVIDERS = 0;
+typedef void OSSL_PROVIDER;
+typedef void OSSL_LIB_CTX;
+static const long PROV_R_BAD_DECRYPT = 0;
+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0;
+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL;
+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL;
+#endif
+"""
+diff --git src/cryptography/hazmat/backends/openssl/backend.py src/cryptography/hazmat/backends/openssl/backend.py
+index 45d4a1a1e..1b48355da 100644
+--- src/cryptography/hazmat/backends/openssl/backend.py
+++ src/cryptography/hazmat/backends/openssl/backend.py
+@@ -1307,6 +1307,11 @@ class Backend(object):
+     def _evp_pkey_from_der_traditional_key(self, bio_data, password):
+         key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL)
+         if key != self._ffi.NULL:
+            # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will
+            # successfully load but errors are still put on the stack. Tracked
+            # as https://github.com/openssl/openssl/issues/14996
+            self._consume_errors()
+
+             key = self._ffi.gc(key, self._lib.EVP_PKEY_free)
+             if password is not None:
+                 raise TypeError(
+@@ -1474,6 +1479,11 @@ class Backend(object):
+             else:
+                 self._handle_key_loading_error()
+ 
+        # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will
+        # successfully load but errors are still put on the stack. Tracked
+        # as https://github.com/openssl/openssl/issues/14996
+        self._consume_errors()
+
+         evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ 
+         if password is not None and userdata.called == 0:
+@@ -1496,11 +1506,22 @@ class Backend(object):
+                 "incorrect format or it may be encrypted with an unsupported "
+                 "algorithm."
+             )
+-        elif errors[0]._lib_reason_match(
+-            self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
+-        ) or errors[0]._lib_reason_match(
+-            self._lib.ERR_LIB_PKCS12,
+-            self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
+
+        elif (
+            errors[0]._lib_reason_match(
+                self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
+            )
+            or errors[0]._lib_reason_match(
+                self._lib.ERR_LIB_PKCS12,
+                self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
+            )
+            or (
+                self._lib.Cryptography_HAS_PROVIDERS
+                and errors[0]._lib_reason_match(
+                    self._lib.ERR_LIB_PROV,
+                    self._lib.PROV_R_BAD_DECRYPT,
+                )
+            )
+         ):
+             raise ValueError("Bad decrypt. Incorrect password?")
+ 
+@@ -2546,7 +2567,15 @@ class Backend(object):
+         if sk_x509_ptr[0] != self._ffi.NULL:
+             sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free)
+             num = self._lib.sk_X509_num(sk_x509_ptr[0])
+-            for i in range(num):
+
+            # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the
+            # certificates.
+            if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+                indices = range(num)
+            else:
+                indices = reversed(range(num))
+
+            for i in indices:
+                 x509 = self._lib.sk_X509_value(sk_x509, i)
+                 self.openssl_assert(x509 != self._ffi.NULL)
+                 x509 = self._ffi.gc(x509, self._lib.X509_free)
+diff --git src/cryptography/hazmat/backends/openssl/ciphers.py src/cryptography/hazmat/backends/openssl/ciphers.py
+index ad5dad3f7..f4c869a40 100644
+--- src/cryptography/hazmat/backends/openssl/ciphers.py
+++ src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -146,7 +146,14 @@ class _CipherContext(object):
+             res = self._backend._lib.EVP_CipherUpdate(
+                 self._ctx, outbuf, outlen, inbuf, inlen
+             )
+-            self._backend.openssl_assert(res != 0)
+            if res == 0 and isinstance(self._mode, modes.XTS):
+                self._backend._consume_errors()
+                raise ValueError(
+                    "In XTS mode you must supply at least a full block in the "
+                    "first update call. For AES this is 16 bytes."
+                )
+            else:
+                self._backend.openssl_assert(res != 0)
+             data_processed += inlen
+             total_out += outlen[0]
+ 
+@@ -175,6 +182,13 @@ class _CipherContext(object):
+                 errors[0]._lib_reason_match(
+                     self._backend._lib.ERR_LIB_EVP,
+                     self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,
+                )
+                or (
+                    self._backend._lib.Cryptography_HAS_PROVIDERS
+                    and errors[0]._lib_reason_match(
+                        self._backend._lib.ERR_LIB_PROV,
+                        self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH,
+                    )
+                 ),
+                 errors=errors,
+             )
+diff --git src/cryptography/hazmat/bindings/openssl/_conditional.py src/cryptography/hazmat/bindings/openssl/_conditional.py
+index ca50fed13..fdcead1a5 100644
+--- src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ src/cryptography/hazmat/bindings/openssl/_conditional.py
+@@ -271,6 +271,16 @@ def cryptography_has_get_proto_version():
+     ]
+ 
+ 
+def cryptography_has_providers():
+    return [
+        "OSSL_PROVIDER_load",
+        "OSSL_PROVIDER_unload",
+        "ERR_LIB_PROV",
+        "PROV_R_WRONG_FINAL_BLOCK_LENGTH",
+        "PROV_R_BAD_DECRYPT",
+    ]
+
+
+ # This is a mapping of
+ # {condition: function-returning-names-dependent-on-that-condition} so we can
+ # loop over them and delete unsupported names at runtime. It will be removed
+@@ -319,4 +329,5 @@ CONDITIONAL_NAMES = {
+     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
+     "Cryptography_HAS_SRTP": cryptography_has_srtp,
+     "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
+    "Cryptography_HAS_PROVIDERS": cryptography_has_providers,
+ }
+diff --git src/cryptography/hazmat/bindings/openssl/binding.py src/cryptography/hazmat/bindings/openssl/binding.py
+index 7a84a340e..c0b0d8238 100644
+--- src/cryptography/hazmat/bindings/openssl/binding.py
+++ src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -15,15 +15,14 @@ from cryptography.hazmat.bindings._openssl import ffi, lib
+ from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
+ 
+ _OpenSSLErrorWithText = collections.namedtuple(
+-    "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"]
+    "_OpenSSLErrorWithText", ["code", "lib", "reason", "reason_text"]
+ )
+ 
+ 
+ class _OpenSSLError(object):
+-    def __init__(self, code, lib, func, reason):
+    def __init__(self, code, lib, reason):
+         self._code = code
+         self._lib = lib
+-        self._func = func
+         self._reason = reason
+ 
+     def _lib_reason_match(self, lib, reason):
+@@ -31,7 +30,6 @@ class _OpenSSLError(object):
+ 
+     code = utils.read_only_property("_code")
+     lib = utils.read_only_property("_lib")
+-    func = utils.read_only_property("_func")
+     reason = utils.read_only_property("_reason")
+ 
+ 
+@@ -43,10 +41,9 @@ def _consume_errors(lib):
+             break
+ 
+         err_lib = lib.ERR_GET_LIB(code)
+-        err_func = lib.ERR_GET_FUNC(code)
+         err_reason = lib.ERR_GET_REASON(code)
+ 
+-        errors.append(_OpenSSLError(code, err_lib, err_func, err_reason))
+        errors.append(_OpenSSLError(code, err_lib, err_reason))
+ 
+     return errors
+ 
+@@ -60,7 +57,7 @@ def _errors_with_text(errors):
+ 
+         errors_with_text.append(
+             _OpenSSLErrorWithText(
+-                err.code, err.lib, err.func, err.reason, err_text_reason
+                err.code, err.lib, err.reason, err_text_reason
+             )
+         )
+ 
+@@ -140,6 +137,24 @@ class Binding(object):
+                 # adds all ciphers/digests for EVP
+                 cls.lib.OpenSSL_add_all_algorithms()
+                 cls._register_osrandom_engine()
+                # As of OpenSSL 3.0.0 we must register a legacy cipher provider
+                # to get RC2 (needed for junk asymmetric private key
+                # serialization), RC4, Blowfish, IDEA, SEED, etc. These things
+                # are ugly legacy, but we aren't going to get rid of them
+                # any time soon.
+                if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+                    cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
+                        cls.ffi.NULL, b"legacy"
+                    )
+                    _openssl_assert(
+                        cls.lib, cls._legacy_provider != cls.ffi.NULL
+                    )
+                    cls._default_provider = cls.lib.OSSL_PROVIDER_load(
+                        cls.ffi.NULL, b"default"
+                    )
+                    _openssl_assert(
+                        cls.lib, cls._default_provider != cls.ffi.NULL
+                    )
+ 
+     @classmethod
+     def init_static_locks(cls):
--- a/component/qjs-wrapper/buildout.cfg
+++ b/component/qjs-wrapper/buildout.cfg
@@ -19,4 +19,4 @@ path = ${qjs-wrapper-source:location}
 autopilot-wrapper =
 environment =
  C_INCLUDE_PATH=include:${open62541:location}/include:${open62541:location}/deps:${open62541:location}/src/pubsub:${quickjs:location}/include
-  LDFLAGS=-L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -L${:autopilot-wrapper}/lib -Wl,-rpath=${:autopilot-wrapper}/lib
+  LDFLAGS=-L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -L${:autopilot-wrapper}/lib -Wl,-rpath=${:autopilot-wrapper}/lib -fPIC
--- a/component/serf/buildout.cfg
+++ b/component/serf/buildout.cfg
@@ -5,16 +5,16 @@ extends =
  ../apache/buildout.cfg
  ../util-linux/buildout.cfg
  ../openssl/buildout.cfg
-  ../python-2.7/buildout.cfg
+  ../python3/buildout.cfg
  ../zlib/buildout.cfg

 [serf]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://archive.apache.org/dist/serf/serf-1.3.9.tar.bz2
-md5sum = 370a6340ff20366ab088012cd13f2b57
+url = https://archive.apache.org/dist/serf/serf-1.3.10.tar.bz2
+md5sum = 5320087299084c297eff8e1dacfab1af
 scons-command =
-  ${python2.7:location}/bin/python ${scons:location}/scons.py \
+  ${python3:location}/bin/python3 ${scons:location}/scons.py \
  APR="${apr:location}" \
  APU="${apr-util:location}" \
  OPENSSL="${openssl:location}" \
@@ -27,6 +27,6 @@ make-binary = ${:scons-command}
 [scons]
 recipe = slapos.recipe.build:download-unpacked
 shared = true
-url = https://prdownloads.sourceforge.net/scons/scons-local-2.3.0.tar.gz
-md5sum = d262e6c6da620488d2226fabc8aabf09
+url = https://prdownloads.sourceforge.net/scons/scons-local-4.7.0.tar.gz
+md5sum = 61be0562efe3aac81dfc807bdd94a4b2
 strip-top-level-dir = false
--- a/software/fluentd/buildout.hash.cfg
+++ b/software/fluentd/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [instance-profile]
 filename = instance.cfg
-md5sum = 82c476f22e6b55b674640abef959c3c2
+md5sum = 1fe38a024766347454ad7a3d9fb52d01

 [template-fluentd]
 filename = instance-fluentd.cfg

--- a/software/fluentd/instance-input-schema.json
+++ b/software/fluentd/instance-input-schema.json
@@ -4,10 +4,11 @@
  "description": "Parameters to instantiate Fluentd",
  "additionalProperties": false,
  "properties": {
-    "conf_text": {
-      "description": "Fluentd configuration. You can write it entirely by yourself. See fluentd-agent.conf.jinja2.in",
-      "default": "",
-      "type": "string"
+    "conf-text": {
+      "title": "Configuration",
+      "description": "Fluentd configuration. See: https://docs.fluentd.org/configuration",
+      "type": "string",
+      "textarea": true
    }
  }
 }
--- a/software/fluentd/instance.cfg
+++ b/software/fluentd/instance.cfg
@@ -42,7 +42,7 @@ recipe = slapos.recipe.build
 slapparameter-dict = $${slap-configuration:configuration}
 init =
  import re
-  options['text'] = options['slapparameter-dict'].get('conf_text') or ' '
+  options['text'] = options['slapparameter-dict'].get('conf-text') or ' '
  options['port-list'] = re.findall(r'<source>.*port (\d+).*<\/source>', options['text'], re.DOTALL)

 [fluentd-agent-conf]

--- a/software/fluentd/software.cfg.json
+++ b/software/fluentd/software.cfg.json
+{
+  "name": "Fluentd",
+  "description": "Fluentd",
+  "serialisation": "xml",
+  "software-type": {
+    "default": {
+      "title": "Default",
+      "description": "Fluentd",
+      "request": "instance-input-schema.json",
+      "index": 0
+    }
+  }
+}
--- a/software/fluentd/test/test.py
+++ b/software/fluentd/test/test.py
@@ -88,7 +88,7 @@ class WendelinTutorialTestCase(FluentdTestCase):

  @classmethod
  def getInstanceParameterDict(cls):
-    return {'conf_text': cls._conf,}
+    return {'conf-text': cls._conf,}

  @classmethod
  def measureDict(cls):

--- a/software/js-drone/software-c-astral.cfg
+++ b/software/js-drone/software-c-astral.cfg
@@ -21,7 +21,7 @@ url = https://lab.nexedi.com/nexedi/c-astral-wrapper/-/archive/v2.1/c-astral-wra
 md5sum = cca66724e1b7a61c1b9559fde95c420b
 environment =
  CPLUS_INCLUDE_PATH=${qjs-wrapper-source:location}/include:${mavsdk:location}/include:${mavsdk:location}/include/mavsdk
-  LDFLAGS=-L${mavsdk:location}/lib -Wl,-rpath=${mavsdk:location}/lib
+  LDFLAGS=-L${mavsdk:location}/lib -Wl,-rpath=${mavsdk:location}/lib -fPIC

 [qjs-wrapper]
 autopilot-wrapper = ${c-astral-wrapper:location}

--- a/software/osie-coupler/buildout.hash.cfg
+++ b/software/osie-coupler/buildout.hash.cfg
 [instance-profile]
 filename = instance.cfg.in
-md5sum = 9ca5ddf6bed34861a17e3352dacc4813
+md5sum = 17549c62b5ad20cfe2520fb2ef133c22
--- a/software/osie-coupler/instance.cfg.in
+++ b/software/osie-coupler/instance.cfg.in
@@ -39,7 +39,7 @@ configuration.opc_ua_port = 4840
 configuration.id = 0
 configuration.heart_beat = 0
 configuration.heart_beat_interval = 50
-configuration.heart_beat_id_list =
+configuration.heart_beat_id_list = ""
 configuration.network_address_url_data_type = opc.udp://224.0.0.22:4840/
 configuration.heart_beat_timeout_interval = 100
 configuration.network_interface = ""

--- a/software/osie-coupler/software.cfg
+++ b/software/osie-coupler/software.cfg
@@ -17,15 +17,9 @@ extends =
 # we want this SR to use a fixed gcc (so that we have the same gcc as open62541 component)
 max_version = 0

-# we need open62541's sources even after compiling and linking in [open62541]
-# section. Reasons is that coupler's C application depends on it.
-[open62541-source]
-recipe = slapos.recipe.build:download-unpacked
-shared = true
-url = ${open62541:url}
-md5sum = ${open62541:md5sum}
-
 [open62541]
+pre-configure +=
+  ${git:location}/bin/git clone -b v1.1.6 https://github.com/LiamBindle/MQTT-C.git deps/mqtt-c
 configure-options =
  -DBUILD_SHARED_LIBS=ON
  -DCMAKE_BUILD_TYPE=Release
@@ -44,6 +38,10 @@ configure-options =
  -DUA_ENABLE_PUBSUB_MQTT=ON
 environment +=
  LDFLAGS=-L${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib
+# we need open62541's sources even after compiling and linking in [open62541]
+# section. Reasons is that coupler's C application depends on it.
+keep-compile-dir = true
+source-location = @@LOCATION@@/.build/open62541-pack-${open62541:tag}

 [osie-repository]
 recipe  = slapos.recipe.build:gitclone
@@ -58,8 +56,8 @@ bin_dir = ${:path}/bin/
 environment =
  PATH=${gcc:prefix}/bin:/usr/bin
  OPEN62541_HOME = ${open62541:location}
-  OPEN62541_SOURCE_HOME = ${open62541-source:location}
-  C_COMPILER_EXTRA_FLAGS = -L ${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib -l:libopen62541.so -L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -I${open62541:location}/include -I${open62541-source:location}/src/pubsub/ -I${open62541-source:location}/deps
+  OPEN62541_SOURCE_HOME = ${open62541:source-location}
+  C_COMPILER_EXTRA_FLAGS = -L ${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib -l:libopen62541.so -L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -I${open62541:location}/include -I${open62541:source-location}/src/pubsub/ -I${open62541:source-location}/deps
 configure-command = true

 [instance-profile]

--- a/stack/slapos.cfg
+++ b/stack/slapos.cfg
@@ -176,7 +176,7 @@ collective.recipe.template = 2.0
 configparser = 4.0.2:whl
 contextlib2 = 0.6.0.post1
 croniter = 0.3.25
-cryptography = 3.3.2
+cryptography = 3.3.2+SlapOSPatched001
 dataclasses = 0.8
 dateparser = 0.7.6
 decorator = 4.3.0