Merge branch 'erp5-component' into erp5

component/apache/buildout.cfg

@@ -18,23 +18,26 @@ extends =
 [apr]
 recipe = hexagonit.recipe.download
 version = 1.5.0
-url = http://mir2.ovh.net/ftp.apache.org/dist/apr/apr-${:version}.tar.bz2
 md5sum = cc93bd2c12d0d037f68e21cc6385dc31
+url = https://archive.apache.org/dist/apr/apr-${:version}.tar.bz2
 
 [apr-util]
 recipe = hexagonit.recipe.download
 version = 1.5.3
-url = http://mir2.ovh.net/ftp.apache.org/dist/apr/apr-util-${:version}.tar.bz2
+url = https://archive.apache.org/dist/apr/apr-util-${:version}.tar.bz2
 md5sum = 6f3417691c7a27090f36e7cf4d94b36e
 
 [apache]
+# apache-antiloris should be rebuilt when apache is rebuilt. to
+# achieve this, please modify 'revision' value below each time you
+# modify anything (but version) in [apache] target.
 # inspired on http://old.aclark.net/team/aclark/blog/a-lamp-buildout-for-wordpress-and-other-php-apps/
 recipe = slapos.recipe.cmmi
 depends =
   ${gdbm:version}
 version = 2.4.10
-revision = 1
-url = http://mir2.ovh.net/ftp.apache.org/dist/httpd/httpd-${:version}.tar.bz2
+revision = 2
+url = https://archive.apache.org/dist/httpd/httpd-${:version}.tar.bz2
 md5sum = 44543dff14a4ebc1e9e2d86780507156
 configure-command = cp -ar ${apr:location}/apr-${apr:version} srclib/apr/; cp -ar ${apr-util:location}/apr-util-${apr-util:version} srclib/apr-util; ./configure
 configure-options = --prefix=${buildout:parts-directory}/${:_buildout_section_name_}
@@ -114,10 +117,14 @@ make-options = -i -a -n antiloris mod_antiloris.la
 make-targets =
 
 [apache-2.2]
+# apache-antiloris-apache-2.2 should be rebuilt when apache-2.2 is
+# rebuilt. to achieve this, please modify 'revision' value below each
+# time you modify anything (but version) in [apache] target.
 # inspired on http://old.aclark.net/team/aclark/blog/a-lamp-buildout-for-wordpress-and-other-php-apps/
 recipe = slapos.recipe.cmmi
 version = 2.2.27
-url = http://mir2.ovh.net/ftp.apache.org/dist/httpd/httpd-${:version}.tar.bz2
+revision = 1
+url = https://archive.apache.org/dist/httpd/httpd-${:version}.tar.bz2
 md5sum = 8faef0decf3fa7e69b2568eb2105a3d8
 patch-options = -p1
 configure-options = --disable-static
@@ -181,6 +188,7 @@ url = http://downloads.sourceforge.net/project/mod-antiloris/mod_antiloris-0.4.t
 md5sum = 66862bf10e9be3a023e475604a28a0b4
 depends =
   ${apache-2.2:version}
+  ${apache-2.2:revision}
 configure-command = ${apache-2.2:location}/bin/apxs
 configure-options = -c mod_antiloris.c
 make-binary = ${:configure-command}

component/coreutils/buildout.cfg

@@ -6,8 +6,8 @@ parts =
 
 [coreutils]
 recipe = slapos.recipe.cmmi
-url = http://ftp.gnu.org/gnu/coreutils/coreutils-8.21.tar.xz
-md5sum = 065ba41828644eca5dd8163446de5d64
+url = http://ftp.gnu.org/gnu/coreutils/coreutils-8.23.tar.xz
+md5sum = abed135279f87ad6762ce57ff6d89c41
 configure-options =
   --prefix=${buildout:parts-directory}/${:_buildout_section_name_} --enable-install-program=tr,basename,uname,cat,cp,ls
 environment =

component/cups/buildout.cfg

@@ -9,8 +9,8 @@ extends =
 # for now we build and install library and header files only.
 [cups]
 recipe = slapos.recipe.cmmi
-url = http://www.cups.org/software/1.7.1/cups-1.7.1-source.tar.bz2
-md5sum = 55277c40fd4b7183dc3671d39c5c42b7
+url = http://www.cups.org/software/1.7.4/cups-1.7.4-source.tar.bz2
+md5sum = 1a2295c2b2d2f422db2e50f40ed2fb99
 configure-options =
   --disable-static
   --disable-dbus

component/gettext/buildout.cfg

@@ -10,8 +10,8 @@ extends =
 
 [gettext]
 recipe = slapos.recipe.cmmi
-url = http://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.1.tar.xz
-md5sum = b52987f49bc99fa8b410270d47a9d52b
+url = http://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.2.tar.xz
+md5sum = 1e6a827f5fbd98b3d40bd16b803acc44
 
 configure-options =
   --disable-static

component/glibmm/buildout.cfg

@@ -17,7 +17,7 @@ pkg_config_depends = ${glib:location}/lib/pkgconfig:${libsigc:location}/lib/pkgc
 configure-options =
   --disable-documentation
 environment =
-  PATH=${perl:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s
+  PATH=${perl:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:${glib:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${:pkg_config_depends}
   CPPFLAGS=-I${gettext:location}/include
   LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib

component/groonga/buildout.cfg

@@ -11,9 +11,9 @@ extends =
 
 [groonga]
 recipe = slapos.recipe.cmmi
-version = 4.0.3
+version = 4.0.4
 url = http://packages.groonga.org/source/groonga/groonga-${:version}.tar.gz
-md5sum = 6f0cb64c0643fc2dd61df6fc542e17e2
+md5sum = b00411d2efae3ddf03eb1ecb8575177f
 configure-options =
   --disable-static
   --disable-glibtest

component/gtk-2/buildout.cfg

 [buildout]
 extends =
+  ../autoconf/buildout.cfg
+  ../libtool/buildout.cfg
+  ../automake/buildout.cfg
   ../bzip2/buildout.cfg
   ../fontconfig/buildout.cfg
   ../freetype/buildout.cfg
@@ -26,6 +29,11 @@ md5sum = a1304edcdc99282f478b995ee5f8f854
 depends =
   ${libpng:so_version}
 pkg_config_depends = ${libXext:location}/lib/pkgconfig:${libXext:pkg_config_depends}:${libpng:location}/lib/pkgconfig:${fontconfig:location}/lib/pkgconfig:${fontconfig:pkg_config_depends}:${pixman:location}/lib/pkgconfig:${glib:location}/lib/pkgconfig
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/cairo-fix_gcc4.9_ftbfs.patch#d4c843a655be8f1df548c9492d253359
+pre-configure =
+  autoreconf -vfi
 configure-options =
   --disable-static
   --disable-gtk-doc-html
@@ -35,8 +43,9 @@ configure-options =
   --disable-xcb
   --enable-ft
   --enable-fc
+  --disable-lto
 environment =
-  PATH=${freetype:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s
+  PATH=${freetype:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:${autoconf:location}/bin:${automake:location}/bin:${libtool:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${:pkg_config_depends}
   CPPFLAGS=-I${zlib:location}/include
   LDFLAGS=-L${bzip2:location}/lib -Wl,-rpath=${bzip2:location}/lib -L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib

component/gtk-2/cairo-fix_gcc4.9_ftbfs.patch

+From c3645d97ebd24c6f7ad850785d585aebc706a11c Mon Sep 17 00:00:00 2001
+From: Bryce Harrington <b.harrington@samsung.com>
+Date: Tue, 08 Jul 2014 20:14:20 +0000
+Subject: configure.ac: Add a --disable-lto configure option
+
+Link-Time Optimization seems to be stable enough with gcc 4.8 and 4.9,
+but has proven to be an issue in the past for many cairo users (webkit,
+efl, ubuntu, opensuse, gentoo, arch...) who carry patches to disable it.
+
+Gentoo's patch[1] adds a --disable-lto option to leave it enabled by
+default but give users the ability to work around lto related build
+problems (c.f. fdo #77060).  Patch appears to have been authored by
+Alexandre Rostovtsev[2].
+
+1: sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.12.16-lto-optional.patch
+2: https://bugs.gentoo.org/show_bug.cgi?id=509552
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=60852
+Signed-off-by: Bryce Harrington <b.harrington@samsung.com>
+Reviewed-by: Uli Schlachter <psychon@znc.in>
+---
+diff --git a/build/configure.ac.warnings b/build/configure.ac.warnings
+index f984eb2..a72d948 100644
+--- a/build/configure.ac.warnings
++++ b/build/configure.ac.warnings
+@@ -38,13 +38,18 @@ dnl options.  Namely, the following:
+ 
+ dnl -flto working really needs a test link, not just a compile
+ 
+-safe_MAYBE_WARN="$MAYBE_WARN"
+-MAYBE_WARN="$MAYBE_WARN -flto"
+-AC_TRY_LINK([],[
++AC_ARG_ENABLE(lto,
++  AS_HELP_STRING([--disable-lto],
++                 [Do not try to use Link-Time Optimization]))
++if test "x$enable_lto" != "xno"; then
++   safe_MAYBE_WARN="$MAYBE_WARN"
++   MAYBE_WARN="$MAYBE_WARN -flto"
++   AC_TRY_LINK([],[
+ 	int main(int argc, char **argv) { return 0; }
+-],[],[
++   ],[],[
+ 	MAYBE_WARN="$safe_MAYBE_WARN"
+-])
++   ])
++fi
+ 
+ MAYBE_WARN="$MAYBE_WARN -fno-strict-aliasing -fno-common"
+ 
+--
+cgit v0.9.0.2-2-gbebe

component/haproxy/buildout.cfg

@@ -11,8 +11,8 @@ parts = haproxy
 
 [haproxy]
 recipe = slapos.recipe.cmmi
-url = http://www.haproxy.org/download/1.5/src/haproxy-1.5.2.tar.gz
-md5sum = e854fed32ea751d6db7f366cb910225a
+url = http://www.haproxy.org/download/1.5/src/haproxy-1.5.3.tar.gz
+md5sum = e999a547d57445d5a5ab7eb6a06df9a1
 configure-command = true
 # If the system is running on Linux 2.6, we use "linux26" as the TARGET,
 # otherwise use "generic".

component/imagemagick/buildout.cfg

@@ -25,7 +25,7 @@ extends =
 [imagemagick]
 recipe = slapos.recipe.cmmi
 version = 6.8.9-1
-url = http://ftp.vim.org/ImageMagick/ImageMagick-${:version}.tar.xz
+url = http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/ImageMagick-${:version}.tar.xz
 md5sum = bde038ae05fb20d29cebf88ab9cbdce5
 depends =
   ${libtiff:version}

component/jasper/CVE-2011-4516-and-CVE-2011-4517.patch

+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilbert@gmail.com>
+Origin: Patch thanks to Red Hat
+Bug-Debian: http://bugs.debian.org/652649
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;

component/jasper/buildout.cfg

@@ -8,6 +8,11 @@ parts =
 recipe = slapos.recipe.cmmi
 url = http://www.ece.uvic.ca/~mdadams/jasper/software/jasper-1.900.1.zip
 md5sum = a342b2b4495b3e1394e161eb5d85d754
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/misc-fixes.patch#1202be8418907dfe58f819f7b47da24f
+  ${:_profile_base_location_}/fix-filename-buffer-overflow.patch#38403f9c82a18547beca16c9c6f4ce7a
+  ${:_profile_base_location_}/CVE-2011-4516-and-CVE-2011-4517.patch#a9676718ed016f66a3c76acf764c9e72
 # jasper configure script is not executable by default
 configure-command =
   /bin/sh ./configure --prefix=${buildout:parts-directory}/${:_buildout_section_name_} --disable-static --enable-shared --disable-opengl

component/jasper/fix-filename-buffer-overflow.patch

+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <stigge@antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY	0
+ #endif
+ 
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+  * Stream open flags.
+  */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+ 	int fd;
+ 	int flags;
+-	char pathname[L_tmpnam + 1];
++	char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+ 
+ #define	JAS_STREAM_FILEOBJ_DELONCLOSE	0x01

component/kumo/buildout.cfg

@@ -8,26 +8,14 @@ extends =
 parts = kumo
 find-links = http://www.nexedi.org/static/packages/source/
 
-[kumo-hooks-download]
-url = ${:_profile_base_location_}/${:filename}
-md5sum = 958a595a02de75624728f8d65e39d800
-recipe = hexagonit.recipe.download
-download-only=true
-filename = kumo-hooks.py
-
-[kumo-ipv6-multiip-patch-download]
-recipe = hexagonit.recipe.download
-url = ${:_profile_base_location_}/${:filename}
-filename = kumofs-0.4.13_ipv6support_multiiplistenfix.patch
-md5sum = 53af9f1f1375940841c589a6cbe11425
-download-only = true
-
 [kumo]
-pre-configure-hook = ${kumo-hooks-download:location}/${kumo-hooks-download:filename}:pre_configure_hook
-recipe = erp5.recipe.cmmiforcei686
+recipe = slapos.recipe.cmmi
 url = https://github.com/downloads/etolabo/kumofs/kumofs-0.4.13.tar.gz
 md5sum = 46148e9536222d0ad2ef36777c55714d
-patches = ${kumo-ipv6-multiip-patch-download:location}/${kumo-ipv6-multiip-patch-download:filename}
+pre-configure-hook = ${:_profile_base_location_}/kumo-hooks.py#958a595a02de75624728f8d65e39d800:pre_configure_hook
+patches =
+  ${:_profile_base_location_}/kumofs-0.4.13_ipv6support_multiiplistenfix.patch#53af9f1f1375940841c589a6cbe11425
+  ${:_profile_base_location_}/kumofs-0.4.13_fix_gcc-4.9_ftbfs.patch#c09e04c620ce11c3fdd4afc3459cd355
 patch-options = -p1
 configure-options =
   --enable-tcadb

component/kumo/kumofs-0.4.13_fix_gcc-4.9_ftbfs.patch

+--- kumofs-0.4.13/src/logic/gateway/mod_store.cc	2010-12-14 12:42:27.000000000 +0900
++++ kumofs-0.4.13/src/logic/gateway/mod_store.cc	2014-07-24 09:56:52.445251606 +0900
+@@ -262,19 +262,19 @@
+ #define GATEWAY_CATCH(NAME, response_type) \
+ catch (msgpack::type_error& e) { \
+ 	LOG_ERROR(#NAME " FAILED: type error"); \
+-	response_type res; \
+-	res.error = 1; \
+-	try { (*callback)(user, res, z); } catch (...) { } \
++	response_type r; \
++	r.error = 1; \
++	try { (*callback)(user, r, z); } catch (...) { } \
+ } catch (std::exception& e) { \
+ 	LOG_WARN(#NAME " FAILED: ",e.what()); \
+-	response_type res; \
+-	res.error = 1; \
+-	try { (*callback)(user, res, z); } catch (...) { } \
++	response_type r; \
++	r.error = 1; \
++	try { (*callback)(user, r, z); } catch (...) { } \
+ } catch (...) { \
+ 	LOG_WARN(#NAME " FAILED: unknown error"); \
+-	response_type res; \
+-	res.error = 1; \
+-	try { (*callback)(user, res, z); } catch (...) { } \
++	response_type r; \
++	r.error = 1; \
++	try { (*callback)(user, r, z); } catch (...) { } \
+ }
+ 
+ 

component/libtasn1/buildout.cfg

@@ -4,8 +4,8 @@ parts =
 
 [libtasn1]
 recipe = slapos.recipe.cmmi
-url = ftp://ftp.gnu.org/gnu/libtasn1/libtasn1-3.6.tar.gz
-md5sum = 6ed38e161e11013054f2a2bb4c4da449
+url = ftp://ftp.gnu.org/gnu/libtasn1/libtasn1-4.0.tar.gz
+md5sum = d3d2d9bce3b6668b9827a9df52635be1
 configure-options =
   --disable-static
   --disable-gtk-doc-html

component/libtiff/CVE-2012-4564.patch

+Index: tiff-4.0.3/tools/ppm2tiff.c
+===================================================================
+--- tiff-4.0.3.orig/tools/ppm2tiff.c	2013-06-23 10:36:50.779629492 -0400
++++ tiff-4.0.3/tools/ppm2tiff.c	2013-06-23 10:36:50.775629494 -0400
+@@ -89,6 +89,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);
++			}
++		}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);

component/libtiff/CVE-2013-1960.patch

+Index: tiff-4.0.3/tools/tiff2pdf.c
+===================================================================
+--- tiff-4.0.3.orig/tools/tiff2pdf.c	2013-06-23 10:36:50.979629486 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c	2013-06-23 10:36:50.975629486 -0400
+@@ -3341,33 +3341,56 @@
+ 	uint32 height){
+ 
+ 	tsize_t i=0;
+-	uint16 ri =0;
+-	uint16 v_samp=1;
+-	uint16 h_samp=1;
+-	int j=0;
+-	
+-	i++;
+-	
+-	while(i<(*striplength)){
++
++	while (i < *striplength) {
++		tsize_t datalen;
++		uint16 ri;
++		uint16 v_samp;
++		uint16 h_samp;
++		int j;
++		int ncomp;
++
++		/* marker header: one or more FFs */
++		if (strip[i] != 0xff)
++			return(0);
++		i++;
++		while (i < *striplength && strip[i] == 0xff)
++			i++;
++		if (i >= *striplength)
++			return(0);
++		/* SOI is the only pre-SOS marker without a length word */
++		if (strip[i] == 0xd8)
++			datalen = 0;
++		else {
++			if ((*striplength - i) <= 2)
++				return(0);
++			datalen = (strip[i+1] << 8) | strip[i+2];
++			if (datalen < 2 || datalen >= (*striplength - i))
++				return(0);
++		}
+ 		switch( strip[i] ){
+-			case 0xd8:
+-				/* SOI - start of image */
++			case 0xd8:	/* SOI - start of image */
+ 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ 				*bufferoffset+=2;
+-				i+=2;
+ 				break;
+-			case 0xc0:
+-			case 0xc1:
+-			case 0xc3:
+-			case 0xc9:
+-			case 0xca:
++			case 0xc0:	/* SOF0 */
++			case 0xc1:	/* SOF1 */
++			case 0xc3:	/* SOF3 */
++			case 0xc9:	/* SOF9 */
++			case 0xca:	/* SOF10 */
+ 				if(no==0){
+-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-					for(j=0;j<buffer[*bufferoffset+9];j++){
+-						if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
+-							h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+-						if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
+-							v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++					ncomp = buffer[*bufferoffset+9];
++					if (ncomp < 1 || ncomp > 4)
++						return(0);
++					v_samp=1;
++					h_samp=1;
++					for(j=0;j<ncomp;j++){
++						uint16 samp = buffer[*bufferoffset+11+(3*j)];
++						if( (samp>>4) > h_samp) 
++							h_samp = (samp>>4);
++						if( (samp & 0x0f) > v_samp) 
++							v_samp = (samp & 0x0f);
+ 					}
+ 					v_samp*=8;
+ 					h_samp*=8;
+@@ -3381,45 +3404,43 @@
+                                           (unsigned char) ((height>>8) & 0xff);
+ 					buffer[*bufferoffset+6]=
+                                             (unsigned char) (height & 0xff);
+-					*bufferoffset+=strip[i+2]+2;
+-					i+=strip[i+2]+2;
+-
++					*bufferoffset+=datalen+2;
++					/* insert a DRI marker */
+ 					buffer[(*bufferoffset)++]=0xff;
+ 					buffer[(*bufferoffset)++]=0xdd;
+ 					buffer[(*bufferoffset)++]=0x00;
+ 					buffer[(*bufferoffset)++]=0x04;
+ 					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ 					buffer[(*bufferoffset)++]= ri & 0xff;
+-				} else {
+-					i+=strip[i+2]+2;
+ 				}
+ 				break;
+-			case 0xc4:
+-			case 0xdb:
+-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-				*bufferoffset+=strip[i+2]+2;
+-				i+=strip[i+2]+2;
++			case 0xc4: /* DHT */
++			case 0xdb: /* DQT */
++				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++				*bufferoffset+=datalen+2;
+ 				break;
+-			case 0xda:
++			case 0xda: /* SOS */
+ 				if(no==0){
+-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-					*bufferoffset+=strip[i+2]+2;
+-					i+=strip[i+2]+2;
++					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++					*bufferoffset+=datalen+2;
+ 				} else {
+ 					buffer[(*bufferoffset)++]=0xff;
+ 					buffer[(*bufferoffset)++]=
+                                             (unsigned char)(0xd0 | ((no-1)%8));
+-					i+=strip[i+2]+2;
+ 				}
+-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+-				*bufferoffset+=(*striplength)-i-1;
++				i += datalen + 1;
++				/* copy remainder of strip */
++				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++				*bufferoffset+= *striplength - i;
+ 				return(1);
+ 			default:
+-				i+=strip[i+2]+2;
++				/* ignore any other marker */
++				break;
+ 		}
++		i += datalen + 1;
+ 	}
+-	
+ 
++	/* failed to find SOS marker */
+ 	return(0);
+ }
+ #endif

component/libtiff/CVE-2013-4231.patch

+Description: Buffer overflow in gif2tiff
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450
+Bug-Debian: http://bugs.debian.org/719303
+
+Index: tiff-4.0.3/tools/gif2tiff.c
+===================================================================
+--- tiff-4.0.3.orig/tools/gif2tiff.c	2013-08-22 11:46:11.960846910 -0400
++++ tiff-4.0.3/tools/gif2tiff.c	2013-08-22 11:46:11.956846910 -0400
+@@ -333,6 +333,8 @@
+     int status = 1;
+ 
+     datasize = getc(infile);
++    if (datasize > 12)
++	return 0;
+     clear = 1 << datasize;
+     eoi = clear + 1;
+     avail = clear + 2;

component/libtiff/CVE-2013-4232.patch

+Description: use after free in tiff2pdf
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449
+Bug-Debian: http://bugs.debian.org/719303
+
+Index: tiff-4.0.3/tools/tiff2pdf.c
+===================================================================
+--- tiff-4.0.3.orig/tools/tiff2pdf.c	2013-08-22 11:46:37.292847242 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c	2013-08-22 11:46:37.292847242 -0400
+@@ -2461,7 +2461,8 @@
+ 					(unsigned long) t2p->tiff_datasize, 
+ 					TIFFFileName(input));
+ 				t2p->t2p_error = T2P_ERR_ERROR;
+-			  _TIFFfree(buffer);
++				_TIFFfree(buffer);
++				return(0);
+ 			} else {
+ 				buffer=samplebuffer;
+ 				t2p->tiff_datasize *= t2p->tiff_samplesperpixel;

component/libtiff/CVE-2013-4244.patch

+Description: OOB write in gif2tiff
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468
+
+Index: tiff-4.0.3/tools/gif2tiff.c
+===================================================================
+--- tiff-4.0.3.orig/tools/gif2tiff.c	2013-08-24 11:17:13.546447901 -0400
++++ tiff-4.0.3/tools/gif2tiff.c	2013-08-24 11:17:13.546447901 -0400
+@@ -400,6 +400,10 @@
+     }
+ 
+     if (oldcode == -1) {
++        if (code >= clear) {
++            fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++            return 0;
++        }
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;

component/libtiff/buildout.cfg

@@ -12,6 +12,14 @@ recipe = slapos.recipe.cmmi
 version = 4.0.3
 url = http://www.imagemagick.org/download/delegates/tiff-${:version}.tar.gz
 md5sum = 051c1068e6a0627f461948c365290410
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/CVE-2012-4564.patch#45667ee618dbe78acce1129706556124
+  ${:_profile_base_location_}/CVE-2013-1960.patch#21a3d119cd3eeadd35ccc355fbd748cf
+  ${:_profile_base_location_}/CVE-2013-1961.patch#bb219740a815b9b47698b83d0ae9f82a
+  ${:_profile_base_location_}/CVE-2013-4231.patch#f6ff024c8df861a6dbb5a0ecd8a0f853
+  ${:_profile_base_location_}/CVE-2013-4232.patch#b439184b3a5f434a3e3235f611b54a89
+  ${:_profile_base_location_}/CVE-2013-4244.patch#2acff059c6156953aadb436b475e5acb
 configure-options =
   --disable-static
   --without-x

component/mariadb/buildout.cfg

@@ -18,9 +18,12 @@ parts =
   mariadb
 
 [mariadb]
+# mroonga-mariadb should be rebuilt when mariadb is rebuilt. to
+# achieve this, please modify 'revision' value below each time you
+# modify anything (but version) in [mariadb] target.
 recipe = slapos.recipe.cmmi
 version = 10.0.12
-revision = 1
+revision = 2
 url = https://downloads.mariadb.org/f/mariadb-${:version}/source/mariadb-${:version}.tar.gz/from/http:/ftp.osuosl.org/pub/mariadb
 md5sum = 6e9a7c075526f8f2f83ad8e0933bab2f
 # compile directory is required to build mysql plugins.
@@ -46,6 +49,7 @@ configure-options =
   -DCMAKE_C_FLAGS="-I${libaio:location}/include -I${libxml2:location}/include -I${ncurses:location}/include -I${openssl:location}/include -I${readline5:location}/include -I${zlib:location}/include"
   -DCMAKE_CXX_FLAGS="-I${libaio:location}/include -I${libxml2:location}/include -I${ncurses:location}/include -I${openssl:location}/include -I${readline5:location}/include -I${zlib:location}/include"
   -DCMAKE_INSTALL_RPATH=${libaio:location}/lib:${libxml2:location}/lib:${ncurses:location}/lib:${openssl:location}/lib:${readline5:location}/lib:${zlib:location}/lib
+  -DWITHOUT_TOKUDB=true
 environment =
   CMAKE_PROGRAM_PATH=${cmake:location}/bin
   CMAKE_INCLUDE_PATH=${libaio:location}/include:${libxml2:location}/include:${ncurses:location}/include:${openssl:location}/include:${readline5:location}/include:${zlib:location}/include
@@ -56,8 +60,8 @@ environment =
 # mroonga - a storage engine for MySQL. It provides fast fulltext search feature to all MySQL users.
 # http://mroonga.github.com/
 recipe = slapos.recipe.cmmi
-url = http://packages.groonga.org/source/mroonga/mroonga-4.03.tar.gz
-md5sum = 19ab2721d2d41c234e018a879f392990
+url = http://packages.groonga.org/source/mroonga/mroonga-4.04.tar.gz
+md5sum = a89987dad7b3e1d99014492e6135eec6
 configure-options =
   --with-mysql-source=${mariadb:location}__compile__/mariadb-${mariadb:version}
   --with-mysql-config=${mariadb:location}/bin/mysql_config

component/messagepack/buildout.cfg

@@ -3,7 +3,7 @@ parts = messagepack
 find-links = http://www.nexedi.org/static/packages/source/
 
 [messagepack]
-recipe = erp5.recipe.cmmiforcei686
+recipe = slapos.recipe.cmmi
 url = http://downloads.sourceforge.net/project/msgpack/msgpack/cpp/msgpack-0.5.4.tar.gz
 md5sum = 18d96a3178f7cad73c0ca44f6284ae7d
 configure-options =

component/openssl/buildout.cfg

@@ -16,8 +16,8 @@ parts =
 
 [openssl]
 recipe = slapos.recipe.cmmi
-url = https://www.openssl.org/source/openssl-1.0.1h.tar.gz
-md5sum = 8d6d684a9430d5cc98a62a5d8fbda8cf
+url = https://www.openssl.org/source/openssl-1.0.1i.tar.gz
+md5sum = c8dc151a671b9b92ff3e4c118b174972
 depends =
   ${ca-certificates:version}
 patch-binary = ${patch:location}/bin/patch

component/pil-python/buildout.cfg

@@ -11,7 +11,7 @@ parts =
 recipe = zc.recipe.egg:custom
 egg = PIL
 include-dirs =
-  ${freetype:location}/include
+  ${freetype:location}/include/freetype2
   ${libjpeg:location}/include
   ${zlib:location}/include
 library-dirs =

component/powerdns/buildout.cfg

+[buildout]
+extends =
+  ../autoconf/buildout.cfg
+  ../automake/buildout.cfg
+  ../bison/buildout.cfg
+  ../flex/buildout.cfg
+  ../gcc/buildout.cfg
+  ../git/buildout.cfg
+  ../boost-lib/buildout.cfg
+  ../libtool/buildout.cfg
+  ../make/buildout.cfg
+  ../mariadb/buildout.cfg
+  ../pkgconfig/buildout.cfg
+  ../ragel/buildout.cfg
+  ../zlib/buildout.cfg
+
+parts =
+  powerdns
+
+[powerdns]
+recipe = slapos.recipe.cmmi
+url = http://downloads.powerdns.com/releases/pdns-3.3.1.tar.gz
+md5sum = 074e2ff211fd12ecad25b5c1cc190dd4
+configure-options =
+  --prefix=${buildout:parts-directory}/${:_buildout_section_name_}
+  --with-modules="geo"
+  --with-dynmodules=""
+  --without-lua
+environment =
+  PATH=${make:location}/bin:${libtool:location}/bin:${pkgconfig:location}/bin:${bison:location}/bin:${flex:location}/bin:${git:location}/bin:${ragel:location}/bin:%(PATH)s
+  LDFLAGS = -L${boost-lib:location}/lib -Wl,-rpath=${boost-lib:location}/lib -L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib -lz
+  CPPFLAGS=-I${boost-lib:location}/include
+make-target =
+  install

component/python-2.7/buildout.cfg

@@ -39,6 +39,10 @@ prefix = ${buildout:parts-directory}/${:_buildout_section_name_}
 version = 2.7
 executable = ${:prefix}/bin/python${:version}
 
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/tls_sni.patch#c95af105e6e96aaa58a50137595872a0
+  ${:_profile_base_location_}/tls_sni_httplib.patch#5c9d00d23b85169df792a936a056cbcc
 url =
   http://python.org/ftp/python/${:package_version}/Python-${:package_version}${:package_version_suffix}.tar.xz
 configure-options =

component/python-2.7/tls_sni.patch

+Description: Support TLS SNI extension in ssl module
+Author: markk
+Bug-Python: http://bugs.python.org/issue5639
+
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -202,6 +202,7 @@
+     def __init__(self, sock, keyfile=None, certfile=None,
+                  server_side=False, cert_reqs=CERT_NONE,
+                  ssl_version=PROTOCOL_SSLv23, ca_certs=None,
++                 server_hostname=None,
+                  do_handshake_on_connect=True,
+                  suppress_ragged_eofs=True, ciphers=None):
+         # Can't use sock.type as other flags (such as SOCK_NONBLOCK) get
+@@ -238,6 +239,7 @@
+             self._sslobj = _ssl.sslwrap(self._sock, server_side,
+                                         keyfile, certfile,
+                                         cert_reqs, ssl_version, ca_certs,
++                                        server_hostname,
+                                         ciphers)
+             if do_handshake_on_connect:
+                 self.do_handshake()
+@@ -246,6 +248,7 @@
+         self.cert_reqs = cert_reqs
+         self.ssl_version = ssl_version
+         self.ca_certs = ca_certs
++        self.server_hostname = server_hostname
+         self.ciphers = ciphers
+         self.do_handshake_on_connect = do_handshake_on_connect
+         self.suppress_ragged_eofs = suppress_ragged_eofs
+@@ -411,7 +414,7 @@
+             raise ValueError("attempt to connect already-connected SSLSocket!")
+         self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
+                                     self.cert_reqs, self.ssl_version,
+-                                    self.ca_certs, self.ciphers)
++                                    self.ca_certs, self.server_hostname, self.ciphers)
+         try:
+             if return_errno:
+                 rc = socket.connect_ex(self, addr)
+@@ -452,6 +455,7 @@
+                               cert_reqs=self.cert_reqs,
+                               ssl_version=self.ssl_version,
+                               ca_certs=self.ca_certs,
++                              server_hostname=None,
+                               ciphers=self.ciphers,
+                               do_handshake_on_connect=self.do_handshake_on_connect,
+                               suppress_ragged_eofs=self.suppress_ragged_eofs),
+@@ -566,7 +570,7 @@
+         sock = sock._sock
+ 
+     ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE,
+-                            PROTOCOL_SSLv23, None)
++                            PROTOCOL_SSLv23, None, None, None)
+     try:
+         sock.getpeername()
+     except socket_error:
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -267,7 +267,7 @@
+                enum py_ssl_server_or_client socket_type,
+                enum py_ssl_cert_requirements certreq,
+                enum py_ssl_version proto_version,
+-               char *cacerts_file, char *ciphers)
++               char *cacerts_file, char *server_hostname, char *ciphers)
+ {
+     PySSLObject *self;
+     char *errstr = NULL;
+@@ -389,6 +389,14 @@
+ 
+     PySSL_BEGIN_ALLOW_THREADS
+     self->ssl = SSL_new(self->ctx); /* New ssl struct */
++#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
++    /* If SNI isn't supported, we just don't call it and fail silently,
++     * as there's not much else we can do.
++     */
++    if ((socket_type == PY_SSL_CLIENT) &&
++             (proto_version != PY_SSL_VERSION_SSL2) && server_hostname)
++        SSL_set_tlsext_host_name(self->ssl, server_hostname);
++#endif
+     PySSL_END_ALLOW_THREADS
+     SSL_set_fd(self->ssl, Sock->sock_fd);       /* Set the socket for SSL */
+ #ifdef SSL_MODE_AUTO_RETRY
+@@ -431,15 +439,16 @@
+     char *key_file = NULL;
+     char *cert_file = NULL;
+     char *cacerts_file = NULL;
++    char *server_hostname = NULL;
+     char *ciphers = NULL;
+ 
+-    if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
++    if (!PyArg_ParseTuple(args, "O!i|zziizzz:sslwrap",
+                           PySocketModule.Sock_Type,
+                           &Sock,
+                           &server_side,
+                           &key_file, &cert_file,
+                           &verification_mode, &protocol,
+-                          &cacerts_file, &ciphers))
++                          &cacerts_file, &server_hostname, &ciphers))
+         return NULL;
+ 
+     /*
+@@ -452,13 +461,13 @@
+ 
+     return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
+                                        server_side, verification_mode,
+-                                       protocol, cacerts_file,
++                                       protocol, cacerts_file, server_hostname,
+                                        ciphers);
+ }
+ 
+ PyDoc_STRVAR(ssl_doc,
+ "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
+-"                              cacertsfile, ciphers]) -> sslobject");
++"                              cacertsfile, ciphers, server_hostname]) -> sslobject");
+ 
+ /* SSL object methods */
+ 

component/python-2.7/tls_sni_httplib.patch

+Author: Arnaud Fontaine <arnaud.fontaine@nexedi.com>
+Description: Enable TLS SNI support for httplib
+
+--- a/Lib/httplib.py	2014-07-31 14:50:21.178088529 +0900
++++ b/Lib/httplib.py	2014-07-31 20:11:09.279081382 +0900
+@@ -1195,7 +1195,12 @@
+             if self._tunnel_host:
+                 self.sock = sock
+                 self._tunnel()
+-            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
++                server_hostname = self._tunnel_host
++            else:
++                server_hostname = self.host
++
++            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
++                                        server_hostname=server_hostname)
+ 
+     __all__.append("HTTPSConnection")
+ 
+--- a/Lib/ssl.py	2014-07-31 19:33:21.911968158 +0900
++++ b/Lib/ssl.py	2014-07-31 19:33:57.428391985 +0900
+@@ -481,14 +481,15 @@
+                 server_side=False, cert_reqs=CERT_NONE,
+                 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
+                 do_handshake_on_connect=True,
+-                suppress_ragged_eofs=True, ciphers=None):
++                suppress_ragged_eofs=True, ciphers=None,
++                server_hostname=None):
+ 
+     return SSLSocket(sock, keyfile=keyfile, certfile=certfile,
+                      server_side=server_side, cert_reqs=cert_reqs,
+                      ssl_version=ssl_version, ca_certs=ca_certs,
+                      do_handshake_on_connect=do_handshake_on_connect,
+                      suppress_ragged_eofs=suppress_ragged_eofs,
+-                     ciphers=ciphers)
++                     ciphers=ciphers, server_hostname=server_hostname)
+ 
+ 
+ # some utility functions

component/ragel/buildout.cfg

+[buildout]
+extends =
+  ../../component/gcc/buildout.cfg
+  ../../component/make/buildout.cfg
+
+parts =
+  ragel
+
+[ragel]
+recipe = slapos.recipe.cmmi
+url = http://www.complang.org/ragel/ragel-6.8.tar.gz
+md5sum = 1bb39745ac23da449019f9f2cb4b0d01
+configure-options =
+  --prefix=${buildout:parts-directory}/${:_buildout_section_name_}
+environment =
+  PATH=${make:location}/bin:%(PATH)s
+make-target =
+  
+  install

component/stunnel/buildout.cfg

@@ -6,8 +6,8 @@ parts =
 
 [stunnel]
 recipe = slapos.recipe.cmmi
-url = https://www.stunnel.org/downloads/stunnel-5.01.tar.gz
-md5sum = 7b63266b6fa05da696729e245100da65
+url = https://www.stunnel.org/downloads/stunnel-5.02.tar.gz
+md5sum = bb48b1c18cfc0a42708ef996b1a26926
 configure-options =
   --enable-ipv6
   --disable-libwrap

component/xorg/buildout.cfg

@@ -115,8 +115,8 @@ environment =
 
 [libXext]
 recipe = slapos.recipe.cmmi
-url = http://www.x.org/releases/X11R7.7/src/everything/libXext-1.3.1.tar.bz2
-md5sum = 71251a22bc47068d60a95f50ed2ec3cf
+url = http://ftp.x.org/pub/individual/lib/libXext-1.3.3.tar.bz2
+md5sum = 52df7c4c1f0badd9f82ab124fb32eb97
 pkg_config_depends = ${libX11:location}/lib/pkgconfig:${libX11:pkg_config_depends}
 environment =
   PKG_CONFIG_PATH=${:pkg_config_depends}
@@ -149,8 +149,8 @@ environment =
 
 [libX11]
 recipe = slapos.recipe.cmmi
-url = http://www.x.org/releases/X11R7.7/src/everything/libX11-1.5.0.tar.bz2
-md5sum = 78b4b3bab4acbdf0abcfca30a8c70cc6
+url = http://ftp.x.org/pub/individual/lib/libX11-1.6.2.tar.bz2
+md5sum = c35d6ad95b06635a524579e88622fdb5
 pkg_config_depends = ${inputproto:location}/lib/pkgconfig:${kbproto:location}/lib/pkgconfig:${libXau:location}/lib/pkgconfig:${libxcb:location}/lib/pkgconfig:${xextproto:location}/lib/pkgconfig:${xorg-libpthread-stubs:location}/lib/pkgconfig:${xorg-util-macros:location}/share/pkgconfig:${xproto:location}/lib/pkgconfig:${xtrans:location}/share/pkgconfig
 configure-options =
   --disable-static

setup.py

@@ -127,6 +127,7 @@ setup(name=name,
           'ipv4toipv6 = slapos.recipe.6tunnel:FourToSix',
           'ipv6toipv4 = slapos.recipe.6tunnel:SixToFour',
           'java = slapos.recipe.java:Recipe',
+          'jsondump = slapos.recipe.jsondump:Recipe',
           'kumofs = slapos.recipe.kumofs:Recipe',
           'kvm = slapos.recipe.kvm:Recipe',
           'kvm.frontend = slapos.recipe.kvm_frontend:Recipe',
@@ -180,6 +181,7 @@ setup(name=name,
           'siptester = slapos.recipe.siptester:SipTesterRecipe',
           'slapconfiguration = slapos.recipe.slapconfiguration:Recipe',
           'slapconfiguration.serialised = slapos.recipe.slapconfiguration:Serialised',
+          'slapconfiguration.jsondump = slapos.recipe.slapconfiguration:JsonDump',
           'slapcontainer = slapos.recipe.container:Recipe',
           'slapmonitor = slapos.recipe.slapmonitor:MonitorRecipe',
           'slapmonitor-xml = slapos.recipe.slapmonitor:MonitorXMLRecipe',

slapos/recipe/erp5testnode/template/erp5testnode.cfg.in

@@ -21,9 +21,7 @@ server_url = %(server_url)s
 
 # Binaries
 git_binary = %(git_binary)s
-slapgrid_partition_binary = %(slapgrid_partition_binary)s
-slapgrid_software_binary = %(slapgrid_software_binary)s
-slapproxy_binary = %(slapproxy_binary)s
+slapos_binary = %(slapos_binary)s
 zip_binary = %(zip_binary)s
 
 [environment]

slapos/recipe/jsondump.py

+
+from slapos.recipe.librecipe import GenericBaseRecipe
+
+import json
+import os
+
+class Recipe(GenericBaseRecipe):
+
+    def install(self):
+        parameter_dict = {
+            key: value
+            for key, value in self.options.items()
+            if key not in ['json-output', 'recipe']
+        }
+
+        with os.fdopen(os.open(self.options['json-output'], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as fout:
+            fout.write(json.dumps(parameter_dict, indent=2, sort_keys=True))
+
+        return [self.options['json-output']]
+
+    update = install
+

slapos/recipe/slapconfiguration.py

@@ -24,6 +24,10 @@
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 #
 ##############################################################################
+
+import json
+import os
+
 import slapos.slap
 from slapos.recipe.librecipe import unwrap
 from ConfigParser import RawConfigParser
@@ -87,6 +91,15 @@ class Recipe(object):
   OPTCRE_match = RawConfigParser.OPTCRE.match
 
   def __init__(self, buildout, name, options):
+      parameter_dict = self.fetch_parameter_dict(options)
+
+      match = self.OPTCRE_match
+      for key, value in parameter_dict.iteritems():
+          if match(key) is not None:
+              continue
+          options['configuration.' + key] = value
+
+  def fetch_parameter_dict(self, options):
       slap = slapos.slap.slap()
       slap.initializeConnection(
           options['url'],
@@ -138,12 +151,7 @@ class Recipe(object):
           options['ipv6-random'] = list(ipv6_set)[0].encode('UTF-8')
 
       options['tap'] = tap_set
-      parameter_dict = self._expandParameterDict(options, parameter_dict)
-      match = self.OPTCRE_match
-      for key, value in parameter_dict.iteritems():
-          if match(key) is not None:
-              continue
-          options['configuration.' + key] = value
+      return self._expandParameterDict(options, parameter_dict)
 
   def _expandParameterDict(self, options, parameter_dict):
       options['configuration'] = parameter_dict
@@ -158,3 +166,16 @@ class Serialised(Recipe):
           return parameter_dict
       else:
           return {}
+
+class JsonDump(Recipe):
+  def __init__(self, buildout, name, options):
+    parameter_dict = self.fetch_parameter_dict(options)
+    self._json_output = options['json-output']
+    with os.fdopen(os.open(self._json_output, os.O_WRONLY | os.O_CREAT, 0600), 'w') as fout:
+      fout.write(json.dumps(parameter_dict, indent=2, sort_keys=True))
+
+    def install(self):
+        return [self._json_output]
+
+    update = install
+

software/apache-frontend/README.apache_frontend.txt

@@ -25,6 +25,7 @@ These parameters are :
   * "-frontend-type" : the type to deploy frontends with. (default to 2)
   * "-frontend-quantity" : The quantity of frontends to request (default to "default")
   * "-frontend-i-state": The state of frontend i
+  * "-frontend-config-i-foo": Frontend i will be requested with parameter foo
   * "-frontend-software-release-url": Software release to be used for frontends, default to the current software release
   * "-sla-i-foo" : where "i" is the number of the concerned frontend (between 1 and "-frontend-quantity") and "foo" a sla parameter.
 ex:
@@ -38,6 +39,12 @@ will request the third frontend on COMP-1234. All frontends will be of software
 Note: the way slaves are transformed to a parameter avoid modifying more than 3 lines in the frontend logic.
 Important NOTE: The way you ask for slave to a replicate frontend is the same as the one you would use for the software given in "-frontend-quantity". Do not forget to use "replicate" for software type. XXXXX So far it is not possible to do a simple request on a replicate frontend if you do not know the software_guid or other sla-parameter of the master instance. In fact we do not know yet the software type of the "requested" frontends. TO BE IMPLEMENTED
 
+XXX Should be moved to specific JSON File
+Extra-parameter per frontend with default :
+ram-cache-size = 1G
+disk-cache-size = 8G
+
+
 How to deploy a frontend server
 ===============================
 

software/apache-frontend/common.cfg

@@ -67,20 +67,20 @@ mode = 0644
 [template-apache-frontend]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-apache-frontend.cfg
-md5sum = 5388e77d520135b7491f1aeddac5f4e0
+md5sum = 53de57ef78345cedd3c715a105539ca3
 output = ${buildout:directory}/template-apache-frontend.cfg
 mode = 0644
 
 [template-apache-replicate]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in
-md5sum = 8ec70e6276daaed240faa5059514929c
+md5sum = da22cc3b2095766c5e14b29afab2b760
 mode = 0644
 
 [template-slave-list]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/apache-custom-slave-list.cfg.in
-md5sum = c896e60c95ca387a75a163d817155d98
+md5sum = bae669cdc917c68186a387903478a53d
 mode = 640
 
 [template-slave-configuration]
@@ -98,7 +98,7 @@ mode = 640
 [template-apache-frontend-configuration]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/apache.conf.in
-md5sum = 72922908c1f4e72c92bb03e072660c7c
+md5sum = ce88924c53f09c9a3ef12ec4d8a8ad16
 mode = 640
 
 [template-apache-cached-configuration]
@@ -160,7 +160,7 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
 [template-trafficserver-records-config]
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
-md5sum = 950a19be225a25309a3bda3f61fb5f6a
+md5sum = a892d3e71988a8293e44382cbf10810f
 location = ${buildout:parts-directory}/${:_buildout_section_name_}
 filename = records.config.jinja2
 download-only = true

software/apache-frontend/instance-apache-frontend.cfg

@@ -118,8 +118,10 @@ configuration.apache_custom_https = ""
 configuration.apache_custom_http = ""
 configuration.apache-key =
 configuration.apache-certificate =
+configuration.apache-ca-certificate =
 configuration.open-port = 80 443
 configuration.extra_slave_instance_list =
+configuration.disk-cache-size = 8G
 
 [frontend-configuration]
 template-log-access = ${template-log-access:target}
@@ -175,7 +177,7 @@ extra-context =
     section logrotate_dict logrotate
     section frontend_configuration frontend-configuration
     section apache_configuration apache-configuration
-    section connection_information_dict publish-connection-informations
+    key monitor_url monitor-parameters:url
 
 [dynamic-custom-group-template-slave-list]
 < = jinja2-template-base
@@ -255,6 +257,7 @@ extra-context =
     key access_control_string apache-configuration:access-control-string
     key login_certificate ca-frontend:cert-file
     key login_key ca-frontend:key-file
+    key login_ca_crt ca-custom-frontend:rendered
     key ca_dir  certificate-authority:ca-dir
     key ca_crl certificate-authority:ca-crl
     key access_log apache-configuration:access-log
@@ -379,6 +382,13 @@ cert-content = $${instance-parameter:configuration.apache-certificate}
 # Put domain name
 name = $${instance-parameter:configuration.domain}
 
+[ca-custom-frontend]
+< = jinja2-template-base
+template = ${template-empty:target}
+rendered = $${cadirectory:certs}/apache_frontend.ca.crt
+extra-context =
+    key content instance-parameter:configuration.apache-ca-certificate
+
 [cron]
 recipe = slapos.cookbook:cron
 dcrond-binary = ${dcron:location}/sbin/crond
@@ -456,7 +466,7 @@ local-ip = $${instance-parameter:ipv4-random}
 input-port = 23432
 hostname = $${slap-parameter:frontend-name}
 remap = map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
-disk-cache-config = $${trafficserver-directory:cache-path} 8G volume=$${slap-parameter:frontend-name}
+disk-cache-config = $${trafficserver-directory:cache-path} $${instance-parameter:configuration.disk-cache-size} volume=$${slap-parameter:frontend-name}
 plugin-config = ${trafficserver:location}/libexec/trafficserver/rfc5861.so
 
 [trafficserver-configuration-directory]
@@ -481,7 +491,7 @@ environment = TS_ROOT=$${buildout:directory}
 template = ${template-trafficserver-records-config:location}/${template-trafficserver-records-config:filename}
 rendered = $${trafficserver-directory:configuration}/records.config
 mode = 700
-context =
+extra-context =
     import os_module os
     section ats_directory trafficserver-directory
     section ats_configuration trafficserver-variable

software/apache-frontend/templates/apache-custom-slave-list.cfg.in

@@ -189,7 +189,7 @@ extra-context =
     raw http_port {{ http_port }}
 {{ '\n' }}
 
-{%     do slave_publish_dict.update(**{'slave-reference':slave_instance.get('slave_reference'), 'public-ipv4':public_ipv4, 'domain':slave_instance.get('custom_domain'), 'url':"http://%s" % slave_instance.get('custom_domain'), 'site_url':"http://%s" % slave_instance.get('custom_domain')}) %}
+{%     do slave_publish_dict.update(**{'slave-reference':slave_instance.get('slave_reference'), 'public-ipv4':public_ipv4, 'domain':slave_instance.get('custom_domain'), 'url':"http://%s" % slave_instance.get('custom_domain'), 'site_url':"http://%s" % slave_instance.get('custom_domain'), 'secure_access': 'https://%s' % slave_instance.get('custom_domain')}) %}
 
 {%   endif -%}
 
@@ -237,10 +237,7 @@ private-ipv4 = {{ local_ipv4 }}
 {% if extra_slave_instance_list -%}
 slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list) }}
 {% endif -%}
-{% do connection_information_dict.pop('recipe') %}
-{% for key, value in connection_information_dict.iteritems() -%}
-{{ key }} = {{ value }}
-{% endfor %}
+monitor_url = {{ monitor_url }}
 
 {% do part_list.append('cached-rewrite-rules') -%}
 [cached-rewrite-rules]

software/erp5testnode/instance-default.cfg

@@ -41,9 +41,7 @@ test-suite-master-url = $${slap-parameter:test-suite-master-url}
 instance-dict = $${slap-parameter:instance-dict}
 software-path-list = $${slap-parameter:software-path-list}
 git-binary = ${git:location}/bin/git
-slapgrid-partition-binary = ${buildout:bin-directory}/slapgrid-cp
-slapgrid-software-binary = ${buildout:bin-directory}/slapgrid-sr
-slapproxy-binary = ${buildout:bin-directory}/slapproxy
+slapos-binary = ${buildout:bin-directory}/slapos
 testnode = ${buildout:bin-directory}/testnode
 zip-binary = ${zip:location}/bin/zip
 httpd-pid-file = $${basedirectory:run}/httpd.pid