Upgrade to Ruby 3.3.8.

- CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion
  Resolves: rhbz#2345556
- CVE-2025-27219: Denial of Service in CGI::Cookie.parse
  Resolves: rhbz#2357516
- CVE-2025-27221: userinfo leakage in URI#join, URI#merge and URI#+

rpm_test_helper.rb

@@ -0,0 +1,166 @@
+require 'tmpdir'
+require 'tempfile'
+require 'fileutils'
+# Available in Ruby upstream sources under tool/lib/envutil.rb
+# Required for finding and setting up the built ruby binary.
+require 'envutil'
+
+module RPMTestHelper
+  def setup
+    @tmpdir = Dir.mktmpdir
+    @tempfiles = []
+  end
+
+  def teardown
+    @tempfiles.each do |file|
+      file.close
+      file.unlink
+    end
+
+    FileUtils.rmtree(@tmpdir)
+  end
+
+  GENERATOR_SCRIPT = ENV['GENERATOR_SCRIPT'].clone.freeze
+  if GENERATOR_SCRIPT.nil? || GENERATOR_SCRIPT == ''
+    raise "GENERATOR_SCRIPT is not specified." \
+      "Specify the ENV variable with absolute path to the generator."
+  end
+
+  Dependency = Struct.new('Dependency', :name, :requirements) do
+    def to_rpm_str
+      "rubygem(#{self.name})"
+    end
+  end
+
+  def make_gemspec(gem_info)
+    file = Tempfile.new('req_gemspec', @tmpdir)
+    # Fake gemspec with enough to pass most checks
+    # Rubygems uses to validate the format.
+    gemspec_contents = <<~EOF
+      # -*- encoding: utf-8 -*-
+      # stub: #{gem_info.name} #{gem_info.version} ruby lib
+
+      Gem::Specification.new do |s|
+        s.name = "#{gem_info.name}".freeze
+        s.version = "#{gem_info.version}"
+
+        s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
+        s.require_paths = ["lib".freeze]
+        s.authors = ["John Doe".freeze]
+        s.bindir = "bin".freeze
+        s.date = "2023-12-15"
+        s.description = "Fake gemspec helper for testing Rubygem Generators".freeze
+        s.email = ["example@example.com".freeze]
+        s.files = ["LICENSE.txt".freeze, "lib/#{gem_info.name}.rb".freeze, "#{gem_info.name}.gemspec".freeze]
+        s.homepage = "https://pkgs.fedoraproject.org/rpms/ruby".freeze
+        s.licenses = ["MIT".freeze]
+        s.required_ruby_version = Gem::Requirement.new(">= 2.5.0".freeze)
+        s.rubygems_version = "3.3.5".freeze
+        s.summary = "Fake gemspec for testing Rubygem Generators".freeze
+
+        if s.respond_to? :specification_version then
+          s.specification_version = 4
+        end
+
+        if s.respond_to? :add_runtime_dependency then
+          #{gem_info.gemspec_runtime_dep_str}
+        else
+          #{gem_info.gemspec_dep_str}
+        end
+      end
+    EOF
+
+    file.write gemspec_contents
+    file.rewind
+    @tempfiles << file
+    file
+  end
+
+  # Caller is expected to close subprocess stdin via #close_write
+  # in order to let subprocess proceed if the process is reading
+  # from STDIN in a loop.
+  def rb_subprocess(*args)
+    args = [GENERATOR_SCRIPT] if args.empty?
+    ruby = EnvUtil.rubybin
+    f = IO.popen([ruby] + args, 'r+') #, external_encoding: external_encoding)
+    yield(f)
+  ensure
+    f.close unless !f || f.closed?
+  end
+
+  def run_generator_single_file(gem_info)
+    lines = []
+    gemspec_f = make_gemspec(gem_info)
+
+    rb_subprocess do |io|
+      io.write gemspec_f.path
+      io.close_write
+      lines = io.readlines
+    end
+
+    lines
+  end
+
+  def helper_rubygems_dependency
+    "ruby(rubygems)"
+  end
+
+  class GemInfo
+    attr_accessor :name, :version, :dependencies
+
+    def initialize(name: 'foo', version: '1.2.3', dependencies: [])
+      @name = name
+      @version = version
+      @dependencies = dependencies
+    end
+
+    def dependencies=(other)
+      raise ArgumentError, "#{self.class.name}##{__method__.to_s}: Expected array of `Dependency' elements" \
+        unless other.is_a?(Array) && other.all? { |elem| elem.respond_to?(:name) && elem.respond_to?(:requirements) }
+
+      @dependencies = other
+    end
+
+    def to_rpm_str
+      "rubygem(#{self.name})"
+    end
+
+    def gemspec_dep_str
+      return '' if self.dependencies.nil? || self.dependencies.empty?
+      @dependencies.inject("") do |memo, dep|
+        memo += if dep.requirements && !dep.requirements.empty?
+                  %Q|s.add_dependency(%q<#{dep.name}>.freeze, #{handle_dep_requirements(dep.requirements)})|
+                else
+                  %Q|s.add_dependency(%q<#{dep.name}>.freeze)|
+                end
+
+        memo += "\n"
+      end
+    end
+
+    def gemspec_runtime_dep_str
+      return '' if self.dependencies.nil? || self.dependencies.empty?
+
+      @dependencies.inject("") do |memo, dep|
+        memo += if dep.requirements && !dep.requirements.empty?
+                  %Q|s.add_runtime_dependency(%q<#{dep.name}>.freeze, #{handle_dep_requirements(dep.requirements)})|
+                else
+                  %Q|s.add_runtime_dependency(%q<#{dep.name}>.freeze)|
+                end
+
+        memo += "\n"
+      end
+    end
+
+    private
+
+    def handle_dep_requirements(reqs)
+      raise ArgumentError, "#{self.class.name}##{__method__.to_s}: Reqs must be an array." \
+        unless reqs.is_a? Array
+      raise ArgumentError, "#{self.class.name}##{__method__.to_s}: Reqs must not be empty for this method." \
+        if reqs.empty?
+
+      '[ "' + reqs.join('", "') + '" ]'
+    end
+  end
+end

ruby-2.1.0-Enable-configuration-of-archlibdir.patch

@@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index d261ea57b5..3c13076b82 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3470,6 +3470,11 @@ AS_IF([test ${multiarch+set}], [
+@@ -3482,6 +3482,11 @@ AS_IF([test ${multiarch+set}], [
  ])
  
  archlibdir='${libdir}/${arch}'

ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch

@@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
 index c42436c23d..d261ea57b5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4309,7 +4309,8 @@ AS_CASE(["$ruby_version_dir_name"],
+@@ -4321,7 +4321,8 @@ AS_CASE(["$ruby_version_dir_name"],
  ruby_version_dir=/'${ruby_version_dir_name}'
  
  if test -z "${ruby_version_dir_name}"; then

ruby-2.1.0-always-use-i386.patch

@@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index 3c13076b82..93af30321d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4373,6 +4373,8 @@ AC_SUBST(vendorarchdir)dnl
+@@ -4385,6 +4385,8 @@ AC_SUBST(vendorarchdir)dnl
  AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
  AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
  

ruby-2.1.0-custom-rubygems-location.patch

@@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
 index 93af30321d..bc13397e0e 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4345,6 +4345,10 @@ AC_ARG_WITH(vendorarchdir,
+@@ -4357,6 +4357,10 @@ AC_ARG_WITH(vendorarchdir,
              [vendorarchdir=$withval],
              [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
  
@@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
      RUBY_EXEC_PREFIX=''
-@@ -4369,6 +4373,7 @@ AC_SUBST(sitearchdir)dnl
+@@ -4381,6 +4385,7 @@ AC_SUBST(sitearchdir)dnl
  AC_SUBST(vendordir)dnl
  AC_SUBST(vendorlibdir)dnl
  AC_SUBST(vendorarchdir)dnl

ruby-2.3.0-ruby_version.patch

@@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
 index 80b137e380..63cd3b4f8b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4259,9 +4259,6 @@ AS_CASE(["$target_os"],
+@@ -4271,9 +4271,6 @@ AS_CASE(["$target_os"],
      rubyw_install_name='$(RUBYW_INSTALL_NAME)'
      ])
  
@@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
  rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
  AC_ARG_WITH(rubyarchprefix,
  	    AS_HELP_STRING([--with-rubyarchprefix=DIR],
-@@ -4284,57 +4281,63 @@ AC_ARG_WITH(ridir,
+@@ -4296,57 +4293,63 @@ AC_ARG_WITH(ridir,
  AC_SUBST(ridir)
  AC_SUBST(RI_BASE_NAME)
  
@@ -122,7 +122,7 @@ index 80b137e380..63cd3b4f8b 100644
  
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
-@@ -4351,6 +4354,7 @@ AC_SUBST(sitearchincludedir)dnl
+@@ -4363,6 +4366,7 @@ AC_SUBST(sitearchincludedir)dnl
  AC_SUBST(arch)dnl
  AC_SUBST(sitearch)dnl
  AC_SUBST(ruby_version)dnl
@@ -227,7 +227,7 @@ diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb
 index b25068405d..e9fef4a311 100644
 --- a/test/rubygems/test_gem.rb
 +++ b/test/rubygems/test_gem.rb
-@@ -1351,7 +1351,8 @@ def test_self_use_paths
+@@ -1365,7 +1365,8 @@ def test_self_use_paths
  
    def test_self_user_dir
      parts = [@userhome, ".gem", Gem.ruby_engine]
@@ -237,7 +237,7 @@ index b25068405d..e9fef4a311 100644
  
      FileUtils.mkdir_p File.join(parts)
  
-@@ -1427,7 +1428,7 @@ def test_self_vendor_dir
+@@ -1441,7 +1442,7 @@ def test_self_vendor_dir
      vendordir(File.join(@tempdir, "vendor")) do
        expected =
          File.join RbConfig::CONFIG["vendordir"], "gems",
@@ -262,7 +262,7 @@ diff --git a/configure.ac b/configure.ac
 index a00f2b6776..999e2d6d5d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -135,7 +135,7 @@ RUBY_BASE_NAME=`echo ruby | sed "$program_transform_name"`
+@@ -136,7 +136,7 @@ RUBY_BASE_NAME=`echo ruby | sed "$program_transform_name"`
  RUBYW_BASE_NAME=`echo rubyw | sed "$program_transform_name"`
  AC_SUBST(RUBY_BASE_NAME)
  AC_SUBST(RUBYW_BASE_NAME)

ruby-3.3.0-Revert-Optimize-allocations-in-Hash-compare_by_identity.patch

@@ -1,92 +0,0 @@
-From 8944a064d0fd7947b8c2b6c761be3e3a0c9073af Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
-Date: Fri, 22 Dec 2023 14:16:48 +0100
-Subject: [PATCH 1/2] Revert "compare_by_identity: remove alloc for non-empty
- Hash"
-
-This reverts commit 11fa76b1b521072c200c78ea023960221ff426d6.
----
- hash.c | 13 ++++---------
- 1 file changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/hash.c b/hash.c
-index 78e9d9a2d6..f6525ba4a5 100644
---- a/hash.c
-+++ b/hash.c
-@@ -4377,16 +4377,13 @@ rb_hash_compare_by_id(VALUE hash)
-     if (hash_iterating_p(hash)) {
-         rb_raise(rb_eRuntimeError, "compare_by_identity during iteration");
-     }
-+    ar_force_convert_table(hash, __FILE__, __LINE__);
-+    HASH_ASSERT(RHASH_ST_TABLE_P(hash));
- 
-     if (RHASH_TABLE_EMPTY_P(hash)) {
-         // Fast path: There's nothing to rehash, so we don't need a `tmp` table.
--        // We're most likely an AR table, so this will need an allocation.
--        ar_force_convert_table(hash, __FILE__, __LINE__);
--        HASH_ASSERT(RHASH_ST_TABLE_P(hash));
--
-         RHASH_ST_TABLE(hash)->type = &identhash;
--    }
--    else {
-+    } else {
-         // Slow path: Need to rehash the members of `self` into a new
-         // `tmp` table using the new `identhash` compare/hash functions.
-         tmp = hash_alloc(0);
-@@ -4394,10 +4391,8 @@ rb_hash_compare_by_id(VALUE hash)
-         identtable = RHASH_ST_TABLE(tmp);
- 
-         rb_hash_foreach(hash, rb_hash_rehash_i, (VALUE)tmp);
--        rb_hash_free(hash);
- 
--        // We know for sure `identtable` is an st table,
--        // so we can skip `ar_force_convert_table` here.
-+        rb_hash_free(hash);
-         RHASH_ST_TABLE_SET(hash, identtable);
-         RHASH_ST_CLEAR(tmp);
-     }
-
-From f5c415300ffe63e41e46c6b88b8634a3bad0c7c2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
-Date: Fri, 22 Dec 2023 14:17:14 +0100
-Subject: [PATCH 2/2] Revert "compare_by_identity: remove alloc for empty Hash"
-
-This reverts commit b5c6c0122f5b010cb5f43e7a236c4ba2b1d56a2a.
----
- hash.c | 21 +++++++--------------
- 1 file changed, 7 insertions(+), 14 deletions(-)
-
-diff --git a/hash.c b/hash.c
-index f6525ba4a5..cf83675c70 100644
---- a/hash.c
-+++ b/hash.c
-@@ -4380,22 +4380,15 @@ rb_hash_compare_by_id(VALUE hash)
-     ar_force_convert_table(hash, __FILE__, __LINE__);
-     HASH_ASSERT(RHASH_ST_TABLE_P(hash));
- 
--    if (RHASH_TABLE_EMPTY_P(hash)) {
--        // Fast path: There's nothing to rehash, so we don't need a `tmp` table.
--        RHASH_ST_TABLE(hash)->type = &identhash;
--    } else {
--        // Slow path: Need to rehash the members of `self` into a new
--        // `tmp` table using the new `identhash` compare/hash functions.
--        tmp = hash_alloc(0);
--        hash_st_table_init(tmp, &identhash, RHASH_SIZE(hash));
--        identtable = RHASH_ST_TABLE(tmp);
-+    tmp = hash_alloc(0);
-+    hash_st_table_init(tmp, &identhash, RHASH_SIZE(hash));
-+    identtable = RHASH_ST_TABLE(tmp);
- 
--        rb_hash_foreach(hash, rb_hash_rehash_i, (VALUE)tmp);
-+    rb_hash_foreach(hash, rb_hash_rehash_i, (VALUE)tmp);
- 
--        rb_hash_free(hash);
--        RHASH_ST_TABLE_SET(hash, identtable);
--        RHASH_ST_CLEAR(tmp);
--    }
-+    rb_hash_free(hash);
-+    RHASH_ST_TABLE_SET(hash, identtable);
-+    RHASH_ST_CLEAR(tmp);
- 
-     return hash;
- }

ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch

@@ -0,0 +1,302 @@
+From 3d405634f43d39079ee93cdc59ed7fc0a5e8917a Mon Sep 17 00:00:00 2001
+From: KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>
+Date: Sun, 9 Jun 2024 21:15:39 +1000
+Subject: [PATCH] Extract hardening CFLAGS to a special $hardenflags variable
+
+This changes the automatic detection of -fstack-protector,
+-D_FORTIFY_SOURCE, and -mbranch-protection to write to $hardenflags
+instead of $XCFLAGS. The definition of $cflags is changed to
+"$hardenflags $orig_cflags $optflags $debugflags $warnflags" to match.
+
+Furthermore, these flags are _prepended_ to $hardenflags, rather than
+appended.
+
+The implications of doing this are as follows:
+
+* If a CRuby builder specifies cflags="-mbranch-protection=foobar" at
+  the ./configure script, and the configure script detects that
+  -mbranch-protection=pac-ret is accepted, then GCC will be invoked as
+  "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". Since
+  the last flags take precedence, that means that user-supplied values
+  of these flags in $cflags will take priority.
+* Likewise, if a CRuby builder explicitly specifies
+  "hardenflags=-mbranch-protection=foobar", because we _prepend_ to
+  $hardenflags in our autoconf script, we will still invoke GCC as
+  "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar".
+* If a CRuby builder specifies CFLAGS="..." at the configure line,
+  automatic detection of hardening flags is ignored as before.
+* C extensions will _also_ be built with hardening flags now as well
+  (this was not the case by default before because the detected flags
+  went into $XCFLAGS).
+
+Additionally, as part of this work, I changed how the detection of
+PAC/BTI in Context.S works. Rather than appending the autodetected
+option to ASFLAGS, we simply compile a set of test programs with the
+actual CFLAGS in use to determine what PAC/BTI settings were actually
+chosen by the builder. Context.S is made aware of these choices through
+some custom macros.
+
+The result of this work is that:
+
+* Ruby will continue to choose some sensible defaults for hardening
+  options for the C compiler
+* Distributors are able to specify CFLAGS that are consistent with their
+  distribution and override these defaults
+* Context.S will react to whatever -mbranch-protection is actually in
+  use, not what was autodetected
+* Extensions get built with hardening flags too.
+
+[Bug #20154]
+[Bug #20520]
+---
+ configure.ac                  | 81 ++++++++++++++++++++++++++++++-----
+ coroutine/arm64/Context.S     | 14 +++---
+ template/Makefile.in          |  1 +
+ tool/m4/ruby_append_option.m4 |  4 ++
+ tool/m4/ruby_try_cflags.m4    | 17 ++++++++
+ 5 files changed, 100 insertions(+), 17 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f35fad6a362611..0da15772d36671 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -354,7 +354,7 @@ test -z "$warnflags" ||
+ AS_IF([test -z "${CFLAGS+set}"], [
+     cflags=`echo " $cflags " | sed "$cflagspat;s/^ *//;s/ *$//"`
+     orig_cflags="$cflags"
+-    cflags="$cflags "'${optflags} ${debugflags} ${warnflags}'
++    cflags='${hardenflags} '"$cflags "'${optflags} ${debugflags} ${warnflags}'
+ ])
+ dnl AS_IF([test -z "${CXXFLAGS+set}"], [
+ dnl     cxxflags=`echo " $cxxflags " | sed "$cflagspat;s/^ *//;s/ *$//"`
+@@ -802,7 +802,7 @@ AS_IF([test "$GCC" = yes], [
+ 		  [fortify_source=$enableval])
+     AS_IF([test "x$fortify_source" != xno], [
+         RUBY_TRY_CFLAGS([$optflags -D_FORTIFY_SOURCE=2],
+-                        [RUBY_APPEND_OPTION(XCFLAGS, -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2)], [],
++                        [RUBY_PREPEND_OPTION(hardenflags, -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2)], [],
+                         [@%:@include <stdio.h>])
+     ])
+ 
+@@ -823,20 +823,24 @@ AS_IF([test "$GCC" = yes], [
+     AC_MSG_CHECKING([for -fstack-protector])
+     AC_MSG_RESULT(["$stack_protector"])
+     AS_CASE(["$stack_protector"], [-*], [
+-	RUBY_APPEND_OPTION(XCFLAGS, $stack_protector)
+-	RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
+-	RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
++        RUBY_PREPEND_OPTION(hardenflags, $stack_protector)
++        RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
++        RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
+     ])
+ 
+     # aarch64 branch protection
+     AS_CASE(["$target_cpu"], [aarch64], [
+ 	AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
+-            RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
++            # Try these flags in the _prepended_ position - i.e. we want to try building a program
++            # with CFLAGS="-mbranch-protection=pac-ret $CFLAGS". If the builder has provided different
++            # branch protection flags in CFLAGS, we don't want to overwrite those. We just want to
++            # find some branch protection flags which work if none were provided.
++            RUBY_TRY_CFLAGS_PREPEND(option, [branch_protection=yes], [branch_protection=no])
+             AS_IF([test "x$branch_protection" = xyes], [
+-                # C compiler and assembler must be consistent for -mbranch-protection
+-                # since they both check `__ARM_FEATURE_PAC_DEFAULT` definition.
+-                RUBY_APPEND_OPTION(XCFLAGS, option)
+-                RUBY_APPEND_OPTION(ASFLAGS, option)
++                # _prepend_ the options to CFLAGS, so that user-provided flags will overwrite them.
++                # These CFLAGS are used during the configure script to compile further test programs;
++                # however, $harden_flags is prepended separately to CFLAGS at the end of the script.
++                RUBY_PREPEND_OPTION(hardenflags, $opt)
+                 break
+             ])
+         ])
+@@ -985,6 +989,59 @@ test -z "${ac_env_CFLAGS_set}" -a -n "${cflags+set}" && eval CFLAGS="\"$cflags $
+ test -z "${ac_env_CXXFLAGS_set}" -a -n "${cxxflags+set}" && eval CXXFLAGS="\"$cxxflags $ARCH_FLAG\""
+ }
+ 
++# The lines above expand out the $cflags/$optflags/$debugflags/$hardenflags variables into the
++# CFLAGS variable. So, at this point, we have a $CFLAGS var with the actual compiler flags we're
++# going to use.
++# That means this is the right time to check what branch protection flags are going to be in use
++# and define appropriate macros for use in Context.S based on this
++AS_CASE(["$target_cpu"], [aarch64], [
++    AC_CACHE_CHECK([whether __ARM_FEATURE_BTI_DEFAULT is defined],
++        rb_cv_aarch64_bti_enabled,
++        AC_COMPILE_IFELSE(
++            [AC_LANG_PROGRAM([[
++                @%:@ifndef __ARM_FEATURE_BTI_DEFAULT
++                @%:@error "__ARM_FEATURE_BTI_DEFAULT not defined"
++                @%:@endif
++            ]])],
++        [rb_cv_aarch64_bti_enabled=yes],
++        [rb_cv_aarch64_bti_enabled=no])
++    )
++    AS_IF([test "$rb_cv_aarch64_bti_enabled" = yes],
++          AC_DEFINE(RUBY_AARCH64_BTI_ENABLED, 1))
++    AC_CACHE_CHECK([whether __ARM_FEATURE_PAC_DEFAULT is defined],
++        rb_cv_aarch64_pac_enabled,
++        AC_COMPILE_IFELSE(
++            [AC_LANG_PROGRAM([[
++                @%:@ifndef __ARM_FEATURE_PAC_DEFAULT
++                @%:@error "__ARM_FEATURE_PAC_DEFAULT not defined"
++                @%:@endif
++            ]])],
++        [rb_cv_aarch64_pac_enabled=yes],
++        [rb_cv_aarch64_pac_enabled=no])
++    )
++    AS_IF([test "$rb_cv_aarch64_pac_enabled" = yes],
++          AC_DEFINE(RUBY_AARCH64_PAC_ENABLED, 1))
++    # Context.S will only ever sign its return address with the A-key; it doesn't support
++    # the B-key at the moment.
++    AS_IF([test "$rb_cv_aarch64_pac_enabled" = yes], [
++        AC_CACHE_CHECK([whether __ARM_FEATURE_PAC_DEFAULT specifies the b-key bit 0x02],
++            rb_cv_aarch64_pac_b_key,
++            AC_COMPILE_IFELSE(
++                [AC_LANG_PROGRAM([[
++                    @%:@ifdef __ARM_FEATURE_PAC_DEFAULT
++                    @%:@if __ARM_FEATURE_PAC_DEFAULT & 0x02
++                    @%:@error "__ARM_FEATURE_PAC_DEFAULT specifies B key"
++                    @%:@endif
++                    @%:@endif
++                ]])],
++            [rb_cv_aarch64_pac_b_key=no],
++            [rb_cv_aarch64_pac_b_key=yes])
++        )
++        AS_IF([test "$rb_cv_aarch64_pac_b_key" = yes],
++            AC_MSG_ERROR(-mbranch-protection flag specified b-key but Ruby's Context.S does not support this yet.))
++    ])
++])
++
+ AC_CACHE_CHECK([whether compiler has statement and declarations in expressions],
+   rb_cv_have_stmt_and_decl_in_expr,
+   [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[ __extension__ ({ int a = 0; a; }); ]])],
+@@ -4215,12 +4272,13 @@ AS_IF([test "${ARCH_FLAG}"], [
+ rb_cv_warnflags=`echo "$rb_cv_warnflags" | sed 's/^ *//;s/ *$//'`
+ warnflags="$rb_cv_warnflags"
+ AC_SUBST(cppflags)dnl
+-AC_SUBST(cflags, ["${orig_cflags:+$orig_cflags }"'${optflags} ${debugflags} ${warnflags}'])dnl
++AC_SUBST(cflags, ['${hardenflags} '"${orig_cflags:+$orig_cflags }"' ${optflags} ${debugflags} ${warnflags}'])dnl
+ AC_SUBST(cxxflags)dnl
+ AC_SUBST(optflags)dnl
+ AC_SUBST(debugflags)dnl
+ AC_SUBST(warnflags)dnl
+ AC_SUBST(strict_warnflags)dnl
++AC_SUBST(hardenflags)dnl
+ AC_SUBST(XCFLAGS)dnl
+ AC_SUBST(XLDFLAGS)dnl
+ AC_SUBST(EXTLDFLAGS)dnl
+@@ -4688,6 +4746,7 @@ config_summary "DLDFLAGS"            "$DLDFLAGS"
+ config_summary "optflags"            "$optflags"
+ config_summary "debugflags"          "$debugflags"
+ config_summary "warnflags"           "$warnflags"
++config_summary "hardenflags"         "$hardenflags"
+ config_summary "strip command"       "$STRIP"
+ config_summary "install doc"         "$DOCTARGETS"
+ config_summary "YJIT support"        "$YJIT_SUPPORT"
+diff --git a/coroutine/arm64/Context.S b/coroutine/arm64/Context.S
+index 5251ab214df1f0..54611a247e2f66 100644
+--- a/coroutine/arm64/Context.S
++++ b/coroutine/arm64/Context.S
+@@ -5,6 +5,8 @@
+ ##  Copyright, 2018, by Samuel Williams.
+ ##
+ 
++#include "ruby/config.h"
++
+ #define TOKEN_PASTE(x,y) x##y
+ #define PREFIXED_SYMBOL(prefix,name) TOKEN_PASTE(prefix,name)
+ 
+@@ -27,10 +29,10 @@
+ .global PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer)
+ PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer):
+ 
+-#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT != 0)
++#if defined(RUBY_AARCH64_PAC_ENABLED)
+ 	# paciasp (it also acts as BTI landing pad, so no need to insert BTI also)
+ 	hint #25
+-#elif defined(__ARM_FEATURE_BTI_DEFAULT) && (__ARM_FEATURE_BTI_DEFAULT != 0)
++#elif defined(RUBY_AARCH64_BTI_ENABLED)
+ 	# For the the case PAC is not enabled but BTI is.
+ 	# bti c
+ 	hint #34
+@@ -73,7 +75,7 @@ PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer):
+ 	# Pop stack frame
+ 	add sp, sp, 0xa0
+ 
+-#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT != 0)
++#if defined(RUBY_AARCH64_PAC_ENABLED)
+ 	# autiasp: Authenticate x30 (LR) with SP and key A
+ 	hint #29
+ #endif
+@@ -85,18 +87,18 @@ PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer):
+ .section .note.GNU-stack,"",%progbits
+ #endif
+ 
+-#if __ARM_FEATURE_BTI_DEFAULT != 0 || __ARM_FEATURE_PAC_DEFAULT != 0
++#if defined(RUBY_AARCH64_BTI_ENABLED) || defined(RUBY_AARCH64_PAC_ENABLED)
+ /*  See "ELF for the Arm 64-bit Architecture (AArch64)"
+     https://github.com/ARM-software/abi-aa/blob/2023Q3/aaelf64/aaelf64.rst#program-property */
+ #  define GNU_PROPERTY_AARCH64_FEATURE_1_BTI (1<<0)
+ #  define GNU_PROPERTY_AARCH64_FEATURE_1_PAC (1<<1)
+ 
+-#  if __ARM_FEATURE_BTI_DEFAULT != 0
++#  if defined(RUBY_AARCH64_BTI_ENABLED)
+ #    define BTI_FLAG GNU_PROPERTY_AARCH64_FEATURE_1_BTI
+ #  else
+ #    define BTI_FLAG 0
+ #  endif
+-#  if __ARM_FEATURE_PAC_DEFAULT != 0
++#  if defined(RUBY_AARCH64_PAC_ENABLED)
+ #    define PAC_FLAG GNU_PROPERTY_AARCH64_FEATURE_1_PAC
+ #  else
+ #    define PAC_FLAG 0
+diff --git a/template/Makefile.in b/template/Makefile.in
+index 033ac56cb38886..abb4469777ce8a 100644
+--- a/template/Makefile.in
++++ b/template/Makefile.in
+@@ -89,6 +89,7 @@ cflags = @cflags@
+ optflags = @optflags@
+ debugflags = @debugflags@
+ warnflags = @warnflags@ @strict_warnflags@
++hardenflags = @hardenflags@
+ cppflags = @cppflags@
+ incflags = @incflags@
+ RUBY_DEVEL = @RUBY_DEVEL@ # "yes" or empty
+diff --git a/tool/m4/ruby_append_option.m4 b/tool/m4/ruby_append_option.m4
+index ff828d2162c22f..98359fa1f95f52 100644
+--- a/tool/m4/ruby_append_option.m4
++++ b/tool/m4/ruby_append_option.m4
+@@ -3,3 +3,7 @@ AC_DEFUN([RUBY_APPEND_OPTION],
+ 	[# RUBY_APPEND_OPTION($1)
+ 	AS_CASE([" [$]{$1-} "],
+ 	[*" $2 "*], [], ['  '], [ $1="$2"], [ $1="[$]$1 $2"])])dnl
++AC_DEFUN([RUBY_PREPEND_OPTION],
++	[# RUBY_APPEND_OPTION($1)
++	AS_CASE([" [$]{$1-} "],
++	[*" $2 "*], [], ['  '], [ $1="$2"], [ $1="$2 [$]$1"])])dnl
+diff --git a/tool/m4/ruby_try_cflags.m4 b/tool/m4/ruby_try_cflags.m4
+index b74718fe5e1cef..b397642aad9ca2 100644
+--- a/tool/m4/ruby_try_cflags.m4
++++ b/tool/m4/ruby_try_cflags.m4
+@@ -22,3 +22,20 @@ AC_DEFUN([RUBY_TRY_CFLAGS], [
+ 	AC_MSG_RESULT(no)],
+ 	[$4], [$5])
+ ])dnl
++
++AC_DEFUN([_RUBY_TRY_CFLAGS_PREPEND], [
++    RUBY_WERROR_FLAG([
++    CFLAGS="$1 [$]CFLAGS"
++    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$4]], [[$5]])],
++	[$2], [$3])
++    ])dnl
++])dnl
++AC_DEFUN([RUBY_TRY_CFLAGS_PREPEND], [
++    AC_MSG_CHECKING([whether ]$1[ is accepted as CFLAGS])dnl
++    _RUBY_TRY_CFLAGS_PREPEND([$1],
++	[$2
++	AC_MSG_RESULT(yes)],
++	[$3
++	AC_MSG_RESULT(no)],
++	[$4], [$5])
++])dnl

ruby-3.4.0-Revert-Set-AI_ADDRCONFIG-when-making-getaddrinfo.patch

@@ -1,241 +0,0 @@
-From c3655b89e7c06555a2e0bf13affb8a63a49f4296 Mon Sep 17 00:00:00 2001
-From: Jarek Prokop <jprokop@redhat.com>
-Date: Fri, 26 Jan 2024 11:19:48 +0100
-Subject: [PATCH] Revert "Set AI_ADDRCONFIG when making getaddrinfo(3) calls
- for outgoing conns (#7295)"
-
-This reverts commit d2ba8ea54a4089959afdeecdd963e3c4ff391748.
-
-The purpose of the commit is to workaround a GLIBC bug [0] still present
-in older Ubuntu [1]. C8S/RHEL 8 has the fix for some time [2] and the
-Ruby workaround is causing problems for us [3]. Therefore we can
-revert it for EL8, EL9, and Fedora distros.
-
-[0] https://sourceware.org/bugzilla/show_bug.cgi?id=26600
-[1] https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1961697
-[2] https://bugzilla.redhat.com/show_bug.cgi?id=1868106
-[3] https://bugs.ruby-lang.org/issues/20208
----
- ext/socket/extconf.rb   |   2 -
- ext/socket/ipsocket.c   |  11 +--
- test/socket/test_tcp.rb | 164 ----------------------------------------
- 3 files changed, 2 insertions(+), 175 deletions(-)
-
-diff --git a/ext/socket/extconf.rb b/ext/socket/extconf.rb
-index 544bed5298..1ca52da366 100644
---- a/ext/socket/extconf.rb
-+++ b/ext/socket/extconf.rb
-@@ -607,8 +607,6 @@ def %(s) s || self end
- EOS
-   end
- 
--  have_const('AI_ADDRCONFIG', headers)
--
-   case with_config("lookup-order-hack", "UNSPEC")
-   when "INET"
-     $defs << "-DLOOKUP_ORDER_HACK_INET"
-diff --git a/ext/socket/ipsocket.c b/ext/socket/ipsocket.c
-index 0a693655b4..0c13620258 100644
---- a/ext/socket/ipsocket.c
-+++ b/ext/socket/ipsocket.c
-@@ -54,22 +54,15 @@ init_inetsock_internal(VALUE v)
-     VALUE connect_timeout = arg->connect_timeout;
-     struct timeval tv_storage;
-     struct timeval *tv = NULL;
--    int remote_addrinfo_hints = 0;
- 
-     if (!NIL_P(connect_timeout)) {
-         tv_storage = rb_time_interval(connect_timeout);
-         tv = &tv_storage;
-     }
- 
--    if (type == INET_SERVER) {
--      remote_addrinfo_hints |= AI_PASSIVE;
--    }
--#ifdef HAVE_CONST_AI_ADDRCONFIG
--    remote_addrinfo_hints |= AI_ADDRCONFIG;
--#endif
--
-     arg->remote.res = rsock_addrinfo(arg->remote.host, arg->remote.serv,
--                                     family, SOCK_STREAM, remote_addrinfo_hints);
-+                                     family, SOCK_STREAM,
-+                                     (type == INET_SERVER) ? AI_PASSIVE : 0);
- 
- 
-     /*
-diff --git a/test/socket/test_tcp.rb b/test/socket/test_tcp.rb
-index 35d361f060..7f9dc53cae 100644
---- a/test/socket/test_tcp.rb
-+++ b/test/socket/test_tcp.rb
-@@ -140,168 +140,4 @@ def test_accept_multithread
-       server_threads.each(&:join)
-     end
-   end
--
--  def test_ai_addrconfig
--    # This test verifies that we pass AI_ADDRCONFIG to the DNS resolver when making
--    # an outgoing connection.
--    # The verification of this is unfortunately incredibly convoluted. We perform the
--    # test by setting up a fake DNS server to receive queries. Then, we construct
--    # an environment which has only IPv4 addresses and uses that fake DNS server. We
--    # then attempt to make an outgoing TCP connection. Finally, we verify that we
--    # only received A and not AAAA queries on our fake resolver.
--    # This test can only possibly work on Linux, and only when run as root. If either
--    # of these conditions aren't met, the test will be skipped.
--
--    # The construction of our IPv6-free environment must happen in a child process,
--    # which we can put in its own network & mount namespaces.
--
--    omit "This test is disabled.  It is retained to show the original intent of [ruby-core:110870]"
--
--    IO.popen("-") do |test_io|
--      if test_io.nil?
--        begin
--          # Child program
--          require 'fiddle'
--          require 'resolv'
--          require 'open3'
--
--          libc = Fiddle.dlopen(nil)
--          begin
--            unshare = Fiddle::Function.new(libc['unshare'], [Fiddle::TYPE_INT], Fiddle::TYPE_INT)
--          rescue Fiddle::DLError
--            # Test can't run because we don't have unshare(2) in libc
--            # This will be the case on not-linux, and also on very old glibc versions (or
--            # possibly other libc's that don't expose this syscall wrapper)
--            $stdout.write(Marshal.dump({result: :skip, reason: "unshare(2) or mount(2) not in libc"}))
--            exit
--          end
--
--          # Move our test process into a new network & mount namespace.
--          # This environment will be configured to be IPv6 free and point DNS resolution
--          # at a fake DNS server.
--          # (n.b. these flags are CLONE_NEWNS | CLONE_NEWNET)
--          ret = unshare.call(0x00020000 | 0x40000000)
--          errno = Fiddle.last_error
--          if ret == -1 && errno == Errno::EPERM::Errno
--            # Test can't run because we're not root.
--            $stdout.write(Marshal.dump({result: :skip, reason: "insufficient permissions to unshare namespaces"}))
--            exit
--          elsif ret == -1 && (errno == Errno::ENOSYS::Errno || errno == Errno::EINVAL::Errno)
--            # No unshare(2) in the kernel (or kernel too old to know about this namespace type)
--            $stdout.write(Marshal.dump({result: :skip, reason: "errno #{errno} calling unshare(2)"}))
--            exit
--          elsif ret == -1
--            # Unexpected failure
--            raise "errno #{errno} calling unshare(2)"
--          end
--
--          # Set up our fake DNS environment. Clean out /etc/hosts...
--          fake_hosts_file = Tempfile.new('ruby_test_hosts')
--          fake_hosts_file.write <<~HOSTS
--            127.0.0.1 localhost
--            ::1 localhost
--          HOSTS
--          fake_hosts_file.flush
--
--          # Have /etc/resolv.conf point to 127.0.0.1...
--          fake_resolv_conf = Tempfile.new('ruby_test_resolv')
--          fake_resolv_conf.write <<~RESOLV
--            nameserver 127.0.0.1
--          RESOLV
--          fake_resolv_conf.flush
--
--          # Also stub out /etc/nsswitch.conf; glibc can have other resolver modules
--          # (like systemd-resolved) configured in there other than just using dns,
--          # so rewrite it to remove any `hosts:` lines and add one which just uses
--          # dns.
--          real_nsswitch_conf = File.read('/etc/nsswitch.conf') rescue ""
--          fake_nsswitch_conf = Tempfile.new('ruby_test_nsswitch')
--          real_nsswitch_conf.lines.reject { _1 =~ /^\s*hosts:/ }.each do |ln|
--            fake_nsswitch_conf.puts ln
--          end
--          fake_nsswitch_conf.puts "hosts: files myhostname dns"
--          fake_nsswitch_conf.flush
--
--          # This is needed to make sure our bind-mounds aren't visible outside this process.
--          system 'mount', '--make-rprivate', '/', exception: true
--          # Bind-mount the fake files over the top of the real files.
--          system 'mount', '--bind', '--make-private', fake_hosts_file.path, '/etc/hosts', exception: true
--          system 'mount', '--bind', '--make-private', fake_resolv_conf.path, '/etc/resolv.conf', exception: true
--          system 'mount', '--bind', '--make-private', fake_nsswitch_conf.path, '/etc/nsswitch.conf', exception: true
--
--          # Create a dummy interface with only an IPv4 address
--          system 'ip', 'link', 'add', 'dummy0', 'type', 'dummy', exception: true
--          system 'ip', 'addr', 'add', '192.168.1.2/24', 'dev', 'dummy0', exception: true
--          system 'ip', 'link', 'set', 'dummy0', 'up', exception: true
--          system 'ip', 'link', 'set', 'lo', 'up', exception: true
--
--          # Disable IPv6 on this interface (this is needed to disable the link-local
--          # IPv6 address)
--          File.open('/proc/sys/net/ipv6/conf/dummy0/disable_ipv6', 'w') do |f|
--            f.puts "1"
--          end
--
--          # Create a fake DNS server which will receive the DNS queries triggered by TCPSocket.new
--          fake_dns_server_socket = UDPSocket.new
--          fake_dns_server_socket.bind('127.0.0.1', 53)
--          received_dns_queries = []
--          fake_dns_server_thread = Thread.new do
--            Socket.udp_server_loop_on([fake_dns_server_socket]) do |msg, msg_src|
--              request = Resolv::DNS::Message.decode(msg)
--              received_dns_queries << request
--              response = request.dup.tap do |r|
--                r.qr = 0
--                r.rcode = 3 # NXDOMAIN
--              end
--              msg_src.reply response.encode
--            end
--          end
--
--          # Make a request which will hit our fake DNS swerver - this needs to be in _another_
--          # process because glibc will cache resolver info across the fork otherwise.
--          load_path_args = $LOAD_PATH.flat_map { ['-I', _1] }
--          Open3.capture3('/proc/self/exe', *load_path_args, '-rsocket', '-e', <<~RUBY)
--            TCPSocket.open('www.example.com', 4444)
--          RUBY
--
--          fake_dns_server_thread.kill
--          fake_dns_server_thread.join
--
--          have_aaaa_qs = received_dns_queries.any? do |query|
--            query.question.any? do |question|
--              question[1] == Resolv::DNS::Resource::IN::AAAA
--            end
--          end
--
--          have_a_q = received_dns_queries.any? do |query|
--            query.question.any? do |question|
--              question[0].to_s == "www.example.com"
--            end
--          end
--
--          if have_aaaa_qs
--            $stdout.write(Marshal.dump({result: :fail, reason: "got AAAA queries, expected none"}))
--          elsif !have_a_q
--            $stdout.write(Marshal.dump({result: :fail, reason: "got no A query for example.com"}))
--          else
--            $stdout.write(Marshal.dump({result: :success}))
--          end
--        rescue => ex
--          $stdout.write(Marshal.dump({result: :fail, reason: ex.full_message}))
--        ensure
--          # Make sure the child process does not transfer control back into the test runner.
--          exit!
--        end
--      else
--        test_result = Marshal.load(test_io.read)
--
--        case test_result[:result]
--        when :skip
--          omit test_result[:reason]
--        when :fail
--          fail test_result[:reason]
--        end
--      end
--    end
--  end
- end if defined?(TCPSocket)
--- 
-2.43.0
-

ruby-3.4.0-fix-branch-protection-compilation-for-arm.patch

@@ -1,59 +0,0 @@
-From 8af8f327457738620d2c85bd65db8cc5594585db Mon Sep 17 00:00:00 2001
-From: Yuta Saito <kateinoigakukun@gmail.com>
-Date: Wed, 27 Dec 2023 06:22:45 +0000
-Subject: [PATCH 1/2] [Bug #20085] Use consistent default options for
- `-mbranch-protection`
-
-We need to use the same options for both C compiler and assembler
-when `-mbranch-protection` is guessed by configure. Otherwise,
-`coroutine/arm64/Context.{h,S}` will use incompatible PAC strategies.
----
- configure.ac | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 9286946fc1..18b4247991 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -830,7 +830,10 @@ AS_IF([test "$GCC" = yes], [
- 	AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
-             RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
-             AS_IF([test "x$branch_protection" = xyes], [
-+                # C compiler and assembler must be consistent for -mbranch-protection
-+                # since they both check `__ARM_FEATURE_PAC_DEFAULT` definition.
-                 RUBY_APPEND_OPTION(XCFLAGS, option)
-+                RUBY_APPEND_OPTION(ASFLAGS, option)
-                 break
-             ])
-         ])
--- 
-2.43.0
-
-
-From 80281e14e411e8e5fe4955effbb2c650a2f52667 Mon Sep 17 00:00:00 2001
-From: Jarek Prokop <jprokop@redhat.com>
-Date: Fri, 12 Jan 2024 18:33:34 +0100
-Subject: [PATCH 2/2] aarch64: Prepend -mbranch-protection=standard option when
- checking branch protection.
-
-Related Upstream issue: https://bugs.ruby-lang.org/issues/20154
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 18b4247991..5ea8ada8f7 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -827,7 +827,7 @@ AS_IF([test "$GCC" = yes], [
- 
-     # aarch64 branch protection
-     AS_CASE(["$target_cpu"], [aarch64], [
--	AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
-+	AS_FOR(option, opt, [-mbranch-protection=standard -mbranch-protection=pac-ret -msign-return-address=all], [
-             RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
-             AS_IF([test "x$branch_protection" = xyes], [
-                 # C compiler and assembler must be consistent for -mbranch-protection
--- 
-2.43.0
-

ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch

@@ -0,0 +1,47 @@
+From ae215a47ae1a6527bb7b8566e5bcc9430652462f Mon Sep 17 00:00:00 2001
+From: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
+Date: Fri, 5 Jan 2024 15:58:59 +0100
+Subject: [PATCH] Only set min_version on OpenSSL < 1.1.0
+
+Both Red Hat and Debian-like systems configure the minimum TLS version
+to be 1.2 by default, but allow users to change this via configs.
+
+On Red Hat and derivatives this happens via crypto-policies[1], which in
+writes settings in /etc/crypto-policies/back-ends/opensslcnf.config.
+Most notably, it sets TLS.MinProtocol there. For Debian there's
+MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is
+considered a secure default.
+
+In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION
+for min_version. TLS 1.0 and 1.1 are considered insecure. By always
+setting this in the default parameters, the system wide default can't be
+respected, even if a developer wants to.
+
+This takes the approach that's also done for ciphers: it's only set for
+OpenSSL < 1.1.0.
+
+[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
+---
+ lib/openssl/ssl.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
+index e557b8b48..83ecacafb 100644
+--- a/ext/openssl/lib/openssl/ssl.rb
++++ b/ext/openssl/lib/openssl/ssl.rb
+@@ -22,7 +22,6 @@ module OpenSSL
+   module SSL
+     class SSLContext
+       DEFAULT_PARAMS = { # :nodoc:
+-        :min_version => OpenSSL::SSL::TLS1_VERSION,
+         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+         :verify_hostname => true,
+         :options => -> {
+@@ -55,6 +54,7 @@ class SSLContext
+       if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+            OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+         DEFAULT_PARAMS.merge!(
++          min_version: OpenSSL::SSL::TLS1_VERSION,
+           ciphers: %w{
+             ECDHE-ECDSA-AES128-GCM-SHA256
+             ECDHE-RSA-AES128-GCM-SHA256

ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch

@@ -1,256 +0,0 @@
-From d3933fc753187a055a4904af82f5f3794c88c416 Mon Sep 17 00:00:00 2001
-From: Sorah Fukumori <her@sorah.jp>
-Date: Mon, 1 Jan 2024 20:45:54 +0900
-Subject: [PATCH] [ruby/net-http] Renew test certificates
-
-The private key is replaced with a public known test key published at
-[RFC 9500].
-
-Also lifetime has been extended to 10 years from 4 years.
-
-[RFC 9500]: https://www.rfc-editor.org/rfc/rfc9500.html
-
-https://github.com/ruby/net-http/commit/4ab6c4a500
----
- test/net/fixtures/Makefile   |  6 +--
- test/net/fixtures/cacert.pem | 44 ++++++++--------
- test/net/fixtures/server.crt | 99 +++++++-----------------------------
- test/net/fixtures/server.key | 55 ++++++++++----------
- 4 files changed, 71 insertions(+), 133 deletions(-)
-
-diff --git a/test/net/fixtures/Makefile b/test/net/fixtures/Makefile
-index b2bc9c7368ee2..88c232e3b6c16 100644
---- a/test/net/fixtures/Makefile
-+++ b/test/net/fixtures/Makefile
-@@ -5,11 +5,11 @@ regen_certs:
- 	make server.crt
- 
- cacert.pem: server.key
--	openssl req -new -x509 -days 1825 -key server.key -out cacert.pem -text -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org"
-+	openssl req -new -x509 -days 3650 -key server.key -out cacert.pem -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org"
- 
- server.csr:
--	openssl req -new -key server.key -out server.csr -text -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost"
-+	openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost"
- 
- server.crt: server.csr cacert.pem
--	openssl x509 -days 1825 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -text -out server.crt
-+	openssl x509 -days 3650 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -out server.crt
- 	rm server.csr
-diff --git a/test/net/fixtures/cacert.pem b/test/net/fixtures/cacert.pem
-index f623bd62ed375..24c83f1c65225 100644
---- a/test/net/fixtures/cacert.pem
-+++ b/test/net/fixtures/cacert.pem
-@@ -1,24 +1,24 @@
- -----BEGIN CERTIFICATE-----
--MIID7TCCAtWgAwIBAgIJAIltvxrFAuSnMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
--VQQGEwJKUDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkx
--FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0Ex
--JTAjBgkqhkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwHhcNMTkwMTAy
--MDI1ODI4WhcNMjQwMTAxMDI1ODI4WjCBjDELMAkGA1UEBhMCSlAxEDAOBgNVBAgM
--B1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQKDA5SdWJ5IENv
--cmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZIhvcNAQkBFhZz
--ZWN1cml0eUBydWJ5LWxhbmcub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
--CgKCAQEAznlbjRVhz1NlutHVrhcGnK8W0qug2ujKXv1njSC4U6nJF6py7I9EeehV
--SaKePyv+I9z3K1LnfUHOtUbdwdKC77yN66A6q2aqzu5q09/NSykcZGOIF0GuItYI
--3nvW3IqBddff2ffsyR+9pBjfb5AIPP08WowF9q4s1eGULwZc4w2B8PFhtxYANd7d
--BvGLXFlcufv9tDtzyRi4t7eqxCRJkZQIZNZ6DHHIJrNxejOILfHLarI12yk8VK6L
--2LG4WgGqyeePiRyd1o1MbuiAFYqAwpXNUbRKg5NaZGwBHZk8UZ+uFKt1QMBURO5R
--WFy1c349jbWszTqFyL4Lnbg9HhAowQIDAQABo1AwTjAdBgNVHQ4EFgQU9tEiKdU9
--I9derQyc5nWPnc34nVMwHwYDVR0jBBgwFoAU9tEiKdU9I9derQyc5nWPnc34nVMw
--DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAxj7F/u3C3fgq24N7hGRA
--of7ClFQxGmo/IGT0AISzW3HiVYiFaikKhbO1NwD9aBpD8Zwe62sCqMh8jGV/b0+q
--aOORnWYNy2R6r9FkASAglmdF6xn3bhgGD5ls4pCvcG9FynGnGc24g6MrjFNrBYUS
--2iIZsg36i0IJswo/Dy6HLphCms2BMCD3DeWtfjePUiTmQHJo6HsQIKP/u4N4Fvee
--uMBInei2M4VU74fLXbmKl1F9AEX7JDP3BKSZG19Ch5pnUo4uXM1uNTGsi07P4Y0s
--K44+SKBC0bYEFbDK0eQWMrX3kIhkPxyIWhxdq9/NqPYjShuSEAhA6CSpmRg0pqc+
--mA==
-+MIID+zCCAuOgAwIBAgIUGMvHl3EhtKPKcgc3NQSAYfFuC+8wDQYJKoZIhvcNAQEL
-+BQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRQwEgYDVQQHDAtN
-+YXR6LWUgY2l0eTEXMBUGA1UECgwOUnVieSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1
-+YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJARYWc2VjdXJpdHlAcnVieS1sYW5nLm9y
-+ZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEyMjkxMTQ3MjNaMIGMMQswCQYDVQQGEwJK
-+UDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkxFzAVBgNV
-+BAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0ExJTAjBgkq
-+hkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwggEiMA0GCSqGSIb3DQEB
-+AQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI
-++1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0f
-+qXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0
-+yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIe
-+NWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1
-+JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMBAAGjUzBRMB0GA1Ud
-+DgQWBBSJGVleDvFp9cu9R+E0/OKYzGkwkTAfBgNVHSMEGDAWgBSJGVleDvFp9cu9
-+R+E0/OKYzGkwkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBl
-+8GLB8skAWlkSw/FwbUmEV3zyqu+p7PNP5YIYoZs0D74e7yVulGQ6PKMZH5hrZmHo
-+orFSQU+VUUirG8nDGj7Rzce8WeWBxsaDGC8CE2dq6nC6LuUwtbdMnBrH0LRWAz48
-+jGFF3jHtVz8VsGfoZTZCjukWqNXvU6hETT9GsfU+PZqbqcTVRPH52+XgYayKdIbD
-+r97RM4X3+aXBHcUW0b76eyyi65RR/Xtvn8ioZt2AdX7T2tZzJyXJN3Hupp77s6Ui
-+AZR35SToHCZeTZD12YBvLBdaTPLZN7O/Q/aAO9ZiJaZ7SbFOjz813B2hxXab4Fob
-+2uJX6eMWTVxYK5D4M9lm
- -----END CERTIFICATE-----
-diff --git a/test/net/fixtures/server.crt b/test/net/fixtures/server.crt
-index 5ca78a6d146a0..5d2923795dabc 100644
---- a/test/net/fixtures/server.crt
-+++ b/test/net/fixtures/server.crt
-@@ -1,82 +1,21 @@
--Certificate:
--    Data:
--        Version: 3 (0x2)
--        Serial Number: 2 (0x2)
--    Signature Algorithm: sha256WithRSAEncryption
--        Issuer: C=JP, ST=Shimane, L=Matz-e city, O=Ruby Core Team, CN=Ruby Test CA/emailAddress=security@ruby-lang.org
--        Validity
--            Not Before: Jan  2 03:27:13 2019 GMT
--            Not After : Jan  1 03:27:13 2024 GMT
--        Subject: C=JP, ST=Shimane, O=Ruby Core Team, OU=Ruby Test, CN=localhost
--        Subject Public Key Info:
--            Public Key Algorithm: rsaEncryption
--                Public-Key: (2048 bit)
--                Modulus:
--                    00:e8:da:9c:01:2e:2b:10:ec:49:cd:5e:07:13:07:
--                    9c:70:9e:c6:74:bc:13:c2:e1:6f:c6:82:fd:e3:48:
--                    e0:2c:a5:68:c7:9e:42:de:60:54:65:e6:6a:14:57:
--                    7a:30:d0:cc:b5:b6:d9:c3:d2:df:c9:25:97:54:67:
--                    cf:f6:be:5e:cb:8b:ee:03:c5:e1:e2:f9:e7:f7:d1:
--                    0c:47:f0:b8:da:33:5a:ad:41:ad:e7:b5:a2:7b:b7:
--                    bf:30:da:60:f8:e3:54:a2:bc:3a:fd:1b:74:d9:dc:
--                    74:42:e9:29:be:df:ac:b4:4f:eb:32:f4:06:f1:e1:
--                    8c:4b:a8:8b:fb:29:e7:b1:bf:1d:01:ee:73:0f:f9:
--                    40:dc:d5:15:79:d9:c6:73:d0:c0:dd:cb:e4:da:19:
--                    47:80:c6:14:04:72:fd:9a:7c:8f:11:82:76:49:04:
--                    79:cc:f2:5c:31:22:95:13:3e:5d:40:a6:4d:e0:a3:
--                    02:26:7d:52:3b:bb:ed:65:a1:0f:ed:6b:b0:3c:d4:
--                    de:61:15:5e:d3:dd:68:09:9f:4a:57:a5:c2:a9:6d:
--                    86:92:c5:f4:a4:d4:b7:13:3b:52:63:24:05:e2:cc:
--                    e3:8a:3c:d4:35:34:2b:10:bb:58:72:e7:e1:8d:1d:
--                    74:8c:61:16:20:3d:d0:1c:4e:8f:6e:fd:fe:64:10:
--                    4f:41
--                Exponent: 65537 (0x10001)
--        X509v3 extensions:
--            X509v3 Basic Constraints: 
--                CA:FALSE
--            Netscape Comment: 
--                OpenSSL Generated Certificate
--            X509v3 Subject Key Identifier: 
--                ED:28:C2:7E:AB:4B:C8:E8:FE:55:6D:66:95:31:1C:2D:60:F9:02:36
--            X509v3 Authority Key Identifier: 
--                keyid:F6:D1:22:29:D5:3D:23:D7:5E:AD:0C:9C:E6:75:8F:9D:CD:F8:9D:53
--
--    Signature Algorithm: sha256WithRSAEncryption
--         1d:b8:c5:8b:72:41:20:65:ad:27:6f:15:63:06:26:12:8d:9c:
--         ad:ca:f4:db:97:b4:90:cb:ff:35:94:bb:2a:a7:a1:ab:1e:35:
--         2d:a5:3f:c9:24:b0:1a:58:89:75:3e:81:0a:2c:4f:98:f9:51:
--         fb:c0:a3:09:d0:0a:9b:e7:a2:b7:c3:60:40:c8:f4:6d:b2:6a:
--         56:12:17:4c:00:24:31:df:9c:60:ae:b1:68:54:a9:e6:b5:4a:
--         04:e6:92:05:86:d9:5a:dc:96:30:a5:58:de:14:99:0f:e5:15:
--         89:3e:9b:eb:80:e3:bd:83:c3:ea:33:35:4b:3e:2f:d3:0d:64:
--         93:67:7f:8d:f5:3f:0c:27:bc:37:5a:cc:d6:47:16:af:5a:62:
--         d2:da:51:f8:74:06:6b:24:ad:28:68:08:98:37:7d:ed:0e:ab:
--         1e:82:61:05:d0:ba:75:a0:ab:21:b0:9a:fd:2b:54:86:1d:0d:
--         1f:c2:d4:77:1f:72:26:5e:ad:8a:9f:09:36:6d:44:be:74:c2:
--         5a:3e:ff:5c:9d:75:d6:38:7b:c5:39:f9:44:6e:a1:d1:8e:ff:
--         63:db:c4:bb:c6:91:92:ca:5c:60:9b:1d:eb:0a:de:08:ee:bf:
--         da:76:03:65:62:29:8b:f8:7f:c7:86:73:1e:f6:1f:2d:89:69:
--         fd:be:bd:6e
- -----BEGIN CERTIFICATE-----
--MIID4zCCAsugAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSlAx
--EDAOBgNVBAgMB1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQK
--DA5SdWJ5IENvcmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZI
--hvcNAQkBFhZzZWN1cml0eUBydWJ5LWxhbmcub3JnMB4XDTE5MDEwMjAzMjcxM1oX
--DTI0MDEwMTAzMjcxM1owYDELMAkGA1UEBhMCSlAxEDAOBgNVBAgMB1NoaW1hbmUx
--FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRIwEAYDVQQLDAlSdWJ5IFRlc3QxEjAQ
--BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
--AOjanAEuKxDsSc1eBxMHnHCexnS8E8Lhb8aC/eNI4CylaMeeQt5gVGXmahRXejDQ
--zLW22cPS38kll1Rnz/a+XsuL7gPF4eL55/fRDEfwuNozWq1Bree1onu3vzDaYPjj
--VKK8Ov0bdNncdELpKb7frLRP6zL0BvHhjEuoi/sp57G/HQHucw/5QNzVFXnZxnPQ
--wN3L5NoZR4DGFARy/Zp8jxGCdkkEeczyXDEilRM+XUCmTeCjAiZ9Uju77WWhD+1r
--sDzU3mEVXtPdaAmfSlelwqlthpLF9KTUtxM7UmMkBeLM44o81DU0KxC7WHLn4Y0d
--dIxhFiA90BxOj279/mQQT0ECAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC
--AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFO0o
--wn6rS8jo/lVtZpUxHC1g+QI2MB8GA1UdIwQYMBaAFPbRIinVPSPXXq0MnOZ1j53N
--+J1TMA0GCSqGSIb3DQEBCwUAA4IBAQAduMWLckEgZa0nbxVjBiYSjZytyvTbl7SQ
--y/81lLsqp6GrHjUtpT/JJLAaWIl1PoEKLE+Y+VH7wKMJ0Aqb56K3w2BAyPRtsmpW
--EhdMACQx35xgrrFoVKnmtUoE5pIFhtla3JYwpVjeFJkP5RWJPpvrgOO9g8PqMzVL
--Pi/TDWSTZ3+N9T8MJ7w3WszWRxavWmLS2lH4dAZrJK0oaAiYN33tDqsegmEF0Lp1
--oKshsJr9K1SGHQ0fwtR3H3ImXq2Knwk2bUS+dMJaPv9cnXXWOHvFOflEbqHRjv9j
--28S7xpGSylxgmx3rCt4I7r/adgNlYimL+H/HhnMe9h8tiWn9vr1u
-+MIIDYTCCAkkCAQAwDQYJKoZIhvcNAQELBQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYD
-+VQQIDAdTaGltYW5lMRQwEgYDVQQHDAtNYXR6LWUgY2l0eTEXMBUGA1UECgwOUnVi
-+eSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJ
-+ARYWc2VjdXJpdHlAcnVieS1sYW5nLm9yZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEy
-+MjkxMTQ3MjNaMGAxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRcwFQYD
-+VQQKDA5SdWJ5IENvcmUgVGVhbTESMBAGA1UECwwJUnVieSBUZXN0MRIwEAYDVQQD
-+DAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZ
-+Q6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJ
-+tWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvA
-+aIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51a
-+a5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj
-+702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G
-+9zKyqGtGAWXAj1MTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACtGNdj5TEtnJBYp
-+M+LhBeU3oNteldfycEm993gJp6ghWZFg23oX8fVmyEeJr/3Ca9bAgDqg0t9a0npN
-+oWKEY6wVKqcHgu3gSvThF5c9KhGbeDDmlTSVVNQmXWX0K2d4lS2cwZHH8mCm2mrY
-+PDqlEkSc7k4qSiqigdS8i80Yk+lDXWsm8CjsiC93qaRM7DnS0WPQR0c16S95oM6G
-+VklFKUSDAuFjw9aVWA/nahOucjn0w5fVW6lyIlkBslC1ChlaDgJmvhz+Ol3iMsE0
-+kAmFNu2KKPVrpMWaBID49QwQTDyhetNLaVVFM88iUdA9JDoVMEuP1mm39JqyzHTu
-+uBrdP4Q=
- -----END CERTIFICATE-----
-diff --git a/test/net/fixtures/server.key b/test/net/fixtures/server.key
-index 7f2380e71e637..6a83d5bcf4a52 100644
---- a/test/net/fixtures/server.key
-+++ b/test/net/fixtures/server.key
-@@ -1,28 +1,27 @@
-------BEGIN PRIVATE KEY-----
--MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDo2pwBLisQ7EnN
--XgcTB5xwnsZ0vBPC4W/Ggv3jSOAspWjHnkLeYFRl5moUV3ow0My1ttnD0t/JJZdU
--Z8/2vl7Li+4DxeHi+ef30QxH8LjaM1qtQa3ntaJ7t78w2mD441SivDr9G3TZ3HRC
--6Sm+36y0T+sy9Abx4YxLqIv7Keexvx0B7nMP+UDc1RV52cZz0MDdy+TaGUeAxhQE
--cv2afI8RgnZJBHnM8lwxIpUTPl1Apk3gowImfVI7u+1loQ/ta7A81N5hFV7T3WgJ
--n0pXpcKpbYaSxfSk1LcTO1JjJAXizOOKPNQ1NCsQu1hy5+GNHXSMYRYgPdAcTo9u
--/f5kEE9BAgMBAAECggEBAOHkwhc7DLh8IhTDNSW26oMu5OP2WU1jmiYAigDmf+OQ
--DBgrZj+JQBci8qINQxL8XLukSZn5hvQCLc7Kbyu1/wyEEUFDxSGGwwzclodr9kho
--LX2LDASPZrOSzD2+fPi2wTKmXKuS6Uc44OjQfZkYMNkz9r4Vkm8xGgOD3VipjIYX
--QXlhhdqkXZcNABsihCV52GKkDFSVm8jv95YJc5xhoYCy/3a4/qPdF0aT2R7oYUej
--hKrxVDskyooe8Zg/JTydZNV5GQEDmW01/K3r6XGT26oPi1AqMU1gtv/jkW56CRQQ
--1got8smnqM+AV7Slf9R6DauIPdQJ2S8wsr/o8ISBsOECgYEA9YrqEP2gAYSGFXRt
--liw0WI2Ant8BqXS6yvq1jLo/qWhLw/ph4Di73OQ2mpycVTpgfGr2wFPQR1XJ+0Fd
--U+Ir/C3Q7FK4VIGHK7B0zNvZr5tEjlFfeRezo2JMVw5YWeSagIFcSwK+KqCTH9qc
--pw/Eb8nB/4XNcpTZu7Fg0Wc+ooUCgYEA8sVaicn1Wxkpb45a4qfrA6wOr5xdJ4cC
--A5qs7vjX2OdPIQOmoQhdI7bCWFXZzF33wA4YCws6j5wRaySLIJqdms8Gl9QnODy1
--ZlA5gwKToBC/jqPmWAXSKb8EH7cHilaxU9OKnQ7CfwlGLHqjMtjrhR7KHlt3CVRs
--oRmvsjZVXI0CgYAmPedslAO6mMhFSSfULrhMXmV82OCqYrrA6EEkVNGbcdnzAOkD
--gfKIWabDd8bFY10po4Mguy0CHzNhBXIioWQWV5BlbhC1YKMLw+S9DzSdLAKGY9gJ
--xQ4+UQ3wtRQ/k+IYR413RUsW2oFvgZ3KSyNeAb9MK6uuv84VdG/OzVSs/QKBgQDn
--kap//l2EbObiWyaERunckdVcW0lcN+KK75J/TGwPoOwQsLvTpPe65kxRGGrtDsEQ
--uCDk/+v3KkZPLgdrrTAih9FhJ+PVN8tMcb+6IM4SA4fFFr/UPJEwct0LJ3oQ0grJ
--y+HPWFHb/Uurh7t99/4H98uR02sjQh1wOeEmm78mzQKBgQDm+LzGH0se6CXQ6cdZ
--g1JRZeXkDEsrW3hfAsW62xJQmXcWxBoblP9OamMY+A06rM5og3JbDk5Zm6JsOaA8
--wS2gw4ilp46jors4eQey8ux7kB9LzdBoDBBElnsbjLO8oBNZlVcYXg+6BOl/CUi7
--2whRF0FEjKA8ehrNhAq+VFfFNw==
-------END PRIVATE KEY-----
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIEowIBAAKCAQEAsPnoGUOnrpiSqt4XynxA+HRP7S+BSObI6qJ7fQAVSPtRkqso
-+tWxQYLEYzNEx5ZSHTGypibVsJylvCfuToDTfMul8b/CZjP2Ob0LdpYrNH6l5hvFE
-+89FU1nZQF15oVLOpUgA7wGiHuEVawrGfey92UE68mOyUVXGweJIVDdxqdMoPvNNU
-+l86BU02vlBiESxOuox+dWmuVV7vfYZ79Toh/LUK43YvJh+rhv4nKuF7iHjVjBd9s
-+B6iDjj70HFldzOQ9r8SRI+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P59
-+3VVJvnzOjaA1z6Cz+4+eRvcysqhrRgFlwI9TEwIDAQABAoIBAEEYiyDP29vCzx/+
-+dS3LqnI5BjUuJhXUnc6AWX/PCgVAO+8A+gZRgvct7PtZb0sM6P9ZcLrweomlGezI
-+FrL0/6xQaa8bBr/ve/a8155OgcjFo6fZEw3Dz7ra5fbSiPmu4/b/kvrg+Br1l77J
-+aun6uUAs1f5B9wW+vbR7tzbT/mxaUeDiBzKpe15GwcvbJtdIVMa2YErtRjc1/5B2
-+BGVXyvlJv0SIlcIEMsHgnAFOp1ZgQ08aDzvilLq8XVMOahAhP1O2A3X8hKdXPyrx
-+IVWE9bS9ptTo+eF6eNl+d7htpKGEZHUxinoQpWEBTv+iOoHsVunkEJ3vjLP3lyI/
-+fY0NQ1ECgYEA3RBXAjgvIys2gfU3keImF8e/TprLge1I2vbWmV2j6rZCg5r/AS0u
-+pii5CvJ5/T5vfJPNgPBy8B/yRDs+6PJO1GmnlhOkG9JAIPkv0RBZvR0PMBtbp6nT
-+Y3yo1lwamBVBfY6rc0sLTzosZh2aGoLzrHNMQFMGaauORzBFpY5lU50CgYEAzPHl
-+u5DI6Xgep1vr8QvCUuEesCOgJg8Yh1UqVoY/SmQh6MYAv1I9bLGwrb3WW/7kqIoD
-+fj0aQV5buVZI2loMomtU9KY5SFIsPV+JuUpy7/+VE01ZQM5FdY8wiYCQiVZYju9X
-+Wz5LxMNoz+gT7pwlLCsC4N+R8aoBk404aF1gum8CgYAJ7VTq7Zj4TFV7Soa/T1eE
-+k9y8a+kdoYk3BASpCHJ29M5R2KEA7YV9wrBklHTz8VzSTFTbKHEQ5W5csAhoL5Fo
-+qoHzFFi3Qx7MHESQb9qHyolHEMNx6QdsHUn7rlEnaTTyrXh3ifQtD6C0yTmFXUIS
-+CW9wKApOrnyKJ9nI0HcuZQKBgQCMtoV6e9VGX4AEfpuHvAAnMYQFgeBiYTkBKltQ
-+XwozhH63uMMomUmtSG87Sz1TmrXadjAhy8gsG6I0pWaN7QgBuFnzQ/HOkwTm+qKw
-+AsrZt4zeXNwsH7QXHEJCFnCmqw9QzEoZTrNtHJHpNboBuVnYcoueZEJrP8OnUG3r
-+UjmopwKBgAqB2KYYMUqAOvYcBnEfLDmyZv9BTVNHbR2lKkMYqv5LlvDaBxVfilE0
-+2riO4p6BaAdvzXjKeRrGNEKoHNBpOSfYCOM16NjL8hIZB1CaV3WbT5oY+jp7Mzd5
-+7d56RZOE+ERK2uz/7JX9VSsM/LbH9pJibd4e8mikDS9ntciqOH/3
-+-----END RSA PRIVATE KEY-----

ruby.spec

@@ -1,6 +1,6 @@
 %global major_version 3
 %global minor_version 3
-%global teeny_version 0
+%global teeny_version 8
 %global major_minor_version %{major_version}.%{minor_version}
 
 %global ruby_version %{major_minor_version}.%{teeny_version}
@@ -10,7 +10,7 @@
 #%%global milestone rc1
 
 # Keep the revision enabled for pre-releases from GIT.
-#%%global revision 5124f9ac75
+#%%global revision ef084cc8f4
 
 %global ruby_archive %{name}-%{ruby_version}
 
@@ -27,29 +27,32 @@
 %global rubygems_dir %{_datadir}/rubygems
 
 # Bundled libraries versions
-%global rubygems_version 3.5.3
+%global rubygems_version 3.5.22
 %global rubygems_molinillo_version 0.8.0
-%global rubygems_net_http_version 0.4.0
+%global rubygems_net_http_version 0.4.1
 %global rubygems_net_protocol_version 0.2.2
 %global rubygems_optparse_version 0.4.0
-%global rubygems_resolv_version 0.3.0
+%global rubygems_resolv_version 0.4.0
+%global rubygems_securerandom_version 0.3.1
 %global rubygems_timeout_version 0.4.1
 %global rubygems_tsort_version 0.2.0
+%global rubygems_uri_version 0.13.1
 
 # Default gems.
-%global bundler_version 2.5.3
+%global bundler_version 2.5.22
 %global bundler_connection_pool_version 2.4.1
 %global bundler_fileutils_version 1.7.2
-%global bundler_net_http_persistent_version 4.0.2
+%global bundler_net_http_persistent_version 4.0.4
 %global bundler_pub_grub_version 0.5.0
+%global bundler_securerandom_version 0.3.1
 %global bundler_thor_version 1.3.0
 %global bundler_tsort_version 0.2.0
-%global bundler_uri_version 0.13.0
+%global bundler_uri_version 0.13.1
 
 %global abbrev_version 0.1.2
 %global base64_version 0.2.0
 %global benchmark_version 0.3.0
-%global cgi_version 0.4.1
+%global cgi_version 0.4.2
 %global csv_version 3.2.8
 %global date_version 3.3.4
 %global delegate_version 0.3.1
@@ -71,7 +74,7 @@
 %global ipaddr_version 1.2.6
 %global logger_version 1.6.0
 %global mutex_m_version 0.2.0
-%global net_http_version 0.4.0
+%global net_http_version 0.4.1
 %global net_protocol_version 0.2.2
 %global nkf_version 0.1.3
 %global observer_version 0.1.2
@@ -85,7 +88,7 @@
 %global prettyprint_version 0.2.0
 %global pstore_version 0.1.3
 %global readline_version 0.0.4
-%global reline_version 0.4.1
+%global reline_version 0.5.10
 %global resolv_version 0.3.0
 %global resolv_replace_version 0.1.1
 %global rinda_version 0.2.0
@@ -94,9 +97,9 @@
 %global set_version 1.1.0
 %global shellwords_version 0.2.0
 %global singleton_version 0.2.0
-%global stringio_version 3.1.0
-%global strscan_version 3.0.7
-%global syntax_suggest_version 2.0.0
+%global stringio_version 3.1.1
+%global strscan_version 3.0.9
+%global syntax_suggest_version 2.0.1
 %global syslog_version 0.1.2
 %global tempfile_version 0.2.1
 %global time_version 0.3.0
@@ -104,27 +107,27 @@
 %global tmpdir_version 0.2.0
 %global tsort_version 0.2.0
 %global un_version 0.3.0
-%global uri_version 0.13.0
+%global uri_version 0.13.2
 %global weakref_version 0.1.3
 %global win32ole_version 1.8.10
 %global yaml_version 0.3.0
 %global prism_version 0.19.0
-%global zlib_version 3.1.0
+%global zlib_version 3.1.1
 
 # Gemified default gems.
 %global bigdecimal_version 3.1.5
 %global io_console_version 0.7.1
-%global irb_version 1.11.0
-%global json_version 2.7.1
+%global irb_version 1.13.1
+%global json_version 2.7.2
 %global psych_version 5.1.2
-%global rdoc_version 6.6.2
+%global rdoc_version 6.6.3.1
 
 # Bundled gems.
-%global debug_version 1.9.1
-%global net_ftp_version 0.3.3
-%global net_imap_version 0.4.9
+%global debug_version 1.9.2
+%global net_ftp_version 0.3.4
+%global net_imap_version 0.4.19
 %global net_pop_version 0.1.2
-%global net_smtp_version 0.4.0
+%global net_smtp_version 0.5.1
 %global matrix_version 0.4.2
 %global minitest_version 5.20.0
 %global power_assert_version 2.0.3
@@ -132,11 +135,14 @@
 %global racc_version 1.7.3
 %global rake_version 13.1.0
 %global rbs_version 3.4.0
-%global rexml_version 3.2.6
-%global rss_version 0.3.0
+%global rexml_version 3.3.9
+%global rss_version 0.3.1
 %global test_unit_version 3.6.1
 %global typeprof_version 0.21.9
 
+# Bundled nkf version
+%global bundled_nkf_version 2.1.5
+
 %global tapset_libdir %(echo %{_libdir} | sed 's/64//')*
 
 %if 0%{?fedora} >= 19
@@ -167,14 +173,49 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby
 Version: %{ruby_version}%{?development_release}
-Release: 4%{?dist}
-# BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c
+Release: 19%{?dist}
+# Licenses, which are likely not included in binary RPMs:
+# Apache-2.0:
+#   benchmark/gc/redblack.rb
+#     But this file might be BSD-2-Clause licensed after all:
+#     https://bugs.ruby-lang.org/issues/20420
+# GPL-1.0-or-later: ext/win32/lib/win32/sspi.rb
+# GPL-1.0-or-later OR Artistic-1.0-Perl: win32/win32.c, include/ruby/win32.h,
+#   ext/win32ole/win32ole.c
+#
+# !!! Problematic licenses:
+# LicenseRef-scancode-unicode-mappings: ext/json/generator/generator.c
+#   https://bugs.ruby-lang.org/issues/11844#note-19
+#   https://github.com/flori/json/issues/277
+#   https://github.com/flori/json/pull/567
+#
+# Licenses under review:
+#   .bundle/gems/net-imap-0.4.19/LICENSE.txt
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/issues/506
+#
+# Approved license without SPDX identifier:
+#   ext/pty/pty.c
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/issues/503
+#
+# BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c, addr2line.c:2652
+# CC0: ccan/{build_assert/build_assert.h,check_type/check_type.h,
+#   container_of/container_of.h,str/str.h}
+#   Allowed based on 'grandfather clause':
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/blob/7d9720b2cfd8ccb98d1975312942d99588a0da7c/data/CC0-1.0.toml#L11-14
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/issues/499
+# dtoa: missing/dtoa.c
+# GPL-3.0-or-later WITH Bison-exception-2.2: parse.{c,h}, ext/ripper/ripper.c
+# HPND-Markus-Kuhn: missing/langinfo.c
 # ISC: missing/strl{cat,cpy}.c
-# Public Domain for example for: include/ruby/st.h, strftime.c, missing/*, ...
-# MIT and CCO: ccan/*
-# zlib: ext/digest/md5/md5.*, ext/nkf/nkf-utf8/nkf.c
+# LicenseRef-Fedora-Public-Domain: include/ruby/st.h, strftime.c, missing/*, ...
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/145
+# MIT: ccan/list/list.h
+# Ruby OR BSD-2-Clause OR GPL-1.0-or-later: lib/net/protocol.rb
 # Unicode-DFS-2015: some of enc/trans/**/*.src
-License: (Ruby OR BSD-2-Clause) AND BSD-3-Clause AND ISC AND Public Domain AND MIT and CC0 AND zlib AND Unicode-DFS-2015
+#   There is also license review ticket here:
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/issues/500
+# zlib: ext/digest/md5/md5.*, ext/nkf/nkf-utf8/nkf.c
+License: (Ruby OR BSD-2-Clause) AND (Ruby OR BSD-2-Clause OR GPL-1.0-or-later) AND BSD-3-Clause AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND ISC AND LicenseRef-Fedora-Public-Domain AND MIT AND CC0 AND zlib AND Unicode-DFS-2015 AND HPND-Markus-Kuhn
 URL: https://www.ruby-lang.org/
 Source0: https://cache.ruby-lang.org/pub/%{name}/%{major_minor_version}/%{ruby_archive}.tar.xz
 Source1: operating_system.rb
@@ -194,16 +235,21 @@ Source13: test_abrt.rb
 Source14: test_systemtap.rb
 # Ruby OpenSSL FIPS tests.
 Source15: test_openssl_fips.rb
+# RPM gem Requires dependency generator tests.
+Source16: rpm_test_helper.rb
+Source17: test_rubygems_req.rb
+Source18: test_rubygems_prov.rb
+Source19: test_rubygems_con.rb
 
 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
 %{load:%{SOURCE4}}
 %{load:%{SOURCE5}}
 
-%global __local_generator_requires make -C %{_builddir}/%{buildsubdir}/%{_vpath_builddir} -s runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE9}"
-%global __local_generator_provides make -C %{_builddir}/%{buildsubdir}/%{_vpath_builddir} -s runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE10}"
-%global __local_generator_conflicts make -C %{_builddir}/%{buildsubdir}/%{_vpath_builddir} -s runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE11}"
-%global __local_generator_path ^%{gem_dir}/specifications/.*\.gemspec$
+%define __local_generator_requires make -C %{_builddir}/%{buildsubdir}/%{_vpath_builddir} -s runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE9}"
+%define __local_generator_provides make -C %{_builddir}/%{buildsubdir}/%{_vpath_builddir} -s runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE10}"
+%define __local_generator_conflicts make -C %{_builddir}/%{buildsubdir}/%{_vpath_builddir} -s runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE11}"
+%define __local_generator_path ^%{gem_dir}/specifications/.*\.gemspec$
 
 # Fix ruby_version abuse.
 # https://bugs.ruby-lang.org/issues/11002
@@ -232,29 +278,16 @@ Patch6: ruby-2.7.0-Initialize-ABRT-hook.patch
 # Disable syntax_suggest test suite, which tries to download its dependencies.
 # https://bugs.ruby-lang.org/issues/19297
 Patch9: ruby-3.3.0-Disable-syntax-suggest-test-case.patch
-# Revert patches causing segfaults in alexandria package.
-# https://bugs.ruby-lang.org/issues/20079
-Patch10: ruby-3.3.0-Revert-Optimize-allocations-in-Hash-compare_by_identity.patch
-# Fix net-http test errors due to expired certificate
-# https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
-# https://bugs.ruby-lang.org/issues/20106
-Patch11: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
 # Armv8.3+ capable CPUs might segfault with incorrect compilation options.
 # See related upstream report: https://bugs.ruby-lang.org/issues/20085
 # https://bugs.ruby-lang.org/issues/20154
-Patch12: ruby-3.4.0-fix-branch-protection-compilation-for-arm.patch
-# Revert adding AI_ADDRCONFIG flag to getaddrinfo(3) calls.
-# It is causing problems when network is in certain, valid, configuration.
-# When loopback interface is IPv6 capable, but no regular network interface
-# is IPv6 capable, in some situations (such as in TestNetHTTPLocalBind)
-# this might result in creating IPv4 socket and then binding it
-# to IPv6 family connection.
-# That is incorrect behavior and such operation will result in
-# Errno::EAFNOSUPPORT exception.
-# The point of the upstream change is to workaround a glibc bug
-# that is not present for us. Therefore we can safely revert the change.
-# https://bugs.ruby-lang.org/issues/20208
-Patch13: ruby-3.4.0-Revert-Set-AI_ADDRCONFIG-when-making-getaddrinfo.patch
+# Make sure hardeding flags are correctly applied.
+# https://bugs.ruby-lang.org/issues/20520
+Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch
+# Fix Ruby OpenSSL to respect crypto-policies TLS minimal version.
+# https://github.com/ruby/openssl/pull/710
+# https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb
+Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@@ -332,6 +365,11 @@ Provides: bundled(ccan-check_type)
 Provides: bundled(ccan-container_of)
 Provides: bundled(ccan-list)
 
+# https://github.com/nurse/nkf
+# Please note that nkf going to be promoted to bundled gem in Ruby 3.4:
+# https://github.com/ruby/ruby/commit/2e3a7f70ae71650be6ea38a483f66ce17ca5eb1d
+Provides: bundled(nkf) = %{bundled_nkf_version}
+
 # StdLib default gems.
 Provides: bundled(rubygem-did_you_mean) = %{did_you_mean_version}
 Provides: bundled(rubygem-openssl) = %{openssl_version}
@@ -362,7 +400,8 @@ Version:    %{rubygems_version}
 #   lib/rubygems/timeout/
 #   lib/rubygems/tsort/
 # MIT: lib/rubygems/resolver/molinillo
-License:    (Ruby OR MIT) AND BSD-2-Clause AND (BSD-2-Clause OR Ruby) AND MIT
+# Ruby OR BSD-2-Clause OR GPL-1.0-or-later: lib/net/protocol.rb
+License:    (Ruby OR MIT) AND BSD-2-Clause AND (BSD-2-Clause OR Ruby) AND (Ruby OR BSD-2-Clause OR GPL-1.0-or-later) AND MIT
 Requires:   ruby(release)
 Recommends: rubygem(bundler) >= %{bundler_version}
 Recommends: rubygem(rdoc) >= %{rdoc_version}
@@ -377,6 +416,7 @@ Provides:   bundled(rubygem-net-http) = %{rubygems_net_http_version}
 Provides:   bundled(rubygem-net-protocol) = %{rubygems_net_protocol_version}
 Provides:   bundled(rubygem-optparse) = %{rubygems_optparse_version}
 Provides:   bundled(rubygem-resolv) = %{rubygems_resolv_version}
+Provides:   bundled(rubygem-securerandom) = %{rubygems_securerandom_version}
 Provides:   bundled(rubygem-timeout) = %{rubygems_timeout_version}
 Provides:   bundled(rubygem-tsort) = %{rubygems_tsort_version}
 
@@ -473,7 +513,8 @@ This package contains documentation for %{name}.
 %package -n rubygem-bigdecimal
 Summary:    BigDecimal provides arbitrary-precision floating point decimal arithmetic
 Version:    %{bigdecimal_version}
-License:    Ruby OR BSD-2-Clause
+# dtoa: missing/dtoa.c
+License:    (Ruby OR BSD-2-Clause) AND dtoa
 Provides:   bundled(rubygem-bigdecimal) = %{bigdecimal_version}
 
 %description -n rubygem-bigdecimal
@@ -548,6 +589,7 @@ Provides:   bundled(rubygem-connection_pool) = %{bundler_connection_pool_version
 Provides:   bundled(rubygem-fileutils) = %{bundler_fileutils_version}
 Provides:   bundled(rubygem-net-http-persistent) = %{bundler_net_http_persistent_version}
 Provides:   bundled(rubygem-pub_grub) = %{bundler_pub_grub_version}
+Provides:   bundled(rubygem-securerandom) = %{bundler_securerandom_version}
 Provides:   bundled(rubygem-thor) = %{bundler_thor_version}
 Provides:   bundled(rubygem-uri) = %{bundler_uri_version}
 BuildArch:  noarch
@@ -724,8 +766,6 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 4 -p1
 %patch 6 -p1
 %patch 9 -p1
-%patch 10 -p1
-%patch 11 -p1
 %patch 12 -p1
 %patch 13 -p1
 
@@ -942,16 +982,16 @@ checksec --file=%{_vpath_builddir}/libruby.so.%{ruby_version} | \
 # Molinillo.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; module Resolver; end; end; \
-  require 'rubygems/resolver/molinillo/lib/molinillo/gem_metadata'; \
+  require 'rubygems/vendor/molinillo/lib/molinillo/gem_metadata'; \
   puts '%%{rubygems_molinillo_version}: %{rubygems_molinillo_version}'; \
-  puts %Q[Gem::Resolver::Molinillo::VERSION: #{Gem::Resolver::Molinillo::VERSION}]; \
-  exit 1 if Gem::Resolver::Molinillo::VERSION != '%{rubygems_molinillo_version}'; \
+  puts %Q[Gem::Molinillo::VERSION: #{Gem::Molinillo::VERSION}]; \
+  exit 1 if Gem::Molinillo::VERSION != '%{rubygems_molinillo_version}'; \
 \""
 
 # Net::HTTP.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; module Net; end; end; \
-  require 'rubygems/net-http/lib/net/http'; \
+  require 'rubygems/vendor/net-http/lib/net/http'; \
   puts '%%{rubygems_net_http_version}: %{rubygems_net_http_version}'; \
   puts %Q[Gem::Net::HTTP::VERSION: #{Gem::Net::HTTP::VERSION}]; \
   exit 1 if Gem::Net::HTTP::VERSION != '%{rubygems_net_http_version}'; \
@@ -960,7 +1000,7 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
 # Net::Protocol.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; module Net; end; end; \
-  require 'rubygems/net-protocol/lib/net/protocol'; \
+  require 'rubygems/vendor/net-protocol/lib/net/protocol'; \
   puts '%%{rubygems_net_protocol_version}: %{rubygems_net_protocol_version}'; \
   puts %Q[Gem::Net::Protocol::VERSION: #{Gem::Net::Protocol::VERSION}]; \
   exit 1 if Gem::Net::Protocol::VERSION != '%{rubygems_net_protocol_version}'; \
@@ -969,7 +1009,7 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
 # OptParse.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; end; \
-  require 'rubygems/optparse/lib/optparse'; \
+  require 'rubygems/vendor/optparse/lib/optparse'; \
   puts '%%{rubygems_optparse_version}: %{rubygems_optparse_version}'; \
   puts %Q[Gem::OptionParser::Version: #{Gem::OptionParser::Version}]; \
   exit 1 if Gem::OptionParser::Version != '%{rubygems_optparse_version}'; \
@@ -978,16 +1018,25 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
 # Resolv.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; end; \
-  require 'rubygems/resolv/lib/resolv'; \
+  require 'rubygems/vendor/resolv/lib/resolv'; \
   puts '%%{rubygems_resolv_version}: %{rubygems_resolv_version}'; \
   puts %Q[Gem::Resolv::VERSION: #{Gem::Resolv::VERSION}]; \
   exit 1 if Gem::Resolv::VERSION != '%{rubygems_resolv_version}'; \
 \""
 
+# SecureRandom.
+make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
+  module Gem; module Random; end; end; \
+  require 'rubygems/vendor/securerandom/lib/securerandom'; \
+  puts '%%{rubygems_securerandom_version}: %{rubygems_securerandom_version}'; \
+  puts %Q[Gem::SecureRandom::VERSION: #{Gem::SecureRandom::VERSION}]; \
+  exit 1 if Gem::SecureRandom::VERSION != '%{rubygems_securerandom_version}'; \
+\""
+
 # Timeout.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; end; \
-  require 'rubygems/timeout/lib/timeout'; \
+  require 'rubygems/vendor/timeout/lib/timeout'; \
   puts '%%{rubygems_timeout_version}: %{rubygems_timeout_version}'; \
   puts %Q[Gem::Timeout::VERSION: #{Gem::Timeout::VERSION}]; \
   exit 1 if Gem::Timeout::VERSION != '%{rubygems_timeout_version}'; \
@@ -996,12 +1045,21 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
 # TSort
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Gem; end; \
-  require 'rubygems/tsort/lib/tsort'; \
+  require 'rubygems/vendor/tsort/lib/tsort'; \
   puts '%%{rubygems_tsort_version}: %{rubygems_tsort_version}'; \
   puts %Q[Gem::TSort::VERSION: #{Gem::TSort::VERSION}]; \
   exit 1 if Gem::TSort::VERSION != '%{rubygems_tsort_version}'; \
 \""
 
+# URI.
+make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
+  module Gem; end; \
+  require 'rubygems/vendor/uri/lib/uri/version'; \
+  puts '%%{rubygems_uri_version}: %{rubygems_uri_version}'; \
+  puts %Q[Gem::URI::VERSION: #{Gem::URI::VERSION}]; \
+  exit 1 if Gem::URI::VERSION != '%{rubygems_uri_version}'; \
+\""
+
 # Check Bundler bundled dependencies versions.
 
 # connection_pool.
@@ -1041,6 +1099,15 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   exit 1 if Gem::Net::HTTP::Persistent::VERSION != '%{bundler_net_http_persistent_version}'; \
 \""
 
+# SecureRandom.
+make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
+  module Bundler; module Random; end; end; \
+  require 'bundler/vendor/securerandom/lib/securerandom'; \
+  puts '%%{bundler_securerandom_version}: %{bundler_securerandom_version}'; \
+  puts %Q[Bundler::SecureRandom::VERSION: #{Bundler::SecureRandom::VERSION}]; \
+  exit 1 if Bundler::SecureRandom::VERSION != '%{bundler_securerandom_version}'; \
+\""
+
 # Thor.
 make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   module Bundler; end; \
@@ -1068,6 +1135,16 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
   exit 1 if Bundler::URI::VERSION != '%{bundler_uri_version}'; \
 \""
 
+# Check bundled libraries versions.
+
+# Nkf.
+make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
+  require 'nkf'; \
+  puts '%%{bundled_nkf_version}: %{bundled_nkf_version}'; \
+  puts %Q[NKF::NKF_VERSION: #{NKF::NKF_VERSION}]; \
+  exit 1 if NKF::NKF_VERSION != '%{bundled_nkf_version}'; \
+\""
+
 
 # test_debug(TestRubyOptions) fails due to LoadError reported in debug mode,
 # when abrt.rb cannot be required (seems to be easier way then customizing
@@ -1084,6 +1161,21 @@ ln -sfr probes.d %{_vpath_builddir}/
 make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=%{SOURCE14}
 %endif
 
+# Test dependency generators for RPM
+GENERATOR_SCRIPT="%{SOURCE9}" \
+make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
+  -I%{_builddir}/%{buildsubdir}/tool/lib -I%{_sourcedir} --enable-gems \
+  %{SOURCE17} --verbose"
+GENERATOR_SCRIPT="%{SOURCE10}" \
+make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
+  -I%{_builddir}/%{buildsubdir}/tool/lib -I%{_sourcedir} --enable-gems \
+  %{SOURCE18} --verbose"
+GENERATOR_SCRIPT="%{SOURCE11}" \
+make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
+  -I%{_builddir}/%{buildsubdir}/tool/lib -I%{_sourcedir} --enable-gems \
+  %{SOURCE19} --verbose"
+
+
 DISABLE_TESTS=""
 MSPECOPTS=""
 
@@ -1508,12 +1600,15 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 # net-imap
 %dir %{gem_instdir net-imap}
 %{gem_instdir net-imap}/Gemfile
+%license %{gem_instdir net-imap}/BSDL
+%license %{gem_instdir net-imap}/COPYING
 %license %{gem_instdir net-imap}/LICENSE.txt
 %doc %{gem_instdir net-imap}/README.md
 %{gem_instdir net-imap}/Rakefile
 %{gem_instdir net-imap}/docs
 %{gem_libdir net-imap}
 %{gem_instdir net-imap}/rakelib
+%{gem_instdir net-imap}/sample
 %{gem_spec net-imap}
 
 # net-pop
@@ -1663,6 +1758,47 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 
 
 %changelog
+* Thu Apr 10 2025 Vít Ondruch <vondruch@redhat.com> - 3.3.8-19
+- Upgrade to Ruby 3.3.8.
+- CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion
+  Resolves: rhbz#2345556
+- CVE-2025-27219: Denial of Service in CGI::Cookie.parse
+  Resolves: rhbz#2357516
+- CVE-2025-27221: userinfo leakage in URI#join, URI#merge and URI#+
+
+* Tue Jan 28 2025 Jun Aruga <jaruga@redhat.com> - 3.3.7-17
+- Upgrade to Ruby 3.3.7.
+- Fix Ruby OpenSSL to respect crypto-policies TLS minimal version.
+
+* Mon Nov 11 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.6-16
+- Upgrade to Ruby 3.3.6.
+
+* Tue Sep 03 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.5-14
+- Upgrade to Ruby 3.3.5.
+  Resolves: rhbz#2309364
+
+* Wed Jul 10 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.4-11
+- Upgrade to Ruby 3.3.4.
+  Resolves: rhbz#2292052
+
+* Tue Jun 18 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.2-10
+- Make sure hardening configuration flags are correctly applied.
+
+* Thu Jun 06 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.2-9
+- Upgrade to Ruby 3.3.2.
+  Resolves: rhbz#2284020
+
+* Tue May 28 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-8
+- Make sure fortification flags are applied.
+
+* Tue Apr 23 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-7
+- Upgrade to Ruby 3.3.1.
+  Resolves: rhbz#2276680
+
+* Fri Apr 12 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.0-6
+- Add `bundled` provide for NKF.
+- License review and fixes of SPDX syntax.
+
 * Fri Jan 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.3.0-4
 - Do not set AI_ADDRCONFIG by default when calling getaddrinfo(3).
 

rubygems.con

@@ -19,7 +19,7 @@ module RubyGemsReq
   end
 
   # Report conflicting gem dependencies including their version.
-  def self.gem_depenencies(specification)
+  def self.gem_dependencies(specification)
     specification.runtime_dependencies.each do |dependency|
       conflict_strings = Helpers::requirement_versions_to_rpm(dependency.requirement).map do |requirement|
         requirement_string = "rubygem(#{dependency.name}) #{requirement}"
@@ -39,7 +39,7 @@ module RubyGemsReq
       begin
         specification = Gem::Specification.load filename
 
-        gem_depenencies(specification)
+        gem_dependencies(specification)
       rescue => e
         # Ignore all errors.
       end

rubygems.req

@@ -58,7 +58,7 @@ module RubyGemsReq
   end
 
   # Report all gem dependencies including their version.
-  def self.gem_depenencies(specification)
+  def self.gem_dependencies(specification)
     specification.runtime_dependencies.each do |dependency|
       dependency_name = "rubygem(#{dependency.name})"
       requirements = Helpers::requirement_versions_to_rpm(dependency.requirement)
@@ -75,7 +75,7 @@ module RubyGemsReq
         specification = Gem::Specification.load filename
 
         rubygems_dependency(specification)
-        gem_depenencies(specification)
+        gem_dependencies(specification)
       rescue => e
         # Ignore all errors.
       end

sources

@@ -1 +1 @@
-SHA512 (ruby-3.3.0.tar.xz) = 7959c5753bfa0bfc4d6d74060869aabbe9815c1c97930659da11b917ee0803ddbbd80e869e00c48b8694b4ba48709c3b6493fd045568e36e902616c35ababf01
+SHA512 (ruby-3.3.8.tar.xz) = 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9

test_rubygems_con.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require 'test/unit'
+require 'rpm_test_helper'
+
+class TestRubyGemsCon < Test::Unit::TestCase
+  include RPMTestHelper
+
+  def test_filter_out_regular_requirements
+    gem_i = GemInfo.new
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(0, lines.size)
+
+    deps = [ Dependency.new('bar') ]
+    gem_i.dependencies = deps
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(0, lines.size)
+
+    deps = [
+      Dependency.new('bar'),
+      Dependency.new('baq'),
+      Dependency.new('quz')
+    ]
+
+    gem_i.dependencies = deps
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(0, lines.size)
+
+    deps = [
+      Dependency.new('bar', ['>= 4.1']),
+      Dependency.new('baz', ['~> 3.2']),
+      Dependency.new('quz', ['>= 5.6'])
+    ]
+
+    gem_i.dependencies = deps
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(0, lines.size)
+  end
+
+  def test_single_gem_single_version_conflict
+    con = Dependency.new('bar', ['!= 0.4.4'])
+
+    gem_i = GemInfo.new(dependencies: [ con ])
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{con.to_rpm_str} = 0.4.4\n", lines.first)
+  end
+
+  def test_multiple_gems_with_single_conflict
+    cons = [
+      Dependency.new('bar', ['!= 1.1']),
+      Dependency.new('baq', ['!= 1.2.2']),
+      Dependency.new('quz', ['!= 1.3'])
+    ]
+
+    gem_i = GemInfo.new(dependencies: cons)
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(3, lines.size)
+
+    assert_equal("#{cons[0].to_rpm_str} = 1.1\n"  , lines[0])
+    assert_equal("#{cons[1].to_rpm_str} = 1.2.2\n", lines[1])
+    assert_equal("#{cons[2].to_rpm_str} = 1.3\n"  , lines[2])
+  end
+
+  def test_multiple_conflicts_on_single_gem
+    con = Dependency.new('bar', ['!= 2.3', '!= 2.4'])
+
+    gem_i = GemInfo.new(dependencies: [con])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    rpm_name = con.to_rpm_str
+    left_rpm_constraint = "(#{rpm_name} = 2.3 with "
+    right_rpm_constraint = "#{rpm_name} = 2.4)\n"
+    assert_equal((left_rpm_constraint + right_rpm_constraint), lines[0])
+
+    con = Dependency.new('bar', ['!= 2.3', '!= 2.4', '!= 4.5'])
+
+    gem_i = GemInfo.new(dependencies: [ con ])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+
+    rpm_name = con.to_rpm_str
+    left_rpm_constraint = "(#{rpm_name} = 2.3 with "
+    middle_rpm_constraint = "#{rpm_name} = 2.4 with "
+    right_rpm_constraint = "#{rpm_name} = 4.5)\n"
+
+    assert_equal((left_rpm_constraint + middle_rpm_constraint + right_rpm_constraint), lines[0])
+  end
+
+  def test_generates_conflicts_while_ignoring_regular_requirements
+    deps = [
+      Dependency.new('bar', ['>= 2.3', '!= 2.4.2']),
+      Dependency.new('quz', ['~> 3.0', '!= 3.2'])
+    ]
+
+    gem_i = GemInfo.new(dependencies: deps)
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+
+    rpm_name = deps[0].to_rpm_str
+    rpm_constraint = "#{rpm_name} = 2.4.2\n"
+    assert_equal(rpm_constraint, lines[0])
+
+    rpm_name = deps[1].to_rpm_str
+    rpm_constraint = "#{rpm_name} = 3.2\n"
+    assert_equal(rpm_constraint, lines[1])
+  end
+end

test_rubygems_prov.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'test/unit'
+require 'rpm_test_helper'
+
+class TestRubyGemsProv < Test::Unit::TestCase
+  include RPMTestHelper
+
+  def test_provides_the_gem_version
+    gem_i = GemInfo.new(version: '1.2')
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{gem_i.to_rpm_str} = #{gem_i.version}\n", lines.first)
+
+    gem_i = GemInfo.new(name: 'somegem_foo', version: '4.5.6')
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{gem_i.to_rpm_str} = #{gem_i.version}\n", lines.first)
+
+    deps = [
+      Dependency.new('bar'),
+      Dependency.new('baq', [">= 1.2"]),
+      Dependency.new('quz', ["!= 3.2"])
+    ]
+    gem_i = GemInfo.new(dependencies: deps)
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{gem_i.to_rpm_str} = #{gem_i.version}\n", lines.first)
+  end
+
+  def test_translates_prelease_version_provides_from_rubygems_to_rpm
+    gem_i = GemInfo.new(version: '1.2.3.dev')
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{gem_i.to_rpm_str} = 1.2.3~dev\n", lines.first)
+
+    gem_i = GemInfo.new(name: 'foo2', version: '1.2.3.dev.2')
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{gem_i.to_rpm_str} = 1.2.3~dev.2\n", lines.first)
+  end
+end

test_rubygems_req.rb

@@ -0,0 +1,205 @@
+# frozen_string_literal: true
+
+require 'test/unit'
+require 'rpm_test_helper'
+
+class TestRubyGemsReq < Test::Unit::TestCase
+  include RPMTestHelper
+
+  def test_depends_on_rubygems
+    gem_i = GemInfo.new
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(1, lines.size)
+    assert_equal("#{helper_rubygems_dependency}\n", lines.first)
+  end
+
+  def test_requires_rubygems_and_dependency
+    dep = Dependency.new('bar')
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    assert_equal("#{helper_rubygems_dependency}\n", lines.first)
+    assert_equal("#{dep.to_rpm_str}\n", lines[1])
+  end
+
+  def test_requires_multiple_dependencies_with_constraint
+    constraints = [
+      '>= 3.0',
+      '>= 3.0.0',
+      '>= 3',
+      '= 1.0.2',
+      '= 3.0',
+      '< 3.2',
+      '<= 3.4'
+    ]
+
+    dependencies = []
+    constraints.each_with_index do |constraint, idx|
+      dependencies << Dependency.new("bar#{idx}", [constraint])
+    end
+
+    gem_i = GemInfo.new(dependencies: dependencies)
+
+    lines = run_generator_single_file(gem_i)
+    # + 1 for the rubygems dependency
+    assert_equal(constraints.size + 1, lines.size)
+    dependencies.each_with_index do |dep, idx|
+      rpm_dep_name = dep.to_rpm_str
+      # Start indexing lines at 1, to jump over rubygems dependency
+      assert_equal("#{rpm_dep_name} #{constraints[idx]}\n", lines[idx + 1])
+    end
+  end
+
+  def test_expands_pessimistic_constraint_for_rpm
+    dep = Dependency.new('bar', ['~> 1.2'])
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+
+    rpm_dep_name = dep.to_rpm_str
+    left_constraint = "#{rpm_dep_name} >= 1.2"
+    right_constraint = "#{rpm_dep_name} < 2"
+    expected_constraint = "(#{left_constraint} with #{right_constraint})\n"
+    assert_equal(expected_constraint, lines[1])
+  end
+
+  def test_multiple_pessimistically_constrained_dependencies
+    dependencies = []
+    dep_map = [
+      {
+        constraint:     '~> 1.2.3',
+        expanded_left:  '>= 1.2.3',
+        expanded_rigth: '< 1.3',
+        gem_name: 'bar1'
+      },
+      {
+        constraint:     '~> 1.2',
+        expanded_left:  '>= 1.2',
+        expanded_rigth: '< 2',
+        gem_name: 'bar2'
+      },
+      {
+        constraint:     '~> 3',
+        expanded_left:  '>= 3',
+        expanded_rigth: '< 4',
+        gem_name: 'bar3'
+      }
+    ].each do |deps|
+      dependencies << Dependency.new(deps[:gem_name], [deps[:constraint]])
+    end
+
+    gem_i = GemInfo.new(dependencies: dependencies)
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(dep_map.size + 1, lines.size)
+
+    dep_map.each_with_index do |hash, idx|
+      rpm_dep_name = dependencies[idx].to_rpm_str
+      left_constraint = rpm_dep_name + ' ' + hash[:expanded_left]
+      right_constraint = rpm_dep_name + ' ' + hash[:expanded_rigth]
+      expected_constraint = "(#{left_constraint} with #{right_constraint})\n"
+      assert_equal(expected_constraint, lines[idx + 1])
+    end
+  end
+
+  def test_multiple_constraints_on_one_dependency_composes_constraints_for_RPM
+    # The quoting here depends on how the constraint is expanded in the helpers.
+    # right now the form is `["#{constraint}"]`, therefore we have to not specify
+    # left and right quotes.
+    constraints = ['>= 0.2.3', '<= 0.2.5']
+    dep = Dependency.new('baz', constraints)
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    rpm_dep_name = dep.to_rpm_str
+    assert_equal("(#{rpm_dep_name} >= 0.2.3 with #{rpm_dep_name} <= 0.2.5)\n", lines[1])
+
+    # Not sure who would compose a dependency like this, but it's possible
+    # to do with the current generator
+    constraints = ['> 0.4.5', '< 0.6.4', '>= 2.3', '<= 2.5.3']
+    dep = Dependency.new('qux', constraints)
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    rpm_dep = dep.to_rpm_str
+    expected_str = "(#{rpm_dep} > 0.4.5 with #{rpm_dep} < 0.6.4 with " \
+                   "#{rpm_dep} >= 2.3 with #{rpm_dep} <= 2.5.3)\n"
+
+    assert_equal(2, lines.size)
+    assert_equal(expected_str, lines[1])
+  end
+
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1561487
+  def test_depends_on_gem_with_version_conflict
+    dep = Dependency.new('baz', ['!= 0.4'])
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    assert_equal("#{dep.to_rpm_str}\n", lines[1])
+  end
+
+  def test_filters_conflict_from_regular_version_constraints
+    constraint = ['> 1.2.4', '!= 1.2.7']
+    dep = Dependency.new('baq', constraint)
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    assert_equal("#{dep.to_rpm_str} > 1.2.4\n", lines[1])
+  end
+
+  def test_filtering_conflicts_is_not_depending_on_contraint_ordering
+    constraints = ['!= 1.2.7', '> 1.2.4']
+    dep = Dependency.new('baq', constraints)
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    assert_equal("#{dep.to_rpm_str} > 1.2.4\n", lines[1])
+  end
+
+  def test_filters_multiple_conflicts_from_dependency
+    omit "Case not yet supported."
+    constraints = ['!= 1.2.4', '!= 1.2.5', '!= 2.3', '!= 4.8']
+    dep = Dependency.new('baf', constraints)
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    assert_equal("#{dep.to_rpm_str}\n", lines[1])
+  end
+
+  def test_filters_multiple_conflicts_from_dependency_but_keeps_regular_constraint
+    constraints = ['!= 1.2.4', '!= 1.2.5', '!= 2.3', '<= 4.8']
+    dep = Dependency.new('bam', constraints)
+
+    gem_i = GemInfo.new(dependencies: [dep])
+
+    lines = run_generator_single_file(gem_i)
+
+    assert_equal(2, lines.size)
+    assert_equal("#{dep.to_rpm_str} <= 4.8\n", lines[1])
+  end
+end