Upgrade to Ruby 3.3.8.

- CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion
  Resolves: rhbz#2345556
- CVE-2025-27219: Denial of Service in CGI::Cookie.parse
  Resolves: rhbz#2357516
- CVE-2025-27221: userinfo leakage in URI#join, URI#merge and URI#+

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,6 +1,3 @@
 /*/
 /ruby-*.tar.xz
-/rexml-*.gem
 /*.rpm
-
-!/plans/

macros.rubygems

@@ -2,41 +2,17 @@
 %gem_dir %{_datadir}/gems
 %gem_archdir %{_libdir}/gems
 
-# %gem_prerelease - Provides prerelease string if available.
-#
-# Usage: %gem_prerelease [custom_gem_name]
-#
-# If avilable, prints prerelease string, which is a %prerelease macro by
-# default. When [custom_gem_name] is provided, the custom_gem_name is used to
-# derive %custom_gem_name_prerelease macro, which can be predefined.
-#
-# Please note that for the prerelease macros are the dashes in
-# [custom_gem_name] replaced by underscores.
-#
-%gem_prerelease() %{?1:%{expand:%%{?%{gsub %{1} - _}_prerelease}}}%{!?1:%{?prerelease}}
-
-# %gem_version - Provides version string (including prerelease if available).
-#
-# Usage: %gem_version [custom_gem_name]
-#
-# Prints version (including prerelease string), that is %version macro by
-# default. When [custom_gem_name] is provided, the custom_gem_name is used to
-# derive %custom_gem_name_version macro which needs to be predefined.
-#
-# Please note that for the version macros are the dashes in [custom_gem_name]
-# replaced by underscores.
-#
-%gem_version() %{?1:%{expand:%{%{gsub %{1} - _}_version}}}%{!?1:%{version}}%{gem_prerelease %{?1}}
-
 # %gem_name_version - Provides gem_name-version string.
 #
 # Usage: %gem_name_version [custom_gem_name]
 #
 # Prints gem_name-version string, by default joining %gem_name, %version and
 # %prerelease macros. When [custom_gem_name] is provided, the
-# custom_gem_name is joined with version as provided by %gem_version macro.
+# custom_gem_name is joined with %custom_gem_name_version macro which needs
+# to be predefined. Please note that for the version macros are the dashes
+# replaced by underscores.
 #
-%gem_name_version() %{?1}%{!?1:%{gem_name}}-%{gem_version %{?1}}
+%gem_name_version() %{?1}%{!?1:%{gem_name}}-%{?1:%{expand:%{%{gsub %{1} - _}_version}}}%{!?1:%{version}}%{?prerelease}
 
 # Common gem locations and files.
 #

plans/all.fmf

@@ -1,6 +0,0 @@
-summary: Test plan with all Fedora tests
-discover:
-   how: fmf
-   url: https://src.fedoraproject.org/tests/ruby.git
-execute:
-   how: tmt

rdoc-pr1531-fix-mutilple-document-installation.patch

@@ -1,28 +0,0 @@
-From 994ee4c17fb8c217ab0335df55620c6bdb5d5cbe Mon Sep 17 00:00:00 2001
-From: tompng <tomoyapenguin@gmail.com>
-Date: Fri, 26 Dec 2025 04:57:12 +0900
-Subject: [PATCH] Fix comment_location for merged ClassModule
-
----
- lib/rdoc/code_object/class_module.rb       | 7 ++++++-
- test/rdoc/code_object/class_module_test.rb | 6 ++++++
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/lib/rdoc/code_object/class_module.rb b/lib/rdoc/code_object/class_module.rb
-index b6bed352a2..d7ee36f950 100644
---- a/lib/rdoc/code_object/class_module.rb
-+++ b/lib/rdoc/code_object/class_module.rb
-@@ -477,7 +477,12 @@ def merge(class_module)
-       document = document.merge other_document
- 
-       @comment = RDoc::Comment.from_document(document)
--      @comment_location = document
-+
-+      @comment_location = if document.parts.first.is_a?(RDoc::Markup::Document)
-+                            document.parts.map { |doc| [doc, doc.file] }
-+                          else
-+                            [[document, document.file]]
-+                          end
-     end
- 
-     cm = class_module

ruby-2.1.0-Enable-configuration-of-archlibdir.patch

@@ -1,4 +1,4 @@
-From e1293f665128b0d9c5bfa0b5beeab4afebf07e6a Mon Sep 17 00:00:00 2001
+From 07c666ba5c3360dd6f43605a8ac7c85c99c1721f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Tue, 1 Oct 2013 12:22:40 +0200
 Subject: [PATCH] Allow to configure libruby.so placement.
@@ -8,10 +8,10 @@ Subject: [PATCH] Allow to configure libruby.so placement.
  1 file changed, 5 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index a64358fada..b3bdfad1eb 100644
+index d261ea57b5..3c13076b82 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3556,6 +3556,11 @@ AS_IF([test ${multiarch+set}], [
+@@ -3482,6 +3482,11 @@ AS_IF([test ${multiarch+set}], [
  ])
  
  archlibdir='${libdir}/${arch}'

ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch

@@ -1,4 +1,4 @@
-From 6062f4976c5b51f8b952b9f6745175be7b1c5ff9 Mon Sep 17 00:00:00 2001
+From e24d97c938c481450ed80ec83e5399595946c1ae Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Fri, 8 Feb 2013 22:48:41 +0100
 Subject: [PATCH] Prevent duplicated paths when empty version string is
@@ -11,10 +11,10 @@ Subject: [PATCH] Prevent duplicated paths when empty version string is
  3 files changed, 15 insertions(+), 2 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 2bc5153141..a64358fada 100644
+index c42436c23d..d261ea57b5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4472,7 +4472,8 @@ AS_CASE(["$ruby_version_dir_name"],
+@@ -4321,7 +4321,8 @@ AS_CASE(["$ruby_version_dir_name"],
  ruby_version_dir=/'${ruby_version_dir_name}'
  
  if test -z "${ruby_version_dir_name}"; then
@@ -25,7 +25,7 @@ index 2bc5153141..a64358fada 100644
  
  rubylibdir='${rubylibprefix}'${ruby_version_dir}
 diff --git a/loadpath.c b/loadpath.c
-index b8969e6998..bbfd4daa78 100644
+index 9160031..0d4d953 100644
 --- a/loadpath.c
 +++ b/loadpath.c
 @@ -65,21 +65,33 @@ const char ruby_initial_load_paths[] =
@@ -63,10 +63,10 @@ index b8969e6998..bbfd4daa78 100644
  
      RUBY_LIB "\0"
 diff --git a/tool/mkconfig.rb b/tool/mkconfig.rb
-index db74115730..2b01796abf 100755
+index 07076d4..35e6c3c 100755
 --- a/tool/mkconfig.rb
 +++ b/tool/mkconfig.rb
-@@ -114,7 +114,7 @@
+@@ -115,7 +115,7 @@
      val = val.gsub(/\$(?:\$|\{?(\w+)\}?)/) {$1 ? "$(#{$1})" : $&}.dump
      case name
      when /^prefix$/

ruby-2.1.0-always-use-i386.patch

@@ -1,4 +1,4 @@
-From 9e70f6e4b8771965a30ecfb6d1c6015df350ca55 Mon Sep 17 00:00:00 2001
+From 2089cab72b38d6d5e7ba2b596e41014209acad30 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Mon, 19 Nov 2012 14:37:28 +0100
 Subject: [PATCH] Always use i386.
@@ -8,10 +8,10 @@ Subject: [PATCH] Always use i386.
  1 file changed, 2 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index b3bdfad1eb..411322a27f 100644
+index 3c13076b82..93af30321d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4536,6 +4536,8 @@ AC_SUBST(vendorarchdir)dnl
+@@ -4385,6 +4385,8 @@ AC_SUBST(vendorarchdir)dnl
  AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
  AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
  

ruby-2.1.0-custom-rubygems-location.patch

@@ -1,4 +1,4 @@
-From c7952996ac9738a14bea0a1a971fea13460a6c94 Mon Sep 17 00:00:00 2001
+From 94da59aafacc6a9efe829529eb51385588d6f149 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Fri, 11 Nov 2011 13:14:45 +0100
 Subject: [PATCH] Allow to install RubyGems into custom location, outside of
@@ -12,10 +12,10 @@ Subject: [PATCH] Allow to install RubyGems into custom location, outside of
  4 files changed, 22 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 411322a27f..b5f842a512 100644
+index 93af30321d..bc13397e0e 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4508,6 +4508,10 @@ AC_ARG_WITH(vendorarchdir,
+@@ -4357,6 +4357,10 @@ AC_ARG_WITH(vendorarchdir,
              [vendorarchdir=$withval],
              [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
  
@@ -26,7 +26,7 @@ index 411322a27f..b5f842a512 100644
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
      RUBY_EXEC_PREFIX=''
-@@ -4532,6 +4536,7 @@ AC_SUBST(sitearchdir)dnl
+@@ -4381,6 +4385,7 @@ AC_SUBST(sitearchdir)dnl
  AC_SUBST(vendordir)dnl
  AC_SUBST(vendorlibdir)dnl
  AC_SUBST(vendorarchdir)dnl
@@ -35,7 +35,7 @@ index 411322a27f..b5f842a512 100644
  AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
  AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
 diff --git a/loadpath.c b/loadpath.c
-index bbfd4daa78..69677a9297 100644
+index 623dc9d..74c5d9e 100644
 --- a/loadpath.c
 +++ b/loadpath.c
 @@ -94,6 +94,10 @@ const char ruby_initial_load_paths[] =
@@ -50,7 +50,7 @@ index bbfd4daa78..69677a9297 100644
  #ifdef RUBY_THINARCH
      RUBY_ARCH_LIB_FOR(RUBY_THINARCH) "\0"
 diff --git a/template/verconf.h.tmpl b/template/verconf.h.tmpl
-index 9ba2bd6de5..4ec4ce9353 100644
+index 79c003e..34f2382 100644
 --- a/template/verconf.h.tmpl
 +++ b/template/verconf.h.tmpl
 @@ -36,6 +36,9 @@
@@ -64,10 +64,10 @@ index 9ba2bd6de5..4ec4ce9353 100644
  % R = {}
  % R["ruby_version"] = '"RUBY_LIB_VERSION"'
 diff --git a/tool/rbinstall.rb b/tool/rbinstall.rb
-index a9e6365b27..7117e65e82 100755
+index e9110a17ca..76a1f0a315 100755
 --- a/tool/rbinstall.rb
 +++ b/tool/rbinstall.rb
-@@ -393,6 +393,7 @@ def CONFIG.[](name, mandatory = false)
+@@ -359,6 +359,7 @@ def CONFIG.[](name, mandatory = false)
    vendorlibdir = CONFIG["vendorlibdir"]
    vendorarchlibdir = CONFIG["vendorarchdir"]
  end
@@ -75,7 +75,7 @@ index a9e6365b27..7117e65e82 100755
  mandir = CONFIG["mandir", true]
  docdir = CONFIG["docdir", true]
  enable_shared = CONFIG["ENABLE_SHARED"] == 'yes'
-@@ -1082,7 +1083,16 @@ def (bins = []).add(name)
+@@ -595,7 +596,16 @@ def stub
  install?(:local, :comm, :lib) do
    prepare "library scripts", rubylibdir
    noinst = %w[*.txt *.rdoc *.gemspec]

ruby-2.3.0-ruby_version-Add-ruby_version_dir_name-support-for-RDoc.patch

@@ -1,22 +0,0 @@
-From f833e213596b0bcfad8264a555eb5093303fb5f2 Mon Sep 17 00:00:00 2001
-From: Jarek Prokop <jprokop@redhat.com>
-Date: Thu, 25 Sep 2025 12:26:39 +0200
-Subject: [PATCH] Add ruby_version_dir_name support for RDoc.
-
----
- lib/rdoc/ri/paths.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/rdoc/ri/paths.rb b/lib/rdoc/ri/paths.rb
-index 8e89b04e..731f9e36 100644
---- a/lib/rdoc/ri/paths.rb
-+++ b/lib/rdoc/ri/paths.rb
-@@ -10,7 +10,7 @@ module RDoc::RI::Paths
-   #:stopdoc:
-   require 'rbconfig'
- 
--  version = RbConfig::CONFIG['ruby_version']
-+  version = RbConfig::CONFIG['ruby_version_dir_name'] || RbConfig::CONFIG['ruby_version']
- 
-   BASE    = File.join RbConfig::CONFIG['ridir'], version
- 

ruby-2.3.0-ruby_version.patch

@@ -1,4 +1,4 @@
-From 5406ea4b4b13db747e5c1f8341bb257b4da04435 Mon Sep 17 00:00:00 2001
+From 4fc1be3af3f58621bb751c9e63c208b15c0e8d16 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Tue, 31 Mar 2015 16:21:04 +0200
 Subject: [PATCH 1/4] Use ruby_version_dir_name for versioned directories.
@@ -17,10 +17,10 @@ string.
  2 files changed, 36 insertions(+), 31 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 2bbce78fd0..9d8662369c 100644
+index 80b137e380..63cd3b4f8b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4422,9 +4422,6 @@ AS_CASE(["$target_os"],
+@@ -4271,9 +4271,6 @@ AS_CASE(["$target_os"],
      rubyw_install_name='$(RUBYW_INSTALL_NAME)'
      ])
  
@@ -30,7 +30,7 @@ index 2bbce78fd0..9d8662369c 100644
  rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
  AC_ARG_WITH(rubyarchprefix,
  	    AS_HELP_STRING([--with-rubyarchprefix=DIR],
-@@ -4447,57 +4444,63 @@ AC_ARG_WITH(ridir,
+@@ -4296,57 +4293,63 @@ AC_ARG_WITH(ridir,
  AC_SUBST(ridir)
  AC_SUBST(RI_BASE_NAME)
  
@@ -122,7 +122,7 @@ index 2bbce78fd0..9d8662369c 100644
  
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
-@@ -4514,6 +4517,7 @@ AC_SUBST(sitearchincludedir)dnl
+@@ -4363,6 +4366,7 @@ AC_SUBST(sitearchincludedir)dnl
  AC_SUBST(arch)dnl
  AC_SUBST(sitearch)dnl
  AC_SUBST(ruby_version)dnl
@@ -131,7 +131,7 @@ index 2bbce78fd0..9d8662369c 100644
  AC_SUBST(rubyarchdir)dnl
  AC_SUBST(sitedir)dnl
 diff --git a/template/ruby.pc.in b/template/ruby.pc.in
-index 6901ec2320..9b7b787208 100644
+index 8a2c066..c81b211 100644
 --- a/template/ruby.pc.in
 +++ b/template/ruby.pc.in
 @@ -2,6 +2,7 @@ MAJOR=@MAJOR@
@@ -143,20 +143,35 @@ index 6901ec2320..9b7b787208 100644
  RUBY_PROGRAM_VERSION=@RUBY_PROGRAM_VERSION@
  arch=@arch@
 
-From baff562149499973123d2187620201be641c6538 Mon Sep 17 00:00:00 2001
+
+From 518850aba6eee76de7715aae8d37330e34b01983 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Tue, 31 Mar 2015 16:37:26 +0200
 Subject: [PATCH 2/4] Add ruby_version_dir_name support for RDoc.
 
 ---
- tool/rbinstall.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ lib/rdoc/ri/paths.rb | 2 +-
+ tool/rbinstall.rb    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
 
+diff --git a/lib/rdoc/ri/paths.rb b/lib/rdoc/ri/paths.rb
+index 970cb91..5bf8230 100644
+--- a/lib/rdoc/ri/paths.rb
++++ b/lib/rdoc/ri/paths.rb
+@@ -10,7 +10,7 @@ module RDoc::RI::Paths
+   #:stopdoc:
+   require 'rbconfig'
+ 
+-  version = RbConfig::CONFIG['ruby_version']
++  version = RbConfig::CONFIG['ruby_version_dir_name'] || RbConfig::CONFIG['ruby_version']
+ 
+   BASE    = File.join RbConfig::CONFIG['ridir'], version
+ 
 diff --git a/tool/rbinstall.rb b/tool/rbinstall.rb
-index 874c3ef1d9..a9e6365b27 100755
+index d4c110e..d39c9a6 100755
 --- a/tool/rbinstall.rb
 +++ b/tool/rbinstall.rb
-@@ -1053,7 +1053,7 @@ def (bins = []).add(name)
+@@ -453,7 +453,7 @@ def CONFIG.[](name, mandatory = false)
  
  install?(:doc, :rdoc) do
    if $rdocdir
@@ -166,7 +181,7 @@ index 874c3ef1d9..a9e6365b27 100755
      install_recursive($rdocdir, ridatadir, :no_install => rdoc_noinst, :mode => $data_mode)
    end
 
-From 7cf872a9a34f38d71cd2ca04ac114b4ea85cc56c Mon Sep 17 00:00:00 2001
+From 9f0ec0233f618cbb862629816b22491c3df79578 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Tue, 31 Mar 2015 16:37:44 +0200
 Subject: [PATCH 3/4] Add ruby_version_dir_name support for RubyGems.
@@ -177,7 +192,7 @@ Subject: [PATCH 3/4] Add ruby_version_dir_name support for RubyGems.
  2 files changed, 7 insertions(+), 5 deletions(-)
 
 diff --git a/lib/rubygems/defaults.rb b/lib/rubygems/defaults.rb
-index 90f09fc191..f6b8a03b95 100644
+index d4ff4a262c..3f9a5bf590 100644
 --- a/lib/rubygems/defaults.rb
 +++ b/lib/rubygems/defaults.rb
 @@ -35,7 +35,7 @@ def self.default_spec_cache_dir
@@ -209,10 +224,10 @@ index 90f09fc191..f6b8a03b95 100644
  
    ##
 diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb
-index 74c8953904..1f3bd91d51 100644
+index b25068405d..e9fef4a311 100644
 --- a/test/rubygems/test_gem.rb
 +++ b/test/rubygems/test_gem.rb
-@@ -1339,7 +1339,8 @@ def test_self_use_paths
+@@ -1365,7 +1365,8 @@ def test_self_use_paths
  
    def test_self_user_dir
      parts = [@userhome, ".gem", Gem.ruby_engine]
@@ -222,7 +237,7 @@ index 74c8953904..1f3bd91d51 100644
  
      FileUtils.mkdir_p File.join(parts)
  
-@@ -1415,7 +1416,7 @@ def test_self_vendor_dir
+@@ -1441,7 +1442,7 @@ def test_self_vendor_dir
      vendordir(File.join(@tempdir, "vendor")) do
        expected =
          File.join RbConfig::CONFIG["vendordir"], "gems",
@@ -232,7 +247,8 @@ index 74c8953904..1f3bd91d51 100644
        assert_equal expected, Gem.vendor_dir
      end
 
-From 17cb98b7b78f8bfc511feffbe061747f676055b1 Mon Sep 17 00:00:00 2001
+
+From 88c38a030c22dbf9422ece847bdfbf87d6659313 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Wed, 1 Apr 2015 14:55:37 +0200
 Subject: [PATCH 4/4] Let headers directories follow the configured version
@@ -243,10 +259,10 @@ Subject: [PATCH 4/4] Let headers directories follow the configured version
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 9d8662369c..2bc5153141 100644
+index a00f2b6776..999e2d6d5d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -151,7 +151,7 @@ RUBY_BASE_NAME=`echo ruby | sed "$program_transform_name"`
+@@ -136,7 +136,7 @@ RUBY_BASE_NAME=`echo ruby | sed "$program_transform_name"`
  RUBYW_BASE_NAME=`echo rubyw | sed "$program_transform_name"`
  AC_SUBST(RUBY_BASE_NAME)
  AC_SUBST(RUBYW_BASE_NAME)

ruby-2.7.0-Initialize-ABRT-hook.patch

@@ -1,4 +1,4 @@
-From 03b44a86b574dc0b63fd57c5f9b52b56ad3ced37 Mon Sep 17 00:00:00 2001
+From eca084e4079c77c061045df9c21b219175b05228 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Mon, 6 Jan 2020 13:56:04 +0100
 Subject: [PATCH] Initialize ABRT hook.
@@ -16,15 +16,15 @@ To keep the things simple for now, load the ABRT hook via C.
 [5]: https://lists.fedoraproject.org/archives/list/ruby-sig@lists.fedoraproject.org/message/LH6L6YJOYQT4Y5ZNOO4SLIPTUWZ5V45Q/
 ---
  abrt.c                                | 12 ++++++++++++
- common.mk                             |  1 +
+ common.mk                             |  3 ++-
  ruby.c                                |  4 ++++
  spec/ruby/core/kernel/require_spec.rb |  2 ++
- 4 files changed, 19 insertions(+)
+ 4 files changed, 20 insertions(+), 1 deletion(-)
  create mode 100644 abrt.c
 
 diff --git a/abrt.c b/abrt.c
 new file mode 100644
-index 0000000000..e99cb432e6
+index 0000000000..74b0bd5c0f
 --- /dev/null
 +++ b/abrt.c
 @@ -0,0 +1,12 @@
@@ -41,22 +41,24 @@ index 0000000000..e99cb432e6
 +  );
 +}
 diff --git a/common.mk b/common.mk
-index 08fee9119a..dae7d9dc00 100644
+index b2e5b2b6d0..f39f81da5c 100644
 --- a/common.mk
 +++ b/common.mk
-@@ -116,6 +116,7 @@ PRISM_FILES = prism/api_node.$(OBJEXT) \
+@@ -111,7 +111,8 @@ PRISM_FILES = prism/api_node.$(OBJEXT) \
+ 		prism/prism.$(OBJEXT) \
  		prism_init.$(OBJEXT)
  
- COMMONOBJS    = \
-+		abrt.$(OBJEXT) \
- 		array.$(OBJEXT) \
+-COMMONOBJS    = array.$(OBJEXT) \
++COMMONOBJS    = abrt.$(OBJEXT) \
++                array.$(OBJEXT) \
  		ast.$(OBJEXT) \
  		bignum.$(OBJEXT) \
+ 		class.$(OBJEXT) \
 diff --git a/ruby.c b/ruby.c
-index b00fc1502d..32b88f7496 100644
+index 60c57d6259..1eec16f2c8 100644
 --- a/ruby.c
 +++ b/ruby.c
-@@ -1773,10 +1773,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt)
+@@ -1724,10 +1724,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt)
  
  void Init_builtin_features(void);
  
@@ -68,19 +70,19 @@ index b00fc1502d..32b88f7496 100644
  {
      Init_builtin_features();
 +    Init_abrt();
+     rb_const_remove(rb_cObject, rb_intern_const("TMP_RUBY_PREFIX"));
  }
  
- void rb_call_builtin_inits(void);
 diff --git a/spec/ruby/core/kernel/require_spec.rb b/spec/ruby/core/kernel/require_spec.rb
-index 60d17242fe..a8f93b0db4 100644
+index 60c57d6259..1eec16f2c8 100644
 --- a/spec/ruby/core/kernel/require_spec.rb
 +++ b/spec/ruby/core/kernel/require_spec.rb
-@@ -26,6 +26,8 @@
+@@ -25,6 +25,8 @@
      out = ruby_exe("puts $LOADED_FEATURES", options: '--disable-gems --disable-did-you-mean')
      features = out.lines.map { |line| File.basename(line.chomp, '.*') }
  
 +    # Ignore ABRT
 +    features -= %w[abrt]
      # Ignore CRuby internals
-     features -= %w[encdb transdb windows_1252 windows_31j]
+     features -= %w[encdb transdb windows_1252]
      features.reject! { |feature| feature.end_with?('-fake') }

ruby-3.3.0-Disable-syntax-suggest-test-case.patch

@@ -1,4 +1,4 @@
-From 9b7cb6a40d73bb86ee0de34360068e90e80f4e7e Mon Sep 17 00:00:00 2001
+From 6365d1b79e10330fced83d00d4cb950380a3b0fe Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
 Date: Thu, 7 Sep 2023 13:13:02 +0200
 Subject: [PATCH] Disable syntax-suggest test case.
@@ -9,12 +9,12 @@ This requires internet connection.
  1 file changed, 2 deletions(-)
 
 diff --git a/common.mk b/common.mk
-index dae7d9dc00..111e859d1b 100644
+index d55d1788aa..73755f6ccd 100644
 --- a/common.mk
 +++ b/common.mk
-@@ -1619,8 +1619,6 @@ no-test-bundled-gems-spec:
- 
- test-syntax-suggest:
+@@ -1601,8 +1601,6 @@ yes-test-syntax-suggest: $(PREPARE_SYNTAX_SUGGEST)
+ 	$(ACTIONS_ENDGROUP)
+ no-test-syntax-suggest:
  
 -check: $(DOT_WAIT) $(PREPARE_SYNTAX_SUGGEST) test-syntax-suggest
 -

ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch

@@ -0,0 +1,302 @@
+From 3d405634f43d39079ee93cdc59ed7fc0a5e8917a Mon Sep 17 00:00:00 2001
+From: KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>
+Date: Sun, 9 Jun 2024 21:15:39 +1000
+Subject: [PATCH] Extract hardening CFLAGS to a special $hardenflags variable
+
+This changes the automatic detection of -fstack-protector,
+-D_FORTIFY_SOURCE, and -mbranch-protection to write to $hardenflags
+instead of $XCFLAGS. The definition of $cflags is changed to
+"$hardenflags $orig_cflags $optflags $debugflags $warnflags" to match.
+
+Furthermore, these flags are _prepended_ to $hardenflags, rather than
+appended.
+
+The implications of doing this are as follows:
+
+* If a CRuby builder specifies cflags="-mbranch-protection=foobar" at
+  the ./configure script, and the configure script detects that
+  -mbranch-protection=pac-ret is accepted, then GCC will be invoked as
+  "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". Since
+  the last flags take precedence, that means that user-supplied values
+  of these flags in $cflags will take priority.
+* Likewise, if a CRuby builder explicitly specifies
+  "hardenflags=-mbranch-protection=foobar", because we _prepend_ to
+  $hardenflags in our autoconf script, we will still invoke GCC as
+  "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar".
+* If a CRuby builder specifies CFLAGS="..." at the configure line,
+  automatic detection of hardening flags is ignored as before.
+* C extensions will _also_ be built with hardening flags now as well
+  (this was not the case by default before because the detected flags
+  went into $XCFLAGS).
+
+Additionally, as part of this work, I changed how the detection of
+PAC/BTI in Context.S works. Rather than appending the autodetected
+option to ASFLAGS, we simply compile a set of test programs with the
+actual CFLAGS in use to determine what PAC/BTI settings were actually
+chosen by the builder. Context.S is made aware of these choices through
+some custom macros.
+
+The result of this work is that:
+
+* Ruby will continue to choose some sensible defaults for hardening
+  options for the C compiler
+* Distributors are able to specify CFLAGS that are consistent with their
+  distribution and override these defaults
+* Context.S will react to whatever -mbranch-protection is actually in
+  use, not what was autodetected
+* Extensions get built with hardening flags too.
+
+[Bug #20154]
+[Bug #20520]
+---
+ configure.ac                  | 81 ++++++++++++++++++++++++++++++-----
+ coroutine/arm64/Context.S     | 14 +++---
+ template/Makefile.in          |  1 +
+ tool/m4/ruby_append_option.m4 |  4 ++
+ tool/m4/ruby_try_cflags.m4    | 17 ++++++++
+ 5 files changed, 100 insertions(+), 17 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f35fad6a362611..0da15772d36671 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -354,7 +354,7 @@ test -z "$warnflags" ||
+ AS_IF([test -z "${CFLAGS+set}"], [
+     cflags=`echo " $cflags " | sed "$cflagspat;s/^ *//;s/ *$//"`
+     orig_cflags="$cflags"
+-    cflags="$cflags "'${optflags} ${debugflags} ${warnflags}'
++    cflags='${hardenflags} '"$cflags "'${optflags} ${debugflags} ${warnflags}'
+ ])
+ dnl AS_IF([test -z "${CXXFLAGS+set}"], [
+ dnl     cxxflags=`echo " $cxxflags " | sed "$cflagspat;s/^ *//;s/ *$//"`
+@@ -802,7 +802,7 @@ AS_IF([test "$GCC" = yes], [
+ 		  [fortify_source=$enableval])
+     AS_IF([test "x$fortify_source" != xno], [
+         RUBY_TRY_CFLAGS([$optflags -D_FORTIFY_SOURCE=2],
+-                        [RUBY_APPEND_OPTION(XCFLAGS, -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2)], [],
++                        [RUBY_PREPEND_OPTION(hardenflags, -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2)], [],
+                         [@%:@include <stdio.h>])
+     ])
+ 
+@@ -823,20 +823,24 @@ AS_IF([test "$GCC" = yes], [
+     AC_MSG_CHECKING([for -fstack-protector])
+     AC_MSG_RESULT(["$stack_protector"])
+     AS_CASE(["$stack_protector"], [-*], [
+-	RUBY_APPEND_OPTION(XCFLAGS, $stack_protector)
+-	RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
+-	RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
++        RUBY_PREPEND_OPTION(hardenflags, $stack_protector)
++        RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
++        RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
+     ])
+ 
+     # aarch64 branch protection
+     AS_CASE(["$target_cpu"], [aarch64], [
+ 	AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
+-            RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
++            # Try these flags in the _prepended_ position - i.e. we want to try building a program
++            # with CFLAGS="-mbranch-protection=pac-ret $CFLAGS". If the builder has provided different
++            # branch protection flags in CFLAGS, we don't want to overwrite those. We just want to
++            # find some branch protection flags which work if none were provided.
++            RUBY_TRY_CFLAGS_PREPEND(option, [branch_protection=yes], [branch_protection=no])
+             AS_IF([test "x$branch_protection" = xyes], [
+-                # C compiler and assembler must be consistent for -mbranch-protection
+-                # since they both check `__ARM_FEATURE_PAC_DEFAULT` definition.
+-                RUBY_APPEND_OPTION(XCFLAGS, option)
+-                RUBY_APPEND_OPTION(ASFLAGS, option)
++                # _prepend_ the options to CFLAGS, so that user-provided flags will overwrite them.
++                # These CFLAGS are used during the configure script to compile further test programs;
++                # however, $harden_flags is prepended separately to CFLAGS at the end of the script.
++                RUBY_PREPEND_OPTION(hardenflags, $opt)
+                 break
+             ])
+         ])
+@@ -985,6 +989,59 @@ test -z "${ac_env_CFLAGS_set}" -a -n "${cflags+set}" && eval CFLAGS="\"$cflags $
+ test -z "${ac_env_CXXFLAGS_set}" -a -n "${cxxflags+set}" && eval CXXFLAGS="\"$cxxflags $ARCH_FLAG\""
+ }
+ 
++# The lines above expand out the $cflags/$optflags/$debugflags/$hardenflags variables into the
++# CFLAGS variable. So, at this point, we have a $CFLAGS var with the actual compiler flags we're
++# going to use.
++# That means this is the right time to check what branch protection flags are going to be in use
++# and define appropriate macros for use in Context.S based on this
++AS_CASE(["$target_cpu"], [aarch64], [
++    AC_CACHE_CHECK([whether __ARM_FEATURE_BTI_DEFAULT is defined],
++        rb_cv_aarch64_bti_enabled,
++        AC_COMPILE_IFELSE(
++            [AC_LANG_PROGRAM([[
++                @%:@ifndef __ARM_FEATURE_BTI_DEFAULT
++                @%:@error "__ARM_FEATURE_BTI_DEFAULT not defined"
++                @%:@endif
++            ]])],
++        [rb_cv_aarch64_bti_enabled=yes],
++        [rb_cv_aarch64_bti_enabled=no])
++    )
++    AS_IF([test "$rb_cv_aarch64_bti_enabled" = yes],
++          AC_DEFINE(RUBY_AARCH64_BTI_ENABLED, 1))
++    AC_CACHE_CHECK([whether __ARM_FEATURE_PAC_DEFAULT is defined],
++        rb_cv_aarch64_pac_enabled,
++        AC_COMPILE_IFELSE(
++            [AC_LANG_PROGRAM([[
++                @%:@ifndef __ARM_FEATURE_PAC_DEFAULT
++                @%:@error "__ARM_FEATURE_PAC_DEFAULT not defined"
++                @%:@endif
++            ]])],
++        [rb_cv_aarch64_pac_enabled=yes],
++        [rb_cv_aarch64_pac_enabled=no])
++    )
++    AS_IF([test "$rb_cv_aarch64_pac_enabled" = yes],
++          AC_DEFINE(RUBY_AARCH64_PAC_ENABLED, 1))
++    # Context.S will only ever sign its return address with the A-key; it doesn't support
++    # the B-key at the moment.
++    AS_IF([test "$rb_cv_aarch64_pac_enabled" = yes], [
++        AC_CACHE_CHECK([whether __ARM_FEATURE_PAC_DEFAULT specifies the b-key bit 0x02],
++            rb_cv_aarch64_pac_b_key,
++            AC_COMPILE_IFELSE(
++                [AC_LANG_PROGRAM([[
++                    @%:@ifdef __ARM_FEATURE_PAC_DEFAULT
++                    @%:@if __ARM_FEATURE_PAC_DEFAULT & 0x02
++                    @%:@error "__ARM_FEATURE_PAC_DEFAULT specifies B key"
++                    @%:@endif
++                    @%:@endif
++                ]])],
++            [rb_cv_aarch64_pac_b_key=no],
++            [rb_cv_aarch64_pac_b_key=yes])
++        )
++        AS_IF([test "$rb_cv_aarch64_pac_b_key" = yes],
++            AC_MSG_ERROR(-mbranch-protection flag specified b-key but Ruby's Context.S does not support this yet.))
++    ])
++])
++
+ AC_CACHE_CHECK([whether compiler has statement and declarations in expressions],
+   rb_cv_have_stmt_and_decl_in_expr,
+   [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[ __extension__ ({ int a = 0; a; }); ]])],
+@@ -4215,12 +4272,13 @@ AS_IF([test "${ARCH_FLAG}"], [
+ rb_cv_warnflags=`echo "$rb_cv_warnflags" | sed 's/^ *//;s/ *$//'`
+ warnflags="$rb_cv_warnflags"
+ AC_SUBST(cppflags)dnl
+-AC_SUBST(cflags, ["${orig_cflags:+$orig_cflags }"'${optflags} ${debugflags} ${warnflags}'])dnl
++AC_SUBST(cflags, ['${hardenflags} '"${orig_cflags:+$orig_cflags }"' ${optflags} ${debugflags} ${warnflags}'])dnl
+ AC_SUBST(cxxflags)dnl
+ AC_SUBST(optflags)dnl
+ AC_SUBST(debugflags)dnl
+ AC_SUBST(warnflags)dnl
+ AC_SUBST(strict_warnflags)dnl
++AC_SUBST(hardenflags)dnl
+ AC_SUBST(XCFLAGS)dnl
+ AC_SUBST(XLDFLAGS)dnl
+ AC_SUBST(EXTLDFLAGS)dnl
+@@ -4688,6 +4746,7 @@ config_summary "DLDFLAGS"            "$DLDFLAGS"
+ config_summary "optflags"            "$optflags"
+ config_summary "debugflags"          "$debugflags"
+ config_summary "warnflags"           "$warnflags"
++config_summary "hardenflags"         "$hardenflags"
+ config_summary "strip command"       "$STRIP"
+ config_summary "install doc"         "$DOCTARGETS"
+ config_summary "YJIT support"        "$YJIT_SUPPORT"
+diff --git a/coroutine/arm64/Context.S b/coroutine/arm64/Context.S
+index 5251ab214df1f0..54611a247e2f66 100644
+--- a/coroutine/arm64/Context.S
++++ b/coroutine/arm64/Context.S
+@@ -5,6 +5,8 @@
+ ##  Copyright, 2018, by Samuel Williams.
+ ##
+ 
++#include "ruby/config.h"
++
+ #define TOKEN_PASTE(x,y) x##y
+ #define PREFIXED_SYMBOL(prefix,name) TOKEN_PASTE(prefix,name)
+ 
+@@ -27,10 +29,10 @@
+ .global PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer)
+ PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer):
+ 
+-#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT != 0)
++#if defined(RUBY_AARCH64_PAC_ENABLED)
+ 	# paciasp (it also acts as BTI landing pad, so no need to insert BTI also)
+ 	hint #25
+-#elif defined(__ARM_FEATURE_BTI_DEFAULT) && (__ARM_FEATURE_BTI_DEFAULT != 0)
++#elif defined(RUBY_AARCH64_BTI_ENABLED)
+ 	# For the the case PAC is not enabled but BTI is.
+ 	# bti c
+ 	hint #34
+@@ -73,7 +75,7 @@ PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer):
+ 	# Pop stack frame
+ 	add sp, sp, 0xa0
+ 
+-#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT != 0)
++#if defined(RUBY_AARCH64_PAC_ENABLED)
+ 	# autiasp: Authenticate x30 (LR) with SP and key A
+ 	hint #29
+ #endif
+@@ -85,18 +87,18 @@ PREFIXED_SYMBOL(SYMBOL_PREFIX,coroutine_transfer):
+ .section .note.GNU-stack,"",%progbits
+ #endif
+ 
+-#if __ARM_FEATURE_BTI_DEFAULT != 0 || __ARM_FEATURE_PAC_DEFAULT != 0
++#if defined(RUBY_AARCH64_BTI_ENABLED) || defined(RUBY_AARCH64_PAC_ENABLED)
+ /*  See "ELF for the Arm 64-bit Architecture (AArch64)"
+     https://github.com/ARM-software/abi-aa/blob/2023Q3/aaelf64/aaelf64.rst#program-property */
+ #  define GNU_PROPERTY_AARCH64_FEATURE_1_BTI (1<<0)
+ #  define GNU_PROPERTY_AARCH64_FEATURE_1_PAC (1<<1)
+ 
+-#  if __ARM_FEATURE_BTI_DEFAULT != 0
++#  if defined(RUBY_AARCH64_BTI_ENABLED)
+ #    define BTI_FLAG GNU_PROPERTY_AARCH64_FEATURE_1_BTI
+ #  else
+ #    define BTI_FLAG 0
+ #  endif
+-#  if __ARM_FEATURE_PAC_DEFAULT != 0
++#  if defined(RUBY_AARCH64_PAC_ENABLED)
+ #    define PAC_FLAG GNU_PROPERTY_AARCH64_FEATURE_1_PAC
+ #  else
+ #    define PAC_FLAG 0
+diff --git a/template/Makefile.in b/template/Makefile.in
+index 033ac56cb38886..abb4469777ce8a 100644
+--- a/template/Makefile.in
++++ b/template/Makefile.in
+@@ -89,6 +89,7 @@ cflags = @cflags@
+ optflags = @optflags@
+ debugflags = @debugflags@
+ warnflags = @warnflags@ @strict_warnflags@
++hardenflags = @hardenflags@
+ cppflags = @cppflags@
+ incflags = @incflags@
+ RUBY_DEVEL = @RUBY_DEVEL@ # "yes" or empty
+diff --git a/tool/m4/ruby_append_option.m4 b/tool/m4/ruby_append_option.m4
+index ff828d2162c22f..98359fa1f95f52 100644
+--- a/tool/m4/ruby_append_option.m4
++++ b/tool/m4/ruby_append_option.m4
+@@ -3,3 +3,7 @@ AC_DEFUN([RUBY_APPEND_OPTION],
+ 	[# RUBY_APPEND_OPTION($1)
+ 	AS_CASE([" [$]{$1-} "],
+ 	[*" $2 "*], [], ['  '], [ $1="$2"], [ $1="[$]$1 $2"])])dnl
++AC_DEFUN([RUBY_PREPEND_OPTION],
++	[# RUBY_APPEND_OPTION($1)
++	AS_CASE([" [$]{$1-} "],
++	[*" $2 "*], [], ['  '], [ $1="$2"], [ $1="$2 [$]$1"])])dnl
+diff --git a/tool/m4/ruby_try_cflags.m4 b/tool/m4/ruby_try_cflags.m4
+index b74718fe5e1cef..b397642aad9ca2 100644
+--- a/tool/m4/ruby_try_cflags.m4
++++ b/tool/m4/ruby_try_cflags.m4
+@@ -22,3 +22,20 @@ AC_DEFUN([RUBY_TRY_CFLAGS], [
+ 	AC_MSG_RESULT(no)],
+ 	[$4], [$5])
+ ])dnl
++
++AC_DEFUN([_RUBY_TRY_CFLAGS_PREPEND], [
++    RUBY_WERROR_FLAG([
++    CFLAGS="$1 [$]CFLAGS"
++    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$4]], [[$5]])],
++	[$2], [$3])
++    ])dnl
++])dnl
++AC_DEFUN([RUBY_TRY_CFLAGS_PREPEND], [
++    AC_MSG_CHECKING([whether ]$1[ is accepted as CFLAGS])dnl
++    _RUBY_TRY_CFLAGS_PREPEND([$1],
++	[$2
++	AC_MSG_RESULT(yes)],
++	[$3
++	AC_MSG_RESULT(no)],
++	[$4], [$5])
++])dnl

ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch

@@ -0,0 +1,47 @@
+From ae215a47ae1a6527bb7b8566e5bcc9430652462f Mon Sep 17 00:00:00 2001
+From: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
+Date: Fri, 5 Jan 2024 15:58:59 +0100
+Subject: [PATCH] Only set min_version on OpenSSL < 1.1.0
+
+Both Red Hat and Debian-like systems configure the minimum TLS version
+to be 1.2 by default, but allow users to change this via configs.
+
+On Red Hat and derivatives this happens via crypto-policies[1], which in
+writes settings in /etc/crypto-policies/back-ends/opensslcnf.config.
+Most notably, it sets TLS.MinProtocol there. For Debian there's
+MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is
+considered a secure default.
+
+In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION
+for min_version. TLS 1.0 and 1.1 are considered insecure. By always
+setting this in the default parameters, the system wide default can't be
+respected, even if a developer wants to.
+
+This takes the approach that's also done for ciphers: it's only set for
+OpenSSL < 1.1.0.
+
+[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
+---
+ lib/openssl/ssl.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
+index e557b8b48..83ecacafb 100644
+--- a/ext/openssl/lib/openssl/ssl.rb
++++ b/ext/openssl/lib/openssl/ssl.rb
+@@ -22,7 +22,6 @@ module OpenSSL
+   module SSL
+     class SSLContext
+       DEFAULT_PARAMS = { # :nodoc:
+-        :min_version => OpenSSL::SSL::TLS1_VERSION,
+         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+         :verify_hostname => true,
+         :options => -> {
+@@ -55,6 +54,7 @@ class SSLContext
+       if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+            OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+         DEFAULT_PARAMS.merge!(
++          min_version: OpenSSL::SSL::TLS1_VERSION,
+           ciphers: %w{
+             ECDHE-ECDSA-AES128-GCM-SHA256
+             ECDHE-RSA-AES128-GCM-SHA256

ruby-4.0.1-Support-customizable-rustc_flags-for-rustc-builds.patch

@@ -1,117 +0,0 @@
-From 1cfb11bc8d01e4fc1ff47807721e29b250f0f19f Mon Sep 17 00:00:00 2001
-From: Jarek Prokop <jprokop@redhat.com>
-Date: Mon, 22 Dec 2025 10:13:34 +0100
-Subject: [PATCH] Support customizable rustc_flags for rustc builds.
-
-Add `rustc_flags` option for configure that appends to RUSTC_FLAGS
-flags used when compiling with rustc for customizable build flags.
-It appends to existing defaults in RUSTC_FLAGS.
-
-Co-authored-by: Alan Wu <XrXr@users.noreply.github.com>
----
- common.mk            | 10 ++--------
- configure.ac         |  8 ++++++++
- defs/jit.mk          |  2 ++
- template/Makefile.in |  1 +
- 4 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/common.mk b/common.mk
-index 08fee9119a..9ac5ae919f 100644
---- a/common.mk
-+++ b/common.mk
-@@ -270,21 +270,15 @@ MAKE_LINK = $(MINIRUBY) -rfileutils -e "include FileUtils::Verbose" \
- # For release builds
- YJIT_RUSTC_ARGS = --crate-name=yjit \
- 	$(JIT_RUST_FLAGS) \
-+	$(RUSTC_FLAGS) \
- 	--edition=2021 \
--	-g \
--	-C lto=thin \
--	-C opt-level=3 \
--	-C overflow-checks=on \
- 	'--out-dir=$(CARGO_TARGET_DIR)/release/' \
- 	'$(top_srcdir)/yjit/src/lib.rs'
- 
- ZJIT_RUSTC_ARGS = --crate-name=zjit \
- 	$(JIT_RUST_FLAGS) \
-+	$(RUSTC_FLAGS) \
- 	--edition=2024 \
--	-g \
--	-C lto=thin \
--	-C opt-level=3 \
--	-C overflow-checks=on \
- 	'--out-dir=$(CARGO_TARGET_DIR)/release/' \
- 	'$(top_srcdir)/zjit/src/lib.rs'
- 
-diff --git a/configure.ac b/configure.ac
-index 2bbce78fd0..a3aa6dc383 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -69,6 +69,7 @@ dnl 93(bright yellow) is copied from .github/workflows/mingw.yml
- AC_ARG_VAR([cflags], [additional CFLAGS (ignored when CFLAGS is given)])dnl
- AC_ARG_VAR([cppflags], [additional CPPFLAGS (ignored when CPPFLAGS is given)])dnl
- AC_ARG_VAR([cxxflags], [additional CXXFLAGS (ignored when CXXFLAGS is given)])dnl
-+AC_ARG_VAR([rustc_flags], [additional RUSTC_FLAGS])dnl
- 
- [begin]_group "environment section" && {
- HAVE_BASERUBY=yes
-@@ -4054,6 +4055,11 @@ AS_CASE(["${ZJIT_SUPPORT}"],
-     AC_DEFINE(USE_ZJIT, 0)
- ])
- 
-+RUSTC_FLAGS='-g -C lto=thin -C opt-level=3 -C overflow-checks=on'
-+AS_IF([test -n "${rustc_flags}"], [
-+    RUSTC_FLAGS="${RUSTC_FLAGS} ${rustc_flags}"
-+])
-+
- JIT_RUST_FLAGS='--crate-type=staticlib --cfg feature=\"stats_allocator\"'
- RLIB_DIR=
- AS_CASE(["$JIT_CARGO_SUPPORT:$YJIT_SUPPORT:$ZJIT_SUPPORT"],
-@@ -4111,6 +4117,7 @@ AS_IF([test -n "$RUST_LIB"], [
- dnl These variables end up in ::RbConfig::CONFIG
- AC_SUBST(RUSTC)dnl Rust compiler command
- AC_SUBST(JIT_RUST_FLAGS)dnl the common rustc flags for JIT crates such as zjit
-+AC_SUBST(RUSTC_FLAGS)dnl user-configurable rustc compiler flags
- AC_SUBST(CARGO)dnl Cargo command for Rust builds
- AC_SUBST(CARGO_BUILD_ARGS)dnl for selecting Rust build profiles
- AC_SUBST(YJIT_SUPPORT)dnl what flavor of YJIT the Ruby build includes
-@@ -4855,6 +4862,7 @@ config_summary "strip command"       "$STRIP"
- config_summary "install doc"         "$DOCTARGETS"
- config_summary "YJIT support"        "$YJIT_SUPPORT"
- config_summary "ZJIT support"        "$ZJIT_SUPPORT"
-+config_summary "RUSTC_FLAGS"         "$RUSTC_FLAGS"
- config_summary "man page type"       "$MANTYPE"
- config_summary "search path"         "$search_path"
- config_summary "static-linked-ext"   ${EXTSTATIC:+"yes"}
-diff --git a/defs/jit.mk b/defs/jit.mk
-index 42b56c4cd9..27b14e7a07 100644
---- a/defs/jit.mk
-+++ b/defs/jit.mk
-@@ -40,6 +40,7 @@ else ifneq ($(strip $(RLIB_DIR)),) # combo build
- $(RUST_LIB): $(srcdir)/ruby.rs
- 	$(ECHO) 'building $(@F)'
- 	$(gnumake_recursive)$(Q) $(RUSTC) --edition=2024 \
-+	    $(RUSTC_FLAGS) \
- 	    '-L$(@D)' \
- 	    --extern=yjit \
- 	    --extern=zjit \
-@@ -58,6 +59,7 @@ $(JIT_RLIB):
- 	$(gnumake_recursive)$(Q) $(RUSTC) --crate-name=jit \
- 	    --edition=2024 \
- 	    $(JIT_RUST_FLAGS) \
-+	    $(RUSTC_FLAGS) \
- 	    '--out-dir=$(@D)' \
- 	    '$(top_srcdir)/jit/src/lib.rs'
- endif # ifneq ($(JIT_CARGO_SUPPORT),no)
-diff --git a/template/Makefile.in b/template/Makefile.in
-index 443c394cb4..0b7b50e3aa 100644
---- a/template/Makefile.in
-+++ b/template/Makefile.in
-@@ -115,6 +115,7 @@ CARGO_TARGET_DIR=@abs_top_builddir@/target
- CARGO_BUILD_ARGS=@CARGO_BUILD_ARGS@
- ZJIT_TEST_FEATURES=@ZJIT_TEST_FEATURES@
- JIT_RUST_FLAGS=@JIT_RUST_FLAGS@
-+RUSTC_FLAGS=@RUSTC_FLAGS@
- RLIB_DIR=@RLIB_DIR@
- RUST_LIB=@RUST_LIB@
- RUST_LIBOBJ = $(RUST_LIB:.a=.@OBJEXT@)

ruby.rpmlintrc

@@ -13,13 +13,15 @@ addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan
 # The template files do not have to have executable bits.
 addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ')
 
-# Samples don't really need executable bits.
-addFilter(r'^rubygem-bigdecimal\.x86_64: E: non-executable-script /usr/share/gems/gems/bigdecimal-[\d\.]+/sample/\w+.rb 644 /usr/local/bin/ruby$')
-
 # The bundled gem files permissions are overridden as 644 by `make install`.
 # https://bugs.ruby-lang.org/issues/17840
 # https://github.com/rubygems/rubygems/issues/5255
-addFilter(r'^.*: E: non-executable-script /usr/share/gems/gems/(abbrev|getoptlong|nkf|observer|resolv|resolv-replace|rinda|syslog)-[\d\.]+/bin/\w+ 644 ')
+# https://github.com/ruby/debug/pull/481
+# https://github.com/ruby/net-ftp/pull/12
+# https://github.com/ruby/net-imap/pull/53
+# https://github.com/ruby/net-pop/pull/7
+# https://github.com/ruby/prime/pull/16
+addFilter(r'^.*: E: non-executable-script /usr/share/gems/gems/(debug|net-(ftp|imap|pop)|prime)-[\d\.]+/bin/\w+ 644 ')
 
 # Ruby provides API to set the cipher list.
 addFilter(r'^ruby-libs\.\w+: W: crypto-policy-non-compliance-openssl /usr/lib(64)?/ruby/openssl.so SSL_CTX_set_cipher_list$')

sources

@@ -1 +1 @@
-SHA512 (ruby-4.0.1.tar.xz) = b67d9d1f97ba30200d103f8454e39dc2d0450819d51d91eb5451d44b0bafc56d2fa48bb1be6c5081babe5828f679984bad02b9bcee7441f6bd34c0a95b8f200b
+SHA512 (ruby-3.3.8.tar.xz) = 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9