From 6b40c49708bd326e2fab20e0b68e7cbe0b13aa39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bob=20Dr=C3=B6ge?=
Date: Fri, 2 Feb 2024 16:33:38 +0100
Subject: [PATCH 1/5] script for updating zlib and glibc
---
 ...update-pkgs-EESSI.IO-2023.06_2024-01-31.sh | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100755 scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
diff --git a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
new file mode 100755
index 00000000..20c116f0
--- /dev/null
+++ b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+mytmpdir=$(mktemp -d)
+
+if [ -z "$EPREFIX" ]; then
+ # this assumes we're running in a Gentoo Prefix environment
+ EPREFIX=$(dirname $(dirname $SHELL))
+fi
+echo "EPREFIX=${EPREFIX}"
+
+# collect list of installed packages before updating packages
+list_installed_pkgs_pre_update=${mytmpdir}/installed-pkgs-pre-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_pre_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_pre_update}
+
+# update checkout of gentoo repository to sufficiently recent commit
+# this is required because we pin to a specific commit when bootstrapping the compat layer
+# see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml;
+
+# https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac78a6d2a0ec2546a59ed98e00499ddd8343b13d (2024-01-31)
+gentoo_commit='ac78a6d2a0ec2546a59ed98e00499ddd8343b13d'
+echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..."
+cd $EPREFIX/var/db/repos/gentoo
+time git fetch origin
+echo "Checking out ${gentoo_commit} in ${PWD}..."
+time git checkout ${gentoo_commit}
+cd -
+
+# update zlib due to https://security.gentoo.org/glsa/202401-18
+emerge --update --oneshot --verbose '=sys-libs/zlib-1.3-r2' # was sys-libs/zlib-1.2.13-r1
+
+# update glibc due to https://security.gentoo.org/glsa/202402-01
+emerge --update --oneshot --verbose '=sys-libs/glibc-2.37-r10' # was sys-libs/glibc-2.37-r7
+
+# collect list of installed packages after updating packages
+list_installed_pkgs_post_update=${mytmpdir}/installed-pkgs-post-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_post_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_post_update}
+
+echo
+echo "diff in installed packages:"
+diff -u ${list_installed_pkgs_pre_update} ${list_installed_pkgs_post_update}
+
+rm -rf ${mytmpdir}
From e731213256bfc44ba4d7a523a82ad7a0fa874b77 Mon Sep 17 00:00:00 2001
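Review bot: `diff -u ${list_installed_pkgs_pre_update} ${list_installed_pkgs_post_update}` exits 1 whenever the two lists differ, which is the expected outcome of this script, so under `set -e` the script terminates at that line with a non-zero status and the final `rm -rf ${mytmpdir}` never runs; the same temp-dir leak happens on any earlier failing command. Register the cleanup as a trap right after `mytmpdir=$(mktemp -d)`: `trap 'rm -rf -- "${mytmpdir}"' EXIT`, and make the diff's status explicit: `diff -u "${list_installed_pkgs_pre_update}" "${list_installed_pkgs_post_update}" || true`. Note also that `set -e` alone does not catch a failing `qlist` in `qlist -IRv | sort | tee …`, since only `tee`'s status counts; `set -euo pipefail` would surface it. The variables are expanded unquoted throughout (`cd $EPREFIX/var/db/repos/gentoo`), which works only as long as `EPREFIX` contains no whitespace or glob characters.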
From: =?UTF-8?q?Bob=20Dr=C3=B6ge?=
Date: Tue, 6 Feb 2024 11:38:22 +0100
Subject: [PATCH 2/5] unmask openssl 1.1.x and update to 1.1.1w
---
 scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
index 20c116f0..406d8227 100755
--- a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
+++ b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
@@ -28,6 +28,13 @@ echo "Checking out ${gentoo_commit} in ${PWD}..." time git checkout ${gentoo_commit} cd - +# unmask dev-libs/openssl-1.1.1w, so we can update to it +# (masked by $EPREFIX/var/db/repos/gentoo/profiles/package.mask, because OpenSSL 1.1.x is EOL) +echo '# unmask dev-libs/openssl-1.1.1w (openssl 1.1.x is masked via $EPREFIX/var/db/repos/gentoo/profiles/package.mask)' >> ${EPREFIX}/etc/portage/package.unmask +echo '=dev-libs/openssl-1.1.1w' >> ${EPREFIX}/etc/portage/package.unmask +# update openssl due to https://nvd.nist.gov/vuln/detail/CVE-2023-4807 +emerge --update --oneshot --verbose '=dev-libs/openssl-1.1.1w' # was dev-libs/openssl-1.1.1u + # update zlib due to https://security.gentoo.org/glsa/202401-18 emerge --update --oneshot --verbose '=sys-libs/zlib-1.3-r2' # was sys-libs/zlib-1.2.13-r1
From 97373b17d96ab55104f6af0b76703e7f28e6d185 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bob=20Dr=C3=B6ge?=
Date: Thu, 8 Feb 2024 16:29:59 +0100
Subject: [PATCH 3/5] upgrade zlib before switching to new commit
---
 scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
index 406d8227..290e78bb 100755
--- a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
+++ b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
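Review bot: The two `echo … >> ${EPREFIX}/etc/portage/package.unmask` lines append unconditionally, so every re-run of the script adds a duplicate pair of entries to the unmask file; guard them with `grep -qxF '=dev-libs/openssl-1.1.1w' "${EPREFIX}/etc/portage/package.unmask" 2>/dev/null || { echo '# unmask dev-libs/openssl-1.1.1w (…)'; echo '=dev-libs/openssl-1.1.1w'; } >> "${EPREFIX}/etc/portage/package.unmask"`. Pinning the unmask to `=dev-libs/openssl-1.1.1w` rather than the whole branch is the right call, but since the hunk's own comment says 1.1.x is EOL, no further fixes will land for it, so the unmask should be marked as a stopgap: `# TODO: drop this unmask once the compat layer moves off the EOL OpenSSL 1.1 branch; nothing newer than 1.1.1w will be published for it`. Whether `package.unmask` is a file rather than a directory in this prefix is not visible in the hunk; the `>>` append only works for the file form.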
@@ -19,6 +19,11 @@ qlist -IRv | sort | tee ${list_installed_pkgs_pre_update} # this is required because we pin to a specific commit when bootstrapping the compat layer # see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml; +# update zlib due to https://security.gentoo.org/glsa/202401-18 +# this has to be done before switching to a newer commit, as that one doesn't have this zlib version anymore, +# while the current commit does +emerge --update --oneshot --verbose '=sys-libs/zlib-1.2.13-r2' # was sys-libs/zlib-1.2.13-r1 + # https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac78a6d2a0ec2546a59ed98e00499ddd8343b13d (2024-01-31) gentoo_commit='ac78a6d2a0ec2546a59ed98e00499ddd8343b13d' echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..."
@@ -35,9 +40,6 @@ echo '=dev-libs/openssl-1.1.1w' >> ${EPREFIX}/etc/portage/package.unmask # update openssl due to https://nvd.nist.gov/vuln/detail/CVE-2023-4807 emerge --update --oneshot --verbose '=dev-libs/openssl-1.1.1w' # was dev-libs/openssl-1.1.1u -# update zlib due to https://security.gentoo.org/glsa/202401-18 -emerge --update --oneshot --verbose '=sys-libs/zlib-1.3-r2' # was sys-libs/zlib-1.2.13-r1 - # update glibc due to https://security.gentoo.org/glsa/202402-01 emerge --update --oneshot --verbose '=sys-libs/glibc-2.37-r10' # was sys-libs/glibc-2.37-r7
From 2cd0deb90b1206a497436617d24890222613f12f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bob=20Dr=C3=B6ge?=
Date: Thu, 8 Feb 2024 16:49:29 +0100
Subject: [PATCH 4/5] add code for updating eessi overlay
---
 ...update-pkgs-EESSI.IO-2023.06_2024-01-31.sh | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
index 290e78bb..24f1047d 100755
--- a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
+++ b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
@@ -15,15 +15,25 @@ list_installed_pkgs_pre_update=${mytmpdir}/installed-pkgs-pre-update.txt echo "Collecting list of installed packages to ${list_installed_pkgs_pre_update}..." qlist -IRv | sort | tee ${list_installed_pkgs_pre_update} -# update checkout of gentoo repository to sufficiently recent commit -# this is required because we pin to a specific commit when bootstrapping the compat layer -# see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml; +# update checkout of eessi overlay to sufficiently recent commit to include fix from https://github.com/EESSI/gentoo-overlay/pull/98 +# https://github.com/EESSI/gentoo-overlay/commit/bf189508bf7510d8acf8ef089d4c7f03f6c512d1 (2024-01-29) +eessi_commit='bf189508bf7510d8acf8ef089d4c7f03f6c512d1' +echo "Updating $EPREFIX/var/db/repos/eessi to recent commit (${eessi_commit})..." +cd $EPREFIX/var/db/repos/eessi +time git fetch origin +echo "Checking out ${eessi_commit} in ${PWD}..." +time git checkout ${eessi_commit} +cd - # update zlib due to https://security.gentoo.org/glsa/202401-18 -# this has to be done before switching to a newer commit, as that one doesn't have this zlib version anymore, -# while the current commit does +# this has to be done before switching to a newer commit of the gentoo repository, +# as that one doesn't have this zlib version anymore, # while the current commit does emerge --update --oneshot --verbose '=sys-libs/zlib-1.2.13-r2' # was sys-libs/zlib-1.2.13-r1 +# update checkout of gentoo repository to sufficiently recent commit +# this is required because we pin to a specific commit when bootstrapping the compat layer +# see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml; + # https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac78a6d2a0ec2546a59ed98e00499ddd8343b13d (2024-01-31) gentoo_commit='ac78a6d2a0ec2546a59ed98e00499ddd8343b13d' echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..." 
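Review bot: The fetch/checkout sequence added for the eessi overlay repeats, line for line, the one already used for the gentoo repository (`cd`, `time git fetch origin`, `echo`, `time git checkout`, `cd -`), and `cd -` additionally prints the restored directory to stdout, where it interleaves with the script's own progress output. A small helper that runs the fetch and checkout in a subshell keeps every pinned checkout in one place, leaves the caller's working directory untouched without `cd -`, and lets the currently unquoted `$EPREFIX` paths be quoted once. Under `set -e` a failing `cd`, `fetch` or `checkout` inside the subshell still aborts the script, so the error behaviour is unchanged.
```shell
# Fetch and check out a pinned commit in a repository, without changing the caller's cwd.
# $1: repository directory, $2: commit hash to check out
checkout_pinned_commit() {
  local repo_dir=$1 commit=$2
  echo "Updating ${repo_dir} to commit ${commit}..."
  (
    cd "${repo_dir}"
    time git fetch origin
    echo "Checking out ${commit} in ${PWD}..."
    time git checkout "${commit}"
  )
}

# update checkout of eessi overlay to sufficiently recent commit to include fix from https://github.com/EESSI/gentoo-overlay/pull/98
checkout_pinned_commit "${EPREFIX}/var/db/repos/eessi" 'bf189508bf7510d8acf8ef089d4c7f03f6c512d1'
# … unchanged: zlib update, gentoo repository checkout (same helper) …
```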
From 22ce97df94d6b9814cfb0daaf9f27707609a02cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bob=20Dr=C3=B6ge?=
Date: Thu, 8 Feb 2024 17:07:46 +0100
Subject: [PATCH 5/5] explicit commit for checkout that contains the required version of zlib, make comments clearer
---
 ...update-pkgs-EESSI.IO-2023.06_2024-01-31.sh | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
index 24f1047d..4239527f 100755
--- a/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
+++ b/scripts/update-pkgs-EESSI.IO-2023.06_2024-01-31.sh
@@ -25,15 +25,25 @@ echo "Checking out ${eessi_commit} in ${PWD}..." time git checkout ${eessi_commit} cd - -# update zlib due to https://security.gentoo.org/glsa/202401-18 -# this has to be done before switching to a newer commit of the gentoo repository, -# as that one doesn't have this zlib version anymore, # while the current commit does -emerge --update --oneshot --verbose '=sys-libs/zlib-1.2.13-r2' # was sys-libs/zlib-1.2.13-r1 - # update checkout of gentoo repository to sufficiently recent commit # this is required because we pin to a specific commit when bootstrapping the compat layer # see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml; +# https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9718dafa6ecd841f4364f2ee0039613f0b8efec (2023-10-30) +gentoo_commit='d9718dafa6ecd841f4364f2ee0039613f0b8efec' +echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..." +cd $EPREFIX/var/db/repos/gentoo +time git fetch origin +echo "Checking out ${gentoo_commit} in ${PWD}..." +time git checkout ${gentoo_commit} +cd - + +# update zlib due to https://security.gentoo.org/glsa/202401-18 +# this has to be done before switching to an even newer commit of the gentoo repository, +# as that doesn't have this zlib version anymore, while the current commit does +emerge --update --oneshot --verbose '=sys-libs/zlib-1.2.13-r2' # was sys-libs/zlib-1.2.13-r1 +# update checkout of gentoo repository to an even more recent commit, +# which contains the required versions of openssl and glibc # https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac78a6d2a0ec2546a59ed98e00499ddd8343b13d (2024-01-31) gentoo_commit='ac78a6d2a0ec2546a59ed98e00499ddd8343b13d' echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..."
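Review bot: After the final checkout of `ac78a6d2…` the tree no longer contains the `sys-libs/zlib-1.2.13-r2` that was just installed (the new comment above the emerge says exactly that), so a later `emerge --update @world` or `--depclean` against this prefix will presumably want to move zlib to the 1.3 series; that consequence deserves a note next to the second checkout, e.g. `# NOTE: after this checkout the installed sys-libs/zlib-1.2.13-r2 is no longer in the tree; later world updates will pull it to zlib-1.3`. The `time git fetch origin` that follows the second `gentoo_commit=` assignment (just outside this hunk, presumably unchanged) is redundant with the fetch added here for `d9718daf…`, as both run in the same repository moments apart, unless picking up pushes between the two steps is intended; the second block only needs the `git checkout`. The wording "to recent commit" in the new `echo` is now used for a 2023-10-30 commit that is deliberately older than the final one, so `echo "Updating $EPREFIX/var/db/repos/gentoo to intermediate commit (${gentoo_commit}) that still carries zlib-1.2.13-r2..."` would make the log less confusing.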