From b54d144da57b52442a540124265313c239d9c83f Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Mon, 11 Sep 2023 22:40:13 +0100
Subject: [PATCH] Update to OpenSSL 3 and remove Ruby 2.7.
OpenSSL 1.1.1 is end-of-life today. Ruby still doesn't properly support OpenSSL 3 but staying on 1.1.1 is no longer viable. In practice it works fine though and everyone else has been using it for ages now. Ruby 2.7 doesn't compile against OpenSSL 3, but went out of maintenance 5 months ago and we no longer have anything that's using it.
---
 .github/workflows/build.yaml | 2 +-
 SHA256SUMS | 2 --
 base.Dockerfile | 23 ++---------------------
 builder.Dockerfile | 2 +-
 versions/2_7 | 2 --
 5 files changed, 4 insertions(+), 27 deletions(-)
 delete mode 100644 versions/2_7
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 204c569..ca735dc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -25,7 +25,7 @@ jobs:
 runs-on: ubuntu-22.04
 strategy:
 matrix:
- version: ['2_7', '3_1', '3_1_2', '3_2', '3_2_0']
+ version: ['3_1', '3_1_2', '3_2', '3_2_0']
 permissions:
 packages: write
 steps:
diff --git a/SHA256SUMS b/SHA256SUMS
index 1eedca2..a69f22a 100644
--- a/SHA256SUMS
+++ b/SHA256SUMS
@@ -1,5 +1,3 @@
-d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0 openssl-1.1.1v.tar.gz
-e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10 ruby-2.7.6.tar.gz
 61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e ruby-3.1.2.tar.gz
 5ea498a35f4cd15875200a52dde42b6eb179e1264e17d78732c3a57cd1c6ab9e ruby-3.1.3.tar.gz
 daaa78e1360b2783f98deeceb677ad900f3a36c0ffa6e2b6b19090be77abc272 ruby-3.2.0.tar.gz
diff --git a/base.Dockerfile b/base.Dockerfile
index a7885c7..9658e91 100644
--- a/base.Dockerfile
+++ b/base.Dockerfile
@@ -11,14 +11,12 @@ RUN : "${RUBY_MAJOR?}" "${RUBY_VERSION?}"
 # Environment variables required for build.
 ENV LANG=C.UTF-8 \
 CPPFLAGS=-DENABLE_PATH_CHECK=0 \
- OPENSSL_VERSION=1.1.1v \
 RUBY_MAJOR=${RUBY_MAJOR} \
 RUBY_VERSION=${RUBY_VERSION}
 # Build-time dependencies for Ruby.
-# TODO: remove perl once we no longer need to build OpenSSL.
 # TODO: remove curl and gpg once downloads are done in the build script.
-RUN install_packages curl ca-certificates g++ gpg libc-dev make bison patch libdb-dev libffi-dev libgdbm-dev libgmp-dev libreadline-dev libyaml-dev zlib1g-dev uuid-dev libjemalloc-dev perl
+RUN install_packages curl ca-certificates g++ gpg libc-dev make bison patch libdb-dev libffi-dev libgdbm-dev libgmp-dev libreadline-dev libssl-dev libyaml-dev zlib1g-dev uuid-dev libjemalloc-dev
 # Process the repo signing key for nodesource so we don't have to include gpg
 # in the final image.
@@ -28,18 +26,6 @@ RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dear
 # TODO: do the download and verification externally, in the build script.
 COPY SHA256SUMS /
-# TODO: remove OpenSSL build once https://www.github.com/ruby/openssl/issues/369 is fixed.
-WORKDIR /usr/src/openssl
-RUN set -x; \
- MAKEFLAGS=-j"$(nproc)"; export MAKEFLAGS; \
- openssl_tarball="openssl-${OPENSSL_VERSION}.tar.gz"; \
- curl -fsSLO "https://www.openssl.org/source/${openssl_tarball}"; \
- grep "${openssl_tarball}" /SHA256SUMS | sha256sum --check --strict; \
- tar -xf "${openssl_tarball}" --strip-components=1; \
- ./config --prefix=/opt/openssl --openssldir=/opt/openssl no-tests shared zlib; \
- make; \
- make install_sw; # Avoid building manpages and such.
-
 # Build/install Ruby and update the default gems so that we have an up-to-date
 # version of Bundler.
 #
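Review bot: The final stage's package list is not visible in this patch, and with `COPY --from=builder /opt/openssl` removed further down it must now supply the OpenSSL 3 shared library itself; the `libssl-dev` added in the first base.Dockerfile hunk (-11,14) covers the build stage only. Confirm the final stage installs the runtime library explicitly (`libssl3` on current Debian/Ubuntu releases) rather than relying on a transitive dependency, since Ruby's openssl extension will fail to load without it. The OpenSSL version is also no longer pinned in SHA256SUMS, so it follows the base image's package repository and security fixes arrive only when the image is rebuilt. A comment beside the package list would record this, for example `# libssl-dev: Ruby links against the distro's OpenSSL 3; the final stage needs the matching runtime library.`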
@@ -52,7 +38,7 @@ RUN set -x; \
 MAKEFLAGS=-j"$(nproc)"; export MAKEFLAGS; \
 ruby_tarball="ruby-${RUBY_VERSION}.tar.gz"; \
 curl -fsSLO "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR}/${ruby_tarball}"; \
- grep "${ruby_tarball}" /SHA256SUMS | sha256sum --check --strict; \
+ grep -F "${ruby_tarball}" /SHA256SUMS | sha256sum --check --strict; \
 tar -xf "${ruby_tarball}" --strip-components=1; \
 arch="$(uname -m)-linux-gnu"; \
 ./configure \
@@ -61,7 +47,6 @@ RUN set -x; \
 --mandir=/tmp/throwaway \
 --disable-install-doc \
 --enable-shared \
- --with-openssl-dir=/opt/openssl \
 ; \
 make; \
 make install; \
@@ -79,10 +64,6 @@ COPY --from=builder /usr/local/bin/ /usr/local/bin/
 COPY --from=builder /usr/local/include/ /usr/local/include/
 COPY --from=builder /usr/local/lib/ /usr/local/lib/
 COPY --from=builder /usr/local/share/ /usr/local/share/
-COPY --from=builder /opt/openssl /opt/openssl
-# Make our locally-built OpenSSL use the system cacert store.
-RUN rm -fr /opt/openssl/certs; \
- ln -s /etc/ssl/certs /opt/openssl/certs
 # Environment variables common to most GOV.UK apps.
 ENV APP_HOME=/app \
diff --git a/builder.Dockerfile b/builder.Dockerfile
index 235baa3..846dc1c 100644
--- a/builder.Dockerfile
+++ b/builder.Dockerfile
@@ -1,7 +1,7 @@
 ARG RUBY_MAJOR
 FROM ghcr.io/alphagov/govuk-ruby-base:${RUBY_MAJOR}
-RUN install_packages g++ libc-dev make git gpg libmariadb-dev-compat libpq-dev xz-utils
+RUN install_packages g++ libc-dev libssl-dev make git gpg libmariadb-dev-compat libpq-dev xz-utils
 # Environment variables to make build cleaner and faster
 ENV BUNDLE_IGNORE_MESSAGES=1 \
diff --git a/versions/2_7 b/versions/2_7
deleted file mode 100644
index 35062c8..0000000
--- a/versions/2_7
+++ /dev/null
@@ -1,2 +0,0 @@
-RUBY_MAJOR="2.7"
-RUBY_VERSION="2.7.6"
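Review bot: A failed `sha256sum --check --strict` in the Ruby build step of base.Dockerfile (hunk -52,7) only protects the image if the shell aborts on error, and the visible opening `RUN set -x; \` enables tracing only while the commands are joined with `;`. Without `-e`, `tar` and `make` would go on to build from a tarball that failed verification. The RUN starts and ends outside the hunk, and a `SHELL` directive elsewhere in the file may already set `-e`; if not, open the step with `RUN set -eux; \`. The switch to `grep -F` itself is sound, as it stops the dots in the file name from matching as regex wildcards.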
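Review bot: With `--with-openssl-dir=/opt/openssl` dropped from `./configure` (base.Dockerfile hunk -61,7), nothing visible asserts that Ruby's openssl extension was actually built against the distro library. Ruby's `make` reports an extension that cannot be configured and carries on, so a missing or mismatched `libssl-dev` would yield an image without TLS support that is presumably noticed only at runtime. A check after `make install; \`, such as `ruby -ropenssl -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION'; \`, would log the linked version and fail the build, provided the step aborts on errors. The RUN continues outside the hunk, so an equivalent check may already exist.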