Habitat team has come up with a fix for the issue where Openssl package was not honoring letencrypt certs. We can find the details of the original issue here : https://discourse.chef.io/t/core-openssl-package-not-honoring-letsencrypt-certs/20345/2.
As part of the fix there is a new version of openssl and cacerts packages and all the reverse dependencies for those two packages. Here is the list of the packages which have been refreshed.
cacerts
openssl
wget
openssl-musl
libarchive-musl
rust
python38
curl
sensu-backend
sensu-agent
python2
node
python
openssh
libarchive
raml2html
cyrus-sasl
aws-cli
cmake
git
memcached
nginx
postgresql
go14
go17
go
scaffolding-go
mercurial
wrk
tap-xunit
socat
sccache
yarn
scaffolding-go17
rust-nightly
repo
rabbitmqadmin
python39
python37
python36
python35
python34
postgresql96-client
postgresql96
postgresql95-client
postgresql95
postgresql94-client
postgresql94
postgresql93-client
postgresql93
postgresql11-client
postgresql11
postgresql-client
ponysay
openssl11
openldap
node6
node8
node9
node10
node12
node14
monit
libzip
libtalloc
libssh2
libpq
lastpass-cli
node11
jfrog-cli
haproxy20
haproxy19
haproxy18
haproxy17
haproxy16
haproxy
handlebars-cmd
grafana
python36
scons
freetds
foulkon
etcd
erlang21
erlang20
erlang19
erlang18
erlang16
envdir
erlang
lttng-ust
docutils
docker-compose
curl-static-musl
virtualenv
curator
rsync
cargo-nightly
bind
azure-cli
clingo
asciinema
ansible
tor
tcpdump
scaffolding-node
ruby26
ruby25
ruby27
ruby30
rebar3
rebar
vde2
postfix
powershell
openvpn
openresty
nmap
netdata
mongodb
kibana
img
gdb
galera
mariadb
elixir
dovecot
dotnet-asp-core
rpm
dcrpm
curator4
ruby
bundler
buildkite-cli
aspcud
wordpress-proxy
wal-e
sqitch_pg
shield-proxy
serf
sensu
scaffolding-ruby
relx
rabbitmq
psscriptanalyzer
pester
percona-xtrabackup
opam
msodbcsql17
meson
glib
atk
at-spi2-core
mc
httpd
json-glib
qemu
github_changelog_generator
shared-mime-info
gdk-pixbuf
gamin
fluentd
mysql-client
dotnet-core-sdk
dotnet-core
dd-agent
php
composer
llvm7
clang7
llvm
clang
cairo
at-spi2-atk
wordpress
tlog
subversion
mysql
mosquitto
grpc-cpp
harfbuzz
drush
mssql
pango
gnuplot
storm
R
jenkins
gtk2
gtk
elasticsearch
cuda
crate
gocd-server
elasticsearch5
haproxy21
shield-agent
rethinkdb
drupal
shield
erlang22
How does this affect me?
If you have a plan which is dependent on one of the packages listed above then your plan needs to be rebuilt. Let’s look at an example below.
Dependencies
Let’s say I have a plan under my origin (nellshamrell) called widget_world – let’s say it lives at
nellshamrell/widget_world on Builder.
nellshamrell/widget_world
Now, let’s say that plan depends on two more plans, nellshamrell/widget and nellshamrell/world (yes, it’s contrived, just go with it for now).
nellshamrell/widget_world
-> nellshamrell/widget
-> nellshamrell/world
And let’s say each of those plans depends on core/glibc for some reason:
nellshamrell/widget_world
-> nellshamrell/widget
--> core/glibc
-> nellshamrell/world
--> core/glibc
And let’s say both are using the current core/glibc plan, which means they are both using version 2.29:
nellshamrell/widget_world
-> nellshamrell/widget
--> core/glibc/2.29
-> nellshamrell/world
--> core/glibc/2.29
My nellshamrell/widget_world plan will build fine, because both of its dependencies are built with the same version of glibc.
(studio) $ build widget_world
...
Success!
I love when a plan.sh comes together!
Then suppose the Habitat team upgrades core/glibc to 2.33. And let’s say for some reason you only update one of the dependencies to use the updated glibc – so nellshamrell/widget will depend on core/glibc/2.33, while nellshamrell/world will still depend on core/glibc/2.29:
nellshamrell/widget_world
-> nellshamrell/widget
--> core/glibc/2.33
-> nellshamrell/world
--> core/glibc/2.29
This time, if I attempt to build nellshamrell/widget_world, it will return a very ugly error that looks similar to this:
(studio) $ build widget_world
(...)
widget_world: WARN
widget_world: WARN The following runtime dependencies have more than one version
widget_world: WARN release in the full dependency chain:
widget_world: WARN
widget_world: WARN * core/glibc ( core/glibc/2.29/ core/glibc/2.33/ )
widget_world: WARN
widget_world: WARN The current situation usually arises when a plan has a direct
widget_world: WARN dependency on one version of a package (acme/A/7.0/20160101200001)
widget_world: WARN and has a direct dependency on another package which itself depends
widget_world: WARN on another version of the same package (acme/A/2.0/20151201060001).
widget_world: WARN If this package (acme/A) contains shared libraries which are
widget_world: WARN loaded at runtime by the current plan, then both versions of
widget_world: WARN acme/A could be loaded into the same process in a potentially
widget_world: WARN surprising order. Worse, if both versions of acme/A are
widget_world: WARN ABI-incompatible, runtime segmentation faults are more than likely.
widget_world: WARN
widget_world: WARN In order to preserve reliability at runtime the duplicate dependency
widget_world: WARN entries will need to be resolved before this plan can be built.
widget_world: WARN Below is an expanded graph of all $pkg_deps and their dependencies
widget_world: WARN with the problematic lines noted.
widget_world: WARN
widget_world: WARN Computed dependency graph (Lines with '*' denote a problematic entry):nellshamrell/widget_world/1.0.0/
nellshamrell/widget/1.0.0/ ( )
core/glibc/2.33/ ( )
nellshamrell/world/1.0.0/ ( )
core/glibc/2.29/ ( )
ERROR: Computed runtime dependency check failed, aborting
This error occurs because nellshamrell/widget_world has one dependency that was built with 2.33, and another that was built with 2.29. This makes them incompatible, and the nellshamrell/widget_world plan will not build.
How do I resolve this?
In this case, you can resolve this error by rebuilding nellshamrell/world with core/glibc version 2.33. If we do that, and now both dependencies depend on the same version of glibc, then nellshamrell/widget_world will build fine:
nellshamrell/widget_world
-> nellshamrell/widget
--> core/glibc/2.33
-> nellshamrell/world
--> core/glibc/2.33
The refreshed packages with be released on Monday Oct 25 , 2021.