openvox 8.25.0 → 8.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ea7920147264533ca3a9d0999ab864433f49dc39921288ccd6208a97434ad7d5
-  data.tar.gz: 37cc470528c245977e29d2312c2c2636a2ae500995d59789bc9e2c13232c48e6
+  metadata.gz: 1c5a3cca4402aa0cc4a7878c7b240f32cf76f6d7711f62eb335689b95d59f26b
+  data.tar.gz: 715d1cabc9ab1b3b9b0bf928066500e2c5ae7c07a13e89e57af9a3d962559567
 SHA512:
-  metadata.gz: 2083c76d72fd039be07dc02110e33c2dafb663d48b9045d3c5a753c2c807585ecfdec21d75804b4239a279aa8292e42db85e0515182c665fe1fa794a46f69449
-  data.tar.gz: dbc8342fd12a07243d1c5937585c2c61c1e1ce3e01e270fbd114ca0813ca7e993202e26443c095ce8cd85a25dbf83e8d92844baa753c6fcb26863509dee0f85d
+  metadata.gz: 1ba0c6d016eba599d49c419c24561e2cc54fc50b6591193992820a7dfa9a99362c919aa63f66d5e0cb241c36b2cc59f1b3b62007ed249e16d6cf5e3547441f39
+  data.tar.gz: b199727c5ee128e6ab7b22a93a5610efc6b626850223a53b8f4b858a76402ad9134d38dfb920450a5ded5f087cd26173f8bb4b88f211a955cf3dc75512e8ba29

data/CHANGELOG.md

@@ -2,12 +2,46 @@
 
 All notable changes to this project will be documented in this file.
 
-## [8.25.0](https://github.com/openvoxproject/openvox/tree/8.25.0) (2026-02-16)
+## [8.26.0](https://github.com/openvoxproject/openvox/tree/8.26.0) (2026-04-14)
+
+[Full Changelog](https://github.com/openvoxproject/openvox/compare/8.25.0...8.26.0)
+
+**Implemented enhancements:**
+
+- \[Feature request\]: file resource should support etag [\#328](https://github.com/OpenVoxProject/openvox/issues/328)
+- \[Feature request\]: Provide SLES16 packages [\#246](https://github.com/OpenVoxProject/openvox/issues/246)
+- Add a renew\_cert subcommand to puppet ssl [\#363](https://github.com/OpenVoxProject/openvox/pull/363) ([jay7x](https://github.com/jay7x))
+- Make regsubst\(\) sensitive-aware [\#354](https://github.com/OpenVoxProject/openvox/pull/354) ([cocker-cc](https://github.com/cocker-cc))
+- Feature: file etag support [\#329](https://github.com/OpenVoxProject/openvox/pull/329) ([C24-AK](https://github.com/C24-AK))
+- Add environment parameter to the package resource type [\#321](https://github.com/OpenVoxProject/openvox/pull/321) ([C24-AK](https://github.com/C24-AK))
+
+**Fixed bugs:**
+
+- \[Bug\]: OpenVox Agent on SuSE 15.5 fails with `version 'GLIBC_2.34' not found` [\#226](https://github.com/OpenVoxProject/openvox/issues/226)
+- fix: puppet module install should honor manage\_file\_permissions=false [\#362](https://github.com/OpenVoxProject/openvox/pull/362) ([dotconfig404](https://github.com/dotconfig404))
+- unbreak OpenBSD package handling. [\#316](https://github.com/OpenVoxProject/openvox/pull/316) ([buzzdeee](https://github.com/buzzdeee))
+- Use usermod\(8\) on OpenBSD to unbreak password management [\#294](https://github.com/OpenVoxProject/openvox/pull/294) ([klemensn](https://github.com/klemensn))
+
+**Merged pull requests:**
+
+- Promote openfact 5.6.0 [\#387](https://github.com/OpenVoxProject/openvox/pull/387) ([OpenVoxProjectBot](https://github.com/OpenVoxProjectBot))
+- Promote puppet-runtime 2026.04.09.1 [\#386](https://github.com/OpenVoxProject/openvox/pull/386) ([OpenVoxProjectBot](https://github.com/OpenVoxProjectBot))
+- fix: skip SHA1 CSR signing test when OpenSSL doesn't support it [\#378](https://github.com/OpenVoxProject/openvox/pull/378) ([silug](https://github.com/silug))
+- fix: stub SRV DNS in ca\_server session spec [\#377](https://github.com/OpenVoxProject/openvox/pull/377) ([silug](https://github.com/silug))
+- Fix acceptance tests for systemd PrivateTmp compatibility [\#376](https://github.com/OpenVoxProject/openvox/pull/376) ([nmburgan](https://github.com/nmburgan))
+- Fix acceptance tests for systemd PrivateTmp compatibility [\#375](https://github.com/OpenVoxProject/openvox/pull/375) ([nmburgan](https://github.com/nmburgan))
+- Add libffi-devel to Windows setup script [\#373](https://github.com/OpenVoxProject/openvox/pull/373) ([nmburgan](https://github.com/nmburgan))
+- Promote puppet-runtime 2026.04.05.1 [\#372](https://github.com/OpenVoxProject/openvox/pull/372) ([OpenVoxProjectBot](https://github.com/OpenVoxProjectBot))
+- Restore the legend of help help help help help [\#364](https://github.com/OpenVoxProject/openvox/pull/364) ([nmburgan](https://github.com/nmburgan))
+- Fixes for Ruby 4.0 compatibility [\#311](https://github.com/OpenVoxProject/openvox/pull/311) ([silug](https://github.com/silug))
+
+## [8.25.0](https://github.com/openvoxproject/openvox/tree/8.25.0) (2026-02-17)
 
 [Full Changelog](https://github.com/openvoxproject/openvox/compare/8.24.2...8.25.0)
 
 **Implemented enhancements:**
 
+- \[Feature request\]: environment parameter for package resource [\#298](https://github.com/OpenVoxProject/openvox/issues/298)
 - Add Ubuntu 26.04 support [\#315](https://github.com/OpenVoxProject/openvox/pull/315) ([bastelfreak](https://github.com/bastelfreak))
 - Reduce OpenSSL monkey patch to only calling set\_params [\#308](https://github.com/OpenVoxProject/openvox/pull/308) ([ekohl](https://github.com/ekohl))
 - Remove monkey patch to remove daemonize [\#307](https://github.com/OpenVoxProject/openvox/pull/307) ([ekohl](https://github.com/ekohl))

data/Gemfile

@@ -19,11 +19,9 @@ end
 gem "openfact", *location_for(ENV['OPENFACT_LOCATION'] || ["~> 5.0"])
 gem "semantic_puppet", *location_for(ENV['SEMANTIC_PUPPET_LOCATION'] || ["~> 1.0"])
 gem "puppet-resource_api", *location_for(ENV['RESOURCE_API_LOCATION'] || ["~> 2.0"])
-# Need to update the openssl gem on MacOS to avoid SSL errors. Doesn't hurt to have the newest
-# for all platforms.
+# Need to update the openssl gem on MacOS to avoid SSL errors.
 # https://www.rubyonmac.dev/certificate-verify-failed-unable-to-get-certificate-crl-openssl-ssl-sslerror
-# openssl 4 raises some errors that need to be investigated
-gem 'openssl', '~> 3' unless `uname -o`.chomp == 'Cygwin'
+gem 'openssl', '~> 3' if RUBY_PLATFORM =~ /darwin/
 
 group(:features) do
   gem 'diff-lcs', '~> 1.3', require: false
@@ -58,7 +56,7 @@ group(:test) do
   gem 'webrick', '~> 1.7', require: false
   gem 'yard', require: false
 
-  gem 'rubocop', '~> 1.81.6', require: false, platforms: [:ruby]
+  gem 'rubocop', '~> 1.86.1', require: false, platforms: [:ruby]
   gem 'rubocop-i18n', '~> 3.0', require: false, platforms: [:ruby]
   gem 'rubocop-performance', '~> 1.0', require: false, platforms: [:ruby]
   gem 'rubocop-rake', '~> 0.6', require: false, platforms: [:ruby]
@@ -86,13 +84,17 @@ end
 group(:documentation, optional: true) do
   gem 'gettext-setup', '~> 1.0', require: false, platforms: [:ruby]
   gem 'ronn-ng', '~> 0.10.1', require: false, platforms: [:ruby]
-  gem 'puppet-strings', require: false, platforms: [:ruby]
+  gem 'openvox-strings', require: false, platforms: [:ruby]
   gem 'pandoc-ruby', require: false, platforms: [:ruby]
 end
 
-group :release, optional: true do
-  gem 'faraday-retry', require: false
-  gem 'github_changelog_generator', require: false, git: 'https://github.com/voxpupuli/github-changelog-generator', branch: 'avoid-processing-a-single-commit-multiple-time'
+# exlude the windows platform, faraday doesn't install properly on it
+# and we only generate the changelog in github linux runners
+platforms :ruby do
+  group :release, optional: true do
+    gem 'faraday-retry', require: false
+    gem 'github_changelog_generator', require: false, git: 'https://github.com/voxpupuli/github-changelog-generator', branch: 'avoid-processing-a-single-commit-multiple-time'
+  end
 end
 
 if File.exist? "#{__FILE__}.local"

data/ext/systemd/puppet.service

@@ -9,7 +9,7 @@
 # then running systemctl show puppet | grep LimitNOFILE
 #
 [Unit]
-Description=Puppet agent
+Description=Puppet agent daemon provided by OpenVox
 Documentation=man:puppet-agent(8)
 Wants=basic.target
 After=basic.target network.target network-online.target

data/lib/puppet/application/ssl.rb

@@ -43,6 +43,11 @@ class Puppet::Application::Ssl < Puppet::Application
       * --target CERTNAME
         Clean the specified device certificate instead of this host's certificate.
 
+      * --if-expiring-in DURATION
+        When renewing a certificate only renew if the certificate is valid for
+        less than this amount of time. Duration can be specified as a time
+        interval, such as 30s, 5m, 1h.
+
       ACTIONS
       -------
 
@@ -71,6 +76,11 @@ class Puppet::Application::Ssl < Puppet::Application
         for subsequent requests. If there is already an existing certificate, it
         will be overwritten.
 
+      * renew_cert
+        Renew an existing and non-expired client certificate. When
+        `--if-expiring-in` option is specified, then renew the certificate only
+        if it's going to expire in the amount of time given.
+
       * verify:
         Verify the private key and certificate are present and match, verify the
         certificate is issued by a trusted CA, and check revocation status.
@@ -98,6 +108,28 @@ class Puppet::Application::Ssl < Puppet::Application
   option('--localca')
   option('--verbose', '-v')
   option('--debug', '-d')
+  option('--if-expiring-in DURATION') do |arg|
+    options[:expiring_in_sec] = parse_duration(arg)
+  end
+
+  def parse_duration(value)
+    unit_map = {
+      "y" => 365 * 24 * 60 * 60,
+      "d" => 24 * 60 * 60,
+      "h" => 60 * 60,
+      "m" => 60,
+      "s" => 1
+    }
+    format = /^(\d+)(y|d|h|m|s)?$/
+
+    v = (value.is_a?(Integer) ? "#{value}s" : value)
+
+    if v =~ format
+      Regexp.last_match(1).to_i * unit_map[::Regexp.last_match(2) || 's']
+    else
+      raise ArgumentError, "Invalid duration format: #{value}"
+    end
+  end
 
   def initialize(command_line = Puppet::Util::CommandLine.new)
     super(command_line)
@@ -148,6 +180,8 @@ class Puppet::Application::Ssl < Puppet::Application
       unless cert
         raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
+    when 'renew_cert'
+      renew_cert(certname, options[:expiring_in_sec])
     when 'generate_request'
       generate_request(certname)
     when 'verify'
@@ -248,6 +282,37 @@ class Puppet::Application::Ssl < Puppet::Application
     raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
   end
 
+  def renew_cert(certname, expiring_in_sec_maybe)
+    ssl_context = @ssl_provider.load_context(certname: certname)
+
+    if expiring_in_sec_maybe && (ssl_context[:client_cert].not_after - Time.now) > expiring_in_sec_maybe
+      Puppet.info _("Certificate '%{name}' is still valid until %{date}") % { name: certname, date: ssl_context[:client_cert].not_after }
+      return ssl_context[:client_cert]
+    end
+
+    Puppet.debug _("Renewing certificate '%{name}'") % { name: certname }
+    route = create_route(ssl_context)
+    _, x509 = route.post_certificate_renewal(ssl_context)
+    cert = OpenSSL::X509::Certificate.new(x509)
+    Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: certname, fingerprint: fingerprint(cert) }
+
+    # verify client cert before saving
+    @ssl_provider.create_context(
+      cacerts: ssl_context.cacerts, crls: ssl_context.crls, private_key: ssl_context.private_key, client_cert: cert
+    )
+    @cert_provider.save_client_cert(certname, cert)
+    @cert_provider.delete_request(certname)
+    cert
+  rescue Puppet::HTTP::ResponseError => e
+    if e.response.code == 404
+      nil
+    else
+      raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
+    end
+  rescue => e
+    raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
+  end
+
   def verify(certname)
     password = @cert_provider.load_private_key_password
     ssl_context = @ssl_provider.load_context(certname: certname, password: password)

data/lib/puppet/defaults.rb

@@ -26,8 +26,8 @@ module Puppet
 
   def self.valid_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
-      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime] :
-      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime]
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime etag] :
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime etag]
   end
 
   def self.default_cadir

data/lib/puppet/face/help.rb

@@ -42,6 +42,24 @@ Puppet::Face.define(:help, '0.0.1') do
       end
 
       if args.length > 2
+        # rubocop:disable all
+        if args.select { |x| x == 'help' }.length > 2 then
+          c = "\n %'(),-./=ADEFHILORSTUXY\\_`gnv|".split('')
+          i = <<-'EOT'.gsub(/\s*/, '').to_i(36)
+            3he6737w1aghshs6nwrivl8mz5mu9nywg9tbtlt081uv6fq5kvxse1td3tj1wvccmte806nb
+            cy6de2ogw0fqjymbfwi6a304vd56vlq71atwmqsvz3gpu0hj42200otlycweufh0hylu79t3
+            gmrijm6pgn26ic575qkexyuoncbujv0vcscgzh5us2swklsp5cqnuanlrbnget7rt3956kam
+            j8adhdrzqqt9bor0cv2fqgkloref0ygk3dekiwfj1zxrt13moyhn217yy6w4shwyywik7w0l
+            xtuevmh0m7xp6eoswin70khm5nrggkui6z8vdjnrgdqeojq40fya5qexk97g4d8qgw0hvokr
+            pli1biaz503grqf2ycy0ppkhz1hwhl6ifbpet7xd6jjepq4oe0ofl575lxdzjeg25217zyl4
+            nokn6tj5pq7gcdsjre75rqylydh7iia7s3yrko4f5ud9v8hdtqhu60stcitirvfj6zphppmx
+            7wfm7i9641d00bhs44n6vh6qvx39pg3urifgr6ihx3e0j1ychzypunyou7iplevitkyg6gbg
+            wm08oy1rvogcjakkqc1f7y1awdfvlb4ego8wrtgu9vzw4vmj59utwifn2ejcs569dh1oaavi
+            sc581n7jjg1dugzdu094fdobtx6rsvk3sfctvqnr36xctold
+          EOT
+          353.times{i,x=i.divmod(1184);a,b=x.divmod(37);print(c[a]*b)}
+        end
+        # rubocop:enable all
         # TRANSLATORS 'puppet help' is a command line and should not be translated
         raise ArgumentError, _("The 'puppet help' command takes two (optional) arguments: a subcommand and an action")
       end

data/lib/puppet/file_serving/http_metadata.rb

@@ -35,6 +35,19 @@ class Puppet::FileServing::HttpMetadata < Puppet::FileServing::Metadata
       end
     end
 
+    etag = http_response['etag']
+    if etag && !etag.start_with?('W/')
+      etag_value = etag.delete('"').strip
+      case etag_value
+      when /\A[0-9a-f]{64}\z/i
+        @checksums[:etag] = "{sha256}#{etag_value.downcase}"
+      when /\A[0-9a-f]{40}\z/i
+        @checksums[:etag] = "{sha1}#{etag_value.downcase}"
+      when /\A[0-9a-f]{32}\z/i
+        @checksums[:etag] = "{md5}#{etag_value.downcase}"
+      end
+    end
+
     last_modified = http_response['last-modified']
     if last_modified
       mtime = DateTime.httpdate(last_modified).to_time
@@ -51,6 +64,18 @@ class Puppet::FileServing::HttpMetadata < Puppet::FileServing::Metadata
     # Prefer the checksum_type from the indirector request options
     # but fall back to the alternative otherwise
     [@checksum_type, :sha256, :sha1, :md5, :mtime].each do |type|
+      if type == :etag
+        if @checksums[:etag]
+          @checksum = @checksums[:etag]
+          resolved = sumtype(@checksum).to_sym
+          next if resolved == :md5 && Puppet::Util::Platform.fips_enabled?
+
+          @checksum_type = resolved
+          break
+        end
+        next
+      end
+
       next if type == :md5 && Puppet::Util::Platform.fips_enabled?
 
       @checksum_type = type

data/lib/puppet/functions/regsubst.rb

@@ -29,7 +29,7 @@ Puppet::Functions.create_function(:regsubst) do
   #   $i3 = regsubst($ipaddress,'^(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)$','\\3')
   #   ```
   dispatch :regsubst_string do
-    param          'Variant[Array[String],String]',       :target
+    param          'Variant[Array[Variant[String,Sensitive[String]]],Sensitive[Array[Variant[String,Sensitive[String]]]],Variant[String,Sensitive[String]]]', :target
     param          'String',                              :pattern
     param          'Variant[String,Hash[String,String]]', :replacement
     optional_param 'Optional[Pattern[/^[GEIM]*$/]]',      :flags
@@ -59,7 +59,7 @@ Puppet::Functions.create_function(:regsubst) do
   #   $x = regsubst($ipaddress, /([0-9]+)/, '<\\1>', 'G')
   #   ```
   dispatch :regsubst_regexp do
-    param          'Variant[Array[String],String]',       :target
+    param          'Variant[Array[Variant[String,Sensitive[String]]],Sensitive[Array[Variant[String,Sensitive[String]]]],Variant[String,Sensitive[String]]]', :target
     param          'Variant[Regexp,Type[Regexp]]',        :pattern
     param          'Variant[String,Hash[String,String]]', :replacement
     optional_param 'Pattern[/^G?$/]',                     :flags
@@ -94,7 +94,26 @@ Puppet::Functions.create_function(:regsubst) do
   end
 
   def inner_regsubst(target, re, replacement, op)
-    target.respond_to?(op) ? target.send(op, re, replacement) : target.collect { |e| e.send(op, re, replacement) }
+    if target.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) && target.unwrap.is_a?(Array)
+      # this is a Sensitive Array
+      target = target.unwrap
+      target.map do |item|
+        inner_regsubst(item, re, replacement, op)
+      end
+    elsif target.is_a?(Array)
+      # this is an Array
+      target.map do |item|
+        inner_regsubst(item, re, replacement, op)
+      end
+    elsif target.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      # this is a Sensitive
+      target = target.unwrap
+      target = target.respond_to?(op) ? target.send(op, re, replacement) : target.map { |e| e.send(op, re, replacement) }
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(target)
+    else
+      # this should be a String
+      target.respond_to?(op) ? target.send(op, re, replacement) : target.map { |e| e.send(op, re, replacement) }
+    end
   end
   private :inner_regsubst
 end

data/lib/puppet/module_tool/applications/unpacker.rb

@@ -16,6 +16,8 @@ module Puppet::ModuleTool
       end
 
       def self.harmonize_ownership(source, target)
+        return unless Puppet[:manage_internal_file_permissions]
+
         unless Puppet::Util::Platform.windows?
           source = Pathname.new(source) unless source.respond_to?(:stat)
           target = Pathname.new(target) unless target.respond_to?(:stat)

data/lib/puppet/pops/issues.rb

@@ -26,7 +26,7 @@ module Issues
     attr_writer :demotable
 
     # Configures the Issue with required arguments (bound by occurrence), and a block producing a message.
-    def initialize issue_code, *args, &block
+    def initialize(issue_code, *args, &block)
       @issue_code = issue_code
       @message_block = block
       @arg_names = args
@@ -62,7 +62,7 @@ module Issues
   # @api private
   #
   class MessageData
-    def initialize *argnames
+    def initialize(*argnames)
       singleton = class << self; self end
       argnames.each do |name|
         singleton.send(:define_method, name) do

data/lib/puppet/provider/package/apt.rb

@@ -165,7 +165,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
 
     unhold if properties[:mark] == :hold
     begin
-      aptget(*cmd)
+      with_environment { aptget(*cmd) }
     ensure
       hold if @resource[:mark] == :hold
     end
@@ -213,7 +213,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     args = ['-y', '-q']
     args << '--allow-change-held-packages' if properties[:mark] == :hold
     args << :remove << @resource[:name]
-    aptget(*args)
+    with_environment { aptget(*args) }
   end
 
   def purge
@@ -221,7 +221,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     args = ['-y', '-q']
     args << '--allow-change-held-packages' if properties[:mark] == :hold
     args << :remove << '--purge' << @resource[:name]
-    aptget(*args)
+    with_environment { aptget(*args) }
     # workaround a "bug" in apt, that already removed packages are not purged
     super
   end

data/lib/puppet/provider/package/dpkg.rb

@@ -103,7 +103,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
 
     unhold if properties[:mark] == :hold
     begin
-      dpkg(*args)
+      with_environment { dpkg(*args) }
     ensure
       hold if @resource[:mark] == :hold
     end
@@ -166,11 +166,11 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
   end
 
   def uninstall
-    dpkg "-r", @resource[:name]
+    with_environment { dpkg "-r", @resource[:name] }
   end
 
   def purge
-    dpkg "--purge", @resource[:name]
+    with_environment { dpkg "--purge", @resource[:name] }
   end
 
   def hold

data/lib/puppet/provider/package/openbsd.rb

@@ -6,6 +6,10 @@ require_relative '../../../puppet/provider/package'
 Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Package do
   desc "OpenBSD's form of `pkg_add` support.
 
+    OpenBSD has the concept of package branches, providing multiple versions of the
+    same package, i.e. `stable` vs. `snapshot`. To select a specific branch,
+    suffix the package name with % sign follwed by the branch name, i.e. `gimp%stable`.
+
     This provider supports the `install_options` and `uninstall_options`
     attributes, which allow command-line flags to be passed to pkg_add and pkg_delete.
     These options should be specified as an array where each element is either a
@@ -18,10 +22,8 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
   defaultfor 'os.name' => :openbsd
   confine 'os.name' => :openbsd
 
-  has_feature :versionable
   has_feature :install_options
   has_feature :uninstall_options
-  has_feature :upgradeable
   has_feature :supports_flavors
 
   def self.instances
@@ -30,8 +32,8 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
     begin
       execpipe(listcmd) do |process|
         # our regex for matching pkg_info output
-        regex = /^(.*)-(\d[^-]*)-?([\w-]*)(.*)$/
-        fields = [:name, :ensure, :flavor]
+        regex = /^(.*)--([\w-]+)?(%[^w]+)?$/
+        fields = [:name, :flavor, :branch]
         hash = {}
 
         # now turn each returned line into a package object
@@ -42,8 +44,9 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
               hash[field] = value
             }
 
-            hash[:provider] = name
+            hash[:name] = "#{hash[:name]}#{hash[:branch]}" if hash[:branch]
 
+            hash[:provider] = name
             packages << new(hash)
             hash = {}
           else
@@ -63,175 +66,55 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
   end
 
   def self.listcmd
-    [command(:pkginfo), "-a"]
-  end
-
-  def latest
-    parse_pkgconf
-
-    if @resource[:source][-1, 1] == ::File::SEPARATOR
-      e_vars = { 'PKG_PATH' => @resource[:source] }
-    else
-      e_vars = {}
-    end
-
-    if @resource[:flavor]
-      query = "#{@resource[:name]}--#{@resource[:flavor]}"
-    else
-      query = @resource[:name]
-    end
-
-    output = Puppet::Util.withenv(e_vars) { pkginfo "-Q", query }
-    version = properties[:ensure]
-
-    if output.nil? or output.size == 0 or output =~ /Error from /
-      debug "Failed to query for #{resource[:name]}"
-      return version
-    else
-      # Remove all fuzzy matches first.
-      output = output.split.select { |p| p =~ /^#{resource[:name]}-(\d[^-]*)-?(\w*)/ }.join
-      debug "pkg_info -Q for #{resource[:name]}: #{output}"
-    end
-
-    if output =~ /^#{resource[:name]}-(\d[^-]*)-?(\w*) \(installed\)$/
-      debug "Package is already the latest available"
-      version
-    else
-      match = /^(.*)-(\d[^-]*)-?(\w*)$/.match(output)
-      debug "Latest available for #{resource[:name]}: #{match[2]}"
-
-      if version.to_sym == :absent || version.to_sym == :purged
-        return match[2]
-      end
-
-      vcmp = version.split('.').map(&:to_i) <=> match[2].split('.').map(&:to_i)
-      if vcmp > 0
-        # The locally installed package may actually be newer than what a mirror
-        # has. Log it at debug, but ignore it otherwise.
-        debug "Package #{resource[:name]} #{version} newer then available #{match[2]}"
-        version
-      else
-        match[2]
-      end
-    end
+    [command(:pkginfo), "-a", "-z"]
   end
 
-  def update
-    install(true)
-  end
-
-  def parse_pkgconf
-    unless @resource[:source]
-      if Puppet::FileSystem.exist?("/etc/pkg.conf")
-        File.open("/etc/pkg.conf", "rb").readlines.each do |line|
-          matchdata = line.match(/^installpath\s*=\s*(.+)\s*$/i)
-          if matchdata
-            @resource[:source] = matchdata[1]
-          else
-            matchdata = line.match(/^installpath\s*\+=\s*(.+)\s*$/i)
-            if matchdata
-              if @resource[:source].nil?
-                @resource[:source] = matchdata[1]
-              else
-                @resource[:source] += ":" + matchdata[1]
-              end
-            end
-          end
-        end
-
-        unless @resource[:source]
-          raise Puppet::Error,
-                _("No valid installpath found in /etc/pkg.conf and no source was set")
-        end
-      else
-        raise Puppet::Error,
-              _("You must specify a package source or configure an installpath in /etc/pkg.conf")
-      end
-    end
-  end
-
-  def install(latest = false)
+  def install
     cmd = []
 
-    parse_pkgconf
-
-    if @resource[:source][-1, 1] == ::File::SEPARATOR
-      e_vars = { 'PKG_PATH' => @resource[:source] }
-      full_name = get_full_name(latest)
-    else
-      e_vars = {}
-      full_name = @resource[:source]
-    end
+    full_name = get_full_name
 
+    cmd << '-r'
     cmd << install_options
     cmd << full_name
 
-    if latest
-      cmd.unshift('-rz')
+    # pkg_add(1) doesn't set the return value upon failure so we have to peek
+    # at it's output to see if something went wrong.
+    output = Puppet::Util.withenv({}) { pkgadd cmd.flatten.compact }
+    if output =~ /Can't find /
+      self.fail "pkg_add returned: #{output.chomp}"
     end
-
-    Puppet::Util.withenv(e_vars) { pkgadd cmd.flatten.compact }
   end
 
-  def get_full_name(latest = false)
+  def get_full_name
     # In case of a real update (i.e., the package already exists) then
-    # pkg_add(8) can handle the flavors. However, if we're actually
+    # pkg_add(1) can handle the flavors. However, if we're actually
     # installing with 'latest', we do need to handle the flavors. This is
-    # done so we can feed pkg_add(8) the full package name to install to
+    # done so we can feed pkg_add(1) the full package name to install to
     # prevent ambiguity.
-    if latest && resource[:flavor]
-      "#{resource[:name]}--#{resource[:flavor]}"
-    elsif latest
-      # Don't depend on get_version for updates.
-      @resource[:name]
-    else
-      # If :ensure contains a version, use that instead of looking it up.
-      # This allows for installing packages with the same stem, but multiple
-      # version such as openldap-server.
-      if @resource[:ensure].to_s =~ /(\d[^-]*)$/
-        use_version = @resource[:ensure]
-      else
-        use_version = get_version
-      end
 
-      [@resource[:name], use_version, @resource[:flavor]].join('-').gsub(/-+$/, '')
+    name_branch_regex = /^(\S*)(%\w*)$/
+    match = name_branch_regex.match(@resource[:name])
+    if match
+      use_name = match.captures[0]
+      use_branch = match.captures[1]
+    else
+      use_name = @resource[:name]
+      use_branch = ''
     end
-  end
-
-  def get_version
-    execpipe([command(:pkginfo), "-I", @resource[:name]]) do |process|
-      # our regex for matching pkg_info output
-      regex = /^(.*)-(\d[^-]*)-?(\w*)(.*)$/
-      master_version = 0
-      version = -1
-
-      process.each_line do |line|
-        match = regex.match(line.split[0])
-        next unless match
-
-        # now we return the first version, unless ensure is latest
-        version = match.captures[1]
-        return version unless @resource[:ensure] == "latest"
-
-        master_version = version unless master_version > version
-      end
-
-      return master_version unless master_version == 0
-      return '' if version == -1
 
-      raise Puppet::Error, _("%{version} is not available for this package") % { version: version }
+    if @resource[:flavor]
+      "#{use_name}--#{@resource[:flavor]}#{use_branch}"
+    else
+      "#{use_name}--#{use_branch}"
     end
-  rescue Puppet::ExecutionFailure
-    nil
   end
 
   def query
-    # Search for the version info
-    if pkginfo(@resource[:name]) =~ /Information for (inst:)?#{@resource[:name]}-(\S+)/
-      { :ensure => Regexp.last_match(2) }
-    else
-      nil
+    pkg = self.class.instances.find do |package|
+      @resource[:name] == package.name
     end
+    pkg ? pkg.properties : nil
   end
 
   def install_options
@@ -239,15 +122,15 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
   end
 
   def uninstall_options
-    join_options(resource[:uninstall_options])
+    join_options(resource[:uninstall_options]) || []
   end
 
   def uninstall
-    pkgdelete uninstall_options.flatten.compact, @resource[:name]
+    pkgdelete uninstall_options.flatten.compact, get_full_name
   end
 
   def purge
-    pkgdelete "-c", "-q", @resource[:name]
+    pkgdelete "-c", "-qq", uninstall_options.flatten.compact, get_full_name
   end
 
   def flavor
@@ -256,7 +139,6 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
 
   def flavor=(value)
     if flavor != @resource.should(:flavor)
-      uninstall
       install
     end
   end

data/lib/puppet/provider/package/rpm.rb

@@ -135,7 +135,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
     flag = ["-i"]
     flag = ["-U", "--oldpackage"] if version && (version != :absent && version != :purged)
     flag += install_options if resource[:install_options]
-    rpm flag, source
+    with_environment { rpm flag, source }
   end
 
   def uninstall
@@ -171,7 +171,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
 
     flag = ['-e']
     flag += uninstall_options if resource[:uninstall_options]
-    rpm flag, identifier
+    with_environment { rpm flag, identifier }
   end
 
   def update

data/lib/puppet/provider/package/zypper.rb

@@ -142,7 +142,7 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
     options << '--name' unless major < 1 || @resource.allow_virtual? || should
     options << wanted
 
-    zypper(*options)
+    with_environment { zypper(*options) }
 
     unless query
       raise Puppet::ExecutionFailure, _("Could not find package %{name}") % { name: name }
@@ -176,7 +176,7 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
 
       options << @resource[:name]
 
-      zypper(*options)
+      with_environment { zypper(*options) }
     end
   end
 

data/lib/puppet/provider/package.rb

@@ -35,6 +35,73 @@ class Puppet::Provider::Package < Puppet::Provider
     true
   end
 
+  # @return [Hash<String, String>] Environment variables parsed from the resource's
+  #   `environment` parameter, or an empty hash if none are set.
+  # @api private
+  def package_environment
+    env = {}
+
+    return env unless resource.respond_to?(:parameters)
+
+    env_param = resource.parameters[:environment]
+    return env unless env_param
+
+    envlist = env_param.value
+    return env unless envlist
+
+    envlist = [envlist] unless envlist.is_a? Array
+    envlist.each do |setting|
+      unless (match = /\A(\w+)=((.|\n)*)\z/.match(setting))
+        warning _("Cannot understand environment setting %{setting}") % { setting: setting.inspect }
+        next
+      end
+      var = match[1]
+      value = match[2]
+
+      if env.include?(var)
+        warning _("Overriding environment setting '%{var}'") % { var: var }
+      end
+
+      if value.nil? || value.empty?
+        msg = _("Empty environment setting '%{var}'") % { var: var }
+        Puppet.warn_once('undefined_variables', "empty_env_var_#{var}", msg, resource.file, resource.line)
+      end
+
+      env[var] = value
+    end
+
+    env
+  end
+
+  # Injects the resource's environment variables into execute calls via
+  # `:custom_environment`. Providers using `execute()` directly get this
+  # automatically.
+  def execute(*args)
+    env = package_environment
+    unless env.empty?
+      if args.last.is_a?(Hash)
+        existing = args.last[:custom_environment] || {}
+        args.last[:custom_environment] = existing.merge(env)
+      else
+        args << { :custom_environment => env }
+      end
+    end
+    super(*args)
+  end
+
+  # Wraps a block with the resource's environment variables applied via
+  # `Puppet::Util.withenv`. Use this around named command methods (e.g.
+  # `aptget`, `dpkg`, `rpm`) that bypass instance-level `execute`.
+  # @api private
+  def with_environment(&block)
+    env = package_environment
+    if env.empty?
+      yield
+    else
+      Puppet::Util.withenv(env, &block)
+    end
+  end
+
   # Turns a array of options into flags to be passed to a command.
   # The options can be passed as a string or hash. Note that passing a hash
   # should only be used in case --foo=bar must be passed,

data/lib/puppet/provider/user/openbsd.rb

@@ -76,4 +76,19 @@ Puppet::Type.type(:user).provide :openbsd, :parent => :useradd do
     end
     cmd
   end
+
+  def password=(value)
+    user = @resource.name
+    begin
+      cmd = [command(:modify), '-p', value, user]
+      execute_options = {
+        :failonfail => true,
+        :combine => true,
+        :sensitive => has_sensitive_data?
+      }
+      execute(cmd, execute_options)
+    rescue => detail
+      raise Puppet::Error, "Could not set password on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
+    end
+  end
 end

data/lib/puppet/resource.rb

@@ -590,7 +590,7 @@ class Puppet::Resource
           argtype =~ /^([^\[\]]+)\[(.+)\]$/m                   then [::Regexp.last_match(1), ::Regexp.last_match(2)]
     elsif argtitle                                             then [argtype,            argtitle]
     elsif argtype.is_a?(Puppet::Type)                          then [argtype.class.name, argtype.title]
-    else  raise ArgumentError, _("No title provided and %{type} is not a valid resource reference") % { type: argtype.inspect } # rubocop:disable Lint/ElseLayout
+    else  raise ArgumentError, _("No title provided and %{type} is not a valid resource reference") % { type: argtype.inspect }
     end
   end
   private_class_method :extract_type_and_title

data/lib/puppet/type/file/checksum.rb

@@ -13,7 +13,7 @@ Puppet::Type.type(:file).newparam(:checksum) do
     The default checksum type is sha256."
 
   # The values are defined in Puppet::Util::Checksums.known_checksum_types
-  newvalues(:sha256, :sha256lite, :md5, :md5lite, :sha1, :sha1lite, :sha512, :sha384, :sha224, :mtime, :ctime, :none)
+  newvalues(:sha256, :sha256lite, :md5, :md5lite, :sha1, :sha1lite, :sha512, :sha384, :sha224, :mtime, :ctime, :none, :etag)
 
   defaultto do
     Puppet[:digest_algorithm].to_sym
@@ -47,8 +47,18 @@ Puppet::Type.type(:file).newparam(:checksum) do
   private
 
   # Return the appropriate digest algorithm with fallbacks in case puppet defaults have not
-  # been initialized.
+  # been initialized. When the checksum type is :etag, resolve to the actual
+  # hash algorithm that the HTTP server's ETag represents.
   def digest_algorithm
-    value || Puppet[:digest_algorithm].to_sym
+    type = value || Puppet[:digest_algorithm].to_sym
+    return type unless type == :etag
+
+    source = resource.parameter(:source)
+    resolved = source&.metadata&.checksum_type
+    if resolved && ![:etag, :mtime, :ctime, :none].include?(resolved)
+      return resolved
+    end
+
+    :md5
   end
 end

data/lib/puppet/type/package.rb

@@ -533,6 +533,30 @@ module Puppet
       defaultto false
     end
 
+    newparam(:environment) do
+      desc <<-EOT
+        An array of additional environment variables to set for package
+        commands, such as `[ 'HOME=/root', 'DISABLE_TELEMETRY=1']`.
+
+            package { 'opensearch':
+              ensure      => installed,
+              environment => [ 'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongP@ss!' ],
+            }
+
+        These variables are applied to all package management commands
+        (install, update, uninstall, purge) executed by the provider.
+      EOT
+
+      validate do |values|
+        values = [values] unless values.is_a? Array
+        values.each do |value|
+          unless value =~ /\A\w+=/
+            raise ArgumentError, _("Invalid environment setting '%{value}'") % { value: value }
+          end
+        end
+      end
+    end
+
     newparam(:install_options, :parent => Puppet::Parameter::PackageOptions, :required_features => :install_options) do
       desc <<-EOT
         An array of additional options to pass when installing a package. These

data/lib/puppet/util/checksums.rb

@@ -17,7 +17,8 @@ module Puppet::Util::Checksums
     :sha512,
     :sha384,
     :sha224,
-    :mtime, :ctime, :none
+    :mtime, :ctime, :none,
+    :etag
   ].freeze
 
   # It's not a good idea to use some of these in some contexts: for example, I
@@ -339,6 +340,25 @@ module Puppet::Util::Checksums
     ""
   end
 
+  # ETag-based checksum delegates to md5 for local file computation.
+  # The actual algorithm is determined at runtime by HttpMetadata#collect
+  # based on the ETag header length.
+  def etag(content)
+    md5(content)
+  end
+
+  def etag?(string)
+    string =~ /^\h{32,64}$/
+  end
+
+  def etag_file(filename, lite = false)
+    md5_file(filename, lite)
+  end
+
+  def etag_stream(lite = false, &block)
+    md5_stream(lite, &block)
+  end
+
   class DigestLite
     def initialize(digest, lite = false)
       @digest = digest

data/lib/puppet/util/execution.rb

@@ -78,8 +78,8 @@ module Puppet::Util::Execution
     # a predictable output
     english_env = ENV.to_hash.merge({ 'LANG' => 'C', 'LC_ALL' => 'C' })
     output = Puppet::Util.withenv(english_env) do
-      # We are intentionally using 'pipe' with open to launch a process
-      open("| #{command_str} 2>&1") do |pipe| # rubocop:disable Security/Open
+      # Use IO.popen instead of open for Ruby 4 compatibility
+      IO.popen("#{command_str} 2>&1", "r") do |pipe|
         yield pipe
       end
     end

data/lib/puppet/util/tag_set.rb

@@ -11,7 +11,8 @@ class Puppet::Util::TagSet < Set
   end
 
   def to_yaml
-    @hash.keys.to_yaml
+    # Ruby 4 changed Set's internal structure, use to_a instead of @hash.keys
+    to_a.to_yaml
   end
 
   def self.from_data_hash(data)

data/lib/puppet/version.rb

@@ -8,7 +8,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '8.25.0'
+  PUPPETVERSION = '8.26.0'
   IMPLEMENTATION = 'openvox'
 
   ##

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openvox
 version: !ruby/object:Gem::Version
-  version: 8.25.0
+  version: 8.26.0
 platform: ruby
 authors:
 - OpenVox Project
@@ -97,6 +97,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '5'
+- !ruby/object:Gem::Dependency
+  name: fiddle
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: getoptlong
   requirement: !ruby/object:Gem::Requirement
@@ -1352,7 +1366,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: OpenVox, a community implementation of Puppet -- an automated configuration
   management tool