puppet 6.29.0 → 7.0.0

data/lib/puppet/ssl/state_machine.rb

@@ -10,7 +10,7 @@ require 'puppet/util/pidlock'
 # certs. This way we're sure about which SSLContext is being used during any
 # phase of the bootstrapping process.
 #
-# @private
+# @api private
 class Puppet::SSL::StateMachine
   class SSLState
     attr_reader :ssl_context
@@ -27,15 +27,6 @@ class Puppet::SSL::StateMachine
       detail.set_backtrace(cause.backtrace)
       Error.new(@machine, message, detail)
     end
-
-    def log_error(message)
-      # When running daemonized we set stdout to /dev/null, so write to the log instead
-      if Puppet[:daemonize]
-        Puppet.err(message)
-      else
-        $stdout.puts(message)
-      end
-    end
   end
 
   # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -279,15 +270,15 @@ class Puppet::SSL::StateMachine
     def next_state
       time = @machine.waitforcert
       if time < 1
-        log_error(_("Exiting now because the waitforcert setting is set to 0."))
+        puts _("Exiting now because the waitforcert setting is set to 0.")
         exit(1)
       elsif Time.now.to_i > @machine.wait_deadline
-        log_error(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] })
+        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
         exit(1)
       else
         Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
-        # close http/tls and session state before sleeping
+        # close persistent connections and session state before sleeping
         Puppet.runtime[:http].close
         @machine.session = Puppet.runtime[:http].create_session
 
@@ -414,6 +405,7 @@ class Puppet::SSL::StateMachine
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
+  # @api private
   def ensure_ca_certificates
     final_state = run_machine(NeedLock.new(self), NeedKey)
     final_state.ssl_context
@@ -423,10 +415,24 @@ class Puppet::SSL::StateMachine
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
+  # @api private
   def ensure_client_certificate
     final_state = run_machine(NeedLock.new(self), Done)
     ssl_context = final_state.ssl_context
-    @ssl_provider.print(ssl_context, @digest)
+
+    if Puppet::Util::Log.sendlevel?(:debug)
+      chain = ssl_context.client_chain
+      # print from root to client
+      chain.reverse.each_with_index do |cert, i|
+        digest = Puppet::SSL::Digest.new(@digest, cert.to_der)
+        if i == chain.length - 1
+          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
+        else
+          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
+        end
+      end
+    end
+
     ssl_context
   end
 

data/lib/puppet/ssl/verifier.rb

@@ -14,6 +14,7 @@ class Puppet::SSL::Verifier
   # @param hostname [String] FQDN of the server we're attempting to connect to
   # @param ssl_context [Puppet::SSL::SSLContext] ssl_context containing CA certs,
   #   CRLs, etc needed to verify the server's certificate chain
+  # @api private
   def initialize(hostname, ssl_context)
     @hostname = hostname
     @ssl_context = ssl_context
@@ -25,6 +26,7 @@ class Puppet::SSL::Verifier
   #
   # @param verifier [Puppet::SSL::Verifier] the verifier to compare against
   # @return [Boolean] return true if a cached connection can be used, false otherwise
+  # @api private
   def reusable?(verifier)
     verifier.instance_of?(self.class) &&
       verifier.ssl_context.object_id == @ssl_context.object_id
@@ -115,12 +117,6 @@ class Puppet::SSL::Verifier
         return false
       end
 
-    # ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
-    # store_context error when the cert is mismatched
-    when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
-      @last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
-      return false
-
     when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
       crl = store_context.current_crl
       if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS

data/lib/puppet/ssl.rb

@@ -2,18 +2,22 @@
 require 'puppet'
 require 'puppet/ssl/openssl_loader'
 
+# Responsible for bootstrapping an agent's certificate and private key, generating
+# SSLContexts for use in making HTTPS connections, and handling CSR attributes and
+# certificate extensions.
+#
+# @see Puppet::SSL::SSLProvider
 # @api private
-module Puppet::SSL # :nodoc:
+module Puppet::SSL
   CA_NAME = "ca".freeze
-  require 'puppet/ssl/host'
+
   require 'puppet/ssl/oids'
-  require 'puppet/ssl/validator'
-  require 'puppet/ssl/validator/no_validator'
-  require 'puppet/ssl/validator/default_validator'
   require 'puppet/ssl/error'
   require 'puppet/ssl/ssl_context'
   require 'puppet/ssl/verifier'
-  require 'puppet/ssl/verifier_adapter'
   require 'puppet/ssl/ssl_provider'
   require 'puppet/ssl/state_machine'
+  require 'puppet/ssl/certificate'
+  require 'puppet/ssl/certificate_request'
+  require 'puppet/ssl/certificate_request_attributes'
 end

data/lib/puppet/test/test_helper.rb

@@ -142,16 +142,11 @@ module Puppet::Test
         },
         "Context for specs")
 
-      # trigger `require 'facter'`
-      Puppet.runtime[:facter]
-
+      Puppet.runtime.clear
       Puppet::Parser::Functions.reset
       Puppet::Application.clear!
       Puppet::Util::Profiler.clear
 
-      Puppet::SSL::Host.reset
-      Puppet::Rest::Routes.clear
-
       Puppet::Node::Facts.indirection.terminus_class = :memory
       facts = Puppet::Node::Facts.new(Puppet[:node_name_value])
       Puppet::Node::Facts.indirection.save(facts)
@@ -171,7 +166,6 @@ module Puppet::Test
 
       Puppet::Util::Storage.clear
       Puppet::Util::ExecutionStub.reset
-      Puppet.runtime.clear
 
       Puppet.clear_deprecation_warnings
 
@@ -226,6 +220,7 @@ module Puppet::Test
       {
           :logdir     => "/dev/null",
           :confdir    => "/dev/null",
+          :publicdir  => "/dev/null",
           :codedir    => "/dev/null",
           :vardir     => "/dev/null",
           :rundir     => "/dev/null",

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -137,7 +137,7 @@ class Puppet::Transaction::AdditionalResourceGenerator
       else
         @catalog.add_resource_after(parent_resource, res)
       end
-      @catalog.add_edge(@catalog.container_of(parent_resource), res) if @catalog.container_of(parent_resource)
+      @catalog.add_edge(@catalog.container_of(parent_resource), res)
       if @relationship_graph && priority
         # If we have a relationship_graph we should add the resource
         # to it (this is an eval_generate). If we don't, then the

data/lib/puppet/transaction/persistence.rb

@@ -6,26 +6,6 @@ require 'puppet/util/yaml'
 # as calculating corrective_change).
 # @api private
 class Puppet::Transaction::Persistence
-
-  def self.allowed_classes
-    @allowed_classes ||= [
-      Symbol,
-      Time,
-      Regexp,
-      # URI is excluded, because it serializes all instance variables including the
-      # URI parser. Better to serialize the URL encoded representation.
-      SemanticPuppet::Version,
-      # SemanticPuppet::VersionRange has many nested classes and is unlikely to be
-      # used directly, so ignore it
-      Puppet::Pops::Time::Timestamp,
-      Puppet::Pops::Time::TimeData,
-      Puppet::Pops::Time::Timespan,
-      Puppet::Pops::Types::PBinaryType::Binary,
-      # Puppet::Pops::Types::PSensitiveType::Sensitive values are excluded from
-      # the persistence store, ignore it.
-    ].freeze
-  end
-
   def initialize
     @old_data = {}
     @new_data = {"resources" => {}}
@@ -82,7 +62,7 @@ class Puppet::Transaction::Persistence
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, self.class.allowed_classes)
+        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 

data/lib/puppet/transaction/report.rb

@@ -66,8 +66,6 @@ class Puppet::Transaction::Report
   # Contains the name and port of the server that was successfully contacted
   # @return [String] a string of the format 'servername:port'
   attr_accessor :server_used
-  alias :master_used :server_used
-  alias :master_used= :server_used=
 
   # The host name for which the report is generated
   # @return [String] the host name
@@ -77,10 +75,6 @@ class Puppet::Transaction::Report
   # @return [String] the environment name
   attr_accessor :environment
 
-  # The name of the environment the agent initially started in
-  # @return [String] the environment name
-  attr_accessor :initial_environment
-
   # Whether there are changes that we decided not to apply because of noop
   # @return [Boolean]
   #
@@ -230,7 +224,7 @@ class Puppet::Transaction::Report
     @external_times ||= {}
     @host = Puppet[:node_name_value]
     @time = start_time
-    @report_format = 11
+    @report_format = 12
     @puppet_version = Puppet.version
     @configuration_version = configuration_version
     @transaction_uuid = transaction_uuid
@@ -330,7 +324,7 @@ class Puppet::Transaction::Report
     }
 
     # The following is include only when set
-    hash['master_used'] = hash['server_used'] = @server_used unless @server_used.nil?
+    hash['server_used'] = @server_used unless @server_used.nil?
     hash['catalog_uuid'] = @catalog_uuid unless @catalog_uuid.nil?
     hash['code_id'] = @code_id unless @code_id.nil?
     hash['job_id'] = @job_id unless @job_id.nil?
@@ -381,17 +375,7 @@ class Puppet::Transaction::Report
   # @api public
   #
   def raw_summary
-    report = {
-      "version" => {
-        "config" => configuration_version,
-        "puppet" => Puppet.version
-      },
-      "application" => {
-        "run_mode" => Puppet.run_mode.name.to_s,
-        "initial_environment" => initial_environment,
-        "converged_environment" => environment
-      }
-    }
+    report = { "version" => { "config" => configuration_version, "puppet" => Puppet.version  } }
 
     @metrics.each do |name, metric|
       key = metric.name.to_s

data/lib/puppet/transaction.rb

@@ -376,16 +376,10 @@ class Puppet::Transaction
     Puppet.debug { "Prefetching #{provider_class.name} resources for #{type_name}" }
     begin
       provider_class.prefetch(resources)
-    rescue LoadError, Puppet::MissingCommand => detail
+    rescue LoadError, StandardError => detail
       #TRANSLATORS `prefetch` is a function name and should not be translated
       message = _("Could not prefetch %{type_name} provider '%{name}': %{detail}") % { type_name: type_name, name: provider_class.name, detail: detail }
       Puppet.log_exception(detail, message)
-    rescue StandardError => detail
-      message = _("Could not prefetch %{type_name} provider '%{name}': %{detail}") % { type_name: type_name, name: provider_class.name, detail: detail }
-      Puppet.log_exception(detail, message)
-
-      raise unless Puppet.settings[:future_features]
-
       @prefetch_failed_providers[type_name][provider_class.name] = true
     end
     @prefetched_providers[type_name][provider_class.name] = true

data/lib/puppet/type/exec.rb

@@ -11,10 +11,7 @@ module Puppet
 
       * The command itself is already idempotent. (For example, `apt-get update`.)
       * The exec has an `onlyif`, `unless`, or `creates` attribute, which prevents
-        Puppet from running the command unless some condition is met. The
-        `onlyif` and `unless` commands of an `exec` are used in the process of
-        determining whether the `exec` is already in sync, therefore they must be run
-        during a noop Puppet run.
+        Puppet from running the command unless some condition is met.
       * The exec has `refreshonly => true`, which allows Puppet to run the
         command only when some other resource is changed. (See the notes on refreshing
         below.) 
@@ -201,20 +198,10 @@ module Puppet
         any output is logged at the `err` log level.
 
         Multiple `exec` resources can use the same `command` value; Puppet
-        only uses the resource title to ensure `exec`s are unique.
-
-        On *nix platforms, the command can be specified as an array of
-        strings and Puppet will invoke it using the more secure method of
-        parameterized system calls. For example, rather than executing the
-        malicious injected code, this command will echo it out:
-
-            command => ['/bin/echo', 'hello world; rm -rf /']
-      "
+        only uses the resource title to ensure `exec`s are unique."
 
       validate do |command|
-        unless command.is_a?(String) || command.is_a?(Array)
-          raise ArgumentError, _("Command must be a String or Array<String>, got value of class %{klass}") % { klass: command.class }
-        end
+        raise ArgumentError, _("Command must be a String, got value of class %{klass}") % { klass: command.class } unless command.is_a? String
       end
     end
 
@@ -457,7 +444,7 @@ module Puppet
 
             exec { '/bin/echo root >> /usr/lib/cron/cron.allow':
               path   => '/usr/bin:/usr/sbin:/bin',
-              unless => 'grep ^root$ /usr/lib/cron/cron.allow 2>/dev/null',
+              unless => 'grep root /usr/lib/cron/cron.allow 2>/dev/null',
             }
 
         This would add `root` to the cron.allow file (on Solaris) unless
@@ -467,17 +454,10 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
-        Since this command is used in the process of determining whether the
-        `exec` is already in sync, it must be run during a noop Puppet run.
-
         This parameter can also take an array of commands. For example:
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
-        or an array of arrays. For example:
-
-            unless => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
-
         This `exec` would only run if every command in the array has a
         non-zero exit code.
       EOT
@@ -530,17 +510,10 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
-        Since this command is used in the process of determining whether the
-        `exec` is already in sync, it must be run during a noop Puppet run.
-
         This parameter can also take an array of commands. For example:
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
-        or an array of arrays. For example:
-
-            onlyif => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
-
         This `exec` would only run if every command in the array has an
         exit code of 0 (success).
       EOT
@@ -589,14 +562,12 @@ module Puppet
       reqs << self[:cwd] if self[:cwd]
 
       file_regex = Puppet::Util::Platform.windows? ? %r{^([a-zA-Z]:[\\/]\S+)} : %r{^(/\S+)}
-      cmd = self[:command]
-      cmd = cmd[0] if cmd.is_a? Array
 
-      cmd.scan(file_regex) { |str|
+      self[:command].scan(file_regex) { |str|
         reqs << str
       }
 
-      cmd.scan(/^"([^"]+)"/) { |str|
+      self[:command].scan(/^"([^"]+)"/) { |str|
         reqs << str
       }
 
@@ -612,7 +583,6 @@ module Puppet
           # fully qualified.  It might not be a bad idea to add
           # unqualified files, but, well, that's a bit more annoying
           # to do.
-          line = line[0] if line.is_a? Array
           reqs += line.scan(file_regex)
         end
       }

data/lib/puppet/type/file/checksum.rb

@@ -7,7 +7,7 @@ Puppet::Type.type(:file).newparam(:checksum) do
 
   desc "The checksum type to use when determining whether to replace a file's contents.
 
-    The default checksum type is md5."
+    The default checksum type is #{Puppet.default_digest_algorithm}."
 
   newvalues(*Puppet::Util::Checksums.known_checksum_types)
 

data/lib/puppet/type/file/data_sync.rb

@@ -79,7 +79,7 @@ module Puppet
       return :absent unless stat
       ftype = stat.ftype
       # Don't even try to manage the content on directories or links
-      return nil if ['directory', 'link', 'fifo', 'socket'].include?(ftype)
+      return nil if ["directory","link"].include?(ftype)
 
       begin
         resource.parameter(:checksum).sum_file(resource[:path])

data/lib/puppet/type/file/mode.rb

@@ -90,15 +90,9 @@ module Puppet
         raise Puppet::Error, "The file mode specification is invalid: #{value.inspect}"
       end
 
-      # normalizes to symbolic form, e.g. u+a, an octal string without leading 0
       normalize_symbolic_mode(value)
     end
 
-    unmunge do |value|
-      # return symbolic form or octal string *with* leading 0's
-      display_mode(value) if value
-    end
-
     def desired_mode_from_current(desired, current)
       current = current.to_i(8) if current.is_a? String
       is_a_directory = @resource.stat && @resource.stat.directory?

data/lib/puppet/type/file/selcontext.rb

@@ -42,7 +42,7 @@ module Puppet
         return nil
       end
 
-      context = self.get_selinux_default_context(@resource[:path], @resource[:ensure])
+      context = self.get_selinux_default_context(@resource[:path])
       unless context
         return nil
       end

data/lib/puppet/type/file/source.rb

@@ -340,7 +340,7 @@ module Puppet
 
     def handle_response_error(response)
       message = "Error #{response.code} on SERVER: #{response.body.empty? ? response.reason : response.body}"
-      raise Net::HTTPError.new(message, response.nethttp)
+      raise Net::HTTPError.new(message, Puppet::HTTP::ResponseConverter.to_ruby_response(response))
     end
   end
 

data/lib/puppet/type/file.rb

@@ -83,33 +83,31 @@ Puppet::Type.newtype(:file) do
         use copy the file in the same directory with that value as the extension
         of the backup. (A value of `true` is a synonym for `.puppet-bak`.)
       * If set to any other string, Puppet will try to back up to a filebucket
-        with that title. See the `filebucket` resource type for more details.
-        (This is the preferred method for backup, since it can be centralized
-        and queried.)
+        with that title. Puppet automatically creates a **local** filebucket
+        named `puppet` if one doesn't already exist. See the `filebucket` resource
+        type for more details.
 
-      Default value: `puppet`, which backs up to a filebucket of the same name.
-      (Puppet automatically creates a **local** filebucket named `puppet` if one
-      doesn't already exist.)
+      Default value: `false`
 
       Backing up to a local filebucket isn't particularly useful. If you want
       to make organized use of backups, you will generally want to use the
-      primary Puppet server's filebucket service. This requires declaring a
+      puppet master server's filebucket service. This requires declaring a
       filebucket resource and a resource default for the `backup` attribute
       in site.pp:
 
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured primary Puppet server.
+            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
           }
 
           File { backup => main, }
 
-      If you are using multiple primary servers, you will want to
+      If you are using multiple puppet master servers, you will want to
       centralize the contents of the filebucket. Either configure your load
-      balancer to direct all filebucket traffic to a single primary server, or use
+      balancer to direct all filebucket traffic to a single master, or use
       something like an out-of-band rsync task to synchronize the content on all
-      primary servers.
+      masters.
 
       > **Note**: Enabling and using the backup option, and by extension the 
         filebucket resource, requires appropriate planning and management to ensure 
@@ -125,7 +123,7 @@ Puppet::Type.newtype(:file) do
         - Restrict the directory to a maximum size after which the oldest items are removed.
     EOT
 
-    defaultto "puppet"
+    defaultto false
 
     munge do |value|
       # I don't really know how this is happening.
@@ -220,23 +218,6 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  newparam(:max_files) do
-    desc "In case the resource is a directory and the recursion is enabled, puppet will
-      generate a new resource for each file file found, possible leading to
-      an excessive number of resources generated without any control.
-
-      Setting `max_files` will check the number of file resources that
-      will eventually be created and will raise a resource argument error if the
-      limit will be exceeded.
-
-      Use value `0` to log a warning instead of raising an error.
-
-      Use value `-1` to disable errors and warnings due to max files."
-
-    defaultto 0
-    newvalues(/^[0-9]+$/, /^-1$/)
-  end
-
   newparam(:replace, :boolean => true, :parent => Puppet::Parameter::Boolean) do
     desc "Whether to replace a file or symlink that already exists on the local system but
       whose content doesn't match what the `source` or `content` attribute
@@ -361,7 +342,7 @@ Puppet::Type.newtype(:file) do
       This command must have a fully qualified path, and should contain a
       percent (`%`) token where it would expect an input file. It must exit `0`
       if the syntax is correct, and non-zero otherwise. The command will be
-      run on the target system while applying the catalog, not on the primary Puppet server.
+      run on the target system while applying the catalog, not on the puppet master.
 
       Example:
 
@@ -593,7 +574,7 @@ Puppet::Type.newtype(:file) do
     options = @original_parameters.merge(:path => full_path).reject { |param, value| value.nil? }
 
     # These should never be passed to our children.
-    [:parent, :ensure, :recurse, :recurselimit, :max_files, :target, :alias, :source].each do |param|
+    [:parent, :ensure, :recurse, :recurselimit, :target, :alias, :source].each do |param|
       options.delete(param) if options.include?(param)
     end
 
@@ -770,7 +751,6 @@ Puppet::Type.newtype(:file) do
       :links => self[:links],
       :recurse => (self[:recurse] == :remote ? true : self[:recurse]),
       :recurselimit => self[:recurselimit],
-      :max_files => self[:max_files],
       :source_permissions => self[:source_permissions],
       :ignore => self[:ignore],
       :checksum_type => (self[:source] || self[:content]) ? self[:checksum] : :none,

data/lib/puppet/type/filebucket.rb

@@ -4,7 +4,7 @@ module Puppet
   Type.newtype(:filebucket) do
     @doc = <<-EOT
       A repository for storing and retrieving file content by MD5 checksum. Can
-      be local to each agent node, or centralized on a primary Puppet server. All
+      be local to each agent node, or centralized on a puppet master server. All
       puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents
       will do so.
@@ -25,14 +25,14 @@ module Puppet
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured primary server.
+            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
           }
 
           File { backup => main, }
 
-      Puppet master servers automatically provide the filebucket service, so
+      Puppet Servers automatically provide the filebucket service, so
       this will work in a default configuration. If you have a heavily
-      restricted `auth.conf` file, you may need to allow access to the
+      restricted Puppet Server `auth.conf` file, you may need to allow access to the
       `file_bucket_file` endpoint.
     EOT
 

data/lib/puppet/type/group.rb

@@ -1,4 +1,5 @@
 require 'etc'
+require 'facter'
 require 'puppet/property/keyvalue'
 require 'puppet/parameter/boolean'
 

data/lib/puppet/type/package.rb

@@ -106,10 +106,6 @@ module Puppet
         provider.purge
       end
 
-      newvalue(:held, :event => :package_held, :required_features => :holdable) do
-        provider.deprecated_hold
-      end
-
       newvalue(:disabled, :required_features => :disableable) do
         provider.disable
       end
@@ -161,7 +157,7 @@ module Puppet
         @should.each { |should|
           case should
           when :present
-            return true unless [:absent, :purged, :held, :disabled].include?(is)
+            return true unless [:absent, :purged, :disabled].include?(is)
           when :latest
             # Short-circuit packages that are not present
             return false if is == :absent || is == :purged
@@ -426,10 +422,10 @@ module Puppet
     end
 
     newparam(:source) do
-      desc "Where to find the package file. This is mostly used by providers that don't
+      desc "Where to find the package file. This is only used by providers that don't
         automatically download packages from a central repository. (For example:
-        the `yum` provider ignores this attribute, `apt` provider uses it if present
-        and the `rpm` and `dpkg` providers require it.)
+        the `yum` and `apt` providers ignore this attribute, but the `rpm` and
+        `dpkg` providers require it.)
 
         Different providers accept different values for `source`. Most providers
         accept paths to local files stored on the target system. Some providers
@@ -657,8 +653,7 @@ module Puppet
       if provider.reinstallable? &&
         @parameters[:reinstall_on_refresh].value == :true &&
         @parameters[:ensure].value != :purged &&
-        @parameters[:ensure].value != :absent &&
-        @parameters[:ensure].value != :held
+        @parameters[:ensure].value != :absent
 
         provider.reinstall
       end
@@ -673,7 +668,7 @@ module Puppet
         Default is "none". Mark can be specified with or without `ensure`,
         if `ensure` is missing will default to "present".
 
-        Mark cannot be specified together with "purged", "absent" or "held"
+        Mark cannot be specified together with "purged", or "absent"
         values for `ensure`.
       EOT
       newvalues(:hold, :none)
@@ -710,11 +705,8 @@ module Puppet
     end
 
     validate do
-      if :held == @parameters[:ensure].should
-        warning '"ensure=>held" has been deprecated and will be removed in a future version, use "mark=hold" instead'
-      end
-      if @parameters[:mark] && [:absent, :purged, :held].include?(@parameters[:ensure].should)
-        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged", "held"]')
+      if @parameters[:mark] && [:absent, :purged].include?(@parameters[:ensure].should)
+        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged"]')
       end
     end
   end