!97 remove cert expired at 20250512

From: @sherlock2010 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai

add-secure-compile-option-in-Makefile.patch

@@ -8,9 +8,9 @@ diff -urN grpc/CMakeLists.txt grpc_new/CMakeLists.txt
  endif()
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_gRPC_C_CXX_FLAGS}")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${_gRPC_C_CXX_FLAGS}")
-+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,now -fPIE -fPIC")
-+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,now -fstack-protector-strong")
-+set(_gRPC_ALLTARGETS_LIBRARYIES "${_gRPC_ALLTARGETS_LIBRARYIES} -Wl,-z,now -pie") 
++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2")
++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2")
++set(_gRPC_ALLTARGETS_LIBRARYIES "${_gRPC_ALLTARGETS_LIBRARYIES} -Wl,-z,relro -Wl,-z,now -pie") 
  
  if(gRPC_USE_PROTO_LITE)
    set(_gRPC_PROTOBUF_LIBRARY_NAME "libprotobuf-lite")
@@ -23,9 +23,9 @@ index 6ede6e34d2..d6190ecde4 100644
  DEFINES += $(EXTRA_DEFINES)
  LDLIBS += $(EXTRA_LDLIBS)
 
-+CFLAGS += -Wl,-z,now -fPIE -fPIC
-+CPPFLAGS += -Wl,-z,now -fstack-protector-strong
-+LDFLAGS += -Wl,-z,now -pie
++CFLAGS += -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2
++CPPFLAGS += -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2
++LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie
 +
  HOST_CPPFLAGS += $(CPPFLAGS)
  HOST_CFLAGS += $(CFLAGS)

backport-Generating-projects.patch

@@ -0,0 +1,149 @@
+From 4efde0b477834d51ecf559779bde850e01984c5b Mon Sep 17 00:00:00 2001
+From: Esun Kim <veblush@google.com>
+Date: Tue, 29 Sep 2020 14:32:42 -0700
+Subject: [PATCH] Generating projects
+
+---
+ CMakeLists.txt                              | 10 +++++-----
+ Makefile                                    |  1 -
+ config.m4                                   |  1 -
+ config.w32                                  |  1 -
+ grpc.gemspec                                |  4 +++-
+ package.xml                                 |  4 +++-
+ src/python/grpcio/grpc_core_dependencies.py |  1 -
+ 7 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 7e36f024d7b5..a117b94125b1 100644
+--- a/Makefile
++++ b/Makefile
+@@ -4274,7 +4274,6 @@ endif
+ 
+ 
+ LIBGRPC_ABSEIL_SRC = \
+-    third_party/abseil-cpp/absl/base/dynamic_annotations.cc \
+     third_party/abseil-cpp/absl/base/internal/cycleclock.cc \
+     third_party/abseil-cpp/absl/base/internal/raw_logging.cc \
+     third_party/abseil-cpp/absl/base/internal/spinlock.cc \
+diff --git a/config.m4 b/config.m4
+index b7e257e3ab69..26b7b31fd2d1 100644
+--- a/config.m4
++++ b/config.m4
+@@ -611,7 +611,6 @@ if test "$PHP_GRPC" != "no"; then
+     src/php/ext/grpc/server.c \
+     src/php/ext/grpc/server_credentials.c \
+     src/php/ext/grpc/timeval.c \
+-    third_party/abseil-cpp/absl/base/dynamic_annotations.cc \
+     third_party/abseil-cpp/absl/base/internal/cycleclock.cc \
+     third_party/abseil-cpp/absl/base/internal/raw_logging.cc \
+     third_party/abseil-cpp/absl/base/internal/spinlock.cc \
+diff --git a/config.w32 b/config.w32
+index 777e8cf8e9a7..a01156c0b454 100644
+--- a/config.w32
++++ b/config.w32
+@@ -578,7 +578,6 @@ if (PHP_GRPC != "no") {
+     "src\\php\\ext\\grpc\\server.c " +
+     "src\\php\\ext\\grpc\\server_credentials.c " +
+     "src\\php\\ext\\grpc\\timeval.c " +
+-    "third_party\\abseil-cpp\\absl\\base\\dynamic_annotations.cc " +
+     "third_party\\abseil-cpp\\absl\\base\\internal\\cycleclock.cc " +
+     "third_party\\abseil-cpp\\absl\\base\\internal\\raw_logging.cc " +
+     "third_party\\abseil-cpp\\absl\\base\\internal\\spinlock.cc " +
+diff --git a/grpc.gemspec b/grpc.gemspec
+index 6ae02b8bc90e..34e0d2269570 100644
+--- a/grpc.gemspec
++++ b/grpc.gemspec
+@@ -1174,12 +1174,12 @@ Gem::Specification.new do |s|
+   s.files += %w( third_party/abseil-cpp/absl/base/casts.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/config.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/const_init.h )
+-  s.files += %w( third_party/abseil-cpp/absl/base/dynamic_annotations.cc )
+   s.files += %w( third_party/abseil-cpp/absl/base/dynamic_annotations.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/atomic_hook.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/bits.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/cycleclock.cc )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/cycleclock.h )
++  s.files += %w( third_party/abseil-cpp/absl/base/internal/dynamic_annotations.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/endian.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/errno_saver.h )
+   s.files += %w( third_party/abseil-cpp/absl/base/internal/hide_ptr.h )
+diff --git a/package.xml b/package.xml
+index 36c87bb94b1b..8e6199006fbc 100644
+--- a/package.xml
++++ b/package.xml
+@@ -1176,12 +1176,12 @@
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/casts.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/config.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/const_init.h" role="src" />
+-    <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/dynamic_annotations.cc" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/dynamic_annotations.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/atomic_hook.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/bits.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/cycleclock.cc" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/cycleclock.h" role="src" />
++    <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/dynamic_annotations.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/endian.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/errno_saver.h" role="src" />
+     <file baseinstalldir="/" name="third_party/abseil-cpp/absl/base/internal/hide_ptr.h" role="src" />
+diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
+index 3373671efd88..3d20756ad550 100644
+--- a/src/python/grpcio/grpc_core_dependencies.py
++++ b/src/python/grpcio/grpc_core_dependencies.py
+@@ -577,7 +577,6 @@
+     'src/core/tsi/ssl_transport_security.cc',
+     'src/core/tsi/transport_security.cc',
+     'src/core/tsi/transport_security_grpc.cc',
+-    'third_party/abseil-cpp/absl/base/dynamic_annotations.cc',
+     'third_party/abseil-cpp/absl/base/internal/cycleclock.cc',
+     'third_party/abseil-cpp/absl/base/internal/raw_logging.cc',
+     'third_party/abseil-cpp/absl/base/internal/spinlock.cc',
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0b224ac..8a74c52 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -15541,7 +15541,7 @@ generate_pkgconfig(
+   "gRPC platform support library"
+   "${gRPC_CORE_VERSION}"
+   ""
+-  "-lgpr -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
++  "-lgpr -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity"
+   ""
+   "gpr.pc")
+ 
+@@ -15551,7 +15551,7 @@ generate_pkgconfig(
+   "high performance general RPC framework"
+   "${gRPC_CORE_VERSION}"
+   "gpr openssl"
+-  "-lgrpc -laddress_sorting -lre2 -lupb -lcares -lz -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
++  "-lgrpc -laddress_sorting -lre2 -lupb -lcares -lz -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity"
+   ""
+   "grpc.pc")
+ 
+@@ -15561,7 +15561,7 @@ generate_pkgconfig(
+   "high performance general RPC framework without SSL"
+   "${gRPC_CORE_VERSION}"
+   "gpr"
+-  "-lgrpc_unsecure -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
++  "-lgrpc_unsecure -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity"
+   ""
+   "grpc_unsecure.pc")
+ 
+@@ -15571,7 +15571,7 @@ generate_pkgconfig(
+   "C++ wrapper for gRPC"
+   "${gRPC_CPP_VERSION}"
+   "grpc"
+-  "-lgrpc++ -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
++  "-lgrpc++ -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity"
+   ""
+   "grpc++.pc")
+ 
+@@ -15581,6 +15581,6 @@ generate_pkgconfig(
+   "C++ wrapper for gRPC without SSL"
+   "${gRPC_CPP_VERSION}"
+   "grpc_unsecure"
+-  "-lgrpc++_unsecure -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
++  "-lgrpc++_unsecure -labsl_bad_optional_access -labsl_str_format_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity"
+   ""
+   "grpc++_unsecure.pc")
+-- 
+2.27.0

backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch

@@ -0,0 +1,58 @@
+From 5850cba2957cc894477e735a74aa6c246b499ff4 Mon Sep 17 00:00:00 2001
+From: Yash Tibrewal <yashkt@google.com>
+Date: Mon, 11 Apr 2022 15:49:18 -0700
+Subject: [PATCH] Ignore Connection Aborted errors on accept (#29318)
+
+* Ignore Connection Aborted errors on accept
+
+* Reviewer comments
+---
+ src/core/lib/iomgr/tcp_server_posix.cc | 32 +++++++++++++-------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
+index c40ddbf646..f02bb8396a 100644
+--- a/src/core/lib/iomgr/tcp_server_posix.cc
++++ b/src/core/lib/iomgr/tcp_server_posix.cc
+@@ -204,22 +204,22 @@ static void on_read(void* arg, grpc_error_handle err) {
+        strip off the ::ffff:0.0.0.0/96 prefix first. */
+     int fd = grpc_accept4(sp->fd, &addr, 1, 1);
+     if (fd < 0) {
+-      switch (errno) {
+-        case EINTR:
+-          continue;
+-        case EAGAIN:
+-          grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+-          return;
+-        default:
+-          gpr_mu_lock(&sp->server->mu);
+-          if (!sp->server->shutdown_listeners) {
+-            gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+-          } else {
+-            /* if we have shutdown listeners, accept4 could fail, and we
+-               needn't notify users */
+-          }
+-          gpr_mu_unlock(&sp->server->mu);
+-          goto error;
++      if (errno == EINTR) {
++        continue;
++      } else if (errno == EAGAIN || errno == ECONNABORTED ||
++                 errno == EWOULDBLOCK) {
++        grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
++        return;
++      } else {
++        gpr_mu_lock(&sp->server->mu);
++        if (!sp->server->shutdown_listeners) {
++          gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
++        } else {
++          /* if we have shutdown listeners, accept4 could fail, and we
++             needn't notify users */
++        }
++        gpr_mu_unlock(&sp->server->mu);
++        goto error;
+       }
+     }
+ 
+-- 
+2.33.0
+

backport-Upgrade-Abseil-to-LTS-2020923.patch

@@ -0,0 +1,487 @@
+From 5b4344063e9d44cdd4e6f00729b48de2f2956145 Mon Sep 17 00:00:00 2001
+From: Esun Kim <veblush@google.com>
+Date: Tue, 29 Sep 2020 14:29:06 -0700
+Subject: [PATCH] Upgrade Abseil to LTS 2020923.2
+
+---
+ bazel/grpc_deps.bzl                        |   8 +-
+ gRPC-C++.podspec                           |   2 +-
+ gRPC-Core.podspec                          |   2 +-
+ src/abseil-cpp/preprocessed_builds.yaml    | 181 ++++++++++++++-------
+ templates/gRPC-C++.podspec.template        |   2 +-
+ templates/gRPC-Core.podspec.template       |   2 +-
+ third_party/abseil-cpp                     |   2 +-
+ tools/run_tests/sanity/check_submodules.sh |   2 +-
+ 8 files changed, 135 insertions(+), 66 deletions(-)
+
+diff --git a/src/abseil-cpp/preprocessed_builds.yaml b/src/abseil-cpp/preprocessed_builds.yaml
+index a6a35f2f6d45..257efad9b27f 100644
+--- a/src/abseil-cpp/preprocessed_builds.yaml
++++ b/src/abseil-cpp/preprocessed_builds.yaml
+@@ -93,12 +93,14 @@
+   name: absl/base:core_headers
+   src: []
+ - cmake_target: absl::dynamic_annotations
+-  deps: []
++  deps:
++  - absl/base:config
++  - absl/base:core_headers
+   headers:
+   - third_party/abseil-cpp/absl/base/dynamic_annotations.h
++  - third_party/abseil-cpp/absl/base/internal/dynamic_annotations.h
+   name: absl/base:dynamic_annotations
+-  src:
+-  - third_party/abseil-cpp/absl/base/dynamic_annotations.cc
++  src: []
+ - cmake_target: absl::endian
+   deps:
+   - absl/base:config
+@@ -124,6 +126,13 @@
+   name: absl/base:exponential_biased
+   src:
+   - third_party/abseil-cpp/absl/base/internal/exponential_biased.cc
++- cmake_target: absl::fast_type_id
++  deps:
++  - absl/base:config
++  headers:
++  - third_party/abseil-cpp/absl/base/internal/fast_type_id.h
++  name: absl/base:fast_type_id
++  src: []
+ - cmake_target: absl::log_severity
+   deps:
+   - absl/base:config
+@@ -187,6 +196,16 @@
+   name: absl/base:spinlock_wait
+   src:
+   - third_party/abseil-cpp/absl/base/internal/spinlock_wait.cc
++- cmake_target: absl::strerror
++  deps:
++  - absl/base:config
++  - absl/base:core_headers
++  - absl/base:errno_saver
++  headers:
++  - third_party/abseil-cpp/absl/base/internal/strerror.h
++  name: absl/base:strerror
++  src:
++  - third_party/abseil-cpp/absl/base/internal/strerror.cc
+ - cmake_target: absl::throw_delegate
+   deps:
+   - absl/base:config
+@@ -206,6 +225,7 @@
+   - absl/container:layout
+   - absl/memory:memory
+   - absl/meta:type_traits
++  - absl/strings:cord
+   - absl/strings:strings
+   - absl/types:compare
+   - absl/utility:utility
+@@ -233,7 +253,9 @@
+   src: []
+ - cmake_target: absl::container_memory
+   deps:
++  - absl/base:config
+   - absl/memory:memory
++  - absl/meta:type_traits
+   - absl/utility:utility
+   headers:
+   - third_party/abseil-cpp/absl/container/internal/container_memory.h
+@@ -242,6 +264,7 @@
+ - cmake_target: absl::fixed_array
+   deps:
+   - absl/algorithm:algorithm
++  - absl/base:config
+   - absl/base:core_headers
+   - absl/base:dynamic_annotations
+   - absl/base:throw_delegate
+@@ -278,6 +301,7 @@
+   deps:
+   - absl/base:config
+   - absl/hash:hash
++  - absl/strings:cord
+   - absl/strings:strings
+   headers:
+   - third_party/abseil-cpp/absl/container/internal/hash_function_defaults.h
+@@ -350,6 +374,7 @@
+   src: []
+ - cmake_target: absl::layout
+   deps:
++  - absl/base:config
+   - absl/base:core_headers
+   - absl/meta:type_traits
+   - absl/strings:strings
+@@ -516,15 +541,38 @@
+   - absl/base:raw_logging_internal
+   - absl/debugging:debugging_internal
+   - absl/debugging:demangle_internal
++  - absl/strings:strings
+   headers:
+   - third_party/abseil-cpp/absl/debugging/internal/symbolize.h
+   - third_party/abseil-cpp/absl/debugging/symbolize.h
++  - third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc
+   - third_party/abseil-cpp/absl/debugging/symbolize_elf.inc
+   - third_party/abseil-cpp/absl/debugging/symbolize_unimplemented.inc
+   - third_party/abseil-cpp/absl/debugging/symbolize_win32.inc
+   name: absl/debugging:symbolize
+   src:
+   - third_party/abseil-cpp/absl/debugging/symbolize.cc
++- cmake_target: absl::flags_commandlineflag
++  deps:
++  - absl/base:config
++  - absl/base:fast_type_id
++  - absl/flags:commandlineflag_internal
++  - absl/strings:strings
++  - absl/types:optional
++  headers:
++  - third_party/abseil-cpp/absl/flags/commandlineflag.h
++  name: absl/flags:commandlineflag
++  src:
++  - third_party/abseil-cpp/absl/flags/commandlineflag.cc
++- cmake_target: absl::flags_commandlineflag_internal
++  deps:
++  - absl/base:config
++  - absl/base:fast_type_id
++  headers:
++  - third_party/abseil-cpp/absl/flags/internal/commandlineflag.h
++  name: absl/flags:commandlineflag_internal
++  src:
++  - third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc
+ - cmake_target: absl::flags_config
+   deps:
+   - absl/base:config
+@@ -546,9 +594,7 @@
+   - absl/base:core_headers
+   - absl/flags:config
+   - absl/flags:flag_internal
+-  - absl/flags:handle
+-  - absl/flags:marshalling
+-  - absl/flags:registry
++  - absl/flags:reflection
+   - absl/strings:strings
+   headers:
+   - third_party/abseil-cpp/absl/flags/declare.h
+@@ -561,29 +607,21 @@
+   - absl/base:base
+   - absl/base:config
+   - absl/base:core_headers
++  - absl/flags:commandlineflag
++  - absl/flags:commandlineflag_internal
+   - absl/flags:config
+-  - absl/flags:handle
+-  - absl/flags:registry
++  - absl/flags:marshalling
++  - absl/flags:reflection
+   - absl/memory:memory
++  - absl/meta:type_traits
+   - absl/strings:strings
+   - absl/synchronization:synchronization
++  - absl/utility:utility
+   headers:
+   - third_party/abseil-cpp/absl/flags/internal/flag.h
+   name: absl/flags:flag_internal
+   src:
+   - third_party/abseil-cpp/absl/flags/internal/flag.cc
+-- cmake_target: absl::flags_handle
+-  deps:
+-  - absl/base:config
+-  - absl/base:core_headers
+-  - absl/flags:config
+-  - absl/flags:marshalling
+-  - absl/strings:strings
+-  - absl/types:optional
+-  headers:
+-  - third_party/abseil-cpp/absl/flags/internal/commandlineflag.h
+-  name: absl/flags:handle
+-  src: []
+ - cmake_target: absl::flags_marshalling
+   deps:
+   - absl/base:config
+@@ -600,12 +638,14 @@
+   deps:
+   - absl/base:config
+   - absl/base:core_headers
++  - absl/flags:commandlineflag
++  - absl/flags:commandlineflag_internal
+   - absl/flags:config
+   - absl/flags:flag
+   - absl/flags:flag_internal
+-  - absl/flags:handle
++  - absl/flags:private_handle_accessor
+   - absl/flags:program_name
+-  - absl/flags:registry
++  - absl/flags:reflection
+   - absl/flags:usage
+   - absl/flags:usage_internal
+   - absl/strings:strings
+@@ -624,6 +664,17 @@
+   - third_party/abseil-cpp/absl/flags/internal/path_util.h
+   name: absl/flags:path_util
+   src: []
++- cmake_target: absl::flags_private_handle_accessor
++  deps:
++  - absl/base:config
++  - absl/flags:commandlineflag
++  - absl/flags:commandlineflag_internal
++  - absl/strings:strings
++  headers:
++  - third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h
++  name: absl/flags:private_handle_accessor
++  src:
++  - third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc
+ - cmake_target: absl::flags_program_name
+   deps:
+   - absl/base:config
+@@ -636,22 +687,23 @@
+   name: absl/flags:program_name
+   src:
+   - third_party/abseil-cpp/absl/flags/internal/program_name.cc
+-- cmake_target: absl::flags_registry
++- cmake_target: absl::flags_reflection
+   deps:
+   - absl/base:config
+   - absl/base:core_headers
+-  - absl/base:raw_logging_internal
++  - absl/container:flat_hash_map
++  - absl/flags:commandlineflag
++  - absl/flags:commandlineflag_internal
+   - absl/flags:config
+-  - absl/flags:handle
++  - absl/flags:private_handle_accessor
+   - absl/strings:strings
+   - absl/synchronization:synchronization
+   headers:
+   - third_party/abseil-cpp/absl/flags/internal/registry.h
+-  - third_party/abseil-cpp/absl/flags/internal/type_erased.h
+-  name: absl/flags:registry
++  - third_party/abseil-cpp/absl/flags/reflection.h
++  name: absl/flags:reflection
+   src:
+-  - third_party/abseil-cpp/absl/flags/internal/registry.cc
+-  - third_party/abseil-cpp/absl/flags/internal/type_erased.cc
++  - third_party/abseil-cpp/absl/flags/reflection.cc
+ - cmake_target: absl::flags_usage
+   deps:
+   - absl/base:config
+@@ -668,13 +720,14 @@
+   deps:
+   - absl/base:config
+   - absl/base:core_headers
++  - absl/flags:commandlineflag
+   - absl/flags:config
+   - absl/flags:flag
+   - absl/flags:flag_internal
+-  - absl/flags:handle
+   - absl/flags:path_util
++  - absl/flags:private_handle_accessor
+   - absl/flags:program_name
+-  - absl/flags:registry
++  - absl/flags:reflection
+   - absl/strings:strings
+   headers:
+   - third_party/abseil-cpp/absl/flags/internal/usage.h
+@@ -746,6 +799,7 @@
+   src: []
+ - cmake_target: absl::int128
+   deps:
++  - absl/base:bits
+   - absl/base:config
+   - absl/base:core_headers
+   headers:
+@@ -758,25 +812,16 @@
+ - cmake_target: absl::random_internal_distribution_caller
+   deps:
+   - absl/base:config
++  - absl/base:fast_type_id
++  - absl/utility:utility
+   headers:
+   - third_party/abseil-cpp/absl/random/internal/distribution_caller.h
+   name: absl/random/internal:distribution_caller
+   src: []
+-- cmake_target: absl::random_internal_distributions
+-  deps:
+-  - absl/base:base
+-  - absl/meta:type_traits
+-  - absl/random/internal:distribution_caller
+-  - absl/random/internal:traits
+-  - absl/random/internal:uniform_helper
+-  - absl/strings:strings
+-  headers:
+-  - third_party/abseil-cpp/absl/random/internal/distributions.h
+-  name: absl/random/internal:distributions
+-  src: []
+ - cmake_target: absl::random_internal_fast_uniform_bits
+   deps:
+   - absl/base:config
++  - absl/meta:type_traits
+   headers:
+   - third_party/abseil-cpp/absl/random/internal/fast_uniform_bits.h
+   name: absl/random/internal:fast_uniform_bits
+@@ -806,16 +851,17 @@
+   - third_party/abseil-cpp/absl/random/internal/iostream_state_saver.h
+   name: absl/random/internal:iostream_state_saver
+   src: []
+-- cmake_target: absl::random_internal_mocking_bit_gen_base
++- cmake_target: absl::random_internal_mock_helpers
+   deps:
+-  - absl/random:random
+-  - absl/strings:strings
++  - absl/base:fast_type_id
++  - absl/types:optional
+   headers:
+-  - third_party/abseil-cpp/absl/random/internal/mocking_bit_gen_base.h
+-  name: absl/random/internal:mocking_bit_gen_base
++  - third_party/abseil-cpp/absl/random/internal/mock_helpers.h
++  name: absl/random/internal:mock_helpers
+   src: []
+ - cmake_target: ''
+   deps:
++  - absl/base:config
+   - absl/base:core_headers
+   - absl/base:raw_logging_internal
+   - absl/random/internal:platform
+@@ -832,7 +878,6 @@
+   - absl/random/internal:pool_urbg
+   - absl/random/internal:salted_seed_seq
+   - absl/random/internal:seed_material
+-  - absl/strings:strings
+   - absl/types:optional
+   - absl/types:span
+   headers:
+@@ -855,10 +900,10 @@
+   - absl/base:config
+   headers:
+   - third_party/abseil-cpp/absl/random/internal/platform.h
+-  - third_party/abseil-cpp/absl/random/internal/randen-keys.inc
+   - third_party/abseil-cpp/absl/random/internal/randen_traits.h
+   name: absl/random/internal:platform
+-  src: []
++  src:
++  - third_party/abseil-cpp/absl/random/internal/randen_round_keys.cc
+ - cmake_target: absl::random_internal_pool_urbg
+   deps:
+   - absl/base:base
+@@ -960,7 +1005,9 @@
+   src: []
+ - cmake_target: absl::random_internal_uniform_helper
+   deps:
++  - absl/base:config
+   - absl/meta:type_traits
++  - absl/random/internal:traits
+   headers:
+   - third_party/abseil-cpp/absl/random/internal/uniform_helper.h
+   name: absl/random/internal:uniform_helper
+@@ -978,10 +1025,11 @@
+ - cmake_target: absl::random_bit_gen_ref
+   deps:
+   - absl/base:core_headers
++  - absl/base:fast_type_id
+   - absl/meta:type_traits
+   - absl/random/internal:distribution_caller
+   - absl/random/internal:fast_uniform_bits
+-  - absl/random/internal:mocking_bit_gen_base
++  - absl/random:random
+   headers:
+   - third_party/abseil-cpp/absl/random/bit_gen_ref.h
+   name: absl/random:bit_gen_ref
+@@ -992,7 +1040,7 @@
+   - absl/base:config
+   - absl/base:core_headers
+   - absl/meta:type_traits
+-  - absl/random/internal:distributions
++  - absl/random/internal:distribution_caller
+   - absl/random/internal:fast_uniform_bits
+   - absl/random/internal:fastmath
+   - absl/random/internal:generate_real
+@@ -1001,12 +1049,10 @@
+   - absl/random/internal:uniform_helper
+   - absl/random/internal:wide_multiply
+   - absl/strings:strings
+-  - absl/types:span
+   headers:
+   - third_party/abseil-cpp/absl/random/bernoulli_distribution.h
+   - third_party/abseil-cpp/absl/random/beta_distribution.h
+   - third_party/abseil-cpp/absl/random/discrete_distribution.h
+-  - third_party/abseil-cpp/absl/random/distribution_format_traits.h
+   - third_party/abseil-cpp/absl/random/distributions.h
+   - third_party/abseil-cpp/absl/random/exponential_distribution.h
+   - third_party/abseil-cpp/absl/random/gaussian_distribution.h
+@@ -1055,6 +1101,7 @@
+   - third_party/abseil-cpp/absl/random/seed_sequences.cc
+ - cmake_target: absl::status
+   deps:
++  - absl/base:atomic_hook
+   - absl/base:config
+   - absl/base:core_headers
+   - absl/base:raw_logging_internal
+@@ -1066,16 +1113,31 @@
+   - absl/strings:strings
+   - absl/types:optional
+   headers:
++  - third_party/abseil-cpp/absl/status/internal/status_internal.h
+   - third_party/abseil-cpp/absl/status/status.h
+   - third_party/abseil-cpp/absl/status/status_payload_printer.h
+   name: absl/status:status
+   src:
+   - third_party/abseil-cpp/absl/status/status.cc
+   - third_party/abseil-cpp/absl/status/status_payload_printer.cc
++- cmake_target: absl::statusor
++  deps:
++  - absl/base:core_headers
++  - absl/base:raw_logging_internal
++  - absl/meta:type_traits
++  - absl/status:status
++  - absl/strings:strings
++  - absl/types:variant
++  - absl/utility:utility
++  headers:
++  - third_party/abseil-cpp/absl/status/internal/statusor_internal.h
++  - third_party/abseil-cpp/absl/status/statusor.h
++  name: absl/status:statusor
++  src:
++  - third_party/abseil-cpp/absl/status/statusor.cc
+ - cmake_target: absl::cord
+   deps:
+   - absl/base:base
+-  - absl/base:base_internal
+   - absl/base:core_headers
+   - absl/base:endian
+   - absl/base:raw_logging_internal
+@@ -1087,6 +1149,7 @@
+   - absl/strings:internal
+   - absl/strings:str_format
+   - absl/strings:strings
++  - absl/types:optional
+   headers:
+   - third_party/abseil-cpp/absl/strings/cord.h
+   name: absl/strings:cord
+@@ -1094,6 +1157,8 @@
+   - third_party/abseil-cpp/absl/strings/cord.cc
+ - cmake_target: absl::cord
+   deps:
++  - absl/base:base_internal
++  - absl/container:compressed_tuple
+   - absl/meta:type_traits
+   - absl/strings:strings
+   headers:
+@@ -1127,11 +1192,14 @@
+   src: []
+ - cmake_target: absl::str_format_internal
+   deps:
++  - absl/base:bits
+   - absl/base:config
+   - absl/base:core_headers
++  - absl/functional:function_ref
+   - absl/meta:type_traits
+   - absl/numeric:int128
+   - absl/strings:strings
++  - absl/types:optional
+   - absl/types:span
+   headers:
+   - third_party/abseil-cpp/absl/strings/internal/str_format/arg.h
+@@ -1311,6 +1379,7 @@
+   deps:
+   - absl/base:config
+   - absl/base:core_headers
++  - absl/base:fast_type_id
+   - absl/meta:type_traits
+   - absl/types:bad_any_cast
+   - absl/utility:utility

backport-iomgr-EventEngine-Improve-server-handling-o.patch

@@ -0,0 +1,184 @@
+From 1e86ca5834b94cae7d5e6d219056c0fc895cf95d Mon Sep 17 00:00:00 2001
+From: AJ Heller <hork@google.com>
+Date: Wed, 12 Jul 2023 18:42:09 -0700
+Subject: [PATCH] [backport][iomgr][EventEngine] Improve server handling of
+ file descriptor exhaustion (#33672)
+
+Backport of #33656
+---
+ src/core/lib/iomgr/tcp_server_posix.cc        | 45 ++++++++++++++-----
+ src/core/lib/iomgr/tcp_server_utils_posix.h   | 13 +++++
+ .../iomgr/tcp_server_utils_posix_common.cc    | 21 ++++++++
+ 3 files changed, 66 insertions(+), 13 deletions(-)
+
+diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
+index a1db16d916..6804928fe3 100644
+--- a/src/core/lib/iomgr/tcp_server_posix.cc
++++ b/src/core/lib/iomgr/tcp_server_posix.cc
+@@ -16,13 +16,17 @@
+  *
+  */
+ 
++#include <grpc/support/port_platform.h>
++
++#include <utility>
++
++#include <grpc/support/atm.h>
++
+ /* FIXME: "posix" files shouldn't be depending on _GNU_SOURCE */
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
+ 
+-#include <grpc/support/port_platform.h>
+-
+ #include "src/core/lib/iomgr/port.h"
+ 
+ #ifdef GRPC_POSIX_SOCKET_TCP_SERVER
+@@ -350,21 +357,35 @@ static void on_read(void* arg, grpc_error* err) {
+     if (fd < 0) {
+       if (errno == EINTR) {
+         continue;
+-      } else if (errno == EAGAIN || errno == ECONNABORTED ||
+-                 errno == EWOULDBLOCK) {
++      }
++      // When the process runs out of fds, accept4() returns EMFILE. When this
++      // happens, the connection is left in the accept queue until either a
++      // read event triggers the on_read callback, or time has passed and the
++      // accept should be re-tried regardless. This callback is not cancelled,
++      // so a spurious wakeup may occur even when there's nothing to accept.
++      // This is not a performant code path, but if an fd limit has been
++      // reached, the system is likely in an unhappy state regardless.
++      if (errno == EMFILE) {
++        grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
++        if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return;
++        grpc_timer_init(&sp->retry_timer,
++                        grpc_core::ExecCtx::Get()->Now() + 1 * GPR_MS_PER_SEC,
++                        &sp->retry_closure);
++        return;
++      }
++      if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) {
+         grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+         return;
++      }
++      gpr_mu_lock(&sp->server->mu);
++      if (!sp->server->shutdown_listeners) {
++        gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+       } else {
+-        gpr_mu_lock(&sp->server->mu);
+-        if (!sp->server->shutdown_listeners) {
+-          gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+-        } else {
+-          /* if we have shutdown listeners, accept4 could fail, and we
+-             needn't notify users */
+-        }
+-        gpr_mu_unlock(&sp->server->mu);
+-        goto error;
++        // if we have shutdown listeners, accept4 could fail, and we
++        // needn't notify users
+       }
++      gpr_mu_unlock(&sp->server->mu);
++      goto error;
+     }
+ 
+     /* For UNIX sockets, the accept call might not fill up the member sun_path
+@@ -558,6 +581,7 @@ static grpc_error* clone_port(grpc_tcp_listener* listener,
+     sp->port_index = listener->port_index;
+     sp->fd_index = listener->fd_index + count - i;
+     GPR_ASSERT(sp->emfd);
++    grpc_tcp_server_listener_initialize_retry_timer(sp);
+     while (listener->server->tail->next != nullptr) {
+       listener->server->tail = listener->server->tail->next;
+     }
+@@ -791,6 +815,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) {
+   if (s->active_ports) {
+     grpc_tcp_listener* sp;
+     for (sp = s->head; sp; sp = sp->next) {
++      grpc_timer_cancel(&sp->retry_timer);
+       grpc_fd_shutdown(sp->emfd,
+                        GRPC_ERROR_CREATE_FROM_STATIC_STRING("Server shutdown"));
+     }
+diff --git a/src/core/lib/iomgr/tcp_server_utils_posix.h b/src/core/lib/iomgr/tcp_server_utils_posix.h
+index 26cef0209f..de5a888cff 100644
+--- a/src/core/lib/iomgr/tcp_server_utils_posix.h
++++ b/src/core/lib/iomgr/tcp_server_utils_posix.h
+@@ -30,6 +30,7 @@
+ #include "src/core/lib/iomgr/resolve_address.h"
+ #include "src/core/lib/iomgr/socket_utils_posix.h"
+ #include "src/core/lib/iomgr/tcp_server.h"
++#include "src/core/lib/iomgr/timer.h"
+ 
+ /* one listening port */
+ typedef struct grpc_tcp_listener {
+@@ -52,6 +53,11 @@ typedef struct grpc_tcp_listener {
+      identified while iterating through 'next'. */
+   struct grpc_tcp_listener* sibling;
+   int is_sibling;
++  // If an accept4() call fails, a timer is started to drain the accept queue in
++  // case no further connection attempts reach the gRPC server.
++  grpc_closure retry_closure;
++  grpc_timer retry_timer;
++  gpr_atm retry_timer_armed;
+ } grpc_tcp_listener;
+ 
+ /* the overall server */
+@@ -139,4 +145,10 @@ grpc_error* grpc_tcp_server_prepare_socket(
+ /* Ruturn true if the platform supports ifaddrs */
+ bool grpc_tcp_server_have_ifaddrs(void);
+ 
++// Initialize (but don't start) the timer and callback to retry accept4() on a
++// listening socket after file descriptors have been exhausted. This must be
++// called when creating a new listener.
++void grpc_tcp_server_listener_initialize_retry_timer(
++    grpc_tcp_listener* listener);
++
+ #endif /* GRPC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H */
+diff --git a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
+index 574fd02d0d..a32f542c4a 100644
+--- a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
++++ b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
+@@ -18,6 +18,8 @@
+ 
+ #include <grpc/support/port_platform.h>
+ 
++#include <grpc/support/atm.h>
++
+ #include "src/core/lib/iomgr/port.h"
+ 
+ #ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON
+@@ -81,6 +83,24 @@ static int get_max_accept_queue_size(void) {
+   return s_max_accept_queue_size;
+ }
+ 
++static void listener_retry_timer_cb(void* arg, grpc_error* err) {
++  // Do nothing if cancelled.
++  if (err != GRPC_ERROR_NONE) return;
++  grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg);
++  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
++  if (!grpc_fd_is_shutdown(listener->emfd)) {
++    grpc_fd_set_readable(listener->emfd);
++  }
++}
++
++void grpc_tcp_server_listener_initialize_retry_timer(
++    grpc_tcp_listener* listener) {
++  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
++  grpc_timer_init_unset(&listener->retry_timer);
++  GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener,
++                    grpc_schedule_on_exec_ctx);
++}
++
+ static grpc_error* add_socket_to_server(grpc_tcp_server* s, int fd,
+                                         const grpc_resolved_address* addr,
+                                         unsigned port_index, unsigned fd_index,
+@@ -112,6 +132,7 @@ static grpc_error* add_socket_to_server(grpc_tcp_server* s, int fd,
+     sp->server = s;
+     sp->fd = fd;
+     sp->emfd = grpc_fd_create(fd, name.c_str(), true);
++    grpc_tcp_server_listener_initialize_retry_timer(sp);
+     memcpy(&sp->addr, addr, sizeof(grpc_resolved_address));
+     sp->port = port;
+     sp->port_index = port_index;
+-- 
+2.33.0
+

grpc.spec

@@ -1,6 +1,6 @@
 Name:          grpc
 Version:       1.31.0
-Release:       5
+Release:       10
 Summary:       A modern, open source high performance RPC framework that can run in any environment
 License:       ASL 2.0
 URL:           https://www.grpc.io
@@ -17,6 +17,12 @@ Patch0007:     add-secure-compile-option-in-Makefile.patch
 Patch0008:     fix-re2-build-error.patch
 Patch0009:     allow-grpcio-to-be-build-against-system-re2.patch
 Patch0010:     grpc-1.31.0-python-grpcio-use-system-abseil.patch
+Patch0011:     backport-Upgrade-Abseil-to-LTS-2020923.patch
+Patch0012:     backport-Generating-projects.patch
+Patch0013:     backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch
+Patch0014:     backport-iomgr-EventEngine-Improve-server-handling-o.patch
+Patch0015:     remove-cert-expired-on-20230930.patch 
+Patch0016:     remove-cert-expired-at-20250512.patch
 
 BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler gdb
 BuildRequires: openssl-devel c-ares-devel gflags-devel gtest-devel zlib-devel gperftools-devel
@@ -75,7 +81,8 @@ cmake ../../ -DgRPC_INSTALL=ON\
              -DgRPC_INSTALL_SHAREDIR=%{buildroot}%{_datadir}/%{name} \
              -DgRPC_INSTALL_PKGCONFIGDIR=%{buildroot}%{_libdir}/pkgconfig \
              -DCMAKE_INSTALL_PREFIX=%{_prefix} \
-             -DBUILD_SHARED_LIBS=ON
+             -DBUILD_SHARED_LIBS=ON \
+             -DCMAKE_VERBOSE_MAKEFILE=ON
 make -j24 V=1
 
 # build python module
@@ -124,6 +131,36 @@ cd ../..
 %{python3_sitearch}/grpcio-%{version}-py?.?.egg-info
 
 %changelog
+* Fri Jun 21 2024 zhouyihang<zhouyihang3@h-partners.com> - 1.31.0-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:remove cert expired at 20250512
+
+* Wed Nov 15 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.31.0-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:remove cert expired on 20230930
+
+* Wed Sep 20 2023 zhouyihang <zhouyihang3@h-partners.com> - 1.31.0-8
+- Type:CVE
+- ID:CVE-2023-4785
+- SUG:NA
+- DESC:fix CVE-2023-4785
+
+* Thu Oct 20 2022 zhouyihang <zhouyihang3@h-partners.com> - 1.31.0-7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add some secure compilation options
+
+* Tue Oct 11 2022 gaihuiying <eaglegai@163.com> - 1.31.0-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix adjust to abseil-cpp 20210324,since it dont provides absl_dynamic_annotations library anymore
+
 * Tue Oct 19 2021 gaihuiying <gaihuiying1@huawei.com> - 1.31.0-5
 - Type:requirement
 - ID:NA

remove-cert-expired-at-20250512.patch

@@ -0,0 +1,51 @@
+From 15327a17f80de1251e84d38dda045bbfd7061125 Mon Sep 17 00:00:00 2001
+From: renmingshuai <renmingshuai@huawei.com>
+Date: Tue, 28 May 2024 20:59:35 +0800
+Subject: [PATCH] huawei-remove-cert-expired-at-20250512
+
+---
+ etc/roots.pem | 29 -----------------------------
+ 1 file changed, 29 deletions(-)
+
+diff --git a/etc/roots.pem b/etc/roots.pem
+index c599727..d84a8f5 100644
+--- a/etc/roots.pem
++++ b/etc/roots.pem
+@@ -64,35 +64,6 @@ bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
+ fF6adulZkMV8gzURZVE=
+ -----END CERTIFICATE-----
+
+-# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+-# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+-# Label: "Baltimore CyberTrust Root"
+-# Serial: 33554617
+-# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
+-# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
+-# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
+------BEGIN CERTIFICATE-----
+-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+------END CERTIFICATE-----
+-
+ # Issuer: CN=AddTrust External CA Root O=AddTrust AB OU=AddTrust External TTP Network
+ # Subject: CN=AddTrust External CA Root O=AddTrust AB OU=AddTrust External TTP Network
+ # Label: "AddTrust External Root"
+--
+2.33.0

remove-cert-expired-on-20230930.patch

@@ -0,0 +1,51 @@
+From 924b52b761bb3fae1f9a316e6a7989f3d3be8687 Mon Sep 17 00:00:00 2001
+From: sunsuwan <sunsuwan3@huawei.com>
+Date: Tue, 8 Aug 2023 15:27:04 +0800
+Subject: [PATCH] remove cert expired on 20230930
+
+---
+ etc/roots.pem | 28 ----------------------------
+ 1 file changed, 28 deletions(-)
+
+diff --git a/etc/roots.pem b/etc/roots.pem
+index bd5911a..c599727 100644
+--- a/etc/roots.pem
++++ b/etc/roots.pem
+@@ -248,34 +248,6 @@ mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK
+ 4SVhM7JZG+Ju1zdXtg2pEto=
+ -----END CERTIFICATE-----
+ 
+-# Issuer: O=SECOM Trust.net OU=Security Communication RootCA1
+-# Subject: O=SECOM Trust.net OU=Security Communication RootCA1
+-# Label: "Security Communication Root CA"
+-# Serial: 0
+-# MD5 Fingerprint: f1:bc:63:6a:54:e0:b5:27:f5:cd:e7:1a:e3:4d:6e:4a
+-# SHA1 Fingerprint: 36:b1:2b:49:f9:81:9e:d7:4c:9e:bc:38:0f:c6:56:8f:5d:ac:b2:f7
+-# SHA256 Fingerprint: e7:5e:72:ed:9f:56:0e:ec:6e:b4:80:00:73:a4:3f:c3:ad:19:19:5a:39:22:82:01:78:95:97:4a:99:02:6b:6c
+------BEGIN CERTIFICATE-----
+-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY
+-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t
+-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5
+-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD
+-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3
+-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8
+-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ
+-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9
+-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N
+-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ
+-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G
+-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T
+-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG
+-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr
+-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5
+-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU
+-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
+-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
+------END CERTIFICATE-----
+-
+ # Issuer: CN=Sonera Class2 CA O=Sonera
+ # Subject: CN=Sonera Class2 CA O=Sonera
+ # Label: "Sonera Class 2 Root CA"
+-- 
+2.33.0
+