fix: add openssl replace_requires to vfx Conan profiles

[aloysbaillet]

Summary

• openssl replace_requires: Conan 2 replaces (not merges) [replace_requires] sections when a child profile defines its own. After openssl was moved to common-wrappers (99175a6) and removed from vfx profiles (d95cc87), the openssl mapping from parent ci_common* profiles was silently lost. Adds explicit openssl/* entries to vfx2024, vfx2025, and vfx2026 profiles.
• ASWF_PYSIDE_CLANG_VERSION: The packages/common/Dockerfile was hardcoding ASWF_PYSIDE_CLANG_VERSION to ASWF_CLANG_VERSION, ignoring the ARG from versions.yaml. This caused PySide to use the wrong clang version.
• Explicit cache mount IDs: Added id=aswf-conan-cache and id=aswf-ccache to BuildKit cache mounts in both the package builder and CI image Dockerfiles for more predictable cache sharing.
• nss version: Corrected nss version from 3.112.0 to 3.101.0 in all vfx profiles and versions.yaml. The nss conanfile detects the version from the system, and the CUDA base image ships nss 3.101.0, not 3.112.0. This was causing Qt builds to fail in both CI and local builds.

Test plan

• CI docker build passes the cpython package build step (openssl fix)
• CI docker build passes the Qt package build step (nss version fix)
• CI docker build passes the PySide package build step (clang version fix)
• Full VFX 2026 pipeline completes without package resolution errors

🤖 Generated with Claude Code

[jfpanisset]

As per:

https://dl.rockylinux.org/pub/rocky/8.10/AppStream/x86_64/os/Packages/n/

Although the first release of Rocky 8.10 had nss-3.90.0-7 from 2024-05-23, since then there have been a number of updates:

• 3.101.0-7 on 2024-09-16
• 3.101.0-11 on 2024-12-21
• 3.112.0-4 on 2025-09-10

For vfx2024-2025-2026 the base image as per ci-baseos-gl-conan/image.yaml is:

 ${ASWF_BASEOS_IMAGE}:${ASWF_CUDA_VERSION}-runtime-${ASWF_BASEOS_DISTRO}

which resolves to:

vfx2024: nvidia/cuda:12.6.3-runtime-rockylinux8
vfx2025: nvidia/cuda:12.6.3-runtime-rockylinux8
vfx2026: nvidia/cuda:12.9.1-runtime-rockylinux8

Those base images don't have nss-3 in them, that gets installed by scripts/common/install_yumpackages.sh, which will get you nss-3.112.0-4

Looking at the latest set of images which were refreshed a few weeks ago, they also seem to have nss-3.112.0-4 in them:

$ docker image pull aswf/ci-baseos-gl-conan:6.3
$ docker run --rm  aswf/ci-baseos-gl-conan:6.3 rpm -qa | grep nss-3
nss-3.112.0-4.el8_10.x86_64

Detecting that a base image needs to be refresh / rebuilt is not simple. Where did you run across a base image that still had nss-3.101 in it?

[jfpanisset]

For the openssl issue, I believe the problem is caused by an obsolete version specified in versions.yaml, I just merged a fix here:

5815057

For the issue with nss, I saw this in a failed build:

ERROR: Package 'nss/3.112.0@aswftesting/vfx2026' not resolved: Unable to find 'nss/3.112.0@aswftesting/vfx2026' in remotes.

I'm investigating why this is, the code in packages/conan/recipes/nss/conanfile.py is supposed to get the version from /usr/lib64/pkgconfig/nss.pc should be setting the version to 3.112.0

[jfpanisset]

I don't think any version of nss is included in the CUDA base images, either the 12.6.3 which is used for vfx2024 and vfx2025, or the 12.9.1 for vfx2026:

$ docker run -it --rm nvidia/cuda:12.6.3-runtime-rockylinux8 rpm -qa | grep nss-
$ docker run -it --rm nvidia/cuda:12.9.1-runtime-rockylinux8 rpm -qa | grep nss-

And unless different Rocky Linux mirrors have different contents (which is definitely not impossible), when scripts/common/install-yumpackages.sh does:

yum install --setopt=tsflags=nodocs -y \
...
nss \
nss-devel \
...

I end up with:

[root@8ebccabae70f /]# rpm -qa | grep nss-3
nss-3.112.0-4.el8_10.x86_64

We've seen similar issues before where unavailable Rocky Linux mirrors would cause build failures:

#299

Some discussion here:

https://forums.rockylinux.org/t/mirror-list-mirrors-rockylinux-org-is-serving-out-of-sync-repositories-for-both-rl9-and-rl8/19756

I wonder if you tried switch from mirrors.rockylinux.org to dl.rockylinux.org if you'd end up with nss-3.112.0?

[jfpanisset]

I just tried:

curl 'https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8.10' > /tmp/repos.txt
for url in $(cat /tmp/repos.txt); do echo $url; curl -OL $url/Packages/n/nss-3.112.0-4.el8_10.x86_64.rpm; done

and all the repos seemed to have nss-3.112.0...

Perhaps worth trying to replace dnf clean all with dnf upgrade --refresh in install_yumpackages.sh ?