!46 [sync] PR-44: Update to 2024.4

From: @openeuler-sync-bot Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w
2024-04-26 02:42:16 +00:00 · 2024-04-26 02:42:16 +00:00 · ff0ba90f2a
commit ff0ba90f2a
parent de3f7db43b 1d05d6925e
12 changed files with 1958 additions and 1548 deletions
--- a/0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
+++ b/0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
@ -0,0 +1,150 @@
 From a8e53434a529e7d53514a8c44d1cec42f04b0723 Mon Sep 17 00:00:00 2001
 From: Colin Walters <walters@verbum.org>
 Date: Thu, 21 Mar 2024 10:43:07 -0400
 Subject: [PATCH] Revert "compose: Inject our static tmpfiles.d dropins
 earlier"
 This reverts commit e1e78cf9df902d895a7fce9dc719726c283e9d03.
 It breaks idempotency with osbuild.
 Closes: https://github.com/coreos/rpm-ostree/issues/4879
 ---
 rust/src/passwd.rs                         |  3 --
 src/app/rpmostree-compose-builtin-tree.cxx | 40 --------------------
 src/libpriv/rpmostree-postprocess.cxx      | 44 ++++++++++++++++++++--
 3 files changed, 41 insertions(+), 46 deletions(-)
 diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
 index 79ee488f..821497d8 100644
 --- a/rust/src/passwd.rs
 +++ b/rust/src/passwd.rs
@@ -106,9 +106,6 @@ pub fn passwd_cleanup(rootfs_dfd: i32) -> Result<()> {
 /// in /usr/etc at this point), and splitting it into two streams: a new
 /// /etc/passwd that just contains the root entry, and /usr/lib/passwd which
 /// contains everything else.
 -///
 -/// Note: the presence of /usr/lib/passwd is used in postprocess_final() to make
 -/// it idempotent. See related comment there.
 #[context("Migrating 'passwd' to /usr/lib")]
 pub fn migrate_passwd_except_root(rootfs_dfd: i32) -> CxxResult<()> {
     static ETCSRC_PATH: &str = "usr/etc/passwd";
 diff --git a/src/app/rpmostree-compose-builtin-tree.cxx b/src/app/rpmostree-compose-builtin-tree.cxx
 index 1f2862f8..63648288 100644
 --- a/src/app/rpmostree-compose-builtin-tree.cxx
 +++ b/src/app/rpmostree-compose-builtin-tree.cxx
@@ -477,46 +477,6 @@ install_packages (RpmOstreeTreeComposeContext *self, gboolean *out_unmodified,
                                         std::string (previous_ref), opt_unified_core),
               error);
 -  /* Assembly will regen the rpm-ostree-autovar.conf tmpfiles.d dropin; let's
 -   * make sure to add our own static dropins before that so that they're taken
 -   * into account when looking for dupes. */
 -  g_print ("Adding rpm-ostree-0-integration.conf\n");
 -
 -  /* This is useful if we're running in an uninstalled configuration, e.g.
 -   * during tests. */
 -  const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR;
 -  glnx_autofd int pkglibdir_dfd = -1;
 -  if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error))
 -    return FALSE;
 -
 -  if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error))
 -    return FALSE;
 -
 -  if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd,
 -                          "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf",
 -                          GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
 -                          cancellable, error))
 -    return FALSE;
 -
 -  if ((*self->treefile_rs)->get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay)
 -    {
 -      if (!glnx_file_copy_at (
 -              pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd,
 -              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf",
 -              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
 -              cancellable, error))
 -        return FALSE;
 -    }
 -  else
 -    {
 -      if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL,
 -                              rootfs_dfd,
 -                              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf",
 -                              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
 -                              cancellable, error))
 -        return FALSE;
 -    }
 -
   if (opt_unified_core)
     {
       if (!rpmostree_context_import (self->corectx, cancellable, error))
 diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
 index 9b5cdec7..311de70f 100644
 --- a/src/libpriv/rpmostree-postprocess.cxx
 +++ b/src/libpriv/rpmostree-postprocess.cxx
@@ -368,12 +368,13 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
 {
   GLNX_AUTO_PREFIX_ERROR ("Finalizing rootfs", error);
 -  /* Use the presence of /usr/lib/passwd as an "idempotence" marker to
 +  /* Use installation of the tmpfiles integration as an "idempotence" marker to
    * avoid doing postprocessing twice, which can happen when mixing `compose
    * postprocess-root` with `compose commit`.
    */
 -  const char usr_lib_passwd[] = "usr/lib/password";
 -  if (!glnx_fstatat_allow_noent (rootfs_dfd, usr_lib_passwd, NULL, AT_SYMLINK_NOFOLLOW, error))
 +  const char tmpfiles_integration_path[] = "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf";
 +  if (!glnx_fstatat_allow_noent (rootfs_dfd, tmpfiles_integration_path, NULL, AT_SYMLINK_NOFOLLOW,
 +                                 error))
     return FALSE;
   if (errno == 0)
     return TRUE;
@@ -446,6 +447,43 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
   if (!rpmostree_rootfs_postprocess_common (rootfs_dfd, cancellable, error))
     return FALSE;
 +  g_print ("Adding rpm-ostree-0-integration.conf\n");
 +  /* This is useful if we're running in an uninstalled configuration, e.g.
 +   * during tests. */
 +  const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR;
 +  glnx_autofd int pkglibdir_dfd = -1;
 +
 +  if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error))
 +    return FALSE;
 +
 +  if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error))
 +    return FALSE;
 +
 +  if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd,
 +                          tmpfiles_integration_path,
 +                          GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
 +                          cancellable, error))
 +    return FALSE;
 +
 +  if (treefile.get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay)
 +    {
 +      if (!glnx_file_copy_at (
 +              pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd,
 +              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf",
 +              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
 +              cancellable, error))
 +        return FALSE;
 +    }
 +  else
 +    {
 +      if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL,
 +                              rootfs_dfd,
 +                              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf",
 +                              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
 +                              cancellable, error))
 +        return FALSE;
 +    }
 +
   /* Handle kernel/initramfs if we're not doing a container */
   if (!container)
     {
 -- 
 2.43.0
--- a/0001-add-loongarch64-support-not-upstream-modified-files.patch
+++ b/0001-add-loongarch64-support-not-upstream-modified-files.patch
--- a/0001-fix-compose-err.patch
+++ b/0001-fix-compose-err.patch
@ -1,26 +1,26 @@
-From a0558cf0f93f9278301ad59c13081ae86a9bf72d Mon Sep 17 00:00:00 2001
+From 4f76ecdf729cad9c6ba0cac2bbaff8c140f01220 Mon Sep 17 00:00:00 2001
-From: chendexi <chendexi@kylinos.cn>
+From: rpm-build <rpm-build>
-Date: Wed, 21 Feb 2024 10:36:06 +0800
+Date: Wed, 17 Jan 2024 01:30:02 +0800
-Subject: [PATCH 1/2] fix-compose-err
+Subject: [PATCH 1/4] fix compose err
 ---
 rust/src/scripts.rs | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/rust/src/scripts.rs b/rust/src/scripts.rs
-index e597863..149389a 100644
+index 078322a..766c82f 100644
 --- a/rust/src/scripts.rs
 +++ b/rust/src/scripts.rs
-@@ -17,6 +17,9 @@ use phf::phf_set;
+@@ -16,6 +16,9 @@ use phf::phf_set;
 ///
 /// NOTE FOR GIT history: This list used to live in src/libpriv/rpmostree-script-gperf.gperf
 static IGNORED_PKG_SCRIPTS: phf::Set<&'static str> = phf_set! {
     "glibc.prein",
 +    "glibc-common.posttrans",
 +    "grub2-efi-x64.prein",
 +    "grub2-efi-aa64.prein",
     "glibc.prein",
     // We take over depmod/dracut etc.  It's `kernel` in C7 and kernel-core in F25+
     // XXX: we should probably change this to instead ignore based on the kernel virtual Provides
     "kernel.posttrans",
 -- 
-2.25.1
+2.33.0
--- a/0001-passwd-create-etc-g-shadow-with-mode-0.patch
+++ b/0001-passwd-create-etc-g-shadow-with-mode-0.patch
@ -0,0 +1,83 @@
 From fb2d5dd809bf28b600b0531172da3d3dbe270918 Mon Sep 17 00:00:00 2001
 From: Jonathan Lebon <jonathan@jlebon.com>
 Date: Tue, 19 Mar 2024 15:20:43 -0400
 Subject: [PATCH 1/2] passwd: create `/etc/[g]shadow` with mode 0
 Because of how our composes work, we need to manually inject
 passwd-related things before installing packages. A somewhat recent
 regression in that area made it so that the `/etc/shadow` and
 `/etc/gshadow` files were created with default permissions (0644), which
 meant they were world readable.
 Fix this by explicitly setting their modes to 0. Ideally, we would rely
 on the canonical permissions set in the `setup` package here, but it's
 tricky to fix that without reworking how we install `setup` and handle
 `passwd` treefile options.
 Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
 `etc/{passwd,group}`").
 Fixes #4401
 ---
 rust/src/passwd.rs             | 14 ++++++++++++++
 tests/compose/libbasic-test.sh |  5 +++++
 2 files changed, 19 insertions(+)
 diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
 index 821497d8..a64f6468 100644
 --- a/rust/src/passwd.rs
 +++ b/rust/src/passwd.rs
@@ -418,6 +418,12 @@ fn write_data_from_treefile(
     let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
     let shadow_name = target.shadow_file();
     let target_shadow_path = format!("{}{}", dest_path, shadow_name);
 +    // Ideally these permissions come from `setup`, which is the package
 +    // that owns these files:
 +    // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
 +    // But at this point of the compose, the rootfs is completely empty; we
 +    // haven't started unpacking things yet. So we need to hardcode it here.
 +    let shadow_perms = cap_std::fs::Permissions::from_mode(0);
     match target {
         PasswdKind::User => {
@@ -427,6 +433,10 @@ fn write_data_from_treefile(
                     for user in entries {
                         writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
                     }
 +                    target_shadow
 +                        .get_mut()
 +                        .as_file_mut()
 +                        .set_permissions(shadow_perms)?;
                     Ok(())
                 })
                 .with_context(|| format!("Writing {target_shadow_path}"))?;
@@ -438,6 +448,10 @@ fn write_data_from_treefile(
                     for group in entries {
                         writeln!(target_shadow, "{}:::", group.name)?;
                     }
 +                    target_shadow
 +                        .get_mut()
 +                        .as_file_mut()
 +                        .set_permissions(shadow_perms)?;
                     Ok(())
                 })
                 .with_context(|| format!("Writing {target_shadow_path}"))?;
 diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
 index 0a751760..3f7c6d8a 100644
 --- a/tests/compose/libbasic-test.sh
 +++ b/tests/compose/libbasic-test.sh
@@ -22,6 +22,11 @@ validate_passwd group
 ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
 assert_file_has_content_literal passwd.txt '00644 '
 +ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
 +assert_file_has_content_literal shadow.txt '00000 '
 +ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
 +assert_file_has_content_literal gshadow.txt '00000 '
 +
 ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
 assert_file_has_content_literal useradd.txt HOME=/var/home
 -- 
 2.44.0
--- a/0002-add-sw_64-support-not-upstream-modified-files.patch
+++ b/0002-add-sw_64-support-not-upstream-modified-files.patch
--- a/0002-unit-chmod-etc-g-shadow-to-0000.patch
+++ b/0002-unit-chmod-etc-g-shadow-to-0000.patch
@ -0,0 +1,79 @@
 From 0f7016046b833a55c57f9429cab83d185e1b5147 Mon Sep 17 00:00:00 2001
 From: jbtrystram <jbtrystram@redhat.com>
 Date: Thu, 21 Mar 2024 17:27:21 +0100
 Subject: [PATCH 2/2] unit: chmod /etc/[g]shadow[-] to 0000
 fdb879c introduced a regression where /etc/[g]shadow[-] files where
 created with default permissions: 0644
 This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
 before interactive login is allowed on a system.
 This will fix the systems that were deployed with the above issue.
 We keep the stamp in /etc to account for the case where a deployment
 with this unit is rolled back. If we used /var, the stamp would have
 stayed but the fix would not be re-applied on the next update.
 ---
 Makefile-daemon.am                            |  1 +
 packaging/rpm-ostree.spec.in                  |  5 +++++
 src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
 diff --git a/Makefile-daemon.am b/Makefile-daemon.am
 index 4233d90d..f96f49a9 100644
 --- a/Makefile-daemon.am
 +++ b/Makefile-daemon.am
@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
 	rpm-ostreed-automatic.service \
 	rpm-ostree-bootstatus.service \
 	rpm-ostree-countme.service \
 +	rpm-ostree-fix-shadow-mode.service \
 	$(NULL)
 systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
 diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
 index 8aa9afaa..f734f676 100644
 --- a/packaging/rpm-ostree.spec.in
 +++ b/packaging/rpm-ostree.spec.in
@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
 # Setup rpm-ostree-countme.timer according to presets
 %post
 %systemd_post rpm-ostree-countme.timer
 +# Only enable on rpm-ostree based systems and manually force unit enablement to
 +# explicitly ignore presets for this security fix
 +if [ -e /run/ostree-booted ]; then
 +    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
 +fi
 %preun
 %systemd_preun rpm-ostree-countme.timer
 diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
 new file mode 100644
 index 00000000..4aea7462
 --- /dev/null
 +++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -0,0 +1,19 @@
 +[Unit]
 +# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
 +# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
 +Description=Update permissions for /etc/shadow
 +Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
 +ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
 +ConditionPathExists=/run/ostree-booted
 +# Make sure this is started before any unprivileged (interactive) user has access to the system.
 +Before=systemd-user-sessions.service
 +
 +[Service]
 +Type=oneshot
 +ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
 +ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
 +ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
 +RemainAfterExit=yes
 +
 +[Install]
 +WantedBy=multi-user.target
 -- 
 2.44.0
--- a/0003-add-for-support-NestOS-kernel.patch
+++ b/0003-add-for-support-NestOS-kernel.patch
@ -0,0 +1,25 @@
 From 4807c26a992f43ae62e29274f0c0bc0969d2fed7 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 17 Jan 2024 05:58:25 +0800
 Subject: [PATCH 3/4] add for support NestOS kernel
 ---
 rust/src/scripts.rs | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/rust/src/scripts.rs b/rust/src/scripts.rs
 index f7f6e8f..84c6f0d 100644
 --- a/rust/src/scripts.rs
 +++ b/rust/src/scripts.rs
@@ -43,6 +43,8 @@ static IGNORED_PKG_SCRIPTS: phf::Set<&'static str> = phf_set! {
     "kernel-64k-modules.posttrans",
     "kernel-64k-debug-core.posttrans",
     "kernel-64k-debug-modules.posttrans",
 +    // add for support NestOS kernel
 +    "NestOS-kernel.posttrans",
     // Additionally ignore posttrans scripts for the Oracle Linux `kernel-uek` package
     "kernel-uek.posttrans",
     // Legacy workaround
 -- 
 2.33.0
--- a/1000-add-loongarch64-support-not-upstream-modified-files.patch
+++ b/1000-add-loongarch64-support-not-upstream-modified-files.patch
--- a/1001-add-sw_64-support-not-upstream-modified-files.patch
+++ b/1001-add-sw_64-support-not-upstream-modified-files.patch
--- a/add-for-support-NestOS-kernel.patch
+++ b/add-for-support-NestOS-kernel.patch
@ -1,25 +0,0 @@
 From f28e2c7d00c99a7b7c34ba15caaed1c7f0911a65 Mon Sep 17 00:00:00 2001
 From: chendexi <chendexi@kylinos.cn>
 Date: Wed, 21 Feb 2024 10:38:06 +0800
 Subject: [PATCH 2/2] add-for-support-NestOS-kernel
 ---
 rust/src/scripts.rs | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/rust/src/scripts.rs b/rust/src/scripts.rs
 index 149389a..07f12d7 100644
 --- a/rust/src/scripts.rs
 +++ b/rust/src/scripts.rs
@@ -20,6 +20,8 @@ static IGNORED_PKG_SCRIPTS: phf::Set<&'static str> = phf_set! {
     "glibc-common.posttrans",
     "grub2-efi-x64.prein",
     "grub2-efi-aa64.prein",
 +    // add for support NestOS kernel
 +    "NestOS-kernel.posttrans",
     // We take over depmod/dracut etc.  It's `kernel` in C7 and kernel-core in F25+
     // XXX: we should probably change this to instead ignore based on the kernel virtual Provides
     "kernel.posttrans",
 -- 
 2.25.1
--- a/rpm-ostree-2024.4.tar.xz
+++ b/rpm-ostree-2024.4.tar.xz
--- a/rpm-ostree.spec
+++ b/rpm-ostree.spec
@ -1,18 +1,15 @@
-%bcond_without rust
+Name:       rpm-ostree
-%global __requires_exclude ^libdnf[.]so[.].*$
+Version:    2024.4
-%global __provides_exclude_from ^%{_libdir}/%{name}/.*$
+Release:    1
-
+Summary:    Hybrid image/package system
-Name:		rpm-ostree
+License:    LGPL-2.0-or-later
-Version:	2023.7
+URL:        https://github.com/coreos/rpm-ostree
-Release:	2
+Source0:    https://github.com/coreos/rpm-ostree/releases/download/v%{version}/%{name}-%{version}.tar.xz
-Summary:	Hybrid image/package system
+Patch0:     0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
-License:	LGPL-2.0-or-later
+Patch1:     0001-passwd-create-etc-g-shadow-with-mode-0.patch
-URL:		https://github.com/coreos/rpm-ostree
+Patch2:     0002-unit-chmod-etc-g-shadow-to-0000.patch
-Source0:	https://github.com/coreos/rpm-ostree/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Patch3:     0001-fix-compose-err.patch
-Patch0:         fix-compose-err.patch
+Patch4:     0003-add-for-support-NestOS-kernel.patch
 Patch1:         add-for-support-NestOS-kernel.patch
 Patch2:         fix-CVE-2024-2905.patch
 %if %{with rust}
 %if !%{defined rust_arches}
 %define rust_arches x86_64 i686 armv7hl aarch64 ppc64 ppc64le s390x riscv64 loongarch64 sw_64
@ -21,33 +18,116 @@ Patch2:         fix-CVE-2024-2905.patch
 ExclusiveArch: %{rust_arches}
 %ifarch loongarch64
-Patch1000:  1000-add-loongarch64-support-not-upstream-modified-files.patch
+Patch5:  0001-add-loongarch64-support-not-upstream-modified-files.patch
 %endif
 %ifarch sw_64
-Patch1001:  1001-add-sw_64-support-not-upstream-modified-files.patch
+Patch6:  0002-add-sw_64-support-not-upstream-modified-files.patch
 %endif
-%if %{defined rusttoolset_version}
+BuildRequires: make
-BuildRequires: %{rusttoolset_version}-cargo
+BuildRequires: rust-packaging
-%else
+BuildRequires: cargo
-BuildRequires:	 cargo 
+BuildRequires: rust
 # Enable ASAN + UBSAN
 %bcond_with sanitizers
 # Embedded unit tests
 %bcond_with bin_unit_tests
 %bcond_with zchunk
 # For the autofiles bits below
 BuildRequires: python3-devel
 # We always run autogen.sh
 BuildRequires: autoconf automake libtool git
 # For docs
 BuildRequires: chrpath
 BuildRequires: gtk-doc
 BuildRequires: /usr/bin/g-ir-scanner
 # Core requirements
 # One way to check this: `objdump -p /path/to/rpm-ostree | grep LIBOSTREE` and pick the highest (though that might miss e.g. new struct members)
 BuildRequires: pkgconfig(ostree-1) >= 2023.7
 BuildRequires: pkgconfig(polkit-gobject-1)
 BuildRequires: pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(rpm) >= 4.16.0
 BuildRequires: pkgconfig(libarchive)
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: libcap-devel
 BuildRequires: libattr-devel
 # We currently interact directly with librepo (libdnf below also pulls it in,
 # but duplicating to be clear)
 BuildRequires: pkgconfig(librepo)
 # Needed by curl-rust
 BuildRequires: pkgconfig(libcurl)
 BuildRequires: cmake
 BuildRequires: pkgconfig(expat)
 BuildRequires: pkgconfig(check)
 # We use some libsolv types directly too (libdnf below also pulls it in,
 # but duplicating to be clear)
 BuildRequires: pkgconfig(libsolv)
 # These are build deps which aren't strictly required in Koji/Brew builds, but
 # are required for git builds. Since they're few and tiny, we just add it here
 # to keep it part of `dnf builddep`.
 BuildRequires: jq
 #########################################################################
 #                         libdnf build deps                             #
 #                                                                       #
 # Copy/pasted from libdnf/libdnf.spec. Removed the irrelevant bits like #
 # valgrind, rhsm, swig, python, and sanitizer stuff.                    #
 #########################################################################
 %global libsolv_version 0.7.21
 %global libmodulemd_version 2.13.0
 %global librepo_version 1.13.1
 BuildRequires:  cmake
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  libsolv-devel >= %{libsolv_version}
 BuildRequires:  pkgconfig(librepo) >= %{librepo_version}
 BuildRequires:  pkgconfig(check)
 BuildRequires:  pkgconfig(gio-unix-2.0) >= 2.50.0
 BuildRequires:  pkgconfig(gtk-doc)
 BuildRequires:  rpm-devel >= 4.16.0
 %if %{with zchunk}
 BuildRequires:  pkgconfig(zck) >= 0.9.11
 %endif
 BuildRequires:  pkgconfig(sqlite3)
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(cppunit)
 BuildRequires:  pkgconfig(modulemd-2.0) >= %{libmodulemd_version}
 BuildRequires:  pkgconfig(smartcols)
 BuildRequires:  gettext
 BuildRequires:  gpgme-devel
-%endif
+Requires:       libmodulemd%{?_isa} >= %{libmodulemd_version}
 Requires:       libsolv%{?_isa} >= %{libsolv_version}
 Requires:       librepo%{?_isa} >= %{librepo_version}
-BuildRequires:   /usr/bin/python3 autoconf automake libtool git chrpath libattr-devel 
+#########################################################################
-BuildRequires:   gtk-doc gperf gnome-common /usr/bin/g-ir-scanner ostree-devel cmake
+#                     end of libdnf build deps                          #
-BuildRequires:   polkit-devel json-glib-devel rpm-devel libarchive-devel systemd-devel 
+#########################################################################
 BuildRequires:   libcap-devel libcurl-devel librepo-devel expat-devel check-devel 
 BuildRequires:   pkgconfig(libsolv) gcc gcc-c++
 BuildRequires:   chrpath jq glib2-devel sqlite-devel json-c-devel cppunit-devel
 BuildRequires:   libmodulemd-devel libsmartcols-devel gettext gpgme-devel make
-Requires:	 ostree bubblewrap fuse 
+# For now...see https://github.com/projectatomic/rpm-ostree/pull/637
 # and https://github.com/fedora-infra/fedmsg-atomic-composer/pull/17
 # etc.  We'll drop this dependency at some point in the future when
 # rpm-ostree wraps more of ostree (such as `ostree admin unlock` etc.)
 Requires: ostree
 Requires: bubblewrap
 Requires: fuse
-Provides:        rpm-ostree-libs = %{version}-%{release}
+# For container functionality
-Obsoletes:       rpm-ostree-libs < %{version}-%{release}
+# https://github.com/coreos/rpm-ostree/issues/3286
 Requires: skopeo
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %description
 rpm-ostree is a hybrid image/package system.  It supports
@ -57,39 +137,85 @@ Additionally, unlike many "pure" image systems, with rpm-ostree
 each client system can layer on additional packages, providing
 a "best of both worlds" approach.
-%package         devel
+%package libs
-Summary:         Header files for rpm-ostree
+Summary: Shared library for %{name}
 Requires:        %{name} = %{version}-%{release}
-%description     devel
+%description libs
-Header files for rpm-ostree.
+The %{name}-libs package includes the shared library for %{name}.
-%package_help
+%package devel
 Summary: Development headers for %{name}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %description devel
 The %{name}-devel package includes the header files for %{name}-libs.
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -Sgit -n %{name}-%{version} -p1
 %if 0%{?__isa_bits} == 32
 sed -ie 's,^lto = true,lto = false,' Cargo.toml
 %endif
 %build
-%{?rusttoolset} env NOCONFIGURE=1 ./autogen.sh
+env NOCONFIGURE=1 ./autogen.sh
-%configure --disable-silent-rules --enable-gtk-doc \
+# Since we're hybrid C++/Rust we need to propagate this manually;
-           %{?with_rust:--enable-rust}
+# the %%configure macro today assumes (reasonably) that one is building
 # C/C++ and sets C{,XX}FLAGS
 %if 0%{?build_rustflags:1}
 export RUSTFLAGS="%{build_rustflags}"
 %endif
 %configure --disable-silent-rules --enable-gtk-doc %{?rpmdb_default} %{?with_sanitizers:--enable-sanitizers} %{?with_bin_unit_tests:--enable-bin-unit-tests}
-%{?rusttoolset} %make_build
+%make_build
 %install
-%{?rusttoolset}  %make_install INSTALL="install -p -c"
+%make_install INSTALL="install -p -c"
-%delete_la 
+find $RPM_BUILD_ROOT -name '*.la' -delete
-chrpath -d %{buildroot}%{_libdir}/librpmostree-1.so.1.0.0
+cat > autofiles.py <<EOF
-chrpath -d %{buildroot}%{_bindir}/rpm-ostree
+import os,sys,glob
 os.chdir(os.environ['RPM_BUILD_ROOT'])
 for line in sys.argv[1:]:
    if line == '':
        break
    if line[0] != '/':
        sys.stdout.write(line + '\n')
    else:
        files = glob.glob(line[1:])
        if len(files) > 0:
            sys.stderr.write('{0} matched {1} files\n'.format(line, len(files)))
            sys.stdout.write(line + '\n')
        else:
            sys.stderr.write('{0} did not match any files\n'.format(line))
 EOF
 PYTHON=python3
 if ! test -x /usr/bin/python3; then
    PYTHON=python2
 fi
 $PYTHON autofiles.py > files \
  '%{_bindir}/*' \
  '%{_libdir}/%{name}' \
  '%{_mandir}/man*/*' \
  '%{_datadir}/dbus-1/system.d/*' \
  '%{_sysconfdir}/rpm-ostreed.conf' \
  '%{_prefix}/lib/systemd/system/*' \
  '%{_libexecdir}/rpm-ostree*' \
  '%{_libexecdir}/libostree/ext/*' \
  '%{_datadir}/polkit-1/actions/*.policy' \
  '%{_datadir}/dbus-1/system-services/*' \
  '%{_datadir}/bash-completion/completions/*'
-mkdir -p %{buildroot}/etc/ld.so.conf.d
+$PYTHON autofiles.py > files.lib \
-echo "%{_libdir}/%{name}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
+  '%{_libdir}/*.so.*' \
  '%{_libdir}/girepository-1.0/*.typelib'
-%ldconfig_scriptlets
+$PYTHON autofiles.py > files.devel \
-
+  '%{_libdir}/lib*.so' \
-install -d -m 0755 %{buildroot}/etc/dbus-1/system.d/
+  '%{_includedir}/*' \
-install -pm 0644 src/daemon/org.projectatomic.rpmostree1.conf %{buildroot}/etc/dbus-1/system.d/
+  '%{_datadir}/dbus-1/interfaces/org.projectatomic.rpmostree1.xml' \
  '%{_libdir}/pkgconfig/*' \
  '%{_datadir}/gtk-doc/html/*' \
  '%{_datadir}/gir-1.0/*-1.0.gir'
 # Setup rpm-ostree-countme.timer according to presets
 %post
@ -106,39 +232,17 @@ fi
 %postun
 %systemd_postun_with_restart rpm-ostree-countme.timer
-%files
+%files -f files
-%defattr(-,root,root)
+%doc COPYING.GPL COPYING.LGPL LICENSE README.md
 %doc README.md
 %license COPYING.*
 %{_bindir}/*
 %{_sysconfdir}/dbus-1/system.d/*
 %{_sysconfdir}/rpm-ostreed.conf
 %{_libdir}/*.so.*
 %{_libdir}/rpm-ostree/*
 %{_libdir}/girepository-1.0/*
 %{_libexecdir}/rpm-ostree*
 %{_libexecdir}/libostree/*
 %{_prefix}/lib/systemd/system/*
 %{_datadir}/dbus-1/system-services
 %{_datadir}/polkit-1/actions/*.policy
 %{_datadir}/dbus-1/system.d/org.projectatomic.rpmostree1.conf
 %{_datadir}/bash-completion/completions/rpm-ostree
 %config(noreplace) /etc/ld.so.conf.d/*
-%files       devel
+%files libs -f files.lib
 %defattr(-,root,root)
 %{_libdir}/*.so
 %{_includedir}/*
 %{_libdir}/pkgconfig/*
 %{_datadir}/gtk-doc/html/*
 %{_datadir}/gir-1.0/*-1.0.gir
 %{_datadir}/dbus-1/interfaces/org.projectatomic.rpmostree1.xml
-%files       help
+%files devel -f files.devel
 %defattr(-,root,root)
 %{_mandir}/man*/*
 %changelog
 * Mon Apr 22 2024 lijian <lijian2@kylinos.cn> - 2024.4-1
 - Update to 2024.4
 * Wed Apr 10 2024 chendexi <chendexi@kylinos.cn> - 2023.7-2
 - Synchronize upstream spec file modifications
 - Fix CVE-2024-2905