Import from CS git

.gitignore

@@ -1 +1 @@
-SOURCES/osbuild-composer-75.tar.gz
+SOURCES/osbuild-composer-101.tar.gz

.osbuild-composer.metadata

@@ -1 +1 @@
-b03146ce367157bf2ea8028c1a9bdbf27e69de97 SOURCES/osbuild-composer-75.tar.gz
+0feb86b5dcd146ce5b87816ae482eb50ed507c16 SOURCES/osbuild-composer-101.tar.gz

SOURCES/CVE-2025-30204.patch

@@ -0,0 +1,391 @@
+diff --git a/go.mod b/go.mod
+index f571516..d3d329f 100644
+--- a/go.mod
++++ b/go.mod
+@@ -23,7 +23,7 @@ require (
+ 	github.com/getkin/kin-openapi v0.93.0
+ 	github.com/getsentry/sentry-go v0.26.0
+ 	github.com/gobwas/glob v0.2.3
+-	github.com/golang-jwt/jwt/v4 v4.5.0
++	github.com/golang-jwt/jwt/v4 v4.5.2
+ 	github.com/google/go-cmp v0.6.0
+ 	github.com/google/uuid v1.6.0
+ 	github.com/gophercloud/gophercloud v1.9.0
+@@ -114,7 +114,7 @@ require (
+ 	github.com/go-openapi/validate v0.22.1 // indirect
+ 	github.com/gogo/protobuf v1.3.2 // indirect
+ 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+-	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
++	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+ 	github.com/golang/glog v1.1.2 // indirect
+ 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ 	github.com/golang/protobuf v1.5.3 // indirect
+diff --git a/go.sum b/go.sum
+index 5996751..488870b 100644
+--- a/go.sum
++++ b/go.sum
+@@ -251,10 +251,11 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
+ github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+-github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+-github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
++github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
++github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
++github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
++github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+ github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
+ github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..0fc510a 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	//
+@@ -36,19 +38,21 @@ func NewParser(options ...ParserOption) *Parser {
+ 	return p
+ }
+ 
+-// Parse parses, validates, verifies the signature and returns the parsed token.
+-// keyFunc will receive the parsed token and should return the key for validating.
++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
++// receive the parsed token and should return the key for validating.
+ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+ 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+ }
+ 
+-// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
+-// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
+-// than the default MapClaims implementation of Claims.
++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
++// implementing the Claims interface. This provides default values which can be overridden and
++// allows a caller to use their own type, rather than the default MapClaims implementation of
++// Claims.
+ //
+-// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
+-// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
+-// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
++// claims, otherwise you might run into a panic.
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+ 	token, parts, err := p.ParseUnverified(tokenString, claims)
+ 	if err != nil {
+@@ -85,12 +89,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ 	}
+ 
++	// Perform validation
++	token.Signature = parts[2]
++	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++	}
++
+ 	vErr := &ValidationError{}
+ 
+ 	// Validate Claims
+ 	if !p.SkipClaimsValidation {
+ 		if err := token.Claims.Valid(); err != nil {
+-
+ 			// If the Claims Valid returned an error, check if it is a validation error,
+ 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ 			if e, ok := err.(*ValidationError); !ok {
+@@ -98,22 +107,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 			} else {
+ 				vErr = e
+ 			}
++			return token, vErr
+ 		}
+ 	}
+ 
+-	// Perform validation
+-	token.Signature = parts[2]
+-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+-		vErr.Inner = err
+-		vErr.Errors |= ValidationErrorSignatureInvalid
+-	}
+-
+-	if vErr.valid() {
+-		token.Valid = true
+-		return token, nil
+-	}
++	// No errors so far, token is valid.
++	token.Valid = true
+ 
+-	return token, vErr
++	return token, nil
+ }
+ 
+ // ParseUnverified parses the token but doesn't validate the signature.
+@@ -123,9 +124,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -175,3 +177,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md
+index 964598a..0bb636f 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/README.md
++++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
+@@ -10,11 +10,11 @@ implementation of [JSON Web
+ Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
+ 
+ Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
+-this project adds Go module support, but maintains backwards compatibility with
++this project adds Go module support, but maintains backward compatibility with
+ older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
+ [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
+ v5.0.0 introduces major improvements to the validation of tokens, but is not
+-entirely backwards compatible. 
++entirely backward compatible. 
+ 
+ > After the original author of the library suggested migrating the maintenance
+ > of `jwt-go`, a dedicated team of open source maintainers decided to clone the
+@@ -24,7 +24,7 @@ entirely backwards compatible.
+ 
+ 
+ **SECURITY NOTICE:** Some older versions of Go have a security issue in the
+-crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue
++crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue
+ [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
+ detail.
+ 
+@@ -32,7 +32,7 @@ detail.
+ what you
+ expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
+ This library attempts to make it easy to do the right thing by requiring key
+-types match the expected alg, but you should take the extra step to verify it in
++types to match the expected alg, but you should take the extra step to verify it in
+ your usage.  See the examples provided.
+ 
+ ### Supported Go versions
+@@ -41,7 +41,7 @@ Our support of Go versions is aligned with Go's [version release
+ policy](https://golang.org/doc/devel/release#policy). So we will support a major
+ version of Go until there are two newer major releases. We no longer support
+ building jwt-go with unsupported Go versions, as these contain security
+-vulnerabilities which will not be fixed.
++vulnerabilities that will not be fixed.
+ 
+ ## What the heck is a JWT?
+ 
+@@ -117,7 +117,7 @@ notable differences:
+ 
+ This library is considered production ready.  Feedback and feature requests are
+ appreciated.  The API should be considered stable.  There should be very few
+-backwards-incompatible changes outside of major version updates (and only with
++backward-incompatible changes outside of major version updates (and only with
+ good reason).
+ 
+ This project uses [Semantic Versioning 2.0.0](http://semver.org).  Accepted pull
+@@ -125,8 +125,8 @@ requests will land on `main`.  Periodically, versions will be tagged from
+ `main`.  You can find all the releases on [the project releases
+ page](https://github.com/golang-jwt/jwt/releases).
+ 
+-**BREAKING CHANGES:*** A full list of breaking changes is available in
+-`VERSION_HISTORY.md`.  See `MIGRATION_GUIDE.md` for more information on updating
++**BREAKING CHANGES:** A full list of breaking changes is available in
++`VERSION_HISTORY.md`.  See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating
+ your code.
+ 
+ ## Extensions
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
+index b08402c..2740597 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
++++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
+@@ -2,11 +2,11 @@
+ 
+ ## Supported Versions
+ 
+-As of February 2022 (and until this document is updated), the latest version `v4` is supported.
++As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`.
+ 
+ ## Reporting a Vulnerability
+ 
+-If you think you found a vulnerability, and even if you are not sure, please report it to jwt-go-security@googlegroups.com or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s).
++If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s).
+ 
+ You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
+ 
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+index ca85659..c929e4a 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+@@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
+ 	case *ecdsa.PublicKey:
+ 		ecdsaKey = k
+ 	default:
+-		return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType)
++		return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
+ 	}
+ 
+ 	if len(sig) != 2*m.KeySize {
+@@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
+ 	case *ecdsa.PrivateKey:
+ 		ecdsaKey = k
+ 	default:
+-		return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType)
++		return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
+ 	}
+ 
+ 	// Create the hasher
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+index 96c6272..aca600c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+@@ -91,7 +91,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
+ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
+ 	if keyBytes, ok := key.([]byte); ok {
+ 		if !m.Hash.Available() {
+-			return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
++			return nil, ErrHashUnavailable
+ 		}
+ 
+ 		hasher := hmac.New(m.Hash.New, keyBytes)
+@@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte,
+ 		return hasher.Sum(nil), nil
+ 	}
+ 
+-	return nil, ErrInvalidKeyType
++	return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
+ }
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+index ecf99af..054c7eb 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+@@ -8,6 +8,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	validMethods []string
+@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (since it has already
+ // been or will be checked elsewhere in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 	return token, parts, nil
+ }
+ 
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
++
+ // DecodeSegment decodes a JWT specific base64url encoding. This function will
+ // take into account whether the [Parser] is configured with additional options,
+ // such as [WithStrictDecoding] or [WithPaddingAllowed].
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go
+index 352873a..9c7f4ab 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/token.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/token.go
+@@ -75,7 +75,7 @@ func (t *Token) SignedString(key interface{}) (string, error) {
+ }
+ 
+ // SigningString generates the signing string.  This is the most expensive part
+-// of the whole deal.  Unless you need this for something special, just go
++// of the whole deal. Unless you need this for something special, just go
+ // straight for the SignedString.
+ func (t *Token) SigningString() (string, error) {
+ 	h, err := json.Marshal(t.Header)
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 35d0433..f49c006 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -568,10 +568,10 @@ github.com/gogo/protobuf/proto
+ # github.com/golang-jwt/jwt v3.2.2+incompatible
+ ## explicit
+ github.com/golang-jwt/jwt
+-# github.com/golang-jwt/jwt/v4 v4.5.0
++# github.com/golang-jwt/jwt/v4 v4.5.2
+ ## explicit; go 1.16
+ github.com/golang-jwt/jwt/v4
+-# github.com/golang-jwt/jwt/v5 v5.2.0
++# github.com/golang-jwt/jwt/v5 v5.2.2
+ ## explicit; go 1.18
+ github.com/golang-jwt/jwt/v5
+ # github.com/golang/glog v1.1.2

SPECS/osbuild-composer.spec

@@ -7,9 +7,12 @@
 # This is used internally during nightly pipeline testing!
 %bcond_with relax_requires
 
+# The minimum required osbuild version
+%global min_osbuild_version 109
+
 %global goipath         github.com/osbuild/osbuild-composer
 
-Version:        75
+Version:        101
 
 %gometa
 
@@ -22,7 +25,7 @@ It is compatible with composer-cli and cockpit-composer clients.
 }
 
 Name:           osbuild-composer
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        An image building service based on osbuild
 
 # osbuild-composer doesn't have support for building i686 and armv7hl images
@@ -33,6 +36,7 @@ License:        Apache-2.0
 URL:            %{gourl}
 Source0:        %{gosource}
 
+Patch0:         CVE-2025-30204.patch
 
 BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 BuildRequires:  systemd
@@ -42,9 +46,13 @@ BuildRequires:  make
 # Build requirements of 'theproglottis/gpgme' package
 BuildRequires:  gpgme-devel
 BuildRequires:  libassuan-devel
+# Build requirements of 'github.com/containers/storage' package
+BuildRequires:  device-mapper-devel
 %if 0%{?fedora}
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  git
+# Build requirements of 'github.com/containers/storage' package
+BuildRequires:  btrfs-progs-devel
 # DO NOT REMOVE the BUNDLE_START and BUNDLE_END markers as they are used by 'tools/rpm_spec_add_provides_bundle.sh' to generate the Provides: bundled list
 # BUNDLE_START
 # BUNDLE_END
@@ -78,6 +86,16 @@ export PATH=$PWD/_bin${PATH:+:$PATH}
 export GOPATH=$GO_BUILD_PATH:%{gopath}
 export GOFLAGS+=" -mod=vendor"
 %endif
+%if 0%{?fedora}
+# Fedora disables Go modules by default, but we want to use them.
+# Undefine the macro which disables it to use the default behavior.
+%undefine gomodulesmode
+%endif
+
+# btrfs-progs-devel is not available on RHEL
+%if 0%{?rhel}
+GOTAGS="exclude_graphdriver_btrfs"
+%endif
 
 # Set the commit hash so that composer can report what source version
 # was used to build it. This has to be set explicitly when calling rpmbuild,
@@ -87,8 +105,10 @@ export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/comm
 %endif
 export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/common.RpmVersion=%{name}-%{?epoch:%epoch:}%{version}-%{release}.%{_arch}'"
 
-%gobuild -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer
-%gobuild -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker
+%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer
+%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker
+%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-manager %{goipath}/cmd/osbuild-jobsite-manager
+%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-builder %{goipath}/cmd/osbuild-jobsite-builder
 
 make man
 
@@ -107,16 +127,15 @@ export GOPATH=%{gobuilddir}:%{gopath}
 
 TEST_LDFLAGS="${LDFLAGS:-} -B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')"
 
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-cli-tests %{goipath}/cmd/osbuild-composer-cli-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-dnf-json-tests %{goipath}/cmd/osbuild-dnf-json-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-weldr-tests %{goipath}/internal/client/
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-image-tests %{goipath}/cmd/osbuild-image-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-auth-tests %{goipath}/cmd/osbuild-auth-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-koji-tests %{goipath}/cmd/osbuild-koji-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-dbjobqueue-tests %{goipath}/cmd/osbuild-composer-dbjobqueue-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-manifest-tests %{goipath}/cmd/osbuild-composer-manifest-tests
-go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-service-maintenance-tests %{goipath}/cmd/osbuild-service-maintenance
-go build -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-mock-openid-provider %{goipath}/cmd/osbuild-mock-openid-provider
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-cli-tests %{goipath}/cmd/osbuild-composer-cli-tests
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-dnf-json-tests %{goipath}/cmd/osbuild-dnf-json-tests
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-weldr-tests %{goipath}/internal/client/
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-image-tests %{goipath}/cmd/osbuild-image-tests
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-auth-tests %{goipath}/cmd/osbuild-auth-tests
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-koji-tests %{goipath}/cmd/osbuild-koji-tests
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-dbjobqueue-tests %{goipath}/cmd/osbuild-composer-dbjobqueue-tests
+go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-service-maintenance-tests %{goipath}/cmd/osbuild-service-maintenance
+go build -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-mock-openid-provider %{goipath}/cmd/osbuild-mock-openid-provider
 
 %endif
 
@@ -124,7 +143,8 @@ go build -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-mock-openi
 install -m 0755 -vd                                                %{buildroot}%{_libexecdir}/osbuild-composer
 install -m 0755 -vp _bin/osbuild-composer                          %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-worker                            %{buildroot}%{_libexecdir}/osbuild-composer/
-install -m 0755 -vp dnf-json                                       %{buildroot}%{_libexecdir}/osbuild-composer/
+install -m 0755 -vp _bin/osbuild-jobsite-manager                   %{buildroot}%{_libexecdir}/osbuild-composer/
+install -m 0755 -vp _bin/osbuild-jobsite-builder                   %{buildroot}%{_libexecdir}/osbuild-composer/
 
 # Only include repositories for the distribution and release
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/osbuild-composer/repositories
@@ -180,7 +200,6 @@ install -m 0755 -vp _bin/osbuild-image-tests                       %{buildroot}%
 install -m 0755 -vp _bin/osbuild-auth-tests                        %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-koji-tests                        %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-composer-dbjobqueue-tests         %{buildroot}%{_libexecdir}/osbuild-composer-test/
-install -m 0755 -vp _bin/osbuild-composer-manifest-tests           %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-service-maintenance-tests         %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-mock-openid-provider              %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/define-compose-url.sh                    %{buildroot}%{_libexecdir}/osbuild-composer-test/
@@ -196,7 +215,6 @@ install -m 0755 -vp tools/generic_s3_test.sh                       %{buildroot}%
 install -m 0755 -vp tools/generic_s3_https_test.sh                 %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/run-mock-auth-servers.sh                 %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/set-env-variables.sh                     %{buildroot}%{_libexecdir}/osbuild-composer-test/
-install -m 0755 -vp tools/test-case-generators/generate-test-cases %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vd                                                %{buildroot}%{_libexecdir}/tests/osbuild-composer
 install -m 0755 -vp test/cases/*.sh                                %{buildroot}%{_libexecdir}/tests/osbuild-composer/
 
@@ -251,7 +269,7 @@ install -m 0644 -vp test/data/upgrade8to9/*                       %{buildroot}%{
 %check
 export GOFLAGS="-buildmode=pie"
 %if 0%{?rhel}
-export GOFLAGS+=" -mod=vendor"
+export GOFLAGS+=" -mod=vendor -tags=exclude_graphdriver_btrfs"
 export GOPATH=$PWD/_build:%{gopath}
 # cd inside GOPATH, otherwise go with GO111MODULE=off ignores vendor directory
 cd $PWD/_build/src/%{goipath}
@@ -261,13 +279,13 @@ cd $PWD/_build/src/%{goipath}
 %endif
 
 %post
-%systemd_post osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-remote-worker.socket
+%systemd_post osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
 
 %preun
-%systemd_preun osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-remote-worker.socket
+%systemd_preun osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
 
 %postun
-%systemd_postun_with_restart osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-remote-worker.socket
+%systemd_postun_with_restart osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
 
 %files
 %license LICENSE
@@ -276,13 +294,16 @@ cd $PWD/_build/src/%{goipath}
 %{_unitdir}/osbuild-composer.service
 %{_unitdir}/osbuild-composer.socket
 %{_unitdir}/osbuild-composer-api.socket
+%{_unitdir}/osbuild-composer-prometheus.socket
 %{_unitdir}/osbuild-local-worker.socket
 %{_unitdir}/osbuild-remote-worker.socket
 %{_sysusersdir}/osbuild-composer.conf
 
 %package core
 Summary:    The core osbuild-composer binary
-Requires:   %{name}-dnf-json = %{version}-%{release}
+Requires:   osbuild-depsolve-dnf >= %{min_osbuild_version}
+Provides:   %{name}-dnf-json = %{version}-%{release}
+Obsoletes:  %{name}-dnf-json < %{version}-%{release}
 
 %description core
 The core osbuild-composer binary. This is suitable both for spawning in containers and by systemd.
@@ -295,17 +316,21 @@ The core osbuild-composer binary. This is suitable both for spawning in containe
 Summary:    The worker for osbuild-composer
 Requires:   systemd
 Requires:   qemu-img
-Requires:   osbuild >= 80
-Requires:   osbuild-ostree >= 80
-Requires:   osbuild-lvm2 >= 80
-Requires:   osbuild-luks2 >= 80
-Requires:   %{name}-dnf-json = %{version}-%{release}
+Requires:   osbuild >= %{min_osbuild_version}
+Requires:   osbuild-ostree >= %{min_osbuild_version}
+Requires:   osbuild-lvm2 >= %{min_osbuild_version}
+Requires:   osbuild-luks2 >= %{min_osbuild_version}
+Requires:   osbuild-depsolve-dnf >= %{min_osbuild_version}
+Provides:   %{name}-dnf-json = %{version}-%{release}
+Obsoletes:  %{name}-dnf-json < %{version}-%{release}
 
 %description worker
 The worker for osbuild-composer
 
 %files worker
 %{_libexecdir}/osbuild-composer/osbuild-worker
+%{_libexecdir}/osbuild-composer/osbuild-jobsite-manager
+%{_libexecdir}/osbuild-composer/osbuild-jobsite-builder
 %{_unitdir}/osbuild-worker@.service
 %{_unitdir}/osbuild-remote-worker@.service
 
@@ -327,25 +352,6 @@ fi
 # restart all the worker services
 %systemd_postun_with_restart "osbuild-worker@*.service" "osbuild-remote-worker@*.service"
 
-%package dnf-json
-Summary: The dnf-json binary used by osbuild-composer and the workers
-
-# Conflicts with older versions of composer that provide the same files
-# this can be removed when RHEL 8 reaches EOL
-Conflicts: osbuild-composer <= 35
-
-%description dnf-json
-The dnf-json binary used by osbuild-composer and the workers.
-
-%files dnf-json
-%{_libexecdir}/osbuild-composer/dnf-json
-
-%post dnf-json
-# Fix ownership of the rpmmd cache files from previous versions where it was owned by root:root
-if [ -e /var/cache/osbuild-composer/rpmmd ]; then
-    chown -f -R --from root:root _osbuild-composer:_osbuild-composer /var/cache/osbuild-composer/rpmmd
-fi
-
 %if %{with tests} || 0%{?rhel}
 
 %package tests
@@ -417,6 +423,79 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 %endif
 
 %changelog
+* Tue Apr 22 2025 Tomáš Hozza <thozza@redhat.com> - 101-3
+- Resolve RHEL-84643 (CVE-2025-30204)
+
+* Wed Sep 25 2024 Tomáš Hozza <thozza@redhat.com> - 101-2
+- Rebuilt to fix:
+  - CVE-2024-34156
+  - CVE-2024-1394
+  - RHEL-24303
+  - RHEL-57905
+
+* Mon Feb 26 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 101-1
+- New upstream release
+
+* Wed Feb 07 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 100-1
+- New upstream release
+
+* Wed Jan 24 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 99-1
+- New upstream release
+
+* Wed Jan 10 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 98-1
+- New upstream release
+
+* Wed Dec 13 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 96-1
+- New upstream release
+
+* Wed Nov 29 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 95-1
+- New upstream release
+
+* Wed Nov 15 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 94-1
+- New upstream release
+
+* Wed Nov 01 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 93-1
+- New upstream release
+
+* Wed Oct 18 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 92-1
+- New upstream release
+
+* Wed Oct 04 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 91-1
+- New upstream release
+
+* Thu Sep 21 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 90-1
+- New upstream release
+
+* Wed Sep 06 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 89-1
+- New upstream release
+
+* Thu Aug 24 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 88-1
+- New upstream release
+
+* Wed Aug 09 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 87-1
+- New upstream release
+
+* Wed Jul 26 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 86-1
+- New upstream release
+
+* Fri Jul 14 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 85-1
+- New upstream release
+
+* Wed Jun 14 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 84-1
+- New upstream release
+
+* Wed May 17 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 82-1
+- New upstream release
+
+* Wed Apr 19 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 80-1
+- New upstream release
+
+* Wed Apr 05 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 79-1
+- New upstream release
+
+* Wed Mar 08 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 77-1
+- New upstream release
+
 * Wed Feb 22 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 75-1
 - New upstream release