2025-10-07 08:18:52 +00:00
7 changed files with 62 additions and 25 deletions
--- a/90-default.preset
+++ b/90-default.preset
@ -56,7 +56,7 @@ enable avahi-daemon.*
 enable cups.socket
 enable cups.path

-# RHELBLD-15232: We need the full service enabled to act as a print server
+# RHEL-37762: We need the full service enabled to act as a print server
 enable cups.service

 # The various syslog implementations
@ -360,6 +360,10 @@ enable device_cio_free.service
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630514
 enable stratisd.service

+# nvme auto connect
+# RHEL-76850
+enable nvmefc-boot-connections.service
+
 # Enable a service to finalize staged OSTree changes at shutdown
 # https://bugzilla.redhat.com/show_bug.cgi?id=1639372
 enable ostree-finalize-staged.path
@ -419,9 +423,9 @@ enable thermald.service
 # https://pagure.io/fesco/issue/2457
 enable uresourced.service

-# enable power-profiles-daemon
-# https://pagure.io/fedora-workstation/issue/191
-enable power-profiles-daemon.service
+# enable tuned-ppd.service
+# https://issues.redhat.com/browse/RHEL-68853
+enable tuned-ppd.service

 # Enable clevis-luks-askpass.path
 # https://bugzilla.redhat.com/show_bug.cgi?id=2101719
@ -465,3 +469,6 @@ enable cockpit.socket

 # https://fedoraproject.org/wiki/Changes/EnableFwupdRefreshByDefault
 enable fwupd-refresh.timer
+
+# RHEL-67012
+enable fips-crypto-policy-overlay.service
--- a/almalinux-crb.repo
+++ b/almalinux-crb.repo
@ -2,7 +2,7 @@
 name=AlmaLinux $releasever - CRB
 mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/crb
 # baseurl=https://repo.almalinux.org/almalinux/$releasever/CRB/$basearch/os/
-enabled=0
+enabled=1
 gpgcheck=1
 countme=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-10
--- a/almalinux-release.spec
+++ b/almalinux-release.spec
@ -3,12 +3,12 @@
 %global major   10
 %global minor   0
 %global eol_date 2035-06-01
-%global beta Beta

 Name:           almalinux-release
 Version:        %{major}.%{minor}
-Release:        14.4%{?dist}
+Release:        32%{?dist}
 Summary:        %{distro} release files
+Group:          System Environment/Base
 License:        GPL-2.0-or-later
 URL:            https://almalinux.org

@ -30,7 +30,8 @@ Provides:       redhat-release = %{version}-%{release}
 # https://github.com/rpm-software-management/dnf/blob/4.2.23/dnf/const.py.in#L26
 Provides:       system-release = %{version}-%{release}
 Provides:       system-release(releasever) = %{major}
-Conflicts:      system-release
+Provides:       system-release(releasever_major) = %{major}
+Provides:       system-release(releasever_minor) = %{minor}

 # required by libdnf
 # https://github.com/rpm-software-management/libdnf/blob/0.48.0/libdnf/module/ModulePackage.cpp#L472
@ -45,7 +46,15 @@ Source302:      90-default-user.preset
 Source303:      99-default-disable.preset
 Source304:      50-redhat.conf

-Source400:      alsecureboot001.cer
+Source400:      alsecurebootca1.cer
+# kernel signing certificate
+Source401:      alsecureboot1.cer
+# grub2 signing certificate
+Source402:      alsecureboot1.cer
+# Fwupd signing certificate
+Source403:      alsecureboot1.cer
+# UKI signing certificate
+Source404:      alsecureboot1.cer

 Source500:      almalinux-appstream.repo
 Source501:      almalinux-baseos.repo
@ -60,6 +69,8 @@ Source511:      almalinux-rt.repo

 Source600:      RPM-GPG-KEY-AlmaLinux-10

+Source700:      macros.x86_64_v2
+
 %package -n almalinux-sb-certs
 Summary: %{distro} public secureboot certificates
 Group: System Environment/Base
@ -186,6 +197,13 @@ cat > %{buildroot}%{_rpmmacrodir}/macros.dist << EOF
 %%dist_bug_report_url %{dist_bug_report_url}
 EOF

+# make almalinux-release a protected package
+install -p -d -m 755 %{buildroot}%{_sysconfdir}/dnf/protected.d/
+touch almalinux-release.conf
+echo almalinux-release > almalinux-release.conf
+install -p -c -m 0644 almalinux-release.conf %{buildroot}%{_sysconfdir}/dnf/protected.d/
+rm -f almalinux-release.conf
+
 # use unbranded datadir
 install -d -m 0755 %{buildroot}%{_datadir}/almalinux-release
 ln -s almalinux-release %{buildroot}%{_datadir}/redhat-release
@ -216,29 +234,29 @@ install -d -m 0755 %{buildroot}%{_datadir}/pki/sb-certs/

 # Install aarch64 certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-aarch64.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-aarch64.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-aarch64.cer
+install -m 644 %{SOURCE403} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-aarch64.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-aarch64.cer


 # Install x86_64 certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-x86_64.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer
+install -m 644 %{SOURCE403} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-x86_64.cer

 # Install ppc64le certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-ppc64le.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-ppc64le.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-ppc64le.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-ppc64le.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-ppc64le.cer

 # Install s390x certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-s390x.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-s390x.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-s390x.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-s390x.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-s390x.cer

 # Link x86_64 certs
 ln -sr %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer %{buildroot}%{_sysconfdir}/pki/sb-certs/secureboot-ca-x86_64.cer
@ -274,7 +292,6 @@ install -p -m 0644 %{SOURCE503} %{buildroot}%{_sysconfdir}/yum.repos.d/
 install -p -m 0644 %{SOURCE504} %{buildroot}%{_sysconfdir}/yum.repos.d/
 install -p -m 0644 %{SOURCE505} %{buildroot}%{_sysconfdir}/yum.repos.d/
 install -p -m 0644 %{SOURCE506} %{buildroot}%{_sysconfdir}/yum.repos.d/
-install -p -m 0644 %{SOURCE507} %{buildroot}%{_sysconfdir}/yum.repos.d/
 # RT and NFV are only for x86_64
 %ifarch x86_64
 install -p -m 0644 %{SOURCE510} %{buildroot}%{_sysconfdir}/yum.repos.d/
@ -304,8 +321,7 @@ install -p -m 0644 %{SOURCE600} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
 # These variables should be set in the build environment to change rpm names
 mkdir -p %{buildroot}%{_sysconfdir}/rpm
 %ifarch x86_64_v2
-echo '%%_target_platform x86_64-%%{_vendor}-%%{_target_os}%%{?_gnu}' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
-echo '%%x86_64_v2 1' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
+install -p -m 0644 %{SOURCE700}  %{buildroot}%{_sysconfdir}/rpm/
 %endif


@ -319,6 +335,7 @@ echo '%%x86_64_v2 1' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
 %config(noreplace) %{_sysconfdir}/issue
 %config(noreplace) %{_sysconfdir}/issue.net
 %dir %{_sysconfdir}/issue.d
+%{_sysconfdir}/dnf/protected.d/almalinux-release.conf
 %dir %{_sysconfdir}/yum.repos.d
 %ghost %{_sysconfdir}/yum.repos.d/redhat.repo
 %{_rpmmacrodir}/macros.dist
@ -358,5 +375,14 @@ echo '%%x86_64_v2 1' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
 %{_sysconfdir}/pki/rpm-gpg

 %changelog
+* Tue Sep 09 2025 Eduard Abdullin <eabdullin@almalinux.org> - 10.0-32
+- Redefine __cflags_arch_x86_64_level and __cflags_arch_x86_64 macroses for x86_64_v2
+
+* Thu May 29 2025 Neal Gompa <ngompa@almalinux.org> - 10.0-31
+- Enable CRB repository by default
+
+* Mon May 19 2025 Eduard Abdullin <eabdullin@almalinux.org> - 10.0-30
+- 10.0 stable release
+
 * Mon Nov 25 2024 Eduard Abdullin <eabdullin@almalinux.org> - 10.0-14.4
 - Initial release
--- a/alsecureboot001.cer
+++ b/alsecureboot001.cer
--- a/alsecureboot1.cer
+++ b/alsecureboot1.cer
--- a/alsecurebootca1.cer
+++ b/alsecurebootca1.cer
--- a/macros.x86_64_v2
+++ b/macros.x86_64_v2
@ -0,0 +1,4 @@
+%_target_platform x86_64-%{_vendor}-%{_target_os}%{?_gnu}
+%x86_64_v2 1
+%__cflags_arch_x86_64_level %[0%{?x86_64_v2} ? "-v2" : ""]%[ (!0%{?x86_64_v2} && 0%{?rhel} == 9) ? "-v2" : ""]%[ (!0%{?x86_64_v2} && 0%{?rhel} > 9) ? "-v3" : ""]
+%__cflags_arch_x86_64 -march=x86-64%{?__cflags_arch_x86_64_level:%{__cflags_arch_x86_64_level}}