import UBI containers-common-1-135.el9_7

SOURCES/002-rhel-shortnames-overrides.conf

@@ -1,10 +1,22 @@
 [aliases]
-"skopeo"  = "registry.access.redhat.com/ubi8/skopeo"
-"ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
-"rhel9/skopeo" = "registry.redhat.io/rhel9/skopeo"
-"buildah" = "registry.access.redhat.com/ubi8/buildah"
-"ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
+"buildah" = "registry.access.redhat.com/ubi10/buildah"
+"podman" = "registry.access.redhat.com/ubi10/podman"
+"skopeo"  = "registry.access.redhat.com/ubi10/skopeo"
+"rhel8/buildah" = "registry.redhat.io/rhel8/buildah"
+"rhel8/podman" = "registry.redhat.io/rhel8/podman"
+"rhel8/skopeo" = "registry.redhat.io/rhel8/skopeo"
 "rhel9/buildah" = "registry.redhat.io/rhel9/buildah"
-"podman" = "registry.access.redhat.com/ubi8/podman"
-"ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
 "rhel9/podman" = "registry.redhat.io/rhel9/podman"
+"rhel9/skopeo" = "registry.redhat.io/rhel9/skopeo"
+"rhel10/buildah" = "registry.redhat.io/rhel10/buildah"
+"rhel10/podman" = "registry.redhat.io/rhel10/podman"
+"rhel10/skopeo" = "registry.redhat.io/rhel10/skopeo"
+"ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
+"ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
+"ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
+"ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
+"ubi9/podman" = "registry.access.redhat.com/ubi9/podman"
+"ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
+"ubi10/buildah" = "registry.access.redhat.com/ubi10/buildah"
+"ubi10/podman" = "registry.access.redhat.com/ubi10/podman"
+"ubi10/skopeo" = "registry.access.redhat.com/ubi10/skopeo"

SOURCES/RPM-GPG-KEY-redhat-release

@@ -37,30 +37,30 @@ dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
 -----END PGP PUBLIC KEY BLOCK-----
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mQINBGIpIp4BEAC/o5e1WzLIsS6/JOQCs4XYATYTcf6B6ALzcP05G0W3uRpUQSrL
-FRKNrU8ZCelm/B+XSh2ljJNeklp2WLxYENDOsftDXGoyLr2hEkI5OyK267IHhFNJ
-g+BN+T5Cjh4ZiiWij6o9F7x2ZpxISE9M4iI80rwSv1KOnGSw5j2zD2EwoMjTVyVE
-/t3s5XJxnDclB7ZqL+cgjv0mWUY/4+b/OoRTkhq7b8QILuZp75Y64pkrndgakm1T
-8mAGXV02mEzpNj9DyAJdUqa11PIhMJMxxHOGHJ8CcHZ2NJL2e7yJf4orTj+cMhP5
-LzJcVlaXnQYu8Zkqa0V6J1Qdj8ZXL72QsmyicRYXAtK9Jm5pvBHuYU2m6Ja7dBEB
-Vkhe7lTKhAjkZC5ErPmANNS9kPdtXCOpwN1lOnmD2m04hks3kpH9OTX7RkTFUSws
-eARAfRID6RLfi59B9lmAbekecnsMIFMx7qR7ZKyQb3GOuZwNYOaYFevuxusSwCHv
-4FtLDIhk+Fge+EbPdEva+VLJeMOb02gC4V/cX/oFoPkxM1A5LHjkuAM+aFLAiIRd
-Np/tAPWk1k6yc+FqkcDqOttbP4ciiXb9JPtmzTCbJD8lgH0rGp8ufyMXC9x7/dqX
-TjsiGzyvlMnrkKB4GL4DqRFl8LAR02A3846DD8CAcaxoXggL2bJCU2rgUQARAQAB
-tDVSZWQgSGF0LCBJbmMuIChhdXhpbGlhcnkga2V5IDMpIDxzZWN1cml0eUByZWRo
-YXQuY29tPokCUgQTAQgAPBYhBH5GJCWMQGU11W1vE1BU5KRaY0CzBQJiKSKeAhsD
-BQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBQVOSkWmNAsyBfEACuTN/X
-YR+QyzeRw0pXcTvMqzNE4DKKr97hSQEwZH1/v1PEPs5O3psuVUm2iam7bqYwG+ry
-EskAgMHi8AJmY0lioQD5/LTSLTrM8UyQnU3g17DHau1NHIFTGyaW4a7xviU4C2+k
-c6X0u1CPHI1U4Q8prpNcfLsldaNYlsVZtUtYSHKPAUcswXWliW7QYjZ5tMSbu8jR
-OMOc3mZuf0fcVFNu8+XSpN7qLhRNcPv+FCNmk/wkaQfH4Pv+jVsOgHqkV3aLqJeN
-kNUnpyEKYkNqo7mNfNVWOcl+Z1KKKwSkIi3vg8maC7rODsy6IX+Y96M93sqYDQom
-aaWue2gvw6thEoH4SaCrCL78mj2YFpeg1Oew4QwVcBnt68KOPfL9YyoOicNs4Vuu
-fb/vjU2ONPZAeepIKA8QxCETiryCcP43daqThvIgdbUIiWne3gae6eSj0EuUPoYe
-H5g2Lw0qdwbHIOxqp2kvN96Ii7s1DK3VyhMt/GSPCxRnDRJ8oQKJ2W/I1IT5VtiU
-zMjjq5JcYzRPzHDxfVzT9CLeU/0XQ+2OOUAiZKZ0dzSyyVn8xbpviT7iadvjlQX3
-CINaPB+d2Kxa6uFWh+ZYOLLAgZ9B8NKutUHpXN66YSfe79xFBSFWKkJ8cSIMk13/
-Ifs7ApKlKCCRDpwoDqx/sjIaj1cpOfLHYjnefg==
-=UZd/
+mQINBFsy23UBEACUKSphFEIEvNpy68VeW4Dt6qv+mU6am9a2AAl10JANLj1oqWX+
+oYk3en1S6cVe2qehSL5DGVa3HMUZkP3dtbD4SgzXzxPodebPcr4+0QNWigkUisri
+XGL5SCEcOP30zDhZvg+4mpO2jMi7Kc1DLPzBBkgppcX91wa0L1pQzBcvYMPyV/Dh
+KbQHR75WdkP6OA2JXdfC94nxYq+2e0iPqC1hCP3Elh+YnSkOkrawDPmoB1g4+ft/
+xsiVGVy/W0ekXmgvYEHt6si6Y8NwXgnTMqxeSXQ9YUgVIbTpsxHQKGy76T5lMlWX
+4LCOmEVomBJg1SqF6yi9Vu8TeNThaDqT4/DddYInd0OO69s0kGIXalVgGYiW2HOD
+x2q5R1VGCoJxXomz+EbOXY+HpKPOHAjU0DB9MxbU3S248LQ69nIB5uxysy0PSco1
+sdZ8sxRNQ9Dw6on0Nowx5m6Thefzs5iK3dnPGBqHTT43DHbnWc2scjQFG+eZhe98
+Ell/kb6vpBoY4bG9/wCG9qu7jj9Z+BceCNKeHllbezVLCU/Hswivr7h2dnaEFvPD
+O4GqiWiwOF06XaBMVgxA8p2HRw0KtXqOpZk+o+sUvdPjsBw42BB96A1yFX4jgFNA
+PyZYnEUdP6OOv9HSjnl7k/iEkvHq/jGYMMojixlvXpGXhnt5jNyc4GSUJQARAQAB
+tDNSZWQgSGF0LCBJbmMuIChhdXhpbGlhcnkga2V5KSA8c2VjdXJpdHlAcmVkaGF0
+LmNvbT6JAjkEEwECACMFAlsy23UCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
+gAAKCRD3b2bD1AgnknqOD/9fB2ASuG2aJIiap4kK58R+RmOVM4qgclAnaG57+vjI
+nKvyfV3NH/keplGNRxwqHekfPCqvkpABwhdGEXIE8ILqnPewIMr6PZNZWNJynZ9i
+eSMzVuCG7jDoGyQ5/6B0f6xeBtTeBDiRl7+Alehet1twuGL1BJUYG0QuLgcEzkaE
+/gkuumeVcazLzz7L12D22nMk66GxmgXfqS5zcbqOAuZwaA6VgSEgFdV2X2JU79zS
+BQJXv7NKc+nDXFG7M7EHjY3Rma3HXkDbkT8bzh9tJV7Z7TlpT829pStWQyoxKCVq
+sEX8WsSapTKA3P9YkYCwLShgZu4HKRFvHMaIasSIZWzLu+RZH/4yyHOhj0QB7XMY
+eHQ6fGSbtJ+K6SrpHOOsKQNAJ0hVbSrnA1cr5+2SDfel1RfYt0W9FA6DoH/S5gAR
+dzT1u44QVwwp3U+eFpHphFy//uzxNMtCjjdkpzhYYhOCLNkDrlRPb+bcoL/6ePSr
+016PA7eEnuC305YU1Ml2WcCn7wQV8x90o33klJmEkWtXh3X39vYtI4nCPIvZn1eP
+Vy+F+wWt4vN2b8oOdlzc2paOembbCo2B+Wapv5Y9peBvlbsDSgqtJABfK8KQq/jK
+Yl3h5elIa1I3uNfczeHOnf1enLOUOlq630yeM/yHizz99G1g+z/guMh5+x/OHraW
+iA==
+=+Gxh
 -----END PGP PUBLIC KEY BLOCK-----

SOURCES/containers-policy.json.5.md

@@ -160,16 +160,6 @@ The _reference_ annotation value, if any, is not used.
 - The top-level scope `"/"` is forbidden; use the transport default scope `""`,
   for consistency with other transports.
 
-### `ostree`:
-
-Supported scopes have the form _repo-path_`:`_image-scope_; _repo_path_ is the path to the OSTree repository.
-
-_image-scope_ is the _docker_reference_ part of the reference, with with a `:latest` tag implied if no tag is present,
-and parent namespaces of the _docker_reference_ value (by omitting the tag, or a prefix specifying a higher-level namespace).
-
-*Note:*
-- The _repo_path_ must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
-
 ### `sif:`
 
 Supported scopes are paths to Singularity images, and their parent directories
@@ -329,6 +319,14 @@ This requirement requires an image to be signed using a sigstore signature with
         "oidcIssuer": "https://expected.OIDC.issuer/",
         "subjectEmail", "expected-signing-user@example.com",
     },
+    "pki": {
+        "caRootsPath": "/path/to/local/CARoots/file",
+        "caRootsData": "base64-encoded-CARoots-data",
+        "caIntermediatesPath": "/path/to/local/CAIntermediates/file",
+        "caIntermediatesData": "base64-encoded-CAIntermediates-data",
+        "subjectHostname": "expected-signing-hostname.example.com",
+        "subjectEmail": "expected-signing-user@example.com"
+    },
     "rekorPublicKeyPath": "/path/to/local/public/key/file",
     "rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"],
     "rekorPublicKeyData": "base64-encoded-public-key-data",
@@ -336,7 +334,7 @@ This requirement requires an image to be signed using a sigstore signature with
     "signedIdentity": identity_requirement
 }
 ```
-Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas` and `fulcio` must be present.
+Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas`, `fulcio` and `pki` must be present.
 
 If `keyPath` or `keyData` is present, it contains a sigstore public key.
 Only signatures made by this key are accepted.
@@ -350,6 +348,11 @@ Both `oidcIssuer` and `subjectEmail` are mandatory,
 exactly specifying the expected identity provider,
 and the identity of the user obtaining the Fulcio certificate.
 
+If `pki` is present, the signature must be based on a non-Fulcio X.509 certificate.
+One of `caRootsPath` and `caRootsData` must be specified, containing certificates of the CAs.
+Only one of `caIntermediatesPath` and `caIntermediatesData` can be present, containing certificates of the intermediate CAs.
+One of `subjectEmail` and `subjectHostname` must be specified, exactly specifying the expected identity to which the certificate was issued.
+
 At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present;
 it is mandatory if `fulcio` is specified.
 If a Rekor public key is specified,
@@ -407,6 +410,18 @@ selectively allow individual transports and scopes as desired.
                     "rekorPublicKeyPath": "/path/to/rekor.pub",
                 }
             ],
+            /* A Sigstore-signed repository using a certificate generated by a custom public-key infrastructure.*/
+            "hostname:5000/myns/sigstore-signed-byopki": [
+                {
+                    "type": "sigstoreSigned",
+                    "pki": {
+                        "caRootsPath": "/path/to/pki_root_crts.pem",
+                        "caIntermediatesPath": "/path/to/pki_intermediate_crts.pem",
+                        "subjectHostname": "test-user.example.com"
+                        "subjectEmail": "test-user@example.com"
+                    }
+                }
+            ],
             /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
             "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
                 {

SOURCES/containers-transports.5.md

@@ -77,7 +77,6 @@ An image in a directory structure compliant with the "Open Container Image Layou
 
 The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
 The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
-If _reference_ is not specified when reading an image, the directory must contain exactly one image.
 For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images).
 If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image.
 
@@ -92,11 +91,6 @@ The _path_ value terminates at the first `:` character; any further `:` characte
 The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
 If _reference_ is not specified when reading an archive, the archive must contain exactly one image.
 
-### **ostree:**_docker-reference_[`@`_/absolute/repo/path_]
-
-An image in the local ostree(1) repository.
-_/absolute/repo/path_ defaults to `/ostree/repo`.
-
 ### **sif:**_path_
 
 An image using the Singularity image format at _path_.
@@ -139,7 +133,7 @@ $ skopeo copy docker://docker.io/library/alpine:latest containers-storage:alpine
 
 ## SEE ALSO
 
-docker-login(1), docker-save(1), ostree(1), podman-login(1), skopeo-copy(1), skopeo-inspect(1), tar(1), container-registries.conf(5), containers-storage.conf(5)
+docker-login(1), docker-save(1), podman-login(1), skopeo-copy(1), skopeo-inspect(1), tar(1), container-registries.conf(5), containers-storage.conf(5)
 
 ## AUTHORS
 

SOURCES/containers.conf

@@ -236,13 +236,12 @@ default_sysctls = [
 #
 #mounts = []
 
-# Default way to to create a Network namespace for the container
-# Options are:
-# `private` Create private Network Namespace for the container.
-# `host`    Share host Network Namespace with the container.
-# `none`    Containers do not use the network
+# Default way to create a NET namespace for the container.
+# The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option.
+# For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the podman-create(1)
+# manual for all available options.
 #
-#netns = "private"
+#netns = ""
 
 # Do not modify the `/etc/hosts` file in the container. Podman assumes control
 # over the container's `/etc/hosts` file by default; refer to the `--add-host`
@@ -381,14 +380,17 @@ default_sysctls = [
 #firewall_driver = ""
 
 
-# The network name of the default network to attach pods to.
+# The name of the default network as seen in `podman network ls`. This option only effects the network assignment when
+# the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as
+# rootless. To change the default network mode use the **netns** option under the `[containers]` table.
+#
+# Note: This should not be changed while you have any containers using this network.
 #
 #default_network = "podman"
 
 # The default subnet for the default network given in default_network.
-# If a network with that name does not exist, a new network using that name and
-# this subnet will be created.
-# Must be a valid IPv4 CIDR prefix.
+#
+# Note: This should not be changed if any containers are currently running on the default network.
 #
 #default_subnet = "10.88.0.0/16"
 
@@ -586,6 +588,7 @@ default_sysctls = [
 #
 #cdi_spec_dirs = [
 #  "/etc/cdi",
+#  "/var/run/cdi",
 #]
 
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
@@ -898,7 +901,7 @@ runtime = "crun"
 # Linux:
 #    qemu    - Open source machine emulator and virtualizer. (Default)
 # Windows: there are currently two options:
-#    wsl     - Windows Subsystem for Linux (Default) 
+#    wsl     - Windows Subsystem for Linux (Default)
 #    hyperv  - Windows Server Virtualization
 # Mac: there are currently two options:
 #    applehv - Default Apple Hypervisor (Default)

SOURCES/containers.conf.5.md

@@ -29,6 +29,10 @@ Note, container engines also use other configuration files for configuring the e
 container images.
 * `policy.conf` for controlling which images can be pulled to the system.
 
+Note: If Podman is running in a virtual machine using `podman machine` (this
+includes Mac and Windows hosts), ensure that the configuration files are edited in the
+virtual machine by using `podman machine ssh`.
+
 ## ENVIRONMENT VARIABLES
 If the `CONTAINERS_CONF` environment variable is set, all system and user
 config files are ignored and only the specified config file will be loaded.
@@ -199,7 +203,12 @@ container. The special value “none” can be specified to disable creation of
 **env**=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
 
 Environment variable list for the container process, used for passing
-environment variables to the container.
+environment variables to the container. If a variable is listed without a value,
+the value is copied from the host environment.
+
+Note that this is only used when a container is created, not with subsequent
+commands like `podman exec`. This prevents variables in the config file from
+overwriting values specified on the command line when the container was created.
 
 **env_host**=false
 
@@ -217,11 +226,10 @@ setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
 Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
 
 Note: If Podman is running in a virtual machine using `podman machine` (this
-includes Mac and Windows hosts), Podman will silently skip adding the internal
-hostnames to `/etc/hosts`, unless an IP address was configured manually. The
-internal hostnames are resolved by the gvproxy DNS resolver instead. This config
-has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
-a manually configured IP address still takes precedence.
+includes Mac and Windows hosts), Podman resolves the `host.containers.internal`
+hostname via the podman machine (gvproxy) DNS resolver instead when it is empty.
+Also because the name will be resolved by the DNS name in gvproxy setting this
+to `none` has no effect. This option does not change the gvproxy behavior.
 
 Note: This config doesn't affect the actual network setup, it just tells Podman
 the IP address it should expect. Configuring an IP address here doesn't ensure
@@ -304,13 +312,12 @@ Specified as "type=TYPE,source=<directory-on-host>,destination=<directory-in-con
 
 Example:  [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ]
 
-**netns**="private"
+**netns**=""
 
 Default way to create a NET namespace for the container.
-Options are:
-  `private` Create private NET Namespace for the container.
-  `host`    Share host NET Namespace with the container.
-  `none`    Containers do not use the network.
+The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option.
+For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the [podman-create(1)](https://docs.podman.io/en/latest/markdown/podman-create.1.html#network-mode-net)
+manual for all available options.
 
 **no_hosts**=false
 
@@ -442,12 +449,17 @@ netavark_plugin_dirs = [
 
 **default_network**="podman"
 
-The network name of the default network to attach pods to.
+The name of the default network as seen in `podman network ls`. This option only effects the network assignment when
+the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as
+rootless. To change the default network mode use the **netns** option under the `[containers]` table.
+
+Note: This should not be changed while you have any containers using this network.
 
 **default_subnet**="10.88.0.0/16"
 
 The subnet to use for the default network (named above in **default_network**).
-If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
+
+Note: This should not be changed if any containers are currently running on the default network.
 
 **default_subnet_pools**=[]
 
@@ -683,7 +695,7 @@ The default path on Windows is:
 
 Path to the OCI hooks directories for automatically executed hooks.
 
-**cdi_spec_dirs**=["/etc/cdi", ...]
+**cdi_spec_dirs**=["/etc/cdi", "/var/run/cdi", ...]
 
 Directories to scan for CDI Spec files.
 

SOURCES/seccomp.json

@@ -152,6 +152,7 @@
 				"fadvise64",
 				"fadvise64_64",
 				"fallocate",
+				"fanotify_init",
 				"fanotify_mark",
 				"fchdir",
 				"fchmod",
@@ -692,7 +693,6 @@
 		{
 			"names": [
 				"bpf",
-				"fanotify_init",
 				"lookup_dcookie",
 				"quotactl",
 				"quotactl_fd",
@@ -712,7 +712,6 @@
 		},
 		{
 			"names": [
-				"fanotify_init",
 				"lookup_dcookie",
 				"perf_event_open",
 				"quotactl",

SOURCES/shortnames.conf

@@ -155,3 +155,9 @@
   "grafana/oncall" = "docker.io/grafana/oncall"
   "grafana/pyroscope" = "docker.io/grafana/pyroscope"
   "grafana/tempo" = "docker.io/grafana/tempo"
+  # curl
+  "curl" = "quay.io/curl/curl"
+  # nginx
+  "nginx" = "docker.io/library/nginx"
+  # QUBIP
+  "qubip/pq-container" = "quay.io/qubip/pq-container"

SOURCES/storage.conf

@@ -62,6 +62,7 @@ additionalimagestores = [
 # https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md
 # This is a "string bool": "false" | "true" (cannot be native TOML boolean)
 # enable_partial_images = "false"
+enable_partial_images = "false"
 
 # Tells containers/storage to use hard links rather then create new files in
 # the image, if an identical file already existed in storage.

SOURCES/update.sh

@@ -55,6 +55,7 @@ elif pwd | grep -e rhel-9 -e c9s > /dev/null
 then
 ensure registries.conf short-name-mode               \"enforcing\"
 ensure containers.conf runtime                       \"crun\"
+ensure storage.conf    enable_partial_images         \"false\"
 
 elif pwd | grep -e rhel-10 -e c10s > /dev/null
 then

SPECS/containers-common.spec

@@ -4,15 +4,15 @@
 # pick the oldest version on c/image, c/common, c/storage vendored in
 # podman/skopeo/podman.
 %global skopeo_branch main
-%global image_branch v5.34.0
-%global common_branch v0.62.0
-%global storage_branch v1.57.1
+%global image_branch v5.36.0
+%global common_branch v0.64.0
+%global storage_branch v1.59.0
 %global shortnames_branch main
 
-Epoch: 2
+Epoch: 4
 Name: containers-common
 Version: 1
-Release: 117%{?dist}
+Release: 135%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 ExclusiveArch: %{go_arches}
@@ -158,6 +158,9 @@ docker:
          sigstore: https://registry.redhat.io/containers/sigstore
 EOF
 
+# Placeholder check to silence rpmlint
+%check
+
 %files
 %dir %{_sysconfdir}/containers
 %dir %{_sysconfdir}/containers/certs.d
@@ -191,13 +194,34 @@ EOF
 %files extra
 
 %changelog
-* Mon Mar 03 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-117
-- rebuild against the proper target
-- Resolves: RHEL-78845
+* Thu Sep 25 2025 Jindrich Novy <jnovy@redhat.com> - 4:1-135
+- Update rhel-shortnames-overrides to include complete list of UBI/RHEL images
+- Resolves: RHEL-116618
 
-* Wed Feb 26 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-116
+* Mon Aug 18 2025 Jindrich Novy <jnovy@redhat.com> - 4:1-134
+- update vendored components for RHEL9.7
+- Related: RHEL-80816
+
+* Tue Aug 12 2025 Jindrich Novy <jnovy@redhat.com> - 4:1-133
+- update shortnames and vendored components
+- Related: RHEL-80816
+
+* Wed Jun 11 2025 Jindrich Novy <jnovy@redhat.com> - 4:1-132
+- update vendored components
+- Related: RHEL-80816
+
+* Sun Jun 08 2025 Lokesh Mandvekar <lsm5@redhat.com> - 2:1-131
+- fetch TMT podman revdep tests from podman dist-git
+- needs at least podman 5.4.0-8.el9
+- Related: RHEL-80816
+
+* Mon Mar 03 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-130
+- rebuild to preserve upgrade path
+- Related: RHEL-80816
+
+* Mon Feb 24 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-116
 - add files section for extra subpackage
-- Resolves: RHEL-78845
+- Resolves: RHEL-80525
 
 * Mon Feb 17 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-115
 - Add containers-common-extra properly