Backport patches

Resolves: rhbz#2156065
Resolves: rhbz#2166444
Resolves: rhbz#2132383
Resolves: rhbz#1898089

0030-versionlock-Use-only-most-specif-NEVRA-RhBug-1961217.patch

@@ -0,0 +1,88 @@
+From ee0e1ca0751d29adcc4788334ce8fd74b4d772c9 Mon Sep 17 00:00:00 2001
+From: Marek Blaha <mblaha@redhat.com>
+Date: Wed, 19 May 2021 16:52:57 +0200
+Subject: [PATCH] versionlock: Store full NEVRA
+
+---
+ plugins/versionlock.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/plugins/versionlock.py b/plugins/versionlock.py
+index 77b7f91..8a3994e 100644
+--- a/plugins/versionlock.py
++++ b/plugins/versionlock.py
+@@ -312,5 +312,4 @@ def _match(ent, patterns):
+ 
+ def pkgtup2spec(name, arch, epoch, version, release):
+     # we ignore arch
+-    e = "" if epoch in (None, "") else "%s:" % epoch
+-    return "%s-%s%s-%s.*" % (name, e, version, release)
++    return "%s-%s:%s-%s.*" % (name, epoch or "0", version, release)
+-- 
+2.40.1
+
+
+From da25d50a8753b0a648a2653e2fb9e33eb372f73f Mon Sep 17 00:00:00 2001
+From: Marek Blaha <mblaha@redhat.com>
+Date: Wed, 19 May 2021 16:53:37 +0200
+Subject: [PATCH] versionlock: Use only the most specific NEVRA (RhBug:1961217)
+
+When matching patterns from versionlock.list file accept only the most
+specific possible NEVRA.
+The problem with current implementation (using of all possible variants)
+is following (also see the referenced bug):
+
+$ dnf repoquery procps-ng
+procps-ng-0:3.3.17-1.fc34.1.x86_64
+procps-ng-0:3.3.17-1.fc34.x86_64    <-- this one is installed
+
+See the `.1` minorbump part of the release after %{dist} in
+`procps-ng-0:3.3.17-1.fc34.1.x86_64`
+
+$ dnf versionlock procps-ng
+Adding versionlock on: procps-ng-0:3.3.17-1.fc34.*
+
+Now both of the available procps-ng version could be matched by this
+pattern:
+- procps-ng-0:3.3.17-1.fc34.x86_64 (when `*` is considered arch)
+- procps-ng-0:3.3.17-1.fc34.1.x86_64 (when `*` is matched against
+  release part, and arch is considered not present)
+
+That results in versionlock allowing upgrade to a newer version than the
+locked one.
+
+= changelog =
+msg:           Versionlock works correctly with packages with minorbump part of release
+type:          bugfix
+resolves:      https://bugzilla.redhat.com/show_bug.cgi?id=1961217
+---
+ plugins/versionlock.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/versionlock.py b/plugins/versionlock.py
+index 8a3994e..32c51da 100644
+--- a/plugins/versionlock.py
++++ b/plugins/versionlock.py
+@@ -89,7 +89,9 @@ class VersionLock(dnf.Plugin):
+                 pat = pat[1:]
+                 excl = 1
+ 
+-            possible_nevras = dnf.subject.Subject(pat).get_nevra_possibilities()
++            possible_nevras = dnf.subject.Subject(pat).get_nevra_possibilities(
++                forms=[hawkey.FORM_NEVRA, hawkey.FORM_NEVR, hawkey.FORM_NEV,
++                       hawkey.FORM_NA, hawkey.FORM_NAME])
+             if possible_nevras:
+                 count[excl] += 1
+             else:
+@@ -102,6 +104,8 @@ class VersionLock(dnf.Plugin):
+                 else:
+                     locked_names.add(nevra.name)
+                     locked_query = locked_query.union(pat_query)
++                if pat_query:
++                    break
+ 
+         if count[1]:
+             logger.debug(APPLY_EXCLUDE.format(locklist_fn, count[1]))
+-- 
+2.40.1
+

0031-Fix-boot-time-derivation-for-systems-with-no-rtc.patch

@@ -0,0 +1,55 @@
+From 23a6123348f0a387768ebdfdaaded900a083039e Mon Sep 17 00:00:00 2001
+From: Todd Lewis <todd_lewis@unc.edu>
+Date: Wed, 16 Nov 2022 10:45:39 -0500
+Subject: [PATCH] Fix boot time derivation for systems with no rtc
+
+That addresses https://bugzilla.redhat.com/show_bug.cgi?id=2137935
+---
+ plugins/needs_restarting.py | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/needs_restarting.py b/plugins/needs_restarting.py
+index 91dbe66..03831fa 100644
+--- a/plugins/needs_restarting.py
++++ b/plugins/needs_restarting.py
+@@ -34,6 +34,7 @@ import functools
+ import os
+ import re
+ import stat
++import time
+ 
+ 
+ # For which package updates we should recommend a reboot
+@@ -199,7 +200,28 @@ class ProcessStart(object):
+ 
+     @staticmethod
+     def get_boot_time():
+-        return int(os.stat('/proc/1').st_mtime)
++        """
++        We have two sources from which to derive the boot time. These values vary
++        depending on containerization, existence of a Real Time Clock, etc.
++        For our purposes we want the latest derived value.
++        - st_mtime of /proc/1
++             Reflects the time the first process was run after booting
++             This works for all known cases except machines without
++             a RTC - they awake at the start of the epoch.
++        - /proc/uptime
++             Seconds field of /proc/uptime subtracted from the current time
++             Works for machines without RTC iff the current time is reasonably correct.
++             Does not work on containers which share their kernel with the
++             host - there the host kernel uptime is returned
++        """
++
++        proc_1_boot_time = int(os.stat('/proc/1').st_mtime)
++        if os.path.isfile('/proc/uptime'):
++            with open('/proc/uptime', 'rb') as f:
++                uptime = f.readline().strip().split()[0].strip()
++                proc_uptime_boot_time = int(time.time() - float(uptime))
++                return max(proc_1_boot_time, proc_uptime_boot_time)
++        return proc_1_boot_time
+ 
+     @staticmethod
+     def get_sc_clk_tck():
+--
+libgit2 1.3.2
+

0032-Doc-update-for-reposync-RhBug-2132383-2182004.patch

@@ -0,0 +1,34 @@
+From a83af3db9f1aaf698be5455a01814849e39307d8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Mracek <jmracek@redhat.com>
+Date: Mon, 27 Mar 2023 10:24:59 +0200
+Subject: [PATCH] Documentation update for reposync (RhBug:2132383,2182004)
+
+The update describe the behavior when `-n` and `--download-metadata`
+is used.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2132383
+https://bugzilla.redhat.com/show_bug.cgi?id=2182004
+---
+ doc/reposync.rst | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/doc/reposync.rst b/doc/reposync.rst
+index 0df00b9..bbf714c 100644
+--- a/doc/reposync.rst
++++ b/doc/reposync.rst
+@@ -46,7 +46,11 @@ All general DNF options are accepted. Namely, the ``--repoid`` option can be use
+     Delete local packages no longer present in repository.
+ 
+ ``--download-metadata``
+-    Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
++    Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c
++    on it. When the option is used with `--newest-only`, only latest packages will be downloaded, but metadata will
++    still contain older packages. It might be useful to update metadata using `createrepo_c --update` to remove
++    the packages with missing RPM files from metadata. Otherwise, DNF ends with an error due to the missing files
++    whenever it tries to download older packages.
+ 
+ ``-g, --gpgcheck``
+     Remove packages that fail GPG signature checking after downloading. Exit code is ``1`` if at least one package was removed.
+--
+libgit2 1.3.2
+

0033-reposync-Implement-safe-write-path-opt-RhBug-1898089.patch

@@ -0,0 +1,97 @@
+From 632ab7751b42d3bf27a59f3ff9c572afb3ac3cd4 Mon Sep 17 00:00:00 2001
+From: Marek Blaha <mblaha@redhat.com>
+Date: Wed, 6 Oct 2021 16:43:10 +0200
+Subject: [PATCH] reposync: Implement --safe-write-path option (RhBug:1898089)
+
+By default reposync is not allowed to write files outside of repository
+download path (by default ./<repo id>). But there are some repositories
+that store packages using relative parent paths (e.g.
+../packages-store/f/foo.rpm).
+This patch introduces new --safe-write-path option that can override
+this limitation and set a root directory that is considered safe for
+writing.
+For example `dnf reposync --repoid=the_repo --safe-write-path=.` will
+allow reposync to write files not only to `./the_repo` directory but
+also to current working directory itself.
+
+= changelog =
+msg: With --safe-write-path option reposync can download repositories with relative package locations (like ../package-store/f/foo.rpm)
+type: enhancement
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1898089
+---
+ doc/reposync.rst    |  3 +++
+ plugins/reposync.py | 27 ++++++++++++++++++++-------
+ 2 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/doc/reposync.rst b/doc/reposync.rst
+index bbf714c..ede8901 100644
+--- a/doc/reposync.rst
++++ b/doc/reposync.rst
+@@ -71,6 +71,9 @@ All general DNF options are accepted. Namely, the ``--repoid`` option can be use
+ ``-p <download-path>, --download-path=<download-path>``
+     Root path under which the downloaded repositories are stored, relative to the current working directory. Defaults to the current working directory. Every downloaded repository has a subdirectory named after its ID under this path.
+ 
++``--safe-write-path``
++    Specify the filesystem path prefix under which the reposync is allowed to write. If not specified it defaults to download path of the repository. Useful for repositories that use relative locations of packages out of repository directory (e.g. "../packages_store/foo.rpm"). Use with care, any file under the ``safe-write-path`` can be overwritten. Can be only used when syncing a single repository.
++
+ ``--remote-time``
+     Try to set the timestamps of the downloaded files to those on the remote side.
+ 
+diff --git a/plugins/reposync.py b/plugins/reposync.py
+index 0ff936f..63d8e98 100644
+--- a/plugins/reposync.py
++++ b/plugins/reposync.py
+@@ -88,6 +88,8 @@ class RepoSyncCommand(dnf.cli.Command):
+         parser.add_argument('-u', '--urls', default=False, action='store_true',
+                             help=_("Just list urls of what would be downloaded, "
+                                    "don't download"))
++        parser.add_argument('--safe-write-path', default=None,
++                            help=_("Filesystem path that is considered safe for writing. Defaults to download path."))
+ 
+     def configure(self):
+         demands = self.cli.demands
+@@ -108,9 +110,16 @@ class RepoSyncCommand(dnf.cli.Command):
+         if self.opts.source:
+             repos.enable_source_repos()
+ 
+-        if len(list(repos.iter_enabled())) > 1 and self.opts.norepopath:
+-            raise dnf.cli.CliError(
+-                _("Can't use --norepopath with multiple repositories"))
++        if self.opts.safe_write_path is not None:
++            self.opts.safe_write_path = os.path.realpath(self.opts.safe_write_path)
++
++        if len(list(repos.iter_enabled())) > 1:
++            if self.opts.norepopath:
++                raise dnf.cli.CliError(
++                    _("Can't use --norepopath with multiple repositories"))
++            elif self.opts.safe_write_path is not None:
++                raise dnf.cli.CliError(
++                    _("Can't use --safe-write-path with multiple repositories"))
+ 
+         for repo in repos.iter_enabled():
+             repo._repo.expire()
+@@ -188,13 +197,17 @@ class RepoSyncCommand(dnf.cli.Command):
+         repo_target = self.repo_target(pkg.repo)
+         pkg_download_path = os.path.realpath(
+             os.path.join(repo_target, pkg.location))
+-        # join() ensures repo_target ends with a path separator (otherwise the
++
++        # join() ensures safe_write_path ends with a path separator (otherwise the
+         # check would pass if pkg_download_path was a "sibling" path component
+         # of repo_target that has the same prefix).
+-        if not pkg_download_path.startswith(os.path.join(repo_target, '')):
++        safe_write_path = os.path.join(self.opts.safe_write_path or repo_target, '')
++
++        if not pkg_download_path.startswith(safe_write_path):
+             raise dnf.exceptions.Error(
+-                _("Download target '{}' is outside of download path '{}'.").format(
+-                    pkg_download_path, repo_target))
++                _("Download target '{0}' for location '{1}' of '{2}' package "
++                  "is outside of safe write path '{3}'.").format(
++                    pkg_download_path, pkg.location, pkg.name, safe_write_path))
+         return pkg_download_path
+ 
+     def delete_old_local_packages(self, repo, pkglist):
+--
+libgit2 1.3.2
+

dnf-plugins-core.spec

@@ -34,7 +34,7 @@
 
 Name:           dnf-plugins-core
 Version:        4.0.21
-Release:        19%{?dist}
+Release:        20%{?dist}
 Summary:        Core Plugins for DNF
 License:        GPLv2+
 URL:            https://github.com/rpm-software-management/dnf-plugins-core
@@ -68,6 +68,10 @@ Patch26:        0026-Add-a-warning-when-using-system-upgrade-on-RHEL.patch
 Patch27:        0027-offline-upgrade-Add-security-filters.patch
 Patch28:        0028-system-upgrade-Show-warning-always-for-a-downstream.patch
 Patch29:        0029-Update-translations.patch
+Patch30:        0030-versionlock-Use-only-most-specif-NEVRA-RhBug-1961217.patch
+Patch31:        0031-Fix-boot-time-derivation-for-systems-with-no-rtc.patch
+Patch32:        0032-Doc-update-for-reposync-RhBug-2132383-2182004.patch
+Patch33:        0033-reposync-Implement-safe-write-path-opt-RhBug-1898089.patch
 
 
 BuildArch:      noarch
@@ -844,6 +848,12 @@ ln -sf %{_mandir}/man1/%{yum_utils_subpackage_name}.1.gz %{buildroot}%{_mandir}/
 %endif
 
 %changelog
+* Wed May 17 2023 Jaroslav Rohel <jrohel@redhat.com> - 4.0.21-20
+- versionlock: Use only the most specific NEVRA (RhBug:1961217)
+- Fix boot time derivation for systems with no rtc (RhBug:2166444,2182157)
+- Doc update for reposync (RhBug:2132383,2182004)
+- reposync: Implement --safe-write-path option (RhBug:1898089,2203766)
+
 * Wed Mar 08 2023 Marek Blaha <mblaha@redhat.com> - 4.0.21-19
 - Update translations