Add missing runtime dependencies to -aot- subpackage

Related: RHEL-62799

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -0,0 +1,10 @@
+/dotnet-prebuilts-9.0.100-preview.7.24380.1-ppc64le.tar.gz
+/dotnet-prebuilts-9.0.100-preview.7.24380.1-s390x.tar.gz
+/dotnet-sdk-9.0.100-preview.7.24380.2-linux-arm64.tar.gz
+/dotnet-v9.0.0-preview.7.24405.7-x64-bootstrap.tar.gz
+/dotnet-9.0.0-preview.7.24405.7.tar.gz
+/dotnet-9.0.0-preview.7.24405.7.tar.gz.sig
+/dotnet-9.0.0-rc.1.24431.7.tar.gz
+/dotnet-9.0.0-rc.1.24431.7.tar.gz.sig
+/dotnet-9.0.0-rc.2.24473.5.tar.gz
+/dotnet-9.0.0-rc.2.24473.5.tar.gz.sig

README.md

@@ -0,0 +1,74 @@
+# dotnet9.0
+
+This is the .NET 9.0 package for RHEL.
+
+Please report any issues [using Jira](https://issues.redhat.com/).
+
+# Specification
+
+This package follows [package naming and contents suggested by
+upstream](https://docs.microsoft.com/en-us/dotnet/core/build/distribution-packaging),
+with one exception. It installs dotnet to `/usr/lib64/dotnet` (aka
+`%{_libdir}`).
+
+# Contributing
+
+1. Fork the repo.
+
+2. Checkout the forked repository.
+
+    - `git clone git@gitlab.com:$USER/centos_rpms_dotnet9.0.git dotnet9.0`
+    - `cd dotnet9.0`
+
+3. Make your changes. Don't forget to add a changelog.
+
+   If you are updating to a new upstream release: Get the new upstream source
+   tarball and the detached signature. Update the versions in the spec file.
+   Add a changelog. This is generally automated by the following.
+
+    - `./update-release <sdk-version> <runtime-version>`
+
+    If this fails because of compiler errors, you might have to figure
+    out a fix, then add the patch in `build-dotnet-tarball` script
+    rather than the spec file.
+
+4. Do local builds.
+
+    - `centpkg local`
+
+5. Fix any errors that come up and rebuild until it works locally. Any
+   patches that are needed at this point should be added to the spec file.
+
+6. Do builds in koji.
+
+    - `centpkg scratch-build --srpm`
+
+7. If this is a new release, upload the source archive and detached signature to
+   the look-aside cache.
+
+    - `centpkg new-sources dotnet-source-tarball.tar.gz dotnet-source-tarball.tar.gz.sig`
+
+8. Commit the changes to the git repo.
+
+    - `git add` any new patches
+    - `git remove` any now-unnecessary patches
+    - `git commit -a`
+    - `git push`
+
+9. Create a pull request with your changes.
+
+10. Once the tests in the pull-request pass, and reviewers are happy, merge the
+   pull request and do a real build.
+
+    - `centpkg build`
+
+# Testing
+
+This package uses CI tests as defined in `tests/ci.yml`. You can run them using
+[tmt](https://tmt.readthedocs.io/en/stable/overview.html). Creating a
+pull-request or running an official build will fire off tests and flag any
+issues. We have enabled gating (via `gating.yaml`) on the tests. That prevents
+a build that fails any test from being released until the failures are waived.
+
+The tests themselves are contained in this external repository:
+https://github.com/redhat-developer/dotnet-regular-tests/

build-dotnet-bootstrap-tarball

@@ -0,0 +1,171 @@
+#!/bin/bash
+
+# Usage:
+#   build-dotnet-bootstrap-tarball <tag-or-commit-from-dotnet>
+#
+# Creates a source archive suitable for bootstrapping from a tag (or commit) at
+# https://github.com/dotnet/dotnet
+#
+# Clone dotnet/dotnet, check out the tag, and build a source-tarball.
+# Can also use a full git commit identifier instead of tag (not an
+# abbreviated 8 character commit identifier though).
+
+set -euo pipefail
+IFS=$'\n\t'
+
+function print_usage {
+    echo "Usage:"
+    echo "$0 <tag-from-dotnet>"
+    echo
+    echo "Creates a $arch bootstrap source archive from a tag at https://github.com/dotnet/dotnet"
+}
+
+function clean_dotnet_cache {
+    rm -rf ~/.aspnet ~/.dotnet/ ~/.nuget/ ~/.local/share/NuGet ~/.templateengine
+    rm -rf /tmp/NuGet /tmp/NuGetScratch /tmp/.NETCore* /tmp/.NETStandard* /tmp/.dotnet /tmp/dotnet.* /tmp/clr-debug-pipe* /tmp/Razor-Server /tmp/CoreFxPipe* /tmp/VBCSCompiler /tmp/.NETFramework*
+    rm -rf ~/.npm/
+}
+
+function check_bootstrap_environment {
+    if rpm -qa | grep dotnet ; then
+        echo "error: dotnet is installed. Not a good idea for bootstrapping."
+        exit 1
+    fi
+    if [ -d /usr/lib/dotnet ] || [ -d /usr/lib64/dotnet ] || [ -d /usr/share/dotnet ] ; then
+        echo "error: one of /usr/lib/dotnet /usr/lib64/dotnet or /usr/share/dotnet/ exists. Not a good idea for bootstrapping."
+        exit 1
+    fi
+    if command -v dotnet ; then
+        echo "error: dotnet is in $PATH. Not a good idea for bootstrapping."
+        exit 1
+    fi
+}
+
+function runtime_id {
+
+    source /etc/os-release
+    case "${ID}" in
+        # Remove the RHEL minor version
+        rhel) rid_version=${VERSION_ID%.*} ;;
+
+        *) rid_version=${VERSION_ID} ;;
+    esac
+
+    echo "${ID}.${rid_version}-${arch}"
+}
+
+build_bootstrap=false
+
+declare -A archmap
+archmap=(
+    ["aarch64"]="arm64"
+    ["amd64"]="x64"
+    ["armv8l"]="arm"
+    ["i386"]="x86"
+    ["i686"]="x86"
+    ["ppc64le"]="ppc64le"
+    ["s390x"]="s390x"
+    ["x86_64"]="x64"
+)
+
+arch=${archmap["$(uname -m)"]}
+
+
+positional_args=()
+while [[ "$#" -gt 0 ]]; do
+    arg="${1}"
+    case "${arg}" in
+        -h|--help)
+            print_usage
+            exit 0
+            ;;
+        *)
+            positional_args+=("$1")
+            shift
+            ;;
+    esac
+done
+
+check_bootstrap_environment
+
+tag=${positional_args[0]:-}
+if [[ -z ${tag} ]]; then
+    echo "error: missing tag to build"
+    exit 1
+fi
+
+set -x
+
+dir_name="dotnet-${tag}"
+unmodified_tarball_name="${dir_name}-original"
+tarball_name="${dir_name}"
+
+unmodified_tarball_name="${unmodified_tarball_name}-${arch}-bootstrap"
+tarball_name="${tarball_name}-${arch}-bootstrap"
+
+tarball_suffix=.tar.gz
+
+if [ -f "${tarball_name}${tarball_suffix}" ]; then
+    echo "error: ${tarball_name}${tarball_suffix} already exists"
+    exit 1
+fi
+
+
+if [ ! -f "${unmodified_tarball_name}.tar.gz" ]; then
+    if [[ $tag =~ ^[0-9a-fA-F]+$ ]]; then
+        if [ ! -f $tag.zip ]; then
+            wget https://github.com/dotnet/dotnet/archive/$tag.zip
+        fi
+        dir=$(mktemp -d -p $(pwd))
+        pushd $dir
+        unzip -q ../$tag.zip
+        if [[ $(ls -1q | wc -l) -gt 3 ]]; then
+            echo "error: tarball doesn't have a single main directory"
+            exit 1
+        fi
+        tar czf ../${unmodified_tarball_name}.tar.gz dotnet-$tag
+        popd
+    else
+        wget https://github.com/dotnet/dotnet/archive/refs/tags/${tag}.tar.gz
+        mv "${tag}.tar.gz" "${unmodified_tarball_name}.tar.gz"
+    fi
+fi
+
+tar tf "${unmodified_tarball_name}".tar.gz > .tarball_file_list
+extracted_tarball_root=$(head -1 .tarball_file_list | cut -d/ -f 1)
+if [[ "$extracted_tarball_root" == "."* ]]; then
+    echo "error: can't find main directory in the dotnet tarball"
+    exit 1
+fi
+if [[ $(grep -cv "^${extracted_tarball_root}/" .tarball_file_list) -gt 0 ]]; then
+    echo "error: tarball doesn't have a single main directory"
+    exit 1
+fi
+rm .tarball_file_list
+
+rm -rf "${tarball_name}"
+rm -rf "${extracted_tarball_root}"
+tar xf "${unmodified_tarball_name}.tar.gz"
+mv "${extracted_tarball_root}" "${tarball_name}"
+
+pushd "${tarball_name}"
+
+./prep-source-build.sh --bootstrap
+
+# Remove files with funny licenses and crypto implementations and
+# other not-very-useful artifacts. We MUST NOT ship any files that
+# have unapproved licenses and unexpected cryptographic
+# implementations.
+#
+# We use rm -r (no -f) to make sure the operation fails if the files
+# are not at the expected locations. If the files are not at the
+# expected location, we need to find the new location of the files and
+# delete them, or verify that upstream has already removed the files.
+
+# rm -r $FILE_TO_REMOVE
+
+popd
+
+echo "Bootstrap .NET SDK: $(jq .tools.dotnet "${tarball_name}"/global.json)"
+
+time tar -czf "${tarball_name}${tarball_suffix}" "${tarball_name}"

build-prebuilt-archive

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Usage:
+#   build-prebuilt-archive architecture vmr-directory
+#
+# Creates an archive containing necessary bootstrapping binaries for ppc64le or
+# s390x architectures from a VMR build.
+#
+# You need to have cloned the VMR (https://github.com/dotnet/dotnet) and
+# cross-compiled it for the target architecture already.
+
+set -euo pipefail
+IFS=$'\n\t'
+set -x
+
+function print_usage {
+    echo "Usage:"
+    echo "$0 <architecture> <vmr directory>"
+    echo
+    echo "Creates a ppc64le or s390x bootstrap archive from a VMR build."
+    echo
+    echo "You need to have cloned the VMR (https://github.com/dotnet/dotnet) and"
+    echo "cross-compiled it for the target architecture already."
+
+}
+
+positional_args=()
+while [[ "$#" -gt 0 ]]; do
+    arg="${1}"
+    case "${arg}" in
+        -h|--help)
+            print_usage
+            exit 0
+            ;;
+        *)
+            positional_args+=("$1")
+            shift
+            ;;
+    esac
+done
+
+arch=${positional_args[0]}  # Name of the architecture. Eg, s390x or ppc64le
+dir=${positional_args[1]} # Checkout of the VMR with the cross-build for the target architecture
+dir=$(readlink -f "$dir")
+
+sdk_tarball=$(readlink -f $(find "$dir" -iname 'dotnet-sdk*'"$arch"'*tar.gz' | head -1))
+
+# SDK is at VMR/artifacts/assets/Release/dotnet-sdk-9.0.100-preview.3.24165.1-linux-$arch.tar.gz. Extract the SDK version from the name.
+sdk_version=$(echo "$(basename "${sdk_tarball}")" | sed -E -e 's/dotnet-sdk-//' -e "s/-linux-$arch.tar.gz//")
+echo $sdk_version
+
+archive_name=dotnet-prebuilts-${sdk_version}-${arch}
+
+mkdir -p $archive_name
+pushd $archive_name
+
+cp -av $sdk_tarball .
+# Get all architecture-specific nuget packages
+find $dir/artifacts/packages/Release/Shipping/ -iname "*linux-$arch*nupkg" -exec cp -avL {} . \;
+
+popd
+
+tar cvzf $archive_name.tar.gz $archive_name

check-debug-symbols.py

@@ -0,0 +1,140 @@
+#!/usr/bin/python3
+
+"""
+Check debug symbols are present in shared object and can identify
+code.
+
+It starts scanning from a directory and recursively scans all ELF
+files found in it for various symbols to ensure all debuginfo is
+present and nothing has been stripped.
+
+Usage:
+
+./check-debug-symbols /path/of/dir/to/scan/
+
+
+Example:
+
+./check-debug-symbols /usr/lib64
+"""
+
+# This technique was explained to me by Mark Wielaard (mjw).
+
+import collections
+import os
+import re
+import subprocess
+import sys
+
+ScanResult = collections.namedtuple('ScanResult',
+                                    'file_name debug_info debug_abbrev file_symbols gnu_debuglink')
+
+file_symbol_exclude_list = [
+    'ilc',
+]
+
+def scan_file(file):
+    "Scan the provided file and return a ScanResult containing results of the scan."
+
+    # Test for .debug_* sections in the shared object. This is the  main test.
+    # Stripped objects will not contain these.
+    readelf_S_result = subprocess.run(['eu-readelf', '-S', file],
+                                      stdout=subprocess.PIPE, encoding='utf-8', check=True)
+    has_debug_info = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_info' in line)
+
+    has_debug_abbrev = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_abbrev' in line)
+
+    # Test FILE symbols. These will most likely be removed by anyting that
+    # manipulates symbol tables because it's generally useless. So a nice test
+    # that nothing has messed with symbols.
+    def contains_file_symbols(line):
+        parts = line.split()
+        if len(parts) < 8:
+            return False
+        return \
+            parts[2] == '0' and parts[3] == 'FILE' and parts[4] == 'LOCAL' and parts[5] == 'DEFAULT' and \
+            parts[6] == 'ABS' and re.match(r'((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx))?', parts[7])
+
+    readelf_s_result = subprocess.run(["eu-readelf", '-s', file],
+                                      stdout=subprocess.PIPE, encoding='utf-8', check=True)
+    has_file_symbols = True
+    if not os.path.basename(file) in file_symbol_exclude_list:
+        has_file_symbols = any(line for line in readelf_s_result.stdout.split('\n') if contains_file_symbols(line))
+
+    # Test that there are no .gnu_debuglink sections pointing to another
+    # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+    # no sense either.
+    has_gnu_debuglink = any(line for line in readelf_s_result.stdout.split('\n') if '] .gnu_debuglink' in line)
+
+    return ScanResult(file, has_debug_info, has_debug_abbrev, has_file_symbols, has_gnu_debuglink)
+
+def is_elf(file):
+    result = subprocess.run(['file', file], stdout=subprocess.PIPE, encoding='utf-8', check=True)
+    return re.search(r'ELF 64-bit [LM]SB (?:pie )?(?:executable|shared object)', result.stdout)
+
+def scan_file_if_sensible(file):
+    if is_elf(file):
+        return scan_file(file)
+    return None
+
+def scan_dir(dir):
+    results = []
+    for root, _, files in os.walk(dir):
+        for name in files:
+            result = scan_file_if_sensible(os.path.join(root, name))
+            if result:
+                results.append(result)
+    return results
+
+def scan(file):
+    file = os.path.abspath(file)
+    if os.path.isdir(file):
+        return scan_dir(file)
+    elif os.path.isfile(file):
+        return [scan_file_if_sensible(file)]
+
+def is_bad_result(result):
+    return not result.debug_info or not result.debug_abbrev or not result.file_symbols or result.gnu_debuglink
+
+def print_scan_results(results, verbose):
+    # print(results)
+    for result in results:
+        file_name = result.file_name
+        found_issue = False
+        if not result.debug_info:
+            found_issue = True
+            print('error: missing .debug_info section in', file_name)
+        if not result.debug_abbrev:
+            found_issue = True
+            print('error: missing .debug_abbrev section in', file_name)
+        if not result.file_symbols:
+            found_issue = True
+            print('error: missing FILE symbols in', file_name)
+        if result.gnu_debuglink:
+            found_issue = True
+            print('error: unexpected .gnu_debuglink section in', file_name)
+        if verbose and not found_issue:
+            print('OK: ', file_name)
+
+def main(args):
+    verbose = False
+    files = []
+    for arg in args:
+        if arg == '--verbose' or arg == '-v':
+            verbose = True
+        else:
+            files.append(arg)
+
+    results = []
+    for file in files:
+        results.extend(scan(file))
+
+    print_scan_results(results, verbose)
+
+    if any(is_bad_result(result) for result in results):
+        return 1
+    return 0
+
+
+if __name__ == '__main__':
+    sys.exit(main(sys.argv[1:]))

dotnet.sh.in

@@ -0,0 +1,14 @@
+
+# Set location for AppHost lookup
+[ -z "$DOTNET_ROOT" ] && export DOTNET_ROOT=@LIBDIR@/dotnet
+
+# Add dotnet tools directory to PATH
+DOTNET_TOOLS_PATH="$HOME/.dotnet/tools"
+case "$PATH" in
+    *"$DOTNET_TOOLS_PATH"* ) true ;;
+    * ) PATH="$PATH:$DOTNET_TOOLS_PATH" ;;
+esac
+
+# Extract self-contained executables under HOME
+# to avoid multi-user issues from using the default '/var/tmp'.
+[ -z "$DOTNET_BUNDLE_EXTRACT_BASE_DIR" ] && export DOTNET_BUNDLE_EXTRACT_BASE_DIR="${XDG_CACHE_HOME:-"$HOME"/.cache}/dotnet_bundle_extract"

gating.yaml

@@ -0,0 +1,23 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.other-archs.functional}

release-key-2023.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----

release.json

@@ -0,0 +1,10 @@
+{
+  "release": "9.0.0-rc.2",
+  "channel": "9.0",
+  "tag": "v9.0.0-rc.2.24473.5",
+  "sdkVersion": "9.0.100-rc.2.24474.11",
+  "runtimeVersion": "9.0.0-rc.2.24473.5",
+  "aspNetCoreVersion": "9.0.0-rc.2.24474.3",
+  "sourceRepository": "https://github.com/dotnet/dotnet",
+  "sourceVersion": "b4c156e3f670d86ad737595a912c5c85c481b9ac"
+}

roslyn-analyzers-ppc64le-apphost.patch

@@ -0,0 +1,12 @@
+diff --git a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+index 044a2aba4..b3f8f2611 100644
+--- a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
++++ b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+@@ -4,6 +4,7 @@
+     <LangVersion>preview</LangVersion>
+     <Nullable>disable</Nullable>
+     <OutputType>Exe</OutputType>
++    <UseAppHost>false</UseAppHost>
+   </PropertyGroup>
+   <PropertyGroup>
+     <NonShipping>true</NonShipping>

rpminspect.yaml

@@ -0,0 +1,20 @@
+---
+inspections:
+    # We patch upstream a lot, no need to reject patches
+    patches: off
+badfuncs:
+    allowed:
+        # The Mono runtime (used on s390x, for example), uses inet_addr for
+        # debugging (such as sending the control flow graph to a remote process).
+        # See runtime/src/mono/mono/mini/cfgdump.c. This isn't part of any
+        # standard networking facility; networking APIs are implemented/used in
+        # libSystem*so.
+        /usr/lib64/dotnet/shared/Microsoft.NETCore.App/*/libcoreclr.so:
+            - inet_addr
+        /usr/lib64/dotnet/packs/Microsoft.NETCore.App.Runtime.*/*/runtimes/*/native/libcoreclr.so:
+            - inet_addr
+runpath:
+    # Upstream explicitly sets $ORIGIN/netcoredeps as an RPATH
+    # See https://github.com/dotnet/core/blob/main/Documentation/self-contained-linux-apps.md
+    allowed_origin_paths:
+        - /netcoredeps

runtime-disable-fortify-on-ilasm-parser.patch

@@ -0,0 +1,12 @@
+diff --git dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+index cca2c6da185..d31e6cb2070 100644
+--- dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
++++ dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+@@ -52,6 +52,7 @@ if(CLR_CMAKE_HOST_UNIX)
+   add_compile_options(-Wno-array-bounds)
+   add_compile_options(-Wno-unused-label)
+   set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-O0" )
++  set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=0" )
+ endif(CLR_CMAKE_HOST_UNIX)
+ 
+ if(CLR_CMAKE_HOST_LINUX OR CLR_CMAKE_HOST_FREEBSD OR CLR_CMAKE_HOST_NETBSD OR CLR_CMAKE_HOST_SUNOS OR CLR_CMAKE_HOST_HAIKU)

runtime-openssl-sha1.patch

@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c      | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+ 
+     int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+ 
+-    if (val != 0)
+-    {
+-        X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+-    }
+-
+     return val;
+ }
+ 
+-- 
+2.43.2
+

runtime-re-enable-implicit-rejection.patch

@@ -0,0 +1,142 @@
+From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
+From: Omair Majid <omajid@redhat.com>
+Date: Fri, 2 Feb 2024 15:51:23 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
+
+This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+---
+ .../RSA/EncryptDecrypt.cs                     | 49 ++++---------------
+ .../opensslshim.h                             |  6 ---
+ .../pal_evp_pkey_rsa.c                        | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 39f3ebc82ec..5b97f468a42 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
++++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+             Assert.Equal(TestData.HelloBytes, output);
+         }
+ 
+-        [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
++        [ConditionalFact]
+         [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+         public void RoundtripEmptyArray()
+         {
++            if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
++            {
++                throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
++            }
++            if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
++            {
++                throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
++            }
++
+             using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+             {
+                 void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -757,23 +746,5 @@ public static IEnumerable<object[]> OaepPaddingModes
+                 }
+             }
+         }
+-
+-        public static bool PlatformSupportsEmptyRSAEncryption
+-        {
+-            get
+-            {
+-                if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+-                {
+-                    return false;
+-                }
+-
+-                if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+-                {
+-                    return false;
+-                }
+-
+-                return true;
+-            }
+-        }
+     }
+ }
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+index 0748e305d5c..cf10d2f7949 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+     REQUIRED_FUNCTION(ERR_peek_error) \
+     REQUIRED_FUNCTION(ERR_peek_error_line) \
+     REQUIRED_FUNCTION(ERR_peek_last_error) \
+-    REQUIRED_FUNCTION(ERR_pop_to_mark) \
+     FALLBACK_FUNCTION(ERR_put_error) \
+     REQUIRED_FUNCTION(ERR_reason_error_string) \
+-    REQUIRED_FUNCTION(ERR_set_mark) \
+     LIGHTUP_FUNCTION(ERR_set_debug) \
+     LIGHTUP_FUNCTION(ERR_set_error) \
+     REQUIRED_FUNCTION(EVP_aes_128_cbc) \
+@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+     REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
+     REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
+-    REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
+@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define ERR_peek_error_line ERR_peek_error_line_ptr
+ #define ERR_peek_last_error ERR_peek_last_error_ptr
+ #define ERR_put_error ERR_put_error_ptr
+-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
+ #define ERR_reason_error_string ERR_reason_error_string_ptr
+ #define ERR_set_debug ERR_set_debug_ptr
+-#define ERR_set_mark ERR_set_mark_ptr
+ #define ERR_set_error ERR_set_error_ptr
+ #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
+ #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
+@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
+ #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
+ #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
+-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
+ #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
+ #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
+ #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+index 043bf9f9d1e..c9ccdf33e3a 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
+         {
+             return false;
+         }
+-
+-        // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
+-        // If the padding is invalid, the decryption operation returns random data.
+-        // See https://github.com/openssl/openssl/pull/13817 for background.
+-        // Some Linux distributions backported this change to previous versions of OpenSSL.
+-        // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
+-        ERR_set_mark();
+-
+-        EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
+-
+-        // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
+-        // current version does not support implicit rejection.
+-        ERR_pop_to_mark();
+     }
+     else
+     {
+-- 
+2.43.0
+

sources

@@ -0,0 +1,2 @@
+SHA512 (dotnet-9.0.0-rc.2.24473.5.tar.gz) = 517334ed2bea3cff925ce6e8a04658d792b2f72cea1e9a405686d9d3f786d9b01ce35e8f7edd927bcdc6dbda8fae20267314da771df2d9cafbb4f867182f45ac
+SHA512 (dotnet-9.0.0-rc.2.24473.5.tar.gz.sig) = f46d27b0018b028f3612ec32030839305006adb3e7d818e73bd19ade6427a2fd9bf28c78df75f8b4c1eaf9e6454189d6261a5fd28b9f56ef8a04df68c4cc3810

tests/ci.fmf

@@ -0,0 +1,44 @@
+summary: Basic smoke test
+provision:
+    disk: 20
+    memory: 5120
+prepare:
+    how: install
+    package:
+        - aspnetcore-runtime-9.0
+        - babeltrace
+        - bash-completion
+        - bc
+        - binutils
+        - dotnet-runtime-9.0
+        - dotnet-sdk-9.0
+        - expect
+        - file
+        - findutils
+        - gcc-c++
+        - git
+        - jq
+        - libstdc++-devel
+        - lldb
+        - npm
+        - postgresql-odbc
+        - postgresql-server
+        - procps-ng
+        - python3
+        - strace
+        - util-linux
+        - wget
+        - which
+        - zlib-devel
+execute:
+    script:
+        - dotnet --info
+        - wget --no-verbose https://github.com/redhat-developer/dotnet-bunny/releases/latest/download/turkey.tar.gz
+        - tar xf turkey.tar.gz
+        - dotnet turkey/Turkey.dll --version
+        - git clone "https://github.com/redhat-developer/dotnet-regular-tests.git"
+        - dotnet turkey/Turkey.dll -l="$TMT_TEST_DATA" dotnet-regular-tests --timeout=1200
+        - dnf remove -yq 'dotnet*'
+        - set -x; if command -v dotnet ; then exit 1; fi
+        - set -x; if [ -d /usr/lib64/dotnet ]; then exit 1; fi
+        - set -x; if man dotnet; then exit 1; fi

update-release

@@ -0,0 +1,155 @@
+#!/bin/bash
+
+# Usage:
+#     ./update-release [runtime-version [--bug bug-id] [--tarball tarball-name] [--larger-rpm-release]
+
+set -euo pipefail
+IFS=$'\n\t'
+
+print_usage() {
+    echo " Usage:"
+    echo "     ./update-release [runtime-version] [--bug bug-id] [--tarball tarball-name] [--release-json release-json] [--larger-rpm-release]"
+}
+
+user_provided_tarball_name=""
+
+rpm_release=1
+positional_args=()
+bug_ids=()
+while [[ "$#" -gt 0 ]]; do
+    arg="$1"
+    case "${arg}" in
+        --bug)
+            bug_ids+=("$2")
+            shift;
+            shift;
+            ;;
+        -h|--help)
+            print_usage
+            exit 0
+            ;;
+        --release-json)
+            release_json="$2"
+            shift;
+            shift;
+            ;;
+        --tarball)
+            user_provided_tarball_name="$2"
+            shift;
+            shift;
+            ;;
+        --larger-rpm-release)
+            rpm_release="2"
+            shift;
+            ;;
+        *)
+            positional_args+=("$1")
+            shift
+            ;;
+    esac
+done
+
+spec_files=( ./*.spec )
+spec_file="${spec_files[0]}"
+
+dotnet_major_minor_version=$spec_file
+dotnet_major_minor_version=${dotnet_major_minor_version#./dotnet}
+dotnet_major_minor_version=${dotnet_major_minor_version%.spec}
+
+echo "Updating .NET $dotnet_major_minor_version"
+
+runtime_version=${positional_args[1]:-}
+sdk_version=""
+tag=v${runtime_version}
+if [[ -z ${runtime_version} ]]; then
+    cat > query <<EOF
+    [ .[] | select(.name | contains("NET 9.0 ")) ]
+    | first
+    | { tag_name: .tag_name,
+        tarball: .tarball_url,
+        signature: .assets[].browser_download_url | select(. | endswith("tar.gz.sig")),
+        release_manifest: .assets[] | select(.name == "release.json") | .browser_download_url }
+EOF
+    curl https://api.github.com/repos/dotnet/dotnet/releases \
+        | jq --from-file query > release.metadata.github
+    tag=$(jq -r .tag_name release.metadata.github)
+    curl -L "$(jq -r .release_manifest release.metadata.github)" -o release.json
+    aspnetcore_runtime_version=$(jq -r .aspNetCoreVersion release.json)
+    runtime_version=$(jq -r .runtimeVersion release.json)
+    sdk_version=$(jq -r .sdkVersion release.json)
+fi
+
+if [[ ${sdk_version:-} = "" ]]; then
+    # FIXME: add preview/rc parts
+    sdk_version=$(echo "${runtime_version}" | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+100 }')
+fi
+
+echo "Updating .NET $dotnet_major_minor_version to SDK ${sdk_version} and Runtime ${runtime_version}"
+
+sed -i -E "s|^%global upstream_tag .*$|%global upstream_tag ${tag}|" "$spec_file"
+
+sed -i -E "s|^%global runtime_version .*$|%global runtime_version ${runtime_version}|" "$spec_file"
+sed -i -E "s|^%global aspnetcore_runtime_version .*$|%global aspnetcore_runtime_version ${aspnetcore_runtime_version}|" "$spec_file"
+sed -i -E "s|^%global sdk_version .*$|%global sdk_version ${sdk_version}|" "$spec_file"
+
+if [[ $runtime_version = *preview* ]] || [[ $runtime_version = *rc* ]]; then
+    # For Preview/RC releases, convert x.y.z-preview.a.b to x.y.z~preview.a.b (replace - with ~)
+    # https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_handling_non_sorting_versions_with_tilde_dot_and_caret
+    runtime_rpm_version=${runtime_version/-/\~}
+    aspnetcore_runtime_rpm_version=${aspnetcore_runtime_version/-/\~}
+    sdk_rpm_version=${sdk_version/-/\~}
+    sed -i -E "s|^(%global runtime_rpm_version) .*$|\1 ${runtime_rpm_version}|" "$spec_file"
+    sed -i -E "s|^(%global aspnetcore_runtime_rpm_version) .*$|\1 ${aspnetcore_runtime_rpm_version}|" "$spec_file"
+    sed -i -E "s|^(%global sdk_rpm_version) .*$|\1 ${sdk_rpm_version}|" "$spec_file"
+else
+    # For GA releases replace rpm versions with rpm macros for the actual version
+    sed -i -E "s|^(%global runtime_rpm_version) .*$|\1 %{runtime_version}|" "$spec_file"
+    sed -i -E "s|^(%global aspnetcore_runtime_rpm_version) .*$|\1 %{aspnetcore_runtime_version}|" "$spec_file"
+    sed -i -E "s|^(%global sdk_rpm_version) .*$|\1 %{sdk_version}|" "$spec_file"
+fi
+
+if [[ -f "dotnet-${tag}.tar.gz" ]]; then
+    echo "dotnet-${tag}.tar.gz already exists, not rebuilding tarball"
+elif [[ -n ${user_provided_tarball_name} ]]; then
+    cp -a "${user_provided_tarball_name}" "dotnet-${tag}.tar.gz"
+    cp -a "${release_json}" release.json
+else
+    rm -f release.json
+    spectool -g "$spec_file"
+    if spectool -l "$spec_file" | grep 'bootstrap.tar.gz' ; then
+       build-dotnet-bootstrap-tarball "$tag"
+       tar xf dotnet-"$tag"-x64-bootstrap.tar.gz "dotnet-$tag-x64-bootstrap/global.json"
+       bootstrap_sdk_version=$(jq -r .tools.dotnet "dotnet-$tag-x64-bootstrap/global.json")
+       sed -i -E "s|^(%global bootstrap_sdk_version) .*$|\1 ${bootstrap_sdk_version}|" "$spec_file"
+       spectool -g "$spec_file"
+    fi
+fi
+
+set -x
+
+comment="Update to .NET SDK ${sdk_version} and Runtime ${runtime_version}"
+commit_message="$comment
+"
+for bug_id in "${bug_ids[@]}"; do
+    if [[ "$bug_id" =~ ^[[:digit:]]+$ ]]; then
+        comment="$comment
+- Resolves: RHBZ#$bug_id"
+        commit_message="$commit_message
+Resolves: RHBZ#$bug_id"
+    else
+        comment="$comment
+- Resolves: $bug_id"
+        commit_message="$commit_message
+Resolves: $bug_id"
+    fi
+done
+
+echo "$commit_message" > git-commit-message
+
+rpmdev-bumpspec --comment="$comment" "$spec_file"
+
+# Reset release in 'Release' tag
+sed -i -E 's|^Release:        [[:digit:]]+%|Release:        '"$rpm_release"'%|' "$spec_file"
+# Reset Release in changelog comment
+# See https://stackoverflow.com/questions/18620153/find-matching-text-and-replace-next-line
+sed -i -E '/^%changelog$/!b;n;s/-[[:digit:]]+$/-'"$rpm_release"'/' "$spec_file"