SOURCES/0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch

@@ -0,0 +1,93 @@
+From 8eac75556d0f53f3ba6cd12d2545bc8dbebb11f4 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Tue, 4 Jun 2024 06:57:19 -0400
+Subject: [PATCH] repo: Don't try to perform labeling if SELinux is disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The default for container execution is that `/sys/fs/selinux`
+is not mounted, and the libselinux library function `is_selinux_enabled`
+should be used to dynamically check if the system should attempt to perform SELinux labeling.
+
+This is how it's done by rpm, ostree, and systemd for example.
+
+But this code unconditionally tries to label if it finds a policy,
+which breaks in an obscure corner case
+when executed inside a container that includes policy files (e.g.
+fedora/rhel-bootc) but when we're not using overlayfs for the backend
+(with BUILDAH_BACKEND=vfs).
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libdnf/repo/Repo.cpp | 50 +++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 24 deletions(-)
+
+diff --git a/libdnf/repo/Repo.cpp b/libdnf/repo/Repo.cpp
+index 68b82ccc..4f646f8c 100644
+--- a/libdnf/repo/Repo.cpp
++++ b/libdnf/repo/Repo.cpp
+@@ -676,34 +676,36 @@ static int create_temporary_directory(char *name_template) {
+     int old_default_context_was_retrieved= 0;
+     struct selabel_handle *labeling_handle = NULL;
+ 
+-    /* A purpose of this piece of code is to deal with applications whose
+-     * security policy overrides a file context for temporary files but don't
+-     * know that libdnf executes GnuPG which expects a default file context. */
+-    if (0 == getfscreatecon(&old_default_context)) {
+-        old_default_context_was_retrieved = 1;
+-    } else {
+-        logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
+-    }
++    if (is_selinux_enabled()) {
++        /* A purpose of this piece of code is to deal with applications whose
++         * security policy overrides a file context for temporary files but don't
++         * know that libdnf executes GnuPG which expects a default file context. */
++        if (0 == getfscreatecon(&old_default_context)) {
++            old_default_context_was_retrieved = 1;
++        } else {
++            logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
++        }
+ 
+-    labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+-    if (NULL == labeling_handle) {
+-        logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
+-                    strerror(errno)));
+-    } else {
+-        if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
+-            /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
+-             * that value should be really defined in default file context
+-             * SELinux policy. Only log that the policy is incpomplete. */
+-            logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
+-                        name_template));
++        labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++        if (NULL == labeling_handle) {
++            logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
++                        strerror(errno)));
+         } else {
+-            if (setfscreatecon(new_default_context)) {
+-                logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
+-                            new_default_context));
++            if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
++                /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
++                 * that value should be really defined in default file context
++                 * SELinux policy. Only log that the policy is incpomplete. */
++                logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
++                            name_template));
++            } else {
++                if (setfscreatecon(new_default_context)) {
++                    logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
++                                new_default_context));
++                }
++                freecon(new_default_context);
+             }
+-            freecon(new_default_context);
++            selabel_close(labeling_handle);
+         }
+-        selabel_close(labeling_handle);
+     }
+ #endif
+ 
+-- 
+2.45.2
+

SOURCES/0051-MergedTransaction-Calculate-RPM-difference-between-t.patch

@@ -0,0 +1,180 @@
+From 3dec8ebc9d1abc735de67cd5fd95677cfbfebc7d Mon Sep 17 00:00:00 2001
+From: Jan Kolarik <jkolarik@redhat.com>
+Date: Mon, 26 Feb 2024 09:58:33 +0000
+Subject: [PATCH 51/52] MergedTransaction: Calculate RPM difference between two
+ same versions as no-op
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit: 54823d82a1369c25ba1a68c18ea2a67c41f4fbe7
+
+If a package of a particular version is installed and would still be installed after a list of transactions, it's more user friendly to treat the whole situation as "do nothing".
+
+Resolves: https://issues.redhat.com/browse/RHEL-68770
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libdnf/transaction/MergedTransaction.cpp      | 38 ++++++++++++-------
+ libdnf/transaction/MergedTransaction.hpp      |  6 +--
+ .../transaction/MergedTransactionTest.cpp     |  7 +---
+ 3 files changed, 28 insertions(+), 23 deletions(-)
+
+diff --git a/libdnf/transaction/MergedTransaction.cpp b/libdnf/transaction/MergedTransaction.cpp
+index a8d878cb..8f26882f 100644
+--- a/libdnf/transaction/MergedTransaction.cpp
++++ b/libdnf/transaction/MergedTransaction.cpp
+@@ -192,7 +192,7 @@ static bool transaction_item_sort_function(const std::shared_ptr<TransactionItem
+  * Actions are merged using following rules:
+  * (old action) -> (new action) = (merged action)
+  *
+- * Erase/Obsolete -> Install/Obsoleting = Reinstall/Downgrade/Upgrade
++ * Erase/Obsolete -> Install/Obsoleting = Downgrade/Upgrade
+  *
+  * Reinstall/Reason change -> (new action) = (new action)
+  *
+@@ -210,6 +210,9 @@ static bool transaction_item_sort_function(const std::shared_ptr<TransactionItem
+  *
+  *      With complete transaction pair we need to get a new Upgrade/Downgrade package and
+  *      compare versions with original package from pair.
++ *
++ * Additionally, if a package is installed both before and after the list of transactions
++ * with the same version, no action will be taken.
+  */
+ std::vector< TransactionItemBasePtr >
+ MergedTransaction::getItems()
+@@ -261,13 +264,16 @@ getItemIdentifier(ItemPtr item)
+ 
+ /**
+  * Resolve the difference between RPMs in the first and second transaction item
+- *  and create a ItemPair of Upgrade, Downgrade or reinstall.
++ *  and create a ItemPair of Upgrade, Downgrade or drop the item from the merged
++ *  transaction set in case of both packages are of the same version.
+  * Method is called when original package is being removed and than installed again.
++ * \param itemPairMap merged transaction set
+  * \param previousItemPair original item pair
+  * \param mTransItem new transaction item
+  */
+ void
+-MergedTransaction::resolveRPMDifference(ItemPair &previousItemPair,
++MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
++                                        ItemPair &previousItemPair,
+                                         TransactionItemBasePtr mTransItem)
+ {
+     auto firstItem = previousItemPair.first->getItem();
+@@ -277,11 +283,10 @@ MergedTransaction::resolveRPMDifference(ItemPair &previousItemPair,
+     auto secondRPM = std::dynamic_pointer_cast< RPMItem >(secondItem);
+ 
+     if (firstRPM->getVersion() == secondRPM->getVersion() &&
+-        firstRPM->getEpoch() == secondRPM->getEpoch()) {
+-        // reinstall
+-        mTransItem->setAction(TransactionItemAction::REINSTALL);
+-        previousItemPair.first = mTransItem;
+-        previousItemPair.second = nullptr;
++        firstRPM->getEpoch() == secondRPM->getEpoch() &&
++        firstRPM->getRelease() == secondRPM->getRelease()) {
++        // Drop the item from merged transaction
++        itemPairMap.erase(getItemIdentifier(firstItem));
+         return;
+     } else if ((*firstRPM) < (*secondRPM)) {
+         // Upgrade to secondRPM
+@@ -296,7 +301,9 @@ MergedTransaction::resolveRPMDifference(ItemPair &previousItemPair,
+ }
+ 
+ void
+-MergedTransaction::resolveErase(ItemPair &previousItemPair, TransactionItemBasePtr mTransItem)
++MergedTransaction::resolveErase(ItemPairMap &itemPairMap,
++                                ItemPair &previousItemPair,
++                                TransactionItemBasePtr mTransItem)
+ {
+     /*
+      * The original item has been removed - it has to be installed now unless the rpmdb
+@@ -306,7 +313,7 @@ MergedTransaction::resolveErase(ItemPair &previousItemPair, TransactionItemBaseP
+     if (mTransItem->getAction() == TransactionItemAction::INSTALL) {
+         if (mTransItem->getItem()->getItemType() == ItemType::RPM) {
+             // resolve the difference between RPM packages
+-            resolveRPMDifference(previousItemPair, mTransItem);
++            resolveRPMDifference(itemPairMap, previousItemPair, mTransItem);
+         } else {
+             // difference between comps can't be resolved
+             mTransItem->setAction(TransactionItemAction::REINSTALL);
+@@ -323,11 +330,14 @@ MergedTransaction::resolveErase(ItemPair &previousItemPair, TransactionItemBaseP
+  * transaction - new package is used to complete the pair. Items are stored in pairs (Upgrade,
+  * Upgrade) or (Downgraded, Downgrade). With complete transaction pair we need to get the new
+  * Upgrade/Downgrade item and compare its version with the original item from the pair.
++ * \param itemPairMap merged transaction set
+  * \param previousItemPair original item pair
+  * \param mTransItem new transaction item
+  */
+ void
+-MergedTransaction::resolveAltered(ItemPair &previousItemPair, TransactionItemBasePtr mTransItem)
++MergedTransaction::resolveAltered(ItemPairMap &itemPairMap,
++                                  ItemPair &previousItemPair,
++                                  TransactionItemBasePtr mTransItem)
+ {
+     auto newState = mTransItem->getAction();
+     auto firstState = previousItemPair.first->getAction();
+@@ -369,7 +379,7 @@ MergedTransaction::resolveAltered(ItemPair &previousItemPair, TransactionItemBas
+         } else {
+             if (mTransItem->getItem()->getItemType() == ItemType::RPM) {
+                 // resolve the difference between RPM packages
+-                resolveRPMDifference(previousItemPair, mTransItem);
++                resolveRPMDifference(itemPairMap, previousItemPair, mTransItem);
+             } else {
+                 // difference between comps can't be resolved
+                 previousItemPair.second->setAction(TransactionItemAction::REINSTALL);
+@@ -405,7 +415,7 @@ MergedTransaction::mergeItem(ItemPairMap &itemPairMap, TransactionItemBasePtr mT
+     switch (firstState) {
+         case TransactionItemAction::REMOVE:
+         case TransactionItemAction::OBSOLETED:
+-            resolveErase(previousItemPair, mTransItem);
++            resolveErase(itemPairMap, previousItemPair, mTransItem);
+             break;
+         case TransactionItemAction::INSTALL:
+             // the original package has been installed -> it may be either Removed, or altered
+@@ -432,7 +442,7 @@ MergedTransaction::mergeItem(ItemPairMap &itemPairMap, TransactionItemBasePtr mT
+         case TransactionItemAction::UPGRADE:
+         case TransactionItemAction::UPGRADED:
+         case TransactionItemAction::OBSOLETE:
+-            resolveAltered(previousItemPair, mTransItem);
++            resolveAltered(itemPairMap, previousItemPair, mTransItem);
+             break;
+         case TransactionItemAction::REINSTALLED:
+             break;
+diff --git a/libdnf/transaction/MergedTransaction.hpp b/libdnf/transaction/MergedTransaction.hpp
+index dbb8af11..f85b133a 100644
+--- a/libdnf/transaction/MergedTransaction.hpp
++++ b/libdnf/transaction/MergedTransaction.hpp
+@@ -76,9 +76,9 @@ protected:
+     typedef std::map< std::string, ItemPair > ItemPairMap;
+ 
+     void mergeItem(ItemPairMap &itemPairMap, TransactionItemBasePtr transItem);
+-    void resolveRPMDifference(ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+-    void resolveErase(ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+-    void resolveAltered(ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
++    void resolveRPMDifference(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
++    void resolveErase(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
++    void resolveAltered(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+ };
+ 
+ } // namespace libdnf
+diff --git a/tests/libdnf/transaction/MergedTransactionTest.cpp b/tests/libdnf/transaction/MergedTransactionTest.cpp
+index 52507700..35fb4250 100644
+--- a/tests/libdnf/transaction/MergedTransactionTest.cpp
++++ b/tests/libdnf/transaction/MergedTransactionTest.cpp
+@@ -822,12 +822,7 @@ MergedTransactionTest::test_downgrade_upgrade_remove()
+     // test merging trans1, trans2
+     merged.merge(trans2);
+     auto items2 = merged.getItems();
+-    CPPUNIT_ASSERT_EQUAL(1, (int)items2.size());
+-    auto item2 = items2.at(0);
+-    CPPUNIT_ASSERT_EQUAL(std::string("tour-4.8-1.noarch"), item2->getItem()->toStr());
+-    CPPUNIT_ASSERT_EQUAL(std::string("repo1"), item2->getRepoid());
+-    CPPUNIT_ASSERT_EQUAL(TransactionItemAction::REINSTALL, item2->getAction());
+-    CPPUNIT_ASSERT_EQUAL(TransactionItemReason::USER, item2->getReason());
++    CPPUNIT_ASSERT_EQUAL(0, (int)items2.size());
+ 
+     // test merging trans1, trans2, trans3
+     merged.merge(trans3);
+-- 
+2.47.1
+

SOURCES/0052-MergedTransaction-Fix-invalid-memory-access-when-dro.patch

@@ -0,0 +1,94 @@
+From d3aed9b31495a4e10424a460f930f0678fb3688e Mon Sep 17 00:00:00 2001
+From: Jan Kolarik <jkolarik@redhat.com>
+Date: Tue, 23 Apr 2024 14:11:19 +0000
+Subject: [PATCH 52/52] MergedTransaction: Fix invalid memory access when
+ dropping items
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit: 90d2ffad964a91a7a798b81e15c16eb1e840f257
+
+When an item is dropped from the merged transaction, the `ItemPair` reference becomes invalid and should no longer be used.
+
+Resolves: https://issues.redhat.com/browse/RHEL-68770
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libdnf/transaction/MergedTransaction.cpp | 18 +++++++++++-------
+ libdnf/transaction/MergedTransaction.hpp |  2 +-
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/libdnf/transaction/MergedTransaction.cpp b/libdnf/transaction/MergedTransaction.cpp
+index 8f26882f..75d2c1e7 100644
+--- a/libdnf/transaction/MergedTransaction.cpp
++++ b/libdnf/transaction/MergedTransaction.cpp
+@@ -264,14 +264,15 @@ getItemIdentifier(ItemPtr item)
+ 
+ /**
+  * Resolve the difference between RPMs in the first and second transaction item
+- *  and create a ItemPair of Upgrade, Downgrade or drop the item from the merged
+- *  transaction set in case of both packages are of the same version.
+- * Method is called when original package is being removed and than installed again.
++ *  and create a ItemPair of Upgrade, Downgrade or remove the item from the merged
++ *  transaction set in case of both packages are the same.
++ * Method is called when original package is being removed and then installed again.
+  * \param itemPairMap merged transaction set
+  * \param previousItemPair original item pair
+  * \param mTransItem new transaction item
++ * \return true if the original and new transaction item differ
+  */
+-void
++bool
+ MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
+                                         ItemPair &previousItemPair,
+                                         TransactionItemBasePtr mTransItem)
+@@ -287,7 +288,7 @@ MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
+         firstRPM->getRelease() == secondRPM->getRelease()) {
+         // Drop the item from merged transaction
+         itemPairMap.erase(getItemIdentifier(firstItem));
+-        return;
++        return false;
+     } else if ((*firstRPM) < (*secondRPM)) {
+         // Upgrade to secondRPM
+         previousItemPair.first->setAction(TransactionItemAction::UPGRADED);
+@@ -298,6 +299,7 @@ MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
+         mTransItem->setAction(TransactionItemAction::DOWNGRADE);
+     }
+     previousItemPair.second = mTransItem;
++    return true;
+ }
+ 
+ void
+@@ -308,12 +310,14 @@ MergedTransaction::resolveErase(ItemPairMap &itemPairMap,
+     /*
+      * The original item has been removed - it has to be installed now unless the rpmdb
+      *  has changed. Resolve the difference between packages and mark it as Upgrade,
+-     *  Reinstall or Downgrade
++     *  Downgrade or remove it from the transaction
+      */
+     if (mTransItem->getAction() == TransactionItemAction::INSTALL) {
+         if (mTransItem->getItem()->getItemType() == ItemType::RPM) {
+             // resolve the difference between RPM packages
+-            resolveRPMDifference(itemPairMap, previousItemPair, mTransItem);
++            if (!resolveRPMDifference(itemPairMap, previousItemPair, mTransItem)) {
++                return;
++            }
+         } else {
+             // difference between comps can't be resolved
+             mTransItem->setAction(TransactionItemAction::REINSTALL);
+diff --git a/libdnf/transaction/MergedTransaction.hpp b/libdnf/transaction/MergedTransaction.hpp
+index f85b133a..50212159 100644
+--- a/libdnf/transaction/MergedTransaction.hpp
++++ b/libdnf/transaction/MergedTransaction.hpp
+@@ -76,7 +76,7 @@ protected:
+     typedef std::map< std::string, ItemPair > ItemPairMap;
+ 
+     void mergeItem(ItemPairMap &itemPairMap, TransactionItemBasePtr transItem);
+-    void resolveRPMDifference(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
++    bool resolveRPMDifference(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+     void resolveErase(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+     void resolveAltered(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+ };
+-- 
+2.47.1
+

SOURCES/almalinux_bugtracker.patch

@@ -1,23 +0,0 @@
-diff -aruN libdnf-0.63.0/docs/hawkey/conf.py libdnf-0.63.0_alma/docs/hawkey/conf.py
---- libdnf-0.63.0/docs/hawkey/conf.py	2021-05-18 17:07:23.000000000 +0300
-+++ libdnf-0.63.0_alma/docs/hawkey/conf.py	2021-12-30 11:03:39.179244600 +0300
-@@ -260,6 +260,6 @@
- rst_prolog = """
- .. default-domain:: py
- .. _libsolv: https://github.com/openSUSE/libsolv
--.. _bugzilla: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=hawkey
-+.. _bugzilla: https://bugs.almalinux.org/
- 
- """
-diff -aruN libdnf-0.63.0/libdnf/conf/Const.hpp libdnf-0.63.0_alma/libdnf/conf/Const.hpp
---- libdnf-0.63.0/libdnf/conf/Const.hpp	2021-05-18 17:07:23.000000000 +0300
-+++ libdnf-0.63.0_alma/libdnf/conf/Const.hpp	2021-12-30 11:03:47.004789800 +0300
-@@ -41,7 +41,7 @@
-                  "installonlypkg(vm)",
-                  "multiversion(kernel)"};
- 
--constexpr const char * BUGTRACKER="https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnf";
-+constexpr const char * BUGTRACKER="https://bugs.almalinux.org/";
- 
- }
- 

SOURCES/dnf-keyring-support-multiple-keys.patch

@@ -1,228 +0,0 @@
-From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
-From: Dmitriy Popov <dpopov@cloudlinux.com>
-Date: Wed, 1 May 2024 23:16:47 +0300
-Subject: [PATCH] dnf-keyring-support-multiple-keys
-
-Since it is known from the bug (and practically proven) that "rpm --import"
-is capable of supporting multiple containers in one file, unlike the internal
-implementation, due to the need to globally rewrite the structure of parameters.
-
-https://github.com/rpm-software-management/rpm/pull/2242
-"This does not affect rpmkeys --import because it explicitly checks
-for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
-
-The patch implies the logic of the cli rpmcliImportPubkeys
-in dnf_keyring_add_public_key, except that instead of direct import,
-it continues to expand the keyring as before, and then imports it,
-making this change atomic.
-
-Signed-off-by: Dmitriy Popov <dpopov@cloudlinux.com>
----
- libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
- 1 file changed, 96 insertions(+), 71 deletions(-)
-
-diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
-index 62a6248..f4afd35 100644
---- a/libdnf/dnf-keyring.cpp
-+++ b/libdnf/dnf-keyring.cpp
-@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
-     gboolean ret = TRUE;
-     int rc;
-     gsize len;
--    pgpArmor armor;
-     pgpDig dig = NULL;
-     rpmPubkey pubkey = NULL;
-     rpmPubkey *subkeys = NULL;
-     int nsubkeys = 0;
-     uint8_t *pkt = NULL;
-     g_autofree gchar *data = NULL;
-+    char const * const pgpmark = "-----BEGIN PGP ";
-+    size_t marklen = strlen(pgpmark);
-+    int keyno = 1;
-+    char *start = NULL;
- 
-     /* ignore symlinks and directories */
-     if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
-@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
-     if (!ret)
-         goto out;
- 
--    /* rip off the ASCII armor and parse it */
--    armor = pgpParsePkts(data, &pkt, &len);
--    if (armor < 0) {
--        ret = FALSE;
--        g_set_error(error,
--                    DNF_ERROR,
--                    DNF_ERROR_GPG_SIGNATURE_INVALID,
--                    "failed to parse PKI file %s",
--                    filename);
--        goto out;
--    }
--
--    /* make sure it's something we can add to rpm */
--    if (armor != PGPARMOR_PUBKEY) {
--        ret = FALSE;
--        g_set_error(error,
--                    DNF_ERROR,
--                    DNF_ERROR_GPG_SIGNATURE_INVALID,
--                    "PKI file %s is not a public key",
--                    filename);
--        goto out;
--    }
-+    start = strstr(data, pgpmark);
- 
--    /* test each one */
--    pubkey = rpmPubkeyNew(pkt, len);
--    if (pubkey == NULL) {
--        ret = FALSE;
--        g_set_error(error,
--                    DNF_ERROR,
--                    DNF_ERROR_GPG_SIGNATURE_INVALID,
--                    "failed to parse public key for %s",
--                    filename);
--        goto out;
--    }
--
--    /* does the key exist in the keyring */
--    dig = rpmPubkeyDig(pubkey);
--    rc = rpmKeyringLookup(keyring, dig);
--    if (rc == RPMRC_OK) {
--        ret = TRUE;
--        g_debug("%s is already present", filename);
--        goto out;
--    }
-+    do {
-+        uint8_t *pkt = NULL;
-+        uint8_t *pkti = NULL;
-+        size_t pktlen = 0;
-+        size_t certlen;
-+
-+        /* Read pgp packet. */
-+        if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
-+            pkti = pkt;
-+
-+            /* Iterate over certificates in pkt */
-+            while (pktlen > 0) {
-+                if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
-+                    g_debug("%s: key %d import failed.\n", filename, keyno);
-+                    break;
-+                }
-+
-+                /* test each one */
-+                pubkey = rpmPubkeyNew(pkti, certlen);
-+                if (pubkey == NULL) {
-+                    ret = FALSE;
-+                    g_set_error(error,
-+                                 DNF_ERROR,
-+                                 DNF_ERROR_GPG_SIGNATURE_INVALID,
-+                                 "failed to parse public key for %s",
-+                                 filename);
-+                    goto out;
-+                }
-+
-+                /* add to in-memory keyring */
-+                rc = rpmKeyringAddKey(keyring, pubkey);
-+                if (rc == 1) {
-+                    ret = TRUE;
-+                    g_debug("%s is already added", filename);
-+                    goto out;
-+                } else if (rc < 0) {
-+                    ret = FALSE;
-+                    g_set_error(error,
-+                                 DNF_ERROR,
-+                                 DNF_ERROR_GPG_SIGNATURE_INVALID,
-+                                 "failed to add public key %s to rpmdb",
-+                                 filename);
-+                    goto out;
-+                }
-+
-+                subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
-+                for (int i = 0; i < nsubkeys; i++) {
-+                    rpmPubkey subkey = subkeys[i];
-+                    if (rpmKeyringAddKey(keyring, subkey) < 0) {
-+                        ret = FALSE;
-+                        g_set_error(error,
-+                                     DNF_ERROR,
-+                                     DNF_ERROR_GPG_SIGNATURE_INVALID,
-+                                     "failed to add subkeys for %s to rpmdb",
-+                                     filename);
-+                        goto out;
-+                    }
-+                }
-+
-+                pkti += certlen;
-+                pktlen -= certlen;
-+            }
-+        } else {
-+            g_debug("%s: key %d not an armored public key.\n", filename, keyno);
-+        }
- 
--    /* add to rpmdb automatically, without a prompt */
--    rc = rpmKeyringAddKey(keyring, pubkey);
--    if (rc == 1) {
--        ret = TRUE;
--        g_debug("%s is already added", filename);
--        goto out;
--    } else if (rc < 0) {
--        ret = FALSE;
--        g_set_error(error,
--                    DNF_ERROR,
--                    DNF_ERROR_GPG_SIGNATURE_INVALID,
--                    "failed to add public key %s to rpmdb",
--                    filename);
--        goto out;
--    }
-+        /* See if there are more keys in the buffer */
-+        if (start && start + marklen < data + len) {
-+            start = strstr(start + marklen, pgpmark);
-+        } else {
-+            start = NULL;
-+        }
- 
--    subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
--    for (int i = 0; i < nsubkeys; i++) {
--        rpmPubkey subkey = subkeys[i];
--        if (rpmKeyringAddKey(keyring, subkey) < 0) {
--            ret = FALSE;
--            g_set_error(error,
--                        DNF_ERROR,
--                        DNF_ERROR_GPG_SIGNATURE_INVALID,
--                        "failed to add subkeys for %s to rpmdb",
--                        filename);
--            goto out;
-+        keyno++;
-+        if (pkt != NULL)
-+            free(pkt); /* yes, free() */
-+            pkt = NULL;
-+        if (pubkey != NULL)
-+            rpmPubkeyFree(pubkey);
-+            pubkey = NULL;
-+        if (subkeys != NULL) {
-+            for (int i = 0; i < nsubkeys; i++) {
-+                if (subkeys[i] != NULL) {
-+                    rpmPubkeyFree (subkeys[i]);
-+                    subkeys[i] = NULL;
-+                }
-+            }
-+            free (subkeys);
-+            subkeys = NULL;
-         }
--    }
-+    } while (start != NULL);
- 
-     /* success */
-     g_debug("added missing public key %s to rpmdb", filename);
-@@ -165,7 +188,9 @@ out:
-         rpmPubkeyFree(pubkey);
-     if (subkeys != NULL) {
-         for (int i = 0; i < nsubkeys; i++) {
--          rpmPubkeyFree(subkeys[i]);
-+            if (subkeys[i] != NULL) {
-+                rpmPubkeyFree (subkeys[i]);
-+            }
-         }
-         free(subkeys);
-     }
--- 
-2.34.1
-

SPECS/libdnf.spec

@@ -58,7 +58,7 @@
 
 Name:           libdnf
 Version:        %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
-Release:        19%{?dist}.alma.2
+Release:        21%{?dist}
 Summary:        Library providing simplified C and Python API to libsolv
 License:        LGPLv2+
 URL:            https://github.com/rpm-software-management/libdnf
@@ -112,10 +112,10 @@ Patch46:        0046-Update-translations-RHEL-8.9.patch
 Patch47:        0047-filterAdvisory-installed_solvables-sort-RhBug2212838.patch
 Patch48:        0048-Avoid-reinstal-installonly-packages-marked-for-ERASE.patch
 Patch49:        0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
+Patch50:        0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch
+Patch51:        0051-MergedTransaction-Calculate-RPM-difference-between-t.patch
+Patch52:        0052-MergedTransaction-Fix-invalid-memory-access-when-dro.patch
 
-# Almalinux patches
-Patch10001:     almalinux_bugtracker.patch
-Patch10002:     dnf-keyring-support-multiple-keys.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -365,20 +365,24 @@ popd
 %endif
 
 %changelog
-* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma.2
+* Fri Dec 06 2024 Petr Pisar <ppisar@redhat.com> - 0.63.0-21
-- Add patch to fix issue with multiple keys in dnf-keyring
+- Fix calculating a difference between two same-version RPM transactions
+  (RHEL-68770)
 
-* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
+* Mon Jun 24 2024 Petr Pisar <ppisar@redhat.com> - 0.63.0-20
-- AlmaLinux changes
+- Do not set a default SELinux creation context if SELinux appears to be
+  disabled (RHEL-43231)
 
 * Wed Oct 18 2023 Petr Pisar <ppisar@redhat.com> - 0.63.0-19
 - Set default SELinux labels on GnuPG directories (RHEL-6421)
+
 * Fri Oct 13 2023 Jaroslav Rohel <jrohel@redhat.com> - 0.63.0-18
 - filterAdvisory: match installed_solvables sort with lower_bound (RhBug:2212838, RHEL-1244)
 - Avoid reinstalling installonly packages marked for ERASE (RhBug:2163474, RHEL-1253)
 
 * Fri Sep 08 2023 Marek Blaha <mblaha@redhat.com> - 0.63.0-17
 - Update translations
+
 * Wed May 31 2023 Nicola Sella <nsella@redhat.com> - 0.63-0-16
 - Support "proxy=_none_" in main config (RhBug:2155713)
 
@@ -390,6 +394,7 @@ popd
 
 * Wed Oct 26 2022 Nicola Sella <nsella@redhat.com> - 0.63.0-13
 - Allow change of arch during security updates with noarch (RhBug:2124483)
+
 * Tue Sep 13 2022 Lukas Hrazky <lhrazky@redhat.com> - 0.63.0-12
 - Fix listing a repository without cpeid (RhBug:2066334)