.gitignore

@@ -1 +1 @@
-SOURCES/osbuild-composer-101.tar.gz
+SOURCES/osbuild-composer-100.tar.gz

.osbuild-composer.metadata

@@ -1 +1 @@
-0feb86b5dcd146ce5b87816ae482eb50ed507c16 SOURCES/osbuild-composer-101.tar.gz
+ee2bb2068e42599ca6ef66499d00077ee06b3b44 SOURCES/osbuild-composer-100.tar.gz

SOURCES/CVE-2025-30204.patch

@@ -1,391 +0,0 @@
-diff --git a/go.mod b/go.mod
-index f571516..d3d329f 100644
---- a/go.mod
-+++ b/go.mod
-@@ -23,7 +23,7 @@ require (
- 	github.com/getkin/kin-openapi v0.93.0
- 	github.com/getsentry/sentry-go v0.26.0
- 	github.com/gobwas/glob v0.2.3
--	github.com/golang-jwt/jwt/v4 v4.5.0
-+	github.com/golang-jwt/jwt/v4 v4.5.2
- 	github.com/google/go-cmp v0.6.0
- 	github.com/google/uuid v1.6.0
- 	github.com/gophercloud/gophercloud v1.9.0
-@@ -114,7 +114,7 @@ require (
- 	github.com/go-openapi/validate v0.22.1 // indirect
- 	github.com/gogo/protobuf v1.3.2 // indirect
- 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
--	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
-+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
- 	github.com/golang/glog v1.1.2 // indirect
- 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
- 	github.com/golang/protobuf v1.5.3 // indirect
-diff --git a/go.sum b/go.sum
-index 5996751..488870b 100644
---- a/go.sum
-+++ b/go.sum
-@@ -251,10 +251,11 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
- github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
- github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
- github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
--github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
- github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
--github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
--github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
- github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
- github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
- github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
-diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
-index c0a6f69..0fc510a 100644
---- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
-+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
-@@ -7,6 +7,8 @@ import (
- 	"strings"
- )
- 
-+const tokenDelimiter = "."
-+
- type Parser struct {
- 	// If populated, only these methods will be considered valid.
- 	//
-@@ -36,19 +38,21 @@ func NewParser(options ...ParserOption) *Parser {
- 	return p
- }
- 
--// Parse parses, validates, verifies the signature and returns the parsed token.
--// keyFunc will receive the parsed token and should return the key for validating.
-+// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
-+// receive the parsed token and should return the key for validating.
- func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
- 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
- }
- 
--// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
--// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
--// than the default MapClaims implementation of Claims.
-+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
-+// implementing the Claims interface. This provides default values which can be overridden and
-+// allows a caller to use their own type, rather than the default MapClaims implementation of
-+// Claims.
- //
--// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
--// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
--// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
-+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
-+// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
-+// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
-+// claims, otherwise you might run into a panic.
- func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
- 	token, parts, err := p.ParseUnverified(tokenString, claims)
- 	if err != nil {
-@@ -85,12 +89,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
- 	}
- 
-+	// Perform validation
-+	token.Signature = parts[2]
-+	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
-+		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
-+	}
-+
- 	vErr := &ValidationError{}
- 
- 	// Validate Claims
- 	if !p.SkipClaimsValidation {
- 		if err := token.Claims.Valid(); err != nil {
--
- 			// If the Claims Valid returned an error, check if it is a validation error,
- 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
- 			if e, ok := err.(*ValidationError); !ok {
-@@ -98,22 +107,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- 			} else {
- 				vErr = e
- 			}
-+			return token, vErr
- 		}
- 	}
- 
--	// Perform validation
--	token.Signature = parts[2]
--	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
--		vErr.Inner = err
--		vErr.Errors |= ValidationErrorSignatureInvalid
--	}
--
--	if vErr.valid() {
--		token.Valid = true
--		return token, nil
--	}
-+	// No errors so far, token is valid.
-+	token.Valid = true
- 
--	return token, vErr
-+	return token, nil
- }
- 
- // ParseUnverified parses the token but doesn't validate the signature.
-@@ -123,9 +124,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- // It's only ever useful in cases where you know the signature is valid (because it has
- // been checked previously in the stack) and you want to extract values from it.
- func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
--	parts = strings.Split(tokenString, ".")
--	if len(parts) != 3 {
--		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
-+	var ok bool
-+	parts, ok = splitToken(tokenString)
-+	if !ok {
-+		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
- 	}
- 
- 	token = &Token{Raw: tokenString}
-@@ -175,3 +177,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
- 
- 	return token, parts, nil
- }
-+
-+// splitToken splits a token string into three parts: header, claims, and signature. It will only
-+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
-+// will return nil parts and false.
-+func splitToken(token string) ([]string, bool) {
-+	parts := make([]string, 3)
-+	header, remain, ok := strings.Cut(token, tokenDelimiter)
-+	if !ok {
-+		return nil, false
-+	}
-+	parts[0] = header
-+	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
-+	if !ok {
-+		return nil, false
-+	}
-+	parts[1] = claims
-+	// One more cut to ensure the signature is the last part of the token and there are no more
-+	// delimiters. This avoids an issue where malicious input could contain additional delimiters
-+	// causing unecessary overhead parsing tokens.
-+	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
-+	if unexpected {
-+		return nil, false
-+	}
-+	parts[2] = signature
-+
-+	return parts, true
-+}
-diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md
-index 964598a..0bb636f 100644
---- a/vendor/github.com/golang-jwt/jwt/v5/README.md
-+++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
-@@ -10,11 +10,11 @@ implementation of [JSON Web
- Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
- 
- Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
--this project adds Go module support, but maintains backwards compatibility with
-+this project adds Go module support, but maintains backward compatibility with
- older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
- [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
- v5.0.0 introduces major improvements to the validation of tokens, but is not
--entirely backwards compatible. 
-+entirely backward compatible. 
- 
- > After the original author of the library suggested migrating the maintenance
- > of `jwt-go`, a dedicated team of open source maintainers decided to clone the
-@@ -24,7 +24,7 @@ entirely backwards compatible.
- 
- 
- **SECURITY NOTICE:** Some older versions of Go have a security issue in the
--crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue
-+crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue
- [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
- detail.
- 
-@@ -32,7 +32,7 @@ detail.
- what you
- expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
- This library attempts to make it easy to do the right thing by requiring key
--types match the expected alg, but you should take the extra step to verify it in
-+types to match the expected alg, but you should take the extra step to verify it in
- your usage.  See the examples provided.
- 
- ### Supported Go versions
-@@ -41,7 +41,7 @@ Our support of Go versions is aligned with Go's [version release
- policy](https://golang.org/doc/devel/release#policy). So we will support a major
- version of Go until there are two newer major releases. We no longer support
- building jwt-go with unsupported Go versions, as these contain security
--vulnerabilities which will not be fixed.
-+vulnerabilities that will not be fixed.
- 
- ## What the heck is a JWT?
- 
-@@ -117,7 +117,7 @@ notable differences:
- 
- This library is considered production ready.  Feedback and feature requests are
- appreciated.  The API should be considered stable.  There should be very few
--backwards-incompatible changes outside of major version updates (and only with
-+backward-incompatible changes outside of major version updates (and only with
- good reason).
- 
- This project uses [Semantic Versioning 2.0.0](http://semver.org).  Accepted pull
-@@ -125,8 +125,8 @@ requests will land on `main`.  Periodically, versions will be tagged from
- `main`.  You can find all the releases on [the project releases
- page](https://github.com/golang-jwt/jwt/releases).
- 
--**BREAKING CHANGES:*** A full list of breaking changes is available in
--`VERSION_HISTORY.md`.  See `MIGRATION_GUIDE.md` for more information on updating
-+**BREAKING CHANGES:** A full list of breaking changes is available in
-+`VERSION_HISTORY.md`.  See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating
- your code.
- 
- ## Extensions
-diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
-index b08402c..2740597 100644
---- a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
-+++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
-@@ -2,11 +2,11 @@
- 
- ## Supported Versions
- 
--As of February 2022 (and until this document is updated), the latest version `v4` is supported.
-+As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`.
- 
- ## Reporting a Vulnerability
- 
--If you think you found a vulnerability, and even if you are not sure, please report it to jwt-go-security@googlegroups.com or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s).
-+If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s).
- 
- You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
- 
-diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
-index ca85659..c929e4a 100644
---- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
-+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
-@@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
- 	case *ecdsa.PublicKey:
- 		ecdsaKey = k
- 	default:
--		return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType)
-+		return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
- 	}
- 
- 	if len(sig) != 2*m.KeySize {
-@@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
- 	case *ecdsa.PrivateKey:
- 		ecdsaKey = k
- 	default:
--		return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType)
-+		return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
- 	}
- 
- 	// Create the hasher
-diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
-index 96c6272..aca600c 100644
---- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go
-+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
-@@ -91,7 +91,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
- func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
- 	if keyBytes, ok := key.([]byte); ok {
- 		if !m.Hash.Available() {
--			return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
-+			return nil, ErrHashUnavailable
- 		}
- 
- 		hasher := hmac.New(m.Hash.New, keyBytes)
-@@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte,
- 		return hasher.Sum(nil), nil
- 	}
- 
--	return nil, ErrInvalidKeyType
-+	return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
- }
-diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
-index ecf99af..054c7eb 100644
---- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
-+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
-@@ -8,6 +8,8 @@ import (
- 	"strings"
- )
- 
-+const tokenDelimiter = "."
-+
- type Parser struct {
- 	// If populated, only these methods will be considered valid.
- 	validMethods []string
-@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- // It's only ever useful in cases where you know the signature is valid (since it has already
- // been or will be checked elsewhere in the stack) and you want to extract values from it.
- func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
--	parts = strings.Split(tokenString, ".")
--	if len(parts) != 3 {
--		return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
-+	var ok bool
-+	parts, ok = splitToken(tokenString)
-+	if !ok {
-+		return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
- 	}
- 
- 	token = &Token{Raw: tokenString}
-@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
- 	return token, parts, nil
- }
- 
-+// splitToken splits a token string into three parts: header, claims, and signature. It will only
-+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
-+// will return nil parts and false.
-+func splitToken(token string) ([]string, bool) {
-+	parts := make([]string, 3)
-+	header, remain, ok := strings.Cut(token, tokenDelimiter)
-+	if !ok {
-+		return nil, false
-+	}
-+	parts[0] = header
-+	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
-+	if !ok {
-+		return nil, false
-+	}
-+	parts[1] = claims
-+	// One more cut to ensure the signature is the last part of the token and there are no more
-+	// delimiters. This avoids an issue where malicious input could contain additional delimiters
-+	// causing unecessary overhead parsing tokens.
-+	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
-+	if unexpected {
-+		return nil, false
-+	}
-+	parts[2] = signature
-+
-+	return parts, true
-+}
-+
- // DecodeSegment decodes a JWT specific base64url encoding. This function will
- // take into account whether the [Parser] is configured with additional options,
- // such as [WithStrictDecoding] or [WithPaddingAllowed].
-diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go
-index 352873a..9c7f4ab 100644
---- a/vendor/github.com/golang-jwt/jwt/v5/token.go
-+++ b/vendor/github.com/golang-jwt/jwt/v5/token.go
-@@ -75,7 +75,7 @@ func (t *Token) SignedString(key interface{}) (string, error) {
- }
- 
- // SigningString generates the signing string.  This is the most expensive part
--// of the whole deal.  Unless you need this for something special, just go
-+// of the whole deal. Unless you need this for something special, just go
- // straight for the SignedString.
- func (t *Token) SigningString() (string, error) {
- 	h, err := json.Marshal(t.Header)
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 35d0433..f49c006 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -568,10 +568,10 @@ github.com/gogo/protobuf/proto
- # github.com/golang-jwt/jwt v3.2.2+incompatible
- ## explicit
- github.com/golang-jwt/jwt
--# github.com/golang-jwt/jwt/v4 v4.5.0
-+# github.com/golang-jwt/jwt/v4 v4.5.2
- ## explicit; go 1.16
- github.com/golang-jwt/jwt/v4
--# github.com/golang-jwt/jwt/v5 v5.2.0
-+# github.com/golang-jwt/jwt/v5 v5.2.2
- ## explicit; go 1.18
- github.com/golang-jwt/jwt/v5
- # github.com/golang/glog v1.1.2

SPECS/osbuild-composer.spec

@@ -7,12 +7,9 @@
 # This is used internally during nightly pipeline testing!
 %bcond_with relax_requires
 
-# The minimum required osbuild version
-%global min_osbuild_version 109
-
 %global goipath         github.com/osbuild/osbuild-composer
 
-Version:        101
+Version:        100
 
 %gometa
 
@@ -25,7 +22,7 @@ It is compatible with composer-cli and cockpit-composer clients.
 }
 
 Name:           osbuild-composer
-Release:        3%{?dist}
+Release:        1%{?dist}
 Summary:        An image building service based on osbuild
 
 # osbuild-composer doesn't have support for building i686 and armv7hl images
@@ -36,7 +33,6 @@ License:        Apache-2.0
 URL:            %{gourl}
 Source0:        %{gosource}
 
-Patch0:         CVE-2025-30204.patch
 
 BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 BuildRequires:  systemd
@@ -107,8 +103,6 @@ export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/comm
 
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker
-%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-manager %{goipath}/cmd/osbuild-jobsite-manager
-%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-builder %{goipath}/cmd/osbuild-jobsite-builder
 
 make man
 
@@ -143,8 +137,7 @@ go build -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _b
 install -m 0755 -vd                                                %{buildroot}%{_libexecdir}/osbuild-composer
 install -m 0755 -vp _bin/osbuild-composer                          %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-worker                            %{buildroot}%{_libexecdir}/osbuild-composer/
-install -m 0755 -vp _bin/osbuild-jobsite-manager                   %{buildroot}%{_libexecdir}/osbuild-composer/
-install -m 0755 -vp _bin/osbuild-jobsite-builder                   %{buildroot}%{_libexecdir}/osbuild-composer/
+install -m 0755 -vp dnf-json                                       %{buildroot}%{_libexecdir}/osbuild-composer/
 
 # Only include repositories for the distribution and release
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/osbuild-composer/repositories
@@ -301,9 +294,7 @@ cd $PWD/_build/src/%{goipath}
 
 %package core
 Summary:    The core osbuild-composer binary
-Requires:   osbuild-depsolve-dnf >= %{min_osbuild_version}
-Provides:   %{name}-dnf-json = %{version}-%{release}
-Obsoletes:  %{name}-dnf-json < %{version}-%{release}
+Requires:   %{name}-dnf-json = %{version}-%{release}
 
 %description core
 The core osbuild-composer binary. This is suitable both for spawning in containers and by systemd.
@@ -316,21 +307,17 @@ The core osbuild-composer binary. This is suitable both for spawning in containe
 Summary:    The worker for osbuild-composer
 Requires:   systemd
 Requires:   qemu-img
-Requires:   osbuild >= %{min_osbuild_version}
-Requires:   osbuild-ostree >= %{min_osbuild_version}
-Requires:   osbuild-lvm2 >= %{min_osbuild_version}
-Requires:   osbuild-luks2 >= %{min_osbuild_version}
-Requires:   osbuild-depsolve-dnf >= %{min_osbuild_version}
-Provides:   %{name}-dnf-json = %{version}-%{release}
-Obsoletes:  %{name}-dnf-json < %{version}-%{release}
+Requires:   osbuild >= 98
+Requires:   osbuild-ostree >= 98
+Requires:   osbuild-lvm2 >= 98
+Requires:   osbuild-luks2 >= 98
+Requires:   %{name}-dnf-json = %{version}-%{release}
 
 %description worker
 The worker for osbuild-composer
 
 %files worker
 %{_libexecdir}/osbuild-composer/osbuild-worker
-%{_libexecdir}/osbuild-composer/osbuild-jobsite-manager
-%{_libexecdir}/osbuild-composer/osbuild-jobsite-builder
 %{_unitdir}/osbuild-worker@.service
 %{_unitdir}/osbuild-remote-worker@.service
 
@@ -352,6 +339,25 @@ fi
 # restart all the worker services
 %systemd_postun_with_restart "osbuild-worker@*.service" "osbuild-remote-worker@*.service"
 
+%package dnf-json
+Summary: The dnf-json binary used by osbuild-composer and the workers
+
+# Conflicts with older versions of composer that provide the same files
+# this can be removed when RHEL 8 reaches EOL
+Conflicts: osbuild-composer <= 35
+
+%description dnf-json
+The dnf-json binary used by osbuild-composer and the workers.
+
+%files dnf-json
+%{_libexecdir}/osbuild-composer/dnf-json
+
+%post dnf-json
+# Fix ownership of the rpmmd cache files from previous versions where it was owned by root:root
+if [ -e /var/cache/osbuild-composer/rpmmd ]; then
+    chown -f -R --from root:root _osbuild-composer:_osbuild-composer /var/cache/osbuild-composer/rpmmd
+fi
+
 %if %{with tests} || 0%{?rhel}
 
 %package tests
@@ -423,19 +429,6 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 %endif
 
 %changelog
-* Tue Apr 22 2025 Tomáš Hozza <thozza@redhat.com> - 101-3
-- Resolve RHEL-84643 (CVE-2025-30204)
-
-* Wed Sep 25 2024 Tomáš Hozza <thozza@redhat.com> - 101-2
-- Rebuilt to fix:
-  - CVE-2024-34156
-  - CVE-2024-1394
-  - RHEL-24303
-  - RHEL-57905
-
-* Mon Feb 26 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 101-1
-- New upstream release
-
 * Wed Feb 07 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 100-1
 - New upstream release
 
@@ -463,9 +456,6 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Oct 04 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 91-1
 - New upstream release
 
-* Thu Sep 21 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 90-1
-- New upstream release
-
 * Wed Sep 06 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 89-1
 - New upstream release
 
@@ -496,6 +486,9 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Mar 08 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 77-1
 - New upstream release
 
+* Wed Mar 01 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 76-1
+- New upstream release
+
 * Wed Feb 22 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 75-1
 - New upstream release
 
@@ -520,6 +513,9 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Nov 16 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 68-1
 - New upstream release
 
+* Thu Nov 03 2022 Tomas Hozza <thozza@redhat.com> - 67-2
+- Fix functional tests to make them pass in RHEL-9.2 gating
+
 * Wed Nov 02 2022 imagebuilder-bots+imagebuilder-bot@redhat.com <imagebuilder-bot> - 67-1
 - New upstream release
 
@@ -529,13 +525,13 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Aug 24 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 60-1
 - New upstream release
 
-* Thu Aug 11 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 59-1
+* Wed Aug 10 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 59-1
 - New upstream release
 
 * Thu Jul 28 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 58-1
 - New upstream release
 
-* Mon Jul 18 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 57-1
+* Wed Jul 13 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 57-1
 - New upstream release
 
 * Wed Jun 15 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 55-1
@@ -544,81 +540,139 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Jun 01 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 54-1
 - New upstream release
 
-* Mon May 23 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 53-1
+* Fri May 20 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 53-1
 - New upstream release
 
 * Wed May 04 2022 Ondřej Budai <ondrej@budai.cz> - 51-1
 - New upstream release
 
-* Tue Mar 01 2022 Ondřej Budai <ondrej@budai.cz> - 46-1
+* Mon Feb 28 2022 Simon Steinbeiss <simon.steinbeiss@redhat.com> - 46-1
 - New upstream release
 
-* Sat Feb 19 2022 Ondřej Budai <ondrej@budai.cz> - 45-1
+* Fri Feb 18 2022 Ondřej Budai <ondrej@budai.cz> - 45-1
 - New upstream release
 
-* Mon Feb 14 2022 Thomas Lavocat <tlavocat@redhat.com> - 44-1
+* Fri Feb 11 2022 Thomas Lavocat <tlavocat@redhat.com> - 44-1
 - New upstream release
 
-* Mon Feb 07 2022 Thomas Lavocat <tlavocat@redhat.com> - 43-1
+* Wed Jan 26 2022 Thomas Lavocat <tlavocat@redhat.com> - 43-1
 - New upstream release
 
-* Tue Jan 18 2022 Thomas Lavocat <tlavocat@redhat.com> - 42-1
+* Wed Jan 12 2022 Thomas Lavocat <tlavocat@redhat.com> - 42-1
+- New upstream release
+
+* Wed Dec 22 2021 Ondřej Budai <ondrej@budai.cz> - 41-1
 - New upstream release
 
 * Thu Dec 09 2021 Ondřej Budai <ondrej@budai.cz> - 40-1
 - New upstream release
 
-* Fri Oct 15 2021 Achilleas Koutsou <achilleas@redhat.com> - 37-1
+* Wed Nov 24 2021 Chloe Kaubisch <chloe.kaubisch@gmail.com> - 39-1
 - New upstream release
 
-* Fri Oct 15 2021 Achilleas Koutsou <achilleas@redhat.com> - 36-1
+* Fri Nov 12 2021 'Diaa Sami' <'<disami@redhat.com>'> - 38-1
+- New upstream release
+
+* Tue Nov 02 2021 lavocatt - 37-1
+- New upstream release
+
+* Thu Oct 14 2021 Achilleas Koutsou <achilleas@redhat.com> - 36-1
 - New upstream release
 
 * Mon Aug 30 2021 Tom Gundersen <teg@jklm.no> - 33-1
 - New upstream release
 
-* Sun Aug 29 2021 Tom Gundersen <teg@jklm.no> - 32-2
+* Sun Aug 29 2021 Tom Gundersen <teg@jklm.no> - 32-1
 - New upstream release
 
-* Thu Aug 12 2021 Ondřej Budai <ondrej@budai.cz> - 31-1
+* Sun Aug 15 2021 Ondřej Budai <ondrej@budai.cz> - 31-1
+- New upstream release
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 30-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Jul 02 2021 Ondřej Budai <ondrej@budai.cz> - 30-1
+- New upstream release
+
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 29-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 29-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Mar 05 2021 Martin Sehnoutka <msehnout@redhat.com> - 29-1
 - New upstream release
 
 * Sat Feb 20 2021 Martin Sehnoutka <msehnout@redhat.com> - 28-1
 - New upstream release
 
-* Fri Feb 05 2021 Ondrej Budai <obudai@redhat.com> - 27-1
+* Thu Feb 04 2021 Ondrej Budai <obudai@redhat.com> - 27-1
 - New upstream release
 
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 17 2020 Ondrej Budai <obudai@redhat.com> - 26-2
+- Fix the compatibility with a new golang-github-azure-storage-blob 0.12
+
 * Thu Dec 17 2020 Ondrej Budai <obudai@redhat.com> - 26-1
 - New upstream release
 
-* Mon Nov 30 2020 Ondrej Budai <obudai@redhat.com> - 25-1
-- New upstream release 25 (rhbz#1883481)
+* Thu Nov 19 2020 Ondrej Budai <obudai@redhat.com> - 25-1
+- New upstream release
 
-* Thu Sep 03 2020 Tom Gundersen <tgunders@redhat.com> - 20.1-1
-- New upstream release 20.1 (rhbz#1872370)
+* Thu Nov 12 2020 Ondrej Budai <obudai@redhat.com> - 24-1
+- New upstream release
 
-* Sun Aug 23 2020 Tom Gundersen <tgunders@redhat.com> - 20-1
-- New upstream release 20 (rhbz#1871184 and rhbz#1871179)
+* Fri Nov 06 2020 Ondrej Budai <obudai@redhat.com> - 23-1
+- New upstream release
 
-* Thu Aug 13 2020 Tom Gundersen <tgunders@redhat.com> - 19-1
-- New upstream release 19 (rhbz#1866015 and rhbz#1866013)
+* Fri Oct 16 2020 Ondrej Budai <obudai@redhat.com> - 22-1
+- New upstream release
 
-* Thu Jul 09 2020 Ondrej Budai <obudai@redhat.com> - 17-1
-- New upstream release 17 (rhbz#1831653)
-- Obsolete lorax-composer in favor of osbuild-composer (rhbz#1836844)
+* Sun Aug 23 2020 Tom Gundersen <teg@jklm.no> - 20-1
+- New upstream release
+
+* Tue Aug 11 2020 Tom Gundersen <teg@jklm.no> - 19-1
+- New upstream release
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Ondrej Budai <obudai@redhat.com> - 18-1
+- New upstream release
+
+* Wed Jul 08 2020 Ondrej Budai <obudai@redhat.com> - 17-1
+- New upstream release
 
 * Mon Jun 29 2020 Ondrej Budai <obudai@redhat.com> - 16-1
-- New upstream release 16 (rhbz#1831653)
+- New upstream release
 
 * Fri Jun 12 2020 Ondrej Budai <obudai@redhat.com> - 15-1
-- New upstream release 15 (rhbz#1831653)
+- New upstream release
 
 * Thu Jun 04 2020 Ondrej Budai <obudai@redhat.com> - 14-1
-- New upstream release 14 (rhbz#1831653)
+- New upstream release
+
+* Fri May 29 2020 Ondrej Budai <obudai@redhat.com> - 13-2
+- Add missing osbuild-ostree dependency
 
 * Thu May 28 2020 Ondrej Budai <obudai@redhat.com> - 13-1
-- New upstream release 13 (rhbz#1831653)
+- New upstream release
 
-* Tue May 05 2020 Ondrej Budai <obudai@redhat.com> - 11-1
-- Initial package (renamed from golang-github-osbuild-composer) (rhbz#1771887)
+* Thu May 14 2020 Ondrej Budai <obudai@redhat.com> - 12-1
+- New upstream release
+
+* Wed Apr 29 2020 Ondrej Budai <obudai@redhat.com> - 11-1
+- New upstream release
+
+* Wed Apr 15 2020 Ondrej Budai <obudai@redhat.com> - 10-1
+- New upstream release
+
+* Wed Apr 01 2020 Ondrej Budai <obudai@redhat.com> - 9-1
+- New upstream release
+
+* Mon Mar 23 2020 Ondrej Budai <obudai@redhat.com> - 8-1
+- Initial package (renamed from golang-github-osbuild-composer)