Import from AlmaLinux stable repository

.gitignore

@@ -1 +1 @@
-SOURCES/oscap-anaconda-addon-1.0.tar.gz
+SOURCES/oscap-anaconda-addon-1.2.1.tar.gz

.oscap-anaconda-addon.metadata

@@ -1 +0,0 @@
-6edf7e4859de8e66837404c084405ea4318a319d SOURCES/oscap-anaconda-addon-1.0.tar.gz

SOURCES/bootloader.patch

@@ -1,26 +0,0 @@
-From 1e275a0da36595dd921732e0f60510171cdbe75c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Tue, 15 Jan 2019 19:16:44 +0100
-Subject: [PATCH] Updated code to comply to the Bootloader proxy API.
-
----
- org_fedora_oscap/rule_handling.py | 4 ++--
- tests/test_rule_handling.py       | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
-index 738465f..f3fd057 100644
---- a/org_fedora_oscap/rule_handling.py
-+++ b/org_fedora_oscap/rule_handling.py
-@@ -716,9 +716,9 @@ def eval_rules(self, ksdata, storage, report_only=False):
- 
-         bootloader_proxy = STORAGE.get_proxy(BOOTLOADER)
- 
--        if self._require_password and not bootloader_proxy.password_is_set:
-+        if self._require_password and not bootloader_proxy.IsPasswordSet:
-             # TODO: Anaconda provides a way to set bootloader password:
--            # bootloader_proxy.set_password(...)
-+            # bootloader_proxy.SetEncryptedPassword(...)
-             # We don't support setting the bootloader password yet,
-             # but we shouldn't stop the installation, just because of that.
-             return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,

SOURCES/checksum.patch

@@ -1,30 +0,0 @@
-From fd1684358e212521abaf3ec7662aa97181868c0a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Tue, 15 Jan 2019 18:19:28 +0100
-Subject: [PATCH] Fixed the checksum function to use forward-compatible rb
- mode.
-
-On python3, there is a problem as contents of r-opened file is string,
-but they are treated as bytes later. rb mode is fully python2-compatible.
----
- org_fedora_oscap/utils.py |  4 ++--
- tests/data/file           |  1 +
- tests/test_utils.py       | 12 ++++++++++++
- 3 files changed, 15 insertions(+), 2 deletions(-)
- create mode 100644 tests/data/file
-
-diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
-index 6d5c157..3be8325 100644
---- a/org_fedora_oscap/utils.py
-+++ b/org_fedora_oscap/utils.py
-@@ -175,8 +175,8 @@ def get_file_fingerprint(fpath, hash_obj):
- 
-     """
- 
--    with open(fpath, "r") as fobj:
--        bsize = 4*1024
-+    with open(fpath, "rb") as fobj:
-+        bsize = 4 * 1024
-         # process file as 4 KB blocks
-         buf = fobj.read(bsize)
-         while buf:

SOURCES/do_not_use_capitals_for_the_spoke_title.patch

@@ -1,25 +0,0 @@
-From 2f97f43a4194263e47d4747e39c22b8287a659b3 Mon Sep 17 00:00:00 2001
-From: Radek Vykydal <rvykydal@redhat.com>
-Date: Wed, 21 Aug 2019 15:49:21 +0200
-Subject: [PATCH] Do not use capitals for spoke title.
-
-Resolves: rhbz#1744185
-
-To be consistent with other spokes.
----
- org_fedora_oscap/gui/spokes/oscap.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
-index 96802cf..0c90fb7 100644
---- a/org_fedora_oscap/gui/spokes/oscap.py
-+++ b/org_fedora_oscap/gui/spokes/oscap.py
-@@ -195,7 +195,7 @@ class OSCAPSpoke(NormalSpoke):
-     icon = "changes-prevent-symbolic"
- 
-     # title of the spoke (will be displayed on the hub)
--    title = N_("_SECURITY POLICY")
-+    title = N_("_Security Policy")
- 
-     # methods defined by API and helper methods #
-     def __init__(self, data, storage, payload, instclass):

SOURCES/help_id.patch

@@ -1,30 +0,0 @@
-From ccd4e2f078d00fa4570d2bd56802c726286d1020 Mon Sep 17 00:00:00 2001
-From: Martin Kolman <mkolman@redhat.com>
-Date: Wed, 10 Oct 2018 17:12:01 +0200
-Subject: [PATCH] Set help id for the OSCAP addon provided spoke (#1638068)
-
-The new Anaconda help system now operates on help ids instead of pointing to
-individual files.
-
-So drop the old property and replace it with a proper help_id.
-
-Resolves: rhbz#1638068
----
- org_fedora_oscap/gui/spokes/oscap.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
-index d9fe548..36fd656 100644
---- a/org_fedora_oscap/gui/spokes/oscap.py
-+++ b/org_fedora_oscap/gui/spokes/oscap.py
-@@ -179,8 +179,8 @@ class OSCAPSpoke(NormalSpoke):
-     # name of the .glade file in the same directory as this source
-     uiFile = "oscap.glade"
- 
--    # name of the file providing help content for this spoke
--    helpFile = "SecurityPolicySpoke.xml"
-+    # id of the help content for this spoke
-+    help_id = "SecurityPolicySpoke"
- 
-     # domain of oscap-anaconda-addon translations
-     translationDomain = "oscap-anaconda-addon"

SOURCES/oaa-api-update.patch

@@ -1,256 +0,0 @@
-diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
-index f712ac4..738465f 100644
---- a/org_fedora_oscap/rule_handling.py
-+++ b/org_fedora_oscap/rule_handling.py
-@@ -26,7 +26,13 @@
- import optparse
- import shlex
- import logging
-+
- from pyanaconda.pwpolicy import F22_PwPolicyData
-+from pyanaconda.core.constants import (
-+    FIREWALL_ENABLED, FIREWALL_DISABLED, FIREWALL_USE_SYSTEM_DEFAULTS)
-+from pyanaconda.modules.common.constants.objects import FIREWALL, BOOTLOADER
-+from pyanaconda.modules.common.constants.services import NETWORK, STORAGE, USERS
-+
- from org_fedora_oscap import common
- from org_fedora_oscap.common import OSCAPaddonError, RuleMessage
- 
-@@ -496,7 +502,10 @@ def eval_rules(self, ksdata, storage, report_only=False):
-             return []
- 
-         ret = []
--        if not ksdata.rootpw.password:
-+
-+        users_proxy = USERS.get_proxy()
-+
-+        if not users_proxy.IsRootPasswordSet:
-             # root password was not set
- 
-             msg = _("make sure to create password with minimal length of %d "
-@@ -505,12 +514,12 @@ def eval_rules(self, ksdata, storage, report_only=False):
-                                common.MESSAGE_TYPE_WARNING, msg)]
-         else:
-             # root password set
--            if ksdata.rootpw.isCrypted:
-+            if users_proxy.IsRootPasswordCrypted:
-                 msg = _("cannot check root password length (password is crypted)")
-                 log.warning("cannot check root password length (password is crypted)")
-                 return [RuleMessage(self.__class__,
-                                     common.MESSAGE_TYPE_WARNING, msg)]
--            elif len(ksdata.rootpw.password) < self._minlen:
-+            elif len(users_proxy.RootPassword) < self._minlen:
-                 # too short
-                 msg = _("root password is too short, a longer one with at "
-                         "least %d characters is required") % self._minlen
-@@ -705,10 +714,13 @@ def __str__(self):
-     def eval_rules(self, ksdata, storage, report_only=False):
-         """:see: RuleHandler.eval_rules"""
- 
--        if self._require_password and not storage.bootloader.password:
--            # Anaconda doesn't provide a way to set bootloader password, so
--            # users cannot do much about that --> we shouldn't stop the
--            # installation, should we?
-+        bootloader_proxy = STORAGE.get_proxy(BOOTLOADER)
-+
-+        if self._require_password and not bootloader_proxy.password_is_set:
-+            # TODO: Anaconda provides a way to set bootloader password:
-+            # bootloader_proxy.set_password(...)
-+            # We don't support setting the bootloader password yet,
-+            # but we shouldn't stop the installation, just because of that.
-             return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,
-                                 "boot loader password not set up")]
-         else:
-@@ -802,8 +814,13 @@ def __init__(self):
-         self._added_trusts = set()
-         self._removed_svcs = set()
- 
-+        self._new_services_to_add = set()
-+        self._new_ports_to_add = set()
-+        self._new_trusts_to_add = set()
-+        self._new_services_to_remove = set()
-+
-         self._firewall_enabled = None
--        self._firewall_default_enabled = None
-+        self._firewall_default_state = None
- 
-     def add_services(self, services):
-         """
-@@ -895,25 +912,26 @@ def __str__(self):
-     def eval_rules(self, ksdata, storage, report_only=False):
-         """:see: RuleHandler.eval_rules"""
- 
-+        firewall_proxy = NETWORK.get_proxy(FIREWALL)
-         messages = []
- 
--        if self._firewall_default_enabled is None:
-+        if self._firewall_default_state is None:
-             # firewall default startup setting
--            self._firewall_default_enabled = ksdata.firewall.enabled
-+            self._firewall_default_state = firewall_proxy.FirewallMode
- 
-         if self._firewall_enabled is False:
-             msg = _("Firewall will be disabled on startup")
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
-             if not report_only:
--                ksdata.firewall.enabled = self._firewall_enabled
-+                firewall_proxy.SetFirewallMode(FIREWALL_DISABLED)
- 
-         elif self._firewall_enabled is True:
-             msg = _("Firewall will be enabled on startup")
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
-             if not report_only:
--                ksdata.firewall.enabled = self._firewall_enabled
-+                firewall_proxy.SetFirewallMode(FIREWALL_ENABLED)
- 
-         # add messages for the already added services
-         for svc in self._added_svcs:
-@@ -937,49 +955,58 @@ def eval_rules(self, ksdata, storage, report_only=False):
-                                         common.MESSAGE_TYPE_INFO, msg))
- 
-         # services, that should be added
--        services_to_add = (svc for svc in self._add_svcs
--                           if svc not in ksdata.firewall.services)
-+        self._new_services_to_add = {
-+            svc for svc in self._add_svcs
-+            if svc not in firewall_proxy.EnabledServices}
- 
-         # ports, that should be added
--        ports_to_add = (ports for ports in self._add_ports
--                        if ports not in ksdata.firewall.ports)
-+        self._new_ports_to_add = {
-+            ports for ports in self._add_ports
-+            if ports not in firewall_proxy.EnabledPorts}
- 
-         # trusts, that should be added
--        trusts_to_add = (trust for trust in self._add_trusts
--                         if trust not in ksdata.firewall.trusts)
-+        self._new_trusts_to_add = {
-+            trust for trust in self._add_trusts
-+            if trust not in firewall_proxy.Trusts}
- 
--        for svc in services_to_add:
-+        for svc in self._new_services_to_add:
-             # add the service unless already added
-             if not report_only:
-                 self._added_svcs.add(svc)
--                ksdata.firewall.services.append(svc)
- 
-             msg = _("service '%s' has been added to the list of services to be "
-                     "added to the firewall" % svc)
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
-+        if not report_only:
-+            all_services = list(self._add_svcs.union(set(firewall_proxy.EnabledServices)))
-+            firewall_proxy.SetEnabledServices(all_services)
- 
--        for port in ports_to_add:
-+        for port in self._new_ports_to_add:
-             # add the port unless already added
-             if not report_only:
-                 self._added_ports.add(port)
--                ksdata.firewall.ports.append(port)
- 
-             msg = _("port '%s' has been added to the list of ports to be "
-                     "added to the firewall" % port)
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
-+        if not report_only:
-+            all_ports = list(self._add_ports.union(set(firewall_proxy.EnabledPorts)))
-+            firewall_proxy.SetEnabledPorts(all_ports)
- 
--        for trust in trusts_to_add:
-+        for trust in self._new_trusts_to_add:
-             # add the trust unless already added
-             if not report_only:
-                 self._added_trusts.add(trust)
--                ksdata.firewall.trusts.append(trust)
- 
-             msg = _("trust '%s' has been added to the list of trusts to be "
-                     "added to the firewall" % trust)
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
-+        if not report_only:
-+            all_trusts = list(self._add_trusts.union(set(firewall_proxy.Trusts)))
-+            firewall_proxy.SetTrusts(all_trusts)
- 
-         # now do the same for the services that should be excluded
- 
-@@ -990,52 +1017,56 @@ def eval_rules(self, ksdata, storage, report_only=False):
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
- 
--        # services, that should be added
--        services_to_remove = (svc for svc in self._remove_svcs
--                              if svc not in ksdata.firewall.remove_services)
-+        # services, that should be excluded
-+        self._new_services_to_remove = {
-+            svc for svc in self._remove_svcs
-+            if svc not in firewall_proxy.DisabledServices}
- 
--        for svc in services_to_remove:
-+        for svc in self._new_services_to_remove:
-             # exclude the service unless already excluded
-             if not report_only:
-                 self._removed_svcs.add(svc)
--                ksdata.firewall.remove_services.append(svc)
- 
-             msg = _("service '%s' has been added to the list of services to be "
-                     "removed from the firewall" % svc)
-             messages.append(RuleMessage(self.__class__,
-                                         common.MESSAGE_TYPE_INFO, msg))
-+        if not report_only:
-+            all_services = list(self._remove_svcs.union(set(firewall_proxy.DisabledServices)))
-+            firewall_proxy.SetDisabledServices(all_services)
- 
-         return messages
- 
-     def revert_changes(self, ksdata, storage):
-         """:see: RuleHander.revert_changes"""
-+        firewall_proxy = NETWORK.get_proxy(FIREWALL)
- 
-         if self._firewall_enabled is not None:
--            ksdata.firewall.enabled = self._firewall_default_enabled
-+            firewall_proxy.SetFirewallMode(self._firewall_default_state)
- 
-         # remove all services this handler added
--        for svc in self._added_svcs:
--            if svc in ksdata.firewall.services:
--                ksdata.firewall.services.remove(svc)
-+        all_services = firewall_proxy.EnabledServices
-+        orig_services = set(all_services).difference(self._new_services_to_add)
-+        firewall_proxy.SetEnabledServices(list(orig_services))
- 
-         # remove all ports this handler added
--        for port in self._added_ports:
--            if port in ksdata.firewall.ports:
--                ksdata.firewall.ports.remove(port)
-+        all_ports = firewall_proxy.EnabledPorts
-+        orig_ports = set(all_ports).difference(self._new_ports_to_add)
-+        firewall_proxy.SetEnabledPorts(list(orig_ports))
- 
-         # remove all trusts this handler added
--        for trust in self._added_trusts:
--            if trust in ksdata.firewall.trusts:
--                ksdata.firewall.trusts.remove(trust)
-+        all_trusts = firewall_proxy.Trusts
-+        orig_trusts = set(all_trusts).difference(self._new_trusts_to_add)
-+        firewall_proxy.SetTrusts(list(orig_trusts))
- 
-         # remove all services this handler excluded
--        for svc in self._removed_svcs:
--            if svc in ksdata.firewall.remove_services:
--                ksdata.firewall.remove_services.remove(svc)
-+        all_services = firewall_proxy.DisabledServices
-+        orig_services = set(all_services).difference(self._new_services_to_remove)
-+        firewall_proxy.SetDisabledServices(list(orig_services))
- 
-         self._added_svcs = set()
-         self._added_ports = set()
-         self._added_trusts = set()
-         self._removed_svcs = set()
-         self._firewall_enabled = None
--        self._firewall_default_enabled = None
-+        self._firewall_default_state = None

SOURCES/oscap-anaconda-addon-1.2.2-absent_appstream-PR_184.patch

@@ -0,0 +1,206 @@
+From 8eacfad08b3c27aa9510f2c3337356581bd9bebd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 3 Jan 2022 17:31:49 +0100
+Subject: [PATCH 1/3] Add oscap sanity check before attempting remediation
+
+If something is obviously wrong with the scanner, then don't attempt to remediate
+and try to show relevant information in a dialog window.
+---
+ org_fedora_oscap/common.py   | 39 ++++++++++++++++++++++++++++--------
+ org_fedora_oscap/ks/oscap.py | 11 ++++++++++
+ tests/test_common.py         |  8 ++++++++
+ 3 files changed, 50 insertions(+), 8 deletions(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index 884bbc8..05829ce 100644
+--- a/org_fedora_oscap/common.py
++++ b/org_fedora_oscap/common.py
+@@ -139,7 +139,8 @@ def execute(self, ** kwargs):
+             proc = subprocess.Popen(self.args, stdout=subprocess.PIPE,
+                                     stderr=subprocess.PIPE, ** kwargs)
+         except OSError as oserr:
+-            msg = "Failed to run the oscap tool: %s" % oserr
++            msg = ("Failed to execute command '{command_string}': {oserr}"
++                   .format(command_string=command_string, oserr=oserr))
+             raise OSCAPaddonError(msg)
+ 
+         (stdout, stderr) = proc.communicate()
+@@ -215,6 +216,34 @@ def _run_oscap_gen_fix(profile, fpath, template, ds_id="", xccdf_id="",
+     return proc.stdout
+ 
+ 
++def do_chroot(chroot):
++    """Helper function doing the chroot if requested."""
++    if chroot and chroot != "/":
++        os.chroot(chroot)
++        os.chdir("/")
++
++
++def assert_scanner_works(chroot, executable="oscap"):
++    args = [executable, "--version"]
++    command = " ".join(args)
++
++    try:
++        proc = subprocess.Popen(
++            args, preexec_fn=lambda: do_chroot(chroot),
++            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++        (stdout, stderr) = proc.communicate()
++        stderr = stderr.decode(errors="replace")
++    except OSError as exc:
++        msg = _(f"Basic invocation '{command}' fails: {str(exc)}")
++        raise OSCAPaddonError(msg)
++    if proc.returncode != 0:
++        msg = _(
++            f"Basic scanner invocation '{command}' exited "
++            "with non-zero error code {proc.returncode}: {stderr}")
++        raise OSCAPaddonError(msg)
++    return True
++
++
+ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
+                         chroot=""):
+     """
+@@ -244,12 +273,6 @@ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
+     if not profile:
+         return ""
+ 
+-    def do_chroot():
+-        """Helper function doing the chroot if requested."""
+-        if chroot and chroot != "/":
+-            os.chroot(chroot)
+-            os.chdir("/")
+-
+     # make sure the directory for the results exists
+     results_dir = os.path.dirname(RESULTS_PATH)
+     if chroot:
+@@ -274,7 +297,7 @@ def do_chroot():
+     args.append(fpath)
+ 
+     proc = SubprocessLauncher(args)
+-    proc.execute(preexec_fn=do_chroot)
++    proc.execute(preexec_fn=lambda: do_chroot(chroot))
+     proc.log_messages()
+ 
+     if proc.returncode not in (0, 2):
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index 65d74cf..da1600f 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -488,6 +488,17 @@ def execute(self, storage, ksdata, users, payload):
+             # selected
+             return
+ 
++        try:
++            common.assert_scanner_works(
++                chroot=conf.target.system_root, executable="oscap")
++        except Exception as exc:
++            msg_lines = [_(
++                "The 'oscap' scanner doesn't work in the installed system: {error}"
++                .format(error=str(exc)))]
++            msg_lines.append(_("As a result, the installed system can't be hardened."))
++            self._terminate("\n".join(msg_lines))
++            return
++
+         target_content_dir = utils.join_paths(conf.target.system_root,
+                                               common.TARGET_CONTENT_DIR)
+         utils.ensure_dir_exists(target_content_dir)
+diff --git a/tests/test_common.py b/tests/test_common.py
+index 9f7a16a..4f25379 100644
+--- a/tests/test_common.py
++++ b/tests/test_common.py
+@@ -77,6 +77,14 @@ def _run_oscap(mock_subprocess, additional_args):
+     return expected_args, kwargs
+ 
+ 
++def test_oscap_works():
++    assert common.assert_scanner_works(chroot="/")
++    with pytest.raises(common.OSCAPaddonError, match="No such file"):
++        common.assert_scanner_works(chroot="/", executable="i_dont_exist")
++    with pytest.raises(common.OSCAPaddonError, match="non-zero"):
++        common.assert_scanner_works(chroot="/", executable="false")
++
++
+ def test_run_oscap_remediate_profile_only(mock_subprocess, monkeypatch):
+     return run_oscap_remediate_profile(
+         mock_subprocess, monkeypatch,
+
+From b54cf2bddba56e5b776fb60514a5e29d47c74cac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 3 Jan 2022 17:42:31 +0100
+Subject: [PATCH 2/3] Don't raise exceptions in execute()
+
+Those result in tracebacks during the installation,
+while a dialog window presents a more useful form of user interaction.
+---
+ org_fedora_oscap/ks/oscap.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index da1600f..d3f0dbe 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -513,8 +513,9 @@ def execute(self, storage, ksdata, users, payload):
+             ret = util.execInSysroot("yum", ["-y", "--nogpg", "install",
+                                              self.raw_postinst_content_path])
+             if ret != 0:
+-                raise common.ExtractionError("Failed to install content "
+-                                             "RPM to the target system")
++                msg = _(f"Failed to install content RPM to the target system.")
++                self._terminate(msg)
++                return
+         elif self.content_type == "scap-security-guide":
+             # nothing needed
+             pass
+@@ -525,10 +526,15 @@ def execute(self, storage, ksdata, users, payload):
+         if os.path.exists(self.preinst_tailoring_path):
+             shutil.copy2(self.preinst_tailoring_path, target_content_dir)
+ 
+-        common.run_oscap_remediate(self.profile_id, self.postinst_content_path,
+-                                   self.datastream_id, self.xccdf_id,
+-                                   self.postinst_tailoring_path,
+-                                   chroot=conf.target.system_root)
++        try:
++            common.run_oscap_remediate(self.profile_id, self.postinst_content_path,
++                                       self.datastream_id, self.xccdf_id,
++                                       self.postinst_tailoring_path,
++                                       chroot=conf.target.system_root)
++        except Exception as exc:
++            msg = _(f"Something went wrong during the final hardening: {str(exc)}.")
++            self._terminate(msg)
++            return
+ 
+     def clear_all(self):
+         """Clear all the stored values."""
+
+From 00d770d1b7f8e1f0734e93da227f1c3e445033c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 3 Jan 2022 17:44:12 +0100
+Subject: [PATCH 3/3] Change the error feedback based on the installation mode
+
+The original approach was confusing, because non-interactive installs run without any user input,
+and the message assumed that the user is able to answer installer's questions.
+---
+ org_fedora_oscap/ks/oscap.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index d3f0dbe..ef34448 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -372,13 +372,14 @@ def postinst_tailoring_path(self):
+                                 self.tailoring_path)
+ 
+     def _terminate(self, message):
+-        message += "\n" + _("The installation should be aborted.")
+-        message += " " + _("Do you wish to continue anyway?")
+         if flags.flags.automatedInstall and not flags.flags.ksprompt:
+             # cannot have ask in a non-interactive kickstart
+             # installation
++            message += "\n" + _("Aborting the installation.")
+             raise errors.CmdlineError(message)
+ 
++        message += "\n" + _("The installation should be aborted.")
++        message += " " + _("Do you wish to continue anyway?")
+         answ = errors.errorHandler.ui.showYesNoQuestion(message)
+         if answ == errors.ERROR_CONTINUE:
+             # prevent any futher actions here by switching to the dry

SOURCES/oscap-anaconda-addon-1.2.2-content_ident-PR_167.patch

@@ -0,0 +1,39 @@
+From 1abc4e96638e819d3fbee74396b36a6ccaf0ab29 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Tue, 3 Aug 2021 11:01:59 +0200
+Subject: [PATCH] Refactor content identification
+
+Don't use the multiprocessing pool - it sometimes creates probems during
+its initialization:
+https://bugzilla.redhat.com/show_bug.cgi?id=1989441
+---
+ org_fedora_oscap/content_handling.py | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
+index f2af22f..65d5a28 100644
+--- a/org_fedora_oscap/content_handling.py
++++ b/org_fedora_oscap/content_handling.py
+@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
+ 
+ 
+ def identify_files(fpaths):
+-    with multiprocessing.Pool(os.cpu_count()) as p:
+-        labels = p.map(get_doc_type, fpaths)
+-    return {path: label for (path, label) in zip(fpaths, labels)}
++    result = {path: get_doc_type(path) for path in fpaths}
++    return result
+ 
+ 
+ def get_doc_type(file_path):
+@@ -131,7 +130,9 @@ def get_doc_type(file_path):
+     except UnicodeDecodeError:
+         # 'oscap info' supplied weird output, which happens when it tries
+         # to explain why it can't examine e.g. a JPG.
+-        return None
++        pass
++    except Exception as e:
++        log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
+     log.info("OSCAP addon: Identified {file_path} as {content_type}"
+              .format(file_path=file_path, content_type=content_type))
+     return content_type

SOURCES/oscap-anaconda-addon-1.2.2-deep_archives-PR_168.patch

@@ -0,0 +1,51 @@
+From 3377a914f4668af3d72216468ae192bc300890f9 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Mon, 9 Aug 2021 15:45:58 +0200
+Subject: [PATCH 1/2] Fix archive handling in GUI installs
+
+GUI downloads an archive, so the ensuing installation doesn't have to.
+However, the installation has to be able to discover files recovered
+from the archive.
+The fix makes sure that files are discovered also in subdirectories.
+---
+ org_fedora_oscap/content_discovery.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index f6b4d27..5fc7343 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -196,7 +196,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
+             if not dest_filename:  # using scap-security-guide
+                 fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
+             else:  # Using downloaded XCCDF/OVAL/DS/tailoring
+-                fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
++                fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
++                fpaths = [str(p) for p in fpaths if p.is_file()]
+         else:
+             dest_filename = pathlib.Path(dest_filename)
+             # RPM is an archive at this phase
+
+From 191df327e3e51f486fb655e97acac30222c264fa Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Mon, 9 Aug 2021 15:48:50 +0200
+Subject: [PATCH 2/2] Improve logging
+
+Logs written to log files can contain specific details.
+---
+ org_fedora_oscap/ks/oscap.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index d1b8c9e..65d74cf 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -393,7 +393,7 @@ def _terminate(self, message):
+                 time.sleep(100000)
+ 
+     def _handle_error(self, exception):
+-        log.error("Failed to fetch and initialize SCAP content!")
++        log.error(f"Failed to fetch and initialize SCAP content: {str(exception)}")
+ 
+         if isinstance(exception, ContentCheckError):
+             msg = _("The integrity check of the security content failed.")

SOURCES/oscap-anaconda-addon-1.2.2-tar-extraction-PR_249.patch

@@ -0,0 +1,32 @@
+From 6ac75d5052fff5a7d4b7e249ef198ccecd1f86a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 17 Jul 2023 17:08:54 +0200
+Subject: [PATCH] Make tar extraction safer
+
+See also https://bugzilla.redhat.com/show_bug.cgi?id=2218875
+---
+ org_fedora_oscap/common.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index 05829ce..b27276e 100644
+--- a/org_fedora_oscap/common.py
++++ b/org_fedora_oscap/common.py
+@@ -360,7 +360,7 @@ def extract_data(archive, out_dir, ensure_has_files=None):
+                 raise ExtractionError(msg)
+ 
+         utils.ensure_dir_exists(out_dir)
+-        zfile.extractall(path=out_dir)
++        zfile.extractall(path=out_dir, filter="data")
+         result = [utils.join_paths(out_dir, info.filename) for info in zfile.filelist]
+         zfile.close()
+     elif archive.endswith(".tar"):
+@@ -418,7 +418,7 @@ def _extract_tarball(archive, out_dir, ensure_has_files, alg):
+             raise ExtractionError(msg)
+ 
+     utils.ensure_dir_exists(out_dir)
+-    tfile.extractall(path=out_dir)
++    tfile.extractall(path=out_dir, filter="data")
+     result = [utils.join_paths(out_dir, member.path) for member in tfile.getmembers()]
+     tfile.close()
+ 

SOURCES/oscap-anaconda-addon-1.3.0-better_archive_handling-PR_220.patch

@@ -0,0 +1,372 @@
+From e8e303aa3ca9db564ea52258de15a81851c3b265 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 12 Oct 2022 11:37:04 +0200
+Subject: [PATCH 1/5] Add capability to preselect content from archives
+
+Users can specify content path and tailoring path in kickstarts,
+and the addon should be able to assure that those files are available,
+and that they have precedence over other files.
+---
+ org_fedora_oscap/content_discovery.py | 35 +++++++++++++++++++
+ tests/test_content_discovery.py       | 48 +++++++++++++++++++++++++++
+ 2 files changed, 83 insertions(+)
+ create mode 100644 tests/test_content_discovery.py
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index 5fc7343..f654449 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -11,6 +11,7 @@
+ from org_fedora_oscap import data_fetch, utils
+ from org_fedora_oscap import common
+ from org_fedora_oscap import content_handling
++from org_fedora_oscap.content_handling import CONTENT_TYPES
+ 
+ from org_fedora_oscap.common import _
+ 
+@@ -167,6 +168,38 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
+             msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
+             raise content_handling.ContentCheckError(msg)
+ 
++    def filter_discovered_content(self, labelled_files):
++        expected_path = self._addon_data.content_path
++        categories = (CONTENT_TYPES["DATASTREAM"], CONTENT_TYPES["XCCDF_CHECKLIST"])
++        if expected_path:
++            labelled_files = self.reduce_files(labelled_files, expected_path, categories)
++
++        expected_path = self._addon_data.tailoring_path
++        categories = (CONTENT_TYPES["TAILORING"], )
++        if expected_path:
++            labelled_files = self.reduce_files(labelled_files, expected_path, categories)
++
++        expected_path = self._addon_data.cpe_path
++        categories = (CONTENT_TYPES["CPE_DICT"], )
++        if expected_path:
++            labelled_files = self.reduce_files(labelled_files, expected_path, categories)
++
++        return labelled_files
++
++    def reduce_files(self, labelled_files, expected_path, categories):
++        reduced_files = dict()
++        if expected_path not in labelled_files:
++            msg = (
++                f"Expected a file {expected_path} to be part of the supplied content, "
++                f"but it was not the case, got only {list(labelled_files.keys())}"
++            )
++            raise RuntimeError(msg)
++        for path, label in labelled_files.items():
++            if label in categories and path != expected_path:
++                continue
++            reduced_files[path] = label
++        return reduced_files
++
+     def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename):
+         threadMgr.wait(wait_for)
+         actually_fetched_content = wait_for is not None
+@@ -182,6 +215,8 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
+             structured_content.add_content_archive(dest_filename)
+ 
+         labelled_files = content_handling.identify_files(fpaths)
++        labelled_files = self.filter_discovered_content(labelled_files)
++
+         for fname, label in labelled_files.items():
+             structured_content.add_file(fname, label)
+ 
+diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
+new file mode 100644
+index 0000000..5463c9a
+--- /dev/null
++++ b/tests/test_content_discovery.py
+@@ -0,0 +1,48 @@
++import pytest
++
++import org_fedora_oscap.content_discovery as tested_module
++
++
++@pytest.fixture
++def labelled_files():
++    return {
++        "dir/datastream": "D",
++        "dir/datastream2": "D",
++        "dir/dir/datastream3": "D",
++        "dir/dir/datastream3": "D",
++        "dir/XCCDF": "X",
++        "XCCDF2": "X",
++        "cpe": "C",
++        "t1": "T",
++        "dir3/t2": "T",
++    }
++
++
++def test_reduce(labelled_files):
++    bringer = tested_module.ContentBringer(None)
++
++    d_count = 0
++    x_count = 0
++    for l in labelled_files.values():
++        if l == "D":
++            d_count += 1
++        elif l == "X":
++            x_count += 1
++
++    reduced = bringer.reduce_files(labelled_files, "dir/datastream", ["D"])
++    assert len(reduced) == len(labelled_files) - d_count + 1
++    assert "dir/datastream" in reduced
++
++    reduced = bringer.reduce_files(labelled_files, "dir/datastream", ["D", "X"])
++    assert len(reduced) == len(labelled_files) - d_count - x_count + 1
++    assert "dir/datastream" in reduced
++
++    reduced = bringer.reduce_files(labelled_files, "dir/XCCDF", ["D", "X"])
++    assert len(reduced) == len(labelled_files) - d_count - x_count + 1
++    assert "dir/XCCDF" in reduced
++
++    with pytest.raises(RuntimeError, match="dir/datastream4"):
++        bringer.reduce_files(labelled_files, "dir/datastream4", ["D"])
++
++    reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
++    assert reduced == labelled_files
+
+From 82c1950903fcce079cd71f021c1fde25f75f9521 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 12 Oct 2022 11:40:11 +0200
+Subject: [PATCH 2/5] Handle changes in content identification
+
+The code is able to handle changes in the way how oscap identifies
+content much more gracefully.
+---
+ org_fedora_oscap/content_discovery.py | 13 +++++++++----
+ org_fedora_oscap/content_handling.py  |  5 +++++
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index f654449..b20f3a6 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -2,6 +2,7 @@
+ import logging
+ import pathlib
+ import shutil
++import os
+ from glob import glob
+ 
+ from pyanaconda.core import constants
+@@ -214,11 +215,15 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
+         if content_type in ("archive", "rpm"):
+             structured_content.add_content_archive(dest_filename)
+ 
+-        labelled_files = content_handling.identify_files(fpaths)
+-        labelled_files = self.filter_discovered_content(labelled_files)
++        labelled_filenames = content_handling.identify_files(fpaths)
++        labelled_relative_filenames = {
++            os.path.relpath(path, self.CONTENT_DOWNLOAD_LOCATION): label
++            for path, label in labelled_filenames.items()}
++        labelled_relative_filenames = self.filter_discovered_content(labelled_relative_filenames)
+ 
+-        for fname, label in labelled_files.items():
+-            structured_content.add_file(fname, label)
++        for rel_fname, label in labelled_relative_filenames.items():
++            fname = self.CONTENT_DOWNLOAD_LOCATION / rel_fname
++            structured_content.add_file(str(fname), label)
+ 
+         if fingerprint and dest_filename:
+             structured_content.record_verification(dest_filename)
+diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
+index 65d5a28..3e2ecae 100644
+--- a/org_fedora_oscap/content_handling.py
++++ b/org_fedora_oscap/content_handling.py
+@@ -122,6 +122,11 @@ def get_doc_type(file_path):
+             if line.startswith("Document type:"):
+                 _prefix, _sep, type_info = line.partition(":")
+                 content_type = type_info.strip()
++                if content_type not in CONTENT_TYPES.values():
++                    log.info(
++                        f"File {file_path} labelled by oscap as {content_type}, "
++                        "which is an unexpected type.")
++                    content_type = f"unknown - {content_type}"
+                 break
+     except OSError:
+         # 'oscap info' exitted with a non-zero exit code -> unknown doc
+
+From b6bf5a6c96f5dbbd78043455802ebc0033cf1a6a Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 12 Oct 2022 11:38:51 +0200
+Subject: [PATCH 3/5] Remove unused code
+
+The function is not referenced anywhere in the project
+---
+ org_fedora_oscap/content_handling.py | 40 ----------------------------
+ 1 file changed, 40 deletions(-)
+
+diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
+index 3e2ecae..5096bab 100644
+--- a/org_fedora_oscap/content_handling.py
++++ b/org_fedora_oscap/content_handling.py
+@@ -141,43 +141,3 @@ def get_doc_type(file_path):
+     log.info("OSCAP addon: Identified {file_path} as {content_type}"
+              .format(file_path=file_path, content_type=content_type))
+     return content_type
+-
+-
+-def explore_content_files(fpaths):
+-    """
+-    Function for finding content files in a list of file paths. SIMPLY PICKS
+-    THE FIRST USABLE CONTENT FILE OF A PARTICULAR TYPE AND JUST PREFERS DATA
+-    STREAMS OVER STANDALONE BENCHMARKS.
+-
+-    :param fpaths: a list of file paths to search for content files in
+-    :type fpaths: [str]
+-    :return: ContentFiles instance containing the file names of the XCCDF file,
+-        CPE dictionary and tailoring file or "" in place of those items
+-        if not found
+-    :rtype: ContentFiles
+-
+-    """
+-    xccdf_file = ""
+-    cpe_file = ""
+-    tailoring_file = ""
+-    found_ds = False
+-
+-    for fpath in fpaths:
+-        doc_type = get_doc_type(fpath)
+-        if not doc_type:
+-            continue
+-
+-        # prefer DS over standalone XCCDF
+-        if doc_type == "Source Data Stream" and (not xccdf_file or not found_ds):
+-            xccdf_file = fpath
+-            found_ds = True
+-        elif doc_type == "XCCDF Checklist" and not xccdf_file:
+-            xccdf_file = fpath
+-        elif doc_type == "CPE Dictionary" and not cpe_file:
+-            cpe_file = fpath
+-        elif doc_type == "XCCDF Tailoring" and not tailoring_file:
+-            tailoring_file = fpath
+-
+-    # TODO: raise exception if no xccdf_file is found?
+-    files = ContentFiles(xccdf_file, cpe_file, tailoring_file)
+-    return files
+
+From a990568ccddb2864c8daeae91fdc1f6588b3c6f3 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 13 Oct 2022 14:11:25 +0200
+Subject: [PATCH 4/5] Dont use tailoring if it is not expected
+
+Take tailorings into account only if it is specified in the kickstart.
+Compulsive usage of tailoring may be unwanted.
+---
+ org_fedora_oscap/content_discovery.py | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index b20f3a6..e9cf34a 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -169,16 +169,25 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
+             msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
+             raise content_handling.ContentCheckError(msg)
+ 
++    def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
++        expected_tailoring = self._addon_data.tailoring_path
++        tailoring_label = CONTENT_TYPES["TAILORING"]
++        if expected_tailoring:
++            labelled_files = self.reduce_files(labelled_files, expected_tailoring, [tailoring_label])
++        else:
++            labelled_files = {
++                path: label for path, label in labelled_files.items()
++                if label != tailoring_label
++            }
++        return labelled_files
++
+     def filter_discovered_content(self, labelled_files):
+         expected_path = self._addon_data.content_path
+         categories = (CONTENT_TYPES["DATASTREAM"], CONTENT_TYPES["XCCDF_CHECKLIST"])
+         if expected_path:
+             labelled_files = self.reduce_files(labelled_files, expected_path, categories)
+ 
+-        expected_path = self._addon_data.tailoring_path
+-        categories = (CONTENT_TYPES["TAILORING"], )
+-        if expected_path:
+-            labelled_files = self.reduce_files(labelled_files, expected_path, categories)
++        labelled_files = self.allow_one_expected_tailoring_or_no_tailoring(labelled_files)
+ 
+         expected_path = self._addon_data.cpe_path
+         categories = (CONTENT_TYPES["CPE_DICT"], )
+
+From c4cb296ca3838a0967c8258b9ed5221691884a36 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Tue, 8 Nov 2022 10:46:59 +0100
+Subject: [PATCH 5/5] Make the content RPM installation robust
+
+If a package manager fails to install the package,
+use the rpm command directly and skip deps.
+---
+ org_fedora_oscap/ks/oscap.py | 41 ++++++++++++++++++++++++++++--------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index e47d6ba..dac273d 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -23,6 +23,7 @@
+ import shutil
+ import re
+ import os
++import io
+ import time
+ import logging
+ import pathlib
+@@ -473,6 +474,33 @@ def setup(self, storage, ksdata, payload):
+             if pkg not in ksdata.packages.packageList:
+                 ksdata.packages.packageList.append(pkg)
+ 
++    def _attempt_rpm_installation(self):
++        log.info("OSCAP addon: Installing the security content RPM to the installed system.")
++        stdout = io.StringIO()
++        ret = util.execWithRedirect(
++                "yum", ["-y", "--nogpg", "install", self.raw_postinst_content_path],
++                stdout=stdout, root=conf.target.system_root)
++        stdout.seek(0)
++        if ret != 0:
++            log.error(
++                "OSCAP addon: Error installing security content RPM using yum: {0}",
++                stdout.read())
++
++            stdout = io.StringIO()
++            ret = util.execWithRedirect(
++                    "rpm", ["--install", "--nodeps", self.raw_postinst_content_path],
++                    stdout=stdout, root=conf.target.system_root)
++            if ret != 0:
++                log.error(
++                    "OSCAP addon: Error installing security content RPM using rpm: {0}",
++                    stdout.read())
++                msg = _(f"Failed to install content RPM to the target system.")
++                raise RuntimeError(msg)
++
++    def _copy_rpm_to_target_and_install(self, target_content_dir):
++        shutil.copy2(self.raw_preinst_content_path, target_content_dir)
++        self._attempt_rpm_installation()
++
+     def execute(self, storage, ksdata, users, payload):
+         """
+         The execute method that should make changes to the installed system. It
+@@ -507,15 +535,10 @@ def execute(self, storage, ksdata, users, payload):
+         if self.content_type == "datastream":
+             shutil.copy2(self.preinst_content_path, target_content_dir)
+         elif self.content_type == "rpm":
+-            # copy the RPM to the target system
+-            shutil.copy2(self.raw_preinst_content_path, target_content_dir)
+-
+-            # and install it with yum
+-            ret = util.execInSysroot("yum", ["-y", "--nogpg", "install",
+-                                             self.raw_postinst_content_path])
+-            if ret != 0:
+-                msg = _(f"Failed to install content RPM to the target system.")
+-                self._terminate(msg)
++            try:
++                self._copy_rpm_to_target_and_install(target_content_dir)
++            except Exception as exc:
++                self._terminate(str(exc))
+                 return
+         elif self.content_type == "scap-security-guide":
+             # nothing needed

SOURCES/oscap-anaconda-addon-1.3.0-clicking_nocrash-PR_221.patch

@@ -0,0 +1,74 @@
+From 55cc3b685dd5a9ca6059459f41876dd9f19f900d Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Tue, 11 Oct 2022 17:07:28 +0200
+Subject: [PATCH 1/2] Remove redundant message
+
+The send_ready already performs what the removed call
+could aim to accomplish.
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index c57b1cd..4f8702a 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -150,7 +150,6 @@ def decorated(self, *args, **kwargs):
+         self._ready = True
+         # pylint: disable-msg=E1101
+         hubQ.send_ready(self.__class__.__name__, True)
+-        hubQ.send_message(self.__class__.__name__, self.status)
+ 
+         return ret
+ 
+
+From 3f7c560947a17d1696899857e70ebcc8cba44019 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 13 Oct 2022 17:19:17 +0200
+Subject: [PATCH 2/2] Increase robustness of fetching state detection
+
+It is not completely practical to rely on locks alone,
+and we can elliminate some corner cases by looking
+whether well-known UI threads exist.
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 4f8702a..d8e6ce2 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -363,11 +363,14 @@ def _render_selected(self, column, renderer, model, itr, user_data=None):
+         else:
+             renderer.set_property("stock-id", None)
+ 
++    def _still_fetching(self):
++        return self._fetching or threadMgr.get('OSCAPguiWaitForDataFetchThread')
++
+     def _fetch_data_and_initialize(self):
+         """Fetch data from a specified URL and initialize everything."""
+ 
+         with self._fetch_flag_lock:
+-            if self._fetching:
++            if self._still_fetching():
+                 # prevent multiple fetches running simultaneously
+                 return
+             self._fetching = True
+@@ -894,7 +897,7 @@ def refresh(self):
+ 
+             # hide the progress box, no progress now
+             with self._fetch_flag_lock:
+-                if not self._fetching:
++                if not self._still_fetching():
+                     really_hide(self._progress_box)
+ 
+                     self._content_url_entry.set_sensitive(True)
+@@ -1117,7 +1120,7 @@ def on_fetch_button_clicked(self, *args):
+         """Handler for the Fetch button"""
+ 
+         with self._fetch_flag_lock:
+-            if self._fetching:
++            if self._still_fetching():
+                 # some other fetching/pre-processing running, give up
+                 log.warn("Clicked the fetch button, although the GUI is in the fetching mode.")
+                 return

SOURCES/oscap-anaconda-addon-1.3.0-fix_content_paths-PR_225.patch

@@ -0,0 +1,202 @@
+From 08d3da5640e5c16cda4e79cc13ac7921f1ebd964 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Tue, 15 Nov 2022 15:37:28 +0100
+Subject: [PATCH 1/2] Fix handling of content paths
+
+Archives and ready-to-use content use paths differently.
+
+Archives get unpacked into a directory, where they need to be unpacked,
+analyzed, and cross-checked with e.g. the supplied content path,
+whereas ready-to-use content can be used directly.
+
+As the current codebase doesn't untangle all possible ways how to obtain
+existing content in a way of decomposing those into layers, this change
+just makes the current code working at the expense of making it worse to
+maintain.
+---
+ org_fedora_oscap/content_discovery.py | 34 ++++++++++++++++++---------
+ org_fedora_oscap/ks/oscap.py          |  6 ++++-
+ tests/test_content_discovery.py       | 21 +++++++++++++++++
+ 3 files changed, 49 insertions(+), 12 deletions(-)
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index e9cf34a..2b71b1f 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -25,6 +25,14 @@ def is_network(scheme):
+         for net_prefix in data_fetch.NET_URL_PREFIXES)
+ 
+ 
++def path_is_present_among_paths(path, paths):
++    absolute_path = os.path.abspath(path)
++    for second_path in paths:
++        if absolute_path == os.path.abspath(second_path):
++            return True
++    return False
++
++
+ class ContentBringer:
+     CONTENT_DOWNLOAD_LOCATION = pathlib.Path(common.INSTALLATION_CONTENT_DIR)
+     DEFAULT_SSG_DATA_STREAM_PATH = f"{common.SSG_DIR}/{common.SSG_CONTENT}"
+@@ -170,7 +178,7 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
+             raise content_handling.ContentCheckError(msg)
+ 
+     def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
+-        expected_tailoring = self._addon_data.tailoring_path
++        expected_tailoring = self._addon_data.preinst_tailoring_path
+         tailoring_label = CONTENT_TYPES["TAILORING"]
+         if expected_tailoring:
+             labelled_files = self.reduce_files(labelled_files, expected_tailoring, [tailoring_label])
+@@ -182,7 +190,7 @@ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
+         return labelled_files
+ 
+     def filter_discovered_content(self, labelled_files):
+-        expected_path = self._addon_data.content_path
++        expected_path = self._addon_data.preinst_content_path
+         categories = (CONTENT_TYPES["DATASTREAM"], CONTENT_TYPES["XCCDF_CHECKLIST"])
+         if expected_path:
+             labelled_files = self.reduce_files(labelled_files, expected_path, categories)
+@@ -198,7 +206,7 @@ def filter_discovered_content(self, labelled_files):
+ 
+     def reduce_files(self, labelled_files, expected_path, categories):
+         reduced_files = dict()
+-        if expected_path not in labelled_files:
++        if not path_is_present_among_paths(expected_path, labelled_files.keys()):
+             msg = (
+                 f"Expected a file {expected_path} to be part of the supplied content, "
+                 f"but it was not the case, got only {list(labelled_files.keys())}"
+@@ -225,13 +233,9 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
+             structured_content.add_content_archive(dest_filename)
+ 
+         labelled_filenames = content_handling.identify_files(fpaths)
+-        labelled_relative_filenames = {
+-            os.path.relpath(path, self.CONTENT_DOWNLOAD_LOCATION): label
+-            for path, label in labelled_filenames.items()}
+-        labelled_relative_filenames = self.filter_discovered_content(labelled_relative_filenames)
++        labelled_filenames = self.filter_discovered_content(labelled_filenames)
+ 
+-        for rel_fname, label in labelled_relative_filenames.items():
+-            fname = self.CONTENT_DOWNLOAD_LOCATION / rel_fname
++        for fname, label in labelled_filenames.items():
+             structured_content.add_file(str(fname), label)
+ 
+         if fingerprint and dest_filename:
+@@ -274,11 +278,18 @@ def use_downloaded_content(self, content):
+         # We know that we have ended up with a datastream-like content,
+         # but if we can't convert an archive to a datastream.
+         # self._addon_data.content_type = "datastream"
+-        self._addon_data.content_path = str(preferred_content.relative_to(content.root))
++        content_type = self._addon_data.content_type
++        if content_type in ("archive", "rpm"):
++            self._addon_data.content_path = str(preferred_content.relative_to(content.root))
++        else:
++            self._addon_data.content_path = str(preferred_content)
+ 
+         preferred_tailoring = self.get_preferred_tailoring(content)
+         if content.tailoring:
+-            self._addon_data.tailoring_path = str(preferred_tailoring.relative_to(content.root))
++            if content_type in ("archive", "rpm"):
++                self._addon_data.tailoring_path = str(preferred_tailoring.relative_to(content.root))
++            else:
++                self._addon_data.tailoring_path = str(preferred_tailoring)
+ 
+     def use_system_content(self, content=None):
+         self._addon_data.clear_all()
+@@ -372,6 +383,7 @@ def _xccdf_content(self):
+ 
+     def find_expected_usable_content(self, relative_expected_content_path):
+         content_path = self.root / relative_expected_content_path
++        content_path = content_path.resolve()
+         eligible_main_content = (self._datastream_content(), self._xccdf_content())
+ 
+         if content_path in eligible_main_content:
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index dac273d..7d4a131 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -179,7 +179,11 @@ def _parse_profile_id(self, value):
+         self.profile_id = value
+ 
+     def _parse_content_path(self, value):
+-        # need to be checked?
++        if self.content_type in ("archive", "rpm") and os.path.isabs(self.content_path):
++            msg = (
++                "When using archives-like content input, the corresponding content path "
++                "has to be relative, but got '{self.content_path}'.")
++            raise KickstartValueError(msg)
+         self.content_path = value
+ 
+     def _parse_cpe_path(self, value):
+diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
+index 5463c9a..d6e14d9 100644
+--- a/tests/test_content_discovery.py
++++ b/tests/test_content_discovery.py
+@@ -1,3 +1,5 @@
++import os
++
+ import pytest
+ 
+ import org_fedora_oscap.content_discovery as tested_module
+@@ -46,3 +48,22 @@ def test_reduce(labelled_files):
+ 
+     reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
+     assert reduced == labelled_files
++
++
++def test_path_presence_detection():
++    list_of_paths = ["file1", os.path.abspath("file2"), os.path.abspath("dir///file3")]
++
++    list_of_paths_in_list = [
++        "file1", os.path.abspath("file1"), "./file1",
++        "file2", "dir/..//file2",
++        "dir/../dir/file3", "dir/file3",
++    ]
++    list_of_paths_not_in_list = [
++        "../file1", "file3"
++    ]
++
++    for path in list_of_paths_in_list:
++        assert tested_module.path_is_present_among_paths(path, list_of_paths)
++
++    for path in list_of_paths_not_in_list:
++        assert not tested_module.path_is_present_among_paths(path, list_of_paths)
+
+From 786ec5d90d12a1321fbff86f5d8d4a534059ad22 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 16 Nov 2022 15:35:09 +0100
+Subject: [PATCH 2/2] Compare paths according to their equivalence
+
+not according their arbitrary string form
+---
+ org_fedora_oscap/content_discovery.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index 2b71b1f..42c61e0 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -25,10 +25,14 @@ def is_network(scheme):
+         for net_prefix in data_fetch.NET_URL_PREFIXES)
+ 
+ 
++def paths_are_equivalent(p1, p2):
++    return os.path.abspath(p1) == os.path.abspath(p2)
++
++
+ def path_is_present_among_paths(path, paths):
+     absolute_path = os.path.abspath(path)
+     for second_path in paths:
+-        if absolute_path == os.path.abspath(second_path):
++        if paths_are_equivalent(path, second_path):
+             return True
+     return False
+ 
+@@ -213,7 +217,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
+             )
+             raise RuntimeError(msg)
+         for path, label in labelled_files.items():
+-            if label in categories and path != expected_path:
++            if label in categories and not paths_are_equivalent(path, expected_path):
+                 continue
+             reduced_files[path] = label
+         return reduced_files

SOURCES/oscap-anaconda-addon-null-http_content_url-PR_232.patch

@@ -0,0 +1,66 @@
+From 58d4847dc4b55b9d4982be9505127679beca87c6 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 18 Jan 2023 16:36:36 +0100
+Subject: [PATCH 1/2] Handle the URL with missing ://
+
+---
+ org_fedora_oscap/content_discovery.py | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
+index 42c61e0..23fdafd 100644
+--- a/org_fedora_oscap/content_discovery.py
++++ b/org_fedora_oscap/content_discovery.py
+@@ -67,9 +67,14 @@ def content_uri(self):
+ 
+     @content_uri.setter
+     def content_uri(self, uri):
+-        scheme, path = uri.split("://", 1)
+-        self.content_uri_path = path
+-        self.content_uri_scheme = scheme
++        scheme_and_maybe_path = uri.split("://")
++        if len(scheme_and_maybe_path) == 1:
++            msg = (
++                f"Invalid supplied content URL '{uri}', "
++                "use the 'scheme://path' form.")
++            raise KickstartValueError(msg)
++        self.content_uri_path = scheme_and_maybe_path[1]
++        self.content_uri_scheme = scheme_and_maybe_path[0]
+ 
+     def fetch_content(self, what_if_fail, ca_certs_path=""):
+         """
+@@ -80,7 +85,10 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
+                 should handle them in the calling layer.
+             ca_certs_path: Path to the HTTPS certificate file
+         """
+-        self.content_uri = self._addon_data.content_url
++        try:
++            self.content_uri = self._addon_data.content_url
++        except Exception as exc:
++            what_if_fail(exc)
+         shutil.rmtree(self.CONTENT_DOWNLOAD_LOCATION, ignore_errors=True)
+         self.CONTENT_DOWNLOAD_LOCATION.mkdir(parents=True, exist_ok=True)
+         fetching_thread_name = self._fetch_files(
+
+From cbfdae4f43ade3ef982a967f3e2844e66db3f9a0 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 18 Jan 2023 16:36:53 +0100
+Subject: [PATCH 2/2] Stop fetching when there is an invalid profile
+
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index d8e6ce2..54eae1e 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -469,6 +469,8 @@ def update_progress_label(msg):
+         if self._addon_data.profile_id and not selected:
+             # profile ID given, but it was impossible to select it -> invalid
+             # profile ID given
++            with self._fetch_flag_lock:
++                self._fetching = False
+             self._invalid_profile_id()
+             return
+ 

SOURCES/rootpw.patch

@@ -1,68 +0,0 @@
-From 44a643f4c115d638d42f19f668cef1c220aab1b6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Thu, 17 Jan 2019 18:06:02 +0100
-Subject: [PATCH] Updated the code to use the up-to-date Anaconda API.
-
-Fixes RHBZ#1665551
----
- org_fedora_oscap/gui/spokes/oscap.py | 29 +++++++++++++++++++---------
- 1 file changed, 20 insertions(+), 9 deletions(-)
-
-diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
-index 36fd656..f16699b 100644
---- a/org_fedora_oscap/gui/spokes/oscap.py
-+++ b/org_fedora_oscap/gui/spokes/oscap.py
-@@ -38,6 +38,8 @@
- from pyanaconda.ui.categories.system import SystemCategory
- from pykickstart.errors import KickstartValueError
- 
-+from pyanaconda.modules.common.constants.services import USERS
-+
- # pylint: disable-msg=E0611
- from gi.repository import Gdk
- 
-@@ -650,26 +652,35 @@ def _update_message_store(self, report_only=False):
- 
-     def _resolve_rootpw_issues(self, messages, report_only):
-         """Mitigate root password issues (which are not fatal in GUI)"""
--        fatal_rootpw_msgs = [msg for msg in messages
--                             if msg.origin == rule_handling.PasswdRules and msg.type == common.MESSAGE_TYPE_FATAL]
-+        fatal_rootpw_msgs = [
-+            msg for msg in messages
-+            if msg.origin == rule_handling.PasswdRules and msg.type == common.MESSAGE_TYPE_FATAL]
-+
-         if fatal_rootpw_msgs:
-             for msg in fatal_rootpw_msgs:
-                 # cannot just change the message type because it is a namedtuple
-                 messages.remove(msg)
--                messages.append(common.RuleMessage(self.__class__,
--                                                   common.MESSAGE_TYPE_WARNING,
--                                                   msg.text))
-+
-+                msg = common.RuleMessage(
-+                    self.__class__, common.MESSAGE_TYPE_WARNING, msg.text)
-+                messages.append(msg)
-+
-             if not report_only:
--                self.__old_root_pw = self.data.rootpw.password
-+                users_proxy = USERS.get_proxy()
-+
-+                self.__old_root_pw = users_proxy.RootPassword
-                 self.data.rootpw.password = None
--                self.__old_root_pw_seen = self.data.rootpw.seen
-+                self.__old_root_pw_seen = users_proxy.IsRootpwKickstarted
-                 self.data.rootpw.seen = False
- 
-     def _revert_rootpw_changes(self):
-         if self.__old_root_pw is not None:
--            self.data.rootpw.password = self.__old_root_pw
--            self.data.rootpw.seen = self.__old_root_pw_seen
-+            users_proxy = USERS.get_proxy()
-+
-+            users_proxy.SetRootPassword(self.__old_root_pw)
-             self.__old_root_pw = None
-+
-+            users_proxy.SetRootpwKickstarted(self.__old_root_pw_seen)
-             self.__old_root_pw_seen = None
- 
-     @async_action_wait

SOURCES/translate_spoke_title.patch

@@ -1,22 +0,0 @@
-From c88dba4b9deeb78158bf2e239e4b7118a9e8b39f Mon Sep 17 00:00:00 2001
-From: Marek Haicman <mhaicman@redhat.com>
-Date: Thu, 7 Feb 2019 19:24:08 +0100
-Subject: [PATCH] Hack hub title to show translated.
-
----
- org_fedora_oscap/gui/spokes/oscap.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
-index 72c1501..594969a 100644
---- a/org_fedora_oscap/gui/spokes/oscap.py
-+++ b/org_fedora_oscap/gui/spokes/oscap.py
-@@ -190,6 +190,8 @@ def __init__(self, data, storage, payload, instclass):
- 
-         NormalSpoke.__init__(self, data, storage, payload, instclass)
-         self._addon_data = self.data.addons.org_fedora_oscap
-+        # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1673071
-+        self.title = _(self.title)
-         self._storage = storage
-         self._ready = False
- 

SPECS/oscap-anaconda-addon.spec

@@ -2,8 +2,8 @@
 %global _default_patch_flags --no-backup-if-mismatch
 
 Name:           oscap-anaconda-addon
-Version:        1.0
-Release:        10%{?dist}
+Version:        1.2.1
+Release:        14%{?dist}
 Summary:        Anaconda addon integrating OpenSCAP to the installation process
 
 License:        GPLv2+
@@ -16,25 +16,26 @@ URL:            https://github.com/OpenSCAP/oscap-anaconda-addon
 # or via direct git checkout:
 # git clone https://github.com/OpenSCAP/oscap-anaconda-addon.git
 Source0:        %{name}-%{version}.tar.gz
+
+# Let the Patch1 be reserved for translations patches
 Patch1: 	lang.patch
-Patch2: 	oaa-api-update.patch
-Patch3:		help_id.patch
-Patch4:		rootpw.patch
-Patch5:		bootloader.patch
-Patch6:		checksum.patch
-Patch7:		translate_spoke_title.patch
-Patch8:		do_not_use_capitals_for_the_spoke_title.patch
+Patch2: 	oscap-anaconda-addon-1.2.2-content_ident-PR_167.patch
+Patch3: 	oscap-anaconda-addon-1.2.2-deep_archives-PR_168.patch
+Patch4: 	oscap-anaconda-addon-1.2.2-absent_appstream-PR_184.patch
+Patch5: 	oscap-anaconda-addon-1.3.0-better_archive_handling-PR_220.patch
+Patch6: 	oscap-anaconda-addon-1.3.0-clicking_nocrash-PR_221.patch
+Patch7: 	oscap-anaconda-addon-1.3.0-fix_content_paths-PR_225.patch
+Patch8: 	oscap-anaconda-addon-null-http_content_url-PR_232.patch
+Patch9: 	oscap-anaconda-addon-1.2.2-tar-extraction-PR_249.patch
 
 BuildArch:      noarch
+BuildRequires:  make
 BuildRequires:  gettext
-BuildRequires:	python3-devel
+BuildRequires:  python3-devel
 BuildRequires:  python3-pycurl
-#BuildRequires:  python-mock
-#BuildRequires:  python-nose
-#BuildRequires:  python3-cpio
 BuildRequires:  openscap openscap-utils openscap-python3
-BuildRequires:  anaconda-core >= 28.22.10
-Requires:       anaconda-core >= 28.22.10
+BuildRequires:  anaconda-core >= 33
+Requires:       anaconda-core >= 33
 Requires:       python3-cpio
 Requires:       python3-pycurl
 Requires:       python3-kickstart
@@ -49,6 +50,9 @@ content.
 %prep
 %setup -q -n %{name}-%{version}
 
+# As patches may translates the strings that are updated by later patches,
+# Patch1 needs to be aplied last.
+%patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
@@ -56,9 +60,11 @@ content.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
-# As Patch1 translates the upsated string "_Security Policy" added by Patch8,
-# Patch1 needs to be aplied after Patch8
-%patch1 -p1
+%patch9 -p1
+# NOTE CONCERNING TRANSLATION PATCHES
+# When preparing translation patches, don't consider that some languages are unsupported -
+# we aim to include all applicable translation texts to the appropriate patch.
+# This has consulted with ljanda@redhat.com, and we basically follow the existing practice of the Anaconda project we integrate into.
 
 %build
 
@@ -76,6 +82,99 @@ make install DESTDIR=%{buildroot}
 %doc COPYING ChangeLog README.md
 
 %changelog
+* Wed Aug 02 2023 Jan Černý <jcerny@redhat.com> - 1.2.1-14
+- Rebuild after tests update
+
+* Wed Jul 19 2023 Jan Černý <jcerny@redhat.com> - 1.2.1-13
+- Fix tar file extraction (rhbz#2219408)
+- Update translations (rhbz#2189572)
+
+* Wed Feb 08 2023 Matej Tyc <matyc@redhat.com> - 1.2.1-12
+- Update translations
+  Resolves: rhbz#2139743
+
+* Mon Jan 23 2023 Matej Tyc <matyc@redhat.com> - 1.2.1-11
+- Fix a reaction to invalid content URI
+  Resolves: rhbz#2148509
+
+* Wed Nov 23 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-10
+- Fix regression introduced when fixing content archive input
+  Resolves: rhbz#2129008
+
+* Thu Nov 10 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-9
+- Fix problems with handling multi-datastream archives
+  Resolves: rhbz#2129008
+- Fix a crash when compulsively clicking in the GUI
+  Resolves: rhbz#2000998
+
+* Wed Jul 20 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-8
+- Update translations
+  Resolves: rhbz#2062707
+
+* Fri Jun 10 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-7
+- Remove the firstboot remediation feature completely.
+  We can't have it, while maintaining the standard UX.
+  Resolves: rhbz#2063179
+
+* Mon Mar 21 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-6
+- Introduce the firstboot remediation
+  Resolves: rhbz#1834716
+- Add better error handling of installation using unsupported installation sources
+  Resolves: rhbz#2007981
+
+* Fri Jan 21 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-5
+- Updated translations
+  Resolves: rhbz#2017356
+
+* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-4
+- Updated translations
+  Resolves: rhbz#1962007
+
+* Mon Aug 09 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-3
+- Fix handling of archives with directories in GUI installs
+- Resolves: rhbz#1691305
+
+* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-2
+- Refactor content identification
+- Resolves: rhbz#1989441
+
+* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-1
+- Rebase to the new upstream version.
+- Resolves: rhbz#1691305
+
+* Fri Jul 16 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-2
+- Updated translations
+- Resolves: rhbz#1938623
+
+* Fri Jun 25 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-1
+- Rebase to the new upstream version.
+- Resolves: rhbz#1691305
+
+* Mon Feb 15 2021 Matej Tyc <matyc@redhat.com> - 1.1.1-7
+- Updated translations.
+
+* Wed Nov 11 11:46:56 CET 2020 Matej Tyc <matyc@redhat.com> - 1.1.1-6
+- Improved handling of conflicts between packages removed vs software wanted to be installed - rhbz#1892310
+
+* Tue Aug 18 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-5
+- Fixed issues with encountering filenames with weird encoding during scans - rhbz#1867960
+
+* Thu Jul 09 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-4
+- Fixed spoke window text: RHBZ#1855041
+
+* Fri Jun 26 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-3
+- Updated translations: RHBZ#1820557
+
+* Mon Jun 22 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-2
+- Fixed issues addressing combination of profiles and GUI-based software selections: RHBZ#1843932, RHBZ#1787156
+- Improved handling of languages, capitalization: RHBZ#1696278
+- Updated translations: RHBZ#1820557
+
+* Tue Jun 02 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-1
+- Rebase to upstream 1.1.1
+- This OAA is compatible with the RHEL 8.3 Anaconda: RHBZ#1696278
+- The UX has been improved: RHBZ#1781790
+
 * Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 1.0-10
 - Do not use capital letters for spoke title: RHBZ#1744185
 - Updated translations