SOURCES/brp-mangle-shebangs

@@ -93,7 +93,14 @@ while IFS= read -r line; do
   fi
 
 
-  read shebang_line < "$f"
+  if ! read shebang_line < "$f"; then
+    echo >&2 "*** WARNING: Cannot read the first line from $f, removing executable bit"
+    ts=$(stat -c %y "$f")
+    chmod -x "$f"
+    touch -d "$ts" "$f"
+    continue
+  fi
+
   orig_shebang="${shebang_line#\#!}"
   if [ "$orig_shebang" = "$shebang_line" ]; then
     echo >&2 "*** WARNING: $f is executable but has no shebang, removing executable bit"

SOURCES/buildflags.md

@@ -13,6 +13,8 @@ this:
 
 This will invoke the `./configure` with arguments (such as
 `--prefix=/usr`) to adjust the paths to the packaging defaults.
+Prior to that, some common problems in autotools scripts are
+automatically patched across the source tree.
 
 As a side effect, this will set the environment variables `CFLAGS`,
 `CXXFLAGS`, `FFLAGS`, `FCFLAGS`, and `LDFLAGS`, so they can be used by
@@ -25,7 +27,8 @@ environment variables using
     %set_build_flags
 
 early in the `%build` section.  (Again, existing environment variables
-are not overwritten.)
+are not overwritten.)  `%set_build_flags` does not perform autotools
+script rewriting, unlike `%configure`.
 
 Individual build flags are also available through RPM macros:
 
@@ -66,11 +69,24 @@ For other considerations involving shared objects, see:
 
 * [Fedora Packaging Guidelines: Shared Libraries](https://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries)
 
-# Customizing compiler flags
+# Customizing compiler and other build flags
 
 It is possible to set RPM macros to change some aspects of the
 compiler flags.  Changing these flags should be used as a last
-recourse if other workarunds are not available.
+recourse if other workarounds are not available.
+
+### Disable autotools compatibility patching
+
+By default, the invocation of the `%configure` macro replaces
+`config.guess` files in the source tree with the system version.  To
+disable that, define this macro:
+
+    %global _configure_gnuconfig_hack 0
+
+`%configure` also patches `ltmain.sh` scripts, so that linker flags
+are set as well during libtool-.  This can be switched off using:
+
+    %global _configure_libtool_hardening_hack 0
 
 ### Lazy binding
 
@@ -145,6 +161,63 @@ to the RPM spec file to disable these strict checks.  Alternatively,
 you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc
 command line).  The latter needs binutils 2.29.1-12.fc28 or later.
 
+### Post-build ELF object processing
+
+By default, DWARF debugging information is separated from installed
+ELF objects and put into `-debuginfo` subpackages.  To disable most
+debuginfo processing (and thus the generation of these subpackages),
+define `_enable_debug_packages` as `0`.
+
+Processing of debugging information is controlled using the
+`find-debuginfo` tool from the `debugedit` package.  Several aspects
+of its operation can be controlled at the RPM level.
+
+* Creation of `-debuginfo` subpackages is enabled by default.
+  To disable, undefine `_debuginfo_subpackages`.
+* Likewise, `-debugsource` subpackages are automatically created.
+  To disable, undefine `_debugsource_subpackages`.
+  See [Separate Subpackage and Source Debuginfo](https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo)
+  for background information.
+* `_build_id_links`, `_unique_build_ids`, `_unique_debug_names`,
+  `_unique_debug_srcs` control how debugging information and
+  corresponding source files are represented on disk.
+  See `/usr/lib/rpm/macros` for details.  The defaults
+  enable parallel installation of `-debuginfo` packages for
+  different package versions, as described in
+  [Parallel Installable Debuginfo](https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo).
+* By default, a compressed symbol table is preserved in the
+  `.gnu_debugdata` section.  To disable that, undefine
+  `_include_minidebuginfo`.
+* To speed up debuggers, a `.gdb_index` section is created.  It can be
+  disabled by undefining `_include_gdb_index`.
+* Missing build IDs result in a build failure.  To ignore such
+  problems, undefine `_missing_build_ids_terminate_build`.
+* During processing, build IDs are recomputed to match the binary
+  content.  To skip this step, define `_no_recompute_build_ids` as `1`.
+* By default, the options in `_find_debuginfo_dwz_opts` turn on `dwz`
+  (DWARF compression) processing.  Undefine this macro to disable this
+  step.
+* Additional options can be passed by defining the
+  `_find_debuginfo_opts` macro.
+
+After separation of debugging information, additional transformations
+are applied, most of them also related to debugging information.
+These steps can be skipped by undefining the corresponding macros:
+
+* `__brp_strip`: Removal of leftover debugging information.  The tool
+  specified by the `__strip` macro is invoked with the `-g` option on
+  ELF object (`.o`) files.
+* `__brp_strip_static_archive`: This is similar to `__brp_strip`, but
+  processes static `.a` archives instead.
+* `__brp_strip_comment_note`: This step removes unallocated `.note`
+  sections, and `.comment` sections from ELF files.
+* `__brp_ldconfig`: For each shared object on the library search path
+  whose soname does not match its file name, a symbolic link from the
+  soname to the file name is created.  This way, these shared objects
+  are loadable immediately after installation, even if they are not yet
+  listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been
+  invoked yet).
+
 # Individual compiler flags
 
 Compiler flags end up in the environment variables `CFLAGS`,
@@ -202,6 +275,11 @@ The general (architecture-independent) build flags are:
   variables.  (If the address of a variable is never taken, it is not
   possible that a buffer overflow is caused by incorrect pointer
   arithmetic involving a pointer to that variable.)
+* `-fstack-clash-protection`: Turn on instrumentation to avoid
+  skipping the guard page in large stack frames.  (Without this flag,
+  vulnerabilities can result where the stack overlaps with the heap,
+  or thread stacks spill into other regions of memory.)  This flag is
+  fully ABI-compatible and has adds very little run-time overhead.
 * `-grecord-gcc-switches`: Include select GCC command line switches in
   the DWARF debugging information.  This is useful for detecting the
   presence of certain build flags and general hardening coverage.
@@ -240,13 +318,6 @@ added by default.  This can be switched off by undefining the
 These compiler flags are enabled for all builds (hardened/annotated or
 not), but their selection depends on the architecture:
 
-*   `-fstack-clash-protection`: Turn on instrumentation to avoid
-    skipping the guard page in large stack frames.  (Without this flag,
-    vulnerabilities can result where the stack overlaps with the heap,
-    or thread stacks spill into other regions of memory.)  This flag is
-    fully ABI-compatible and has adds very little run-time overhead, but
-    is only available on certain architectures (currently aarch64, i386,
-    ppc64, ppc64le, s390x, x86_64).
 *   `-fcf-protection`: Instrument binaries to guard against
     ROP/JOP attacks.  Used on i686 and x86_64.
 *   `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
@@ -260,24 +331,18 @@ not), but their selection depends on the architecture:
     useful because unwind information is available without having to
     install (and load) debugging ienformation.
     Asynchronous unwind tables are enabled for aarch64, i686, s390x,
-    and x86_64.  They are not needed on armhfp, ppc64 and ppc64le due
+    and x86_64.  They are not needed on ppc64le due
     to architectural differences in stack management.  On these
     architectures, `-fexceptions` (see above) still enables regular
     unwind tables (or they are enabled by default even without this
     option).
 *   `-funwind-tables`: A subset of the unwind information restricted
-    to actual call sites.  Used on ppc64, ppc64le.  Also implied by
+    to actual call sites.  Used on ppc64le.  Also implied by
     `-fexceptions`.
 
 In addition, `redhat-rpm-config` re-selects the built-in default
 tuning in the `gcc` package.  These settings are:
 
-*   **armhfp**: `-march=armv7-a -mfpu=vfpv3-d16  -mfloat-abi=hard`
-    selects an Arm subarchitecture based on the ARMv7-A architecture
-    with 16 64-bit floating point registers.  `-mtune=cortex-8a` selects
-    tuning for the Cortex-A8 implementation (while preserving compatibility
-    with other ARMv7-A implementations).  `-mabi=aapcs-linux` switches to
-    the AAPCS ABI for GNU/Linux.
 *   **i686**: `-march=x86-64` is used to select a minimum supported
     CPU level matching the baseline for the x86_64 architecture.
     `-mtune=generic` activates tuning for a current blend of CPUs.
@@ -296,7 +361,7 @@ tuning in the `gcc` package.  These settings are:
     (z14).
 *   **x86_64**: `-mtune=generic` selects tuning which is expected to
      beneficial for a broad range of current CPUs.
-*   **ppc64** and **aarch64** do not have any architecture-specific tuning.
+*   **aarch64** does not have any architecture-specific tuning.
 
 # Individual linker flags
 

SOURCES/gpgverify

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
+#
+# This material is provided as is, with absolutely no warranty expressed
+# or implied. Any use is at your own risk.
+#
+# Permission is hereby granted to use or copy this shellscript
+# for any purpose, provided the above notices are retained on all copies.
+# Permission to modify the code and to distribute modified code is granted,
+# provided the above notices are retained, and a notice that the code was
+# modified is included with the above copyright notice.
+
+
+function print_help {
+    cat <<'EOF'
+Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>
+
+gpgverify is a wrapper around gpgv designed for easy and safe scripting. It
+verifies a file against a detached OpenPGP signature and a keyring. The keyring
+shall contain all the keys that are trusted to certify the authenticity of the
+file, and must not contain any untrusted keys.
+
+The differences, compared to invoking gpgv directly, are that gpgverify accepts
+the keyring in either ASCII-armored or unarmored form, and that it will not
+accidentally use a default keyring in addition to the specified one.
+
+Parameters:
+  --keyring=<pathname>    keyring with all the trusted keys and no others
+  --signature=<pathname>  detached signature to verify
+  --data=<pathname>       file to verify against the signature
+EOF
+}
+
+
+fatal_error() {
+    message="$1"  # an error message
+    status=$2     # a number to use as the exit code
+    echo "gpgverify: $message" >&2
+    exit $status
+}
+
+
+require_parameter() {
+    term="$1"   # a term for a required parameter
+    value="$2"  # Complain and terminate if this value is empty.
+    if test -z "${value}" ; then
+        fatal_error "No ${term} was provided." 2
+    fi
+}
+
+
+check_status() {
+    action="$1"  # a string that describes the action that was attempted
+    status=$2    # the exit code of the command
+    if test $status -ne 0 ; then
+        fatal_error "$action failed." $status
+    fi
+}
+
+
+# Parse the command line.
+keyring=
+signature=
+data=
+for parameter in "$@" ; do
+    case "${parameter}" in
+        (--help)
+            print_help
+            exit
+            ;;
+        (--keyring=*)
+            keyring="${parameter#*=}"
+            ;;
+        (--signature=*)
+            signature="${parameter#*=}"
+            ;;
+        (--data=*)
+            data="${parameter#*=}"
+            ;;
+        (*)
+            fatal_error "Unknown parameter: \"${parameter}\"" 2
+            ;;
+    esac
+done
+require_parameter 'keyring' "${keyring}"
+require_parameter 'signature' "${signature}"
+require_parameter 'data file' "${data}"
+
+# Make a temporary working directory.
+workdir="$(mktemp --directory)"
+check_status 'Making a temporary directory' $?
+workring="${workdir}/keyring.gpg"
+
+# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
+# ASCII-armored.
+gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
+check_status 'Decoding the keyring' $?
+
+# Verify the signature using the decoded keyring.
+gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
+check_status 'Signature verification' $?
+
+# (--homedir isn't actually necessary. --dearmor processes only the input file,
+# and if --keyring is used and contains a slash, then gpgv2 uses only that
+# keyring. Thus neither command will look for a default keyring, but --homedir
+# makes extra double sure that no default keyring will be touched in case
+# another version of GPG works differently.)
+
+# Clean up. (This is not done in case of an error that may need inspection.)
+rm --recursive --force ${workdir}

SOURCES/macros.fedora-misc

@@ -0,0 +1,79 @@
+# Some miscellaneous Fedora-related macros
+
+# List files matching inclusion globs, excluding files matching exclusion blogs
+# Optional parameters:
+#  – -i "<globs>" inclusion globs
+#  – -x "<globs>" exclusion globs
+# Globs are space-separated lists of shell globs. Such lists require %{quote:}
+# use for safe rpm argument passing.
+# Alternatively, set the following rpm variables before calling the macro:
+#  – “listfiles_include” inclusion globs
+#  — “listfiles_exclude” exclusion globs
+# Arguments passed to the macro without flags will be interpreted as inclusion
+# globs.
+%listfiles(i:x:) %{expand:
+%if %{lua: print(string.len(rpm.expand("%{?-i*}%{?listfiles_include}%*")))}
+  listfiles_include=$(realpath -e --relative-base=. %{?-i*} %{?listfiles_include} %* | sort -u)
+  %if  %{lua: print(string.len(rpm.expand("%{?-x*}%{?listfiles_exclude}")))}
+    while IFS= read -r finc ; do
+      realpath -qe --relative-base=. %{?-x*} %{?listfiles_exclude} \\
+        | sort -u | grep -q "${finc}" || echo "${finc}"
+    done <<< "${listfiles_include}"
+  %else
+    echo "${listfiles_include}"
+  %endif
+%endif
+}
+
+# https://github.com/rpm-software-management/rpm/issues/581
+# Write the contents of a list of rpm variables to a macro file.
+# The target file must contain the corresponding anchors.
+# For example %writevars -f myfile foo bar will replace:
+#  @@FOO@@ with the rpm evaluation of %{foo} and
+#  @@BAR@@ with the rpm evaluation of %{bar}
+# in myfile
+%writevars(f:) %{lua:
+local    fedora = require "fedora.common"
+local macrofile = rpm.expand("%{-f*}")
+local   rpmvars = {}
+for i = 1, rpm.expand("%#") do
+  table.insert(rpmvars, rpm.expand("%" .. i))
+end
+fedora.writevars(macrofile,rpmvars)
+}
+
+# gpgverify verifies signed sources. There is documentation in the script.
+%gpgverify(k:s:d:) %{lua:
+local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
+local keyring = rpm.expand("%{-k*}")
+local signature = rpm.expand("%{-s*}")
+local data = rpm.expand("%{-d*}")
+print(script)
+if keyring ~= "" then
+  print(rpm.expand("--keyring='%{SOURCE" .. keyring ..  "}' "))
+end
+if signature ~= "" then
+  print(rpm.expand("--signature='%{SOURCE" .. signature ..  "}' "))
+end
+if data ~= "" then
+  print(rpm.expand("--data='%{SOURCE" .. data ..  "}' "))
+end
+}
+
+# gpgverify verifies signed sources. There is documentation in the script.
+%gpgverify(k:s:d:) %{lua:
+local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
+local keyring = rpm.expand("%{-k*}")
+local signature = rpm.expand("%{-s*}")
+local data = rpm.expand("%{-d*}")
+print(script)
+if keyring ~= "" then
+  print(rpm.expand("--keyring='%{SOURCE" .. keyring ..  "}' "))
+end
+if signature ~= "" then
+  print(rpm.expand("--signature='%{SOURCE" .. signature ..  "}' "))
+end
+if data ~= "" then
+  print(rpm.expand("--data='%{SOURCE" .. data ..  "}' "))
+end
+}

SOURCES/macros.kernel-srpm

@@ -0,0 +1,3 @@
+# kernel_arches lists what arches the full kernel is built for.
+
+%kernel_arches x86_64 s390x ppc64le aarch64 %{arm}

SOURCES/modalias.prov

@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash -efu
 
 # heavily based upon find-suggests.ksyms by Andreas Gruenbacher <agruen@suse.de>.
 # with modifications by Michael Brown <Michael_E_Brown@dell.com>
@@ -14,7 +14,8 @@ IFS=$'\n'
 # completeness, so that we can determine when drivers are folded into
 # mainline kernel.
 #
-case "$1" in
+is_kernel_package=""
+case "${1:-}" in
 kernel-module-*)    ;; # Fedora kernel module package names start with
 		       # kernel-module.
 kernel*)	   is_kernel_package=1 ;;
@@ -25,6 +26,11 @@ if ! [ -z "$is_kernel_package" ]; then
     exit 0
 fi
 
+# Check for presence of the commands used
+which /sbin/modinfo >/dev/null || exit 0
+which sed >/dev/null || exit 0
+which sort >/dev/null || exit 0
+
 print_modaliases() {
     declare class=$1 variants=$2 pos=$3
     if [ -n "$variants" ]; then
@@ -35,7 +41,7 @@ print_modaliases() {
 }
 
 combine_modaliases() {
-    declare tag class variants pos n
+    declare tag class variants="" pos="" n
     read class
     while read tag; do
 	for ((n=0; n<${#class}; n++)); do
@@ -58,19 +64,15 @@ combine_modaliases() {
     print_modaliases "$class" "$variants" "$pos"
 }
 
-for module in $(grep -E '/lib/modules/.+\.ko$') $*; do
+for module in $(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$') "$@"; do
     # | head -n1 because some modules have *two* version tags. *cough*b44*cough*
     modver=$(/sbin/modinfo -F version "$module"| head -n1)
-    modver=${modver// /_}
-
+    modver=${modver//[^0-9a-zA-Z._]/_}
     # only add version tag if it has a version
-    if [ -n "$modver" ]; then
-        /sbin/modinfo -F alias "$module" \
-        | sed -nre "s,(.+),modalias(\\1) = $modver,p"
-    else
-        /sbin/modinfo -F alias "$module" \
-        | sed -nre "s,(.+),modalias(\\1),p"
-    fi
+    [ -z "$modver" ] || modver=" = $modver"
+
+    /sbin/modinfo -F alias "$module" \
+    | sed -nre "s,[^][0-9a-zA-Z._:*?/-],_,g; s,(.+),modalias(\\1)$modver,p"
 done \
 | sort -u \
 | combine_modaliases

SOURCES/redhat-annobin-plugin-select.sh

@@ -0,0 +1,199 @@
+#!/usr/bin/sh
+# This is a script to select which GCC spec file fragment
+# should be the destination of the redhat-annobin-cc1 symlink.
+
+# Author: Nick Clifton  <nickc@redhat.com>
+# Copyright (c) 2021 Red Hat.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published
+# by the Free Software Foundation; either version 2, or (at your
+# option) any later version.
+
+# It is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# Usage:
+#   redhat-annobin-plugin-select [script-dir]
+#
+# If script-dir is not provided then /usr/lib/rpm/redhat is used
+# as the location where all of the annobin plugin selection files
+# can be found.
+
+if test "x$1" = "x" ;
+then
+    rrcdir=/usr/lib/rpm/redhat
+else
+    rrcdir=$1
+fi
+
+# Set this variable to non-zero to enable the generation of debugging
+# messages.
+debug=0
+
+# Decide which version of the annobin plugin for gcc should be used.
+# There are two possible versions, one created by the annobin package and one
+# created by the gcc package.  The logic selects the gcc version unless both
+# have been built by the same version of the compiler.  In that case the
+# annobin version is selected instead.
+#
+# The point of all this is that the annobin plugin is very sensitive to
+# mismatches with the version of gcc that built it.  If the plugin is built
+# by version A of gcc, but then run on version B of gcc, it is possible for
+# the plugin to misbehave, which then causes problems if gating tests examine
+# the plugin's output.  (This has happened more than once in RHEL...).
+#
+# So the plugin is built both by gcc and by the annobin package.  This means
+# that whenever gcc is updated a fresh plugin is built, and the logic below
+# will select that version.  But in order to allow annobin development to
+# proceed independtently of gcc, the annobin package can also update its
+# version of the plugin, and the logic will select this new version.
+
+# This is where the annobin package stores the information on the version
+# of gcc that built the annobin plugin.
+aver=`gcc --print-file-name=plugin`/annobin-plugin-version-info
+
+# This is where the gcc package stores its version information.
+gver=`gcc --print-file-name=rpmver`
+
+aplugin=`gcc --print-file-name=plugin`/annobin.so.0.0.0
+gplugin=`gcc --print-file-name=plugin`/gcc-annobin.so.0.0.0
+
+# This is the file that needs to be updated when either of those version
+# files changes.
+rac1=redhat-annobin-cc1
+
+# This is the GCC spec file fragment that selects the gcc-built version of
+# the annobin plugin
+select_gcc=redhat-annobin-select-gcc-built-plugin
+
+# This is the GCC spec file fragment that selects the annobin-built version
+# of the annobin plugin
+select_annobin=redhat-annobin-select-annobin-built-plugin
+
+install_annobin_version=0
+install_gcc_version=0
+
+if [ -f $aplugin ]
+then
+    if [ -f $gplugin ]
+    then
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Both plugins exist, checking version information"
+	fi
+
+	if [ -f $gver ]
+	then
+	    if [ -f $aver ]
+	    then
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Both plugin version files exist - comparing..."
+		fi
+
+		# Get the first line from the version info files.  This is just in
+		# vase there are extra lines in the files.
+		avers=`head --lines=1 $aver`
+		gvers=`head --lines=1 $gver`
+
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Annobin plugin built by gcc $avers"
+		    echo "  redhat-rpm-config: GCC     plugin built by gcc $gvers"
+		fi
+
+		# If both plugins were built by the same version of gcc then select
+		# the one from the annobin package (in case it is built from newer
+		# sources).  If the plugin builder versions differ, select the gcc
+		# built version instead.  This assumes that the gcc built version
+		# always matches the installed gcc, which should be true.
+		if [ $avers = $gvers ]
+		then
+		    if [ $debug -eq 1 ]
+		    then
+			echo "  redhat-rpm-config: Both plugins built by the same compiler - using annobin-built plugin"
+		    fi
+		    install_annobin_version=1
+		else
+		    if [ $debug -eq 1 ]
+		    then
+			echo "  redhat-rpm-config: Versions differ - using gcc-built plugin"
+		    fi
+		    install_gcc_version=1
+		fi
+	    else
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Annobin version file does not exist, using gcc-built plugin"
+		fi
+		install_gcc_version=1
+	    fi
+	else
+	    if [ -f $aver ]
+	    then
+		# FIXME: This is suspicious.  If the installed GCC does not supports plugins
+		# then enabling the annobin plugin will not work.
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: GCC plugin version file does not exist, using annobin-built plugin"
+		fi
+		install_annobin_version=1
+	    else
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Neither version file exists - playing safe and using gcc-built plugin"
+		    echo "  redhat-rpm-config: Note: expected to find $aver and/or $gver"
+		fi
+		install_gcc_version=1
+	    fi
+	fi
+    else
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Only the annobin plugin exists - using that"
+	fi
+	install_annobin_version=1
+    fi
+else
+    if [ -f $gplugin ]
+    then
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Only the gcc plugin exists - using that"
+	fi
+    else
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Neither plugin exists - playing safe and using gcc-built plugin"
+	    echo "  redhat-rpm-config: Note: expected to find $aplugin and/or $gplugin"
+	fi
+    fi
+    install_gcc_version=1
+fi
+
+if [ $install_annobin_version -eq 1 ]
+then
+    if [ $debug -eq 1 ]
+    then
+	echo "  redhat-rpm-config: Installing annobin version of $rac1"
+    fi
+    pushd $rrcdir > /dev/null
+    rm -f $rac1
+    ln -s $select_annobin "$rac1"
+    popd > /dev/null
+    
+else if [ $install_gcc_version -eq 1 ]
+     then
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Installing gcc version of $rac1"
+	fi
+	pushd $rrcdir > /dev/null
+	rm -f $rac1
+	ln -s $select_gcc $rac1
+	popd > /dev/null
+     fi
+fi

SOURCES/redhat-annobin-select-annobin-built-plugin

@@ -0,0 +1,2 @@
+*cc1_options:
++ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}

SOURCES/redhat-annobin-select-gcc-built-plugin

@@ -0,0 +1,2 @@
+*cc1_options:
++ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin}

SPECS/redhat-rpm-config.spec

@@ -6,7 +6,7 @@
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 123
+Version: 131
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@@ -27,6 +27,9 @@ Source51: redhat-hardened-ld
 
 # gcc specs files for annobin builds
 Source52: redhat-annobin-cc1
+Source53: redhat-annobin-select-gcc-built-plugin
+Source54: redhat-annobin-select-annobin-built-plugin
+Source55: redhat-annobin-plugin-select.sh
 
 # The macros defined by these files are for things that need to be defined
 # at srpm creation time when it is not feasible to require the base packages
@@ -45,6 +48,8 @@ Source151: macros.kmp
 Source152: macros.vpath
 Source153: macros.forge
 Source154: macros.ldconfig
+Source155: macros.kernel-srpm
+Source156: macros.fedora-misc
 
 # Build policy scripts
 # this comes from https://github.com/rpm-software-management/rpm/pull/344
@@ -65,6 +70,7 @@ Source400: dist.sh
 Source401: rpmsort
 Source402: symset-table
 Source403: kmodtool
+Source404: gpgverify
 
 # 2016-10-02 snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git
 Source500: config.guess
@@ -102,6 +108,7 @@ Requires: rpm >= 4.11.0
 Requires: dwz >= 0.4
 Requires: zip
 Requires: (annobin if gcc)
+Requires: (gcc-plugin-annobin if gcc)
 
 # for brp-mangle-shebangs
 Requires: %{_bindir}/find
@@ -110,6 +117,11 @@ Requires: %{_bindir}/grep
 Requires: %{_bindir}/sed
 Requires: %{_bindir}/xargs
 
+# iconv modules have been split out of glibc into a separate package (#1971664)
+# so let's ensure packages that require them at build time but haven't yet
+# added an explicit BuildRequires will continue to work (#2013328)
+Requires: glibc-gconv-extra
+
 # -fstack-clash-protection and -fcf-protection require GCC 8.
 Conflicts: gcc < 8
 
@@ -143,6 +155,7 @@ install -p -m 444 -t %{buildroot}%{rrcdir} redhat-hardened-*
 install -p -m 444 -t %{buildroot}%{rrcdir} redhat-annobin-*
 install -p -m 755 -t %{buildroot}%{rrcdir} config.*
 install -p -m 755 -t %{buildroot}%{rrcdir} dist.sh rpmsort symset-table kmodtool
+install -p -m 755 -t %{buildroot}%{rrcdir} gpgverify
 install -p -m 755 -t %{buildroot}%{rrcdir} brp-*
 
 install -p -m 755 -t %{buildroot}%{rrcdir} find-*
@@ -161,6 +174,54 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
 install -p -m 644 %{SOURCE20} %{buildroot}%{_fileattrsdir}/kabi.attr
 install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 
+# This trigger is used to decide which version of the annobin plugin for gcc
+# should be used.  See comments in the script for full details.
+#
+# Note: for RHEL the rpm containing the annobin built plugin is called
+# "annobin", whereas in Fedora it is called "annobin-plugin-gcc".  This is
+# for historical reasons and will change with the introduction of RHEL-10.
+#
+# Note - whilst "gcc-plugin-annobin" requires "gcc" and hence in theory we
+# do not need to trigger on "gcc", the redhat-annobin-plugin-select.sh
+# script invokes gcc to determine the version of the gcc plugin, and this
+# can be significant.
+#
+# For example, suppose that version N of gcc is installed and that annobin
+# version A (built by gcc version N) is also installed.  Then a new version
+# of gcc is released.  If the rpms are updated in this order:
+#   gcc-plugin-annobin
+#   gcc
+# then when the trigger for gcc-plugin-annobin is run, the script will see
+# (the not yet updated) gcc is currently version N, which matches the current
+# annobin plugin A, so no changes are necessary.  Then gcc is updated and,
+# if the trigger below did not include "gcc", the script would not run again
+# and so now you would have an out of date version of the annobin plugin.
+#
+# Alternatively imagine installing gcc and annobin for the first time.
+# If the installation order is:
+#    gcc
+#    annobin-plugin-gcc
+#    gcc-plugin-annobin
+# then the installation of gcc will not cause the gcc-plugin-annobin to be
+# selected, since it does not exist yet.  Then annobin-plugin-gcc is installed
+# and since it is the only plugin, it will be selected.  Then
+# gcc-plugin-annobin is installed, and if the trigger below was not set to
+# run on gcc-plugin-annobin, it would pass unnoticed.
+#
+# Hence it is necessary to trigger on both gcc and gcc-plugin-annobin.
+
+%triggerin -- annobin gcc-plugin-annobin gcc
+%{rrcdir}/redhat-annobin-plugin-select.sh
+%end
+
+# We also trigger when an annobin plugin is uninstalled.  This allows us to switch
+# over to the other version of the plugin.  It does not matter if
+# gcc is uninstalled, since if that happens the plugin cannot be used.
+
+%triggerpostun -- annobin gcc-plugin-annobin
+%{rrcdir}/redhat-annobin-plugin-select.sh
+%end
+
 %files
 %dir %{rrcdir}
 %{rrcdir}/macros
@@ -168,6 +229,7 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 %{rrcdir}/brp-mangle-shebangs
 %{rrcdir}/brp-ldconfig
 %{rrcdir}/dist.sh
+%{rrcdir}/gpgverify
 %{rrcdir}/redhat-hardened-*
 %{rrcdir}/redhat-annobin-*
 %{rrcdir}/config.*
@@ -181,7 +243,15 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 %{_rpmconfigdir}/macros.d/macros.forge
 %{_rpmconfigdir}/macros.d/macros.ldconfig
 %{_rpmconfigdir}/macros.d/macros.vpath
+%{_rpmconfigdir}/macros.d/macros.kernel-srpm
+%{_rpmconfigdir}/macros.d/macros.fedora-misc
 %{_rpmconfigdir}/kabi.sh
+
+%attr(0755,-,-) %{rrcdir}/redhat-annobin-plugin-select.sh
+%verify(owner group mode) %{rrcdir}/redhat-annobin-cc1
+%{rrcdir}/redhat-annobin-select-gcc-built-plugin
+%{rrcdir}/redhat-annobin-select-annobin-built-plugin
+
 %doc buildflags.md
 
 %files -n kernel-rpm-macros
@@ -198,6 +268,33 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 %{_rpmconfigdir}/macros.d/macros.kmp
 
 %changelog
+* Wed Feb 08 2023 Nick Clifton  <nickc@redhat.com> - 131-1
+- Fix triggers for the installation and removal of gcc-plugin-annobin.  (#2168233)
+
+* Tue Apr 05 2022 Nick Clifton <nickc@redhat.com> = 130-1
+- Select between gcc-built and annobin-built versions of the annobin plugin.
+  (#2067153)
+
+* Wed Mar 23 2022 Michal Domonkos <mdomonko@redhat.com> - 129-1
+- Fix handling of files without newlines in brp-mangle-shebang (#2063036)
+
+* Wed Jan 05 2022 Eugene Syromiatnikov <esyr@redhat.com> - 128-1
+- modalias.prov: handle compressed kmods, sanitise alias/version strings
+  (#1976000)
+
+* Mon Dec 13 2021 Michal Domonkos <mdomonko@redhat.com> - 127-1
+- Add Requires: glibc-gconv-extras to cover for the split (#2013328)
+
+* Mon Nov 29 2021 Florian Weimer <fweimer@redhat.com> - 126-1
+- buildflags.md: Documentation updates (#2005079)
+
+* Fri Nov 27 2020 Florian Festi <ffesti@redhat.com> - 125-1
+- Add missing macros.fedora-misc file (#1874576)
+
+* Mon Nov 09 2020 Florian Festi <ffesti@redhat.com> - 124-1
+- Add macros.kernel-srpm (#1874578)
+- Added gpgverify (#1874576)
+
 * Tue Jun 16 2020 Florian Festi <ffesti@redhat.com> - 123-1
 - Update kmod.prov for better performance (#1794491)
 - Backport performance improvements for brp-mangle-shebangs (#1794779)