Backport patch to tweak downgrade protection for FCOS

See https://github.com/coreos/rpm-ostree/pull/2096 and
https://github.com/coreos/fedora-coreos-tracker/issues/481.

0001-upgrader-Reset-ref-before-fetching-commit-by-overrid.patch

@@ -0,0 +1,49 @@
+From b7ff1612eae3e5aa88fc52d59f7511c7046152fb Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Fri, 15 May 2020 10:19:04 -0400
+Subject: [PATCH] upgrader: Reset ref before fetching commit by override
+
+This is a short-term hack until we can depend on the new
+`timestamp-check-from-rev` from ostree:
+
+https://github.com/ostreedev/ostree/pull/2099
+
+That way, we still get downgrade protection, but wrt the checked out
+deployment, not the local ref.
+
+For more information, see
+https://github.com/coreos/rpm-ostree/pull/2094
+https://github.com/coreos/fedora-coreos-tracker/issues/481
+---
+ src/daemon/rpmostree-sysroot-upgrader.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/rpmostree-sysroot-upgrader.c b/src/daemon/rpmostree-sysroot-upgrader.c
+index 4e595b1b..45aaf282 100644
+--- a/src/daemon/rpmostree-sysroot-upgrader.c
++++ b/src/daemon/rpmostree-sysroot-upgrader.c
+@@ -419,8 +419,19 @@ rpmostree_sysroot_upgrader_pull_base (RpmOstreeSysrootUpgrader  *self,
+             /* Add the timestamp check, unless disabled. The option was added in
+              * libostree v2017.11 */
+             if (!allow_older)
+-              g_variant_builder_add (optbuilder, "{s@v}", "timestamp-check",
+-                                     g_variant_new_variant (g_variant_new_boolean (TRUE)));
++              {
++                g_variant_builder_add (optbuilder, "{s@v}", "timestamp-check",
++                                       g_variant_new_variant (g_variant_new_boolean (TRUE)));
++                /* XXX: Short-term hack until we switch to timestamp-check-from-rev:
++                 * https://github.com/coreos/rpm-ostree/pull/2094. This ensures that
++                 * timestamp-check is comparing against our deployment csum's timestamp, not
++                 * whatever the ref is pointing to.
++                 */
++                if (override_commit &&
++                    !ostree_repo_set_ref_immediate (self->repo, origin_remote, origin_ref,
++                                                    self->base_revision, cancellable, error))
++                  return FALSE;
++              }
+             g_variant_builder_add (optbuilder, "{s@v}", "refs",
+                                    g_variant_new_variant (g_variant_new_strv (
+                                                                               (const char *const *)&origin_ref, 1)));
+-- 
+2.25.4
+

rpm-ostree.spec

@@ -4,7 +4,7 @@
 Summary: Hybrid image/package system
 Name: rpm-ostree
 Version: 2020.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 #VCS: https://github.com/cgwalters/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
 # in the upstream git.  If rust is enabled, it contains vendored sources.
@@ -12,6 +12,8 @@ Source0: rpm-ostree-%{version}.tar.xz
 License: LGPLv2+
 URL: https://github.com/projectatomic/rpm-ostree
 
+Patch0: 0001-upgrader-Reset-ref-before-fetching-commit-by-overrid.patch
+
 ExclusiveArch: %{rust_arches}
 
 %if 0%{?fedora}
@@ -190,6 +192,10 @@ $PYTHON autofiles.py > files.devel \
 
 %files devel -f files.devel
 %changelog
+* Fri May 15 2020 Jonathan Lebon <jonathan@jlebon.com> - 2020.2-3
+- Backport https://github.com/coreos/rpm-ostree/pull/2096
+  See https://github.com/coreos/fedora-coreos-tracker/issues/481
+
 * Fri May 15 2020 Colin Walters <walters@verbum.org> - 2020.2-2
 - https://github.com/coreos/rpm-ostree/releases/tag/v2020.2