import UBI rpm-4.16.1.3-25.el9

SOURCES/0001-Macroize-find-debuginfo-script-location.patch

@@ -0,0 +1,51 @@
+From 1a2554da434548e916240796fe7ca9689c5771fe Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 27 May 2021 13:58:58 +0300
+Subject: [PATCH] Macroize find-debuginfo script location
+
+Makes it easier to handle varying paths, mainly in preparation for the
+next step.
+
+(cherry picked from commit ce48167f37af59b6366083fb78a314f7931c0c6b)
+---
+ configure.ac | 1 +
+ macros.in    | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 39f9a0e5b..35b4dff4c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -113,6 +113,7 @@ AC_PATH_PROG(__NM, nm, /usr/bin/nm, $MYPATH)
+ AC_PATH_PROG(__OBJCOPY, objcopy, /usr/bin/objcopy, $MYPATH)
+ AC_PATH_PROG(__OBJDUMP, objdump, /usr/bin/objdump, $MYPATH)
+ AC_PATH_PROG(__STRIP, strip, /usr/bin/strip, $MYPATH)
++AC_PATH_PROG(__FIND_DEBUGINFO, find-debuginfo, /usr/bin/find-debuginfo, $MYPATH)
+ 
+ AC_PATH_PROG(__GIT, git, /usr/bin/git, $MYPATH)
+ AC_PATH_PROG(__HG, hg, /usr/bin/hg, $MYPATH)
+diff --git a/macros.in b/macros.in
+index 24b124702..2bcf07ef8 100644
+--- a/macros.in
++++ b/macros.in
+@@ -80,6 +80,8 @@
+ %__remsh		%{__rsh}
+ %__strip		@__STRIP@
+ 
++%__find_debuginfo	@__FIND_DEBUGINFO@
++
+ #==============================================================================
+ # Conditional build stuff.
+ 
+@@ -149,7 +151,7 @@
+ #       _find_debuginfo_vendor_opts to pass options to the script.
+ #
+ %__debug_install_post   \
+-    %{_rpmconfigdir}/find-debuginfo.sh \\\
++    %{__find_debuginfo} \\\
+     %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\
+     %{?_missing_build_ids_terminate_build:--strict-build-id} \\\
+     %{?_no_recompute_build_ids:-n} \\\
+-- 
+2.41.0
+

SOURCES/rpm-4.16.1.3-IMA-without-xattr.patch

@@ -0,0 +1,41 @@
+Based on
+
+From 7db2efa95d859cebda2b095ffdffac42812bd6d9 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 22 Feb 2022 16:57:00 +0000
+Subject: [PATCH] ima: Install on filesystems without xattr support without
+ failing
+
+If an RPM contains IMA signed digests and rpm-plugin-ima is installed,
+then any attempt to install to a filesystem that doesn't support
+extended attributes will cause the RPM installation to fail.
+
+This can be seen, for example, if installing a file /boot, which is
+usually a vFAT filesystem.
+
+The rpm-plugin for selinux fixed this some time back, and that same
+logic can be applied to IMA too - where, if a failure to set an extended
+attribute results in an errno that is set to EOPNOTSUPP, then this
+should not cause a complete failure, but should instead just be logged
+at a debug level.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+
+--- rpm-4.16.1.3/plugins/ima.c.orig	2023-05-02 18:19:25.095992859 +0200
++++ rpm-4.16.1.3/plugins/ima.c	2023-05-02 18:21:46.032941008 +0200
+@@ -69,10 +69,13 @@
+ 	fsig = rpmfiFSignature(fi, &len);
+ 	if (fsig && (check_zero_hdr(fsig, len) == 0)) {
+ 	    if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
+-	        rpmlog(RPMLOG_ERR,
++		int is_err = errno != EOPNOTSUPP; 
++	        rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
+ 			"ima: could not apply signature on '%s': %s\n",
+ 			path, strerror(errno));
+-	        rc = RPMRC_FAIL;
++		if (is_err) {
++		    rc = RPMRC_FAIL;
++		}
+ 	    }
+ 	}
+ 

SOURCES/rpm-4.16.1.3-external-debugedit.patch

@@ -0,0 +1,11 @@
+--- rpm-4.16.1.3/tests/Makefile.am.orig	2023-05-03 12:44:36.287582896 +0200
++++ rpm-4.16.1.3/tests/Makefile.am	2023-05-03 12:46:34.182938006 +0200
+@@ -170,7 +170,7 @@
+ 	for d in dev etc magic tmp var; do if [ ! -d testing/$${d} ]; then mkdir testing/$${d}; fi; done
+ 	for node in urandom stdin stderr stdout null full; do ln -s /dev/$${node} testing/dev/$${node}; done
+ 	for cf in hosts resolv.conf passwd shadow group gshadow mtab ; do [ -f /etc/$${cf} ] && ln -s /etc/$${cf} testing/etc/$${cf}; done
+-	for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done
++	for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs debugedit find-debuginfo find-debuginfo.sh ; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done
+ 	for d in /proc /sys /selinux /etc/selinux; do if [ -d $${d} ]; then ln -s $${d} testing/$${d}; fi; done
+ 	(cd testing/magic && file -C)
+ 	chmod -R u-w testing/

SPECS/rpm.spec

@@ -32,7 +32,7 @@
 
 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 22
+%global rel 25
 %global sover 9
 
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@@ -93,12 +93,14 @@ Patch121: rpm-4.16.1.3-rpm2archive-nocompression.patch
 Patch122: rpm-4.16.1.3-Support-long-languages-names-for-QT.patch
 Patch123: rpm-4.14.3-rpm2archive-parse-popt-options.patch
 Patch124: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch
+Patch125: rpm-4.16.1.3-IMA-without-xattr.patch
 
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
 # Probably to be upstreamed in slightly different form
 Patch907: rpm-4.15.x-ldflags.patch
 Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
+Patch909: rpm-4.16.1.3-external-debugedit.patch
 
 # Not yet (all) upstream, debugedit DWARF5
 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2
@@ -112,6 +114,7 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch
 # Downstream-only patches
 Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch
 Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
+Patch1002: 0001-Macroize-find-debuginfo-script-location.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
@@ -127,7 +130,7 @@ BuildRequires: libdb-devel
 %endif
 
 %if %{with check}
-BuildRequires: fakechroot gnupg2
+BuildRequires: fakechroot gnupg2 debugedit
 %endif
 
 # XXX generally assumed to be installed but make it explicit as rpm
@@ -244,6 +247,7 @@ Suggests: gdb-minimal
 # "just work" while allowing for alternatives, depend on a virtual
 # provide, typically coming from redhat-rpm-config.
 Requires: system-rpm-config
+Requires: debugedit
 
 %description build
 The rpm-build package contains the scripts and executable programs
@@ -415,6 +419,19 @@ pushd python
 %py3_install
 popd
 
+cat > $RPM_BUILD_ROOT/%{rpmhome}/debugedit << END
+#!/bin/sh
+/usr/bin/debugedit "\$@"
+END
+cat > $RPM_BUILD_ROOT/%{rpmhome}/sepdebugcrcfix << END
+#!/bin/sh
+/usr/bin/sepdebugcrcfix "\$@"
+END
+cat > $RPM_BUILD_ROOT/%{rpmhome}/find-debuginfo.sh << END
+#!/bin/sh
+/usr/bin/find-debuginfo.sh "\$@"
+END
+
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}
 install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}
 
@@ -627,6 +644,18 @@ fi
 
 %changelog
 
+* Fri Jun 30 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-25
+- Followup on #2166383
+- Add compat scripts calling external find-debug, sepdebugcrcfix and debugedit
+- Add %%__find_debuginfo macro
+
+* Thu May 04 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-24
+- Use external find-debug and debugedit (#2166383)
+
+* Wed May 03 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-23
+- Don't error out on IMA signatures on files not supporting them
+  (#2157835, #2157836)
+
 * Mon Dec 19 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-22
 - Fix option handling in rpm2archive for #2150804