systemd-257-10

Resolves: RHEL-77718,RHEL-85854
2025-04-11 13:23:11 +02:00 · 2025-04-11 13:23:11 +02:00 · 4258202f09
commit 4258202f09
parent 68186c009d
3 changed files with 432 additions and 353 deletions
--- a/0348-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch
+++ b/0348-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch
@ -0,0 +1,42 @@
 From 5f02c6b7a277dae1e8d122045a3ff881eb2c334c Mon Sep 17 00:00:00 2001
 From: Lennart Poettering <lennart@poettering.net>
 Date: Mon, 3 Mar 2025 22:40:05 +0100
 Subject: [PATCH] resolved: pick up new DNSSEC KSC from 2024
 Import thew new key from https://data.iana.org/root-anchors/root-anchors.xml.
 The old one remains valid, as per provided data.
 Fixes: #36260
 (cherry picked from commit 8113361e82eea2741290f7117034d356acb3ab4d)
 Resolves: RHEL-77718
 ---
 src/resolve/resolved-dns-trust-anchor.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
 index 9df93f109a..be9e487454 100644
 --- a/src/resolve/resolved-dns-trust-anchor.c
 +++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -25,6 +25,10 @@ static const uint8_t root_digest2[] =
         { 0xE0, 0x6D, 0x44, 0xB8, 0x0B, 0x8F, 0x1D, 0x39, 0xA9, 0x5C, 0x0B, 0x0D, 0x7C, 0x65, 0xD0, 0x84,
           0x58, 0xE8, 0x80, 0x40, 0x9B, 0xBC, 0x68, 0x34, 0x57, 0x10, 0x42, 0x37, 0xC7, 0xF8, 0xEC, 0x8D };
 +static const uint8_t root_digest3[] =
 +        { 0x68, 0x3D, 0x2D, 0x0A, 0xCB, 0x8C, 0x9B, 0x71, 0x2A, 0x19, 0x48, 0xB2, 0x7F, 0x74, 0x12, 0x19,
 +          0x29, 0x8D, 0x0A, 0x45, 0x0D, 0x61, 0x2C, 0x48, 0x3A, 0xF4, 0x44, 0xA4, 0xC0, 0xFB, 0x2B, 0x16 };
 +
 static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char *name) {
         assert(d);
@@ -93,6 +97,9 @@ static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {
         /* Add the currently valid RRs from https://data.iana.org/root-anchors/root-anchors.xml */
         r = add_root_ksk(answer, key, 20326, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest2, sizeof(root_digest2));
 +        if (r < 0)
 +                return r;
 +        r = add_root_ksk(answer, key, 38696, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest3, sizeof(root_digest3));
         if (r < 0)
                 return r;
--- a/0349-test_ukify-Skip-on-riscv64.patch
+++ b/0349-test_ukify-Skip-on-riscv64.patch
@ -0,0 +1,33 @@
 From 0131e46cd0673bdc7f7449ea77d7dde265be26bb Mon Sep 17 00:00:00 2001
 From: Andrea Bolognani <abologna@redhat.com>
 Date: Fri, 14 Mar 2025 18:36:13 +0100
 Subject: [PATCH] test_ukify: Skip on riscv64
 The test needs binutils 2.42 to work on the architecture,
 but we only have 2.41 in RHEL 10.
 Signed-off-by: Andrea Bolognani <abologna@redhat.com>
 rhel-only: test
 Resolves: RHEL-85854
 ---
 src/ukify/test/test_ukify.py | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
 index 61d465fca1..c24c51d964 100755
 --- a/src/ukify/test/test_ukify.py
 +++ b/src/ukify/test/test_ukify.py
@@ -52,6 +52,11 @@ except ValueError as e:
     print(str(e), file=sys.stderr)
     sys.exit(77)
 +# Skip this test on riscv64 for now. It needs binutils 2.42 to work
 +# on the architecture, but we only have 2.41 in RHEL 10
 +if ukify.guess_efi_arch() == 'riscv64':
 +    sys.exit(77)
 +
 build_root = os.getenv('PROJECT_BUILD_ROOT')
 try:
     slow_tests = bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '1')))
--- a/systemd.spec
+++ b/systemd.spec
@ -48,7 +48,7 @@ Url:            https://systemd.io
 # Allow users to specify the version and release when building the rpm by 
 # setting the %%version_override and %%release_override macros.
 Version:        %{?version_override}%{!?version_override:257}
-Release:        9%{?dist}
+Release:        10%{?dist}
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
@ -102,6 +102,7 @@ i=1; for j in 00*patch; do printf "Patch%04d:      %s\n" $i $j; i=$((i+1));done|
 GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py >hwdb.patch
 %endif
 %if %{without upstream}
 # Backports of patches from upstream (0000–0499)
 #
 # Any patches which are "in preparation" upstream should be listed here, rather
@ -456,8 +457,11 @@ Patch0344:  0344-chase-introduce-flags-that-verify-that-chased-inode-.patch
 Patch0345: 0345-udevadm-verify-chase-specified-paths.patch
 Patch0346: 0346-bash-completion-udevadm-verify-suggest-found-udev-ru.patch
 Patch0347: 0347-udevadm-introduce-cat-command.patch
 Patch0348: 0348-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch
 Patch0349: 0349-test_ukify-Skip-on-riscv64.patch
 # Downstream-only patches (9000–9999)
 %endif
 %ifarch %{ix86} x86_64 aarch64 riscv64
 %global want_bootloader 1
@ -791,11 +795,7 @@ Requires:       python3dist(cryptography)
 Recommends:     python3dist(pillow)
 # for tests
-%ifarch riscv64
+BuildRequires:  binutils
 # 2.42 received support for riscv64 + efi targets
 %global binutils_version_req >= 2.42
 %endif
 BuildRequires:  binutils %{?binutils_version_req}
 BuildArch:      noarch
@ -1387,6 +1387,10 @@ rm -f .file-list-*
 rm -f %{name}.lang
 %changelog
 * Fri Apr 11 2025 systemd maintenance team <systemd-maint@redhat.com> - 257-10
 - resolved: pick up new DNSSEC KSC from 2024 (RHEL-77718)
 - test_ukify: Skip on riscv64 (RHEL-85854)
 * Fri Feb 14 2025 systemd maintenance team <systemd-maint@redhat.com> - 257-9
 - Add BuildRequires for git-core (RHEL-71409)