From dd8aebd6d2e5d8f7916c69d22c10e3e5166c15d2 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Fri, 12 Sep 2025 16:20:38 +0200
Subject: [PATCH 001/213] New version: alpha-4459.0.0
Signed-off-by: Mathieu Tortuyaux
---
 sdk_container/.repo/manifests/version.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index a71613703f0..7037d8fa3b7 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4455.0.0+nightly-20250911-2100
-FLATCAR_VERSION_ID=4455.0.0
-FLATCAR_BUILD_ID="nightly-20250911-2100"
-FLATCAR_SDK_VERSION=4455.0.0+nightly-20250911-2100
+FLATCAR_VERSION=4459.0.0
+FLATCAR_VERSION_ID=4459.0.0
+FLATCAR_BUILD_ID=""
+FLATCAR_SDK_VERSION=4459.0.0
From 400ec29263941b2f730f8c4af7915dd25b8df3b8 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Tue, 16 Sep 2025 21:00:26 +0000
Subject: [PATCH 002/213] New version: alpha-4459.0.0-nightly-20250916-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 7037d8fa3b7..1b1ec3c82df 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0
+FLATCAR_VERSION=4459.0.0+nightly-20250916-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID=""
+FLATCAR_BUILD_ID="nightly-20250916-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 16b9bc379b41f56b74301a9559fa927b5eeb3ecf Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Wed, 17 Sep 2025 14:25:07 +0000
Subject: [PATCH 003/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 7c76f815fcf..f86a84673d2 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-03c3e3d8e8d132a6753c2e9cb205d32ff31564df
+ghcr.io/flatcar/mantle:git-cea59f004aba03af0d9bb046caf9137878bb25dc
From e4ae8c232576400a1e000bba7d9700073d2223c7 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Wed, 17 Sep 2025 21:00:31 +0000
Subject: [PATCH 004/213] New version: alpha-4459.0.0-nightly-20250917-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 1b1ec3c82df..acf5f61a985 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0+nightly-20250916-2100
+FLATCAR_VERSION=4459.0.0+nightly-20250917-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID="nightly-20250916-2100"
+FLATCAR_BUILD_ID="nightly-20250917-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From bed306083955fa18231b5cdc1063828021a267e4 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Sat, 20 Sep 2025 07:07:06 +0000
Subject: [PATCH 005/213] sys-kernel/coreos-sources: Update from 6.12.47 to 6.12.48
Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-09-20-linux-6.12.48-update.md | 1 + .../{hv-daemons-6.12.47.ebuild => hv-daemons-6.12.48.ebuild} | 0 ...oreos-kernel-6.12.47.ebuild => coreos-kernel-6.12.48.ebuild} | 0 ...eos-modules-6.12.47.ebuild => coreos-modules-6.12.48.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.47.ebuild => coreos-sources-6.12.48.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-09-20-linux-6.12.48-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.47.ebuild => hv-daemons-6.12.48.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.47.ebuild => coreos-kernel-6.12.48.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.47.ebuild => coreos-modules-6.12.48.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.47.ebuild => coreos-sources-6.12.48.ebuild} (100%) diff --git a/changelog/updates/2025-09-20-linux-6.12.48-update.md b/changelog/updates/2025-09-20-linux-6.12.48-update.md new file mode 100644 index 00000000000..8a2374f2033 --- /dev/null +++ b/changelog/updates/2025-09-20-linux-6.12.48-update.md @@ -0,0 +1 @@ +- Linux ([6.12.48](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.48)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.47.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.48.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.47.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.48.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.47.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.48.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.47.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.48.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.47.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.48.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.47.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.48.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index cf8223ad400..c20a183ecd7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.47.xz 2896968 BLAKE2B 4064af2ae029d13d63a0a6cfb9e4121266ab33622c03e088ad3544a0f5bf443d75a2ff2f7c35b58d7cc8669acb0eac93165cd3bfe5d8567f332516850bc9f7a4 SHA512 19bb9e9e235fa408e3b37dd6fe475f1dc7690bd09274dcdcb722ccc9733da9169dbaa97dffb15e0b32da6a62cd89b2da8cad32b4d2f16f2fbbd9d023b5ebae9b +DIST patch-6.12.48.xz 2931416 BLAKE2B 888711e5a4b9578bdd09379aac0b385b901e9784e1307b2c36a700f996e6deb9c2e6531ea2a4fd4daec6bd2cb44c8a7767d00e59922c2311e448592605929e00 SHA512 f7a4999b1f2d2019fcaf691a2c0f1797be73858404fd4825962ec32945733fe98f625d8451d9bc264a1c14500b4596be6b73ea947da35e7b27f044f08642f2ab diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.47.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.48.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.47.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.48.ebuild From 681ad155e50b0dcec5a4a5385183d7f6c892022b Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 22 Sep 2025 07:12:44 +0000 Subject: [PATCH 006/213] app-misc/ca-certificates: Update from 3.115 to 3.116 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-09-22-ca-certificates-3.116-update.md | 1 + .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +- ...certificates-3.115.1.ebuild => ca-certificates-3.116.ebuild} | 0 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-09-22-ca-certificates-3.116-update.md rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.115.1.ebuild => ca-certificates-3.116.ebuild} (100%) diff --git a/changelog/updates/2025-09-22-ca-certificates-3.116-update.md b/changelog/updates/2025-09-22-ca-certificates-3.116-update.md new file mode 100644 index 00000000000..b1df3c58838 --- /dev/null +++ b/changelog/updates/2025-09-22-ca-certificates-3.116-update.md @@ -0,0 +1 @@ +- ca-certificates ([3.116](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_116.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest index d60c711b8f2..aa5f5fae11a 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest @@ -1 +1 @@ -DIST nss-3.115.1.tar.gz 76656855 BLAKE2B ce0ddb2eb17b079131210bbf82c6d614b5efe0b6d6fefb88461ae59518afd870011f278480ec14cbaafab88d715833acb3ae4e56347fb413516d5fceb547c9e1 SHA512 c75ab9bdddeda40d0e50837f47539b370b342216aeabf82614285485b50461600623e9a506e6026cf0928f6b0ada05a02ac1a060fca7938049b3471ac418a008 +DIST nss-3.116.tar.gz 76661970 BLAKE2B 2a9a43a4319447d087fa107b3a5d33e769212177a334660a92ee68b17eb0554d2194e1c3d1eb32c01b083e49b6707e8e3ed1628c407d7efc2bb3aea073249f19 SHA512 35ce4d077b733bb27a235583a27d085a988e0ac09a8390ce482e037c2fd5724a39044e01865d9a78632bd23fe26db0f5508dc27dc7640b2713c784ce8533639f 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.115.1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.116.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.115.1.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.116.ebuild From 9a2b2ee5dfd9feaacfb4920a9f41c0cbaf9b1909 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 23 Sep 2025 03:30:12 +0000 Subject: [PATCH 007/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index f86a84673d2..8035e7f1af1 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-cea59f004aba03af0d9bb046caf9137878bb25dc +ghcr.io/flatcar/mantle:git-070e3b8a86c05bd190cfba3d01d871081ff0a256 From 7480902501378e9239c7d3de3dd540553f073318 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 23 Sep 2025 21:00:29 +0000 Subject: [PATCH 008/213] New version: alpha-4459.0.0-nightly-20250923-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index acf5f61a985..fccb38606e2 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0+nightly-20250917-2100
+FLATCAR_VERSION=4459.0.0+nightly-20250923-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID="nightly-20250917-2100"
+FLATCAR_BUILD_ID="nightly-20250923-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From c2aa0a3b94f44d3e455b7eb25f4a43eb9ef218d3 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Mon, 29 Sep 2025 21:00:31 +0000
Subject: [PATCH 009/213] New version: alpha-4459.0.0-nightly-20250929-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index fccb38606e2..459b4c2bc6c 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0+nightly-20250923-2100
+FLATCAR_VERSION=4459.0.0+nightly-20250929-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID="nightly-20250923-2100"
+FLATCAR_BUILD_ID="nightly-20250929-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 13c8bb3d306a8739f4b6b11b6590d3f2f5d74756 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 29 Sep 2025 21:00:43 +0000
Subject: [PATCH 010/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 8035e7f1af1..e22e42971f2 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-070e3b8a86c05bd190cfba3d01d871081ff0a256
+ghcr.io/flatcar/mantle:git-8c626e89d46bf28823ab7e785f8a8b64643ddaa8
From a22a6e6d8a5d631bbe5ce73c77c77b4e02d206ec Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux Date: Tue, 16 Sep 2025 11:30:27 +0200 Subject: [PATCH 011/213] coreos-base/coreos-init: enable SSH keys injection for Scaleway Signed-off-by: Mathieu Tortuyaux --- ...eos-init-0.0.1-r200.ebuild => coreos-init-0.0.1-r201.ebuild} | 0 .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/{coreos-init-0.0.1-r200.ebuild => coreos-init-0.0.1-r201.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r200.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r201.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r200.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r201.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index d1b3f4f941b..4be33339949 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -8,7 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="dd9cbe449efb7134f885b07b16425eb51fb808a8" # flatcar-master + EGIT_COMMIT="ba8eefbeaf0bc272828637506a2e70c7630922c8" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi From c579d7ae34e264a48e37b3881416222d9f3e1634 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 16 Sep 2025 12:01:11 +0200 Subject: [PATCH 012/213] sys-kernel/bootengine: set Scaleway hostname use Afterburn to set the Scaleway hostname 
Signed-off-by: Mathieu Tortuyaux --- ...ootengine-0.0.38-r37.ebuild => bootengine-0.0.38-r38.ebuild} | 0 .../coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/{bootengine-0.0.38-r37.ebuild => bootengine-0.0.38-r38.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r37.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r38.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r37.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r38.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild index 341d7f0909a..cda632706f6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild @@ -7,7 +7,7 @@ EGIT_REPO_URI="https://github.com/flatcar/bootengine.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="31ba2964ce5e77ae5553eb0a3624afcc7078bb09" # flatcar-master + EGIT_COMMIT="daf43bf9c1ca45bf1a43566c3a6f96ec0cb44a36" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi From dbe2e8196384af6f0052de252776c5f378a5a07d Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 16 Sep 2025 16:56:04 +0200 Subject: [PATCH 013/213] changelog: add entries Signed-off-by: Mathieu Tortuyaux --- changelog/changes/2025-09-16-scaleway.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelog/changes/2025-09-16-scaleway.md 
diff --git a/changelog/changes/2025-09-16-scaleway.md b/changelog/changes/2025-09-16-scaleway.md new file mode 100644 index 00000000000..b473f63c9f8 --- /dev/null +++ b/changelog/changes/2025-09-16-scaleway.md @@ -0,0 +1,2 @@ +- Scaleway: The hostname is now set _via_ Afterburn ([scripts#3277](https://github.com/flatcar/scripts/pull/3277)) +- Scaleway: SSH keys are now fetched _via_ Afterburn ([scripts#3277](https://github.com/flatcar/scripts/pull/3277)) From 7bac9c25652bcbc7bfded7faeded8afd3a7ff8bc Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 30 Sep 2025 21:00:31 +0000 Subject: [PATCH 014/213] New version: alpha-4459.0.0-nightly-20250930-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 459b4c2bc6c..8e218798643 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.0.0+nightly-20250929-2100 +FLATCAR_VERSION=4459.0.0+nightly-20250930-2100 FLATCAR_VERSION_ID=4459.0.0 -FLATCAR_BUILD_ID="nightly-20250929-2100" +FLATCAR_BUILD_ID="nightly-20250930-2100" FLATCAR_SDK_VERSION=4459.0.0 From ca9669b1ce075b3f200ab9ad7e2e18b48f2e796d Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 2 Oct 2025 21:00:44 +0000 Subject: [PATCH 015/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index e22e42971f2..9ece4b3f340 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-8c626e89d46bf28823ab7e785f8a8b64643ddaa8
+ghcr.io/flatcar/mantle:git-2b18f11605a2dac70e107357fb4a24764d32b3f9
From b190708aa6fba206ca66d3df4f0718a93872b8bb Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Fri, 3 Oct 2025 21:00:29 +0000
Subject: [PATCH 016/213] New version: alpha-4459.0.0-nightly-20251003-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 8e218798643..c1cb13d5250 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0+nightly-20250930-2100
+FLATCAR_VERSION=4459.0.0+nightly-20251003-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID="nightly-20250930-2100"
+FLATCAR_BUILD_ID="nightly-20251003-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 17285f43c1dafd2ca9249c7986f863bc469e644d Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 6 Oct 2025 07:12:04 +0000
Subject: [PATCH 017/213] app-misc/ca-certificates: Update from 3.116 to 3.117
Signed-off-by: Flatcar Buildbot
---
 changelog/updates/2025-10-06-ca-certificates-3.117-update.md | 1 +
 .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +-
 ...a-certificates-3.116.ebuild => ca-certificates-3.117.ebuild} | 0
 3 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog/updates/2025-10-06-ca-certificates-3.117-update.md
 rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.116.ebuild => ca-certificates-3.117.ebuild} (100%)
diff --git a/changelog/updates/2025-10-06-ca-certificates-3.117-update.md b/changelog/updates/2025-10-06-ca-certificates-3.117-update.md
new file mode 100644
index 00000000000..e252b00ec95
--- /dev/null
+++ b/changelog/updates/2025-10-06-ca-certificates-3.117-update.md
@@ -0,0 +1 @@ +- ca-certificates ([3.117](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_117.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest index aa5f5fae11a..f64b3dc24ab 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest @@ -1 +1 @@ -DIST nss-3.116.tar.gz 76661970 BLAKE2B 2a9a43a4319447d087fa107b3a5d33e769212177a334660a92ee68b17eb0554d2194e1c3d1eb32c01b083e49b6707e8e3ed1628c407d7efc2bb3aea073249f19 SHA512 35ce4d077b733bb27a235583a27d085a988e0ac09a8390ce482e037c2fd5724a39044e01865d9a78632bd23fe26db0f5508dc27dc7640b2713c784ce8533639f +DIST nss-3.117.tar.gz 76684970 BLAKE2B cf078cb1d48fbbf39e2661b6cdb9d610db3d0c13bcec68bacaf7cce8165cbf91229f9931008d1bfd28a561cc1fca994fbf3a174ddb7de2cf10ad4208926764a0 SHA512 12e6eaa67d290fc8146dee2d92017fd481e4969d556870ec4200aab8d2590efe63686ca9cca5cc1b95c7078cc0ab7f1e27e77de5a1a2b75c4f1f3b4b65c700fe diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.116.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.117.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.116.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.117.ebuild From 126cfcc0048b02cfb5b057e5c1825c0b7dd368fb Mon Sep 17 00:00:00 2001 
From: Kai Lueke Date: Thu, 2 Oct 2025 23:26:30 +0900 Subject: [PATCH 018/213] ci-automation/release.sh: Fix upload to R2 The upload to R2 was added experimentally and we now want to make use of it. The CHANNEL variable wasn't defined and it failed because of that. Do the upload for all channels and set the variable up first. Existing releases should get synced from the current Origin server via a FUSE mount that we anyway want to rely on for the directory listing that Caddy creates. Left to decide is how we manage the "current" version but that is done manually anyway as of now. Signed-off-by: Kai Lueke --- ci-automation/release.sh | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/ci-automation/release.sh b/ci-automation/release.sh index 6f327bc5848..e362fd0136a 100644 --- a/ci-automation/release.sh +++ b/ci-automation/release.sh @@ -164,9 +164,20 @@ function copy_from_bincache_to_bucket() { local arch="${2}" local version="${3}" + echo "Experimental (i.e ignore if it fails) - copy the images to CloudFlare bucket" + ( + set +eu rclone --config "${RCLONE_CONFIGURATION_FILE}" \ sync \ - --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}/${version}" + --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" + # Exit the function cleanly for now: + true + ) + # Note: There is no "current" symlink and when switching the release to current we + # could at a later stage (when the update payloads are selected in Nebraska) either + # use folder copies where we delete the old "current" folder first, or we could + # use a clever Caddy redirect to make "current" point to the wanted version for + # each channel. } function publish_sdk() { 
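Review bot: The new subshell in `copy_from_bincache_to_bucket` discards every failure without a trace: `set +eu` followed by `true` means a failed `rclone sync`, or an unset `RCLONE_CONFIGURATION_FILE` or `BUILDCACHE_SERVER` (which now expands to an empty string instead of aborting), leaves the release job green while the bucket may be stale or partially written. Keep nounset and report the failure: use `set +e` instead of `set +eu`, and end the rclone command with `|| echo "WARNING: R2 sync failed for ${channel}/${arch}-usr/${version}" >&2`. Separately, `sync` makes the destination match the source, so a short or empty listing from the build cache could remove objects already published under that prefix; `rclone copy` does not delete at the destination, if that fits the intent. The function body starts above the hunk.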
@@ -206,6 +217,8 @@ function _release_build_impl() { local vernum="${FLATCAR_VERSION}" local docker_vernum="" docker_vernum="$(vernum_to_docker_image_version "${vernum}")" + local channel= + channel="$(get_git_channel)" local container_name="flatcar-publish-${docker_vernum}" local mantle_ref @@ -222,6 +235,7 @@ function _release_build_impl() { create_digests "${SIGNER}" "aws-${arch}/flatcar_production_ami_"*txt "aws-${arch}/flatcar_production_ami_"*json sign_artifacts "${SIGNER}" "aws-${arch}/flatcar_production_ami_"*txt "aws-${arch}/flatcar_production_ami_"*json copy_to_buildcache "images/${arch}/${vernum}/" "aws-${arch}/flatcar_production_ami_"*txt* "aws-${arch}/flatcar_production_ami_"*json* + copy_from_bincache_to_bucket "${channel}" "${arch}" "${vernum}" done if [ "${vernum}" = "${sdk_version}" ]; then publish_sdk "${docker_sdk_vernum}" @@ -230,9 +244,6 @@ function _release_build_impl() { echo "Done, now you can copy the images to Origin" echo "====" - echo "Experimental (i.e ignore if it fails) - copy the images to CloudFlare bucket for Alpha channel" - [[ "${CHANNEL}" != "alpha" ]] && exit 0 - copy_from_bincache_to_bucket "${CHANNEL}" "${arch}" "${vernum}" # Future: trigger copy to Origin in a secure way # Future: trigger update payload signing From 709ec0efbfd96dc002be25dab465addd07aaf4e5 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 7 Oct 2025 07:07:32 +0000 Subject: [PATCH 019/213] sys-kernel/coreos-sources: Update from 6.12.48 to 6.12.51 
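Review bot: `channel="$(get_git_channel)"` is handed to `copy_from_bincache_to_bucket` without any check, and it now becomes a path component of the bucket destination for every release instead of only for alpha. `get_git_channel` is defined outside this patch; if it can return an empty or unexpected string, the sync would target `r2:flatcar//${arch}-usr/${version}` or an unintended prefix in the release bucket. Guarding the call in the loop, for example `if [[ -n "${channel}" ]]; then copy_from_bincache_to_bucket "${channel}" "${arch}" "${vernum}"; fi` with a warning on the else branch, keeps a misdetected channel from writing there. `_release_build_impl` starts and ends outside these hunks.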
Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-10-07-linux-6.12.51-update.md | 1 + .../{hv-daemons-6.12.48.ebuild => hv-daemons-6.12.51.ebuild} | 0 ...oreos-kernel-6.12.48.ebuild => coreos-kernel-6.12.51.ebuild} | 0 ...eos-modules-6.12.48.ebuild => coreos-modules-6.12.51.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.48.ebuild => coreos-sources-6.12.51.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-10-07-linux-6.12.51-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.48.ebuild => hv-daemons-6.12.51.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.48.ebuild => coreos-kernel-6.12.51.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.48.ebuild => coreos-modules-6.12.51.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.48.ebuild => coreos-sources-6.12.51.ebuild} (100%) diff --git a/changelog/updates/2025-10-07-linux-6.12.51-update.md b/changelog/updates/2025-10-07-linux-6.12.51-update.md new file mode 100644 index 00000000000..92bf080c60d --- /dev/null +++ b/changelog/updates/2025-10-07-linux-6.12.51-update.md @@ -0,0 +1 @@ +- Linux ([6.12.51](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.51) (includes [6.12.50](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.50), [6.12.49](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.49))) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.48.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.51.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.48.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.51.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.48.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.48.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.48.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.51.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.48.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.51.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index c20a183ecd7..8ce049d890b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.48.xz 2931416 BLAKE2B 888711e5a4b9578bdd09379aac0b385b901e9784e1307b2c36a700f996e6deb9c2e6531ea2a4fd4daec6bd2cb44c8a7767d00e59922c2311e448592605929e00 SHA512 f7a4999b1f2d2019fcaf691a2c0f1797be73858404fd4825962ec32945733fe98f625d8451d9bc264a1c14500b4596be6b73ea947da35e7b27f044f08642f2ab +DIST patch-6.12.51.xz 2974844 BLAKE2B cfb7242811febee3e506aa8775189f90cb1501341ca7aea7153aca28553cb5e953902f1c7bc23b2872f3f4617ee76641888c0cc0ae7a4611399a892030832b58 SHA512 5e04752b3432809212315b24c8fc18764b367e9e3282325d3d52b75190b4e0eeca48a10dc3baf09abfde3a633a7b14e03b4224251ae4e0b6206085683cce5dd2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.48.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.48.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild From 1e05bc9f8d98c40ea39181e855314d55d71c4715 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 7 Oct 2025 21:00:32 +0000 Subject: [PATCH 020/213] New version: alpha-4459.0.0-nightly-20251007-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index c1cb13d5250..a95ba5c199d 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0+nightly-20251003-2100
+FLATCAR_VERSION=4459.0.0+nightly-20251007-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID="nightly-20251003-2100"
+FLATCAR_BUILD_ID="nightly-20251007-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 237ace2a7f7c13c96f3f0cd50262bc161537c6ef Mon Sep 17 00:00:00 2001
From: Meerthika
Date: Wed, 8 Oct 2025 21:25:08 +0530
Subject: [PATCH 021/213] Add hvf acceleration support for macOS
Signed-off-by: Meerthika
---
 build_library/qemu_template.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh
index e4c0efc5ada..32445e85274 100755
--- a/build_library/qemu_template.sh
+++ b/build_library/qemu_template.sh
@@ -247,8 +247,8 @@ else
 ;;
 amd64-usr+*)
 set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
- arm64-usr+aarch64)
- set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
+ arm64-usr+aarch64|arm64-usr+arm64)
+ set -- -machine virt,accel=kvm:hvf:tcg,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
 arm64-usr+*)
 if test "${VM_NCPUS}" -gt 4 ; then
 VM_NCPUS=4
From 7986cf25900aae69c3dccb4f5cca797425140adc Mon Sep 17 00:00:00 2001
From: Meerthika
Date: Wed, 8 Oct 2025 21:46:44 +0530
Subject: [PATCH 022/213] Add changelog for macOS acceleration
Signed-off-by: Meerthika
Signed-off-by: James Le Cuirot
---
 changelog/bugfixes/2025-10-08-macos-hvf-accel.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/bugfixes/2025-10-08-macos-hvf-accel.md
diff --git a/changelog/bugfixes/2025-10-08-macos-hvf-accel.md b/changelog/bugfixes/2025-10-08-macos-hvf-accel.md
new file mode 100644
index 00000000000..802a8f4ee99
--- /dev/null
+++ b/changelog/bugfixes/2025-10-08-macos-hvf-accel.md
@@ -0,0 +1 @@
+- Fixed the QEMU launcher script to include HVF acceleration on arm64-based Macs for faster performance ([Flatcar#1901](https://github.com/flatcar/Flatcar/issues/1901))
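Review bot: The new accelerator list `accel=kvm:hvf:tcg` in the `arm64-usr+aarch64|arm64-usr+arm64)` branch ends in `tcg`, but the same line keeps `-cpu host`, and QEMU accepts the `host` CPU model only with KVM or HVF. If neither accelerator is available, the fallback to TCG would stop with a CPU-model error instead of booting. Either drop the fallback, `-machine virt,accel=kvm:hvf,gic-version=3`, so the error names the missing accelerator, or use `-cpu max`, which works with all three. The enclosing case statement starts and ends outside the hunk.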
From 5e8d82d20af94bcdf595cddb8b555bbe8ba0f132 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 9 Oct 2025 21:00:32 +0000
Subject: [PATCH 023/213] New version: alpha-4459.0.0-nightly-20251009-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index a95ba5c199d..9502e413b69 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.0.0+nightly-20251007-2100
+FLATCAR_VERSION=4459.0.0+nightly-20251009-2100
 FLATCAR_VERSION_ID=4459.0.0
-FLATCAR_BUILD_ID="nightly-20251007-2100"
+FLATCAR_BUILD_ID="nightly-20251009-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 4aa3d1c37e39a7b1567f3d7aa4ad149a8bd616d7 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Fri, 10 Oct 2025 14:06:48 +0000
Subject: [PATCH 024/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 9ece4b3f340..0dd4d52e169 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-2b18f11605a2dac70e107357fb4a24764d32b3f9
+ghcr.io/flatcar/mantle:git-1fc97dcf2d326ff44e869f2dbd5bfa9e5e0d914e
From fb8ce7b25f18ffadb37c930adfa44a8c9c049923 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Fri, 10 Oct 2025 21:00:29 +0000
Subject: [PATCH 025/213] New version: alpha-4459.0.0-nightly-20251010-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 9502e413b69..4f14f154d56 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.0.0+nightly-20251009-2100 +FLATCAR_VERSION=4459.0.0+nightly-20251010-2100 FLATCAR_VERSION_ID=4459.0.0 -FLATCAR_BUILD_ID="nightly-20251009-2100" +FLATCAR_BUILD_ID="nightly-20251010-2100" FLATCAR_SDK_VERSION=4459.0.0 From c691fe7e655eb7f415e7a5ef8056d669cadb559d Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Mon, 13 Oct 2025 03:01:00 +0530 Subject: [PATCH 026/213] New version: beta-4459.1.0 Signed-off-by: Sayan Chowdhury --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 4f14f154d56..538e43153d3 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.0.0+nightly-20251010-2100 -FLATCAR_VERSION_ID=4459.0.0 -FLATCAR_BUILD_ID="nightly-20251010-2100" +FLATCAR_VERSION=4459.1.0 +FLATCAR_VERSION_ID=4459.1.0 +FLATCAR_BUILD_ID="" FLATCAR_SDK_VERSION=4459.0.0 From 9bb2d97e3f8dcaa2444abe885cb0d76bce598261 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Fri, 10 Oct 2025 17:21:31 +0900 Subject: [PATCH 027/213] coreos-base/update_engine: Fix keeping of needed Flatcar extensions Pulls in https://github.com/flatcar/update_engine/pull/51 Signed-off-by: Kai Lueke --- changelog/bugfixes/2025-10-10-flatcar-extensions.md | 1 + .../coreos-base/update_engine/update_engine-9999.ebuild | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/bugfixes/2025-10-10-flatcar-extensions.md diff --git a/changelog/bugfixes/2025-10-10-flatcar-extensions.md b/changelog/bugfixes/2025-10-10-flatcar-extensions.md new file mode 100644 index 00000000000..afd3e3d42f5 
--- /dev/null +++ b/changelog/bugfixes/2025-10-10-flatcar-extensions.md @@ -0,0 +1 @@ +- Fixed that the needed Flatcar extensions don't get removed on update which caused a re-download ([update_engine#51](https://github.com/flatcar/update_engine/pull/51)) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild index 80eb8ec9635..1e90b9c3bd4 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild @@ -7,7 +7,7 @@ EGIT_REPO_URI="https://github.com/flatcar/update_engine.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="aa31b3ea36b2c4d585406ab13dbdf2c4e8959a99" # main + EGIT_COMMIT="85eea2c932a0028b90d4db2f3d495ecf73f9342a" # main KEYWORDS="amd64 arm64" fi From dae2cdc086d2f3bad538fe1e127ce91c3c276581 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 13 Oct 2025 18:21:42 +0900 Subject: [PATCH 028/213] coreos-base/update_engine: Fix opaque directory handling When /etc way kept busy through, e.g., a process using it as CWD, then even in the temporary namespace unmounting failed unless it was done with the lazy option. This pulls in https://github.com/flatcar/update_engine/pull/52 to address this. Signed-off-by: Kai Lueke --- .../coreos-base/update_engine/update_engine-9999.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild index 1e90b9c3bd4..126f5cd4f7a 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild @@ -7,7 +7,7 @@ EGIT_REPO_URI="https://github.com/flatcar/update_engine.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="85eea2c932a0028b90d4db2f3d495ecf73f9342a" # main + EGIT_COMMIT="3a44be455f7c6978e99f9e3d4f01401d80301c40" # main KEYWORDS="amd64 arm64" fi From 9e3d41b321ba340525371b18cda4a1912fd9a515 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 14 Oct 2025 12:32:06 +0000 Subject: [PATCH 029/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 0dd4d52e169..4522a055bc9 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-1fc97dcf2d326ff44e869f2dbd5bfa9e5e0d914e +ghcr.io/flatcar/mantle:git-106d21dc07739f9ff4fa171069f521da7aa6051b From 851e761b67afcaa4da10e6b262b60580d2403db7 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 14 Oct 2025 21:00:35 +0000 Subject: [PATCH 030/213] New version: beta-4459.1.0-nightly-20251014-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 538e43153d3..944180ef63b 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0 +FLATCAR_VERSION=4459.1.0+nightly-20251014-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="" +FLATCAR_BUILD_ID="nightly-20251014-2100" FLATCAR_SDK_VERSION=4459.0.0 From f80c4645fd136fd8810f96ae0cec532671245ac0 Mon Sep 17 00:00:00 2001 
From: flatcar-ci
Date: Wed, 15 Oct 2025 21:00:31 +0000
Subject: [PATCH 031/213] New version: beta-4459.1.0-nightly-20251015-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 944180ef63b..3293265da43 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.0+nightly-20251014-2100
+FLATCAR_VERSION=4459.1.0+nightly-20251015-2100
 FLATCAR_VERSION_ID=4459.1.0
-FLATCAR_BUILD_ID="nightly-20251014-2100"
+FLATCAR_BUILD_ID="nightly-20251015-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From c08f2bdbe8c20ba97e183e3c70c13f2e58de55a8 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 20 Oct 2025 07:07:15 +0000
Subject: [PATCH 032/213] sys-kernel/coreos-sources: Update from 6.12.51 to 6.12.54
Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-10-20-linux-6.12.54-update.md | 1 + .../{hv-daemons-6.12.51.ebuild => hv-daemons-6.12.54.ebuild} | 0 ...oreos-kernel-6.12.51.ebuild => coreos-kernel-6.12.54.ebuild} | 0 ...eos-modules-6.12.51.ebuild => coreos-modules-6.12.54.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.51.ebuild => coreos-sources-6.12.54.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-10-20-linux-6.12.54-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.51.ebuild => hv-daemons-6.12.54.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.51.ebuild => coreos-kernel-6.12.54.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.51.ebuild => coreos-modules-6.12.54.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.51.ebuild => coreos-sources-6.12.54.ebuild} (100%) diff --git a/changelog/updates/2025-10-20-linux-6.12.54-update.md b/changelog/updates/2025-10-20-linux-6.12.54-update.md new file mode 100644 index 00000000000..46ab4107d60 --- /dev/null +++ b/changelog/updates/2025-10-20-linux-6.12.54-update.md @@ -0,0 +1 @@ +- Linux ([6.12.54](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.54) (includes [6.12.53](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.53), [6.12.52](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.52))) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.54.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.51.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.54.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.54.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.51.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.54.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 8ce049d890b..05a8d04998b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.51.xz 2974844 BLAKE2B cfb7242811febee3e506aa8775189f90cb1501341ca7aea7153aca28553cb5e953902f1c7bc23b2872f3f4617ee76641888c0cc0ae7a4611399a892030832b58 SHA512 5e04752b3432809212315b24c8fc18764b367e9e3282325d3d52b75190b4e0eeca48a10dc3baf09abfde3a633a7b14e03b4224251ae4e0b6206085683cce5dd2 +DIST patch-6.12.54.xz 3096864 BLAKE2B f5bff8166a5a45535092614ef9ed1d9e39064fd2762f0d71e852a87437326892c9d25a095ad51eb3b7fdfe266ba5f16d271303b98c4c1c6ed1716cfa09b669bb SHA512 744143218b5258a67f4b00126c72d7630b6e563dd0cc0a9cf685bc38cb48dc217d717053117e72a52fba061b2171a99ef64d992288f75500f069c617d1663b5b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.54.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.54.ebuild From 8f3c11b8ab4bb4dad4ce6f9ca2da64564f928849 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 20 Oct 2025 12:53:43 +0000 Subject: [PATCH 033/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 4522a055bc9..35eab7e7e07 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-106d21dc07739f9ff4fa171069f521da7aa6051b +ghcr.io/flatcar/mantle:git-a46c3d3292d3b51c167feb01bbf8357ed73b46b1 From ef6754e325eb582508b443ff00c285b3abce8a3b Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 20 Oct 2025 14:24:23 +0900 Subject: [PATCH 034/213] sys-firmware/intel-microcode: Use kernel built-in microcode The Intel microcode wasn't applied anymore after it was reworked to be in the initrd instead of being built-in as part of the kernel image. This was due to how the kernel build system can't handle combined initrds and skip the early cpio when compressing. The AMD microcode was still built-in as part of the kernel image. Let the kernel build system pick up the Intel microcode by installing it to the firmware directory. Disable the inclusion of microcode in the initrd. Signed-off-by: Kai Lueke --- changelog/bugfixes/2025-10-20-microcode-updates.md | 1 + .../coreos-overlay/profiles/coreos/base/package.use | 5 +---- 2 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 changelog/bugfixes/2025-10-20-microcode-updates.md diff --git a/changelog/bugfixes/2025-10-20-microcode-updates.md b/changelog/bugfixes/2025-10-20-microcode-updates.md new file mode 100644 index 00000000000..4d0b8cafc56 --- /dev/null +++ b/changelog/bugfixes/2025-10-20-microcode-updates.md @@ -0,0 +1 @@ +- Fixed Intel microcode updates which were broken in recent Alpha and Beta releases by switching back to built-in extra firmware instead of early cpio inclusion ([Flatcar#1909](https://github.com/flatcar/Flatcar/issues/1909)) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 785127fe0bc..f367cd9aa93 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use 
@@ -157,12 +157,9 @@ sys-libs/libsemanage -python sys-fs/zfs minimal -rootfs # Do not tinker with /boot partition at installation time. +sys-firmware/intel-microcode -initramfs sys-fs/zfs-kmod -initramfs -# Only needed for direct loading by the kernel, which is dangerous, and we -# include all the microcode in the initrd anyway. -sys-firmware/intel-microcode -split-ucode - # For sys-auth/sssd net-dns/bind gssapi net-dns/bind-tools gssapi From e803b91918385ab933e401fedbfc2b308a1dd890 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 20 Oct 2025 21:00:33 +0000 Subject: [PATCH 035/213] New version: beta-4459.1.0-nightly-20251020-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 3293265da43..e622501f244 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251015-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251020-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251015-2100" +FLATCAR_BUILD_ID="nightly-20251020-2100" FLATCAR_SDK_VERSION=4459.0.0 From 9c8d3ffd0835eba5db0ea2b745a6edb217ee1802 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 21 Oct 2025 11:09:39 +0000 Subject: [PATCH 036/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 35eab7e7e07..e107239838a 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-a46c3d3292d3b51c167feb01bbf8357ed73b46b1 +ghcr.io/flatcar/mantle:git-0a3d1c3bdb03b340eba94b484d7f7d4caf141ddc 
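Review bot: The added `sys-firmware/intel-microcode -initramfs` line is grouped under the existing /boot comment, but package.use no longer records why the microcode is kept out of the initrd. The commit message gives the reason (the kernel build picks the microcode up from the firmware directory and builds it in), and the hunk deletes the only comment that explained the microcode flags. The deleted comment called direct loading by the kernel dangerous, and `-split-ucode` is no longer set, so the file should say why that is acceptable now. I would add above the new line something like `# Intel microcode is built into the kernel image from the firmware directory, so it is not shipped in the initrd.` Microcode carries CPU vulnerability mitigations, so a silent regression here is worth guarding against with a comment the next editor will see.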
From 541163672c4092e10939b160e6e8562664b1cf9a Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 21 Oct 2025 21:00:32 +0000 Subject: [PATCH 037/213] New version: beta-4459.1.0-nightly-20251021-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index e622501f244..2132310bf5d 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251020-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251021-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251020-2100" +FLATCAR_BUILD_ID="nightly-20251021-2100" FLATCAR_SDK_VERSION=4459.0.0 From f86e26d21c47d251e69dbc9be9e3f62b817205ae Mon Sep 17 00:00:00 2001 From: Tristan Bringuier Date: Fri, 17 Oct 2025 11:13:46 +0200 Subject: [PATCH 038/213] Add linux console settings to grub.cfg.frag Adding this to fix console issues on Scaleway's instances Signed-off-by: Tristan Bringuier Signed-off-by: Mathieu Tortuyaux --- .../coreos-base/common-oem-files/files/scaleway/grub.cfg.frag | 1 + 1 file changed, 1 insertion(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/files/scaleway/grub.cfg.frag diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/files/scaleway/grub.cfg.frag b/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/files/scaleway/grub.cfg.frag new file mode 100644 index 00000000000..0b87566bceb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/files/scaleway/grub.cfg.frag @@ -0,0 +1 @@ +set linux_console="console=ttyS0,115200n8 earlycon=ttyS0,115200" From 2d1289f8ccad8fd982316499eae61668a78d6aba Mon Sep 17 00:00:00 2001 
From: Tristan Bringuier Date: Mon, 20 Oct 2025 14:38:44 +0200 Subject: [PATCH 039/213] Adding changelog for Scaleway console patch Signed-off-by: Tristan Bringuier Signed-off-by: Mathieu Tortuyaux --- changelog/changes/2025-10-20-scaleway.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/changes/2025-10-20-scaleway.md diff --git a/changelog/changes/2025-10-20-scaleway.md b/changelog/changes/2025-10-20-scaleway.md new file mode 100644 index 00000000000..0b86f17eac0 --- /dev/null +++ b/changelog/changes/2025-10-20-scaleway.md @@ -0,0 +1 @@ +- Scaleway: The Linux console is now attached to the correct console port. ([scripts#3383](https://github.com/flatcar/scripts/pull/3383)) From de820f759b677c490e09f812c2e524556f1a8832 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 22 Oct 2025 21:00:29 +0000 Subject: [PATCH 040/213] New version: beta-4459.1.0-nightly-20251022-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 2132310bf5d..59b37a8c14e 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251021-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251022-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251021-2100" +FLATCAR_BUILD_ID="nightly-20251022-2100" FLATCAR_SDK_VERSION=4459.0.0 From 6dd38a52320627f55956705712417698017aa33e Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 23 Oct 2025 13:48:48 +0000 Subject: [PATCH 041/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index e107239838a..c9cf3674cd3 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-0a3d1c3bdb03b340eba94b484d7f7d4caf141ddc
+ghcr.io/flatcar/mantle:git-12158468f8828ad935f4ea3fb85bf2a753ad258f
From 3cd17cc5e40a56a5b218c6f4dc0d0720e9fe9cdf Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Tue, 21 Oct 2025 15:44:50 +0200
Subject: [PATCH 042/213] ci-automation/release.sh: use rclone docker image rclone was previously called from the Mantle image but it's not the case anymore because we need some environment variables (CHANNEL, ARCH, etc.) Let's switch to the `rclone` Docker image.
Signed-off-by: Mathieu Tortuyaux
---
 ci-automation/release.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ci-automation/release.sh b/ci-automation/release.sh
index e362fd0136a..131c74d11b7 100644
--- a/ci-automation/release.sh
+++ b/ci-automation/release.sh
@@ -167,9 +167,12 @@ function copy_from_bincache_to_bucket() {
 echo "Experimental (i.e ignore if it fails) - copy the images to CloudFlare bucket"
 (
 set +eu
- rclone --config "${RCLONE_CONFIGURATION_FILE}" \
- sync \
- --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}"
+ docker run --rm -ti \
+ -v "${RCLONE_CONFIGURATION_FILE}:/opt/rclone.conf:ro" \
+ docker.io/rclone/rclone:1.71.1 \
+ --config "/opt/rclone.conf" \
+ sync \
+ --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}"
 # Exit the function cleanly for now:
 true
 )
From 65a3af6dcaf9fde0dfc98536867c156b649b6712 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 22 Oct 2025 13:55:08 +0200
Subject: [PATCH 043/213] ci-automation/release.sh: lift 'experimental' usage
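Review bot: The added `docker.io/rclone/rclone:1.71.1` reference is a mutable tag, and the container is handed `${RCLONE_CONFIGURATION_FILE}`, which presumably holds the credentials for the `r2:flatcar` bucket. A re-pushed or substituted tag would then run with access to the release artifacts that `sync` writes, so I would pin the image by digest, `docker.io/rclone/rclone:1.71.1@sha256:<digest-of-reviewed-image>`, and bump it deliberately. Mounting the config with `:ro` is the right call and should stay. The function copy_from_bincache_to_bucket starts and ends outside the hunk.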
Signed-off-by: Mathieu Tortuyaux
---
 ci-automation/release.sh | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/ci-automation/release.sh b/ci-automation/release.sh
index 131c74d11b7..cc3a9b840e8 100644
--- a/ci-automation/release.sh
+++ b/ci-automation/release.sh
@@ -164,18 +164,13 @@ function copy_from_bincache_to_bucket() {
 local arch="${2}"
 local version="${3}"
- echo "Experimental (i.e ignore if it fails) - copy the images to CloudFlare bucket"
- (
- set +eu
+ echo "Copy the images from bincache to CloudFlare bucket"
 docker run --rm -ti \
 -v "${RCLONE_CONFIGURATION_FILE}:/opt/rclone.conf:ro" \
 docker.io/rclone/rclone:1.71.1 \
 --config "/opt/rclone.conf" \
 sync \
 --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}"
- # Exit the function cleanly for now:
- true
- )
 # Note: There is no "current" symlink and when switching the release to current we
 # could at a later stage (when the update payloads are selected in Nebraska) either
 # use folder copies where we delete the old "current" folder first, or we could
From 7c6aa2596d6fdc95277162d53ca3e26b84ca8716 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 23 Oct 2025 21:00:30 +0000
Subject: [PATCH 044/213] New version: beta-4459.1.0-nightly-20251023-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 59b37a8c14e..72792e6a9ec 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.0+nightly-20251022-2100
+FLATCAR_VERSION=4459.1.0+nightly-20251023-2100
 FLATCAR_VERSION_ID=4459.1.0
-FLATCAR_BUILD_ID="nightly-20251022-2100"
+FLATCAR_BUILD_ID="nightly-20251023-2100"
 FLATCAR_SDK_VERSION=4459.0.0
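Review bot: With the `( set +eu … true )` wrapper removed, a non-zero exit from `docker run` in copy_from_bincache_to_bucket is no longer swallowed, yet the unchanged `docker run --rm -ti \` line still requests an interactive TTY. Docker rejects `-t` combined with `-i` when stdin is not a terminal, which is the usual case for an automated release job, so the copy would fail before rclone starts. Whether that aborts the release depends on the script running under `set -e`, which the hunk does not show. I would change the line to `docker run --rm \`. The function starts and ends outside the hunk.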
From da69a638a7e6169ddd5780876915438fcd2aa6a7 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 27 Oct 2025 14:19:22 +0900 Subject: [PATCH 045/213] Exclude TUN devices from default systemd-networkd setup This pulls in https://github.com/flatcar/init/pull/136 to prevent the default network setup to conflict with TUN/TAP device configuration from other tools. Signed-off-by: Kai Lueke --- changelog/bugfixes/2025-10-27-tun-interface-exclusion.md | 1 + .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/bugfixes/2025-10-27-tun-interface-exclusion.md diff --git a/changelog/bugfixes/2025-10-27-tun-interface-exclusion.md b/changelog/bugfixes/2025-10-27-tun-interface-exclusion.md new file mode 100644 index 00000000000..5f8df2d61bd --- /dev/null +++ b/changelog/bugfixes/2025-10-27-tun-interface-exclusion.md @@ -0,0 +1 @@ +- Excluded TUN/TAP interfaces from the default DHCP network configuration to solve conflicts with the programs that created them ([Flatcar#1933](https://github.com/flatcar/Flatcar/issues/1933)) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index 4be33339949..7aa0ec4bd4b 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -8,7 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="ba8eefbeaf0bc272828637506a2e70c7630922c8" # flatcar-master + EGIT_COMMIT="8bd8a82fb22bc46ea2cf7da94d58655e102ca26d" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi From 07158bb8691839053af45ac5a2d6d2e2d59622cc Mon Sep 17 00:00:00 2001 
From: flatcar-ci Date: Mon, 27 Oct 2025 21:00:26 +0000 Subject: [PATCH 046/213] New version: beta-4459.1.0-nightly-20251027-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 72792e6a9ec..9dbc39b40a4 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251023-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251027-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251023-2100" +FLATCAR_BUILD_ID="nightly-20251027-2100" FLATCAR_SDK_VERSION=4459.0.0 From 0df7964eba0b3f6a6ba81e56e1bf34b7a69f2ff4 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 27 Oct 2025 21:00:45 +0000 Subject: [PATCH 047/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index c9cf3674cd3..a524f97cb46 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-12158468f8828ad935f4ea3fb85bf2a753ad258f +ghcr.io/flatcar/mantle:git-5bdb901f58d210ae9ccd5cf8e4e8e68a6ebeed1e From 944468b4cd613608add4897198f8421355cb14e0 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 28 Oct 2025 21:00:31 +0000 Subject: [PATCH 048/213] New version: beta-4459.1.0-nightly-20251028-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 9dbc39b40a4..b3e8997fb1b 100644 --- a/sdk_container/.repo/manifests/version.txt 
+++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251027-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251028-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251027-2100" +FLATCAR_BUILD_ID="nightly-20251028-2100" FLATCAR_SDK_VERSION=4459.0.0 From 27621e0d3bf820e37e31eab5e290cfe0b42a269a Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 29 Oct 2025 21:00:31 +0000 Subject: [PATCH 049/213] New version: beta-4459.1.0-nightly-20251029-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index b3e8997fb1b..3800a56c30e 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251028-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251029-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251028-2100" +FLATCAR_BUILD_ID="nightly-20251029-2100" FLATCAR_SDK_VERSION=4459.0.0 From 3a38263ff81e0c9a5f5632e356c303638384694c Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 30 Oct 2025 16:11:46 +0000 Subject: [PATCH 050/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index a524f97cb46..9ae60d8de12 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-5bdb901f58d210ae9ccd5cf8e4e8e68a6ebeed1e +ghcr.io/flatcar/mantle:git-a943b9a4d1fdf80c6d66a030e2e129f08b1c8d44 From 063265440602d47ab8997f00a66105f84f0736d3 Mon Sep 17 00:00:00 2001 
From: flatcar-ci Date: Thu, 30 Oct 2025 21:00:30 +0000 Subject: [PATCH 051/213] New version: beta-4459.1.0-nightly-20251030-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 3800a56c30e..a271dfe44a4 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251029-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251030-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251029-2100" +FLATCAR_BUILD_ID="nightly-20251030-2100" FLATCAR_SDK_VERSION=4459.0.0 From 332f878423d4fa7b13ef983f37cec2e377f0c8ba Mon Sep 17 00:00:00 2001 From: Maxime de Roucy Date: Fri, 26 Sep 2025 17:56:23 +0200 Subject: [PATCH 052/213] nutanix AHV support Signed-off-by: Maxime de Roucy Signed-off-by: Mathieu Tortuyaux --- build_library/vm_image_util.sh | 8 ++++++++ changelog/changes/2025-11-05-nutanix.md | 1 + .../common-oem-files-0-r11.ebuild | 1 + .../coreos-base/oem-nutanix/metadata.xml | 4 ++++ .../oem-nutanix/oem-nutanix-0.0.1.ebuild | 15 +++++++++++++++ 5 files changed, 29 insertions(+) create mode 100644 changelog/changes/2025-11-05-nutanix.md create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/metadata.xml create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/oem-nutanix-0.0.1.ebuild diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 17a0c024a26..1b7f1da5f0c 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh @@ -43,6 +43,7 @@ VALID_IMG_TYPES=( vmware_ova vmware_raw xen + nutanix ) #list of oem package names, minus the oem- prefix 
@@ -353,6 +354,13 @@ IMG_proxmoxve_OEM_PACKAGE=common-oem-files IMG_proxmoxve_OEM_USE=proxmoxve IMG_proxmoxve_OEM_SYSEXT=oem-proxmoxve +## nutanix +IMG_nutanix_DISK_FORMAT=qcow2 +IMG_nutanix_DISK_LAYOUT=vm +IMG_nutanix_OEM_USE=nutanix +IMG_nutanix_OEM_PACKAGE=common-oem-files +IMG_nutanix_OEM_SYSEXT=oem-nutanix + ########################################################### # Print the default vm type for the specified board diff --git a/changelog/changes/2025-11-05-nutanix.md b/changelog/changes/2025-11-05-nutanix.md new file mode 100644 index 00000000000..dda835b57bb --- /dev/null +++ b/changelog/changes/2025-11-05-nutanix.md @@ -0,0 +1 @@ +- Added Nutanix images ([flatcar/scripts#3311](https://github.com/flatcar/scripts/pull/3311)) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/common-oem-files-0-r11.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/common-oem-files-0-r11.ebuild index d77890980eb..6bdfa95ca07 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/common-oem-files-0-r11.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/common-oem-files/common-oem-files-0-r11.ebuild @@ -50,6 +50,7 @@ AMD64_ONLY_OEMIDS=( gce hyperv vmware + nutanix ) OEMIDS=( diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/metadata.xml b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/metadata.xml new file mode 100644 index 00000000000..097975e3adc --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/metadata.xml @@ -0,0 +1,4 @@ + + + + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/oem-nutanix-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/oem-nutanix-0.0.1.ebuild new file mode 100644 index 00000000000..c466e609c80 --- /dev/null 
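Review bot: The `IMG_nutanix_*` block added after the proxmoxve settings does not say that this image type is amd64-only, although the same commit lists `nutanix` under `AMD64_ONLY_OEMIDS` in common-oem-files and gives oem-nutanix `KEYWORDS="amd64"`. Whether `vm_image_util.sh` rejects the format for an arm64 board cannot be seen from this hunk. A comment under the `## nutanix` header such as `# amd64 only, see AMD64_ONLY_OEMIDS in common-oem-files` would keep the two restrictions from drifting apart. The block also lists `OEM_USE` before `OEM_PACKAGE`, the reverse of the proxmoxve block directly above it.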
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-nutanix/oem-nutanix-0.0.1.ebuild @@ -0,0 +1,15 @@ +# Copyright (c) 2020 Kinvolk GmbH. All rights reserved. +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="OEM suite for Nutanix" +HOMEPAGE="https://www.nutanix.com/" +SRC_URI="" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64" +IUSE="" + +OEM_NAME="Nutanix" From 8a25061e7d96850123367a9f2a643c211300389b Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 5 Nov 2025 21:00:31 +0000 Subject: [PATCH 053/213] New version: beta-4459.1.0-nightly-20251105-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index a271dfe44a4..a7d5419c4ab 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251030-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251105-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251030-2100" +FLATCAR_BUILD_ID="nightly-20251105-2100" FLATCAR_SDK_VERSION=4459.0.0 From 41c5fc2ee0375813e4c2b9917f49d105f0dfda9b Mon Sep 17 00:00:00 2001 From: Christian Baumann Date: Fri, 19 Sep 2025 17:11:31 +0200 Subject: [PATCH 054/213] sys-kernel/coreos-modules: enable CONFIG_MEMCG_V1 Signed-off-by: Christian Baumann Signed-off-by: James Le Cuirot --- changelog/bugfixes/2025-09-19-kernel-config-memcg-v1.md | 1 + .../sys-kernel/coreos-modules/files/commonconfig-6.12 | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/bugfixes/2025-09-19-kernel-config-memcg-v1.md diff --git a/changelog/bugfixes/2025-09-19-kernel-config-memcg-v1.md b/changelog/bugfixes/2025-09-19-kernel-config-memcg-v1.md new file mode 100644 index 00000000000..88fbb6e55c1 --- /dev/null +++ b/changelog/bugfixes/2025-09-19-kernel-config-memcg-v1.md 
@@ -0,0 +1 @@ +- Enabled `CONFIG_MEMCG_V1` to mitigate cgroupsv1 removal (e.g JVM) ([Flatcar#1884](https://github.com/flatcar/Flatcar/issues/1884)) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 index 61fc9232496..efc937e08b8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 @@ -467,6 +467,7 @@ CONFIG_MEGARAID_MM=m CONFIG_MEGARAID_NEWGEN=y CONFIG_MEGARAID_SAS=m CONFIG_MEMCG=y +CONFIG_MEMCG_V1=y CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y CONFIG_MEMTEST=y From 64b1d43790b1ac40cb3b048988936cd1b42f04bb Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 7 Nov 2025 13:21:45 +0100 Subject: [PATCH 055/213] app-containers/runc: Sync with Gentoo It's from Gentoo commit b4c450b220406a895ed093b19b92241746408a66. Signed-off-by: Krzesimir Nowak --- .../app-containers/runc/Manifest | 3 + .../app-containers/runc/runc-1.2.8.ebuild | 71 +++++++++++++++++++ .../app-containers/runc/runc-1.3.1.ebuild | 71 +++++++++++++++++++ .../app-containers/runc/runc-1.3.3.ebuild | 71 +++++++++++++++++++ 4 files changed, 216 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.2.8.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest index 9788fc59b6b..56040f29612 100644 --- a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest 
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest 
@@ -1,4 +1,7 @@ DIST runc-1.2.4.tar.gz 2759394 BLAKE2B 02b282c9fbe7f82ad1d4297b9d2576ee99db7f4db193aa6b08b595d1a18f4a0cb41c5fddb8184ca389e77726c71f4b64b686b2ee1b8e8df97179669362c17ff7 SHA512 2a14bfe7759e0cefcf88fac9d756eb2cbed8a9ebf7b6eacb96855467ea151c278ae0d58735d2a5a2d3335fc54eae4625dfcdb641065df58ba10fd1faafbd3119 DIST runc-1.2.5.tar.gz 2763738 BLAKE2B 446dd633d94f41957ba205b944320734ddf505e1bdc8f6f9d1002de8ecdd46368af19d788b8812cee87aaab1f8583d01e0c4d6fd0a56590a819588814bfb1841 SHA512 67dd870a24cfe896ead01f156eda6076b14bf287781734c2c4ab0e313d66f49bbf8d51705c5f0c24a604df311439c769a95cbfda12c7fa87ab2e6a31801a6984 DIST runc-1.2.6.tar.gz 2763135 BLAKE2B d5e40e95f8c0069073d0010d120aca1828e585b103ecd671fca072138ef3528a316414cfac5ca725f45cb84f23ab4216d9e6f466beb118fb2813ab4be3a18e92 SHA512 9a89295e001914726dfc1040729301f62ad6b630943c65f7ade6ed460ef4a2f5f35cf40662730a9e8a6c6d0301a3c9959a85973097ceb8db05c043f9c1a86248 +DIST runc-1.2.8.tar.gz 2834651 BLAKE2B 5f76e40ee8bda4668758dce318625af1dbb13c0d33a17c9c872bc68aefd6311cac570ed934a69b92b4a327c6084ff6d6d55f8914b105513f9484bbc903107a4d SHA512 8d29a2ca179320f9a01c37383506f10aea1764e18b3321c507787556e3a531e23221f8369696d8caaf30124a523a68d0ad3609bae5ab06aa6c519e644d54d4ef DIST runc-1.3.0.tar.gz 2858199 BLAKE2B c9402a074b816b9452763267a7ffdc69af6c0cd4cf54fbdfdc91ccbd8bbc5daa783259176775e90f6266fa6a02bf0bad7fbb8eb879b5764309f7f9cd2f246086 SHA512 63422501f6189d0d47f6b2f59565de572bc68b138a65c7dbcc8b5ad42dbc37245ee66e2683ab61971a84c076a15f54f484c37fde4a30815ee19edc9a0d97e9f4 +DIST runc-1.3.1.tar.gz 2860795 BLAKE2B 5711881488dc3d52182377dc09690436aff142552d35728b10c221874a1dafc3b1fe78972891ebfc53e232465aec97eacc78318a453b030c052ca2218c61438d SHA512 0a3007d046fe9711541e29ca07fd72515f19b220c8c79b9df9164f7b88a6b9077ba7a11607593b641823b9e99c0f2e96500a57e2a16e11501bbb7c4690870183 +DIST runc-1.3.3.tar.gz 2929410 BLAKE2B 
1feddc154836eff606a685a0c0d606c1bbcd5a1a1ec8a288233581a88e0b3b6a95f446125688a8dca5efd5a275bf22931553cb9ab894f6aa0826d5a1274b6f91 SHA512 9ce0af1b79163c44913979c0483322247b154109871a113726163f64c6354141e7cefb5fb6e1225eaa4bb48a1e33ba9a6049cb45cb2af8793134647dad18c8dc diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.2.8.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.2.8.ebuild new file mode 100644 index 00000000000..dedc761a5b4 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.2.8.ebuild 
@@ -0,0 +1,71 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-module linux-info + +# update on bump, look for commit ID on release tag. +# https://github.com/opencontainers/runc +RUNC_COMMIT=eeb7e6024f9ee43876301b1d23c353384fa6dcdd + +CONFIG_CHECK="~USER_NS" + +DESCRIPTION="runc container cli tools" +HOMEPAGE="https://github.com/opencontainers/runc/" +MY_PV="${PV/_/-}" +SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/${PN}-${MY_PV}" + +LICENSE="Apache-2.0 BSD-2 BSD MIT" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +IUSE="apparmor hardened +kmem +seccomp selinux test" + +COMMON_DEPEND=" + apparmor? ( sys-libs/libapparmor ) + seccomp? ( sys-libs/libseccomp )" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND} + !app-emulation/docker-runc + selinux? ( sec-policy/selinux-container )" +BDEPEND=" + dev-go/go-md2man + test? ( "${RDEPEND}" )" + +# tests need busybox binary, and portage namespace +# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox +# majority of tests pass +RESTRICT+=" test" + +src_compile() { + # build up optional flags + local options=( + $(usev apparmor) + $(usev seccomp) + $(usex kmem '' 'nokmem') + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + COMMIT="${RUNC_COMMIT}" + ) + + emake "${myemakeargs[@]}" runc man +} + +src_install() { + myemakeargs+=( + PREFIX="${ED}/usr" + BINDIR="${ED}/usr/bin" + MANDIR="${ED}/usr/share/man" + ) + emake "${myemakeargs[@]}" install install-man install-bash + + local DOCS=( README.md PRINCIPLES.md docs/. ) + einstalldocs +} + +src_test() { + emake "${myemakeargs[@]}" localunittest +} diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.1.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.1.ebuild new file mode 100644 index 00000000000..dae88b4ee6b --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.1.ebuild @@ -0,0 +1,71 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-module linux-info + +# update on bump, look for commit ID on release tag. +# https://github.com/opencontainers/runc +RUNC_COMMIT=e6457afc48eff1ce22dece664932395026a7105e + +CONFIG_CHECK="~USER_NS" + +DESCRIPTION="runc container cli tools" +HOMEPAGE="https://github.com/opencontainers/runc/" +MY_PV="${PV/_/-}" +SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/${PN}-${MY_PV}" + +LICENSE="Apache-2.0 BSD-2 BSD MIT" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +IUSE="apparmor hardened +kmem +seccomp selinux test" + +COMMON_DEPEND=" + apparmor? ( sys-libs/libapparmor ) + seccomp? ( sys-libs/libseccomp )" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND} + !app-emulation/docker-runc + selinux? ( sec-policy/selinux-container )" +BDEPEND=" + dev-go/go-md2man + test? ( "${RDEPEND}" )" + +# tests need busybox binary, and portage namespace +# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox +# majority of tests pass +RESTRICT+=" test" + +src_compile() { + # build up optional flags + local options=( + $(usev apparmor) + $(usev seccomp) + $(usex kmem '' 'nokmem') + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + COMMIT="${RUNC_COMMIT}" + ) + + emake "${myemakeargs[@]}" runc man +} + +src_install() { + myemakeargs+=( + PREFIX="${ED}/usr" + BINDIR="${ED}/usr/bin" + MANDIR="${ED}/usr/share/man" + ) + emake "${myemakeargs[@]}" install install-man install-bash + + local DOCS=( README.md PRINCIPLES.md docs/. ) + einstalldocs +} + +src_test() { + emake "${myemakeargs[@]}" localunittest +} 
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild new file mode 100644 index 00000000000..766ebb230cb --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild 
@@ -0,0 +1,71 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-module linux-info + +# update on bump, look for commit ID on release tag. +# https://github.com/opencontainers/runc +RUNC_COMMIT=d842d7719497cc3b774fd71620278ac9e17710e0 + +CONFIG_CHECK="~USER_NS" + +DESCRIPTION="runc container cli tools" +HOMEPAGE="https://github.com/opencontainers/runc/" +MY_PV="${PV/_/-}" +SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/${PN}-${MY_PV}" + +LICENSE="Apache-2.0 BSD-2 BSD MIT" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +IUSE="apparmor hardened +kmem +seccomp selinux test" + +COMMON_DEPEND=" + apparmor? ( sys-libs/libapparmor ) + seccomp? ( sys-libs/libseccomp )" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND} + !app-emulation/docker-runc + selinux? ( sec-policy/selinux-container )" +BDEPEND=" + dev-go/go-md2man + test? ( "${RDEPEND}" )" + +# tests need busybox binary, and portage namespace +# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox +# majority of tests pass +RESTRICT+=" test" + +src_compile() { + # build up optional flags + local options=( + $(usev apparmor) + $(usev seccomp) + $(usex kmem '' 'nokmem') + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + COMMIT="${RUNC_COMMIT}" + ) + + emake "${myemakeargs[@]}" runc man +} + +src_install() { + myemakeargs+=( + PREFIX="${ED}/usr" + BINDIR="${ED}/usr/bin" + MANDIR="${ED}/usr/share/man" + ) + emake "${myemakeargs[@]}" install install-man install-bash + + local DOCS=( README.md PRINCIPLES.md docs/. ) + einstalldocs +} + +src_test() { + emake "${myemakeargs[@]}" localunittest +} From de01f337be794a9e2a476b40e4500f8318b1c39c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 7 Nov 2025 13:21:45 +0100 Subject: [PATCH 056/213] app-containers/containerd: Sync with Gentoo It's from Gentoo commit 107cc22593c97542852ee68c564554c2fbfcdf20. 
Signed-off-by: Krzesimir Nowak --- .../app-containers/containerd/Manifest | 1 + .../containerd/containerd-2.1.4.ebuild | 94 +++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.1.4.ebuild diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest index 58d58774588..58c47eae9d7 100644 --- a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest 
@@ -4,3 +4,4 @@ DIST containerd-2.0.4.tar.gz 10450939 BLAKE2B f82ed40eab0f1d186f4fb04217b8f75a9d DIST containerd-2.0.5.tar.gz 10452563 BLAKE2B bf03316c9211eaa17a3b40b1fc9f9aca42fe3e621e086e612eb07c286c6b62bc7a0a2426ce7b6742dce2924d570ab599aefb43463c4fa6be277e562bad79668f SHA512 af89a5c9ad5f931c5fee33c75c13c296fc9ec966f2c64ec244897695eebb365bcb542f6b431e60d4ef7213f0ea11d3a8896d1b7f033ed445e6b521b7ddbffe6f DIST containerd-2.1.0.tar.gz 10610618 BLAKE2B 147c21b4650543af9b0e533e381a0505ba927d6e9270b9b03a09016eb3ccf29875db7fa274944fea2ff7b029b6a05a17d14c61e24b5f3426b31f320831eeb46a SHA512 e9bb128917bb6b2e21a8e05344af3fdcdda8620be20e54407bc2c73046278a88a77bcbed6ef7a59099c9ee3303283db46b90b71afdd45236d3c534749ba844e0 DIST containerd-2.1.1.tar.gz 10610787 BLAKE2B acc2d769752c783643795d228c0d267b0802e09166dc783e84087da0029a822a64688f5e59c047c47b25f50ca2a1ccb7f5b6216ad6beeb4489df308e525e9716 SHA512 542f7cae61e1ef2e1b529b0bea66d7ad9016d4605de73de9c9c8a738e50ec6f470b939d1546482320515b77424bffe1cf24b721173ac0c0ecd0100c92817cfb1 +DIST containerd-2.1.4.tar.gz 10614131 BLAKE2B b8f4007b4bb368a1fa04c913d606f65d2ea4a17a6419ce12f2b6112eee2574d7a09fb8e2500d1c2f21bef8792dc047df4d63446211ae006662e616facda91f24 SHA512 a9f84784e917621ee5ea38ad20b8106e642fbf463a00d319b73a1a8e4d1fdd5be2fba0789b6a5d31107ef239d3713eced99ce979d4b2764714271a63c0936c15 diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.1.4.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.1.4.ebuild new file mode 100644 index 00000000000..005dcab5960 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.1.4.ebuild 
@@ -0,0 +1,94 @@ +# Copyright 2022-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +inherit go-env go-module systemd toolchain-funcs +GIT_REVISION=75cb2b7193e4e490e9fbdc236c0e811ccaba3376 + +DESCRIPTION="A daemon to control runC" +HOMEPAGE="https://containerd.io/" +SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test" + +COMMON_DEPEND=" + btrfs? ( sys-fs/btrfs-progs ) + seccomp? ( sys-libs/libseccomp ) +" + +DEPEND=" +${COMMON_DEPEND} +" + +# recommended minimum version of runc is found in script/setup/runc-version +RDEPEND=" + ${COMMON_DEPEND} + >=app-containers/runc-1.3.0[apparmor?,seccomp?] +" + +BDEPEND=" + dev-go/go-md2man + virtual/pkgconfig +" + +# tests require root or docker +RESTRICT+="test" + +src_prepare() { + default + sed -i \ + -e "s/-s -w//" \ + Makefile || die + sed -i \ + -e "s:/usr/local:/usr:" \ + containerd.service || die +} + +src_compile() { + local options=( + $(usev apparmor) + $(usex btrfs "" "no_btrfs") + $(usex cri "" "no_cri") + $(usex device-mapper "" "no_devmapper") + $(usev seccomp) + $(usev selinux) + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" + REVISION="${GIT_REVISION}" + VERSION=v${PV} + ) + + # The Go env is already set, but reset it for CBUILD in a subshell to allow + # building the man pages when cross-compiling. 
+ ( + CHOST="${CBUILD}" go-env_set_compile_environment + # race condition in man target https://bugs.gentoo.org/765100 + tc-env_build emake "${myemakeargs[@]}" man -j1 #nowarn + ) + + emake "${myemakeargs[@]}" all + +} + +src_install() { + rm bin/gen-manpages || die + dobin bin/* + doman man/* + newconfd "${FILESDIR}"/${PN}.confd "${PN}" + newinitd "${FILESDIR}"/${PN}.initd "${PN}" + systemd_dounit containerd.service + keepdir /var/lib/containerd + + # we already installed manpages, remove markdown source + # before installing docs directory + rm -r docs/man || die + + local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. ) + einstalldocs +} From c0baba4d8acc32b6b1632eeb4674f3648874025b Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 7 Nov 2025 13:29:15 +0100 Subject: [PATCH 057/213] app-container/{containerd,runc}: Bump to 2.0.7 and 1.3.3 Signed-off-by: Krzesimir Nowak --- .../app-containers/containerd/Manifest | 1 + .../containerd/containerd-2.0.7.ebuild | 90 +++++++++++++++++++ .../app-containers/runc/runc-1.3.3.ebuild | 2 +- 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.7.ebuild diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest index 58c47eae9d7..8e19b7425fe 100644 --- a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest 
@@ -2,6 +2,7 @@ DIST containerd-2.0.2.tar.gz 10379986 BLAKE2B aee39f749f056965b899f6525bebe00d46 DIST containerd-2.0.3.tar.gz 10450757 BLAKE2B 5dec56a40dc2874fb0b6fd4d72704f6417858eefd983c8ec5dfb2c9ef8be1e9e309cff83395e03c2d5fef30ed5c0561329ffbcd3dfba91e40d8017f7a605771b SHA512 9528a65d9d9f13d15d861f7ce71ab483958020bda83947d18868b477204e9e2e33eccc69280502c54b2be9ce577724e3e2b1772229c99636099b04bac1079ac1 DIST containerd-2.0.4.tar.gz 10450939 BLAKE2B f82ed40eab0f1d186f4fb04217b8f75a9da8e33b1140c0b5866dcc61e17fe1040f31ef09bdb07ad98a52def5e9eb12cfeb635e96b2c5f64fdb4d8cfb6c84b885 SHA512 f84e0cc0b82313df010b95989faf56e81ebfbbc321585b968c8c706917b91a9f0d895692fa5046f24f1c370de7a74b50daf83da617fe0595e5a8ff69ed658727 DIST containerd-2.0.5.tar.gz 10452563 BLAKE2B bf03316c9211eaa17a3b40b1fc9f9aca42fe3e621e086e612eb07c286c6b62bc7a0a2426ce7b6742dce2924d570ab599aefb43463c4fa6be277e562bad79668f SHA512 af89a5c9ad5f931c5fee33c75c13c296fc9ec966f2c64ec244897695eebb365bcb542f6b431e60d4ef7213f0ea11d3a8896d1b7f033ed445e6b521b7ddbffe6f +DIST containerd-2.0.7.tar.gz 10465656 BLAKE2B 656787c91e913fee32af282bfe82dd78a2732b113ff06adb157787efd5ddca31d13e7acf26e5e59ef51d233ecdee8b89200a9a8048e8422b6d4bd272a047c1ac SHA512 393e6f6357806367b7e007da7f2a951fb4330750d4e16c8e612f49c9b5d62a9f6a2b866dc12317da11dc75f2f2cd7e2e9b5118a3f07e5a68d3475d0449844a4f DIST containerd-2.1.0.tar.gz 10610618 BLAKE2B 147c21b4650543af9b0e533e381a0505ba927d6e9270b9b03a09016eb3ccf29875db7fa274944fea2ff7b029b6a05a17d14c61e24b5f3426b31f320831eeb46a SHA512 e9bb128917bb6b2e21a8e05344af3fdcdda8620be20e54407bc2c73046278a88a77bcbed6ef7a59099c9ee3303283db46b90b71afdd45236d3c534749ba844e0 DIST containerd-2.1.1.tar.gz 10610787 BLAKE2B acc2d769752c783643795d228c0d267b0802e09166dc783e84087da0029a822a64688f5e59c047c47b25f50ca2a1ccb7f5b6216ad6beeb4489df308e525e9716 SHA512 542f7cae61e1ef2e1b529b0bea66d7ad9016d4605de73de9c9c8a738e50ec6f470b939d1546482320515b77424bffe1cf24b721173ac0c0ecd0100c92817cfb1 DIST containerd-2.1.4.tar.gz 
10614131 BLAKE2B b8f4007b4bb368a1fa04c913d606f65d2ea4a17a6419ce12f2b6112eee2574d7a09fb8e2500d1c2f21bef8792dc047df4d63446211ae006662e616facda91f24 SHA512 a9f84784e917621ee5ea38ad20b8106e642fbf463a00d319b73a1a8e4d1fdd5be2fba0789b6a5d31107ef239d3713eced99ce979d4b2764714271a63c0936c15 diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.7.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.7.ebuild new file mode 100644 index 00000000000..2edd8edc636 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.7.ebuild 
@@ -0,0 +1,90 @@ +# Copyright 2022-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +inherit go-module systemd +GIT_REVISION=4ac6c20c7bbf8177f29e46bbdc658fec02ffb8ad + +DESCRIPTION="A daemon to control runC" +HOMEPAGE="https://containerd.io/" +SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86" +IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test" + +COMMON_DEPEND=" + btrfs? ( sys-fs/btrfs-progs ) + seccomp? ( sys-libs/libseccomp ) +" + +DEPEND=" +${COMMON_DEPEND} +" + +# recommended minimum version of runc is found in script/setup/runc-version +RDEPEND=" + ${COMMON_DEPEND} + >=app-containers/runc-1.3.3[apparmor?,seccomp?] +" + +BDEPEND=" + dev-go/go-md2man + virtual/pkgconfig +" + +# tests require root or docker +RESTRICT+="test" + +src_prepare() { + default + sed -i \ + -e "s/-s -w//" \ + -e "s/-mod=readonly//" \ + Makefile || die + sed -i \ + -e "s:/usr/local:/usr:" \ + containerd.service || die +} + +src_compile() { + local options=( + $(usev apparmor) + $(usex btrfs "" "no_btrfs") + $(usex cri "" "no_cri") + $(usex device-mapper "" "no_devmapper") + $(usev seccomp) + $(usev selinux) + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" + REVISION="${GIT_REVISION}" + VERSION=v${PV} + ) + + # race condition in man target https://bugs.gentoo.org/765100 + # we need to explicitly specify GOFLAGS for "go run" to use vendor source + emake "${myemakeargs[@]}" man -j1 #nowarn + emake "${myemakeargs[@]}" all + +} + +src_install() { + rm bin/gen-manpages || die + dobin bin/* + doman man/* + newconfd "${FILESDIR}"/${PN}.confd "${PN}" + newinitd "${FILESDIR}"/${PN}.initd "${PN}" + systemd_dounit containerd.service + keepdir /var/lib/containerd + + # we already installed manpages, remove markdown source + # before installing docs directory + 
rm -r docs/man || die + + local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. ) + einstalldocs +} diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild index 766ebb230cb..f5d678fd98a 100644 --- a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild @@ -19,7 +19,7 @@ S="${WORKDIR}/${PN}-${MY_PV}" LICENSE="Apache-2.0 BSD-2 BSD MIT" SLOT="0" -KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv ~x86" IUSE="apparmor hardened +kmem +seccomp selinux test" COMMON_DEPEND=" From 8bc62695e0b2a2ecbc3f43ed88bd8acdd63ad0ab Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 7 Nov 2025 13:40:52 +0100 Subject: [PATCH 058/213] changelog: Add entries Signed-off-by: Krzesimir Nowak --- changelog/security/2025-11-07-runc-containerd.md | 2 ++ changelog/updates/2025-11-07-runc-containerd.md | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 changelog/security/2025-11-07-runc-containerd.md create mode 100644 changelog/updates/2025-11-07-runc-containerd.md diff --git a/changelog/security/2025-11-07-runc-containerd.md b/changelog/security/2025-11-07-runc-containerd.md new file mode 100644 index 00000000000..3a317a677d2 --- /dev/null +++ b/changelog/security/2025-11-07-runc-containerd.md @@ -0,0 +1,2 @@ +- containerd ([CVE-2024-25621](https://www.cve.org/CVERecord?id=CVE-2024-25621), [CVE-2025-64329](https://www.cve.org/CVERecord?id=CVE-2025-64329)) +- runc ([CVE-2025-31133](https://www.cve.org/CVERecord?id=CVE-2025-31133), [CVE-2025-52565](https://www.cve.org/CVERecord?id=CVE-2025-52565), [CVE-2025-52881](https://www.cve.org/CVERecord?id=CVE-2025-52881)) 
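Review bot: In `src_compile` of the new containerd-2.0.7.ebuild, the comment `# we need to explicitly specify GOFLAGS for "go run" to use vendor source` does not match the code. Neither `myemakeargs` nor the `emake ... man -j1` call sets GOFLAGS, and the only related step is the `-e "s/-mod=readonly//"` sed in `src_prepare`. Reword it to what the ebuild does, for example `# -mod=readonly is stripped from the Makefile in src_prepare; no GOFLAGS override is passed here`, or drop it. Separately, `KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"` marks ppc64 stable while the runc-1.3.3 hunk in this same commit stabilises only amd64 and arm64, so it is worth confirming that is intended.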
diff --git a/changelog/updates/2025-11-07-runc-containerd.md b/changelog/updates/2025-11-07-runc-containerd.md new file mode 100644 index 00000000000..e6cea0735a4 --- /dev/null +++ b/changelog/updates/2025-11-07-runc-containerd.md @@ -0,0 +1,2 @@ +- runc ([1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3) (includes [1.3.2](https://github.com/opencontainers/runc/releases/tag/v1.3.2), [1.3.1](https://github.com/opencontainers/runc/releases/tag/v1.3.1), [1.3.0](https://github.com/opencontainers/runc/releases/tag/v1.3.0))) +- containerd ([2.0.7](https://github.com/containerd/containerd/releases/tag/v2.0.7) (includes [2.0.6](https://github.com/containerd/containerd/releases/tag/v2.0.6))) From 7c7eb2686cb004fe08624e5ef2f34c17b50df2e0 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Thu, 6 Nov 2025 17:44:47 +0100 Subject: [PATCH 059/213] ci-automation/release.sh: 'the input device is not a TTY' This has been raised in current CI. Signed-off-by: Mathieu Tortuyaux --- ci-automation/release.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-automation/release.sh b/ci-automation/release.sh index cc3a9b840e8..c17312aa642 100644 --- a/ci-automation/release.sh +++ b/ci-automation/release.sh @@ -164,8 +164,8 @@ function copy_from_bincache_to_bucket() { local arch="${2}" local version="${3}" - echo "Copy the images from bincache to CloudFlare bucket" - docker run --rm -ti \ + echo "Copying the images from bincache to CloudFlare bucket" + docker run --rm \ -v "${RCLONE_CONFIGURATION_FILE}:/opt/rclone.conf:ro" \ docker.io/rclone/rclone:1.71.1 \ --config "/opt/rclone.conf" \ From b4a77c42974eb622e6dc4dab7dbfa562195ab83b Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 7 Nov 2025 14:26:19 +0000 Subject: [PATCH 060/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
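Review bot: The `docker run` in `copy_from_bincache_to_bucket` references `docker.io/rclone/rclone:1.71.1` by tag only, and that container is handed the rclone configuration through the `-v ...:/opt/rclone.conf:ro` mount. That file presumably holds the credentials for the release bucket, so a re-pushed tag would run with them. Pin the image by digest as well, `docker.io/rclone/rclone:1.71.1@sha256:<digest of the reviewed image>` (placeholder; take the value from the image that was actually vetted). The image line is context here rather than something this commit changes, and the function body continues past the end of the hunk.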
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 9ae60d8de12..60bd2a7e563 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-a943b9a4d1fdf80c6d66a030e2e129f08b1c8d44 +ghcr.io/flatcar/mantle:git-ae5d57df64af4aa8c2ff640644fd8cb90c46bf30 From 3a35257f9ed091f4d7a1d30f2d4f5d21bc5c093d Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Fri, 7 Nov 2025 21:00:31 +0000 Subject: [PATCH 061/213] New version: beta-4459.1.0-nightly-20251107-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index a7d5419c4ab..e5a14736049 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251105-2100 +FLATCAR_VERSION=4459.1.0+nightly-20251107-2100 FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251105-2100" +FLATCAR_BUILD_ID="nightly-20251107-2100" FLATCAR_SDK_VERSION=4459.0.0 From 78b8a84370d4eb3c3cf97eadd535d1797da620b9 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 10 Nov 2025 13:27:02 +0100 Subject: [PATCH 062/213] New version: beta-4459.1.1 Signed-off-by: Mathieu Tortuyaux --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index e5a14736049..8d5b1c1cb4c 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.0+nightly-20251107-2100 -FLATCAR_VERSION_ID=4459.1.0 -FLATCAR_BUILD_ID="nightly-20251107-2100" +FLATCAR_VERSION=4459.1.1 +FLATCAR_VERSION_ID=4459.1.1 +FLATCAR_BUILD_ID="" FLATCAR_SDK_VERSION=4459.0.0 From 3c4ff3e55187f1517aaebe347f3d4081340dc209 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 10 Nov 2025 13:27:49 +0100 Subject: [PATCH 063/213] New version: stable-4459.2.0 Signed-off-by: Mathieu Tortuyaux --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 8d5b1c1cb4c..e57bd980180 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.1 -FLATCAR_VERSION_ID=4459.1.1 +FLATCAR_VERSION=4459.2.0 +FLATCAR_VERSION_ID=4459.2.0 FLATCAR_BUILD_ID="" FLATCAR_SDK_VERSION=4459.0.0 From 41d9c32c30dea38947c242f8000097708263af46 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Tue, 11 Nov 2025 23:17:45 +0900 Subject: [PATCH 064/213] ci-automation/release: Set up rclone config for mapping into container The wrong variable was used to set up the mapping of the rclone config into the rclone container and it wasn't set up in the right function. Move it into the right function and use the right variable name but also don't rely on /proc/PID/fd/FD to be mappable into the container but instead use a regular temp file. Signed-off-by: Kai Lueke --- ci-automation/release.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ci-automation/release.sh b/ci-automation/release.sh index c17312aa642..5074297ce50 100644 --- a/ci-automation/release.sh +++ b/ci-automation/release.sh 
@@ -91,8 +91,6 @@ function _inside_mantle() { secret_to_file gcp_json_key_path "${GCP_JSON_KEY}" google_release_credentials_file="" secret_to_file google_release_credentials_file "${GOOGLE_RELEASE_CREDENTIALS}" - rclone_configuration_file="" - secret_to_file rclone_configuration_file "${RCLONE_CONFIGURATION_FILE}" for platform in aws azure; do for arch in amd64 arm64; do @@ -164,13 +162,21 @@ function copy_from_bincache_to_bucket() { local arch="${2}" local version="${3}" + rclone_configuration_file="$(mktemp)" + chmod 600 "${rclone_configuration_file}" + + ( + trap "rm -f ${rclone_configuration_file}" EXIT + echo "${RCLONE_CONFIGURATION_FILE}" | base64 --decode > "${rclone_configuration_file}" + echo "Copying the images from bincache to CloudFlare bucket" docker run --rm \ - -v "${RCLONE_CONFIGURATION_FILE}:/opt/rclone.conf:ro" \ + -v "${rclone_configuration_file}:/opt/rclone.conf:ro" \ docker.io/rclone/rclone:1.71.1 \ --config "/opt/rclone.conf" \ sync \ --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" + ) # Note: There is no "current" symlink and when switching the release to current we # could at a later stage (when the update payloads are selected in Nebraska) either # use folder copies where we delete the old "current" folder first, or we could From 56457118e9548acf8e17df3b5206d0c411c74826 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Tue, 11 Nov 2025 23:22:17 +0900 Subject: [PATCH 065/213] ci-automation/release.sh: Update comment about current state Signed-off-by: Kai Lueke --- ci-automation/release.sh | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/ci-automation/release.sh b/ci-automation/release.sh index 5074297ce50..0f20ed4ccaf 100644 --- a/ci-automation/release.sh +++ b/ci-automation/release.sh 
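Review bot: In the `copy_from_bincache_to_bucket` hunk, `rclone_configuration_file` is assigned without `local` (unlike `arch` and `version` in the context lines above it), so the path of the decoded credentials file stays set in the caller's scope, and the `trap` string is double-quoted, so the path is expanded when the trap is installed and then used unquoted. I would write `local rclone_configuration_file` before the `mktemp` line and `trap 'rm -f -- "${rclone_configuration_file}"' EXIT` inside the subshell. The `chmod 600` is harmless but likely redundant, since GNU mktemp already creates the file readable by its owner only. The same lines are repeated in the `publish_sdk` hunk of patch 073, where the same two changes apply. The function starts before this hunk and continues after it.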
@@ -177,11 +177,6 @@ function copy_from_bincache_to_bucket() { sync \ --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" ) - # Note: There is no "current" symlink and when switching the release to current we - # could at a later stage (when the update payloads are selected in Nebraska) either - # use folder copies where we delete the old "current" folder first, or we could - # use a clever Caddy redirect to make "current" point to the wanted version for - # each channel. } function publish_sdk() { @@ -249,12 +244,13 @@ function _release_build_impl() { echo "====" - # Future: trigger copy to Origin in a secure way # Future: trigger update payload signing + + # In separate unified pipeline with sub jobs per channel? # Future: trigger website update # Future: trigger release email sending # Future: trigger push to nebraska - # Future: trigger Origin symlink switch + # Future: trigger Origin current-release.txt switch } TEMPLATE=' From cc4903cdf201b6307fed610a219b25f22b0744ee Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Tue, 11 Nov 2025 20:15:39 +0530 Subject: [PATCH 066/213] New version: beta-4459.1.1 Signed-off-by: Sayan Chowdhury --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index e57bd980180..8d5b1c1cb4c 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.0 -FLATCAR_VERSION_ID=4459.2.0 +FLATCAR_VERSION=4459.1.1 +FLATCAR_VERSION_ID=4459.1.1 FLATCAR_BUILD_ID="" FLATCAR_SDK_VERSION=4459.0.0 From a540c72d3d3bb2974763c141741acfcf59a1a241 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 11 Nov 2025 21:00:43 +0000 Subject: [PATCH 067/213] Update mantle container image to latest HEAD 
Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 60bd2a7e563..53958b7f358 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-ae5d57df64af4aa8c2ff640644fd8cb90c46bf30 +ghcr.io/flatcar/mantle:git-440a5980874819a7153591edcb081ee19dad91fa From 71b53fca90d0ed289ad95fe0123259e2b65fc016 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Wed, 12 Nov 2025 16:20:23 +0900 Subject: [PATCH 068/213] ci-automation/release.sh: Skip bucket copy on failure until it works We got a DNS resolution problem due to UDP packets not going to the configured server. For now try the host network (and otherwise maybe a custom DNS server?). But in any case we should not block the release on that and continue. Signed-off-by: Kai Lueke --- ci-automation/release.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-automation/release.sh b/ci-automation/release.sh index 0f20ed4ccaf..8d5f30a605e 100644 --- a/ci-automation/release.sh +++ b/ci-automation/release.sh @@ -170,12 +170,12 @@ function copy_from_bincache_to_bucket() { echo "${RCLONE_CONFIGURATION_FILE}" | base64 --decode > "${rclone_configuration_file}" echo "Copying the images from bincache to CloudFlare bucket" - docker run --rm \ + docker run --rm --net host \ -v "${rclone_configuration_file}:/opt/rclone.conf:ro" \ docker.io/rclone/rclone:1.71.1 \ --config "/opt/rclone.conf" \ sync \ - --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" + --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" || { echo "ERROR: Skipping bucket copy due to failure" ; } ) } 
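Review bot: The `|| { echo "ERROR: ..." ; }` appended to the `sync` line in the `release.sh` hunk turns every failure of the `docker run` into success and prints the message on stdout, so a release whose bucket copy was skipped cannot be told apart from a complete one by exit status or by the error stream. If the release must not block on this, the message should at least go to stderr and say what was skipped: `|| { echo "ERROR: Skipping bucket copy of ${arch}/${version} due to failure" >&2 ; }`. `--net host` also drops network isolation for a container that has the bucket credentials mounted; the description presents it as a first attempt at a DNS problem, so a comment such as `# TODO: temporary DNS workaround, remove --net host once resolution works in the container` would keep it from becoming permanent, and docker's `--dns` option is the narrower alternative the description hints at. The function starts before this hunk.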
From 0469e001bda45817ff38e45026dca5724d144043 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Wed, 12 Nov 2025 13:14:28 +0530
Subject: [PATCH 069/213] New version: beta-4459.1.1
Signed-off-by: Sayan Chowdhury
From b05bc386b7494cb0a368317459f77e525329c04b Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Wed, 12 Nov 2025 16:25:29 +0530
Subject: [PATCH 070/213] New version: stable-4459.2.0
Signed-off-by: Sayan Chowdhury
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 8d5b1c1cb4c..e57bd980180 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.1
-FLATCAR_VERSION_ID=4459.1.1
+FLATCAR_VERSION=4459.2.0
+FLATCAR_VERSION_ID=4459.2.0
 FLATCAR_BUILD_ID=""
 FLATCAR_SDK_VERSION=4459.0.0
From c3fc8c31ac87049f43be70142a54058d62568406 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Wed, 12 Nov 2025 14:43:45 +0000
Subject: [PATCH 071/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 60bd2a7e563..53958b7f358 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-ae5d57df64af4aa8c2ff640644fd8cb90c46bf30
+ghcr.io/flatcar/mantle:git-440a5980874819a7153591edcb081ee19dad91fa
From 61006afa3c37ff68a6e8bc65e16aef8af8ce8354 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Wed, 12 Nov 2025 21:00:29 +0000
Subject: [PATCH 072/213] New version: beta-4459.1.1-nightly-20251112-2100
Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index e57bd980180..8633d2e5b56 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.0 -FLATCAR_VERSION_ID=4459.2.0 -FLATCAR_BUILD_ID="" +FLATCAR_VERSION=4459.1.1+nightly-20251112-2100 +FLATCAR_VERSION_ID=4459.1.1 +FLATCAR_BUILD_ID="nightly-20251112-2100" FLATCAR_SDK_VERSION=4459.0.0 From 0ec42cc213fb1c13198909f76c18855944b79c13 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 12 Nov 2025 10:54:30 +0100 Subject: [PATCH 073/213] ci/release: copy secondary artifacts from bincache this logic takes care of copying binary packages, SDK and packages containers to cloudflare bucket in the `r2:flatcar/mirror/` location Signed-off-by: Mathieu Tortuyaux --- ci-automation/release.sh | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/ci-automation/release.sh b/ci-automation/release.sh index 8d5f30a605e..86c88dea0c0 100644 --- a/ci-automation/release.sh +++ b/ci-automation/release.sh 
@@ -175,7 +175,27 @@ function copy_from_bincache_to_bucket() { docker.io/rclone/rclone:1.71.1 \ --config "/opt/rclone.conf" \ sync \ - --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" || { echo "ERROR: Skipping bucket copy due to failure" ; } + --http-url "https://${BUILDCACHE_SERVER}/images/${arch}/${version}" :http: "r2:flatcar/${channel}/${arch}-usr/${version}" || { echo "ERROR: Skipping images copy to bucket due to failure" ; } + + echo "Copying the binary packages from bincache to CloudFlare bucket" + docker run --rm --net host \ + -v "${rclone_configuration_file}:/opt/rclone.conf:ro" \ + docker.io/rclone/rclone:1.71.1 \ + --config "/opt/rclone.conf" \ + sync \ + --http-url "https://${BUILDCACHE_SERVER}/boards/${arch}-usr/${version}" :http: "r2:flatcar/mirror/boards/${arch}-usr/${version}" || { echo "ERROR: Skipping binary packages copy to bucket due to failure" ; } + + # Only copy once the 'containers' artifacts + if [ "${arch}" = "amd64" ]; then + echo "Copying SDK and packages containers from bincache to CloudFlare bucket" + docker run --rm --net host \ + -v "${rclone_configuration_file}:/opt/rclone.conf:ro" \ + docker.io/rclone/rclone:1.71.1 \ + --config "/opt/rclone.conf" \ + sync \ + --http-url "https://${BUILDCACHE_SERVER}/containers/${version}" :http: "r2:flatcar/mirror/containers/${version}" || { echo "ERROR: Skipping containers copy (SDK / packages) to bucket due to failure" ; } + fi + ) } 
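Review bot: The three `docker run` blocks in this hunk, and the fourth one added to `publish_sdk` in the next hunk, are copies that differ only in source path, destination and error text, and each mounts the bucket credentials into `docker.io/rclone/rclone:1.71.1`, which is a tag rather than a digest. A small helper would keep the image reference, the `--net host` workaround and the failure handling in one place, and that place can then pin the image as `docker.io/rclone/rclone:1.71.1@sha256:<digest>` (placeholder; take the digest from the registry). `sync` also makes the destination match the source, so it can overwrite or delete objects already under `r2:flatcar/mirror/...`; if published artifacts are meant to stay unchanged, `copy`, optionally with `--immutable`, looks like the safer verb, though whether deletion is intended is not visible from this hunk. The function starts before this hunk.

```shell
# Sync one bincache directory into the bucket; a failure is reported but not fatal.
# Must be called from the subshell that creates and removes ${rclone_configuration_file}.
function _rclone_sync_from_bincache() {
  local src_path="${1}"
  local dest="${2}"
  local what="${3}"

  echo "Copying ${what} from bincache to CloudFlare bucket"
  docker run --rm --net host \
    -v "${rclone_configuration_file}:/opt/rclone.conf:ro" \
    docker.io/rclone/rclone:1.71.1 \
    --config "/opt/rclone.conf" \
    sync \
    --http-url "https://${BUILDCACHE_SERVER}/${src_path}" :http: "${dest}" \
    || { echo "ERROR: Skipping ${what} copy to bucket due to failure" >&2 ; }
}

# ... unchanged: temp file creation, trap and base64 decode ...
  _rclone_sync_from_bincache "images/${arch}/${version}" "r2:flatcar/${channel}/${arch}-usr/${version}" "images"
  _rclone_sync_from_bincache "boards/${arch}-usr/${version}" "r2:flatcar/mirror/boards/${arch}-usr/${version}" "binary packages"

  # Only copy once the 'containers' artifacts
  if [ "${arch}" = "amd64" ]; then
    _rclone_sync_from_bincache "containers/${version}" "r2:flatcar/mirror/containers/${version}" "SDK and packages containers"
  fi
```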
@@ -200,6 +220,22 @@ function publish_sdk() { docker_image_from_registry_or_buildcache "${sdk_name}" "${docker_sdk_vernum}" docker push "${sdk_container_common_registry}/flatcar-sdk-${a}:${docker_sdk_vernum}" done + + rclone_configuration_file="$(mktemp)" + chmod 600 "${rclone_configuration_file}" + + ( + trap "rm -f ${rclone_configuration_file}" EXIT + echo "${RCLONE_CONFIGURATION_FILE}" | base64 --decode > "${rclone_configuration_file}" + + echo "Copying the SDK from bincache to CloudFlare bucket" + docker run --rm --net host \ + -v "${rclone_configuration_file}:/opt/rclone.conf:ro" \ + docker.io/rclone/rclone:1.71.1 \ + --config "/opt/rclone.conf" \ + sync \ + --http-url "https://${BUILDCACHE_SERVER}/sdk/amd64/${docker_sdk_vernum}" :http: "r2:flatcar/mirror/sdk/amd64/${docker_sdk_vernum}" || { echo "ERROR: Skipping SDK copy to bucket due to failure" ; } + ) } function _release_build_impl() { From 3b67bedc38f15259ff1742125362801fd89eb2b9 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Thu, 13 Nov 2025 10:58:11 +0100 Subject: [PATCH 074/213] ci/config: remove RELEASES_SERVER This does not seem to be used anywhere here and can be misleading Signed-off-by: Mathieu Tortuyaux --- ci-automation/ci-config.env | 1 - 1 file changed, 1 deletion(-) diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index cfacd062975..791a9b114fc 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env @@ -12,7 +12,6 @@ BUILDCACHE_SERVER="${BUILDCACHE_SERVER:-bincache.flatcar-linux.net}" BUILDCACHE_PATH_PREFIX="/srv/bincache" BUILDCACHE_USER="bincache" -RELEASES_SERVER="mirror.release.flatcar-linux.net" CONTAINER_REGISTRY="ghcr.io/flatcar" RELEASES_JSON_FEED="https://www.flatcar.org/releases-json/releases.json" From 7d0fd9092c830777cca4e1c023a734f954099658 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 13 Nov 2025 21:00:26 +0000 Subject: [PATCH 075/213] New version: stable-4459.2.0-nightly-20251113-2100 
Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 8633d2e5b56..6d573726687 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.1+nightly-20251112-2100 -FLATCAR_VERSION_ID=4459.1.1 -FLATCAR_BUILD_ID="nightly-20251112-2100" +FLATCAR_VERSION=4459.2.0+nightly-20251113-2100 +FLATCAR_VERSION_ID=4459.2.0 +FLATCAR_BUILD_ID="nightly-20251113-2100" FLATCAR_SDK_VERSION=4459.0.0 From 17d292252ab2ee2146e9eabdf04c7da029da2b1f Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Thu, 9 Oct 2025 16:09:29 +0200 Subject: [PATCH 076/213] sys-apps/systemd: allow @mount syscalls for systemd-udevd.service In Flatcar we are using modprobe helpers that run depmod in temporary overlay. systemd-udevd.service may try to load drivers for some block devices (e.g. ZFS), which ends up calling our helpers, which invoke mount command. The mount syscalls are forbidden by the default systemd-udevd syscall filter. Signed-off-by: Daniel Zatovic Signed-off-by: James Le Cuirot --- .../bugfixes/2025-11-05-fix-modprobe-via-udevd.md | 1 + .../coreos/config/env/sys-apps/systemd | 13 +++++++++++++ ...temd-256.9-r1.ebuild => systemd-256.9-r2.ebuild} | 0 ...systemd-257.7.ebuild => systemd-257.7-r1.ebuild} | 0 4 files changed, 14 insertions(+) create mode 100644 changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-256.9-r1.ebuild => systemd-256.9-r2.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-257.7.ebuild => systemd-257.7-r1.ebuild} (100%) 
diff --git a/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md b/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md new file mode 100644 index 00000000000..da0e38ffc65 --- /dev/null +++ b/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md @@ -0,0 +1 @@ +- Fixed the loading of kernel modules from system extensions via udev (e.g. at boot time). diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd index 3806da9f578..f5f1ad0bbbe 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd @@ -11,3 +11,16 @@ After=ensure-sysext.service EOF popd } + +cros_post_src_install_udev() { + insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d" + newins - flatcar.conf < Date: Fri, 14 Nov 2025 21:00:32 +0000 Subject: [PATCH 077/213] New version: beta-4459.1.1-nightly-20251114-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 6d573726687..760c9c3b58d 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.0+nightly-20251113-2100 -FLATCAR_VERSION_ID=4459.2.0 -FLATCAR_BUILD_ID="nightly-20251113-2100" +FLATCAR_VERSION=4459.1.1+nightly-20251114-2100 +FLATCAR_VERSION_ID=4459.1.1 +FLATCAR_BUILD_ID="nightly-20251114-2100" FLATCAR_SDK_VERSION=4459.0.0 From 13244444a94979d3e5a348f3f28b9b6d4a201da3 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 17 Nov 2025 21:00:45 +0000 Subject: [PATCH 078/213] Update mantle container image to latest HEAD 
Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 53958b7f358..ff82d3b7b21 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-440a5980874819a7153591edcb081ee19dad91fa +ghcr.io/flatcar/mantle:git-b1cad9fdb92baf9bc51dc64f34219a9c2ebb98c7 From a9e64e07a2cab95c496cce134429c0ee4402d12b Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 27 Oct 2025 16:41:37 +0100 Subject: [PATCH 079/213] ci-config: use new bincache server Signed-off-by: Mathieu Tortuyaux --- ci-automation/ci-config.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index 791a9b114fc..441b021ecca 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env @@ -9,7 +9,7 @@ # - http and https (WITHOUT auto-redirect) # - ssh for BUILDCACHE_USER BUILDCACHE_SERVER="${BUILDCACHE_SERVER:-bincache.flatcar-linux.net}" -BUILDCACHE_PATH_PREFIX="/srv/bincache" +BUILDCACHE_PATH_PREFIX="/mnt/buckets/linode-bincache" BUILDCACHE_USER="bincache" CONTAINER_REGISTRY="ghcr.io/flatcar" From e9a4308fef87769db3ffa4ebca790a0d64680a3d Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 19 Nov 2025 08:30:42 +0000 Subject: [PATCH 080/213] New version: beta-4459.1.1-nightly-20251119-0830 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 760c9c3b58d..20dcc5edf11 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.1+nightly-20251114-2100
+FLATCAR_VERSION=4459.1.1+nightly-20251119-0830
 FLATCAR_VERSION_ID=4459.1.1
-FLATCAR_BUILD_ID="nightly-20251114-2100"
+FLATCAR_BUILD_ID="nightly-20251119-0830"
 FLATCAR_SDK_VERSION=4459.0.0
From f61904379f193bb8ad931e0abaa5e7775190b1ff Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Wed, 19 Nov 2025 21:00:29 +0000
Subject: [PATCH 081/213] New version: beta-4459.1.1-nightly-20251119-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 20dcc5edf11..87068102357 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.1+nightly-20251119-0830
+FLATCAR_VERSION=4459.1.1+nightly-20251119-2100
 FLATCAR_VERSION_ID=4459.1.1
-FLATCAR_BUILD_ID="nightly-20251119-0830"
+FLATCAR_BUILD_ID="nightly-20251119-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 46ffd3b5a6da7836de896580577002fec65cf72a Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 20 Nov 2025 21:00:28 +0000
Subject: [PATCH 082/213] New version: stable-4459.2.0-nightly-20251120-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 87068102357..0c63caf0fa3 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.1+nightly-20251119-2100
-FLATCAR_VERSION_ID=4459.1.1
-FLATCAR_BUILD_ID="nightly-20251119-2100"
+FLATCAR_VERSION=4459.2.0+nightly-20251120-2100
+FLATCAR_VERSION_ID=4459.2.0
+FLATCAR_BUILD_ID="nightly-20251120-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 0300e9c71d29da441ed7f169440457f8d14e407c Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Fri, 14 Nov 2025 07:06:05 +0000
Subject: [PATCH 083/213] sys-kernel/coreos-sources: Update from 6.12.54 to 6.12.58
Signed-off-by: Flatcar Buildbot
---
 changelog/updates/2025-11-14-linux-6.12.58-update.md | 1 +
 .../{hv-daemons-6.12.54.ebuild => hv-daemons-6.12.58.ebuild} | 0
 ...oreos-kernel-6.12.54.ebuild => coreos-kernel-6.12.58.ebuild} | 0
 ...eos-modules-6.12.54.ebuild => coreos-modules-6.12.58.ebuild} | 0
 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +-
 ...eos-sources-6.12.54.ebuild => coreos-sources-6.12.58.ebuild} | 0
 6 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog/updates/2025-11-14-linux-6.12.58-update.md
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.54.ebuild => hv-daemons-6.12.58.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.54.ebuild => coreos-kernel-6.12.58.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.54.ebuild => coreos-modules-6.12.58.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.54.ebuild => coreos-sources-6.12.58.ebuild} (100%)
diff --git a/changelog/updates/2025-11-14-linux-6.12.58-update.md b/changelog/updates/2025-11-14-linux-6.12.58-update.md
new file mode 100644
index 00000000000..4a21dba1024
--- /dev/null
+++ b/changelog/updates/2025-11-14-linux-6.12.58-update.md
@@ -0,0 +1 @@
+- Linux ([6.12.58](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.58) (includes [6.12.57](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.57), [6.12.56](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.56), [6.12.55](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.55)))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.54.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.58.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.54.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.58.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.58.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.58.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.54.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.58.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.54.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.58.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 05a8d04998b..77c27fc312f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@
 DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
-DIST patch-6.12.54.xz 3096864 BLAKE2B f5bff8166a5a45535092614ef9ed1d9e39064fd2762f0d71e852a87437326892c9d25a095ad51eb3b7fdfe266ba5f16d271303b98c4c1c6ed1716cfa09b669bb SHA512 744143218b5258a67f4b00126c72d7630b6e563dd0cc0a9cf685bc38cb48dc217d717053117e72a52fba061b2171a99ef64d992288f75500f069c617d1663b5b
+DIST patch-6.12.58.xz 3286180 BLAKE2B 6a96368f7c0db35442897ef811f2601c985e61d87928be77c84dd460dd935cfc0562239ab88341877535a25e84d571fd50641560b2f9b496905c1f22403af183 SHA512 dcbe11090c4c2020b05ad3930cad292191608b953676158255679f56075639baf666eed7421f775218d06798dbc99a9816ccf31cdaf6ab09cdc9b022527ed79c
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.54.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.58.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.54.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.58.ebuild
From 19d7b3a176d831f91b92a7c49f1ca6c0f6024621 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Mon, 24 Nov 2025 00:48:15 +0530
Subject: [PATCH 084/213] New version: beta-4459.1.2
Signed-off-by: Sayan Chowdhury
---
 sdk_container/.repo/manifests/version.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 0c63caf0fa3..ea0923b50d1 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.0+nightly-20251120-2100
-FLATCAR_VERSION_ID=4459.2.0
-FLATCAR_BUILD_ID="nightly-20251120-2100"
+FLATCAR_VERSION=4459.1.2
+FLATCAR_VERSION_ID=4459.1.2
+FLATCAR_BUILD_ID=""
 FLATCAR_SDK_VERSION=4459.0.0
From 996a905679e1ab680738cec98dd02edd2e8c595b Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Mon, 24 Nov 2025 00:49:58 +0530
Subject: [PATCH 085/213] New version: stable-4459.2.1
Signed-off-by: Sayan Chowdhury
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index ea0923b50d1..f1342b563d3 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.1.2
-FLATCAR_VERSION_ID=4459.1.2
+FLATCAR_VERSION=4459.2.1
+FLATCAR_VERSION_ID=4459.2.1
 FLATCAR_BUILD_ID=""
 FLATCAR_SDK_VERSION=4459.0.0
From f000fd79372124784b7dbe76166f9f443c797efb Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 24 Nov 2025 07:03:12 +0000
Subject: [PATCH 086/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index ff82d3b7b21..479d3d511ca 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-b1cad9fdb92baf9bc51dc64f34219a9c2ebb98c7
+ghcr.io/flatcar/mantle:git-14077514e7a6d01831b759b4d493411acc8f7bc3
From 8b63f5d1f674605188cfec0edf241b8a2d666f0e Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 24 Nov 2025 07:11:11 +0000
Subject: [PATCH 087/213] app-misc/ca-certificates: Update from 3.117 to 3.118.1
Signed-off-by: Flatcar Buildbot
---
 changelog/updates/2025-11-24-ca-certificates-3.118.1-update.md | 1 +
 .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +-
 ...certificates-3.117.ebuild => ca-certificates-3.118.1.ebuild} | 0
 3 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog/updates/2025-11-24-ca-certificates-3.118.1-update.md
 rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.117.ebuild => ca-certificates-3.118.1.ebuild} (100%)
diff --git a/changelog/updates/2025-11-24-ca-certificates-3.118.1-update.md b/changelog/updates/2025-11-24-ca-certificates-3.118.1-update.md
new file mode 100644
index 00000000000..3246ed5c527
--- /dev/null
+++ b/changelog/updates/2025-11-24-ca-certificates-3.118.1-update.md
@@ -0,0 +1 @@
+- ca-certificates ([3.118.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_118_1.html))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
index f64b3dc24ab..71eceb4f051 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@@ -1 +1 @@
-DIST nss-3.117.tar.gz 76684970 BLAKE2B cf078cb1d48fbbf39e2661b6cdb9d610db3d0c13bcec68bacaf7cce8165cbf91229f9931008d1bfd28a561cc1fca994fbf3a174ddb7de2cf10ad4208926764a0 SHA512 12e6eaa67d290fc8146dee2d92017fd481e4969d556870ec4200aab8d2590efe63686ca9cca5cc1b95c7078cc0ab7f1e27e77de5a1a2b75c4f1f3b4b65c700fe
+DIST nss-3.118.1.tar.gz 77625759 BLAKE2B 6b2f8bf0707801755b95a863eccf62f6cc9a381bf23e543ba6cff1ad41608846aa4632de6e4b7bc93b005bc43af21e32ae932e1e598ce89c2857c40a236fed6f SHA512 c031b9e200832689c8c02ac3a8327f4d8c74cb10ad1f5cefb8c6a15a469e910e3ea7bacfa617ce4c46d6e77d5a174b1fac89508c94c96e7888ee1838471ab7cc
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.117.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.118.1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.117.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.118.1.ebuild
From d835933cbefb69a58181057fae38f2d27c165930 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Tue, 25 Nov 2025 07:06:07 +0000
Subject: [PATCH 088/213] sys-kernel/coreos-sources: Update from 6.12.58 to 6.12.59
Signed-off-by: Flatcar Buildbot
---
 changelog/updates/2025-11-25-linux-6.12.59-update.md | 1 +
 .../{hv-daemons-6.12.58.ebuild => hv-daemons-6.12.59.ebuild} | 0
 ...oreos-kernel-6.12.58.ebuild => coreos-kernel-6.12.59.ebuild} | 0
 ...eos-modules-6.12.58.ebuild => coreos-modules-6.12.59.ebuild} | 0
 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +-
 ...eos-sources-6.12.58.ebuild => coreos-sources-6.12.59.ebuild} | 0
 6 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog/updates/2025-11-25-linux-6.12.59-update.md
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.58.ebuild => hv-daemons-6.12.59.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.58.ebuild => coreos-kernel-6.12.59.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.58.ebuild => coreos-modules-6.12.59.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.58.ebuild => coreos-sources-6.12.59.ebuild} (100%)
diff --git a/changelog/updates/2025-11-25-linux-6.12.59-update.md b/changelog/updates/2025-11-25-linux-6.12.59-update.md
new file mode 100644
index 00000000000..1d2d9141bc6
--- /dev/null
+++ b/changelog/updates/2025-11-25-linux-6.12.59-update.md
@@ -0,0 +1 @@
+- Linux ([6.12.59](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.59))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.58.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.59.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.58.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.59.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.58.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.59.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.58.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.59.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.58.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.59.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.58.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.59.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 77c27fc312f..e4618731fc7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.58.xz 3286180 BLAKE2B 6a96368f7c0db35442897ef811f2601c985e61d87928be77c84dd460dd935cfc0562239ab88341877535a25e84d571fd50641560b2f9b496905c1f22403af183 SHA512 dcbe11090c4c2020b05ad3930cad292191608b953676158255679f56075639baf666eed7421f775218d06798dbc99a9816ccf31cdaf6ab09cdc9b022527ed79c +DIST patch-6.12.59.xz 3325064 BLAKE2B 9bd2f598b2884592a47fc021966c3c4bf2310d3cf2ccd6c730d4f4186d51676ae7a4363a48f0a0f59bb163ae374de620a0c0a7bfe0fd016f7a5774f7c9d44e19 SHA512 a97bba0f85260aedba917b43be968a36e594f9d9b8fea6b6eb7d72f0349e1329f0d9b18ba46d6f183f28d0f644040e1f82f78c3f5fe22b8e15aa49f22046b01d diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.58.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.59.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.58.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.59.ebuild From 4a0b66553f83574b782ebb01b69aa13cf2d1dda3 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 25 Nov 2025 14:15:58 +0000 Subject: [PATCH 089/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 479d3d511ca..b5e5aa8ac97 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-14077514e7a6d01831b759b4d493411acc8f7bc3 +ghcr.io/flatcar/mantle:git-7654ac0911c3e65b645025d2a98f36fc11a0d0af From cf0a3697ea204b41450b67f549f1fcfeadf6e392 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 27 Nov 2025 09:56:50 +0000 Subject: [PATCH 090/213] New version: beta-4459.1.1-nightly-20251127-0956 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index f1342b563d3..fb8a9fa49fe 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.1 -FLATCAR_VERSION_ID=4459.2.1 -FLATCAR_BUILD_ID="" +FLATCAR_VERSION=4459.1.1+nightly-20251127-0956 +FLATCAR_VERSION_ID=4459.1.1 +FLATCAR_BUILD_ID="nightly-20251127-0956" FLATCAR_SDK_VERSION=4459.0.0 From 9325d96ba2e3a9a8b0d0826c67963fa63af102ce Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 27 Nov 2025 21:00:26 +0000 Subject: [PATCH 091/213] New version: stable-4459.2.1-nightly-20251127-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index fb8a9fa49fe..d417dd62c88 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.1+nightly-20251127-0956 -FLATCAR_VERSION_ID=4459.1.1 -FLATCAR_BUILD_ID="nightly-20251127-0956" +FLATCAR_VERSION=4459.2.1+nightly-20251127-2100 +FLATCAR_VERSION_ID=4459.2.1 +FLATCAR_BUILD_ID="nightly-20251127-2100" FLATCAR_SDK_VERSION=4459.0.0 From a66839a10186daa4319599143424d64b57b9ed84 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 24 Nov 2025 15:21:19 +0100 Subject: [PATCH 092/213] changelog: add missing link 
Signed-off-by: Mathieu Tortuyaux --- changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md b/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md index da0e38ffc65..ba4f511e0ad 100644 --- a/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md +++ b/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md @@ -1 +1 @@ -- Fixed the loading of kernel modules from system extensions via udev (e.g. at boot time). +- Fixed the loading of kernel modules from system extensions via udev (e.g. at boot time). ([flatcar/scripts#3367](https://github.com/flatcar/scripts/pull/3367)) From 7795874c220b8d6d6163dbc0d70e2c4ff8256b21 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 24 Nov 2025 15:24:19 +0100 Subject: [PATCH 093/213] ci-automation: remove Equinix Metal testing After years of good services and sponsoring from Equinix Metal, we need to retire those tests for AMD64 / ARM64 bare metal instances. As Equinix Metal offering is still around until June 2026, let's continue to produce and release Flatcar images for any users still using those images but we won't test them as the Flatcar account won't be covered by sponsoring. Signed-off-by: Mathieu Tortuyaux --- ci-automation/ci-config.env | 20 ------ ci-automation/garbage_collect.sh | 1 - ci-automation/garbage_collect_cloud.sh | 2 - ci-automation/vendor-testing/equinix_metal.sh | 65 ------------------- 4 files changed, 88 deletions(-) delete mode 100755 ci-automation/vendor-testing/equinix_metal.sh diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index 441b021ecca..29c899d677a 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env 
@@ -81,26 +81,6 @@ QEMU_DEVCONTAINER_URL="${QEMU_DEVCONTAINER_URL:-}" QEMU_DEVCONTAINER_BINHOST_URL="${QEMU_DEVCONTAINER_BINHOST_URL:-}" QEMU_DEVCONTAINER_FILE="${QEMU_DEVCONTAINER_FILE:-}" -# -- Equinix Metal -- -EQUINIXMETAL_PARALLEL="${PARALLEL_TESTS:-4}" -# Metro is a set of Equinix Metal regions -EQUINIXMETAL_amd64_METRO="${EQUINIXMETAL_amd64_METRO:-SV}" -EQUINIXMETAL_arm64_METRO="${EQUINIXMETAL_arm64_METRO:-DC}" -# Name of the Equinix Metal image -EQUINIXMETAL_IMAGE_NAME="flatcar_production_packet_image.bin.bz2" -# Storage URL required to store user-data -EQUINIXMETAL_STORAGE_URL="${EQUINIXMETAL_STORAGE_URL:-gs://flatcar-jenkins/mantle/packet}" -# Equinix Metal default AMD64 instance type -EQUINIXMETAL_amd64_INSTANCE_TYPE="${EQUINIXMETAL_amd64_INSTANCE_TYPE:-c3.small.x86}" -# Space separated list of instance types. On those instances the -# cl.internet kola test will be run if this test is selected to run. -EQUINIXMETAL_amd64_MORE_INSTANCE_TYPES="m3.small.x86 c3.medium.x86 m3.large.x86 s3.xlarge.x86 n2.xlarge.x86" -# Equinix Metal default ARM64 instance type -EQUINIXMETAL_arm64_INSTANCE_TYPE="c3.large.arm" -# Space separated list of instance types. On those instances the -# cl.internet kola test will be run if this test is selected to run. -EQUINIXMETAL_arm64_MORE_INSTANCE_TYPES="" - # -- PXE -- PXE_KERNEL_NAME="flatcar_production_pxe.vmlinuz" PXE_IMAGE_NAME="flatcar_production_pxe_image.cpio.gz" diff --git a/ci-automation/garbage_collect.sh b/ci-automation/garbage_collect.sh index 058c0663816..44fcebb889d 100644 --- a/ci-automation/garbage_collect.sh +++ b/ci-automation/garbage_collect.sh @@ -258,7 +258,6 @@ function _garbage_collect_impl() { --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY \ --env AWS_CREDENTIALS \ --env DIGITALOCEAN_TOKEN_JSON \ - --env EQUINIXMETAL_KEY --env EQUINIXMETAL_PROJECT \ --env GCP_JSON_KEY \ --env VMWARE_ESX_CREDS \ --env BRIGHTBOX_CLIENT_ID --env BRIGHTBOX_CLIENT_SECRET \ 
diff --git a/ci-automation/garbage_collect_cloud.sh b/ci-automation/garbage_collect_cloud.sh index 12a2f0db5a7..78eb8d0735d 100755 --- a/ci-automation/garbage_collect_cloud.sh +++ b/ci-automation/garbage_collect_cloud.sh @@ -5,8 +5,6 @@ timeout --signal=SIGQUIT 60m ore aws gc --access-id "${AWS_ACCESS_KEY_ID}" --sec timeout --signal=SIGQUIT 60m ore do gc --config-file=<(echo "${DIGITALOCEAN_TOKEN_JSON}" | base64 --decode) timeout --signal=SIGQUIT 60m ore gcloud gc --json-key <(echo "${GCP_JSON_KEY}" | base64 --decode) timeout --signal=SIGQUIT 60m ore azure gc --duration 6h -timeout --signal=SIGQUIT 60m ore equinixmetal gc --duration 6h \ - --project="${EQUINIXMETAL_PROJECT}" --gs-json-key=<(echo "${GCP_JSON_KEY}" | base64 --decode) --api-key="${EQUINIXMETAL_KEY}" timeout --signal=SIGQUIT 60m ore brightbox gc --duration 6h \ --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}" timeout --signal=SIGQUIT 60m ore akamai gc --duration 6h \ diff --git a/ci-automation/vendor-testing/equinix_metal.sh b/ci-automation/vendor-testing/equinix_metal.sh deleted file mode 100755 index 376742e1336..00000000000 --- a/ci-automation/vendor-testing/equinix_metal.sh +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/bash -# Copyright (c) 2021 The Flatcar Maintainers. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -set -euo pipefail - -# Test execution script for the Equinix Metal vendor image. -# This script is supposed to run in the mantle container. -# This script requires the PXE images to be built. - -source ci-automation/vendor_test.sh - -# Equinix Metal ARM server are not yet hourly available in the default `SV` metro -equinixmetal_metro_var="EQUINIXMETAL_${CIA_ARCH}_METRO" -equinixmetal_metro="${!equinixmetal_metro_var}" - -EQUINIXMETAL_INSTANCE_TYPE_VAR="EQUINIXMETAL_${CIA_ARCH}_INSTANCE_TYPE" -EQUINIXMETAL_INSTANCE_TYPE="${!EQUINIXMETAL_INSTANCE_TYPE_VAR}" -MORE_INSTANCE_TYPES_VAR="EQUINIXMETAL_${CIA_ARCH}_MORE_INSTANCE_TYPES" -MORE_INSTANCE_TYPES=( ${!MORE_INSTANCE_TYPES_VAR} ) - -# The maximum is 6h coming from the ore GC duration parameter -timeout=6h - -BASE_URL="http://${BUILDCACHE_SERVER}/images/${CIA_ARCH}/${CIA_VERNUM}" - -run_kola_tests() { - local instance_type="${1}"; shift - local instance_tapfile="${1}"; shift - - timeout --signal=SIGQUIT "${timeout}" \ - kola run \ - --board="${CIA_ARCH}-usr" \ - --basename="ci-${CIA_VERNUM/+/-}-${CIA_ARCH}" \ - --platform=equinixmetal \ - --tapfile="${instance_tapfile}" \ - --parallel="${EQUINIXMETAL_PARALLEL}" \ - --equinixmetal-image-url="${BASE_URL}/${EQUINIXMETAL_IMAGE_NAME}" \ - --equinixmetal-installer-image-kernel-url="${BASE_URL}/${PXE_KERNEL_NAME}" \ - --equinixmetal-installer-image-cpio-url="${BASE_URL}/${PXE_IMAGE_NAME}" \ - --equinixmetal-metro="${equinixmetal_metro}" \ - --equinixmetal-plan="${instance_type}" \ - --equinixmetal-project="${EQUINIXMETAL_PROJECT}" \ - --equinixmetal-storage-url="${EQUINIXMETAL_STORAGE_URL}" \ - --gce-json-key=<(set +x; echo "${GCP_JSON_KEY}" | base64 --decode) \ - --equinixmetal-api-key="${EQUINIXMETAL_KEY}" \ - --image-version "${CIA_VERNUM}" \ - "${@}" -} - -query_kola_tests() { - shift; # 
ignore the instance type - kola list --platform=equinixmetal --filter "${@}" -} - -run_kola_tests_on_instances \ - "${EQUINIXMETAL_INSTANCE_TYPE}" \ - "${CIA_TAPFILE}" \ - "${CIA_FIRST_RUN}" \ - "${MORE_INSTANCE_TYPES[@]}" \ - '--' \ - 'cl.internet' \ - '--' \ - "${@}" From 49cfcad6ef61642779810ba9d6c13dba2b89a331 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 28 Nov 2025 12:34:24 +0000 Subject: [PATCH 094/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index b5e5aa8ac97..2151b7627cb 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-7654ac0911c3e65b645025d2a98f36fc11a0d0af +ghcr.io/flatcar/mantle:git-82cb0035c8555c3a4e83a62373b35b73ddc7d3bf From f05d8460d003d3e823c307ca143e68e2613b57d3 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Fri, 28 Nov 2025 21:00:31 +0000 Subject: [PATCH 095/213] New version: beta-4459.1.2-nightly-20251128-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index d417dd62c88..16115f8ffeb 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.1+nightly-20251127-2100 -FLATCAR_VERSION_ID=4459.2.1 -FLATCAR_BUILD_ID="nightly-20251127-2100" +FLATCAR_VERSION=4459.1.2+nightly-20251128-2100 +FLATCAR_VERSION_ID=4459.1.2 +FLATCAR_BUILD_ID="nightly-20251128-2100" FLATCAR_SDK_VERSION=4459.0.0 From d0cf11fbbb0522e072ad9194996a27c6633935fc Mon Sep 17 00:00:00 2001 
From: Flatcar Buildbot Date: Mon, 1 Dec 2025 21:00:53 +0000 Subject: [PATCH 096/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 2151b7627cb..587105409be 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-82cb0035c8555c3a4e83a62373b35b73ddc7d3bf +ghcr.io/flatcar/mantle:git-c4e298d8328977f03869d2f73ddd4c61cc836a0d From 2664bf5ba8b711a3b097ca51fb0ffa692b02cdb4 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 2 Dec 2025 07:06:55 +0000 Subject: [PATCH 097/213] sys-kernel/coreos-sources: Update from 6.12.59 to 6.12.60 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-12-02-linux-6.12.60-update.md | 1 + .../{hv-daemons-6.12.59.ebuild => hv-daemons-6.12.60.ebuild} | 0 ...oreos-kernel-6.12.59.ebuild => coreos-kernel-6.12.60.ebuild} | 0 ...eos-modules-6.12.59.ebuild => coreos-modules-6.12.60.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.59.ebuild => coreos-sources-6.12.60.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-12-02-linux-6.12.60-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.59.ebuild => hv-daemons-6.12.60.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.59.ebuild => coreos-kernel-6.12.60.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.59.ebuild => coreos-modules-6.12.60.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.59.ebuild => coreos-sources-6.12.60.ebuild} (100%) diff --git a/changelog/updates/2025-12-02-linux-6.12.60-update.md b/changelog/updates/2025-12-02-linux-6.12.60-update.md new file mode 100644 index 00000000000..67d75e8da14 --- /dev/null +++ b/changelog/updates/2025-12-02-linux-6.12.60-update.md @@ -0,0 +1 @@ +- Linux ([6.12.60](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.60)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.59.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.60.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.59.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.60.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.59.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.60.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.59.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.60.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.59.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.60.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.59.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.60.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index e4618731fc7..ba68cf08ce4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.59.xz 3325064 BLAKE2B 9bd2f598b2884592a47fc021966c3c4bf2310d3cf2ccd6c730d4f4186d51676ae7a4363a48f0a0f59bb163ae374de620a0c0a7bfe0fd016f7a5774f7c9d44e19 SHA512 a97bba0f85260aedba917b43be968a36e594f9d9b8fea6b6eb7d72f0349e1329f0d9b18ba46d6f183f28d0f644040e1f82f78c3f5fe22b8e15aa49f22046b01d +DIST patch-6.12.60.xz 3340176 BLAKE2B 4bba3b136922e2e60bc7565112938abef76e18c84729969f2868caf43bf3afaf8c20d2e600a1e2cf987551c83a233367dca6a0254cf8637cc134960ba2618a4f SHA512 fdd7dce9736c87bb25b966091c133ef37bf257ffc34c1909e6809fa674b2047cba801f8b6430b3087a1569326e9d8d9b41bda914ee186f5d8d65c3df4d8f3777 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.59.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.60.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.59.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.60.ebuild From 1673dc6e70c031261878cff9ec5f5d586dc38f75 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 2 Dec 2025 21:00:30 +0000 Subject: [PATCH 098/213] New version: beta-4459.1.2-nightly-20251202-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 16115f8ffeb..1c8d5878cd8 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.2+nightly-20251128-2100 +FLATCAR_VERSION=4459.1.2+nightly-20251202-2100 FLATCAR_VERSION_ID=4459.1.2 -FLATCAR_BUILD_ID="nightly-20251128-2100" +FLATCAR_BUILD_ID="nightly-20251202-2100" FLATCAR_SDK_VERSION=4459.0.0 From c69f65858e48180caecb33220eacd4ec50d796de Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 3 Dec 2025 21:00:28 +0000 Subject: [PATCH 099/213] New version: beta-4459.1.2-nightly-20251203-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 1c8d5878cd8..986804613c1 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.2+nightly-20251202-2100 +FLATCAR_VERSION=4459.1.2+nightly-20251203-2100 FLATCAR_VERSION_ID=4459.1.2 -FLATCAR_BUILD_ID="nightly-20251202-2100" +FLATCAR_BUILD_ID="nightly-20251203-2100" FLATCAR_SDK_VERSION=4459.0.0 From 50829932618f9272f691202aee09d84f40518add Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 4 Dec 2025 21:00:29 +0000 Subject: [PATCH 100/213] New version: stable-4459.2.1-nightly-20251204-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 986804613c1..c0fdd0a8c3a 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.2+nightly-20251203-2100 -FLATCAR_VERSION_ID=4459.1.2 -FLATCAR_BUILD_ID="nightly-20251203-2100" +FLATCAR_VERSION=4459.2.1+nightly-20251204-2100 +FLATCAR_VERSION_ID=4459.2.1 +FLATCAR_BUILD_ID="nightly-20251204-2100" FLATCAR_SDK_VERSION=4459.0.0 From c827613ee0519f6a089e28e6f37c87147a4599b5 Mon Sep 17 00:00:00 2001 
From: Flatcar Buildbot Date: Sun, 7 Dec 2025 07:05:36 +0000 Subject: [PATCH 101/213] sys-kernel/coreos-sources: Update from 6.12.60 to 6.12.61 Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-12-07-linux-6.12.61-update.md | 1 + .../{hv-daemons-6.12.60.ebuild => hv-daemons-6.12.61.ebuild} | 0 ...oreos-kernel-6.12.60.ebuild => coreos-kernel-6.12.61.ebuild} | 0 ...eos-modules-6.12.60.ebuild => coreos-modules-6.12.61.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.60.ebuild => coreos-sources-6.12.61.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-12-07-linux-6.12.61-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.60.ebuild => hv-daemons-6.12.61.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.60.ebuild => coreos-kernel-6.12.61.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.60.ebuild => coreos-modules-6.12.61.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.60.ebuild => coreos-sources-6.12.61.ebuild} (100%) diff --git a/changelog/updates/2025-12-07-linux-6.12.61-update.md b/changelog/updates/2025-12-07-linux-6.12.61-update.md new file mode 100644 index 00000000000..2ee29616433 --- /dev/null +++ b/changelog/updates/2025-12-07-linux-6.12.61-update.md @@ -0,0 +1 @@ +- Linux ([6.12.61](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.61)) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.60.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.61.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.60.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.61.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.60.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.61.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.60.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.61.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.60.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.61.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.60.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.61.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index ba68cf08ce4..c3b7c480800 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.60.xz 3340176 BLAKE2B 4bba3b136922e2e60bc7565112938abef76e18c84729969f2868caf43bf3afaf8c20d2e600a1e2cf987551c83a233367dca6a0254cf8637cc134960ba2618a4f SHA512 fdd7dce9736c87bb25b966091c133ef37bf257ffc34c1909e6809fa674b2047cba801f8b6430b3087a1569326e9d8d9b41bda914ee186f5d8d65c3df4d8f3777 +DIST patch-6.12.61.xz 3501360 BLAKE2B 4863a9677f889e9cfb200617299e3016d24000c383300e6d6382c0e190f5eb12ec4d3523a229086ccde13c0e36b4e6bdd972bdd94d238e7cd8e2a0d4b98a09ac SHA512 c13f0b5e6c5591582187b54236cf981a5214904ccbc309e94e996b048283d7f301f2ab38fc9c584ad6c2c9ec0dd94f73bb099d64c4e31514787fec975dc0818a diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.60.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.61.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.60.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.61.ebuild From 1e71f84e99851b0e554b94a5e4e51778dcb9f731 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 8 Dec 2025 07:13:16 +0000 Subject: [PATCH 102/213] app-misc/ca-certificates: Update from 3.118 to 3.119 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-12-08-ca-certificates-3.119-update.md | 1 + .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +- ...certificates-3.118.1.ebuild => ca-certificates-3.119.ebuild} | 0 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-12-08-ca-certificates-3.119-update.md rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.118.1.ebuild => ca-certificates-3.119.ebuild} (100%) diff --git a/changelog/updates/2025-12-08-ca-certificates-3.119-update.md b/changelog/updates/2025-12-08-ca-certificates-3.119-update.md new file mode 100644 index 00000000000..1efcd3c3423 --- /dev/null +++ b/changelog/updates/2025-12-08-ca-certificates-3.119-update.md @@ -0,0 +1 @@ +- ca-certificates ([3.119](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest index 71eceb4f051..26a6180296f 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest @@ -1 +1 @@ -DIST nss-3.118.1.tar.gz 77625759 BLAKE2B 6b2f8bf0707801755b95a863eccf62f6cc9a381bf23e543ba6cff1ad41608846aa4632de6e4b7bc93b005bc43af21e32ae932e1e598ce89c2857c40a236fed6f SHA512 c031b9e200832689c8c02ac3a8327f4d8c74cb10ad1f5cefb8c6a15a469e910e3ea7bacfa617ce4c46d6e77d5a174b1fac89508c94c96e7888ee1838471ab7cc +DIST nss-3.119.tar.gz 77633205 BLAKE2B 65a90414c0affbe3a814f26f8223f9f175a39082ae1f59699068953e9de3b9ab1bc23b28654978c5c6087310461de53df24753a8e9ef2978bbb562436799df62 SHA512 f2dc601bf6070c493e7577f4fc5d329fdefe6b1cd09e88680b39f0cd6181bbfdce4eedb67d5c612a13f7ad1e57c8de81b366b6565f9353442b4443e041df26b3 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.118.1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.119.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.118.1.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.119.ebuild From dee434d2ffc67c5a1618685075d33626f0acc38f Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 10 Dec 2025 08:49:46 +0000 Subject: [PATCH 103/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 587105409be..10cb8fc1e8f 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-c4e298d8328977f03869d2f73ddd4c61cc836a0d +ghcr.io/flatcar/mantle:git-ca6c57aefdb2655ee17e364e6f4f30540d41af46 From 747ec9c2b2db1c969837b82b2c31353c16d787f9 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 10 Dec 2025 16:29:54 +0000 Subject: [PATCH 104/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 10cb8fc1e8f..29573130ba1 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-ca6c57aefdb2655ee17e364e6f4f30540d41af46 +ghcr.io/flatcar/mantle:git-cd81c65e3e8dadb0ba7e0e71da432ee2c342a035 
From fca70e4ff596f0eb58a3c9c7843892c30d93b45d Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 10 Dec 2025 21:00:28 +0000 Subject: [PATCH 105/213] New version: stable-4459.2.1-nightly-20251210-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index c0fdd0a8c3a..a3cffff623e 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.1+nightly-20251204-2100 +FLATCAR_VERSION=4459.2.1+nightly-20251210-2100 FLATCAR_VERSION_ID=4459.2.1 -FLATCAR_BUILD_ID="nightly-20251204-2100" +FLATCAR_BUILD_ID="nightly-20251210-2100" FLATCAR_SDK_VERSION=4459.0.0 From 78afe10dfbfa0d08be9a2b62eed6933d60e9fba1 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 11 Dec 2025 10:54:02 +0000 Subject: [PATCH 106/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 29573130ba1..db6a2c240d6 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-cd81c65e3e8dadb0ba7e0e71da432ee2c342a035 +ghcr.io/flatcar/mantle:git-bed79eb716792cbd6f79301f515bafcdb59ee93d From ed8c71287157c817968dbe9ec5868eb3f19a89da Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Tue, 19 Aug 2025 10:32:16 +0200 Subject: [PATCH 107/213] Add STACKIT Signed-off-by: Robin Schneider 
Signed-off-by: Mathieu Tortuyaux --- ci-automation/ci-config.env | 8 ++++ ci-automation/garbage_collect.sh | 1 + ci-automation/garbage_collect_cloud.sh | 2 + ci-automation/vendor-testing/stackit.sh | 50 +++++++++++++++++++++++++ 4 files changed, 61 insertions(+) create mode 100755 ci-automation/vendor-testing/stackit.sh diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index 29c899d677a..50b6afbdb82 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env @@ -158,3 +158,11 @@ HETZNER_PARALLEL="${PARALLEL_TESTS:-1}" AKAMAI_PARALLEL="${PARALLEL_TESTS:-1}" AKAMAI_REGION="us-ord" AKAMAI_INSTANCE_TYPE="g6-standard-2" + +# -- STACKIT -- +STACKIT_PARALLEL="${PARALLEL_TESTS:-1}" +STACKIT_IMAGE_NAME="flatcar_production_stackit_image.img" +: ${STACKIT_amd64_INSTANCE_TYPE:="c2i.8"} +: ${STACKIT_arm64_INSTANCE_TYPE:="g1r.4d"} +: ${STACKIT_arm64_LOCATION:="eu01-2"} +: ${STACKIT_amd64_LOCATION:="eu01-2"} diff --git a/ci-automation/garbage_collect.sh b/ci-automation/garbage_collect.sh index 44fcebb889d..fdc168ae1f7 100644 --- a/ci-automation/garbage_collect.sh +++ b/ci-automation/garbage_collect.sh @@ -262,6 +262,7 @@ function _garbage_collect_impl() { --env VMWARE_ESX_CREDS \ --env BRIGHTBOX_CLIENT_ID --env BRIGHTBOX_CLIENT_SECRET \ --env AKAMAI_TOKEN \ + --env STACKIT_SERVICE_ACCOUNT \ -w /work -v "$PWD":/work "${mantle_ref}" /work/ci-automation/garbage_collect_cloud.sh echo diff --git a/ci-automation/garbage_collect_cloud.sh b/ci-automation/garbage_collect_cloud.sh index 78eb8d0735d..94c75ca16f5 100755 --- a/ci-automation/garbage_collect_cloud.sh +++ b/ci-automation/garbage_collect_cloud.sh 
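Review bot: The four STACKIT defaults are set with an unquoted `: ${VAR:="value"}`, which differs from the `VAR="${VAR:-default}"` form used for other overridable settings in ci-config.env (for example `QEMU_DEVCONTAINER_FILE="${QEMU_DEVCONTAINER_FILE:-}"`). The unquoted form also leaves the expansion handed to `:` open to word splitting and globbing if an override ever contains spaces or wildcards. Writing them as `STACKIT_amd64_INSTANCE_TYPE="${STACKIT_amd64_INSTANCE_TYPE:-c2i.8}"`, and likewise for the arm64 type and the two `_LOCATION` values, keeps the file uniform. A one-line comment on what `eu01-2` denotes would also help, since the variable is named LOCATION but stackit.sh passes it as `--stackit-availability-zone`.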
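Review bot: Only `STACKIT_SERVICE_ACCOUNT` is forwarded into the mantle container here, and the `ore stackit gc` call added in garbage_collect_cloud.sh passes no `--stackit-project-id`. stackit.sh in the same commit gives that flag to both `ore stackit … create-image` and `kola run`. Whether gc needs the project, or would otherwise act on everything the service account can reach, cannot be confirmed from the hunks shown. If it does, consider adding `--env STACKIT_PROJECT_ID \` here and `--stackit-project-id="${STACKIT_PROJECT_ID}"` to the gc call, so cleanup is scoped to the test project. `_garbage_collect_impl` starts and ends outside this hunk.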
@@ -9,6 +9,8 @@ timeout --signal=SIGQUIT 60m ore brightbox gc --duration 6h \
 --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}"
 timeout --signal=SIGQUIT 60m ore akamai gc --duration 6h \
 --akamai-token="${AKAMAI_TOKEN}"
+timeout --signal=SIGQUIT 60m ore stackit gc --duration 6h \
+ --stackit-service-account-key-path=<(echo "${STACKIT_SERVICE_ACCOUNT}" | base64 --decode)
 secret_to_file aws_credentials_config_file "${AWS_CREDENTIALS}"
 for channel in alpha beta stable lts; do
 for arch in amd64 arm64; do
diff --git a/ci-automation/vendor-testing/stackit.sh b/ci-automation/vendor-testing/stackit.sh
new file mode 100755
index 00000000000..ea8c30e31bb
--- /dev/null
+++ b/ci-automation/vendor-testing/stackit.sh
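Review bot: The added `ore stackit gc` call decodes the key inside a process substitution, and bash never reports the exit status of a process substitution, so an unset or malformed `STACKIT_SERVICE_ACCOUNT` reaches `ore` as an empty key file instead of stopping with a clear message. A guard before the call would make that failure explicit: `: "${STACKIT_SERVICE_ACCOUNT:?STACKIT_SERVICE_ACCOUNT is not set}"`. The call also passes no `--stackit-project-id`, while the `ore stackit create-image` call in stackit.sh does, and the garbage_collect.sh hunk forwards only `STACKIT_SERVICE_ACCOUNT` into the container. If `ore stackit gc` needs the project, both the flag and `--env STACKIT_PROJECT_ID` are missing, which is worth confirming. The script continues past the end of this hunk, so whether a failing STACKIT gc would skip the AWS cleanup below it cannot be judged from here.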
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Copyright (c) 2025 The Flatcar Maintainers.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -euo pipefail
+
+# Test execution script for STACKIT vendor.
+# This script is supposed to run in the mantle container.
+
+source ci-automation/vendor_test.sh
+
+stackit_instance_type_var="STACKIT_${CIA_ARCH}_INSTANCE_TYPE"
+stackit_instance_type="${!stackit_instance_type_var}"
+
+stackit_location_var="STACKIT_${CIA_ARCH}_LOCATION"
+stackit_location="${!stackit_location_var}"
+
+copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${STACKIT_IMAGE_NAME}" .
+
+kola_test_basename="ci-${CIA_VERNUM//[+.]/-}"
+
+# Upload the image on STACKIT.
+IMAGE_ID=$(ore stackit \
+ --stackit-service-account-key-path=<(echo "${STACKIT_SERVICE_ACCOUNT}" | base64 --decode) \
+ --stackit-project-id="${STACKIT_PROJECT_ID}" \
+ create-image \
+ --board "${CIA_ARCH}-usr" \
+ --name "${kola_test_basename}" \
+ --file="${STACKIT_IMAGE_NAME}"
+)
+
+set -x
+
+timeout --signal=SIGQUIT 2h kola run \
+ --board="${CIA_ARCH}-usr" \
+ --parallel="${STACKIT_PARALLEL}" \
+ --tapfile="${CIA_TAPFILE}" \
+ --channel="${CIA_CHANNEL}" \
+ --basename="${kola_test_basename}" \
+ --platform=stackit \
+ --stackit-service-account-key-path=<(echo "${STACKIT_SERVICE_ACCOUNT}" | base64 --decode) \
+ --stackit-project-id="${STACKIT_PROJECT_ID}" \
+ --stackit-image-id="${IMAGE_ID}" \
+ --stackit-type="${stackit_instance_type}" \
+ --stackit-availability-zone="${stackit_location}" \
+ --image-version "${CIA_VERNUM}" \
+ "${@}"
+
+set +x
From f704fbc693f76b891c802cd3b68277f23fac5bd4 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 11 Dec 2025 21:00:27 +0000 Subject: [PATCH 108/213] New version: stable-4459.2.1-nightly-20251211-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
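Review bot: `set -x` is switched on just before the `kola run` call, which expands `<(echo "${STACKIT_SERVICE_ACCOUNT}" | base64 --decode)`. Bash traces commands inside a process substitution as well, so the `echo` line with the base64-encoded service-account key most likely ends up in the CI job log. Turning tracing off inside the substitution keeps the useful trace of the `kola` command line without the secret: `--stackit-service-account-key-path=<(set +x; echo "${STACKIT_SERVICE_ACCOUNT}" | base64 --decode) \`. The earlier `create-image` call runs before `set -x` and is not affected. Separately, nothing in the script deletes the uploaded image `${IMAGE_ID}` after the run, so cleanup appears to rely on the `ore stackit gc --duration 6h` job added to garbage_collect_cloud.sh.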
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index a3cffff623e..2647db1a235 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.1+nightly-20251210-2100 +FLATCAR_VERSION=4459.2.1+nightly-20251211-2100 FLATCAR_VERSION_ID=4459.2.1 -FLATCAR_BUILD_ID="nightly-20251210-2100" +FLATCAR_BUILD_ID="nightly-20251211-2100" FLATCAR_SDK_VERSION=4459.0.0 From 37d153f89842d05c0627a78f366cc38f11a9b6a6 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 11 Dec 2025 21:00:34 +0000 Subject: [PATCH 109/213] New version: beta-4459.1.2-nightly-20251211-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 2647db1a235..1cb75840303 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.1+nightly-20251211-2100 -FLATCAR_VERSION_ID=4459.2.1 +FLATCAR_VERSION=4459.1.2+nightly-20251211-2100 +FLATCAR_VERSION_ID=4459.1.2 FLATCAR_BUILD_ID="nightly-20251211-2100" FLATCAR_SDK_VERSION=4459.0.0 From 76bbb21ee41770520e4e1504caae15ae9ee276d4 Mon Sep 17 00:00:00 2001 From: Jan Bronicki Date: Fri, 12 Dec 2025 14:54:20 +0100 Subject: [PATCH 110/213] New version: stable-4459.2.2 Signed-off-by: Jan Bronicki --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 1cb75840303..efe585a515c 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.2+nightly-20251211-2100 -FLATCAR_VERSION_ID=4459.1.2 -FLATCAR_BUILD_ID="nightly-20251211-2100" +FLATCAR_VERSION=4459.2.2 +FLATCAR_VERSION_ID=4459.2.2 +FLATCAR_BUILD_ID="" FLATCAR_SDK_VERSION=4459.0.0 From 9f8aaa16341c126a10a40d2363919f65bc8997a5 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Sat, 13 Dec 2025 07:06:00 +0000 Subject: [PATCH 111/213] sys-kernel/coreos-sources: Update from 6.12.61 to 6.12.62 Signed-off-by: Flatcar Buildbot --- changelog/updates/2025-12-13-linux-6.12.62-update.md | 1 + .../{hv-daemons-6.12.61.ebuild => hv-daemons-6.12.62.ebuild} | 0 ...oreos-kernel-6.12.61.ebuild => coreos-kernel-6.12.62.ebuild} | 0 ...eos-modules-6.12.61.ebuild => coreos-modules-6.12.62.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.61.ebuild => coreos-sources-6.12.62.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-12-13-linux-6.12.62-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.61.ebuild => hv-daemons-6.12.62.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.61.ebuild => coreos-kernel-6.12.62.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.61.ebuild => coreos-modules-6.12.62.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.61.ebuild => coreos-sources-6.12.62.ebuild} (100%) diff --git a/changelog/updates/2025-12-13-linux-6.12.62-update.md b/changelog/updates/2025-12-13-linux-6.12.62-update.md new file mode 100644 index 00000000000..dc33be703fc --- /dev/null +++ b/changelog/updates/2025-12-13-linux-6.12.62-update.md @@ -0,0 +1 @@ +- Linux ([6.12.62](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.62)) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.61.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.61.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.61.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.61.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.61.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.62.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.61.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.62.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index c3b7c480800..6ac6e1a5888 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.61.xz 3501360 BLAKE2B 4863a9677f889e9cfb200617299e3016d24000c383300e6d6382c0e190f5eb12ec4d3523a229086ccde13c0e36b4e6bdd972bdd94d238e7cd8e2a0d4b98a09ac SHA512 c13f0b5e6c5591582187b54236cf981a5214904ccbc309e94e996b048283d7f301f2ab38fc9c584ad6c2c9ec0dd94f73bb099d64c4e31514787fec975dc0818a +DIST patch-6.12.62.xz 3513124 BLAKE2B 26859581d5f20c3e06fb97677919fc8ca3038309cddc1ff042b8467088dbfae463c3e2ae9ccfb57b97079fd80342a10009b8fed0faaa1e2872988898e8a23b69 SHA512 44cbe57f40584e5ac3577c8d2820e81e9d8da225e9ba158f160421cc139f4a21e5af4064b2810c0c2f2b92aa9d3c4ca5be2d5e63cb4a150e2cdb882e4f4b6557 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.61.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.62.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.61.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.62.ebuild From 96a734ec085ec7081ab4ea3af1dc23bbb5240612 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 15 Dec 2025 21:00:46 +0000 Subject: [PATCH 112/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index db6a2c240d6..feb83e80cb1 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-bed79eb716792cbd6f79301f515bafcdb59ee93d +ghcr.io/flatcar/mantle:git-6610630deab5366a448ac855f178f4f611e88e38 From 6a40a86c196d25ab5b6c5a751bdc1bd36a7eaab9 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 16 Dec 2025 21:00:25 +0000 Subject: [PATCH 113/213] New version: stable-4459.2.1-nightly-20251216-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index efe585a515c..b179eb935ce 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2 -FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="" +FLATCAR_VERSION=4459.2.1+nightly-20251216-2100 +FLATCAR_VERSION_ID=4459.2.1 +FLATCAR_BUILD_ID="nightly-20251216-2100" FLATCAR_SDK_VERSION=4459.0.0 From acc684acc9122172263039a6fa50202a941e58be Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 16 Dec 2025 21:00:30 +0000 Subject: [PATCH 114/213] New version: beta-4459.1.2-nightly-20251216-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index b179eb935ce..705fe336d06 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.1+nightly-20251216-2100 -FLATCAR_VERSION_ID=4459.2.1 +FLATCAR_VERSION=4459.1.2+nightly-20251216-2100 +FLATCAR_VERSION_ID=4459.1.2 FLATCAR_BUILD_ID="nightly-20251216-2100" FLATCAR_SDK_VERSION=4459.0.0 From 6fdb33ddc8b8c23766f540bf887741140f162bd1 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 17 Dec 2025 14:47:24 +0000 Subject: [PATCH 115/213] Update mantle container image to latest HEAD 
Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index feb83e80cb1..0b60cc829c5 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-6610630deab5366a448ac855f178f4f611e88e38 +ghcr.io/flatcar/mantle:git-188e64dfaa2d0d49f336eb5d66773b20a345336b From 74088868593e7d2a96ab88239bd6c508e40ca60c Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Wed, 17 Dec 2025 12:38:25 +0100 Subject: [PATCH 116/213] ci-automation: fix broken result indicators in test reports The CI automation test report library used embedded images to indicate test success / failures. The URL these images were referenced from has gone AWOL some time ago, resulting in ugly "missing image" references in test reports. This change updates the test result indicator code to only use emojis. Signed-off-by: Thilo Fromm --- ci-automation/tapfile_helper_lib.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ci-automation/tapfile_helper_lib.sh b/ci-automation/tapfile_helper_lib.sh index a96f715143f..49867ebf327 100644 --- a/ci-automation/tapfile_helper_lib.sh +++ b/ci-automation/tapfile_helper_lib.sh 
@@ -279,18 +279,18 @@ __md_print_test_verdict() { local failed_vendors="$4" - v="![${verdict}](https://via.placeholder.com/50x20/00ff00/000000?text=PASS)" + v="🟢 ${verdict}" if [ "${verdict}" = "not ok" ] ; then - v="![${verdict}](https://via.placeholder.com/50x20/ff0000/ffffff?text=FAIL)" + v="❌ ${verdict}" fi echo echo -n "${v} **${name}**" if [ -n "${succeded_vendors}" ] ; then - echo -n " 🟢 Succeeded: ${succeded_vendors}" + echo -n "; Succeeded: ${succeded_vendors}" fi if [ -n "${failed_vendors}" ] ; then - echo -n " ❌ Failed: ${failed_vendors}" + echo -n "; Failed: ${failed_vendors}" fi echo if [ "${verdict}" = "not ok" ] \ From 90e5ada06aa5088689af92e2f4b6b5b9aa788193 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 17 Dec 2025 21:00:24 +0000 Subject: [PATCH 117/213] New version: beta-4459.1.2-nightly-20251217-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 705fe336d06..ec0e44aeeff 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.2+nightly-20251216-2100 +FLATCAR_VERSION=4459.1.2+nightly-20251217-2100 FLATCAR_VERSION_ID=4459.1.2 -FLATCAR_BUILD_ID="nightly-20251216-2100" +FLATCAR_BUILD_ID="nightly-20251217-2100" FLATCAR_SDK_VERSION=4459.0.0 From 06885d8b0bee77bfb9465fd3465aafad5a188155 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 18 Dec 2025 09:32:26 +0000 Subject: [PATCH 118/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 0b60cc829c5..84f015664d5 100644 --- a/sdk_container/.repo/manifests/mantle-container 
+++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-188e64dfaa2d0d49f336eb5d66773b20a345336b +ghcr.io/flatcar/mantle:git-ca15fced3c5ce28bfdfce8965a271da8f18ea333 From c1e8523a441215f44971a98c91d07b93bccc514d Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Thu, 18 Dec 2025 09:36:28 +0100 Subject: [PATCH 119/213] Use a less powerful machine for amd64 tests Signed-off-by: Robin Schneider Signed-off-by: Mathieu Tortuyaux --- ci-automation/ci-config.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index 50b6afbdb82..f8e8fe3a9e3 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env @@ -162,7 +162,7 @@ AKAMAI_INSTANCE_TYPE="g6-standard-2" # -- STACKIT -- STACKIT_PARALLEL="${PARALLEL_TESTS:-1}" STACKIT_IMAGE_NAME="flatcar_production_stackit_image.img" -: ${STACKIT_amd64_INSTANCE_TYPE:="c2i.8"} +: ${STACKIT_amd64_INSTANCE_TYPE:="c2i.2"} : ${STACKIT_arm64_INSTANCE_TYPE:="g1r.4d"} : ${STACKIT_arm64_LOCATION:="eu01-2"} : ${STACKIT_amd64_LOCATION:="eu01-2"} From 4cca7039829936441fdf7d7463927b8e8dfb1ad1 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 18 Dec 2025 12:01:54 +0000 Subject: [PATCH 120/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 84f015664d5..c1b38e87a74 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-ca15fced3c5ce28bfdfce8965a271da8f18ea333 +ghcr.io/flatcar/mantle:git-ab9b14c14d84a20ccd96078fa3041ce735953288 From 005c7c17e85851a45859cce7923787845012bcf8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Julian=20T=C3=B6lle?= Date: Fri, 7 Nov 2025 16:09:45 +0100 Subject: [PATCH 121/213] scripts: update hetzner amd64 instance type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The currently used server type (`cpx11`) was deprecated and will be removed on 2026-01-01. - https://www.hetzner.com/news/new-cloud-plans/ - https://docs.hetzner.cloud/changelog#2025-10-16-new-server-types-with-categories - https://docs.hetzner.cloud/changelog#2025-10-16-server-types-deprecated Signed-off-by: Julian Tölle Signed-off-by: Mathieu Tortuyaux --- ci-automation/ci-config.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index f8e8fe3a9e3..f54c7d2cda8 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env @@ -147,7 +147,7 @@ BRIGHTBOX_PARALLEL="${PARALLEL_TESTS:-1}" # -- Hetzner -- : ${HETZNER_IMAGE_NAME:='flatcar_production_hetzner_image.bin.bz2'} -: ${HETZNER_amd64_INSTANCE_TYPE:="cpx11"} +: ${HETZNER_amd64_INSTANCE_TYPE:="cpx22"} : ${HETZNER_arm64_INSTANCE_TYPE:="cax11"} : ${HETZNER_arm64_LOCATION:="fsn1"} : ${HETZNER_amd64_LOCATION:="hel1"} From bdf8c0d74d3a82f3fe7f8ffbec598507764c26c8 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 18 Dec 2025 21:00:23 +0000 Subject: [PATCH 122/213] New version: stable-4459.2.2-nightly-20251218-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index ec0e44aeeff..e1013269a40 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.1.2+nightly-20251217-2100 -FLATCAR_VERSION_ID=4459.1.2 -FLATCAR_BUILD_ID="nightly-20251217-2100" +FLATCAR_VERSION=4459.2.2+nightly-20251218-2100 +FLATCAR_VERSION_ID=4459.2.2 +FLATCAR_BUILD_ID="nightly-20251218-2100" FLATCAR_SDK_VERSION=4459.0.0 From 0fa37e43e3454f00262580f9cac139d4ad2c8b60 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Fri, 19 Dec 2025 17:53:53 +0900 Subject: [PATCH 123/213] coreos-base/coreos-init: Add noop systemd-sysupdate transfer config This pulls in https://github.com/flatcar/init/pull/139 as workaround for https://github.com/flatcar/flatcar/issues/1979 and should be backported to Alpha/Beta. Signed-off-by: Kai Lueke --- .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index 7aa0ec4bd4b..54b75bb7a0e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -8,7 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="8bd8a82fb22bc46ea2cf7da94d58655e102ca26d" # flatcar-master + EGIT_COMMIT="860090d932a0bcdf71a73619f270845a06b64af0" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi From 64f1760d3d1ba5033b0b45fe70feafdaf236bc1f Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Fri, 19 Dec 2025 18:16:27 +0900 Subject: [PATCH 124/213] coreos-base/coreos-init: Use backport branch for sysupdate noop This pulls in a change to use the old .conf extension instead of .transfer. Signed-off-by: Kai Lueke --- .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index 54b75bb7a0e..5d0d1b6665e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -8,7 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="860090d932a0bcdf71a73619f270845a06b64af0" # flatcar-master + EGIT_COMMIT="e4a70e49b97fbcc427f8e2bea5f8406c10bebeac" # flatcar-4081 KEYWORDS="amd64 arm arm64 x86" fi From 59fac6347ffce169ad42e124cd72a65157d10094 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Fri, 19 Dec 2025 18:23:11 +0900 Subject: [PATCH 125/213] coreos-base/coreos-init: Use separate backport branch LTS already has flatcar-4081-backport but we can't share it because it's older. Create an explicit backport branch for Stable. Signed-off-by: Kai Lueke --- .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index 5d0d1b6665e..5279bbaa9af 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -8,7 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="e4a70e49b97fbcc427f8e2bea5f8406c10bebeac" # flatcar-4081 + EGIT_COMMIT="e4a70e49b97fbcc427f8e2bea5f8406c10bebeac" # flatcar-4459-backport KEYWORDS="amd64 arm arm64 x86" fi 
From 2b114deca298f3ae5b01867d53716710db9f6116 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Fri, 19 Dec 2025 21:00:24 +0000 Subject: [PATCH 126/213] New version: stable-4459.2.2-nightly-20251219-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index e1013269a40..562c6d4f2c3 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20251218-2100 +FLATCAR_VERSION=4459.2.2+nightly-20251219-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20251218-2100" +FLATCAR_BUILD_ID="nightly-20251219-2100" FLATCAR_SDK_VERSION=4459.0.0 From 03b816b992098f70f98fac80a7e347bd81f8245a Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 22 Dec 2025 11:26:06 +0000 Subject: [PATCH 127/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index c1b38e87a74..0543e277ca0 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-ab9b14c14d84a20ccd96078fa3041ce735953288 +ghcr.io/flatcar/mantle:git-8b11316ccfb0a772f133392954e1ef548e34f984 From 6cafeaad54da47523ad581cca80cd9e152327a35 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 22 Dec 2025 13:14:18 +0000 Subject: [PATCH 128/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 0543e277ca0..3e7a964d557 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-8b11316ccfb0a772f133392954e1ef548e34f984 +ghcr.io/flatcar/mantle:git-05822977eaba120d5662bc5a46a7fd2ec0995d70 From e6d9d492ee645074d8047fb63fec23dda8ef4bf9 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 22 Dec 2025 21:00:26 +0000 Subject: [PATCH 129/213] New version: stable-4459.2.2-nightly-20251222-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 562c6d4f2c3..5a5ce60bcb9 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20251219-2100 +FLATCAR_VERSION=4459.2.2+nightly-20251222-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20251219-2100" +FLATCAR_BUILD_ID="nightly-20251222-2100" FLATCAR_SDK_VERSION=4459.0.0 From af4caefb140ad9ff6d0d4b9bde196c6fec6ed3a2 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 23 Dec 2025 09:38:55 +0100 Subject: [PATCH 130/213] coreos-base/coreos-init: add EGIT_BRANCH As we are using the git eclass, we can't simply use a git ref if this one is on another branch, we need to pass the git branch as well. Signed-off-by: Mathieu Tortuyaux --- .../coreos-base/coreos-init/coreos-init-9999.ebuild | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index 5279bbaa9af..0cb01ef9ea3 100644 
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -8,6 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else + EGIT_BRANCH="flatcar-4459-backport" EGIT_COMMIT="e4a70e49b97fbcc427f8e2bea5f8406c10bebeac" # flatcar-4459-backport KEYWORDS="amd64 arm arm64 x86" fi From 40f20bd469bf6204a2e40fe726cdf55e78971e05 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 23 Dec 2025 21:00:24 +0000 Subject: [PATCH 131/213] New version: stable-4459.2.2-nightly-20251223-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 5a5ce60bcb9..afb96251349 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20251222-2100 +FLATCAR_VERSION=4459.2.2+nightly-20251223-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20251222-2100" +FLATCAR_BUILD_ID="nightly-20251223-2100" FLATCAR_SDK_VERSION=4459.0.0 From 869bb872af9c48496346c05f4c37242edc51efd2 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 25 Dec 2025 21:00:24 +0000 Subject: [PATCH 132/213] New version: stable-4459.2.2-nightly-20251225-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index afb96251349..109841b1da6 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20251223-2100 +FLATCAR_VERSION=4459.2.2+nightly-20251225-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20251223-2100" +FLATCAR_BUILD_ID="nightly-20251225-2100" FLATCAR_SDK_VERSION=4459.0.0 From e00d0be078a1b37eb9fc85bf532d67858c35f39d Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 1 Jan 2026 21:00:23 +0000 Subject: [PATCH 133/213] New version: stable-4459.2.2-nightly-20260101-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 109841b1da6..b85a1554101 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20251225-2100 +FLATCAR_VERSION=4459.2.2+nightly-20260101-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20251225-2100" +FLATCAR_BUILD_ID="nightly-20260101-2100" FLATCAR_SDK_VERSION=4459.0.0 From 6b4231adf3bddd94bc50edf4f49c14fe1bdd35f4 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 2 Jan 2026 10:56:55 +0000 Subject: [PATCH 134/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 3e7a964d557..608243e47e3 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-05822977eaba120d5662bc5a46a7fd2ec0995d70 +ghcr.io/flatcar/mantle:git-971035fe2d1181b5d21caba326103063706d1f4d From 0f0df261917a101af542aabd33db232c0c4abc69 Mon Sep 17 00:00:00 2001 
From: flatcar-ci Date: Fri, 2 Jan 2026 21:00:22 +0000 Subject: [PATCH 135/213] New version: stable-4459.2.2-nightly-20260102-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index b85a1554101..63830d77ddf 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20260101-2100 +FLATCAR_VERSION=4459.2.2+nightly-20260102-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20260101-2100" +FLATCAR_BUILD_ID="nightly-20260102-2100" FLATCAR_SDK_VERSION=4459.0.0 From 8c7973e7a93bbd188464fc9b21ee07270f614d1f Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 8 Jan 2026 21:00:22 +0000 Subject: [PATCH 136/213] New version: stable-4459.2.2-nightly-20260108-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 63830d77ddf..75c58034851 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20260102-2100 +FLATCAR_VERSION=4459.2.2+nightly-20260108-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20260102-2100" +FLATCAR_BUILD_ID="nightly-20260108-2100" FLATCAR_SDK_VERSION=4459.0.0 From 1aed8790cfb4c05f484b6ea475fd12c4890e557c Mon Sep 17 00:00:00 2001 
From: James Le Cuirot Date: Mon, 22 Dec 2025 10:09:50 +0000 Subject: [PATCH 137/213] github: Fix and simplify kernel-apply-patch.sh regarding hv-daemons This action is kicked off from main for all channels, but the script is run against each branch, so we can assume that hv-daemons is there. COREOS_SOURCE_REVISION isn't in the hv-daemons ebuild, but that doesn't matter. sed will do nothing. Signed-off-by: James Le Cuirot Signed-off-by: Mathieu Tortuyaux --- .github/workflows/kernel-apply-patch.sh | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/kernel-apply-patch.sh b/.github/workflows/kernel-apply-patch.sh index 764d8c3a7bd..aa4844c4a11 100755 --- a/.github/workflows/kernel-apply-patch.sh +++ b/.github/workflows/kernel-apply-patch.sh @@ -28,23 +28,15 @@ fi extra_pkgs=( sys-kernel/coreos-modules sys-kernel/coreos-kernel + app-emulation/hv-daemons ) -for pkg in sources modules kernel; do - pushd "sys-kernel/coreos-${pkg}" - git mv "coreos-${pkg}"-*.ebuild "coreos-${pkg}-${VERSION_NEW}.ebuild" - sed -i -e '/^COREOS_SOURCE_REVISION=/s/=.*/=""/' "coreos-${pkg}-${VERSION_NEW}.ebuild" - popd +for pkg in sys-kernel/coreos-{sources,modules,kernel} app-emulation/hv-daemons; do + pkg+=/${pkg##*/} + git mv "${pkg}"-*.ebuild "${pkg}-${VERSION_NEW}.ebuild" + sed -i -e '/^COREOS_SOURCE_REVISION=/s/=.*/=""/' "${pkg}-${VERSION_NEW}.ebuild" done -if [[ -d app-emulation/hv-daemons ]]; then - # Update hyperv daemons ebuild soft-link to reflect new kernel version - find -D exec app-emulation/hv-daemons/ -type l -exec rm '{}' \; - ln --relative -s app-emulation/hv-daemons/hv-daemons-9999.ebuild \ - app-emulation/hv-daemons/hv-daemons-${VERSION_NEW}.ebuild - extra_pkgs+=( app-emulation/hv-daemons ) -fi - # Leave ebuild repo section of SDK popd From baa6f6a06dafde9e8c18cd6e2eec2e73f846e7a2 Mon Sep 17 00:00:00 2001 
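Review bot: The `git mv "${pkg}"-*.ebuild "${pkg}-${VERSION_NEW}.ebuild"` in the new loop of kernel-apply-patch.sh only works when the glob matches exactly one file. For `app-emulation/hv-daemons` that is not guaranteed by this commit alone: the next patch in the series (138/213) shows the directory holding both `hv-daemons-9999.ebuild` and a versioned symlink to it. With two sources and a destination that is not a directory `git mv` fails, and whether that stops the script depends on error handling set outside this hunk. A guard before the move makes the assumption explicit: `ebuilds=( "${pkg}"-*.ebuild )` followed by `(( ${#ebuilds[@]} == 1 )) || { echo "expected one ebuild for ${pkg}" >&2; exit 1; }`.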
From: James Le Cuirot Date: Wed, 10 Dec 2025 22:31:38 +0000 Subject: [PATCH 138/213] app-emulation/hv-daemons: Drop 9999 ebuild It doesn't make any sense because there is no 9999 version of coreos-sources. Signed-off-by: James Le Cuirot --- .../hv-daemons/hv-daemons-6.12.62.ebuild | 28 ++++++++++++++++- .../hv-daemons/hv-daemons-9999.ebuild | 31 ------------------- .../app-emulation/hv-daemons/metadata.xml | 4 --- 3 files changed, 27 insertions(+), 36 deletions(-) mode change 120000 => 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/metadata.xml diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild deleted file mode 120000 index 95dcc24d68a..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild +++ /dev/null @@ -1 +0,0 @@ -hv-daemons-9999.ebuild \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild new file mode 100644 index 00000000000..8e49474683e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild 
@@ -0,0 +1,27 @@ +# Copyright 2025 The Flatcar Maintainers +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit coreos-kernel savedconfig systemd + +DESCRIPTION="HyperV guest support daemons" +KEYWORDS="amd64 arm64" + +src_compile() { + # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon + kmake tools/hv +} + +src_install() { + local -a HV_DAEMONS=(hv_vss_daemon hv_kvp_daemon hv_fcopy_daemon hv_fcopy_uio_daemon) + local HV_DAEMON + for HV_DAEMON in "${HV_DAEMONS[@]}" + do + if [ -f "${S}/build/tools/hv/${HV_DAEMON}" ]; then + dobin "${S}/build/tools/hv/${HV_DAEMON}" + systemd_dounit "${FILESDIR}/${HV_DAEMON}.service" + systemd_enable_service "multi-user.target" "${HV_DAEMON}.service" + fi + done +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild deleted file mode 100644 index 5cca1461c78..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 2044-2016 The Flatcar Maintainers -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit coreos-kernel savedconfig systemd - -DESCRIPTION="HyperV guest support daemons." -KEYWORDS="amd64 arm64" - -if [[ "${PV}" == 9999 ]]; then - KEYWORDS="~amd64 ~arm64" -fi - -src_compile() { - # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon - kmake tools/hv -} - -src_install() { - local -a HV_DAEMONS=(hv_vss_daemon hv_kvp_daemon hv_fcopy_daemon hv_fcopy_uio_daemon) - local HV_DAEMON - for HV_DAEMON in "${HV_DAEMONS[@]}" - do - if [ -f "${S}/build/tools/hv/${HV_DAEMON}" ]; then - dobin "${S}/build/tools/hv/${HV_DAEMON}" - systemd_dounit "${FILESDIR}/${HV_DAEMON}.service" - systemd_enable_service "multi-user.target" "${HV_DAEMON}.service" - fi - done -} 
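Review bot: `src_install` in the new hv-daemons-6.12.62.ebuild skips every daemon whose binary is missing under `${S}/build/tools/hv/` without printing anything. A build in which `kmake tools/hv` produced none of them would therefore still succeed and yield a package with no daemons and no units. An `else` arm such as `ewarn "${HV_DAEMON} not built, skipping"` would leave a trace in the build log; failing when nothing at all was installed is stricter and may be preferable. The comment in `src_compile` also names three daemons while `HV_DAEMONS` lists four, so `hv_fcopy_uio_daemon` should be added to it.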
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/metadata.xml deleted file mode 100644 index 097975e3adc..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/metadata.xml +++ /dev/null @@ -1,4 +0,0 @@ - - - - From 1d28dd1548fe06b7cdb11195db1f91534a24e365 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 9 Jan 2026 13:35:42 +0000 Subject: [PATCH 139/213] sys-kernel/coreos-sources: Update from 6.12.62 to 6.12.64 Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-01-09-linux-6.12.64-update.md | 1 + .../{hv-daemons-6.12.62.ebuild => hv-daemons-6.12.64.ebuild} | 0 ...oreos-kernel-6.12.62.ebuild => coreos-kernel-6.12.64.ebuild} | 0 ...eos-modules-6.12.62.ebuild => coreos-modules-6.12.64.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.62.ebuild => coreos-sources-6.12.64.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-01-09-linux-6.12.64-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.62.ebuild => hv-daemons-6.12.64.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.62.ebuild => coreos-kernel-6.12.64.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.62.ebuild => coreos-modules-6.12.64.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.62.ebuild => coreos-sources-6.12.64.ebuild} (100%) diff --git a/changelog/updates/2026-01-09-linux-6.12.64-update.md b/changelog/updates/2026-01-09-linux-6.12.64-update.md new file mode 100644 index 00000000000..fcc151f25f6 --- /dev/null +++ b/changelog/updates/2026-01-09-linux-6.12.64-update.md 
@@ -0,0 +1 @@ +- Linux ([6.12.64](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.64) (includes [6.12.63](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.63))) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.64.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.62.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.64.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.64.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.64.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.64.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.62.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.64.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 6ac6e1a5888..ba62ab03f17 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.62.xz 3513124 BLAKE2B 26859581d5f20c3e06fb97677919fc8ca3038309cddc1ff042b8467088dbfae463c3e2ae9ccfb57b97079fd80342a10009b8fed0faaa1e2872988898e8a23b69 SHA512 44cbe57f40584e5ac3577c8d2820e81e9d8da225e9ba158f160421cc139f4a21e5af4064b2810c0c2f2b92aa9d3c4ca5be2d5e63cb4a150e2cdb882e4f4b6557 +DIST patch-6.12.64.xz 3723996 BLAKE2B 79527e9990c84105254f3f515906809a3d2fb0094488cb4e1d734c5ca0541553d0d557dc68fda0399ee6dd20a7f515e90b8a1fbaaa5fbeadd82afaf5d6e3a4c7 SHA512 428b10d6c34d696ba9bdd2c4e359ffa5a5c56cee3b0d9790e231a0eb0a365272b54c0cdeec6ff31af6f3190adcd5cf69fbe2cbdb47de3b22e449e1fcd0cb480b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.64.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.62.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.64.ebuild From fd5949a2bd941c5b0ea2089dc0dfec860c47493b Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 9 Jan 2026 16:18:04 +0000 Subject: [PATCH 140/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 608243e47e3..188f5fb6c58 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-971035fe2d1181b5d21caba326103063706d1f4d +ghcr.io/flatcar/mantle:git-80a34d896674a7dd24749ba44ff3a804dc0e694a From 8503f6f7631e347203be0f00d9153767b79073c8 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Fri, 9 Jan 2026 21:00:24 +0000 Subject: [PATCH 141/213] New version: stable-4459.2.2-nightly-20260109-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 75c58034851..641168b9222 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20260108-2100 +FLATCAR_VERSION=4459.2.2+nightly-20260109-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20260108-2100" +FLATCAR_BUILD_ID="nightly-20260109-2100" FLATCAR_SDK_VERSION=4459.0.0 From 3dff52b495a7c5d68190d1d509cf7fe42f88f821 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 12 Jan 2026 07:10:47 +0000 Subject: [PATCH 142/213] sys-kernel/coreos-sources: Update from 6.12.64 to 6.12.65 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-01-12-linux-6.12.65-update.md | 1 + .../{hv-daemons-6.12.64.ebuild => hv-daemons-6.12.65.ebuild} | 0 ...oreos-kernel-6.12.64.ebuild => coreos-kernel-6.12.65.ebuild} | 0 ...eos-modules-6.12.64.ebuild => coreos-modules-6.12.65.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.64.ebuild => coreos-sources-6.12.65.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-01-12-linux-6.12.65-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.64.ebuild => hv-daemons-6.12.65.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.64.ebuild => coreos-kernel-6.12.65.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.64.ebuild => coreos-modules-6.12.65.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.64.ebuild => coreos-sources-6.12.65.ebuild} (100%) diff --git a/changelog/updates/2026-01-12-linux-6.12.65-update.md b/changelog/updates/2026-01-12-linux-6.12.65-update.md new file mode 100644 index 00000000000..a36dea8c485 --- /dev/null +++ b/changelog/updates/2026-01-12-linux-6.12.65-update.md @@ -0,0 +1 @@ +- Linux ([6.12.65](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.65)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.64.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.65.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.64.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.65.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.64.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.65.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.64.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.65.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.64.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.65.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.64.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.65.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index ba62ab03f17..a24d46cafe9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.64.xz 3723996 BLAKE2B 79527e9990c84105254f3f515906809a3d2fb0094488cb4e1d734c5ca0541553d0d557dc68fda0399ee6dd20a7f515e90b8a1fbaaa5fbeadd82afaf5d6e3a4c7 SHA512 428b10d6c34d696ba9bdd2c4e359ffa5a5c56cee3b0d9790e231a0eb0a365272b54c0cdeec6ff31af6f3190adcd5cf69fbe2cbdb47de3b22e449e1fcd0cb480b +DIST patch-6.12.65.xz 3728296 BLAKE2B eddc8ef3db5f267d11222eb19b95c6ee46bebd63abc7e107b10894c426ed3303537522738e1cdb14f6feeaa1c513fc415e57e35b247a7e361f6cba42242855fd SHA512 668f8af255a429048875d23c0c859d763ee6998d5205bd4e1614dfa46dfb389c8fe14cb29a22fdb6989f289c477bd1d1afb28be77d4c7ba933f10a6b4332e609 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.64.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.65.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.64.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.65.ebuild From 8cdbce634752925324c4afd9057a2a1f7e7ccf48 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 12 Jan 2026 07:16:40 +0000 Subject: [PATCH 143/213] app-misc/ca-certificates: Update from 3.119 to 3.120 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-01-12-ca-certificates-3.120-update.md | 1 + .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +- ...a-certificates-3.119.ebuild => ca-certificates-3.120.ebuild} | 0 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-01-12-ca-certificates-3.120-update.md rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.119.ebuild => ca-certificates-3.120.ebuild} (100%) diff --git a/changelog/updates/2026-01-12-ca-certificates-3.120-update.md b/changelog/updates/2026-01-12-ca-certificates-3.120-update.md new file mode 100644 index 00000000000..a2dfb875f68 --- /dev/null +++ b/changelog/updates/2026-01-12-ca-certificates-3.120-update.md @@ -0,0 +1 @@ +- ca-certificates ([3.120](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest index 26a6180296f..a3c2af2388e 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest @@ -1 +1 @@ -DIST nss-3.119.tar.gz 77633205 BLAKE2B 65a90414c0affbe3a814f26f8223f9f175a39082ae1f59699068953e9de3b9ab1bc23b28654978c5c6087310461de53df24753a8e9ef2978bbb562436799df62 SHA512 f2dc601bf6070c493e7577f4fc5d329fdefe6b1cd09e88680b39f0cd6181bbfdce4eedb67d5c612a13f7ad1e57c8de81b366b6565f9353442b4443e041df26b3 +DIST nss-3.120.tar.gz 77634611 BLAKE2B f1bff45d52a1c4580d522e1377c0f5af175b9ae52b5ba8edb4cffe0c42bbb1ba1e0382a493abffb9ca7f7a2ee46d8e6857b036f43cdda6328d432c2dc97572e4 SHA512 7ec5b6c94a5c7fde9c02c3f1a10964e9cf5fe99372c8fcdb2866d10ef4c9cd42abc26931574dbfc229c358e2615d7907136a595e3e17944369894c1201fc2c6e 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.119.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.119.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.ebuild From 99c06d4298dfcee4eec3942d58ab0f0a94f144de Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 12 Jan 2026 13:36:57 +0000 Subject: [PATCH 144/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 188f5fb6c58..13093ee8974 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-80a34d896674a7dd24749ba44ff3a804dc0e694a +ghcr.io/flatcar/mantle:git-783b5ba0cd474350513073d610b18800c2e30e02 From a063b8362f2fb2fa9d11e8554abfb677097ea2ff Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 12 Jan 2026 21:00:26 +0000 Subject: [PATCH 145/213] New version: stable-4459.2.2-nightly-20260112-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 641168b9222..7af5165bf1e 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20260109-2100 +FLATCAR_VERSION=4459.2.2+nightly-20260112-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20260109-2100" +FLATCAR_BUILD_ID="nightly-20260112-2100" FLATCAR_SDK_VERSION=4459.0.0 From 9a683b87acebef65c4471ca6e4c2137897d37ef5 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 15 Jan 2026 21:00:23 +0000 Subject: [PATCH 146/213] New version: stable-4459.2.2-nightly-20260115-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 7af5165bf1e..1347d46179f 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.2+nightly-20260112-2100 +FLATCAR_VERSION=4459.2.2+nightly-20260115-2100 FLATCAR_VERSION_ID=4459.2.2 -FLATCAR_BUILD_ID="nightly-20260112-2100" +FLATCAR_BUILD_ID="nightly-20260115-2100" FLATCAR_SDK_VERSION=4459.0.0 From 47513f668c15de9f53fdcca3e80cbad9bee664fd Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Sun, 18 Jan 2026 07:06:28 +0000 Subject: [PATCH 147/213] sys-kernel/coreos-sources: Update from 6.12.65 to 6.12.66 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-01-18-linux-6.12.66-update.md | 1 + .../{hv-daemons-6.12.65.ebuild => hv-daemons-6.12.66.ebuild} | 0 ...oreos-kernel-6.12.65.ebuild => coreos-kernel-6.12.66.ebuild} | 0 ...eos-modules-6.12.65.ebuild => coreos-modules-6.12.66.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.65.ebuild => coreos-sources-6.12.66.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-01-18-linux-6.12.66-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.65.ebuild => hv-daemons-6.12.66.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.65.ebuild => coreos-kernel-6.12.66.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.65.ebuild => coreos-modules-6.12.66.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.65.ebuild => coreos-sources-6.12.66.ebuild} (100%) diff --git a/changelog/updates/2026-01-18-linux-6.12.66-update.md b/changelog/updates/2026-01-18-linux-6.12.66-update.md new file mode 100644 index 00000000000..a7de15077b6 --- /dev/null +++ b/changelog/updates/2026-01-18-linux-6.12.66-update.md @@ -0,0 +1 @@ +- Linux ([6.12.66](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.66)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.65.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.66.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.65.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.66.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.65.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.65.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.65.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.66.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.65.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.66.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index a24d46cafe9..0eb81bef4c7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.65.xz 3728296 BLAKE2B eddc8ef3db5f267d11222eb19b95c6ee46bebd63abc7e107b10894c426ed3303537522738e1cdb14f6feeaa1c513fc415e57e35b247a7e361f6cba42242855fd SHA512 668f8af255a429048875d23c0c859d763ee6998d5205bd4e1614dfa46dfb389c8fe14cb29a22fdb6989f289c477bd1d1afb28be77d4c7ba933f10a6b4332e609 +DIST patch-6.12.66.xz 3752552 BLAKE2B ed48dbfe0b583092e82f863702026e477809615f47bf4cab4cfb80bfebbed0dd938c92d2ab269267f5a7ae9a08ce984dbd2aa2ae56c48f0205b96fc3932c0bf9 SHA512 54230c57698f0d891742f70e6f8bb957c0b6d188ab8d5dc219b2a8b2ef9b8e0c7bcf51002a08f0f9c4b584f39378f0ac3f613c1a5a7562f8535d2fd05cfd71a4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.65.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.66.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.65.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.66.ebuild From ac45bfa2bf9ce6caad39d89e331608e77268bbf8 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 19 Jan 2026 13:39:34 +0000 Subject: [PATCH 148/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 13093ee8974..1c5ea78d70d 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-783b5ba0cd474350513073d610b18800c2e30e02
+ghcr.io/flatcar/mantle:git-57892101aaa76c3999d01c86803a749aa85ba6c7
From 108531fd5e7dfa04c54748d9c1e9aa12ac6b39c5 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 19 Jan 2026 21:00:25 +0000 Subject: [PATCH 149/213] New version: stable-4459.2.2-nightly-20260119-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 1347d46179f..b8f1eb50d8d 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.2+nightly-20260115-2100
+FLATCAR_VERSION=4459.2.2+nightly-20260119-2100
 FLATCAR_VERSION_ID=4459.2.2
-FLATCAR_BUILD_ID="nightly-20260115-2100"
+FLATCAR_BUILD_ID="nightly-20260119-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 98470bd2f55be9426eb2a3592c99396a2420a0df Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 22 Jan 2026 21:00:27 +0000 Subject: [PATCH 150/213] New version: stable-4459.2.2-nightly-20260122-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index b8f1eb50d8d..aa205903a9a 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.2+nightly-20260119-2100
+FLATCAR_VERSION=4459.2.2+nightly-20260122-2100
 FLATCAR_VERSION_ID=4459.2.2
-FLATCAR_BUILD_ID="nightly-20260119-2100"
+FLATCAR_BUILD_ID="nightly-20260122-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 04810e7e17d7f3c1f046405f8d2cca7ae959a523 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Fri, 23 Jan 2026 14:56:34 +0100 Subject: [PATCH 151/213] New version: stable-4459.2.3
Signed-off-by: Mathieu Tortuyaux --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index aa205903a9a..b347a32be41 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.2+nightly-20260122-2100
-FLATCAR_VERSION_ID=4459.2.2
-FLATCAR_BUILD_ID="nightly-20260122-2100"
+FLATCAR_VERSION=4459.2.3
+FLATCAR_VERSION_ID=4459.2.3
+FLATCAR_BUILD_ID=""
 FLATCAR_SDK_VERSION=4459.0.0
From dd5671bd283b3ac64401fe6934b33ad8dc19b4c8 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 26 Jan 2026 21:00:36 +0000 Subject: [PATCH 152/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 1c5ea78d70d..02e321579fb 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-57892101aaa76c3999d01c86803a749aa85ba6c7
+ghcr.io/flatcar/mantle:git-1f65cb1fb8d244a6714709b3534e223770474c29
From a3da01ae705ecbc2126ea691685e6f7db76f55a2 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 27 Jan 2026 21:00:22 +0000 Subject: [PATCH 153/213] New version: stable-4459.2.3-nightly-20260127-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index b347a32be41..2b7b0140d8c 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3
+FLATCAR_VERSION=4459.2.3+nightly-20260127-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID=""
+FLATCAR_BUILD_ID="nightly-20260127-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 274cc322ba272785dd059514805096474916a853 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 28 Jan 2026 10:00:07 +0100 Subject: [PATCH 154/213] dev-libs/openssl: sync with ::gentoo Commit-ref: https://github.com/gentoo/gentoo/commit/492effc365a0cdcd0cca81a583f62aad855e3ed9
Signed-off-by: Mathieu Tortuyaux --- .../portage-stable/dev-libs/openssl/Manifest | 42 +-- .../openssl/files/gentoo.config-1.0.2 | 8 + .../openssl/files/gentoo.config-1.0.4 | 8 + .../dev-libs/openssl/openssl-1.0.2u-r1.ebuild | 4 +- .../dev-libs/openssl/openssl-1.1.1w.ebuild | 4 +- ...sl-3.0.16.ebuild => openssl-3.0.18.ebuild} | 4 +- ...sl-3.0.17.ebuild => openssl-3.0.19.ebuild} | 6 +- .../dev-libs/openssl/openssl-3.0.9999.ebuild | 4 +- .../dev-libs/openssl/openssl-3.1.8.ebuild | 290 ----------------- .../dev-libs/openssl/openssl-3.1.9999.ebuild | 290 ----------------- .../dev-libs/openssl/openssl-3.2.5.ebuild | 297 ------------------ ...nssl-3.2.4.ebuild => openssl-3.2.6.ebuild} | 4 +- .../dev-libs/openssl/openssl-3.2.9999.ebuild | 4 +- ...nssl-3.3.3.ebuild => openssl-3.3.5.ebuild} | 7 +- ...nssl-3.3.4.ebuild => openssl-3.3.6.ebuild} | 9 +- .../dev-libs/openssl/openssl-3.3.9999.ebuild | 7 +- ...nssl-3.4.2.ebuild => openssl-3.4.3.ebuild} | 7 +- ...nssl-3.4.1.ebuild => openssl-3.4.4.ebuild} | 9 +- .../dev-libs/openssl/openssl-3.4.9999.ebuild | 7 +- .../dev-libs/openssl/openssl-3.5.4.ebuild | 297 ++++++++++++++++++ .../dev-libs/openssl/openssl-3.5.5.ebuild | 297 ++++++++++++++++++ .../dev-libs/openssl/openssl-3.5.9999.ebuild | 7 +- .../dev-libs/openssl/openssl-3.6.0.ebuild | 297 ++++++++++++++++++ .../dev-libs/openssl/openssl-3.6.1.ebuild | 297 ++++++++++++++++++ ...l-3.5.2.ebuild => openssl-3.6.9999.ebuild} | 7 +- 25 files changed, 1283 insertions(+), 930 deletions(-) rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.0.16.ebuild => openssl-3.0.18.ebuild} (98%) rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.0.17.ebuild => openssl-3.0.19.ebuild} (96%) delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.8.ebuild delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.9999.ebuild delete mode 100644 
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.5.ebuild rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.2.4.ebuild => openssl-3.2.6.ebuild} (98%) rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.3.3.ebuild => openssl-3.3.5.ebuild} (97%) rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.3.4.ebuild => openssl-3.3.6.ebuild} (96%) rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.4.2.ebuild => openssl-3.4.3.ebuild} (97%) rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.4.1.ebuild => openssl-3.4.4.ebuild} (97%) create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.4.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.0.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.1.ebuild rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.5.2.ebuild => openssl-3.6.9999.ebuild} (97%) diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest index ac4da6e6aba..cf4aa2fa2ec 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest 
@@ -3,23 +3,25 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 DIST openssl-1.1.1w.tar.gz 9893384 BLAKE2B 2fdba6ca0188928ab2f74e606136afca66cfa0467170fa6298ef160b64ac6fdcad1e81e5dd14013ce0e9921d0f7417edec531cd0beaf1196fec704c2c6d48395 SHA512 b4c625fe56a4e690b57b6a011a225ad0cb3af54bd8fb67af77b5eceac55cc7191291d96a660c5b568a08a2fbf62b4612818e7cca1bb95b2b6b4fc649b0552b6d DIST openssl-1.1.1w.tar.gz.asc 833 BLAKE2B d990be69ed913509d52b78e7473668429d4485adb29ef03e4612dd0cadbac4f04c7289d8e5baf6f397bcedeaac9f802f18fc719964d882ae0514ed1ca16ae277 SHA512 0f3d7aa48b1cabf8dd43e8108aeed10a4dffb4f5a244d4da9c86ea358b0c8b90c46da561d21e01c567c2f5035d824ed82ec104aad1776b7f33a1be85990e98ef -DIST openssl-3.0.16.tar.gz 15334967 BLAKE2B a1bcaf17c92beca6ff7f39857788120648904ef1dd25ffa2e43bd5477810e8c18751929d5ed270e7f429c569c5b5fdf069f1280646d8b4d1e879f15dfa03f7d9 SHA512 5eea2b0c60d870549fc2b8755f1220a57f870d95fbc8d5cc5abb9589f212d10945f355c3e88ff48540a7ee1c4db774b936023ca33d7c799ea82d91eef9c1c16d -DIST openssl-3.0.16.tar.gz.asc 833 BLAKE2B 5f288f4b1e3a85181a73f288c7cb2d2e6e54e09b3ba032a6074c207f1f53d2920f4cdbbc9143a60063b3426eaa0279af4b1ed59b6b909047051ce73caff03584 SHA512 8b9688ecf84cb61b2718fc898eb748a8eb1ad9125f4742b09552d81bce098753dcbc36cdee9a30adbe4127de30938d955a7af12f8619338bcf2e2e748c8e8c86 -DIST openssl-3.0.17.tar.gz 15344831 BLAKE2B 4f7df7867ece7043d8682b8ebfacd4611abb81d977bef36b1183dcae7fd136d1bf4ea7bf1d24a165211aaceba79895814b82586305177d3066b0cad729059882 SHA512 563546cfc0766b9a690c20bcc7df1afed843c3c57df4b8fa561d4c695e6f5cc3258a2cd95775f8fb5fd78005198ee20aa58c3fc19fdefbe5e60b8731390842c2 -DIST openssl-3.0.17.tar.gz.asc 833 BLAKE2B 
908b65ba1454915b767947003978b452feaa54e58c20dac6bf66c497de28213b3e06e73c55991fb09d584e6b2d9cb5db688e6927b5afc847f62c0a30a2b2ee43 SHA512 d07368696c698cb5f0f194be90f110c84d961c58c7d311106a3ef235ee3e1e1f8473a53e61add48aca7630ce010b5457e90c92da6fee4b576689d0a9ba59864c -DIST openssl-3.1.8.tar.gz 15706439 BLAKE2B 05d8ac054bc46ac6196470bd388ef8be2d2dd62c14bb22fff668ab8e8914bb8d89eb78119ba49839a364ca4c3683186299a9bfbf6a03d83a8630b54e668e5977 SHA512 faf066b207184a67387d4659b68de0bb89c4ec847b835998c8cc57ee4a8759f3fc3b7fe2db85f394bf8c54720ce044447168e0fa2fda6f0901c4d9a1697d9a6e -DIST openssl-3.1.8.tar.gz.asc 833 BLAKE2B b9f1f439ff373d4b3706cfd9d2518d84aca1744ae50a31c50cb7fd4aa9de1d4139fc314390353377391a99b3d6c9ea66b0160d7fed15bdf4c9a255e94654eb80 SHA512 0737d62b6971f311936908d7cf3eb6c01e1ae314709bc80cfdbe885d17c64337fd2378a1e93c932f870681efc992a8d0656625580e30cc9e3d397aa4ebb7c7e6 -DIST openssl-3.2.4.tar.gz 17782746 BLAKE2B 079a0eb15b960a8ec89a2b2ccfa1f5e216dac325cb0857e168119fb240b6cdd78ecf723802a53d1e62e0a534be60e5459f561de764d1987e38eab466e555f994 SHA512 24712cb722ed8daff51db9deec4db982256cccd1a537d3a8690a94a6fd41815fd85cab95e551212938f28a61ed658d285b07734f7b88d8a0b18a318602d424f2 -DIST openssl-3.2.4.tar.gz.asc 833 BLAKE2B 27c55522889843a14133535d47ad1fc7b2eba7a6f7fd0f78a8be8f36492ff53932b1a50131e90a37c3c22ba60b188b9dff98717756c4a20f361b22d069482399 SHA512 a381b24bd47a2e00657a29af02aa890b22186de70ba3ac3776ff5d4fb40579e9fd8356aacb6ce230d40adb6765e906b8d9bda54f98cc8887e98069f9bfd10140 -DIST openssl-3.2.5.tar.gz 17800797 BLAKE2B 6d1dad57e6700ac9e14912e6b96a486d40ac5fa2567d129c0f4d9bed8fbd408f65000a1d4fcd2ebc49ecd118bfa03a504cfb24da38bdf4530cd250046cf05de1 SHA512 a0662f8d35df9986ade5332d86c8d79bf9d98f4a92dbf63e177be2cf24bc633fbcb2758fdc5eab425aaafd48d9b6fdf32602c915e61f8278e1b78452d54dfc21 -DIST openssl-3.2.5.tar.gz.asc 833 BLAKE2B 591629a5435de5b715b58c4758797bdfd99586dc8807cbaac0f80010b51adb755864ed5694e15a35f1716f905654632ff6c591c6923d5d67ced27d43a60964d6 SHA512 
b3b7fa105caed32de357db55023a114ad9704324887f51979c2e10b305a91774026fad28dab37b733a57abaa941b2793fbd0ad333bf35d05b8a0b1cf03172d79 -DIST openssl-3.3.3.tar.gz 18102481 BLAKE2B c2033e357963e339faaf3b35b18c660da48616a6228e802a3ef1c4a6a51a570db42970d973868c4d57afcd3953403c9ff047317cac49a865af628abde99c2ade SHA512 4f53d963c258305f0e926d2e56fc73359c3d62adb25bfce06889eef3278652d073b9e2a4100a884c0d8ee90cb924ba258a5de4e7be6d2c7c49765167e95430d7 -DIST openssl-3.3.3.tar.gz.asc 833 BLAKE2B dbb8436f7e8e015eca740ccddcbfc159884089c7540e47d03d65efcc607a28d29889f7eaf53412e50362d201941df3061e7877b6216215d4cab04bdb149d23a7 SHA512 2fde16310fc0a2985ea9df5b8485c17391a589297679687634b833b453e9c5d04ddb3b8b4f117259af9b13813ca0ea9ee6cec2d854dfc7e1add3dbb78962ccd0 -DIST openssl-3.3.4.tar.gz 18113350 BLAKE2B f4a2c050eef854212b4518e04f5746c65a0cf22437eba11a0eb095158113836f181e25891021f923700a939d792e537b71c650991b3346eb6ca0a5053f565409 SHA512 7f01240b745ee6b3af6935ec3fd3be700f7be243b092d3265f160f1da12d52efb562755fb2b41240bc12a22a2ec7440fb21d4c53183c6a91c4182e0e8a2adfb1 -DIST openssl-3.3.4.tar.gz.asc 833 BLAKE2B 75097d89f505070b4aeb0660c725726ae4fefd8d46becf786a75fe6c03727fbdb07c0699e1b6f002791cd2b791f53bc636c5e249ab25fcad2235ee6c3ff5a9d3 SHA512 76cc3eb3e09dbf3a22531ba1b5b945d41525850d74ce155a13a0b0955f51f857e7e7246b0fc24bfe9a9cb0dd45aee059faa22cabd7b0db862e537be0f4a043c5 -DIST openssl-3.4.1.tar.gz 18346056 BLAKE2B 328a2a4f0536b15ffe6421afc99bdb5dcdf3d29f44437fdd80bbf4089f5f2658ca10907e033eda2e04c6b862e49b150ea59d8ab1807d14a3dcf64e10c32e78af SHA512 1de6307c587686711f05d1e96731c43526fa3af51e4cd94c06c880954b67f6eb4c7db3177f0ea5937d41bc1f8cadcf5bce75025b5c1a46a469376960f1001c5f -DIST openssl-3.4.1.tar.gz.asc 833 BLAKE2B 321a5593ce5a1ff07553dcca722b0da0e9e9f3ef639176d663b6a92be2a32d3379536a788930f7f78dccc4e4d4922fe696f8d1bd65aa54f51c3c75accad34b1f SHA512 b007d5a35a7904d5d5e053e232a54b2ba75fb43f80bf1fe2175528e86e31cca8161da09d7417b50359008ce1955497e4d11c46794f15cc7c3220aa92eff99ccb -DIST 
openssl-3.4.2.tar.gz 18357346 BLAKE2B f773b8bd1bcfeae2c906c079598460cb87aaab5a39691b00ba27864b30261ae69af4314a28e0209707e1954b3ec2dfc920be4a21c96efae29e596b315d9821ab SHA512 5633659dd6ccad48a16ddbf3c0d35eb6df7d4ed2d1d99e5bf2fb7ba0b6ee955e14b671e9b3be3794151f35754b9969b4243317c28bae5b48e24d89930579cc31 -DIST openssl-3.4.2.tar.gz.asc 833 BLAKE2B d278d061c09896c6819e479092c96c371515fbae535f9c4848f79660a1c1a444737a17299873e6dfd190f1f11f4d662b78940ddddea2e2514a801765cd39f452 SHA512 c6df601904db0415ac100a496367e3c6cd59b3eda76cf0bfe3fc39805ff05dd717d87016a144391701f4bb141f303c88b9ddcf812db28858b8b9080126832afa -DIST openssl-3.5.2.tar.gz 53180161 BLAKE2B fd6179457b85d7a2ae87ee432de4d9e0d5b5dba30b6b57d0f289a0d034c6d7de7c7166b1f69f00d822105c5119bfa44fd52bf5b9035a14aae21015ad3fe2d224 SHA512 db2c7a88bea432f96d867a98af15f850f371d4136c657338de93cb88a39a3578c025b5df7310e195a02fc715ad5a2422a319a44f0247c6a7e2ba8b36aad77651 -DIST openssl-3.5.2.tar.gz.asc 833 BLAKE2B f22883c76bc636f6d5916913486ef0873da91b0e29dd24569def0409e8573ebe23f28b9e3b3ed6120fb85afaa3181470b8fc83959b40389d8b1cd2dc4852f404 SHA512 2be00d03e5b246833f8e47f59bd7ca3dbaec519f2160fd9dfed3a7b2c65b9977703811c06662c17b301e456bbfc73477c76e3b444329741e99e2576005900580 +DIST openssl-3.0.18.tar.gz 15348046 BLAKE2B 2cb9cefecab790f6e857a63e2ade93e1b28fdfab7110e4ed6049c36c7cc2131e88454cb49e70e0802adf6f9317b3f21e950446a9152b58074f9ffb787732716a SHA512 6bdd16f33b83ae2a12777230c4ff00d0595bbc00253ac8c3ac31e1375e818fc74d7f491bd2e507ff33cab9f0498cfb28fa8690f75a98663568d40901523cdf3c +DIST openssl-3.0.18.tar.gz.asc 833 BLAKE2B bfa698106e314bf8800c5bdf9ec892611a91a2bcb006b7e5f52afc5d0af64be65bf8512e042b37d36db041964aa83c17f4b1ee2f22dcb127d4e4665d3b6c9440 SHA512 cd4cd8afab68cbe0a5b034039112901cf8a25711c55556681f86b04e47389bcffae85a98f155a517156dd9fb29ceb82f627e371881feb928e887053f145bddfd +DIST openssl-3.0.19.tar.gz 15280904 BLAKE2B 
0d21fd9037b87c5d22c75e2201208394fa7d6a37ed7a44cc6ae760ab95ff6743a00d26b90141871ba5bd76a56500142df33d04219379e51b6f74e411e9d2b3af SHA512 6e602ac7217e1b4423793ee5c4c10745f70fcde3f9820d6c894ebeedb4f29566e2d0c3c590ae210484dcea4eb53db5bb8dbbfee14bbaca3e147406b1343c3cd7 +DIST openssl-3.0.19.tar.gz.asc 833 BLAKE2B f5ed372d80afc3fde1c4298166fabb512bb0f350725497d98a83575b98b049dd8ec3dc169043b11f9135702d37d762bb24afd98eab75d5a42b6554bec2064c8f SHA512 3ae5adb82d071658c3a839d7713c7d4fd09b13dc36860327d0347ca94cb0c712081f03d3e8251af2297b7d1792345a078e18ffa8b92e5f90fe6d5370152813e8 +DIST openssl-3.2.6.tar.gz 17805999 BLAKE2B 3c1410d8f8aea119828259cd88d6e8336d20b5176a4b0e1907c79d76fef5954f658bb5c7fd2b20985ed7ee5930842a39c6b1a9aa1a0944c00ead0f81f2c3603d SHA512 a183b9ecfcf75f1dbc7911d726adb26f9da83e307b593dbbd7ded5f46170b63bac44e403cef53d16daf2d8dc116f8c2eb820c9de50d073c75681ef8e5de01c05 +DIST openssl-3.2.6.tar.gz.asc 833 BLAKE2B 9f332db499dea93760e1d2f881115cd5c8574141e42b86429d2b009ac6f698ef7341f1a5ff407803506c06fd59e3fe243387befb2ee68584ce88893364c09a17 SHA512 2bfbe94619349fa7af86109a7ad84588a033e690a45d5500e3f1332891e5cb39f18ee631a307b6c8aa5724f2c684b90f276d071a91556f01312bed83d7b30aa3 +DIST openssl-3.3.5.tar.gz 18125182 BLAKE2B 377a9a2cbc1f97fb34f1f314789354e047e1bc875eddc4e2aa50578009a3352e196ea33b0d6f57ede199b16d4b0e6096782a0d70ea1a4d923d5543b1caf6ca02 SHA512 4fe2d51afefd21af4e50225bde6dfd2c12eb00ce2a144ee1aadba48463604cd180135b5f71fcea3908977b043ffceb7d2824fa30b969a017df016dccd8519aad +DIST openssl-3.3.5.tar.gz.asc 833 BLAKE2B 7a6e93e68981436932bf3e019e9021863dfafd2699065959086ac1b1f2bda278b94965f5027794ee565e2a80d8c4c0b796b6e17063eccd38e5ec723cfb2411ba SHA512 b79526a5cf0326b63828d534a3ddd2cb5699a226a485345017c9a1ef34fe7610a62a2b6b90d171da8b4660a9937cdf7688c08b93d6e05629a8648627a928676c +DIST openssl-3.3.6.tar.gz 18035615 BLAKE2B 3cc0b33885449192863edc4600d144a98903d2c323f4a6f11e2aba8e6dfa5fa45a9d025d5de60c0511972cb42de9ef7fc81073d8abc5d1d2886b660089b9aaf5 SHA512 
3c0840420f30f74404446a9d9fe9ee48222e867190ddc9e51e1c0f1f45c3c0caad6cb41068f65adc2be2aa5e0b8447c42ee821dd28e2ec60140cf004dc3493c1 +DIST openssl-3.3.6.tar.gz.asc 833 BLAKE2B 93ea9f040912defd9a228309ce110b1dc535e219223afb0299eacbabb17c333bc282a7656bd870f3d01aa69856c409908d3d0610e541a56d919b1f204bd0b571 SHA512 90f7a392b1348f74e3617212fbad8974d92b8d48832a8d5c338ad792ae25a067ae102475ba935cd41d1a5d89e80458a5f05ef921e942279149d8534bf9ac01e6 +DIST openssl-3.4.3.tar.gz 18369414 BLAKE2B e74392b93696d4967d8ec1d0edc2f2d559e56cf6cb28207708d5288a3df2854b37e21b33c9a816829d4215a7575285dd91b65770d0333e966fcc800837bfe3d5 SHA512 84d73d8ee1032b911bd60c8c0c69cca14e37c80c57735789f23d49b968388c641a75add3b347b222228cbb629f0c10c17a2f6c139547bdd261f4bab4a78eb94c +DIST openssl-3.4.3.tar.gz.asc 833 BLAKE2B 52c5c0753230812ce251b274e2e934e9746c51e11aeed73046a5408356d620a32d5703bffe3c0d8933ebc03c659b80d8b1d7d6a77d4876620d0fea3aa54b27ed SHA512 510fbbb693549b0aad3004739f001f8569ca17a859848b48a58afac3f1bd2f92aa2bac649a492fa32bad4e5d5c14f4a6e341253bc6cc9536428307be71daf516 +DIST openssl-3.4.4.tar.gz 18278255 BLAKE2B 022d97f839120bdb21a8fa011b42cd1e0f732253f4b7e02172a8cfb5f6a60c855500ce542d49e256ff3cb6428a929487e921ee4834f74dd57d10165ec44924ab SHA512 2f75b045f0dddd2421ecd7b1817a4e5a7608293e797135eb945573d1115b2d89f0fd3706ee5e02c7de2e50b3bfc59ac73014e2cb6270ff6b9e1515691347dbb2 +DIST openssl-3.4.4.tar.gz.asc 833 BLAKE2B c8c4e9338e5e6f4630701e894e551bd0606401462762755832e607d3145688624b61beba0c6128f6fbc632d50b8eac13da7c4530300e5579527ad4523251f521 SHA512 a599e8d77426de126a6358d159b46ab9d301962016fa85219f0294e6eb667733436ceeccb0de6017adb71c1b9cd52a496882919e9edd65e749a8ae95d5143cb4 +DIST openssl-3.5.4.tar.gz 53190367 BLAKE2B 07e02f88af05e189385eef28599b81bd16d242130975c79df46e565a0dd92f74e59807d4770a2b3316adf08f2ca6a0dd2bfc96ab2a88a8dfb5c0d19197fe8fbf SHA512 365aca6f2e59b5c8261fba683425d177874cf6024b0d216ca309112b879c1f4e8da78617e23c3c95d0b4a26b83ecd0d8348038b999d30e597d19f466c4761227 +DIST 
openssl-3.5.4.tar.gz.asc 833 BLAKE2B 837dfd4778073dbecdf5859dfe11b81dcecd9796a13c06c36c6dadfed04f9cee158759d96116ae8d0985ba29bcaefad874824b8f633f13c252b79a9e28fa7303 SHA512 7bf10c965e5f376979c8cd0a24560ba9d0169ee41d43c54f78642d50d9a27bf111c5553b1ee4c6c1b459b00d465681dea8ba983d0a0396ecc52b9e561769ffe5 +DIST openssl-3.5.5.tar.gz 53104821 BLAKE2B 5fe5f7e768ade2dcffdd90841875de3e3a463aac979d57462fa5c69ec5e7288063dfc35cd6b049db007cff9135089fa05956f715476e12efc58a7d6969f6d29a SHA512 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec +DIST openssl-3.5.5.tar.gz.asc 833 BLAKE2B 122e9abcadb8559ef42dda7cc985c1457852243f8e8fb12e9a1d3b824853a56f311726252c6b1cfde47c3d5500bf36c18d8f7f19c42582c8f40d974dac22011f SHA512 82645f4fb427467b1e52f096ef6c6ccbdaa5aefcd28c8d3149a92f7c7711d0936e1e097f4168db6196809c19f83c1b85068d327cc1f0c5ad9f33d9d3686003d7 +DIST openssl-3.6.0.tar.gz 54974351 BLAKE2B 4a0150aa9a78581e74119b338848458249630c94a43589a5b311d41c669b817b043007ddd13b3fb81233da10af3ccd455f3fbf3b09cf45016c475a8e2044e965 SHA512 866825a1cdf0b705b409402fbc7a713e7d9b8e7736c5126be57b354927954c148a341fc52b02c0629c1e015a889bfd40217f8e703b73235892e91da060909b76 +DIST openssl-3.6.0.tar.gz.asc 833 BLAKE2B 47e8aff0e9c0306213c0e3db689c16f7ee65d28a3d1201f317f184980237725598cec5256fc3453e48802ba28f0301867ab9e1413724d68773ead9125562d3c9 SHA512 1622ee1a099a1d2c5cac4de4c464574cd8b2d9c2bd565aa5f7a7efd6d4081849937d3d1b6d6e34254e0904f79a9c2477fb692c71599792092ceb09fc11a30d8d +DIST openssl-3.6.1.tar.gz 54891951 BLAKE2B da949967d40ca9e17baf1bedded5080e37bce2dfc187f2a46f80ec01e708f9d550d055ef8557812135c4a1081b8f3477c5d4dbe46e0f39a9b696a7dbdc6b769a SHA512 492cd2e0a7506e085d9840a929ead994390409a35c24e47e0cf44987920711b61f1513f21b7eee50e56f226b26cd654cda6dbd1f6e439563a93a8f0e530fefb5 +DIST openssl-3.6.1.tar.gz.asc 833 BLAKE2B 
3af3fc0b57503cf5d1a8c34a460d76fcde1823250c721ac10f523196f57ceb3e7ceb66332af3e10ec24eefa3e4acec145349bedf37fe29fe2dde787f3001ebb3 SHA512 a1feb4e309d5288ed33e9459cee24272b67321eb037e11effd8ac0626aca792be5b442cc8c5e0c1abd288a1c0d05c8af7927b8c4a08e7685c92a6561ad806659 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.2 b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.2 index caa569588f3..66a8b368170 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.2 +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.2 @@ -64,6 +64,7 @@ case ${CHOST} in *-winnt*) system="winnt";; x86_64-*-mingw*) system="mingw64";; *mingw*) system="mingw";; + *-gnu*) system="hurd";; *) exit 0;; esac @@ -165,6 +166,13 @@ mingw*) # special case ... no xxx-yyy style name echo ${system} ;; +hurd) + case ${chost_machine} in + i[0-9]86*) machine=x86;; + x86_64*) machine=x86_64;; + *) machine=generic32;; + esac + ;; esac diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.4 b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.4 index d32ce877a34..7754d9e5aaf 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.4 +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/gentoo.config-1.0.4 @@ -65,6 +65,7 @@ case ${CHOST} in *-winnt*) system="winnt";; x86_64-*-mingw*) system="mingw64";; *mingw*) system="mingw";; + *-gnu*) system="hurd";; *) exit 0;; esac @@ -179,6 +180,13 @@ mingw*) # special case ... no xxx-yyy style name echo ${system} ;; +hurd) + case ${chost_machine} in + i[0-9]86*) machine=x86;; + x86_64*) machine=x86_64;; + *) machine=generic32;; + esac + ;; esac 
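Review bot: The new `*-gnu*) system="hurd";;` arm in the `case ${CHOST}` block of gentoo.config-1.0.2 is only correct because of where it sits: the glob also matches `*-linux-gnu` tuples, so it relies on an earlier Linux arm winning first (that arm is outside the hunk, so this is inferred). A comment on the arm would keep a later reorder from silently reclassifying Linux hosts as Hurd, for example `# keep after the linux arm: *-gnu* also matches *-linux-gnu`. The identical arm added to gentoo.config-1.0.4 needs the same comment. The case statement begins outside both hunks.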
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.0.2u-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.0.2u-r1.ebuild index 19da2ab2d4f..d0c876578de 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.0.2u-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.0.2u-r1.ebuild @@ -33,7 +33,7 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz LICENSE="openssl" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~x86-linux ~arm64-macos" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos" IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test tls-compression +tls-heartbeat vanilla" RESTRICT="!bindist? ( bindist ) !test? ( test )" @@ -41,7 +41,7 @@ RESTRICT="!bindist? ( bindist ) RDEPEND=">=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] ) - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )" + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] )" DEPEND="${RDEPEND}" BDEPEND=" >=dev-lang/perl-5 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.1.1w.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.1.1w.ebuild index 339a452b1db..c8826028e09 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.1.1w.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-1.1.1w.ebuild 
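Review bot: The rewritten `tls-compression?` dependency in the second hunk of openssl-1.0.2u-r1.ebuild now names `>=virtual/zlib-1.2.8-r1:=`, yet the commit's diffstat lists only files under dev-libs/openssl, so nothing in this commit adds a `virtual/zlib` package. If the tree does not already carry that virtual, dependency resolution for `USE=tls-compression` will fail, so it should be confirmed present in portage-stable or synced in the same change. The same atom appears in the openssl-1.1.1w, 3.0.18, 3.0.19 and 3.0.9999 hunks that follow. The added `:=` slot operator also means a zlib slot change now forces an openssl rebuild, which is presumably intended but worth a line in the commit message.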
@@ -16,13 +16,13 @@ S="${WORKDIR}/${MY_P}" LICENSE="openssl" SLOT="0/1.1" # .so version of libssl/libcrypto if [[ ${PV} != *_pre* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers" RESTRICT="!test? ( test )" RDEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )" + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] )" DEPEND="${RDEPEND}" BDEPEND=" >=dev-lang/perl-5 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.16.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.18.ebuild similarity index 98% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.16.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.18.ebuild index 9f2d35b91c4..3395bae6620 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.16.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.18.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" 
@@ -41,7 +41,7 @@ IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compre RESTRICT="!test? ( test )" COMMON_DEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.17.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.19.ebuild similarity index 96% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.17.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.19.ebuild index c183d21b68d..18d9d7eda54 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.17.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.19.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -41,7 +41,7 @@ IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compre RESTRICT="!test? ( test )" COMMON_DEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild index c183d21b68d..65cd17e6318 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -41,7 +41,7 @@ IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compre RESTRICT="!test? ( test )" COMMON_DEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.8.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.8.ebuild deleted file mode 100644 index 95198f98827..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.8.ebuild +++ /dev/null 
@@ -1,290 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == *9999 ]] ; then - [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - inherit verify-sig - SRC_URI=" - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz - verify-sig? ( - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc - ) - " - - if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" - fi - - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND+=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) -" -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" 
- else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. 
This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 - append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! 
- # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. 
But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.9999.ebuild deleted file mode 100644 index 1ae5a138a77..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.9999.ebuild +++ /dev/null 
@@ -1,290 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == *9999 ]] ; then - [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - inherit verify-sig - SRC_URI=" - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz - verify-sig? ( - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc - ) - " - - if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" - fi - - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND+=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) -" -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" 
- else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. 
This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 - append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! 
- # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. 
But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.5.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.5.ebuild deleted file mode 100644 index 270945bf5ed..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.5.ebuild +++ /dev/null 
@@ -1,297 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == *9999 ]] ; then - [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - inherit verify-sig - SRC_URI=" - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz - verify-sig? ( - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc - ) - " - - if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" - fi - - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND+=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? 
( >=sec-keys/openpgp-keys-openssl-20240920 ) -" -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." 
- rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 -- check inserts GNU ld-compatible arguments - [[ ${CHOST} == *-darwin* ]] || append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. 
If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! - # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # See https://github.com/openssl/openssl/blob/master/test/README.md for options. - # - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - # - # -j1 here for https://github.com/openssl/openssl/issues/21999, but it - # shouldn't matter as tests were already built earlier, and HARNESS_JOBS - # controls running the tests. 
- emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? 
- fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.4.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.6.ebuild similarity index 98% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.4.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.6.ebuild index f11e7651601..3036c7f3992 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.4.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.6.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.9999.ebuild index 1e01d73e617..dfa2ed35554 100644 
--- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.9999.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.3.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.5.ebuild similarity index 97% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.3.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.5.ebuild index 541489aa89b..3813d5430f0 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.3.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.5.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" 
@@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 @@ -216,6 +216,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.4.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.6.ebuild similarity index 96% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.4.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.6.ebuild index 5ce8a7074aa..37c84927c78 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.4.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.6.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 
@@ -216,6 +216,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild index f492950eefa..3acab3cf171 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 @@ -212,6 +212,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.3.ebuild similarity index 97% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.2.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.3.ebuild index bb7855a30f9..a0741999964 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.2.ebuild 
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.3.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 @@ -212,6 +212,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.4.ebuild similarity index 97% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.1.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.4.ebuild index bb7855a30f9..aee6f99cf00 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.1.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 
@@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 @@ -212,6 +212,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild index f492950eefa..3acab3cf171 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 
@@ -212,6 +212,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.4.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.4.ebuild new file mode 100644 index 00000000000..42a318f0f28 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.4.ebuild 
@@ -0,0 +1,297 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info sysroot toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == *9999 ]] ; then + [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + inherit verify-sig + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" + fi + + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND+=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" 
+ else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. 
This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! 
+ # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi +} + +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. 
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + einfo "Running openssl fipsinstall" + LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ + sysroot_run_prefixed "${ED}/usr/bin/openssl" fipsinstall \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" \ + || die "fipsinstall failed" + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + 
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5.ebuild new file mode 100644 index 00000000000..03e01312067 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5.ebuild 
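Review bot: In `multilib_src_configure` of the new openssl-3.5.4.ebuild, `local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")` assigns a variable that nothing else in the file reads. Each per-ABI configure run therefore performs a `has_version` lookup whose result is discarded. Dropping the line leaves the Configure arguments unchanged, because `krb5` never reaches `myeconfargs`. The identical line is in the new openssl-3.5.5.ebuild.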
@@ -0,0 +1,297 @@ +# Copyright 1999-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info sysroot toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == *9999 ]] ; then + [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + inherit verify-sig + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" + fi + + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND+=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" 
+ else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. 
This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! 
+ # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi +} + +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. 
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + einfo "Running openssl fipsinstall" + LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ + sysroot_run_prefixed "${ED}/usr/bin/openssl" fipsinstall \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" \ + || die "fipsinstall failed" + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + 
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild index ab2f92680e2..2de7e8ce8aa 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 @@ -212,6 +212,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.0.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.0.ebuild new file mode 100644 index 00000000000..6dc7d4179ae --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.0.ebuild 
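Review bot: The Configure argument list in `multilib_src_configure` of openssl-3.5.5.ebuild passes `enable-idea`, `enable-mdc2` and `enable-rc5` unconditionally and exposes `tls-compression` and `weak-ssl-ciphers` as USE flags, with no comment on the security trade-off. Both flags are listed in `IUSE` without a `+`, so they default to off; a comment above the list should say they are meant to stay off, e.g. `# legacy algorithms presumably kept for compatibility; tls-compression and weak-ssl-ciphers weaken TLS, leave off unless a peer requires them`. TLS-level compression is the precondition for compression side-channel attacks on TLS, so an image build that enables it should be a deliberate, reviewed choice. The same applies to the identical list in openssl-3.5.4.ebuild.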
@@ -0,0 +1,297 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info sysroot toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == *9999 ]] ; then + [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + inherit verify-sig + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + #if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + # KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" + #fi + + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND+=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" 
+ else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. 
This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! 
+ # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi +} + +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. 
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + einfo "Running openssl fipsinstall" + LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ + sysroot_run_prefixed "${ED}/usr/bin/openssl" fipsinstall \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" \ + || die "fipsinstall failed" + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + 
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.1.ebuild new file mode 100644 index 00000000000..63fbdb12b30 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.1.ebuild 
@@ -0,0 +1,297 @@ +# Copyright 1999-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info sysroot toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == *9999 ]] ; then + [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + inherit verify-sig + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + #if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + # KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" + #fi + + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND+=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" 
+ else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. 
This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! 
+ # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi +} + +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. 
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + einfo "Running openssl fipsinstall" + LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ + sysroot_run_prefixed "${ED}/usr/bin/openssl" fipsinstall \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" \ + || die "fipsinstall failed" + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + 
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild similarity index 97% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.2.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild index ab2f92680e2..2de7e8ce8aa 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.2.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild @@ -27,7 +27,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" @@ -42,7 +42,7 @@ RESTRICT="!test? ( test )" COMMON_DEPEND=" !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + tls-compression? ( >=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND+=" >=dev-lang/perl-5 @@ -212,6 +212,9 @@ multilib_src_configure() { multilib_src_compile() { emake build_sw + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { From 957c56b5720dba71f9713f15e87989ad05725bc9 Mon Sep 17 00:00:00 2001 
From: Mathieu Tortuyaux
Date: Wed, 28 Jan 2026 10:00:42 +0100
Subject: [PATCH 155/213] package.mask: make sure we stay on openssl-3.4.x for this channel
Signed-off-by: Mathieu Tortuyaux
---
 .../coreos-overlay/profiles/coreos/base/package.mask | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
index 7cc46d5f00b..2aa9b2884b7 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
@@ -26,3 +26,7 @@
 # who knows.
 =sys-firmware/intel-microcode-20250512_p20250513
 =sys-firmware/intel-microcode-20250812_p20250813
+
+# Make sure that we stay on version 3.4.x for OpenSSL on this branch
+# even if `::portage-stable` holds more recent version (3.5.x)
+>=dev-libs/openssl-3.5
From a06c49c0145c55a7072b1e9d2adbab8c74910f82 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 28 Jan 2026 10:02:40 +0100
Subject: [PATCH 156/213] changelog: add openssl update
Signed-off-by: Mathieu Tortuyaux
---
 changelog/updates/2026-01-28-openssl.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/updates/2026-01-28-openssl.md
diff --git a/changelog/updates/2026-01-28-openssl.md b/changelog/updates/2026-01-28-openssl.md
new file mode 100644
index 00000000000..f7d8280c541
--- /dev/null
+++ b/changelog/updates/2026-01-28-openssl.md
@@ -0,0 +1 @@
+- OpenSSL ([3.4.4](https://github.com/openssl/openssl/blob/openssl-3.4/CHANGES.md#changes-between-343-and-344-27-jan-2026) (includes [3.4.3](https://github.com/openssl/openssl/blob/openssl-3.4/CHANGES.md#changes-between-342-and-343-30-sep-2025)))
From de95fb57286fcc49a504c77973e8e0fee8014e1f Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 29 Jan 2026 10:48:08 +0100
Subject: [PATCH 157/213] New version: stable-4459.2.3
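Review bot: The comment added above `>=dev-libs/openssl-3.5` in package.mask calls the newer versions "(3.5.x)", but the atom masks 3.5 and everything after it, which includes the 3.6.0 and 3.6.1 ebuilds that appear earlier in this series. Because the mask pins this channel to the 3.4 series, OpenSSL security fixes can only reach it as 3.4.x point releases, and the comment gives no condition for lifting the pin. I would reword it to `# Stay on OpenSSL 3.4.x on this branch: mask 3.5 and newer from ::portage-stable.` and add `# Revisit once the 3.4 series no longer receives upstream security fixes.`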
Signed-off-by: Mathieu Tortuyaux
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 2b7b0140d8c..b347a32be41 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260127-2100
+FLATCAR_VERSION=4459.2.3
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260127-2100"
+FLATCAR_BUILD_ID=""
 FLATCAR_SDK_VERSION=4459.0.0
From bbf4e630b415f81716a9d72cfe4d7410df483e06 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 29 Jan 2026 21:00:26 +0000
Subject: [PATCH 158/213] New version: stable-4459.2.3-nightly-20260129-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index b347a32be41..a05f981d65f 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3
+FLATCAR_VERSION=4459.2.3+nightly-20260129-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID=""
+FLATCAR_BUILD_ID="nightly-20260129-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 6ccd47181fa057d091b37e01215676e2c42807d4 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Thu, 5 Feb 2026 15:46:10 +0000
Subject: [PATCH 159/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 02e321579fb..f6b49bfd173 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-1f65cb1fb8d244a6714709b3534e223770474c29
+ghcr.io/flatcar/mantle:git-0bd9e02dd1ec47b1112392d54b30c9db2eb46fe4
From 363f2810702b71e17cba5c543dc9568451e0b1a5 Mon Sep 17 00:00:00 2001
From: Jordi Cid Sierra
Date: Tue, 3 Feb 2026 19:07:42 +0100
Subject: [PATCH 160/213] sys-kernel/coreos-modules: arm64: Enable CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE
Signed-off-by: Jordi Cid Sierra
Signed-off-by: Mathieu Tortuyaux
---
 changelog/changes/2026-02-4-enable-tracer-on-arm.md | 1 +
 .../sys-kernel/coreos-modules/files/commonconfig-6.12 | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelog/changes/2026-02-4-enable-tracer-on-arm.md
diff --git a/changelog/changes/2026-02-4-enable-tracer-on-arm.md b/changelog/changes/2026-02-4-enable-tracer-on-arm.md
new file mode 100644
index 00000000000..ce1994ee3a1
--- /dev/null
+++ b/changelog/changes/2026-02-4-enable-tracer-on-arm.md
@@ -0,0 +1 @@
+- Function tracer (ftrace) enabled in ARM64 builds. (Enables CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE for observability and security tools) ([flatcar/scripts#3685](https://github.com/flatcar/scripts/pull/3685))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
index efc937e08b8..f0b681209a1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
@@ -178,6 +178,7 @@ CONFIG_DRM_VIRTIO_GPU=m
 CONFIG_DST_CACHE=y
 CONFIG_DUMMY=m
 CONFIG_DYNAMIC_DEBUG=y
+CONFIG_DYNAMIC_FTRACE=y
 CONFIG_E100=m
 CONFIG_E1000=m
 CONFIG_E1000E=m
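Review bot: The subject line scopes this change to arm64, yet `CONFIG_DYNAMIC_FTRACE=y` in this hunk and `CONFIG_FUNCTION_TRACER=y` in the next hunk of the same file are added to `commonconfig-6.12`, which by its name appears to be shared across architectures. The commit message should state the effect on the other architectures, for example `amd64 already sets both options; adding them to commonconfig only changes arm64`, if that is the case. Function tracing also extends what a privileged user can instrument in the running kernel, while the changelog entry mentions only the benefit for observability and security tools; a sentence on who can reach tracefs on these images (not visible from this diff) would help operators assess the change. The other edits in the file only re-sort `CONFIG_FUSE_FS` and `CONFIG_VIRTIO_FS`.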
@@ -214,8 +215,9 @@ CONFIG_FSCACHE_STATS=y
 CONFIG_FS_DAX=y
 CONFIG_FS_ENCRYPTION=y
 CONFIG_FTRACE_SYSCALLS=y
-CONFIG_FUSE_FS=m
+CONFIG_FUNCTION_TRACER=y
 CONFIG_FUSE_DAX=y
+CONFIG_FUSE_FS=m
 CONFIG_FUSION=y
 CONFIG_FUSION_CTL=m
 CONFIG_FUSION_LOGGING=y
@@ -1006,12 +1008,12 @@ CONFIG_VIA_RHINE_MMIO=y
 CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 CONFIG_VIRTIO_MMIO=y
 CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
 CONFIG_VIRTIO_NET=m
 CONFIG_VIRTIO_PCI=y
-CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_VSOCKETS=m
 CONFIG_VIRT_DRIVERS=y
 CONFIG_VLAN_8021Q=m
From b9fc0cd9a9161d714559e94775fbd617f1617e95 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 5 Feb 2026 21:00:25 +0000
Subject: [PATCH 161/213] New version: stable-4459.2.3-nightly-20260205-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index a05f981d65f..4cc786f7583 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260129-2100
+FLATCAR_VERSION=4459.2.3+nightly-20260205-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260129-2100"
+FLATCAR_BUILD_ID="nightly-20260205-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From ee31b7ec905e2750cb9e3785961d3794440b837f Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 9 Feb 2026 21:00:40 +0000
Subject: [PATCH 162/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index f6b49bfd173..2466f1b0639 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-0bd9e02dd1ec47b1112392d54b30c9db2eb46fe4
+ghcr.io/flatcar/mantle:git-b3ddad1ab9390f23ab1028aa6feb4c6922ea03a8
From cc7fad081896fef469672b8a9ff0447566085fb7 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Tue, 10 Feb 2026 21:00:26 +0000
Subject: [PATCH 163/213] New version: stable-4459.2.3-nightly-20260210-2100
Signed-off-by: flatcar-ci
---
sdk_container/.repo/manifests/version.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 4cc786f7583..59ccc9ed8e9 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260205-2100
+FLATCAR_VERSION=4459.2.3+nightly-20260210-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260205-2100"
+FLATCAR_BUILD_ID="nightly-20260210-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 21fe1fe7e5252720c2957f874e83319543b85e62 Mon Sep 17 00:00:00 2001
From: Daniel Zatovic
Date: Wed, 5 Nov 2025 09:52:04 +0100
Subject: [PATCH 164/213] virtual/zlib: Add from Gentoo Gentoo is moving the zlib dependency from sys-libs/zlib to virtual/zlib to allow different zlib implementation (like zlib-ng). We need to pull this virtual dependency because erofs-utils depends on it.
Signed-off-by: Daniel Zatovic
Signed-off-by: Mathieu Tortuyaux
---
.../workflows/portage-stable-packages-list | 1 +
.../portage-stable/virtual/zlib/metadata.xml | 11 +++++++++
.../virtual/zlib/zlib-1.3.1-r1.ebuild | 18 +++++++++++++++
.../virtual/zlib/zlib-1.3.1.ebuild | 23 +++++++++++++++++++
4 files changed, 53 insertions(+)
create mode 100644 sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml
create mode 100644 sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild
create mode 100644 sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 7ea7b64a97d..71ee6b8ea03 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -744,6 +744,7 @@ virtual/service-manager virtual/ssh virtual/tmpfiles virtual/udev +virtual/zlib x11-drivers/nvidia-drivers diff --git a/sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml b/sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml new file mode 100644 index 00000000000..e2171ff9839 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml @@ -0,0 +1,11 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + include the minizip library for quick and dirty zip extraction + + diff --git a/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild new file mode 100644 index 00000000000..1ca59a8c388 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild @@ -0,0 +1,18 @@ +# Copyright 2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit multilib-build + +DESCRIPTION="Virtual for libz.so providers" +SLOT="0/1" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="static-libs" + +RDEPEND=" + || ( + >=sys-libs/zlib-1.3.1[${MULTILIB_USEDEP},static-libs?] + sys-libs/zlib-ng[${MULTILIB_USEDEP},compat,static-libs(-)?] + ) +" diff --git a/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild new file mode 100644 index 00000000000..75bff121845 --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild @@ -0,0 +1,23 @@ +# Copyright 2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit multilib-build + +DESCRIPTION="Virtual for libz.so providers" +SLOT="0/1" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="minizip static-libs" + +RDEPEND=" + || ( + >=sys-libs/zlib-1.3.1[${MULTILIB_USEDEP},minizip?,static-libs?] + ( + sys-libs/zlib-ng[${MULTILIB_USEDEP},compat,static-libs(-)?] + minizip? ( + sys-libs/minizip-ng[${MULTILIB_USEDEP},compat,static-libs(-)?] + ) + ) + ) +" From 88fb9329283aa31c3bc5b81cb26d1f784a3c2fd2 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 13 Oct 2025 07:11:37 +0000 Subject: [PATCH 165/213] net-misc/openssh: Sync with Gentoo It's from Gentoo commit fff6fa33d9c2e7a3c136031b5e24ee069f784b1a. Signed-off-by: Flatcar Buildbot 
Signed-off-by: Mathieu Tortuyaux --- .../portage-stable/net-misc/openssh/Manifest | 4 + ...0001-upstream-fix-out-of-bounds-read.patch | 41 ++ ...tream-fix-mistracking-of-MaxStartups.patch | 94 ++++ ...euse-c-isatty-for-signalling-that-th.patch | 76 +++ .../0002-Add-clock_gettime-compat-shim.patch | 69 +++ ...-native-host-keys-for-hostbased-test.patch | 27 ++ ...ST-if-the-remote-host-is-not-UNKNOWN.patch | 32 ++ .../0005-Add-fcntl.h-to-includes.patch | 29 ++ ...for-sshkeys-if-mmap-is-not-supported.patch | 68 +++ ...x-detection-of-setres-id-on-GNU-Hurd.patch | 36 ++ ...002-Add-9.8-branch-to-ci-status-page.patch | 30 ++ ...ast-to-sockaddr-in-systemd-interface.patch | 29 ++ ...ct-keyword-from-Yatao-Su-via-GHPR509.patch | 29 ++ ...support-sntrup761x25519-sha512-alias.patch | 250 ++++++++++ ...-back-out-unrelated-manpages-changes.patch | 206 +++++++++ ...n-sntrup761x25519-sha512-in-manpages.patch | 48 ++ .../files/9.9_p1/0001-fix-utmpx-ifdef.patch | 39 -- ...-construct_utmp-when-USE_BTMP-is-set.patch | 40 -- .../0003-gss-serv.c-needs-sys-param.h.patch | 30 -- ...ression-introduced-when-I-switched-t.patch | 296 ------------ ...vious-change-to-ssh_config-Match-whi.patch | 70 --- ...KEM768x25519-KEX-on-big-endian-syste.patch | 99 ---- ...upstream-explicitly-include-endian.h.patch | 37 -- ...e64-etc-for-systems-without-endian.h.patch | 66 --- ...le32toh-le64toh-htole64-individually.patch | 87 ++++ ...e-autoconf-files-for-endian.h-change.patch | 118 +++++ ...ild-config-files-if-Makefile-changes.patch | 30 ++ ...uiltin_popcount-replacement-function.patch | 92 ++++ ...SourcePenalty-incorrectly-using-cras.patch | 32 ++ ...006-regenerate-configure-config.h.in.patch | 80 ++++ ...aches-for-DNS-names-needed-for-tests.patch | 44 ++ ...nners-are-deprecated-replace-with-15.patch | 41 ++ ...-redundant-field-of-definition-check.patch | 51 +++ ...f-dbclient-supports-SHA1-before-tryi.patch | 64 +++ .../files/openssh-9.8_p1-musl-connect.patch | 14 - ...h-9.9_p2.ebuild => 
openssh-10.0_p2.ebuild} | 34 +- .../openssh/openssh-10.1_p1-r1.ebuild | 432 ++++++++++++++++++ .../net-misc/openssh/openssh-10.2_p1.ebuild | 432 ++++++++++++++++++ ..._p1-r3.ebuild => openssh-9.8_p1-r4.ebuild} | 3 +- ..._p2-r3.ebuild => openssh-9.9_p2-r4.ebuild} | 2 +- 40 files changed, 2592 insertions(+), 709 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch create mode 100644 
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch create mode 100644 
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch rename sdk_container/src/third_party/portage-stable/net-misc/openssh/{openssh-9.9_p2.ebuild => openssh-10.0_p2.ebuild} (95%) create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild rename sdk_container/src/third_party/portage-stable/net-misc/openssh/{openssh-9.8_p1-r3.ebuild => openssh-9.8_p1-r4.ebuild} (99%) rename 
sdk_container/src/third_party/portage-stable/net-misc/openssh/{openssh-9.9_p2-r3.ebuild => openssh-9.9_p2-r4.ebuild} (99%) diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest b/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest index 84b8056e360..0445960d520 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest 
@@ -1,5 +1,9 @@ DIST openssh-10.0p1.tar.gz 1972675 BLAKE2B 4ce353adf75aade8f4b2a223ad13e2f92cd23d1e60b4ee52bad0eaf036571229438cd9760dfa99c0e10fa09a8ac47b2bfb04eb183fb7b9287ac564ec75316a75 SHA512 2daa1fcf95793b23810142077e68ddfabdf3732b207ef4f033a027f72d733d0e9bcdb6f757e7f3a5934b972de05bfaae3baae381cfc7a400cd8ab4d4e277a0ed DIST openssh-10.0p1.tar.gz.asc 833 BLAKE2B 105fd1238c9923719fb7fcbafa55806e2e5053095422b95193438d4c536d1f3bae04a1fc674fe1fee8bc14abaa5ea41c4d25134f4fe677cdf1d761c009246f0c SHA512 6ab9deb4233ff159e55a18c9fc07d5ff8a41723dad74aa3d803e1476b585f5662aba34f8a7a1f5fe1d248f3ff3cd663f2c2fb8e399c6a4723b6215b0eb423d13 +DIST openssh-10.1p1.tar.gz 1972831 BLAKE2B 08864c9302935cde87eec9d736a90b0bcf23220349bf77cc177459715c567b6178722e9e5d8eea3d55eddb49fef09c187e0895e72236aede397e67674e10cd31 SHA512 9b88ac5b84461a0d4f6022b4dee294964487ea36d5ba5cb9c35d2edcba49a687c609ea30f272ebf924270a025cf2cd82677d0917e5d37334534cd5bee93452d9 +DIST openssh-10.1p1.tar.gz.asc 833 BLAKE2B c9df62728276464926ac7d28d54dd23a42bef150a9f64bfec14278d0e1817a876ee76b3329aca863997107bb8d4d43a694643f730249d9940d967b4c2a18fed3 SHA512 a4082bf8526d60094b5a3207995793c44448833b1cdd7ec91f04554fd8bddc1df3b45ee9ffe42de3bfc72d4968808834e289159e3c96f031e09a78da844641ae +DIST openssh-10.2p1.tar.gz 1974519 BLAKE2B 8c031b10b1642e21b46f7d1db84ba42692e378a54af3d8e5b5c8706c3a0a06d442a02ed8803063121e7ff325ea275cad4432b9eaa6a7f47a4d7cfad504953ab6 SHA512 66f3dd646179e71aaf41c33b6f14a207dc873d71d24f11c130a89dee317ee45398b818e5b94887b5913240964a38630d7bca3e481e0f1eff2e41d9e1cfdbdfc5 +DIST openssh-10.2p1.tar.gz.asc 833 BLAKE2B 34e1a697e9565f5d4e8139537e76e123512285662576f6f2b513ba129d5e42310c1997e70d7c69b2c4fe1c85f9323ef686b8f83f12a73c5a4f229ff855efd7c6 SHA512 f1f71700b1b0b2117aed505488b98b7ebb51ce26e53184b08df0b07aa2c5a1e54dc4d3cbcbe871b5ad849a2a0e22b02af318ff22a68c980ab53b04be03c9bf3c DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 
3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7 DIST openssh-9.9p2.tar.gz 1944499 BLAKE2B 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d SHA512 4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278 diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch new file mode 100644 index 00000000000..7cbeb90f3ba --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch 
@@ -0,0 +1,41 @@ +https://github.com/openssh/openssh-portable/commit/4b1f172fe91c253d09d75650981a3e0c87651fa3 + +From 4b1f172fe91c253d09d75650981a3e0c87651fa3 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 30 Apr 2025 05:23:15 +0000 +Subject: [PATCH] upstream: fix a out-of-bounds read if the known_hosts file is + +truncated after the hostname. + +Reported by the OpenAI Security Research Team + +ok deraadt@ + +OpenBSD-Commit-ID: c0b516d7c80c4779a403826f73bcd8adbbc54ebd +--- + hostfile.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/hostfile.c b/hostfile.c +index c5669c70373..a4a5a9a5e3a 100644 +--- a/hostfile.c ++++ b/hostfile.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: hostfile.c,v 1.95 2023/02/21 06:48:18 dtucker Exp $ */ ++/* $OpenBSD: hostfile.c,v 1.96 2025/04/30 05:23:15 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -810,6 +810,12 @@ hostkeys_foreach_file(const char *path, FILE *f, hostkeys_foreach_fn *callback, + /* Find the end of the host name portion. */ + for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++) + ; ++ if (*cp2 == '\0') { ++ verbose_f("truncated line at %s:%lu", path, linenum); ++ if ((options & HKF_WANT_MATCH) == 0) ++ goto bad; ++ continue; ++ } + lineinfo.hosts = cp; + *cp2++ = '\0'; + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch new file mode 100644 index 00000000000..17a9b842810 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch 
@@ -0,0 +1,94 @@ +https://github.com/openssh/openssh-portable/commit/78af391990b210ae0797c37c30719232cda61fef + +From 78af391990b210ae0797c37c30719232cda61fef Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 4 Jul 2025 09:51:01 +0000 +Subject: [PATCH] upstream: Fix mistracking of MaxStartups process exits in + some + +situations. At worst, this can cause all MaxStartups slots to fill and sshd +to refuse new connections. + +Diagnosis by xnor; ok dtucker@ + +OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d +--- + sshd.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/sshd.c b/sshd.c +index 4a93e29e4c0..d721a5de36a 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -289,8 +289,10 @@ child_finish(struct early_child *child) + { + if (children_active == 0) + fatal_f("internal error: children_active underflow"); +- if (child->pipefd != -1) ++ if (child->pipefd != -1) { ++ srclimit_done(child->pipefd); + close(child->pipefd); ++ } + sshbuf_free(child->config); + sshbuf_free(child->keys); + free(child->id); +@@ -311,6 +313,7 @@ child_close(struct early_child *child, int force_final, int quiet) + if (!quiet) + debug_f("enter%s", force_final ? 
" (forcing)" : ""); + if (child->pipefd != -1) { ++ srclimit_done(child->pipefd); + close(child->pipefd); + child->pipefd = -1; + } +@@ -1039,7 +1042,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, + if (ret <= 0) { + if (children[i].early) + listening--; +- srclimit_done(children[i].pipefd); + child_close(&(children[i]), 0, 0); + continue; + } +@@ -1078,23 +1080,19 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, + } + /* FALLTHROUGH */ + case 0: +- /* child exited preauth */ ++ /* child closed pipe */ + if (children[i].early) + listening--; +- srclimit_done(children[i].pipefd); ++ debug3_f("child %lu for %s closed pipe", ++ (long)children[i].pid, children[i].id); + child_close(&(children[i]), 0, 0); + break; + case 1: + if (children[i].config) { + error_f("startup pipe %d (fd=%d)" +- " early read", i, children[i].pipefd); +- if (children[i].early) +- listening--; +- if (children[i].pid > 0) +- kill(children[i].pid, SIGTERM); +- srclimit_done(children[i].pipefd); +- child_close(&(children[i]), 0, 0); +- break; ++ " early read", ++ i, children[i].pipefd); ++ goto problem_child; + } + if (children[i].early && c == '\0') { + /* child has finished preliminaries */ +@@ -1114,6 +1112,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, + "child %ld for %s in state %d", + (int)c, (long)children[i].pid, + children[i].id, children[i].early); ++ problem_child: ++ if (children[i].early) ++ listening--; ++ if (children[i].pid > 0) ++ kill(children[i].pid, SIGTERM); ++ child_close(&(children[i]), 0, 0); + } + break; + } + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch new file mode 100644 index 00000000000..6ba29a219cb --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch 
@@ -0,0 +1,76 @@ +From 979cbc2c1e0c9cd2f60d45d8d1da69519ec425cf Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 7 Oct 2025 08:02:32 +0000 +Subject: [PATCH 1/6] upstream: don't reuse c->isatty for signalling that the + remote channel + +has a tty attached as this causes side effects, e.g. in channel_handle_rfd(). +bz3872 + +ok markus@ + +OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8 +--- + channels.c | 9 +++++---- + channels.h | 3 ++- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/channels.c b/channels.c +index f1d7bcf34..80014ff34 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c) + { + struct ssh_channels *sc = ssh->chanctxt; + const char *type = c->xctype == NULL ? c->ctype : c->xctype; +- const char *classifier = c->isatty ? ++ const char *classifier = (c->isatty || c->remote_has_tty) ? + sc->bulk_classifier_tty : sc->bulk_classifier_notty; + + c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1; +@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, + void + channel_set_tty(struct ssh *ssh, Channel *c) + { +- c->isatty = 1; ++ c->remote_has_tty = 1; + channel_classify(ssh, c); + } + +@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c) + c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, + c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id, + c->io_want, c->io_ready, +- c->isatty ? "T" : "", c->bulk ? "B" : "I"); ++ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""), ++ c->bulk ? 
"B" : "I"); + return ret; + } + +diff --git a/channels.h b/channels.h +index df7c7f364..7456541f8 100644 +--- a/channels.h ++++ b/channels.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */ + + /* + * Author: Tatu Ylonen +@@ -145,6 +145,7 @@ struct Channel { + int ctl_chan; /* control channel (multiplexed connections) */ + uint32_t ctl_child_id; /* child session for mux controllers */ + int have_ctl_child_id;/* non-zero if ctl_child_id is valid */ ++ int remote_has_tty; /* remote side has a tty */ + int isatty; /* rfd is a tty */ + #ifdef _AIX + int wfd_isatty; /* wfd is a tty */ +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch new file mode 100644 index 00000000000..1c23ababbac --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch 
@@ -0,0 +1,69 @@ +From 28a2788d609efe363b403432b08511c801d13667 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Tue, 7 Oct 2025 20:04:40 +1100 +Subject: [PATCH 2/6] Add clock_gettime compat shim. + +This fixes the build on macOS prior to 10.12 Sierra, since it does not +have it. Found and tested by Sevan Janiyan. +--- + openbsd-compat/bsd-misc.c | 24 ++++++++++++++++++++++++ + openbsd-compat/bsd-misc.h | 8 ++++++++ + 2 files changed, 32 insertions(+) + +diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c +index 983cd3fe6..2c196ec23 100644 +--- a/openbsd-compat/bsd-misc.c ++++ b/openbsd-compat/bsd-misc.c +@@ -494,6 +494,30 @@ localtime_r(const time_t *timep, struct tm *result) + } + #endif + ++#ifndef HAVE_CLOCK_GETTIME ++int ++clock_gettime(clockid_t clockid, struct timespec *ts) ++{ ++ struct timeval tv; ++ ++ if (clockid != CLOCK_REALTIME) { ++ errno = ENOSYS; ++ return -1; ++ } ++ if (ts == NULL) { ++ errno = EFAULT; ++ return -1; ++ } ++ ++ if (gettimeofday(&tv, NULL) == -1) ++ return -1; ++ ++ ts->tv_sec = tv.tv_sec; ++ ts->tv_nsec = (long)tv.tv_usec * 1000; ++ return 0; ++} ++#endif ++ + #ifdef ASAN_OPTIONS + const char *__asan_default_options(void) { + return ASAN_OPTIONS; +diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h +index 2ad89cd83..8495f471c 100644 +--- a/openbsd-compat/bsd-misc.h ++++ b/openbsd-compat/bsd-misc.h +@@ -202,6 +202,14 @@ int flock(int, int); + struct tm *localtime_r(const time_t *, struct tm *); + #endif + ++#ifndef HAVE_CLOCK_GETTIME ++typedef int clockid_t; ++#ifndef CLOCK_REALTIME ++# define CLOCK_REALTIME 0 ++#endif ++int clock_gettime(clockid_t, struct timespec *); ++#endif ++ + #ifndef HAVE_REALPATH + #define realpath(x, y) (sftp_realpath((x), (y))) + #endif +-- +2.51.0 + 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch new file mode 100644 index 00000000000..e863233a290 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch @@ -0,0 +1,27 @@ +From aefeee5bedcf117aa9278014eda5f099b5898a10 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Tue, 7 Oct 2025 20:10:56 +1100 +Subject: [PATCH 3/6] Don't copy native host keys for hostbased test. + +Some github runners (notably macos-14) seem to have host keys where +public and private do not match, so generate our own keys for testing +purposes. +--- + .github/run_test.sh | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/.github/run_test.sh b/.github/run_test.sh +index aac9ce579..33c90ac29 100755 +--- a/.github/run_test.sh ++++ b/.github/run_test.sh +@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then + hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null + echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null + $SUDO mkdir -p $sshconf +- $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf + $SUDO make install + for key in $sshconf/ssh_host*key*.pub; do + echo `hostname` `cat $key` | \ +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch new file mode 100644 index 00000000000..001280ab9c8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch 
@@ -0,0 +1,32 @@ +From acb690b499e0ec2ce37869c26133615762f53cab Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 20 Mar 2023 20:22:14 +0100 +Subject: [PATCH 4/6] Only set PAM_RHOST if the remote host is not "UNKNOWN" + +When using sshd's -i option with stdio that is not a AF_INET/AF_INET6 +socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then +set as the value of PAM_RHOST, causing pam to try to do a reverse DNS +query of "UNKNOWN", which times out multiple times, causing a +substantial slowdown when logging in. + +To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN". +--- + auth-pam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth-pam.c b/auth-pam.c +index 5dee7601b..5591f094e 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -758,7 +758,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt) + sshpam_laddr = get_local_ipaddr( + ssh_packet_get_connection_in(ssh)); + } +- if (sshpam_rhost != NULL) { ++ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) { + debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); + sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, + sshpam_rhost); +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch new file mode 100644 index 00000000000..0874978ee8e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch 
@@ -0,0 +1,29 @@ +From 9f0dd9505db695aab1148a977e2668666ad4d177 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Tue, 7 Oct 2025 20:25:07 +1100 +Subject: [PATCH 5/6] Add fcntl.h to includes. + +From FreeBSD via bz#3874: "This was previously included due to nested +includes in Heimdal's headers. Without this, the build fails with an +error due to redefining AT_FDCWD." +--- + includes.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/includes.h b/includes.h +index 8f933568d..96cddbc26 100644 +--- a/includes.h ++++ b/includes.h +@@ -34,6 +34,9 @@ + #ifdef HAVE_ENDIAN_H + # include + #endif ++#ifdef HAVE_FCNTL_H ++# include ++#endif + #ifdef HAVE_TTYENT_H + # include + #endif +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch new file mode 100644 index 00000000000..4a952738d5b --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch 
@@ -0,0 +1,68 @@
+From fabf4cd14108a60d9486f38ae58694d615592bc9 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Tue, 7 Oct 2025 21:07:05 +1100
+Subject: [PATCH 6/6] Use calloc for sshkeys if mmap is not supported.
+
+Based on Github PR#597 from Mike Frysinger, any bugs added by me.
+---
+ configure.ac | 2 ++
+ sshkey.c | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 3eb6d4697..98f2e3e1c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -536,6 +536,7 @@ AC_CHECK_HEADERS([ \
+ nlist.h \
+ poll.h \
+ stdint.h \
++ sys/mmap.h \
+ sys/stat.h \
+ sys/time.h \
+ sys/un.h \
+@@ -2103,6 +2104,7 @@ AC_CHECK_FUNCS([ \
+ memmove \
+ memset_s \
+ mkdtemp \
++ mmap \
+ ngetaddrinfo \
+ nlist \
+ nsleep \
+diff --git a/sshkey.c b/sshkey.c
+index e17e929e0..206b72921 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -723,6 +723,7 @@ sshkey_sk_cleanup(struct sshkey *k)
+ static int
+ sshkey_prekey_alloc(u_char **prekeyp, size_t len)
+ {
++#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
+ u_char *prekey;
+
+ *prekeyp = NULL;
+@@ -734,14 +735,21 @@ sshkey_prekey_alloc(u_char **prekeyp, size_t len)
+ #endif
+ *prekeyp = prekey;
+ return 0;
++#else
++ *prekeyp = calloc(1, len);
++#endif /* HAVE_MMAP et al */
+ }
+
+ static void
+ sshkey_prekey_free(void *prekey, size_t len)
+ {
++#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
+ if (prekey == NULL)
+ return;
+ munmap(prekey, len);
++#else
++ free(prekey);
++#endif /* HAVE_MMAP et al */
+ }
+
+ static void
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch
new file mode 100644
index 00000000000..1001988825a
--- /dev/null
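Review bot: In the `#else` branch of sshkey_prekey_alloc(), which is declared `static int`, the calloc() result is stored and control then falls off the end of the function without a return value, so the caller reads an indeterminate status and an allocation failure is never reported. The fallback should read `if ((*prekeyp = calloc(1, len)) == NULL) return SSH_ERR_ALLOC_FAIL;` followed by `return 0;`. In sshkey_prekey_free() the fallback `free(prekey)` ignores `len` and leaves the prekey bytes in freed heap memory; `freezero(prekey, len);` would wipe them on release, unless the callers (outside the hunk) already clear the buffer. Separately, the configure.ac hunk probes for `sys/mmap.h` while mmap() is declared in `sys/mman.h`, which looks like a typo, although the visible sshkey.c code only tests `HAVE_MMAP`, `MAP_ANON` and `MAP_PRIVATE`.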
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch
@@ -0,0 +1,36 @@
+From 20950a7c047ca08f9317d27866c06587ed51a338 Mon Sep 17 00:00:00 2001
+Message-ID: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: Samuel Thibault
+Date: Tue, 26 Mar 2024 22:15:08 +0100
+Subject: [PATCH 1/7] Fix detection of setres*id on GNU/Hurd
+
+Like Linux, proper _SOURCE macros need to be set to get declarations of
+various standard functions, notably setres*id. Now that Debian is using
+-Werror=implicit-function-declaration this is really required. While at
+it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses
+the same glibc.
+---
+ configure.ac | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 5a865f8e1..2eede34c3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1348,6 +1348,13 @@ EOD
+ AC_DEFINE([BROKEN_SETVBUF], [1],
+ [LynxOS has broken setvbuf() implementation])
+ ;;
++*-*-gnu*)
++ dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries.
++ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
++ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
++ dnl _GNU_SOURCE is needed for setres*id prototypes.
++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
++ ;;
+ esac
+
+ AC_MSG_CHECKING([compiler and flags for sanity])
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch
new file mode 100644
index 00000000000..cc74ec2d304
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch
@@ -0,0 +1,30 @@
+From 34f7a962f992a43e33b5b6e2dd71f1582433d551 Mon Sep 17 00:00:00 2001
+Message-ID: <34f7a962f992a43e33b5b6e2dd71f1582433d551.1758727870.git.sam@gentoo.org>
+In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: Darren Tucker
+Date: Thu, 4 Jul 2024 20:12:26 +1000
+Subject: [PATCH 2/7] Add 9.8 branch to ci-status page.
+
+---
+ .github/ci-status.md | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/.github/ci-status.md b/.github/ci-status.md
+index fbf7c5fd6..4fa73894c 100644
+--- a/.github/ci-status.md
++++ b/.github/ci-status.md
+@@ -6,6 +6,10 @@ master :
+ [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
+ [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
+
++9.8 :
++[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
++[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
++
+ 9.7 :
+ [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
+ [![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch
new file mode 100644
index 00000000000..aa7d593abf9
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,29 @@
+From b35a64dd7d5278af859ff8cca1fbe42d2c308ac0 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: Darren Tucker
+Date: Sun, 7 Jul 2024 18:46:19 +1000
+Subject: [PATCH 3/7] Cast to sockaddr * in systemd interface.
+
+Fixes build with musl libx. bz#3707.
+---
+ openbsd-compat/port-linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4c024c6d2..8adfec5a7 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
+ error_f("socket \"%s\": %s", path, strerror(errno));
+ goto out;
+ }
+- if (connect(fd, &addr, sizeof(addr)) != 0) {
++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
+ goto out;
+ }
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch
new file mode 100644
index 00000000000..7d236829a55
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch
@@ -0,0 +1,29 @@
+From c21fc9d953f6d858ea0a9d7da38359d2eb397ed0 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: "djm@openbsd.org"
+Date: Wed, 10 Jul 2024 21:58:34 +0000
+Subject: [PATCH 4/7] upstream: correct keyword; from Yatao Su via GHPR509
+
+OpenBSD-Commit-ID: 81c778c76dea7ef407603caa157eb0c381c52ad2
+---
+ sshd_config.5 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sshd_config.5 b/sshd_config.5
+index 1ab0f41d9..ce872de52 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1586,7 +1586,7 @@ accumulated.
+ .Pp
+ Penalties are enabled by default with the default settings listed below
+ but may disabled using the
+-.Cm off
++.Cm no
+ keyword.
+ The defaults may be overridden by specifying one or more of the keywords below,
+ separated by whitespace.
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch
new file mode 100644
index 00000000000..d61a90605d2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch
@@ -0,0 +1,250 @@ +From 26f73db15e0eee558a11b42a9d794d78c87dd11e Mon Sep 17 00:00:00 2001 +Message-ID: <26f73db15e0eee558a11b42a9d794d78c87dd11e.1758727870.git.sam@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: Damien Miller +Date: Mon, 11 Aug 2025 16:40:24 +1000 +Subject: [PATCH 5/7] support sntrup761x25519-sha512 alias + +OpenSSH 9.8 supports the sntrup761x25519-sha512@openssh.com +key agreement algorithm. As part of standardisation, this algorithm +has been assigned the name sntrup761x25519-sha512. + +This commit enables the existing algorithm under this new name. +--- + configure | 3 +++ + kex-names.c | 2 ++ + kex.h | 1 + + moduli.0 | 2 +- + myproposal.h | 1 + + scp.0 | 2 +- + sftp-server.0 | 2 +- + sftp.0 | 2 +- + ssh-add.0 | 2 +- + ssh-agent.0 | 2 +- + ssh-keygen.0 | 2 +- + ssh-keyscan.0 | 2 +- + ssh-keysign.0 | 2 +- + ssh-pkcs11-helper.0 | 2 +- + ssh-sk-helper.0 | 2 +- + ssh.0 | 2 +- + ssh_config.0 | 2 +- + sshd.0 | 2 +- + sshd_config.0 | 6 +++--- + 19 files changed, 24 insertions(+), 17 deletions(-) + +diff --git a/configure b/configure +index 07d19fd30..32e38c4cb 100755 +--- a/configure ++++ b/configure +@@ -13317,6 +13317,9 @@ EOD + printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h + + ;; ++*-*-gnu*) ++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" ++ ;; + esac + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 +diff --git a/kex-names.c b/kex-names.c +index 339eb1c23..1869b8ee1 100644 +--- a/kex-names.c ++++ b/kex-names.c +@@ -77,6 +77,8 @@ static const struct kexalg kexalgs[] = { + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + #ifdef USE_SNTRUP761X25519 ++ { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, ++ 
SSH_DIGEST_SHA512 }, + { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, + #endif +diff --git a/kex.h b/kex.h +index 34665eb20..ed22b929f 100644 +--- a/kex.h ++++ b/kex.h +@@ -63,6 +63,7 @@ + #define KEX_CURVE25519_SHA256 "curve25519-sha256" + #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org" + #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512@openssh.com" ++#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" + + #define COMP_NONE 0 + /* pre-auth compression (COMP_ZLIB) is only supported in the client */ +diff --git a/moduli.0 b/moduli.0 +index 057a018ef..90700a16f 100644 +--- a/moduli.0 ++++ b/moduli.0 +@@ -71,4 +71,4 @@ STANDARDS + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. + +-OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 +diff --git a/myproposal.h b/myproposal.h +index ee6e9f741..0528cd783 100644 +--- a/myproposal.h ++++ b/myproposal.h +@@ -25,6 +25,7 @@ + */ + + #define KEX_SERVER_KEX \ ++ "sntrup761x25519-sha512," \ + "sntrup761x25519-sha512@openssh.com," \ + "curve25519-sha256," \ + "curve25519-sha256@libssh.org," \ +diff --git a/scp.0 b/scp.0 +index e098ddf55..85d5f83d5 100644 +--- a/scp.0 ++++ b/scp.0 +@@ -229,4 +229,4 @@ CAVEATS + requires careful quoting of any characters that have special meaning to + the remote shell, such as quote characters. + +-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +diff --git a/sftp-server.0 b/sftp-server.0 +index 23fdda399..273b69908 100644 +--- a/sftp-server.0 ++++ b/sftp-server.0 +@@ -95,4 +95,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 ++OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 +diff --git a/sftp.0 b/sftp.0 +index c6a9e60c4..0476733c1 100644 +--- a/sftp.0 ++++ b/sftp.0 +@@ -435,4 +435,4 @@ SEE ALSO + T. Ylonen and S. 
Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. + +-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +diff --git a/ssh-add.0 b/ssh-add.0 +index 30eed6672..20f1a88e2 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 +@@ -206,4 +206,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-agent.0 b/ssh-agent.0 +index 2e4ef7b6e..238fa54e2 100644 +--- a/ssh-agent.0 ++++ b/ssh-agent.0 +@@ -137,4 +137,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 ++OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 +diff --git a/ssh-keygen.0 b/ssh-keygen.0 +index a731a7fa8..13b032f46 100644 +--- a/ssh-keygen.0 ++++ b/ssh-keygen.0 +@@ -904,4 +904,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 +index 110399094..cf0962c82 100644 +--- a/ssh-keyscan.0 ++++ b/ssh-keyscan.0 +@@ -120,4 +120,4 @@ AUTHORS + Davison added support for protocol version + 2. 
+ +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-keysign.0 b/ssh-keysign.0 +index 577955d1b..ff3305809 100644 +--- a/ssh-keysign.0 ++++ b/ssh-keysign.0 +@@ -47,4 +47,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 +index 564587259..4b1cb8d7d 100644 +--- a/ssh-pkcs11-helper.0 ++++ b/ssh-pkcs11-helper.0 +@@ -32,4 +32,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 +index ea2117abd..4abc5e8a0 100644 +--- a/ssh-sk-helper.0 ++++ b/ssh-sk-helper.0 +@@ -31,4 +31,4 @@ HISTORY + AUTHORS + Damien Miller + +-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +diff --git a/ssh.0 b/ssh.0 +index 78863b1b0..9c34e3e6e 100644 +--- a/ssh.0 ++++ b/ssh.0 +@@ -1016,4 +1016,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 +diff --git a/ssh_config.0 b/ssh_config.0 +index ef6c0936a..f9a82781b 100644 +--- a/ssh_config.0 ++++ b/ssh_config.0 +@@ -1428,4 +1428,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/sshd.0 b/sshd.0 +index c7de2d311..eac127dcf 100644 +--- a/sshd.0 ++++ b/sshd.0 +@@ -682,4 +682,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/sshd_config.0 b/sshd_config.0 +index 6883dda4b..ca030fcca 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -950,8 +950,8 @@ DESCRIPTION + accumulated. 
+ + Penalties are enabled by default with the default settings listed +- below but may disabled using the off keyword. The defaults may +- be overridden by specifying one or more of the keywords below, ++ below but may disabled using the no keyword. The defaults may be ++ overridden by specifying one or more of the keywords below, + separated by whitespace. All keywords accept arguments, e.g. + "crash:2m". + +@@ -1390,4 +1390,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch new file mode 100644 index 00000000000..f5ca5ebacf0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch 
@@ -0,0 +1,206 @@ +From d1460a177431d034248b62b36240f634482e48de Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: Damien Miller +Date: Wed, 13 Aug 2025 09:19:53 +1000 +Subject: [PATCH 6/7] back out unrelated manpages changes + +spotted by Colin Wilson +--- + configure | 3 --- + moduli.0 | 2 +- + scp.0 | 2 +- + sftp-server.0 | 2 +- + sftp.0 | 2 +- + ssh-add.0 | 2 +- + ssh-agent.0 | 2 +- + ssh-keygen.0 | 2 +- + ssh-keyscan.0 | 2 +- + ssh-keysign.0 | 2 +- + ssh-pkcs11-helper.0 | 2 +- + ssh-sk-helper.0 | 2 +- + ssh.0 | 2 +- + ssh_config.0 | 2 +- + sshd.0 | 2 +- + sshd_config.0 | 6 +++--- + 16 files changed, 17 insertions(+), 20 deletions(-) + +diff --git a/configure b/configure +index 32e38c4cb..07d19fd30 100755 +--- a/configure ++++ b/configure +@@ -13317,9 +13317,6 @@ EOD + printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h + + ;; +-*-*-gnu*) +- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" +- ;; + esac + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 +diff --git a/moduli.0 b/moduli.0 +index 90700a16f..057a018ef 100644 +--- a/moduli.0 ++++ b/moduli.0 +@@ -71,4 +71,4 @@ STANDARDS + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. + +-OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 ++OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 +diff --git a/scp.0 b/scp.0 +index 85d5f83d5..e098ddf55 100644 +--- a/scp.0 ++++ b/scp.0 +@@ -229,4 +229,4 @@ CAVEATS + requires careful quoting of any characters that have special meaning to + the remote shell, such as quote characters. 
+ +-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 ++OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 +diff --git a/sftp-server.0 b/sftp-server.0 +index 273b69908..23fdda399 100644 +--- a/sftp-server.0 ++++ b/sftp-server.0 +@@ -95,4 +95,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 ++OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 +diff --git a/sftp.0 b/sftp.0 +index 0476733c1..c6a9e60c4 100644 +--- a/sftp.0 ++++ b/sftp.0 +@@ -435,4 +435,4 @@ SEE ALSO + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. + +-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 ++OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 +diff --git a/ssh-add.0 b/ssh-add.0 +index 20f1a88e2..30eed6672 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 +@@ -206,4 +206,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-agent.0 b/ssh-agent.0 +index 238fa54e2..2e4ef7b6e 100644 +--- a/ssh-agent.0 ++++ b/ssh-agent.0 +@@ -137,4 +137,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 ++OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 +diff --git a/ssh-keygen.0 b/ssh-keygen.0 +index 13b032f46..a731a7fa8 100644 +--- a/ssh-keygen.0 ++++ b/ssh-keygen.0 +@@ -904,4 +904,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 +index cf0962c82..110399094 100644 +--- a/ssh-keyscan.0 ++++ b/ssh-keyscan.0 +@@ -120,4 +120,4 @@ AUTHORS + Davison added support for protocol version + 2. 
+ +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-keysign.0 b/ssh-keysign.0 +index ff3305809..577955d1b 100644 +--- a/ssh-keysign.0 ++++ b/ssh-keysign.0 +@@ -47,4 +47,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 +index 4b1cb8d7d..564587259 100644 +--- a/ssh-pkcs11-helper.0 ++++ b/ssh-pkcs11-helper.0 +@@ -32,4 +32,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 ++OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 +diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 +index 4abc5e8a0..ea2117abd 100644 +--- a/ssh-sk-helper.0 ++++ b/ssh-sk-helper.0 +@@ -31,4 +31,4 @@ HISTORY + AUTHORS + Damien Miller + +-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 ++OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 +diff --git a/ssh.0 b/ssh.0 +index 9c34e3e6e..78863b1b0 100644 +--- a/ssh.0 ++++ b/ssh.0 +@@ -1016,4 +1016,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 +diff --git a/ssh_config.0 b/ssh_config.0 +index f9a82781b..ef6c0936a 100644 +--- a/ssh_config.0 ++++ b/ssh_config.0 +@@ -1428,4 +1428,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/sshd.0 b/sshd.0 +index eac127dcf..c7de2d311 100644 +--- a/sshd.0 ++++ b/sshd.0 +@@ -682,4 +682,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/sshd_config.0 b/sshd_config.0 +index ca030fcca..6883dda4b 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -950,8 +950,8 @@ DESCRIPTION + accumulated. 
+ + Penalties are enabled by default with the default settings listed +- below but may disabled using the no keyword. The defaults may be +- overridden by specifying one or more of the keywords below, ++ below but may disabled using the off keyword. The defaults may ++ be overridden by specifying one or more of the keywords below, + separated by whitespace. All keywords accept arguments, e.g. + "crash:2m". + +@@ -1390,4 +1390,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch new file mode 100644 index 00000000000..d9a7a0143d9 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch 
@@ -0,0 +1,48 @@
+From a38b48e77ccfe9528dd4a8516c114950fa7a111d Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: Damien Miller
+Date: Wed, 13 Aug 2025 09:16:34 +1000
+Subject: [PATCH 7/7] mention sntrup761x25519-sha512 in manpages
+
+Spotted by Colin Watson
+---
+ ssh_config.5 | 1 +
+ sshd_config.5 | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/ssh_config.5 b/ssh_config.5
+index 2e1902283..9473f4692 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1281,6 +1281,7 @@ default set.
+ .Pp
+ The default is:
+ .Bd -literal -offset indent
++sntrup761x25519-sha512,
+ sntrup761x25519-sha512@openssh.com,
+ curve25519-sha256,curve25519-sha256@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+diff --git a/sshd_config.5 b/sshd_config.5
+index ce872de52..3c727f4d3 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1050,11 +1050,14 @@ ecdh-sha2-nistp384
+ .It
+ ecdh-sha2-nistp521
+ .It
++sntrup761x25519-sha512
++.It
+ sntrup761x25519-sha512@openssh.com
+ .El
+ .Pp
+ The default is:
+ .Bd -literal -offset indent
++sntrup761x25519-sha512,
+ sntrup761x25519-sha512@openssh.com,
+ curve25519-sha256,curve25519-sha256@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch
deleted file mode 100644
index 80597517ddf..00000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From 27996b32a8b0fe908effc469e5c7d496e40c6671 Mon Sep 17 00:00:00 2001 -Message-ID: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: Christoph Ostarek -Date: Wed, 3 Jul 2024 12:46:59 +0200 -Subject: [PATCH 1/8] fix utmpx ifdef - -02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for -utmpx, but forgot to change the ifdef appropriately - -(cherry picked from commit c7fda601186ff28128cfe3eab9c9c0622de096e1) ---- - loginrec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/loginrec.c b/loginrec.c -index 7460bb2c0..45f13dee8 100644 ---- a/loginrec.c -+++ b/loginrec.c -@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx) - void - construct_utmpx(struct logininfo *li, struct utmpx *utx) - { --# ifdef HAVE_ADDR_V6_IN_UTMP -+# ifdef HAVE_ADDR_V6_IN_UTMPX - struct sockaddr_in6 *sa6; - # endif - memset(utx, '\0', sizeof(*utx)); -@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx) - if (li->hostaddr.sa.sa_family == AF_INET) - utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; - # endif --# ifdef HAVE_ADDR_V6_IN_UTMP -+# ifdef HAVE_ADDR_V6_IN_UTMPX - /* this is just a 128-bit IPv6 address */ - if (li->hostaddr.sa.sa_family == AF_INET6) { - sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch deleted file mode 100644 index 814851b17c7..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From c606840894ca805472ddbd4ebad4b0a6f231ccb5 Mon Sep 17 00:00:00 2001 -Message-ID: -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: Damien Miller -Date: Wed, 25 Sep 2024 11:13:05 +1000 -Subject: [PATCH 2/8] build construct_utmp() when USE_BTMP is set - -Fixes compile error on Void Linux/Musl - -(cherry picked from commit 2c12ae8cf9b0b7549ae097c4123abeda0ee63e5b) ---- - loginrec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/loginrec.c b/loginrec.c -index 45f13dee8..7b1818b86 100644 ---- a/loginrec.c -+++ b/loginrec.c -@@ -614,7 +614,7 @@ line_abbrevname(char *dst, const char *src, int dstsize) - ** into account. - **/ - --#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN) -+#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN) - - /* build the utmp structure */ - void -@@ -698,7 +698,7 @@ construct_utmp(struct logininfo *li, - } - # endif - } --#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */ -+#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */ - - /** - ** utmpx utility functions --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch deleted file mode 100644 index cac3a4140f7..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From d1e0cfefc3a0f2d371f280d270e9ebc2188950c6 Mon Sep 17 00:00:00 2001 -Message-ID: -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: Damien Miller -Date: Wed, 25 Sep 2024 11:15:45 +1000 -Subject: [PATCH 3/8] gss-serv.c needs sys/param.h - -From Void Linux - -(cherry picked from commit ff2cd1dd5711ff88efdf26662d6189d980439a1f) ---- - gss-serv.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/gss-serv.c b/gss-serv.c -index 00e3d118b..025a118f8 100644 ---- a/gss-serv.c -+++ b/gss-serv.c -@@ -29,6 +29,7 @@ - #ifdef GSSAPI - - #include -+#include - - #include - #include --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch deleted file mode 100644 index 40583d31ca6..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch +++ /dev/null 
@@ -1,296 +0,0 @@ -From dda58ae078f4cba21c3b874e81f1d28121636985 Mon Sep 17 00:00:00 2001 -Message-ID: -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: "djm@openbsd.org" -Date: Wed, 25 Sep 2024 01:24:04 +0000 -Subject: [PATCH 4/8] upstream: fix regression introduced when I switched the - "Match" - -criteria tokeniser to a more shell-like one. Apparently the old tokeniser -(accidentally?) allowed "Match criteria=argument" as well as the "Match -criteria argument" syntax that we tested for. - -People were using this syntax so this adds back support for -"Match criteria=argument" - -bz3739 ok dtucker - -OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a -(cherry picked from commit 66878e12a207fa9746dee3e2bdcca29b704cf035) ---- - misc.c | 23 +++++++++++++++++++++- - misc.h | 3 ++- - readconf.c | 28 ++++++++++++++++++++++----- - servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++-------------- - 4 files changed, 89 insertions(+), 22 deletions(-) - -diff --git a/misc.c b/misc.c -index afdf5142e..1b4b55c50 100644 ---- a/misc.c -+++ b/misc.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */ -+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * Copyright (c) 2005-2020 Damien Miller. All rights reserved. -@@ -107,6 +107,27 @@ rtrim(char *s) - } - } - -+/* -+ * returns pointer to character after 'prefix' in 's' or otherwise NULL -+ * if the prefix is not present. 
-+ */ -+const char * -+strprefix(const char *s, const char *prefix, int ignorecase) -+{ -+ size_t prefixlen; -+ -+ if ((prefixlen = strlen(prefix)) == 0) -+ return s; -+ if (ignorecase) { -+ if (strncasecmp(s, prefix, prefixlen) != 0) -+ return NULL; -+ } else { -+ if (strncmp(s, prefix, prefixlen) != 0) -+ return NULL; -+ } -+ return s + prefixlen; -+} -+ - /* set/unset filedescriptor to non-blocking */ - int - set_nonblock(int fd) -diff --git a/misc.h b/misc.h -index 113403896..efecdf1ad 100644 ---- a/misc.h -+++ b/misc.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */ -+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */ - - /* - * Author: Tatu Ylonen -@@ -56,6 +56,7 @@ struct ForwardOptions { - char *chop(char *); - void rtrim(char *); - void skip_space(char **); -+const char *strprefix(const char *, const char *, int); - char *strdelim(char **); - char *strdelimw(char **); - int set_nonblock(int); -diff --git a/readconf.c b/readconf.c -index 3d9cc6dbb..de42fb6ff 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */ -+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - struct passwd *pw, const char *host_arg, const char *original_host, - int final_pass, int *want_final_pass, const char *filename, int linenum) - { -- char *arg, *oattrib, *attrib, *cmd, *host, *criteria; -+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria; - const char *ruser; - int r, this_result, result = 1, attributes = 0, negate; - -@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - - debug2("checking match for '%s' host %s originally %s", - full_line, host, original_host); -- while ((oattrib = attrib = argv_next(acp, avp)) != 
NULL) { -+ while ((oattrib = argv_next(acp, avp)) != NULL) { -+ attrib = xstrdup(oattrib); - /* Terminate on comment */ - if (*attrib == '#') { - argv_consume(acp); -@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - this_result ? "" : "not ", oattrib); - continue; - } -+ -+ /* Keep this list in sync with below */ -+ if (strprefix(attrib, "host=", 1) != NULL || -+ strprefix(attrib, "originalhost=", 1) != NULL || -+ strprefix(attrib, "user=", 1) != NULL || -+ strprefix(attrib, "localuser=", 1) != NULL || -+ strprefix(attrib, "localnetwork=", 1) != NULL || -+ strprefix(attrib, "tagged=", 1) != NULL || -+ strprefix(attrib, "exec=", 1) != NULL) { -+ arg = strchr(attrib, '='); -+ *(arg++) = '\0'; -+ } else { -+ arg = argv_next(acp, avp); -+ } -+ - /* All other criteria require an argument */ -- if ((arg = argv_next(acp, avp)) == NULL || -- *arg == '\0' || *arg == '#') { -+ if (arg == NULL || *arg == '\0' || *arg == '#') { - error("Missing Match criteria for %s", attrib); - result = -1; - goto out; -@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - criteria == NULL ? "" : criteria, - criteria == NULL ? "" : "\""); - free(criteria); -+ free(attrib); -+ attrib = NULL; - } - if (attributes == 0) { - error("One or more attributes required for Match"); -@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - out: - if (result != -1) - debug2("match %sfound", result ? 
"" : "not "); -+ free(attrib); - free(host); - return result; - } -diff --git a/servconf.c b/servconf.c -index 89b8413e8..dd774f468 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */ -+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */ - /* - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - * All rights reserved -@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - int line, struct connection_info *ci) - { - int result = 1, attributes = 0, port; -- char *arg, *attrib; -+ char *arg, *attrib = NULL, *oattrib; - - if (ci == NULL) - debug3("checking syntax for 'Match %s'", full_line); -@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - ci->laddress ? ci->laddress : "(null)", ci->lport); - } - -- while ((attrib = argv_next(acp, avp)) != NULL) { -+ while ((oattrib = argv_next(acp, avp)) != NULL) { -+ attrib = xstrdup(oattrib); - /* Terminate on comment */ - if (*attrib == '#') { - argv_consume(acp); /* mark all arguments consumed */ -@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - *arg != '\0' && *arg != '#')) { - error("'all' cannot be combined with other " - "Match attributes"); -- return -1; -+ result = -1; -+ goto out; - } - if (arg != NULL && *arg == '#') - argv_consume(acp); /* consume remaining args */ -- return 1; -+ result = 1; -+ goto out; - } - /* Criterion "invalid-user" also has no argument */ - if (strcasecmp(attrib, "invalid-user") == 0) { -@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - debug("matched invalid-user at line %d", line); - continue; - } -+ -+ /* Keep this list in sync with below */ -+ if (strprefix(attrib, "user=", 1) != NULL || -+ strprefix(attrib, "group=", 1) != NULL || -+ strprefix(attrib, "host=", 1) != NULL || -+ strprefix(attrib, "address=", 1) != NULL || -+ strprefix(attrib, "localaddress=", 1) != NULL 
|| -+ strprefix(attrib, "localport=", 1) != NULL || -+ strprefix(attrib, "rdomain=", 1) != NULL) { -+ arg = strchr(attrib, '='); -+ *(arg++) = '\0'; -+ } else { -+ arg = argv_next(acp, avp); -+ } -+ - /* All other criteria require an argument */ -- if ((arg = argv_next(acp, avp)) == NULL || -- *arg == '\0' || *arg == '#') { -+ if (arg == NULL || *arg == '\0' || *arg == '#') { - error("Missing Match criteria for %s", attrib); -- return -1; -+ result = -1; -+ goto out; - } - if (strcasecmp(attrib, "user") == 0) { - if (ci == NULL || (ci->test && ci->user == NULL)) { -@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - match_test_missing_fatal("Group", "user"); - switch (match_cfg_line_group(arg, line, ci->user)) { - case -1: -- return -1; -+ result = -1; -+ goto out; - case 0: - result = 0; - } -@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - result = 0; - break; - case -2: -- return -1; -+ result = -1; -+ goto out; - } - } else if (strcasecmp(attrib, "localaddress") == 0){ - if (ci == NULL || (ci->test && ci->laddress == NULL)) { -@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - result = 0; - break; - case -2: -- return -1; -+ result = -1; -+ goto out; - } - } else if (strcasecmp(attrib, "localport") == 0) { - if ((port = a2port(arg)) == -1) { - error("Invalid LocalPort '%s' on Match line", - arg); -- return -1; -+ result = -1; -+ goto out; - } - if (ci == NULL || (ci->test && ci->lport == -1)) { - result = 0; -@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - debug("user %.100s matched 'RDomain %.100s' at " - "line %d", ci->rdomain, arg, line); - } else { -- error("Unsupported Match attribute %s", attrib); -- return -1; -+ error("Unsupported Match attribute %s", oattrib); -+ result = -1; -+ goto out; - } -+ free(attrib); -+ attrib = NULL; - } - if (attributes == 0) { - error("One or more attributes required for Match"); - 
return -1; - } -- if (ci != NULL) -+ out: -+ if (ci != NULL && result != -1) - debug3("match %sfound", result ? "" : "not "); -+ free(attrib); - return result; - } - --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch deleted file mode 100644 index 7495780afd4..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 3e95023995e1d0249febab2b804f51b7673e07de Mon Sep 17 00:00:00 2001 -Message-ID: <3e95023995e1d0249febab2b804f51b7673e07de.1730162536.git.sam@gentoo.org> -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: "djm@openbsd.org" -Date: Thu, 26 Sep 2024 23:55:08 +0000 -Subject: [PATCH 5/8] upstream: fix previous change to ssh_config Match, which - broken on - -negated Matches; spotted by phessler@ ok deraadt@ - -OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7 -(cherry picked from commit 19bcb2d90c6caf14abf386b644fb24eb7afab889) ---- - readconf.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/readconf.c b/readconf.c -index de42fb6ff..9f5592698 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */ -+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - struct passwd *pw, const char *host_arg, const char *original_host, - int final_pass, int *want_final_pass, const char *filename, int linenum) - { -- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria; -+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria; - const char *ruser; - int r, this_result, result = 1, attributes = 0, negate; - -@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - - debug2("checking match for '%s' host %s originally %s", - full_line, host, original_host); -- while ((oattrib = argv_next(acp, avp)) != NULL) { -- attrib = xstrdup(oattrib); -+ while ((attrib = argv_next(acp, avp)) != NULL) { -+ attrib = oattrib = xstrdup(attrib); - /* Terminate on comment */ - if (*attrib == 
'#') { - argv_consume(acp); -@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - criteria == NULL ? "" : criteria, - criteria == NULL ? "" : "\""); - free(criteria); -- free(attrib); -- attrib = NULL; -+ free(oattrib); -+ oattrib = attrib = NULL; - } - if (attributes == 0) { - error("One or more attributes required for Match"); -@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - out: - if (result != -1) - debug2("match %sfound", result ? "" : "not "); -- free(attrib); -+ free(oattrib); - free(host); - return result; - } --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch deleted file mode 100644 index 7719f89aee6..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 3c10bf179b0029e0412e4b0fecf2e31d53b4ef08 Mon Sep 17 00:00:00 2001 -Message-ID: <3c10bf179b0029e0412e4b0fecf2e31d53b4ef08.1730162536.git.sam@gentoo.org> -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: "djm@openbsd.org" -Date: Sun, 27 Oct 2024 02:06:01 +0000 -Subject: [PATCH 6/8] upstream: fix ML-KEM768x25519 KEX on big-endian systems; - spotted by - -jsg@ feedback/ok deraadt@ - -OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0 -(cherry picked from commit 11f348196b3fb51c3d8d1f4f36db9d73f03149ed) ---- - libcrux_mlkem768_sha3.h | 8 +++++--- - mlkem768.sh | 17 ++++++++++++----- - 2 files changed, 17 insertions(+), 8 deletions(-) - -diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h -index a82d60e83..b8ac1436f 100644 ---- a/libcrux_mlkem768_sha3.h -+++ b/libcrux_mlkem768_sha3.h -@@ -1,4 +1,5 @@ --/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */ -+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */ -+ - /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */ - - /* -@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, - // CORE STUFF (conversions, endianness, ...) 
- - static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) { -+ v = htole64(v); - memcpy(buf, &v, sizeof(v)); - } - static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) { - uint64_t v; - memcpy(&v, buf, sizeof(v)); -- return v; -+ return le64toh(v); - } - - static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { - uint32_t v; - memcpy(&v, buf, sizeof(v)); -- return v; -+ return le32toh(v); - } - - static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { -diff --git a/mlkem768.sh b/mlkem768.sh -index 2fdc28312..3d12b2ed8 100644 ---- a/mlkem768.sh -+++ b/mlkem768.sh -@@ -1,9 +1,10 @@ - #!/bin/sh --# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $ -+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $ - # Placed in the Public Domain. - # - --WANT_LIBCRUX_REVISION="origin/main" -+#WANT_LIBCRUX_REVISION="origin/main" -+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35" - - FILES=" - libcrux/libcrux-ml-kem/cg/eurydice_glue.h -@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))' - echo '#define KRML_HOST_EPRINTF(...)' - echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")' - echo -+ - for i in $FILES; do - echo "/* from $i */" - # Changes to all files: -@@ -56,11 +58,16 @@ for i in $FILES; do - -e 's/[ ]*$//' \ - $i | \ - case "$i" in -- # XXX per-file handling goes here. -+ */libcrux-ml-kem/cg/eurydice_glue.h) -+ # Replace endian functions with versions that work. -+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' | -+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' | -+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' -+ ;; - # Default: pass through. - *) -- cat -- ;; -+ cat -+ ;; - esac - echo - done --- -2.47.0 - 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch deleted file mode 100644 index d92d81f8d42..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f87403aba3e7926ab47f4c9a821300a705b070f2 Mon Sep 17 00:00:00 2001 -Message-ID: -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: "djm@openbsd.org" -Date: Sun, 27 Oct 2024 02:06:59 +0000 -Subject: [PATCH 7/8] upstream: explicitly include endian.h - -OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318 -(cherry picked from commit fe8d28a7ebbaa35cfc04a21263627f05c237e460) ---- - kexmlkem768x25519.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/kexmlkem768x25519.c b/kexmlkem768x25519.c -index 679446e97..2b5d39608 100644 ---- a/kexmlkem768x25519.c -+++ b/kexmlkem768x25519.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */ -+/* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */ - /* - * Copyright (c) 2023 Markus Friedl. All rights reserved. - * -@@ -34,6 +34,9 @@ - #include - #include - #include -+#ifdef HAVE_ENDIAN_H -+# include -+#endif - - #include "sshkey.h" - #include "kex.h" --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch deleted file mode 100644 index 9799a82ea14..00000000000 
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c Mon Sep 17 00:00:00 2001 -Message-ID: <88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c.1730162536.git.sam@gentoo.org> -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: Damien Miller -Date: Sun, 27 Oct 2024 13:28:11 +1100 -Subject: [PATCH 8/8] htole64() etc for systems without endian.h - -(cherry picked from commit 33c5f384ae03a5d1a0bd46ca0fac3c62e4eaf784) ---- - configure.ac | 1 - - defines.h | 26 ++++++++++++++++++++++++++ - 2 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 591d5a388..9053a9a2b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2013,7 +2013,6 @@ AC_CHECK_FUNCS([ \ - strtoll \ - strtoul \ - strtoull \ -- swap32 \ - sysconf \ - tcgetpgrp \ - timegm \ -diff --git a/defines.h b/defines.h -index ed860e78b..b02f2942a 100644 ---- a/defines.h -+++ b/defines.h -@@ -646,6 +646,32 @@ struct winsize { - # endif /* WORDS_BIGENDIAN */ - #endif /* BYTE_ORDER */ - -+#ifndef HAVE_ENDIAN_H -+# define openssh_swap32(v) \ -+ (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \ -+ ((uint32_t)(v) & 0xff00) << 8 | \ -+ ((uint32_t)(v) & 0xff0000) >> 8 | \ -+ ((uint32_t)(v) & 0xff000000) >> 24) -+# define openssh_swap64(v) \ -+ (__uint64_t)((((__uint64_t)(v) & 0xff) << 56) | \ -+ ((__uint64_t)(v) & 0xff00ULL) << 40 | \ -+ ((__uint64_t)(v) & 0xff0000ULL) << 24 | \ -+ ((__uint64_t)(v) & 0xff000000ULL) << 8 | \ -+ ((__uint64_t)(v) & 0xff00000000ULL) >> 8 | \ -+ ((__uint64_t)(v) & 0xff0000000000ULL) >> 24 | \ -+ ((__uint64_t)(v) & 0xff000000000000ULL) >> 40 | \ -+ ((__uint64_t)(v) & 0xff00000000000000ULL) >> 56) -+# ifdef WORDS_BIGENDIAN -+# define le32toh(v) (openssh_swap32(v)) -+# define le64toh(v) (openssh_swap64(v)) -+# define htole64(v) (openssh_swap64(v)) -+# else -+# define le32toh(v) ((uint32_t)v) -+# define le64toh(v) ((uint64_t)v) -+# define 
htole64(v) ((uint64_t)v) -+# endif -+#endif -+ - /* Function replacement / compatibility hacks */ - - #if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO)) --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch new file mode 100644 index 00000000000..ae9ca600d6f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch 
@@ -0,0 +1,87 @@ +From 4b8d141ec165aa29a48316768089cb03aed3aada Mon Sep 17 00:00:00 2001 +Message-ID: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Darren Tucker +Date: Wed, 26 Feb 2025 18:16:03 +1100 +Subject: [PATCH 01/10] Check for le32toh, le64toh, htole64 individually. + +It appears that at least some versions of endian.h in glibc do not have +the latter two, so check for and replace each one individually. +bz#3794, ok djm@ +--- + configure.ac | 12 ++++++++++++ + defines.h | 28 +++++++++++++++++++++------- + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9053a9a2b..57a8d1007 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -536,6 +536,18 @@ AC_CHECK_HEADERS([ \ + wchar.h \ + ]) + ++AC_CHECK_DECLS([le32toh, le64toh, htole64], [], [], [ ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++]) ++ + # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] + # to be included first. 
+ AC_CHECK_HEADERS([sys/audit.h], [], [], [ +diff --git a/defines.h b/defines.h +index c1c21aba6..090f49f55 100644 +--- a/defines.h ++++ b/defines.h +@@ -646,7 +646,9 @@ struct winsize { + # endif /* WORDS_BIGENDIAN */ + #endif /* BYTE_ORDER */ + +-#ifndef HAVE_ENDIAN_H ++#if (defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0) || \ ++ (defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0) || \ ++ (defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0) + # define openssh_swap32(v) \ + (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \ + ((uint32_t)(v) & 0xff00) << 8 | \ +@@ -662,13 +664,25 @@ struct winsize { + ((uint64_t)(v) & 0xff000000000000ULL) >> 40 | \ + ((uint64_t)(v) & 0xff00000000000000ULL) >> 56) + # ifdef WORDS_BIGENDIAN +-# define le32toh(v) (openssh_swap32(v)) +-# define le64toh(v) (openssh_swap64(v)) +-# define htole64(v) (openssh_swap64(v)) ++# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0 ++# define le32toh(v) (openssh_swap32(v)) ++# endif ++# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0 ++# define le64toh(v) (openssh_swap64(v)) ++# endif ++# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0 ++# define htole64(v) (openssh_swap64(v)) ++# endif + # else +-# define le32toh(v) ((uint32_t)v) +-# define le64toh(v) ((uint64_t)v) +-# define htole64(v) ((uint64_t)v) ++# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0 ++# define le32toh(v) ((uint32_t)v) ++# endif ++# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0 ++# define le64toh(v) ((uint64_t)v) ++# endif ++# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0 ++# define htole64(v) ((uint64_t)v) ++# endif + # endif + #endif + +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch new file mode 100644 index 00000000000..778ffba81cf 
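Review bot: The little-endian fallbacks added to defines.h, `# define le32toh(v) ((uint32_t)v)` and the matching `le64toh`/`htole64` lines, cast without parenthesising the macro argument, so an expression argument such as `a | b` would have only its first operand converted; `((uint32_t)(v))` and `((uint64_t)(v))` are the safe forms. The new outer guard tests `defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0` (and the same for the other two names), so when config.h carries no HAVE_DECL_* value, for example a configure script not regenerated after the configure.ac change, no fallback is emitted at all, where the old `#ifndef HAVE_ENDIAN_H` guard would have emitted one. The build should therefore regenerate configure or always apply the following "Update autoconf files" patch together with this one. This is an upstream change carried as a patch file, so a code fix would go upstream rather than into this copy.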
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch
@@ -0,0 +1,118 @@ +From de4bcb51c893d81a741d4fac37c10107738a952f Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Darren Tucker +Date: Wed, 26 Feb 2025 18:25:33 +1100 +Subject: [PATCH 02/10] Update autoconf files for endian.h change. + +--- + config.h.in | 12 +++++++++++ + configure | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 72 insertions(+) + +diff --git a/config.h.in b/config.h.in +index 14bee6087..c841417f4 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -363,10 +363,22 @@ + don't. */ + #undef HAVE_DECL_HOWMANY + ++/* Define to 1 if you have the declaration of `htole64', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_HTOLE64 ++ + /* Define to 1 if you have the declaration of `h_errno', and to 0 if you + don't. */ + #undef HAVE_DECL_H_ERRNO + ++/* Define to 1 if you have the declaration of `le32toh', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_LE32TOH ++ ++/* Define to 1 if you have the declaration of `le64toh', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_LE64TOH ++ + /* Define to 1 if you have the declaration of `loginfailed', and to 0 if you + don't. 
*/ + #undef HAVE_DECL_LOGINFAILED +diff --git a/configure b/configure +index b4d33b7cd..ec1de26c2 100755 +--- a/configure ++++ b/configure +@@ -11325,6 +11325,65 @@ then : + fi + + ++ac_fn_check_decl "$LINENO" "le32toh" "ac_cv_have_decl_le32toh" " ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_le32toh" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_LE32TOH $ac_have_decl" >>confdefs.h ++ac_fn_check_decl "$LINENO" "le64toh" "ac_cv_have_decl_le64toh" " ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_le64toh" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_LE64TOH $ac_have_decl" >>confdefs.h ++ac_fn_check_decl "$LINENO" "htole64" "ac_cv_have_decl_htole64" " ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_htole64" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_HTOLE64 $ac_have_decl" >>confdefs.h ++ ++ + # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] + # to be included first. + ac_fn_c_check_header_compile "$LINENO" "sys/audit.h" "ac_cv_header_sys_audit_h" " +@@ -27710,3 +27769,4 @@ if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." + fi ++ +-- +2.51.0 + 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch new file mode 100644 index 00000000000..ad90441cef5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch @@ -0,0 +1,30 @@ +From ef95df4089f0dba640671ca6acfb876a78794b83 Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Darren Tucker +Date: Sat, 1 Mar 2025 10:28:59 +1100 +Subject: [PATCH 03/10] Rebuild config files if Makefile changes. + +This ensures paths are updated if they are changed by re-running configure. +Patch from rapier at psc.edu. +--- + Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index 4243006b0..fc7a1a354 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -267,7 +267,7 @@ $(MANPAGES): $(MANPAGES_IN) + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \ + fi + +-$(CONFIGFILES): $(CONFIGFILES_IN) ++$(CONFIGFILES): $(CONFIGFILES_IN) Makefile + conffile=`echo $@ | sed 's/.out$$//'`; \ + $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@ + +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch new file mode 100644 index 00000000000..6d0c87adb83 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch 
@@ -0,0 +1,92 @@ +From 3b4adf2018ae8fdd48623b6b5ede182319a76b8f Mon Sep 17 00:00:00 2001 +Message-ID: <3b4adf2018ae8fdd48623b6b5ede182319a76b8f.1758727915.git.sam@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Damien Miller +Date: Sun, 2 Mar 2025 22:06:53 +1100 +Subject: [PATCH 04/10] include __builtin_popcount replacement function + +Some systems/compilers lack __builtin_popcount(), so replace it as +necessary. Reported by Dennis Clarke; ok dtucker@ +--- + configure.ac | 13 +++++++++++++ + libcrux_mlkem768_sha3.h | 8 ++++++-- + mlkem768.sh | 10 +++++++++- + 3 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 57a8d1007..dbe189066 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2041,6 +2041,19 @@ AC_CHECK_FUNCS([ \ + warn \ + ]) + ++AC_MSG_CHECKING([whether compiler supports __builtin_popcount]) ++AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++ #include ++ ]], ++ [[ int x = 123, y; ++ y = __builtin_popcount(123); ++ exit(y == 6 ? 0 : -1); ]])], ++ [ AC_MSG_RESULT([yes]) ], [ ++ AC_MSG_RESULT([no]) ++ AC_DEFINE([MISSING_BUILTIN_POPCOUNT], [1], [Define if your compiler lacks __builtin_popcount]) ++ ] ++) ++ + AC_CHECK_DECLS([bzero, memmem]) + + dnl Wide character support. 
+diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h +index b8ac1436f..885e82baf 100644 +--- a/libcrux_mlkem768_sha3.h ++++ b/libcrux_mlkem768_sha3.h +@@ -177,10 +177,14 @@ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { + } + + static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { +-#ifdef _MSC_VER ++#if defined(_MSC_VER) + return __popcnt(x0); +-#else ++#elif !defined(MISSING_BUILTIN_POPCOUNT) + return __builtin_popcount(x0); ++#else ++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 }; ++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf]; ++ + #endif + } + +diff --git a/mlkem768.sh b/mlkem768.sh +index 3d12b2ed8..cbc3d14da 100644 +--- a/mlkem768.sh ++++ b/mlkem768.sh +@@ -49,6 +49,11 @@ echo '#define KRML_HOST_EPRINTF(...)' + echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")' + echo + ++__builtin_popcount_replacement=' ++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 }; ++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf]; ++' ++ + for i in $FILES; do + echo "/* from $i */" + # Changes to all files: +@@ -62,7 +67,10 @@ for i in $FILES; do + # Replace endian functions with versions that work. + perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' | + perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' | +- perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' ++ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' | ++ # Compat for popcount. ++ perl -0777 -pe 's/\#ifdef (_MSC_VER)(.*?return __popcnt\(x0\);)/\#if defined(\1)\2/s' | ++ perl -0777 -pe "s/\\#else(\\n\\s+return __builtin_popcount\\(x0\\);)/\\#elif !defined(MISSING_BUILTIN_POPCOUNT)\\1\\n#else$__builtin_popcount_replacement/s" + ;; + # Default: pass through. + *) +-- +2.51.0 + 
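Review bot: The configure probe added to configure.ac calls `__builtin_popcount(123)` on a literal and is only linked, never run, so the compiler can fold the call away and the probe may answer `yes` even where a non-constant call would need a runtime helper that is missing; the declared `x` is never used. Feeding the builtin a value the compiler cannot fold, for example `volatile int x = 123;` with `y = __builtin_popcount(x);`, would test the code path the header actually uses. Separately, the fallback in `core_num__u8_6__count_ones` indexes a 16-entry table with `x0`; whether `x0` can carry secret-dependent data in the ML-KEM code is not visible in this hunk, so a one-line comment stating that it cannot, or a branch-free bit count, would be worth adding.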
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch
new file mode 100644
index 00000000000..a2c7e98087d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch
@@ -0,0 +1,32 @@
+From d58ae05bb7838e1fdae967752f06b0b2471a63f5 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "djm@openbsd.org"
+Date: Sun, 2 Mar 2025 22:44:00 +0000
+Subject: [PATCH 05/10] upstream: fix PerSourcePenalty incorrectly using
+ "crash" penalty when
+
+LoginGraceTime was exceeded. Reported by irwin AT princeton.edu via bz3797
+
+OpenBSD-Commit-ID: 1ba3e490a5a9451359618c550d995380af454d25
+---
+ srclimit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/srclimit.c b/srclimit.c
+index 33116fa52..c63a462e2 100644
+--- a/srclimit.c
++++ b/srclimit.c
+@@ -386,7 +386,7 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
+ reason = "penalty: connection prohibited by RefuseConnection";
+ break;
+ case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
+- penalty_secs = penalty_cfg.penalty_crash;
++ penalty_secs = penalty_cfg.penalty_grace;
+ reason = "penalty: exceeded LoginGraceTime";
+ break;
+ default:
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch
new file mode 100644
index 00000000000..8ba648a4213
--- /dev/null
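Review bot: Nothing in this backport records that clients which sit out LoginGraceTime are now penalised with `penalty_cfg.penalty_grace` instead of the crash value, so the effective back-off for that case changes on upgrade wherever the two `PerSourcePenalties` durations differ. A one-line comment on the `SRCLIMIT_PENALTY_GRACE_EXCEEDED` case, `/* uses the grace-exceeded duration, not crash */`, together with a line in the package's upgrade notes, would let operators check their configured values. The switch in `srclimit_penalise` starts and ends outside the quoted hunk.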
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch 
@@ -0,0 +1,80 @@ +From 7d5b6c7ec3c597a6d57f64d0db925142bccd38a3 Mon Sep 17 00:00:00 2001 +Message-ID: <7d5b6c7ec3c597a6d57f64d0db925142bccd38a3.1758727915.git.sam@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Damien Miller +Date: Mon, 3 Mar 2025 14:21:12 +1100 +Subject: [PATCH 06/10] regenerate configure, config.h.in + +--- + config.h.in | 3 +++ + configure | 35 ++++++++++++++++++++++++++++++++++- + 2 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/config.h.in b/config.h.in +index c841417f4..57f63355b 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -1748,6 +1748,9 @@ + /* Set this to your mail directory if you do not have _PATH_MAILDIR */ + #undef MAIL_DIRECTORY + ++/* Define if your compiler lacks __builtin_popcount */ ++#undef MISSING_BUILTIN_POPCOUNT ++ + /* Need setpgrp to for controlling tty */ + #undef NEED_SETPGRP + +diff --git a/configure b/configure +index ec1de26c2..a18079da2 100755 +--- a/configure ++++ b/configure +@@ -16785,6 +16785,40 @@ then : + fi + + ++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __builtin_popcount" >&5 ++printf %s "checking whether compiler supports __builtin_popcount... " >&6; } ++cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++ #include ++ ++int ++main (void) ++{ ++ int x = 123, y; ++ y = __builtin_popcount(123); ++ exit(y == 6 ? 
0 : -1); ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO" ++then : ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++printf "%s\n" "yes" >&6; } ++else $as_nop ++ ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } ++ ++printf "%s\n" "#define MISSING_BUILTIN_POPCOUNT 1" >>confdefs.h ++ ++ ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.beam \ ++ conftest$ac_exeext conftest.$ac_ext ++ + ac_fn_check_decl "$LINENO" "bzero" "ac_cv_have_decl_bzero" "$ac_includes_default" "$ac_c_undeclared_builtin_options" "CFLAGS" + if test "x$ac_cv_have_decl_bzero" = xyes + then : +@@ -27769,4 +27803,3 @@ if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." + fi +- +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch new file mode 100644 index 00000000000..45ae5eb7844 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch 
@@ -0,0 +1,44 @@
+From be8026caf9da985638c762c353c397c0922be233 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "dtucker@openbsd.org"
+Date: Tue, 11 Mar 2025 11:46:44 +0000
+Subject: [PATCH 07/10] upstream: Prime caches for DNS names needed for tests.
+
+When running the SSHFP tests, particularly on an ephemeral VM, the first
+query or two can fail for some reason, presumably because something isn't
+fully initialized or something. To work around this, issue queries for the
+names we'll need before we need them.
+
+OpenBSD-Regress-ID: 900841133540e7dead253407db5a874a6ed09eca
+---
+ regress/sshfp-connect.sh | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/regress/sshfp-connect.sh b/regress/sshfp-connect.sh
+index f78646922..3c73a35d0 100644
+--- a/regress/sshfp-connect.sh
++++ b/regress/sshfp-connect.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
++# $OpenBSD: sshfp-connect.sh,v 1.5 2025/03/11 11:46:44 dtucker Exp $
+ # Placed in the Public Domain.
+
+ # This test requires external setup and thus is skipped unless
+@@ -29,6 +29,12 @@ if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
+ elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
+ skip "TEST_SSH_SSHFP_DOMAIN not set."
+ else
++ # Prime any DNS caches and resolvers.
++ for i in sshtest sshtest-sha1 sshtest-sha256; do
++ host -t sshfp ${i}.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
++ host -t sshfp ${i}-bad.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
++ done
++
+ # Set RSA host key to match fingerprints above.
+ mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+ $SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch
new file mode 100644
index 00000000000..f66f88bba73
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch
@@ -0,0 +1,41 @@
+From aab12549a939d07f638df486f910544c6b11b972 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Darren Tucker
+Date: Thu, 17 Oct 2024 19:18:23 +1100
+Subject: [PATCH 08/10] MacOS 12 runners are deprecated, replace with 15.
+
+---
+ .github/workflows/c-cpp.yml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
+index c179f73d1..c49aa5ee8 100644
+--- a/.github/workflows/c-cpp.yml
++++ b/.github/workflows/c-cpp.yml
+@@ -17,9 +17,9 @@ jobs:
+ target:
+ - ubuntu-20.04
+ - ubuntu-22.04
+- - macos-12
+ - macos-13
+ - macos-14
++ - macos-15
+ - windows-2019
+ - windows-2022
+ config: [default]
+@@ -100,9 +100,9 @@ jobs:
+ - { target: ubuntu-22.04, config: selinux }
+ - { target: ubuntu-22.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: without-openssl }
+- - { target: macos-12, config: pam }
+ - { target: macos-13, config: pam }
+ - { target: macos-14, config: pam }
++ - { target: macos-15, config: pam }
+ runs-on: ${{ matrix.target }}
+ steps:
+ - name: set cygwin git params
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch
new file mode 100644
index 00000000000..0daf93d329a
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch
@@ -0,0 +1,51 @@
+From 8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595 Mon Sep 17 00:00:00 2001
+Message-ID: <8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "tb@openbsd.org"
+Date: Tue, 3 Dec 2024 15:53:51 +0000
+Subject: [PATCH 09/10] upstream: Remove redundant field of definition check
+
+This will allow us to get rid of EC_GROUP_method_of() in the near future.
+
+ok djm
+
+OpenBSD-Commit-ID: b4a3d2e00990cf5c2ec6881c21ddca67327c2df8
+---
+ sshkey.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/sshkey.c b/sshkey.c
+index 1db83788d..44be674d1 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -2708,14 +2708,6 @@ sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
+ * EC_POINT_oct2point then the caller will need to explicitly check.
+ */
+
+- /*
+- * We shouldn't ever hit this case because bignum_get_ecpoint()
+- * refuses to load GF2m points.
+- */
+- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+- NID_X9_62_prime_field)
+- goto out;
+-
+ /* Q != infinity */
+ if (EC_POINT_is_at_infinity(group, public))
+ goto out;
+@@ -2815,11 +2807,6 @@ sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
+ fprintf(stderr, "%s: BN_new failed\n", __func__);
+ goto out;
+ }
+- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+- NID_X9_62_prime_field) {
+- fprintf(stderr, "%s: group is not a prime field\n", __func__);
+- goto out;
+- }
+ if (EC_POINT_get_affine_coordinates_GFp(group, point,
+ x, y, NULL) != 1) {
+ fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", __func__);
+--
+2.51.0
+
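Review bot: After this backport `sshkey_ec_validate_public` neither enforces nor documents that `group` must be a prime-field curve, while the second hunk shows `sshkey_dump_ec_point` still calling the prime-field accessor `EC_POINT_get_affine_coordinates_GFp`. The removed comment said the case was unreachable because `bignum_get_ecpoint()` refuses GF2m points; whether that loader is still the one on this path cannot be seen from here, so the precondition should be written where the check used to be, e.g. `/* group must be a prime-field curve; binary-field points are rejected when the key is loaded */`. Both functions start and end outside the quoted hunks.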
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch new file mode 100644 index 00000000000..11cd63dfe7c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch 
@@ -0,0 +1,64 @@ +From 3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9 Mon Sep 17 00:00:00 2001 +Message-ID: <3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9.1758727915.git.sam@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: "dtucker@openbsd.org" +Date: Tue, 11 Mar 2025 07:42:08 +0000 +Subject: [PATCH 10/10] upstream: Check if dbclient supports SHA1 before trying + SHA1-based + +KEX. + +Dropbear 2025.87 removed SHA1 support by default, which means +diffie-hellman-group14-sha1 is not available. Unfortunately there isn't a +flag to query supported KEX, so instead check MACs and if it doesn't have +SHA1 methods, assuming SHA1 based KEXes are likewise not available. Spotted +by anton@. + +OpenBSD-Regress-ID: acfa8e26c001cb18b9fb81a27271c3b51288d304 +--- + regress/dropbear-kex.sh | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh +index d9f1b32c0..72717fbb7 100644 +--- a/regress/dropbear-kex.sh ++++ b/regress/dropbear-kex.sh +@@ -1,4 +1,4 @@ +-# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $ ++# $OpenBSD: dropbear-kex.sh,v 1.4 2025/03/11 07:42:08 dtucker Exp $ + # Placed in the Public Domain. + + tid="dropbear kex" +@@ -10,8 +10,14 @@ fi + cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak + + kex="curve25519-sha256 curve25519-sha256@libssh.org" +-if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then +- kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1" ++if $SSH -Q kex | grep 'diffie-hellman-group14-sha256' >/dev/null; then ++ kex="$kex diffie-hellman-group14-sha256" ++fi ++# There's no flag to query KEX, so if MACs does not contain SHA1, assume ++# there's also SHA1-based KEX methods either. 
++if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null && \ ++ $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null ; then ++ kex="$kex diffie-hellman-group14-sha1" + fi + + for k in $kex; do +@@ -19,8 +25,9 @@ for k in $kex; do + rm -f ${COPY} + # dbclient doesn't have switch for kex, so force in server + (cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy +- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ +- -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} ++ env HOME=$OBJ \ ++ ${DBCLIENT} -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ ++ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch deleted file mode 100644 index c0546e747a1..00000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch +++ /dev/null @@ -1,14 +0,0 @@ -https://bugzilla.mindrot.org/show_bug.cgi?id=3707 -https://bugs.gentoo.org/935353 ---- a/openbsd-compat/port-linux.c -+++ b/openbsd-compat/port-linux.c -@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) - error_f("socket \"%s\": %s", path, strerror(errno)); - goto out; - } -- if (connect(fd, &addr, sizeof(addr)) != 0) { -+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { - error_f("socket \"%s\" connect: %s", path, strerror(errno)); - goto out; - } - 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild similarity index 95% rename from sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2.ebuild rename to sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild index 86005039f34..9eee63dbddf 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild @@ -11,7 +11,7 @@ inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs # Make it more portable between straight releases # and _p? releases. -PARCH=${P/_} +PARCH=${PN}-10.0p1 DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" 
@@ -19,19 +19,21 @@ SRC_URI=" mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) " -S="${WORKDIR}/${PARCH}" +if [[ ${PV} != 10.0_p2 ]] ; then + die "Please restore the old S/PATCHES. 10.0_p2 had a workaround that should be dropped." +fi +S="${WORKDIR}/${PN}-10.0p1" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss" +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test xmss" RESTRICT="!test? ( test )" REQUIRED_USE=" ldns? ( ssl ) - pie? ( !static ) static? ( !kerberos !pam ) xmss? ( ssl ) test? ( ssl ) @@ -83,9 +85,8 @@ PATCHES=( "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" # Backports from upstream release branch - #"${FILESDIR}/${PV}" + "${FILESDIR}/${PV}" # Our own backports - "${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch" ) pkg_pretend() { 
@@ -192,22 +193,25 @@ src_configure() { # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, # gcc PR104820, gcc PR104817, gcc PR110934)). # - # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, - # so we cannot just disable -fzero-call-used-regs=used. + # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK + # util 10.1_p1, so we cannot just disable -fzero-call-used-regs=used. # # Therefore, just pass --without-hardening, given it doesn't negate # our already hardened toolchain defaults, and avoids adding flags # which are known-broken in both Clang and GCC and haven't been # proven reliable. --without-hardening + --without-pie + --without-stackprotect + + # wtmpdb not yet packaged + --without-wtmpdb $(use_with audit audit linux) $(use_with kerberos kerberos5 "${EPREFIX}"/usr) $(use_with ldns) - $(use_enable legacy-ciphers dsa-keys) $(use_with libedit) $(use_with pam) - $(use_with pie) $(use_with selinux) $(use_with security-key security-key-builtin) $(use_with ssl openssl) @@ -219,10 +223,6 @@ src_configure() { myconf+=( --disable-utmp --disable-wtmp ) fi - # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all - # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) - tc-is-clang && myconf+=( --without-hardening ) - econf "${myconf[@]}" } @@ -299,7 +299,7 @@ src_test() { if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" ewarn "user, so we will run a subset only." - tests+=( interop-tests ) + tests+=( interop-tests file-tests unit ) else tests+=( tests ) fi @@ -315,6 +315,8 @@ src_install() { dobin contrib/ssh-copy-id newinitd "${FILESDIR}"/sshd-r1.initd sshd newconfd "${FILESDIR}"/sshd-r1.confd sshd + exeinto /etc/user/init.d + newexe "${FILESDIR}"/ssh-agent.initd ssh-agent if use pam; then newpamd "${FILESDIR}"/sshd.pam_include.2 sshd 
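Review bot: With `--without-pie` and `--without-stackprotect` added next to `--without-hardening` in src_configure, PIE and stack-protector coverage for the OpenSSH binaries now comes only from the toolchain defaults the comment refers to, and the `pie` USE flag that used to request it is dropped in the same commit. The comment should name the defaults it relies on so the assumption can be checked on the built sshd, e.g. `# relies on toolchain-default PIE and stack protector; confirm on the installed binaries`, and `util 10.1_p1` in the same comment should read `until 10.1_p1`. The same three flags are passed in the new openssh-10.1_p1-r1.ebuild. src_configure starts and ends outside this hunk.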
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild new file mode 100644 index 00000000000..9d9f389b16d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild 
@@ -0,0 +1,432 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + static? ( !kerberos !pam ) + test? ( ssl ) +" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? 
( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + # Backports from upstream release branch + "${FILESDIR}/${PV}" + # Our own backports +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." 
+ ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... 
our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK + # until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. 
+ --without-hardening + --without-pie + --without-stackprotect + + # wtmpdb not yet packaged + --without-wtmpdb + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF 
+ + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests file-tests unit ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" /dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. 
+ ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'" + rc-service -q --ifstarted --nodeps sshd restart + eend $? + fi +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild new file mode 100644 index 00000000000..52c568cdd3f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild 
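Review bot: The comment above `sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config` in src_prepare of openssh-10.1_p1-r1.ebuild does not say what the edit means for key auditing: with the shipped line commented out, sshd falls back to its built-in default, which also reads `~/.ssh/authorized_keys2`. The comment should spell that out, e.g. `# keep the compiled-in default, which also reads ~/.ssh/authorized_keys2; key audits must cover both files`. Hosts that want a single key file need an explicit `AuthorizedKeysFile` setting of their own.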
@@ -0,0 +1,432 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + static? ( !kerberos !pam ) + test? ( ssl ) +" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? 
( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + # Backports from upstream release branch + #"${FILESDIR}/${PV}" + # Our own backports +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." 
+ ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... 
our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK + # until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. 
+ --without-hardening + --without-pie + --without-stackprotect + + # wtmpdb not yet packaged + --without-wtmpdb + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF 
+ + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests file-tests unit ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" /dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. 
+ ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'" + rc-service -q --ifstarted --nodeps sshd restart + eend $? + fi +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild similarity index 99% rename from sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild rename to sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild index a2850bed23c..6063b9758c4 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild @@ -79,8 +79,9 @@ PATCHES=( "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" - "${FILESDIR}/${PN}-9.8_p1-musl-connect.patch" "${FILESDIR}/${PN}-9.8_p1-inetd.patch" + # Backports from upstream release branch + "${FILESDIR}/${PV}" ) pkg_pretend() { diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r3.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild similarity index 99% rename from sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r3.ebuild rename to sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild index 358011e40e6..2c2aa6bbe81 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r3.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild 
@@ -83,7 +83,7 @@ PATCHES=( "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" # Backports from upstream release branch - #"${FILESDIR}/${PV}" + "${FILESDIR}/${PV}" # Our own backports "${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch" ) From d777708a1a53938db0b31f86120c5322c2951f78 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 3 Nov 2025 07:12:02 +0000 Subject: [PATCH 166/213] net-misc/openssh: Sync with Gentoo It's from Gentoo commit 88156328d40f0af955afe2adbb3b4aa367ff64f6. Signed-off-by: Flatcar Buildbot Signed-off-by: Mathieu Tortuyaux --- .../portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild index 9eee63dbddf..82fad77e8cf 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild @@ -26,7 +26,7 @@ S="${WORKDIR}/${PN}-10.0p1" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test xmss" From 5b820fdf6880b72743466606bc12ab875ce8fc2c Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 17 Nov 2025 07:12:21 +0000 Subject: [PATCH 167/213] net-misc/openssh: Sync with Gentoo It's from Gentoo commit 9e2a2f1a08f1368e1842b3b8f2d4e190bddee73c. Signed-off-by: Flatcar Buildbot 
Signed-off-by: Mathieu Tortuyaux
---
 .../portage-stable/net-misc/openssh/openssh-10.0_p1.ebuild | 2 +- .../portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild | 2 +- .../portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild | 2 +- .../portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild | 2 +- .../portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild | 2 +- .../portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p1.ebuild
index b940dbab0cc..88a7125aa72 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p1.ebuild
@@ -51,7 +51,7 @@ LIB_DEPEND="
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+ >=virtual/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
 acct-group/sshd
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild
index 82fad77e8cf..4a50ec4928e 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild
@@ -53,7 +53,7 @@ LIB_DEPEND="
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+ >=virtual/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
 acct-group/sshd
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild
index 9d9f389b16d..4de48e683fd 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild
@@ -46,7 +46,7 @@ LIB_DEPEND="
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+ >=virtual/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
 acct-group/sshd
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild
index 52c568cdd3f..e89cc04934e 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild
@@ -46,7 +46,7 @@ LIB_DEPEND="
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+ >=virtual/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
 acct-group/sshd
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild
index 6063b9758c4..74b6d1aea93 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild
@@ -48,7 +48,7 @@ LIB_DEPEND="
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+ >=virtual/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
 acct-group/sshd
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild
index 2c2aa6bbe81..f5bd288cdc5 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild
@@ -51,7 +51,7 @@ LIB_DEPEND="
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+ >=virtual/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
 acct-group/sshd
From c4f0531c92a9fa341cd4cf6cdf33e790de460a9a Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 13 Oct 2025 07:13:04 +0000 Subject: [PATCH 168/213] virtual/openssh: Sync with Gentoo It's from Gentoo commit bb03600b8ee5393c8df8e625a873ec4426db6882. Signed-off-by: Flatcar Buildbot Signed-off-by: Mathieu Tortuyaux
---
 .../portage-stable/virtual/openssh/openssh-0-r1.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/portage-stable/virtual/openssh/openssh-0-r1.ebuild b/sdk_container/src/third_party/portage-stable/virtual/openssh/openssh-0-r1.ebuild
index a4c6991584d..7f4e466fd79 100644
--- a/sdk_container/src/third_party/portage-stable/virtual/openssh/openssh-0-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/virtual/openssh/openssh-0-r1.ebuild
@@ -6,7 +6,7 @@ EAPI=8 DESCRIPTION="Virtual for net-misc/openssh and variants" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" IUSE="ssl" RDEPEND=" From f60a6e61328b1722ffa79c0c5ee00179bc287a27 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 14 Oct 2025 08:58:31 +0200 Subject: [PATCH 169/213] overlay profiles: Add accept keywords for net-misc/openssh Signed-off-by: Krzesimir Nowak --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 7cfc1537dd6..20e10942757 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -92,6 +92,9 @@ dev-cpp/azure-security-keyvault-keys =net-misc/ntp-4.2.8_p18-r1 ~arm64 =net-nds/rpcbind-1.2.8 ~arm64 +# CVE-2025-61984, CVE-2025-61985 +=net-misc/openssh-10.2_p1 ~amd64 ~arm64 + # Packages are in Gentoo but not expected to be used outside Flatcar, so they # are generally never stabilised. Thus an unusual form is used to pick up the # latest version of the package with the unstable keywords. From 69a3609b73a2e1a57f8e793d38af1ab788610169 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 14 Oct 2025 14:05:19 +0200 Subject: [PATCH 170/213] changelog: Add entries Signed-off-by: Krzesimir Nowak Signed-off-by: Mathieu Tortuyaux --- changelog/security/2026-02-12-openssh.md | 1 + changelog/updates/2026-02-12-openssh.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/security/2026-02-12-openssh.md create mode 100644 changelog/updates/2026-02-12-openssh.md 
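Review bot: The new `=net-misc/openssh-10.2_p1 ~amd64 ~arm64` entry in the package.accept_keywords hunk matches that one revision only, so a later `-r1` of 10.2_p1 carrying a follow-up fix would not be accepted on either architecture until this line is edited by hand. The ntp and rpcbind entries above it use the same exact-version form, so this fits the file's convention, but for a package pulled forward for CVE-2025-61984 and CVE-2025-61985 a revision-tolerant atom such as `~net-misc/openssh-10.2_p1 ~amd64 ~arm64` may be the safer choice. The comment could also say when the override can be dropped, for example `# CVE-2025-61984, CVE-2025-61985; remove once a fixed openssh is stable on amd64/arm64`.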
diff --git a/changelog/security/2026-02-12-openssh.md b/changelog/security/2026-02-12-openssh.md new file mode 100644 index 00000000000..aa997b2c311 --- /dev/null +++ b/changelog/security/2026-02-12-openssh.md @@ -0,0 +1 @@ +- openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985)) diff --git a/changelog/updates/2026-02-12-openssh.md b/changelog/updates/2026-02-12-openssh.md new file mode 100644 index 00000000000..d66cdf14bda --- /dev/null +++ b/changelog/updates/2026-02-12-openssh.md @@ -0,0 +1 @@ +- base, dev: openssh ([10.2_p1](https://www.openssh.com/txt/release-10.2) (includes [10.1](https://www.openssh.com/txt/release-10.1))) From 86a2a6fa2f38624213d3d634f395ea1422055219 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 12 Feb 2026 13:50:42 +0000 Subject: [PATCH 171/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 2466f1b0639..1e18fb4e8b3 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-b3ddad1ab9390f23ab1028aa6feb4c6922ea03a8 +ghcr.io/flatcar/mantle:git-61d19496b65c9a683d0ef1545b9a618ee20295b3 From 83ce077677a28ab40e5b697db4831e9fafe1bd2e Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Thu, 12 Feb 2026 14:56:17 +0100 Subject: [PATCH 172/213] Revert "sys-kernel/coreos-modules: arm64: Enable CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE" This reverts commit 363f2810702b71e17cba5c543dc9568451e0b1a5. This unfortunately breaks the /boot size limit. 
Signed-off-by: Mathieu Tortuyaux
---
 changelog/changes/2026-02-4-enable-tracer-on-arm.md | 1 - .../sys-kernel/coreos-modules/files/commonconfig-6.12 | 6 ++---- 2 files changed, 2 insertions(+), 5 deletions(-) delete mode 100644 changelog/changes/2026-02-4-enable-tracer-on-arm.md
diff --git a/changelog/changes/2026-02-4-enable-tracer-on-arm.md b/changelog/changes/2026-02-4-enable-tracer-on-arm.md
deleted file mode 100644
index ce1994ee3a1..00000000000
--- a/changelog/changes/2026-02-4-enable-tracer-on-arm.md
+++ /dev/null
@@ -1 +0,0 @@
-- Function tracer (ftrace) enabled in ARM64 builds. (Enables CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE for observability and security tools) ([flatcar/scripts#3685](https://github.com/flatcar/scripts/pull/3685))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
index f0b681209a1..efc937e08b8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
@@ -178,7 +178,6 @@ CONFIG_DRM_VIRTIO_GPU=m
 CONFIG_DST_CACHE=y
 CONFIG_DUMMY=m
 CONFIG_DYNAMIC_DEBUG=y
-CONFIG_DYNAMIC_FTRACE=y
 CONFIG_E100=m
 CONFIG_E1000=m
 CONFIG_E1000E=m
@@ -215,9 +214,8 @@ CONFIG_FSCACHE_STATS=y
 CONFIG_FS_DAX=y
 CONFIG_FS_ENCRYPTION=y
 CONFIG_FTRACE_SYSCALLS=y
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUSE_DAX=y
 CONFIG_FUSE_FS=m
+CONFIG_FUSE_DAX=y
 CONFIG_FUSION=y
 CONFIG_FUSION_CTL=m
 CONFIG_FUSION_LOGGING=y
@@ -1008,12 +1006,12 @@ CONFIG_VIA_RHINE_MMIO=y
 CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 CONFIG_VIRTIO_CONSOLE=m
-CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 CONFIG_VIRTIO_MMIO=y
 CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
 CONFIG_VIRTIO_NET=m
 CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_VSOCKETS=m
 CONFIG_VIRT_DRIVERS=y
 CONFIG_VLAN_8021Q=m
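Review bot: The reason for dropping `CONFIG_FUNCTION_TRACER=y` and `CONFIG_DYNAMIC_FTRACE=y` (the /boot size limit) is recorded only in the commit message, so nothing in commonconfig-6.12 warns the next person who wants ftrace for tracing or runtime-security tooling. If the fragment format allows comments, a line where the options were removed would carry it, for example `# CONFIG_FUNCTION_TRACER / CONFIG_DYNAMIC_FTRACE stay off: enabling them exceeded the /boot size limit`. The second and third hunks also move `CONFIG_FUSE_DAX=y` after `CONFIG_FUSE_FS=m` and `CONFIG_VIRTIO_FS=m` after `CONFIG_VIRTIO_PCI=y`, which undoes what looks like alphabetical ordering; if that sorting was an unrelated cleanup in the reverted commit, it could be kept. Because the changelog entry is deleted as well, the revert presumably assumes the original change never reached a release, which is worth confirming.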
From 357e35e10f4ae26872ca53629f62c25068ba7e3c Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 12 Feb 2026 21:00:23 +0000 Subject: [PATCH 173/213] New version: stable-4459.2.3-nightly-20260212-2100 Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 59ccc9ed8e9..334e657bca6 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260210-2100
+FLATCAR_VERSION=4459.2.3+nightly-20260212-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260210-2100"
+FLATCAR_BUILD_ID="nightly-20260212-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From a16d9097fa513235012be620974e8aa0f7a33193 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Fri, 13 Feb 2026 21:00:23 +0000 Subject: [PATCH 174/213] New version: stable-4459.2.3-nightly-20260213-2100 Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 334e657bca6..c9bdc27ed5c 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260212-2100
+FLATCAR_VERSION=4459.2.3+nightly-20260213-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260212-2100"
+FLATCAR_BUILD_ID="nightly-20260213-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 383dbe2805af80c88358555ca9327e48a1fdb701 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 16 Feb 2026 07:31:29 +0000 Subject: [PATCH 175/213] app-misc/ca-certificates: Update from 3.120 to 3.120.1
Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-02-16-ca-certificates-3.120.1-update.md | 1 + .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +- ...certificates-3.120.ebuild => ca-certificates-3.120.1.ebuild} | 0 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-02-16-ca-certificates-3.120.1-update.md rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.120.ebuild => ca-certificates-3.120.1.ebuild} (100%) diff --git a/changelog/updates/2026-02-16-ca-certificates-3.120.1-update.md b/changelog/updates/2026-02-16-ca-certificates-3.120.1-update.md new file mode 100644 index 00000000000..bdcb30113ad --- /dev/null +++ b/changelog/updates/2026-02-16-ca-certificates-3.120.1-update.md @@ -0,0 +1 @@ +- ca-certificates ([3.120.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120_1.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest index a3c2af2388e..f96931a66ba 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest @@ -1 +1 @@ -DIST nss-3.120.tar.gz 77634611 BLAKE2B f1bff45d52a1c4580d522e1377c0f5af175b9ae52b5ba8edb4cffe0c42bbb1ba1e0382a493abffb9ca7f7a2ee46d8e6857b036f43cdda6328d432c2dc97572e4 SHA512 7ec5b6c94a5c7fde9c02c3f1a10964e9cf5fe99372c8fcdb2866d10ef4c9cd42abc26931574dbfc229c358e2615d7907136a595e3e17944369894c1201fc2c6e +DIST nss-3.120.1.tar.gz 77895555 BLAKE2B 01ef3591010cd33dd61962d58442c6d4eee553d38101d65f9f20a50b576f1ceef0fb9f674b2caf1eadcbef63b12d23c5e494112397cc8f546f7d48dc65ed8b47 SHA512 9eb9aaae7070f0c92612e75922d3c4646f26e989a5c4d935258cc1201ceeb72accc43cbe6af83609457991a9d1d4cb67429dc8a3f3ffeaccf15cca32689921bc 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1.ebuild From 1b3cca1772ac15a5e54e20d10a35e48a62ce2c65 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 16 Feb 2026 21:00:25 +0000 Subject: [PATCH 176/213] New version: stable-4459.2.3-nightly-20260216-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index c9bdc27ed5c..61f8feb7313 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.3+nightly-20260213-2100 +FLATCAR_VERSION=4459.2.3+nightly-20260216-2100 FLATCAR_VERSION_ID=4459.2.3 -FLATCAR_BUILD_ID="nightly-20260213-2100" +FLATCAR_BUILD_ID="nightly-20260216-2100" FLATCAR_SDK_VERSION=4459.0.0 From 5b582464402d15560a9f422c88bff8e8be5e8a1e Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 16 Feb 2026 21:00:37 +0000 Subject: [PATCH 177/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 1e18fb4e8b3..f38c3291e21 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-61d19496b65c9a683d0ef1545b9a618ee20295b3 +ghcr.io/flatcar/mantle:git-f24c29e24715e98bd9980f2ed1bd51323aa97673 From b113c479a6d6fc9d20f7e7c1cbe57885041842c1 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 17 Feb 2026 07:23:26 +0000 Subject: [PATCH 178/213] sys-kernel/coreos-sources: Update from 6.12.66 to 6.12.73 Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-02-17-linux-6.12.73-update.md | 1 + .../{hv-daemons-6.12.66.ebuild => hv-daemons-6.12.73.ebuild} | 0 ...oreos-kernel-6.12.66.ebuild => coreos-kernel-6.12.73.ebuild} | 0 ...eos-modules-6.12.66.ebuild => coreos-modules-6.12.73.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.66.ebuild => coreos-sources-6.12.73.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-02-17-linux-6.12.73-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.66.ebuild => hv-daemons-6.12.73.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.66.ebuild => coreos-kernel-6.12.73.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.66.ebuild => coreos-modules-6.12.73.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.66.ebuild => coreos-sources-6.12.73.ebuild} (100%) diff --git a/changelog/updates/2026-02-17-linux-6.12.73-update.md b/changelog/updates/2026-02-17-linux-6.12.73-update.md new file mode 100644 index 00000000000..18dfbccd19b --- /dev/null +++ b/changelog/updates/2026-02-17-linux-6.12.73-update.md 
@@ -0,0 +1 @@ +- Linux ([6.12.73](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.73) (includes [6.12.72](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.72), [6.12.71](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.71), [6.12.70](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.70), [6.12.69](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.69), [6.12.68](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.68), [6.12.67](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.67))) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.66.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.73.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.66.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.73.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.73.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.73.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.66.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.73.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.66.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.73.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 0eb81bef4c7..dde1224e6d9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.66.xz 3752552 BLAKE2B ed48dbfe0b583092e82f863702026e477809615f47bf4cab4cfb80bfebbed0dd938c92d2ab269267f5a7ae9a08ce984dbd2aa2ae56c48f0205b96fc3932c0bf9 SHA512 54230c57698f0d891742f70e6f8bb957c0b6d188ab8d5dc219b2a8b2ef9b8e0c7bcf51002a08f0f9c4b584f39378f0ac3f613c1a5a7562f8535d2fd05cfd71a4 +DIST patch-6.12.73.xz 3856712 BLAKE2B e5adcfd54e99e232b6c682b8baee915bc9fb2b1ed1a3b22e3077f6fa27573c1449f57549c4476b1e6f11f864ae9886091dfd335c1a99f81d039277aa75fc0575 SHA512 a93d89091de7931ec187cd3043967e90a6959dd8a223481bbe84e89e98fe0b7166de42e4c9fa97f9bbf11dae6551578d3d18a290d406e87a4aa541ff71cf690d 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.66.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.73.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.66.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.73.ebuild From 8893da08b88ad28c1b29ec6beb2e86d4b88de383 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 17 Feb 2026 10:33:34 +0100 Subject: [PATCH 179/213] app-misc/ca-certificates: use github URLs Between 3.120.1 and 3.120, we noticed this: ``` $ ls /var/tmp/portage/app-misc/ca-certificates-3.120-r1/work nss-3.120 $ ls /var/tmp/portage/app-misc/ca-certificates-3.120.1/work nss-NSS_3_120_1_RTM ``` The last one is using the GitHub release format - it seems the upstream pushed a GitHub release on the Mozilla Archive FTP server? Gentoo did the move as well: https://github.com/gentoo/gentoo/commit/b51bd45dedf684c89b2e5869c00189a13c31c869 Signed-off-by: Mathieu Tortuyaux --- ...tes-3.120.1.ebuild => ca-certificates-3.120.1-r1.ebuild} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.120.1.ebuild => ca-certificates-3.120.1-r1.ebuild} (93%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1-r1.ebuild similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1-r1.ebuild index 6e98e259178..ff112534960 100644 
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1-r1.ebuild @@ -9,11 +9,11 @@ inherit python-any-r1 systemd tmpfiles RTM_NAME="NSS_${PV//./_}_RTM" MY_PN="nss" MY_P="${MY_PN}-${PV}" -S="${WORKDIR}" +S="${WORKDIR}/${MY_PN}-${RTM_NAME}" DESCRIPTION="Mozilla's CA Certificate Store" HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/" -SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz" +SRC_URI="https://github.com/nss-dev/nss/archive/refs/tags/${RTM_NAME}.tar.gz -> ${MY_P}.tar.gz" # NSS is licensed under the MPL, files/certdata2pem.py is GPL LICENSE="MPL-2.0 GPL-2" @@ -72,7 +72,7 @@ gen_tmpfiles() { } src_compile() { - local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt" + local certdata="${S}/lib/ckfw/builtins/certdata.txt" ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die cd certs || die From cf926b3a59255a72168e4255f4e9c00a19593466 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 17 Feb 2026 21:00:25 +0000 Subject: [PATCH 180/213] New version: stable-4459.2.3-nightly-20260217-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 61f8feb7313..762cc8fc81d 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.3+nightly-20260216-2100 +FLATCAR_VERSION=4459.2.3+nightly-20260217-2100 FLATCAR_VERSION_ID=4459.2.3 -FLATCAR_BUILD_ID="nightly-20260216-2100" +FLATCAR_BUILD_ID="nightly-20260217-2100" FLATCAR_SDK_VERSION=4459.0.0 From a0cf01f760aa17001970d65165339acb31047653 Mon Sep 17 00:00:00 2001 
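Review bot: The new `SRC_URI` in the first ebuild hunk fetches a GitHub-generated tag archive but still stores it as `${MY_P}.tar.gz`, and this commit's diffstat lists only the renamed ebuild, so the existing `DIST nss-3.120.1.tar.gz` Manifest entry is the only integrity check on the input that becomes the CA bundle. Please confirm that entry was generated from the GitHub tarball and say in the commit message where the hashed file came from; if the recorded BLAKE2B/SHA512 belong to a different file, the fetch will fail verification. A comment above `S=` would also help, for example `# GitHub tag archives unpack to nss-${RTM_NAME}/ (no nested nss/ directory)`, because the second hunk's `${S}/lib/ckfw/builtins/certdata.txt` depends on that layout. The `src_compile` body continues past the second hunk.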
From: flatcar-ci
Date: Wed, 18 Feb 2026 21:00:23 +0000
Subject: [PATCH 181/213] New version: stable-4459.2.3-nightly-20260218-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 762cc8fc81d..91a70e2efe4 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260217-2100
+FLATCAR_VERSION=4459.2.3+nightly-20260218-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260217-2100"
+FLATCAR_BUILD_ID="nightly-20260218-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 7b882040d121f688daf8b2fd08f501fa3fc23543 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Wed, 18 Feb 2026 21:00:44 +0000
Subject: [PATCH 182/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index f38c3291e21..f72e4f3b96d 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-f24c29e24715e98bd9980f2ed1bd51323aa97673
+ghcr.io/flatcar/mantle:git-97666ba1295bcd65f40739a4b51c4571b4f8bacd
From bc305aaacd623d21dbf58b48e1f499731aadfea7 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 19 Feb 2026 21:00:27 +0000
Subject: [PATCH 183/213] New version: stable-4459.2.3-nightly-20260219-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 91a70e2efe4..24263d32a33 100644
--- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.3+nightly-20260218-2100 +FLATCAR_VERSION=4459.2.3+nightly-20260219-2100 FLATCAR_VERSION_ID=4459.2.3 -FLATCAR_BUILD_ID="nightly-20260218-2100" +FLATCAR_BUILD_ID="nightly-20260219-2100" FLATCAR_SDK_VERSION=4459.0.0 From 711c8d05665453e412c3f79de6243f886a281c3a Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 20 Feb 2026 07:22:50 +0000 Subject: [PATCH 184/213] sys-kernel/coreos-sources: Update from 6.12.73 to 6.12.74 Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-02-20-linux-6.12.74-update.md | 1 + .../{hv-daemons-6.12.73.ebuild => hv-daemons-6.12.74.ebuild} | 0 ...oreos-kernel-6.12.73.ebuild => coreos-kernel-6.12.74.ebuild} | 0 ...eos-modules-6.12.73.ebuild => coreos-modules-6.12.74.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.73.ebuild => coreos-sources-6.12.74.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-02-20-linux-6.12.74-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.73.ebuild => hv-daemons-6.12.74.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.73.ebuild => coreos-kernel-6.12.74.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.73.ebuild => coreos-modules-6.12.74.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.73.ebuild => coreos-sources-6.12.74.ebuild} (100%) diff --git a/changelog/updates/2026-02-20-linux-6.12.74-update.md b/changelog/updates/2026-02-20-linux-6.12.74-update.md new file mode 100644 index 00000000000..26c673d94f0 --- /dev/null +++ b/changelog/updates/2026-02-20-linux-6.12.74-update.md 
@@ -0,0 +1 @@ +- Linux ([6.12.74](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.74)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.73.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.74.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.73.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.74.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.73.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.74.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.73.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.74.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.73.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.74.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.73.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.74.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index dde1224e6d9..7ac8756da11 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.73.xz 3856712 BLAKE2B e5adcfd54e99e232b6c682b8baee915bc9fb2b1ed1a3b22e3077f6fa27573c1449f57549c4476b1e6f11f864ae9886091dfd335c1a99f81d039277aa75fc0575 SHA512 a93d89091de7931ec187cd3043967e90a6959dd8a223481bbe84e89e98fe0b7166de42e4c9fa97f9bbf11dae6551578d3d18a290d406e87a4aa541ff71cf690d +DIST patch-6.12.74.xz 3867664 BLAKE2B 1bebcfc1bdaafcfb9205870d72c815fcd69225ae6216ef859be09dab8798842559bcd9c725c039909e605085f2bf3e67ab56d2cd0baca01c475d0bc4bbd5419d SHA512 aca0c0c0ce0f2cc427aecbe55867297d013af298b3d10cafed5695166185a6933fdffec76fd3bb90a172591fbca9924ec5abd3d6b32bdf5d3eaee16a32abe76b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.73.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.74.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.73.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.74.ebuild From e3850985ce61a36e0ff9f050ca0cbd16dca1d032 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 23 Feb 2026 07:33:10 +0000 Subject: [PATCH 185/213] app-misc/ca-certificates: Update from 3.120 to 3.121 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-02-23-ca-certificates-3.121-update.md | 1 + .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +- ...tificates-3.120.1-r1.ebuild => ca-certificates-3.121.ebuild} | 0 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-02-23-ca-certificates-3.121-update.md rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.120.1-r1.ebuild => ca-certificates-3.121.ebuild} (100%) diff --git a/changelog/updates/2026-02-23-ca-certificates-3.121-update.md b/changelog/updates/2026-02-23-ca-certificates-3.121-update.md new file mode 100644 index 00000000000..c4e863a7182 --- /dev/null +++ b/changelog/updates/2026-02-23-ca-certificates-3.121-update.md @@ -0,0 +1 @@ +- ca-certificates ([3.121](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest index f96931a66ba..08dcb7765d4 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest @@ -1 +1 @@ -DIST nss-3.120.1.tar.gz 77895555 BLAKE2B 01ef3591010cd33dd61962d58442c6d4eee553d38101d65f9f20a50b576f1ceef0fb9f674b2caf1eadcbef63b12d23c5e494112397cc8f546f7d48dc65ed8b47 SHA512 9eb9aaae7070f0c92612e75922d3c4646f26e989a5c4d935258cc1201ceeb72accc43cbe6af83609457991a9d1d4cb67429dc8a3f3ffeaccf15cca32689921bc +DIST nss-3.121.tar.gz 77644546 BLAKE2B 972eedd73c46655a561956ac1a38814d96ce81767392532ecf42fe143f6f256a25a640d3b4b4829f4a7553d6d1961fc3e0279e740ca35d54ab6582742788cc31 SHA512 799cfb07bb806d3ab2786f7f1e88aa20ad490a0021a931b9382c08b08b6e6728367768335b05e15229f134275ee27ff153afaad78f07b394ef4c0b0e554e130c 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.121.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.120.1-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.121.ebuild From 63444d1830cda798e9bc77845e9cb5e93cc4efa4 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 26 Feb 2026 21:00:23 +0000 Subject: [PATCH 186/213] New version: stable-4459.2.3-nightly-20260226-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 24263d32a33..d8b78f5d844 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.3+nightly-20260219-2100 +FLATCAR_VERSION=4459.2.3+nightly-20260226-2100 FLATCAR_VERSION_ID=4459.2.3 -FLATCAR_BUILD_ID="nightly-20260219-2100" +FLATCAR_BUILD_ID="nightly-20260226-2100" FLATCAR_SDK_VERSION=4459.0.0 From 03170f1a4c2405383e6ad68f7005f5245afef09d Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Tue, 3 Mar 2026 08:49:46 +0000 Subject: [PATCH 187/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index f72e4f3b96d..5dfb27fb184 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-97666ba1295bcd65f40739a4b51c4571b4f8bacd
+ghcr.io/flatcar/mantle:git-80a351a1411fa6fcc14071f2ea287cab5fa08c73
From 03b556efd66715744fb7e3f50862b8a0152cf792 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Tue, 3 Mar 2026 15:11:48 +0530
Subject: [PATCH 188/213] New version: stable-4459.2.4
Signed-off-by: Sayan Chowdhury
---
 sdk_container/.repo/manifests/version.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index d8b78f5d844..86fb82ad9ea 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260226-2100
-FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260226-2100"
+FLATCAR_VERSION=4459.2.4
+FLATCAR_VERSION_ID=4459.2.4
+FLATCAR_BUILD_ID=""
 FLATCAR_SDK_VERSION=4459.0.0
From c3458962e31dbcd918a2fc033387dcd729da8a9d Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Wed, 4 Mar 2026 10:13:44 +0000
Subject: [PATCH 189/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 5dfb27fb184..9640fa624f2 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-80a351a1411fa6fcc14071f2ea287cab5fa08c73
+ghcr.io/flatcar/mantle:git-992d39ffff68eb019182d61ca4cc9e3ca215f29b
From 615eb8a85d606f39243382a729eae6ac1922c24c Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Thu, 5 Mar 2026 10:41:34 +0000
Subject: [PATCH 190/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 9640fa624f2..291a60fac6c 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-992d39ffff68eb019182d61ca4cc9e3ca215f29b
+ghcr.io/flatcar/mantle:git-f2aab0e1888699dce88490d2992e8dc8c28e041a
From 6da1177868e22ddc430590f63868faaf518828ea Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Thu, 5 Mar 2026 21:00:25 +0000
Subject: [PATCH 191/213] New version: stable-4459.2.3-nightly-20260305-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 86fb82ad9ea..6f2e0f528aa 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.4
-FLATCAR_VERSION_ID=4459.2.4
-FLATCAR_BUILD_ID=""
+FLATCAR_VERSION=4459.2.3+nightly-20260305-2100
+FLATCAR_VERSION_ID=4459.2.3
+FLATCAR_BUILD_ID="nightly-20260305-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 77be4952c4d89bb3e35d883c8bb70ebf7cbb0feb Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Fri, 6 Mar 2026 14:33:27 +0000
Subject: [PATCH 192/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 291a60fac6c..4543e6ec128 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-f2aab0e1888699dce88490d2992e8dc8c28e041a
+ghcr.io/flatcar/mantle:git-11e6d8631fbe754dc4016bed1a18922159abc753
From 6e25557b7133e06b63d31bc26cf102ac9b6a2241 Mon Sep 17 00:00:00 2001
From: flatcar-ci
Date: Fri, 6 Mar 2026 21:00:25 +0000
Subject: [PATCH 193/213] New version: stable-4459.2.3-nightly-20260306-2100
Signed-off-by: flatcar-ci
---
 sdk_container/.repo/manifests/version.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
index 6f2e0f528aa..74b35136830 100644
--- a/sdk_container/.repo/manifests/version.txt
+++ b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4459.2.3+nightly-20260305-2100
+FLATCAR_VERSION=4459.2.3+nightly-20260306-2100
 FLATCAR_VERSION_ID=4459.2.3
-FLATCAR_BUILD_ID="nightly-20260305-2100"
+FLATCAR_BUILD_ID="nightly-20260306-2100"
 FLATCAR_SDK_VERSION=4459.0.0
From 66e324754638732d144b8944aee073e31be6702d Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 9 Mar 2026 09:57:00 +0000
Subject: [PATCH 194/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot
---
 sdk_container/.repo/manifests/mantle-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index 4543e6ec128..5f66373bff0 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-11e6d8631fbe754dc4016bed1a18922159abc753
+ghcr.io/flatcar/mantle:git-6f8b9b8b4da41917027b2d0a06fb4f15d27635aa
From 7efbf93bd824645e11f68c36fc51e4baf8b44fd4 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 9 Mar 2026 13:35:50 +0000
Subject: [PATCH 195/213] Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 5f66373bff0..178f9082e5d 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-6f8b9b8b4da41917027b2d0a06fb4f15d27635aa +ghcr.io/flatcar/mantle:git-188106b2341b5392fe0d9fe03692f2ff45eeaad4 From ce7c7d3d5406d5fff59c4a06a432b7da06572fb4 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 2 Mar 2026 15:05:38 +0100 Subject: [PATCH 196/213] Revert "app-misc/ca-certificates: use github URLs" This reverts commit 25de567365b64397fb9de6245ea80be005001768. I think that the reverted commit was trying to fix a "non-error". On Gentoo distfiles, it that seems a glitch has occured on ca-certificates-3.120.1, as the decompressed archive tree files is not consistent from one release to the other: ``` $ wget http://distfiles.gentoo.org/distfiles/37/nss-3.120.1.tar.gz $ wget http://distfiles.gentoo.org/distfiles/43/nss-3.121.tar.gz $ tar -xf nss-3.120.1.tar.gz $ tar -xf nss-3.121.tar.gz $ ls -l nss-3.121/nss total 88 drwxr-xr-x 8 tormath1 tormath1 160 Mar 2 15:00 automation -rwxr-xr-x 1 tormath1 tormath1 9183 Feb 19 10:30 build.sh ... $ ls -l nss-NSS_3_120_1_RTM/ total 88 drwxr-xr-x 8 tormath1 tormath1 160 Feb 11 19:19 automation -rwxr-xr-x 1 tormath1 tormath1 9183 Feb 11 19:19 build.sh ... ``` Signed-off-by: Mathieu Tortuyaux --- .../app-misc/ca-certificates/ca-certificates-3.121.ebuild | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.121.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.121.ebuild index ff112534960..6e98e259178 100644 
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.121.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.121.ebuild @@ -9,11 +9,11 @@ inherit python-any-r1 systemd tmpfiles RTM_NAME="NSS_${PV//./_}_RTM" MY_PN="nss" MY_P="${MY_PN}-${PV}" -S="${WORKDIR}/${MY_PN}-${RTM_NAME}" +S="${WORKDIR}" DESCRIPTION="Mozilla's CA Certificate Store" HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/" -SRC_URI="https://github.com/nss-dev/nss/archive/refs/tags/${RTM_NAME}.tar.gz -> ${MY_P}.tar.gz" +SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz" # NSS is licensed under the MPL, files/certdata2pem.py is GPL LICENSE="MPL-2.0 GPL-2" @@ -72,7 +72,7 @@ gen_tmpfiles() { } src_compile() { - local certdata="${S}/lib/ckfw/builtins/certdata.txt" + local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt" ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die cd certs || die From b2e46ce6ccbab096159879541873e486c175f707 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 9 Mar 2026 16:57:01 +0100 Subject: [PATCH 197/213] image_changes: update PATH variable For some reasons, the '#!/usr/bin/env python3' command of the 'show-fixed-kernel-cves.py' started to resolve 'python3' before reaching the 'ci-automation/python-bin' PATH location. So 'feedparser' was not installed, so it was failing. I guess we shipped some Python updates providing 'python3' resolution, or we stopped masked some Python related stuffs into the SDK. Flipping the 'ci-automation/python-bin' should fix the issue and it should not have any side-effects as this is scopped only on the 'show-changes' script call. Signed-off-by: Mathieu Tortuyaux --- ci-automation/image_changes.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
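Review bot: After this revert, `certdata` in the `src_compile` hunk is again relative to the current directory and assumes the Mozilla tarball unpacks to `${MY_P}/nss/`, which the commit message itself shows was not the case for 3.120.1. Because this file is the input for the shipped trust store, I would anchor the path and fail with a clear message when the layout differs: `local certdata="${WORKDIR}/${MY_P}/nss/lib/ckfw/builtins/certdata.txt"` followed by `[[ -f ${certdata} ]] || die "certdata.txt not found: ${certdata}"`. The rest of `src_compile` lies outside the hunk.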
diff --git a/ci-automation/image_changes.sh b/ci-automation/image_changes.sh index 8c4ffd253a6..8a3b8606372 100644 --- a/ci-automation/image_changes.sh +++ b/ci-automation/image_changes.sh @@ -78,7 +78,7 @@ function ricj_callback() { ) show_changes_env+=( # Provide a python3 command for the CVE DB parsing - "PATH=${PATH}:${PWD}/ci-automation/python-bin" + "PATH=${PWD}/ci-automation/python-bin:${PATH}" # Override the default locations of repositories. "SCRIPTS_REPO=." "COREOS_OVERLAY_REPO=../coreos-overlay" From 8d2f02f1a0adf8034819c35c8cab5a5fc5690a31 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 9 Mar 2026 21:00:27 +0000 Subject: [PATCH 198/213] New version: stable-4459.2.4-nightly-20260309-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 74b35136830..df26ea359bb 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.3+nightly-20260306-2100 -FLATCAR_VERSION_ID=4459.2.3 -FLATCAR_BUILD_ID="nightly-20260306-2100" +FLATCAR_VERSION=4459.2.4+nightly-20260309-2100 +FLATCAR_VERSION_ID=4459.2.4 +FLATCAR_BUILD_ID="nightly-20260309-2100" FLATCAR_SDK_VERSION=4459.0.0 From 4370a3457fb0ac0b4f79bc6930264aa3219e0b2c Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Tue, 10 Mar 2026 14:07:14 +0100 Subject: [PATCH 199/213] Change shebang for run_sdk_container Signed-off-by: Robin Schneider --- run_sdk_container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/run_sdk_container b/run_sdk_container index 18d45ef0a09..da92212532f 100755 --- a/run_sdk_container +++ b/run_sdk_container @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Copyright (c) 2021 The Flatcar Maintainers. # Use of this source code is governed by a BSD-style license that can be 
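Review bot: In the `ci-automation/image_changes.sh` hunk, putting `${PWD}/ci-automation/python-bin` first in `PATH` lets every executable in that directory shadow the system one for the show-changes call, not only `python3`, and the directory is resolved from whatever `PWD` is when `ricj_callback` runs. The comment above the entry still reads as if it were a fallback; I would reword it to `# Prepend so the python3 provided in ci-automation/python-bin wins over any python3 already on PATH; keep that directory limited to python3.` The contents of python-bin are not visible here, so it is worth checking that nothing else lives there. The body of `ricj_callback` starts and ends outside the hunk.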
From 168b068a8ecc7f6190c315ee52af2d889e107c4d Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Tue, 10 Mar 2026 12:15:46 +0000 Subject: [PATCH 200/213] ci-automation: Allow overriding Mantle container name and tag MANTLE_REF will be optionally passed by Jenkins. Signed-off-by: James Le Cuirot --- ci-automation/test.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/ci-automation/test.sh b/ci-automation/test.sh index 04890e47467..24ba85bb19e 100644 --- a/ci-automation/test.sh +++ b/ci-automation/test.sh @@ -18,7 +18,8 @@ # # 1. SDK version and OS image version are recorded in sdk_container/.repo/manifests/version.txt # 2. Scripts repo version tag of OS image version to be built is available and checked out. -# 3. Mantle container docker image reference is stored in sdk_container/.repo/manifests/mantle-container. +# 3. Mantle container name and tag is stored in sdk_container/.repo/manifests/mantle-container +# (or MANTLE_REF is set). # 4. Vendor image to run tests for are available on buildcache # ( images/[ARCH]/[FLATCAR_VERSION]/ ) # @@ -36,6 +37,7 @@ # MAX_RETRIES. Environment variable. Number of re-runs to overcome transient failures. Defaults to 20. # PARALLEL_TESTS. Environment variable. Number of test cases to run in parallel. # Default is image / vendor specific and defined in ci-automation/ci-config.env. +# MANTLE_REF. Environment variable. Overrides the Mantle container name and tag to run the tests with. # # OUTPUT: # @@ -129,8 +131,8 @@ function _test_run_impl() { get_git_channel >"${work_dir}/git_channel" local container_name="flatcar-tests-${arch}-${docker_vernum}-${image}" - local mantle_ref - mantle_ref=$(cat sdk_container/.repo/manifests/mantle-container) + local -I MANTLE_REF + : "${MANTLE_REF:=$(< sdk_container/.repo/manifests/mantle-container)}" local tap_merged_summary="results-${image}" local tap_merged_detailed="results-${image}-detailed" 
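Review bot: `local -I MANTLE_REF` in the `_test_run_impl` hunk (`@@ -129,8 +131,8 @@`) requires bash 5.1 or newer, and older bash rejects the option. A form that works on any bash and keeps the value function-local is `local mantle_ref="${MANTLE_REF:-$(< sdk_container/.repo/manifests/mantle-container)}"`, with the two `docker run` calls left on `${mantle_ref}`. I would also print the effective reference once, e.g. `echo "Using Mantle container: ${mantle_ref}" >&2`, so the test logs record which image actually ran when Jenkins overrides it. The function body starts and ends outside the hunk.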
@@ -168,7 +170,7 @@ function _test_run_impl() { set +e touch sdk_container/.env docker run --pull always --rm --name="${container_name}" --privileged --net host -v /dev:/dev \ - -w /work -v "$PWD":/work "${mantle_ref}" \ + -w /work -v "$PWD":/work "${MANTLE_REF}" \ bash -c "git config --global --add safe.directory /work && \ source sdk_container/.env && \ ci-automation/vendor-testing/${image_escaped}.sh ${common_test_args_escaped[*]} ${tapfile_escaped} ${tests_escaped[*]}" @@ -177,7 +179,7 @@ function _test_run_impl() { # Note: git safe.directory is not set in this run as it does not use git docker run --pull always --rm --name="${container_name}" --privileged --net host -v /dev:/dev \ - -w /work -v "$PWD":/work "${mantle_ref}" \ + -w /work -v "$PWD":/work "${MANTLE_REF}" \ ci-automation/test_update_reruns.sh \ "${arch}" "${vernum}" "${image}" "${retry}" \ "${tests_dir}/${tapfile}" \ From a06d4cf6ec1d6713f471646bbdf8707def235d62 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 10 Mar 2026 21:00:26 +0000 Subject: [PATCH 201/213] New version: stable-4459.2.4-nightly-20260310-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index df26ea359bb..9974595f265 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.4+nightly-20260309-2100 +FLATCAR_VERSION=4459.2.4+nightly-20260310-2100 FLATCAR_VERSION_ID=4459.2.4 -FLATCAR_BUILD_ID="nightly-20260309-2100" +FLATCAR_BUILD_ID="nightly-20260310-2100" FLATCAR_SDK_VERSION=4459.0.0 From 6be1bbfa095c72efa5422ee4558a958e65d6d385 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 11 Mar 2026 08:43:59 +0000 Subject: [PATCH 202/213] Update mantle container image to latest HEAD 
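Review bot: Both `docker run` calls in `_test_run_impl` (the hunks at -168/+170 and -177/+179 of ci-automation/test.sh) now take the image from `MANTLE_REF`, and that container runs with `--privileged --net host` and with `/dev` and the work tree mounted, so whatever sets the variable decides which code gets host-level access on the CI worker. I would log the effective reference before the first run, `echo "Using Mantle container: ${MANTLE_REF}" >&2`, and reject values outside the expected repository, e.g. `[[ "${MANTLE_REF}" == ghcr.io/flatcar/mantle[:@]* ]] || return 1`, unless Jenkins is meant to pass other registries. With `--pull always` a tag-only override is resolved anew on every run, so a digest-qualified reference is the form that actually pins the image. The function starts and ends outside the hunks.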
Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 178f9082e5d..d0a919071bd 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-188106b2341b5392fe0d9fe03692f2ff45eeaad4 +ghcr.io/flatcar/mantle:git-a137683fa47b986718750164b7ba15602a2bea3b From de17f218bedeac960e748964ade69617cfc1bbbc Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 11 Mar 2026 17:08:50 +0000 Subject: [PATCH 203/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index d0a919071bd..3fd36550277 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-a137683fa47b986718750164b7ba15602a2bea3b +ghcr.io/flatcar/mantle:git-ae93fe39bddc2b568585c8cad35f403b452af9de From d782e1985bf0c0b13c74b54f4622bb759b5cd5b8 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Wed, 11 Mar 2026 21:00:26 +0000 Subject: [PATCH 204/213] New version: stable-4459.2.4-nightly-20260311-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 9974595f265..b6a749ecb79 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt 
@@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.4+nightly-20260310-2100 +FLATCAR_VERSION=4459.2.4+nightly-20260311-2100 FLATCAR_VERSION_ID=4459.2.4 -FLATCAR_BUILD_ID="nightly-20260310-2100" +FLATCAR_BUILD_ID="nightly-20260311-2100" FLATCAR_SDK_VERSION=4459.0.0 From c3b5446b236c05742b584367d38368fda088ba47 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 12 Mar 2026 21:00:23 +0000 Subject: [PATCH 205/213] New version: stable-4459.2.4-nightly-20260312-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index b6a749ecb79..a9c0dd4055d 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.4+nightly-20260311-2100 +FLATCAR_VERSION=4459.2.4+nightly-20260312-2100 FLATCAR_VERSION_ID=4459.2.4 -FLATCAR_BUILD_ID="nightly-20260311-2100" +FLATCAR_BUILD_ID="nightly-20260312-2100" FLATCAR_SDK_VERSION=4459.0.0 From aad16440eff0441ab892a3c03d9830e485de95c0 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Sat, 14 Mar 2026 07:17:16 +0000 Subject: [PATCH 206/213] sys-kernel/coreos-sources: Update from 6.12.74 to 6.12.77 
Signed-off-by: Flatcar Buildbot --- changelog/updates/2026-03-14-linux-6.12.77-update.md | 1 + .../{hv-daemons-6.12.74.ebuild => hv-daemons-6.12.77.ebuild} | 0 ...oreos-kernel-6.12.74.ebuild => coreos-kernel-6.12.77.ebuild} | 0 ...eos-modules-6.12.74.ebuild => coreos-modules-6.12.77.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...eos-sources-6.12.74.ebuild => coreos-sources-6.12.77.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2026-03-14-linux-6.12.77-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.12.74.ebuild => hv-daemons-6.12.77.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.12.74.ebuild => coreos-kernel-6.12.77.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.12.74.ebuild => coreos-modules-6.12.77.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.12.74.ebuild => coreos-sources-6.12.77.ebuild} (100%) diff --git a/changelog/updates/2026-03-14-linux-6.12.77-update.md b/changelog/updates/2026-03-14-linux-6.12.77-update.md new file mode 100644 index 00000000000..ca4320334b8 --- /dev/null +++ b/changelog/updates/2026-03-14-linux-6.12.77-update.md @@ -0,0 +1 @@ +- Linux ([6.12.77](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.77) (includes [6.12.76](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.76), [6.12.75](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.75))) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.74.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.77.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.74.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.77.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.74.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.77.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.74.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.77.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.74.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.77.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.74.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.77.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 7ac8756da11..360e28b840d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@ DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548 -DIST patch-6.12.74.xz 3867664 BLAKE2B 1bebcfc1bdaafcfb9205870d72c815fcd69225ae6216ef859be09dab8798842559bcd9c725c039909e605085f2bf3e67ab56d2cd0baca01c475d0bc4bbd5419d SHA512 aca0c0c0ce0f2cc427aecbe55867297d013af298b3d10cafed5695166185a6933fdffec76fd3bb90a172591fbca9924ec5abd3d6b32bdf5d3eaee16a32abe76b +DIST patch-6.12.77.xz 4122856 BLAKE2B 3f4be903ad737df00882bb90a0640aacccfa9588d7c407b964897f0c10aeb6d85be5285afe56433d018bb4908cae12b2f1890469db19c3417a9e758bbfea758e SHA512 cd1b18ee8af12f0d18c17f7695cbbd74d78f9ff39cc642319b5c7c22f66ab73c83aaa1cca289004fc88d769af8df37d3664e4447854d0eaa15212d916f79d691 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.74.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.77.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.74.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.77.ebuild From d0e48460e4fc77f1dacd1d4b5c162be945306c87 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 16 Mar 2026 11:35:15 +0000 Subject: [PATCH 207/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 3fd36550277..9f46ba2a337 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container 
@@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-ae93fe39bddc2b568585c8cad35f403b452af9de +ghcr.io/flatcar/mantle:git-7c88868bd7fe8c481d115742e552f88b4892721c From 9082c4e1e9ba5c8966e0efdb11364238526866b9 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 16 Mar 2026 21:00:25 +0000 Subject: [PATCH 208/213] New version: stable-4459.2.4-nightly-20260316-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index a9c0dd4055d..c1fece6c424 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.4+nightly-20260312-2100 +FLATCAR_VERSION=4459.2.4+nightly-20260316-2100 FLATCAR_VERSION_ID=4459.2.4 -FLATCAR_BUILD_ID="nightly-20260312-2100" +FLATCAR_BUILD_ID="nightly-20260316-2100" FLATCAR_SDK_VERSION=4459.0.0 From 850c31638fc37b35d6daf7c37e6b6da7a84628e7 Mon Sep 17 00:00:00 2001 
From: James Le Cuirot Date: Tue, 20 May 2025 14:31:43 +0100 Subject: [PATCH 209/213] sys-kernel/coreos-modules: Install external mod build files with script The kernel now includes a script for installing the files needed to build out-of-tree modules, rendering our existing code obsolete. The layout is different, but we were following Ubuntu's non-standard layout when there was no need to. Ubuntu's approach is seemingly designed to save space by symlinking common files across different platforms, but Flatcar doesn't need to do this. More importantly, our previous approach relied on a kernel patch we have carried for years that no longer applies from v6.13. The patch cannot simply be reworked as the underlying mechanism has changed. This clears the last major blocker for the arm64 SDK as the previous approach also relied on implicit execution by QEMU. There has been concern that this may break compatibility with some modules, but I have not seen any issues in practise. I have symlinked `source` to `build` even though we don't install the full kernel sources because this is what Fedora does, and it makes the layout resemble Ubuntu a little more. Should any issues arise, I will gladly work with upstreams to resolve them or otherwise make adjustments. Signed-off-by: James Le Cuirot Signed-off-by: Mathieu Tortuyaux --- changelog/changes/2025-10-30-kmod-build.md | 1 + .../eclass/coreos-kernel.eclass | 86 +------------------ .../coreos-modules-6.12.77.ebuild | 39 ++++----- 3 files changed, 18 insertions(+), 108 deletions(-) create mode 100644 changelog/changes/2025-10-30-kmod-build.md diff --git a/changelog/changes/2025-10-30-kmod-build.md b/changelog/changes/2025-10-30-kmod-build.md new file mode 100644 index 00000000000..009254d3fdf --- /dev/null +++ b/changelog/changes/2025-10-30-kmod-build.md 
@@ -0,0 +1 @@ +- The way that files for building custom kernel modules are installed has changed from a Ubuntu-inspired method to the standard upstream kernel method. In the unlikely event that this breaks your module builds, please let the Flatcar team know immediately. diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass index 73b2a8b5ca1..8653f315a89 100644 --- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass +++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass @@ -117,10 +117,10 @@ kmake() { if gcc-specs-pie; then kernel_cflags="-nopie -fstack-check=no ${kernel_cflags}" fi - emake "--directory=${S}/source" \ + emake "--directory=${KERNEL_DIR}" \ ARCH="${kernel_arch}" \ CROSS_COMPILE="${CHOST}-" \ - KBUILD_OUTPUT="../build" \ + KBUILD_OUTPUT="${S}/build" \ KCFLAGS="${kernel_cflags}" \ LDFLAGS="" \ "V=1" \ 
@@ -206,85 +206,6 @@ setup_keys() { popd } -# Populate /lib/modules/$(uname -r)/{build,source} -install_build_source() { - local kernel_arch=$(tc-arch-kernel) - local host_kernel_arch=$(tc-ninja_magic_to_arch kern "${CBUILD}") - - # NOTE: We have to get ${archabspaths} before removing symlinks under - # /usr/lib/modules. However, do not exclude "dt-bindings" for now, - # as it looks architecture-independent. - local archabspaths=($(ls -1d ${D}/usr/lib/modules/${KV_FULL}/source/scripts/dtc/include-prefixes/* \ - | grep -v dt-bindings )) - - # remove the broken symlinks referencing $ROOT - rm "${D}/usr/lib/modules/${KV_FULL}/build" || die - - # Compose list of architectures to be excluded from the kernel modules - # tree in the final image. It is an array to be used as a pattern for - # grep command below at the end of "find source/scripts" command for - # fetching kernel modules list, e.g.: - # find source/scripts -follow -print \ - # | grep -E -v -w "include-prefixes/arc|include-prefixes/xtensa" - declare -a excarchlist - local excarchstr - - for apath in "${archabspaths[@]}"; do - local arch - arch=$(basename "${apath}") - if [[ "${arch}" != "${kernel_arch}" ]]; then - excarchlist+=("include-prefixes/${arch}") - - # Do not append delimiter '|' in case of the last element. - if [[ "${apath}" != "${archabspaths[-1]}" ]]; then - excarchlist+=("|") - fi - fi - done - - # Remove every whitespace from the grep pattern string, to make pattern - # matching work well. - excarchstr=$(echo "${excarchlist[@]}" | sed -e 's/[[:space:]]*//g') - - # Install a stripped source for out-of-tree module builds (Debian-derived) - # - # NOTE: we need to exclude unsupported architectures from source/scripts, - # to prevent the final image from having unnecessary directories under - # /usr/lib/modules/${KV_FULL}/source/scripts/dtc/include-prefixes. - # The grep must run with "-w" to exclude exact patterns like either arm - # or arm64. 
- { - echo source/Makefile - find source/arch/${host_kernel_arch} -follow -maxdepth 1 -name 'Makefile*' -print - find source/arch/${kernel_arch} -follow -maxdepth 1 -name 'Makefile*' -print - find source/arch/${kernel_arch} -follow \( -name 'module.lds' -o -name 'Kbuild.platforms' -o -name 'Platform' \) -print - find $(find source/arch/${kernel_arch} -follow \( -name include -o -name scripts \) -follow -type d -print) -print - find source/include -follow -print - find source/scripts -follow -print | grep -E -v -w "${excarchstr}" - find build/ -print - } | cpio -pd \ - --preserve-modification-time \ - --owner=root:root \ - --dereference \ - "${D}/usr/lib/modules/${KV_FULL}" || die - # ./build/source is a symbolic link so cpio ends up creating an empty dir. - # Restore the symlink. - pushd "${D}/usr/lib/modules/${KV_FULL}" - rmdir build/source || die - ln -sr source build || die - # Symlink includes into the build directory to resemble Ubuntu's /lib/modules - # layout. This lets the Nvidia driver build when passing SYSSRC=/lib/modules/../build - # instead of requiring SYSOUT/SYSSRC. - { - find source/include -mindepth 1 -maxdepth 1 -type d - find source/arch/${kernel_arch}/include -mindepth 1 -maxdepth 1 -type d - } | while read src; do - dst="${src/source/build}" - ln -sr "${src}" "${dst}" || die - done || die - popd -} - coreos-kernel_pkg_pretend() { [[ "${MERGE_TYPE}" == binary ]] && return @@ -302,10 +223,7 @@ coreos-kernel_pkg_setup() { } coreos-kernel_src_unpack() { - # we more or less reproduce the layout in /lib/modules/$(uname -r)/ mkdir -p "${S}/build" || die - mkdir -p "${S}/source" || die - ln -s "${KERNEL_DIR}"/* "${S}/source/" || die } coreos-kernel_src_configure() { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.77.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.77.ebuild index 88f3f5b5964..983c2321d00 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.77.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.77.ebuild 
@@ -35,41 +35,32 @@ src_compile() { } src_install() { + local build="lib/modules/${KV_FULL}/build" + # Install modules to /usr. - # Install firmware to a temporary (bogus) location. - # The linux-firmware package will be used instead. # Stripping must be done here, not portage, to preserve sigs. - kmake INSTALL_MOD_PATH="${D}/usr" \ + kmake INSTALL_MOD_PATH="${ED}/usr" \ INSTALL_MOD_STRIP="--strip-debug" \ - INSTALL_FW_PATH="${T}/fw" \ modules_install # Install to /usr/lib/debug with debug symbols intact - kmake INSTALL_MOD_PATH="${D}/usr/lib/debug/usr" \ - INSTALL_FW_PATH="${T}/fw" \ + kmake INSTALL_MOD_PATH="${ED}/usr/lib/debug/usr" \ modules_install - rm "${D}/usr/lib/debug/usr/lib/modules/${KV_FULL}/"modules.* || die - rm "${D}/usr/lib/debug/usr/lib/modules/${KV_FULL}/build" || die - - # Clean up the build tree - kmake clean + rm "${ED}/usr/lib/debug/usr/lib/modules/${KV_FULL}"/{build,modules.*} || die - # TODO: ensure that fixdep and kbuild tools shipped inside the image - # are native (we previously shipped amd64 binaries on arm64). - # Upstream has a new script from v6.12 that we might be able to use: - # scripts/package/install-extmod-build - kmake HOSTLD=$(tc-getLD) HOSTCC=$(tc-getCC) cmd_and_fixdep='$(cmd)' modules_prepare - kmake clean + # Replace the broken /lib/modules/${KV_FULL}/build symlink with a copy of + # the files needed to build out-of-tree modules. + rm "${ED}/usr/${build}" || die + kmake run-command KBUILD_RUN_COMMAND="${KERNEL_DIR}/scripts/package/install-extmod-build ${ED}/usr/${build}" - find "build/" -type d -empty -delete || die - rm "build/.config.old" || die - - # Install /lib/modules/${KV_FULL}/{build,source} - install_build_source + # Install the original config because the above doesn't. + insinto "/usr/${build}" + doins build/.config # Not strictly required but this is where we used to install the config. 
- dodir "/usr/boot" - local build="lib/modules/${KV_FULL}/build" dosym "../${build}/.config" "/usr/boot/config-${KV_FULL}" dosym "../${build}/.config" "/usr/boot/config" + + # Symlink "source" to "build" for compatibility. Fedora does this. + dosym build "/usr/${build}/../source" } From d5c6465c319283189bfee7777c5e9ab0816c8752 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 22 May 2025 18:38:21 +0100 Subject: [PATCH 210/213] There is no need to set KERNEL_DIR anymore now linux-mod-r1 is fixed Signed-off-by: James Le Cuirot Signed-off-by: Mathieu Tortuyaux --- .../coreos-overlay/coreos/config/env/sys-fs/zfs-kmod | 3 --- .../coreos/config/env/x11-drivers/nvidia-drivers | 3 --- 2 files changed, 6 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-fs/zfs-kmod b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-fs/zfs-kmod index 5f7fa2a9a89..f7951a4d39f 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-fs/zfs-kmod +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-fs/zfs-kmod @@ -1,6 +1,3 @@ -: ${MODULES_ROOT:=$(echo ${SYSROOT}/lib/modules/*)} -KERNEL_DIR="${MODULES_ROOT}/build" - # This addresses an issue with the kernel version compatibility check # when installing zfs-kmod to /build/ (e.g. via build_packages) # from its binpkg (i.e. not recompiling it). diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/x11-drivers/nvidia-drivers b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/x11-drivers/nvidia-drivers index 5f7fa2a9a89..f7951a4d39f 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/x11-drivers/nvidia-drivers +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/x11-drivers/nvidia-drivers 
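Review bot: In `src_install` of coreos-modules-6.12.77.ebuild, the removed TODO was the only place that recorded the requirement that fixdep and the other kbuild host tools shipped in the image be built for the target rather than the build machine, and the new `run-command` line carries no comment saying that `install-extmod-build` is now relied on for that. I would add above it something like `# install-extmod-build is relied on to ship target-native kbuild tools (fixdep etc.); re-check on arm64 when bumping the kernel.` Separately, `KBUILD_RUN_COMMAND` interpolates `${KERNEL_DIR}` and `${ED}` into a single string that, as far as I know, kbuild hands to a shell, so both paths are word-split again there; single-quoting them inside the string would make that robust, although Portage paths normally contain no whitespace.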
@@ -1,6 +1,3 @@ -: ${MODULES_ROOT:=$(echo ${SYSROOT}/lib/modules/*)} -KERNEL_DIR="${MODULES_ROOT}/build" - # This addresses an issue with the kernel version compatibility check # when installing zfs-kmod to /build/ (e.g. via build_packages) # from its binpkg (i.e. not recompiling it). From b5069383deba7c05a463bed915ba869109792c97 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Tue, 17 Mar 2026 21:00:25 +0000 Subject: [PATCH 211/213] New version: stable-4459.2.4-nightly-20260317-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index c1fece6c424..1c12e6927e6 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.4+nightly-20260316-2100 +FLATCAR_VERSION=4459.2.4+nightly-20260317-2100 FLATCAR_VERSION_ID=4459.2.4 -FLATCAR_BUILD_ID="nightly-20260316-2100" +FLATCAR_BUILD_ID="nightly-20260317-2100" FLATCAR_SDK_VERSION=4459.0.0 From e4a917d0075cee830f77c998263bc61b23b1e15c Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 18 Mar 2026 11:24:39 +0000 Subject: [PATCH 212/213] Update mantle container image to latest HEAD Signed-off-by: Flatcar Buildbot --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index 9f46ba2a337..3066df0de61 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-7c88868bd7fe8c481d115742e552f88b4892721c +ghcr.io/flatcar/mantle:git-eee95857ce80d8740f8bb756ac2358a2b1dee73f From 8998f288e62398b946c2fa67354784c3abf04101 Mon Sep 17 00:00:00 2001 
From: flatcar-ci Date: Wed, 18 Mar 2026 21:00:28 +0000 Subject: [PATCH 213/213] New version: stable-4459.2.4-nightly-20260318-2100 Signed-off-by: flatcar-ci --- sdk_container/.repo/manifests/version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 1c12e6927e6..ed16b4bf944 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4459.2.4+nightly-20260317-2100 +FLATCAR_VERSION=4459.2.4+nightly-20260318-2100 FLATCAR_VERSION_ID=4459.2.4 -FLATCAR_BUILD_ID="nightly-20260317-2100" +FLATCAR_BUILD_ID="nightly-20260318-2100" FLATCAR_SDK_VERSION=4459.0.0