import systemd-256-3.el10

.systemd.metadata

-49cbc5dac1e76e6345b5c594650b7bbe0ec5af0abd38f61b35e4960bcdf3ce24  SOURCES/systemd-256.tar.gz
+4825b82700e1acf02ba81885652406e75d0c674c129a1a7e488e5b5200a17998  SOURCES/systemd-256.tar.gz

SOURCES/0001-Create-CNAME.patch

+From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 11 Jun 2024 23:04:12 +0100
+Subject: [PATCH] Create CNAME
+
+---
+ docs/CNAME | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 docs/CNAME
+
+diff --git a/docs/CNAME b/docs/CNAME
+new file mode 100644
+index 0000000000..cdcf4d9a52
+--- /dev/null
++++ b/docs/CNAME
+@@ -0,0 +1 @@
++systemd.io
+\ No newline at end of file

SOURCES/0002-man-systemd-reorder-content-a-bit.patch

+From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Jun 2024 11:28:21 +0200
+Subject: [PATCH] man/systemd: reorder content a bit
+
+Section "Description" didn't actually say what systemd does. And we had a giant
+"Concepts" section that actually described units types and other details about
+them. So let's move the basic description of functionality to "Description" and
+rename the following section to "Units".
+
+The link to the Original Design Document is moved to "See Also", it is of
+historical interest mostly at this point.
+
+The only actual change is that when talking about API filesystems, /dev is also
+mentioned. (I think /sys+/proc+/dev are the canonical set and should be always
+listed on one breath.)
+
+(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba)
+---
+ man/systemd.xml | 49 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 24 insertions(+), 25 deletions(-)
+
+diff --git a/man/systemd.xml b/man/systemd.xml
+index 66db5bbf25..f4aa7e06ca 100644
+--- a/man/systemd.xml
++++ b/man/systemd.xml
+@@ -62,10 +62,29 @@
+     <filename>user.conf.d</filename> directories. See
+     <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+     for more information.</para>
++
++    <para><command>systemd</command> contains native implementations of various tasks that need to be
++    executed as part of the boot process. For example, it sets the hostname or configures the loopback
++    network device. It also sets up and mounts various API file systems, such as <filename>/sys/</filename>,
++    <filename>/proc/</filename>, and <filename>/dev/</filename>.</para>
++
++    <para>Note that some but not all interfaces provided by systemd are covered by the
++    <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
++
++    <para>The D-Bus API of <command>systemd</command> is described in
++    <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
++    and
++    <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
++    </para>
++
++    <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
++    url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
++    <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
++    specifications, respectively.</para>
+   </refsect1>
+ 
+   <refsect1>
+-    <title>Concepts</title>
++    <title>Units</title>
+ 
+     <para>systemd provides a dependency system between various
+     entities called "units" of 11 different types. Units encapsulate
+@@ -261,34 +280,10 @@
+     example, start jobs for any of those inactive units getting queued as
+     well.</para>
+ 
+-    <para>systemd contains native implementations of various tasks
+-    that need to be executed as part of the boot process. For example,
+-    it sets the hostname or configures the loopback network device. It
+-    also sets up and mounts various API file systems, such as
+-    <filename>/sys/</filename> or <filename>/proc/</filename>.</para>
+-
+-    <para>For more information about the concepts and
+-    ideas behind systemd, please refer to the
+-    <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
+-
+-    <para>Note that some but not all interfaces provided by systemd are covered by the
+-    <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
+-
+     <para>Units may be generated dynamically at boot and system
+     manager reload time, for example based on other configuration
+     files or parameters passed on the kernel command line. For details, see
+     <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
+-
+-    <para>The D-Bus API of <command>systemd</command> is described in
+-    <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-    and
+-    <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+-    </para>
+-
+-    <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
+-    url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
+-    <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
+-    specifications, respectively.</para>
+   </refsect1>
+ 
+   <refsect1>
+@@ -1558,6 +1553,10 @@
+       <member><citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+       <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+     </simplelist></para>
++
++    <para>For more information about the concepts and
++    ideas behind systemd, please refer to the
++    <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
+   </refsect1>
+ 
+ </refentry>

SOURCES/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch

+From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 8 May 2024 10:38:11 +0200
+Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink
+ connections are still ongoing
+
+And while we are at it, ongoing PK authorizations are also a reason to
+block exit on idle.
+
+(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33)
+---
+ src/hostname/hostnamed.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index 82d08803fa..fe1216fc1c 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
+         return 0;
+ }
+ 
++static bool context_check_idle(void *userdata) {
++        Context *c = ASSERT_PTR(userdata);
++
++        return varlink_server_current_connections(c->varlink_server) == 0 &&
++                hashmap_isempty(c->polkit_registry);
++}
++
+ static int run(int argc, char *argv[]) {
+         _cleanup_(context_destroy) Context context = {
+                 .hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
+@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
+                         context.bus,
+                         "org.freedesktop.hostname1",
+                         DEFAULT_EXIT_USEC,
+-                        /* check_idle= */ NULL,
+-                        /* userdata= */ NULL);
++                        context_check_idle,
++                        &context);
+         if (r < 0)
+                 return log_error_errno(r, "Failed to run event loop: %m");
+ 

SOURCES/0004-sd-dhcp-server-clear-buffer-before-receive.patch

+From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Wed, 12 Jun 2024 00:48:56 +0900
+Subject: [PATCH] sd-dhcp-server: clear buffer before receive
+
+I do not think this is necessary, but all other places in
+libsystemd-network we clear buffer before receive. Without this,
+Coverity warns about use-of-uninitialized-values.
+Let's silence Coverity.
+
+Closes CID#1469721.
+
+(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62)
+---
+ src/libsystemd-network/sd-dhcp-server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
+index c3b0f82dc4..4967f066dc 100644
+--- a/src/libsystemd-network/sd-dhcp-server.c
++++ b/src/libsystemd-network/sd-dhcp-server.c
+@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
+                 /* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
+                 buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
+ 
+-        message = malloc(buflen);
++        message = malloc0(buflen);
+         if (!message)
+                 return -ENOMEM;
+ 

SOURCES/0005-rules-Limit-the-number-of-device-units-generated-for.patch

+From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 10 Jun 2024 12:59:58 +0200
+Subject: [PATCH] rules: Limit the number of device units generated for serial
+ ttys
+
+As per the suggestion in https://github.com/systemd/systemd/issues/33242.
+
+This reduces the number of /dev/ttySXX device units generated in
+mkosi from 32 to 4.
+
+(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05)
+---
+ rules.d/99-systemd.rules.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
+index ad0c7e2fb5..8ba6f177f8 100644
+--- a/rules.d/99-systemd.rules.in
++++ b/rules.d/99-systemd.rules.in
+@@ -10,6 +10,8 @@
+ ACTION=="remove", GOTO="systemd_end"
+ 
+ SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
++# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked.
++SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0"
+ KERNEL=="vport*", TAG+="systemd"
+ 
+ SUBSYSTEM=="ptp", TAG+="systemd"

SOURCES/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch

+From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001
+From: q66 <q66@chimera-linux.org>
+Date: Thu, 6 Jun 2024 13:45:48 +0200
+Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer
+
+This allows us to reserve a bunch of capacity ahead of time,
+improving the performance of hwdb significantly thanks to not
+having to reallocate so many times.
+
+Before:
+```
+$ sudo time valgrind --leak-check=full ./systemd-hwdb update
+==113297== Memcheck, a memory error detector
+==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
+==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
+==113297== Command: ./systemd-hwdb update
+==113297==
+==113297==
+==113297== HEAP SUMMARY:
+==113297==     in use at exit: 0 bytes in 0 blocks
+==113297==   total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated
+==113297==
+==113297== All heap blocks were freed -- no leaks are possible
+==113297==
+==113297== For lists of detected and suppressed errors, rerun with: -s
+==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k
+0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps
+```
+
+After:
+```
+$ sudo time valgrind --leak-check=full ./systemd-hwdb update
+==112572== Memcheck, a memory error detector
+==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
+==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
+==112572== Command: ./systemd-hwdb update
+==112572==
+==112572==
+==112572== HEAP SUMMARY:
+==112572==     in use at exit: 0 bytes in 0 blocks
+==112572==   total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated
+==112572==
+==112572== All heap blocks were freed -- no leaks are possible
+==112572==
+==112572== For lists of detected and suppressed errors, rerun with: -s
+==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k
+0inputs+25264outputs (0major+57275minor)pagefaults 0swaps
+```
+
+Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
+(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93)
+---
+ src/basic/strbuf.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
+index 0617acc8d2..6d43955bb1 100644
+--- a/src/basic/strbuf.c
++++ b/src/basic/strbuf.c
+@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node,
+ /* add string, return the index/offset into the buffer */
+ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
+         uint8_t c;
+-        char *buf_new;
+         struct strbuf_child_entry *child;
+         struct strbuf_node *node;
+         ssize_t off;
+@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
+         }
+ 
+         /* add new string */
+-        buf_new = realloc(str->buf, str->len + len+1);
+-        if (!buf_new)
++        if (!GREEDY_REALLOC(str->buf, str->len + len + 1))
+                 return -ENOMEM;
+-        str->buf = buf_new;
+         off = str->len;
+         memcpy(str->buf + off, s, len);
+         str->len += len;

SOURCES/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch

+From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Fri, 17 May 2024 16:20:11 +0200
+Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
+ authorization failure
+
+The TPM might be password/pin protected for various reasons even if
+there is no SRK yet. Let's handle those cases gracefully instead of
+failing the unit as it is enabled by default.
+
+(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
+---
+ catalog/systemd.catalog.in                | 13 +++++++++++++
+ src/shared/tpm2-util.c                    |  2 ++
+ src/systemd/sd-messages.h                 |  3 +++
+ src/tpm2-setup/tpm2-setup.c               | 13 ++++++++++++-
+ units/systemd-tpm2-setup-early.service.in |  3 +++
+ units/systemd-tpm2-setup.service.in       |  3 +++
+ 6 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
+index 3c9a6860da..2831152763 100644
+--- a/catalog/systemd.catalog.in
++++ b/catalog/systemd.catalog.in
+@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
+ A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
+ detached from the system and is no longer available for use. The list of attached
+ Portable Services can be queried with 'portablectl list'.
++
++-- ad7089f928ac4f7ea00c07457d47ba8a
++Subject: Authorization failure while attempting to enroll SRK into TPM
++Defined-By: systemd
++Support: %SUPPORT_URL%
++Documentation: man:systemd-tpm2-setup.service(8)
++
++An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
++Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
++the TPM.
++
++Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
++protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index 87ce53cf95..9603f1837e 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
+                         /* creationData= */ NULL,
+                         /* creationHash= */ NULL,
+                         /* creationTicket= */ NULL);
++        if (rc == TPM2_RC_BAD_AUTH)
++                return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
+         if (rc != TSS2_RC_SUCCESS)
+                 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+                                        "Failed to generate primary key in TPM: %s",
+diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
+index e3f68068a8..16e9986be3 100644
+--- a/src/systemd/sd-messages.h
++++ b/src/systemd/sd-messages.h
+@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
+ #define SD_MESSAGE_PORTABLE_DETACHED                  SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+ #define SD_MESSAGE_PORTABLE_DETACHED_STR              SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+ 
++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION     SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
++
+ _SD_END_DECLARATIONS;
+ 
+ #endif
+diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
+index 35628fc02a..b95c5e7a58 100644
+--- a/src/tpm2-setup/tpm2-setup.c
++++ b/src/tpm2-setup/tpm2-setup.c
+@@ -3,6 +3,8 @@
+ #include <getopt.h>
+ #include <unistd.h>
+ 
++#include "sd-messages.h"
++
+ #include "build.h"
+ #include "fd-util.h"
+ #include "fileio.h"
+@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
+                         /* ret_name= */ NULL,
+                         /* ret_qname= */ NULL,
+                         NULL);
++        if (r == -EDEADLK)
++                return r;
+         if (r < 0)
+                 return log_error_errno(r, "Failed to get or create SRK: %m");
+         if (r > 0)
+@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
+         }
+ 
+         r = load_public_key_tpm2(&tpm2_key);
++        if (r == -EDEADLK) {
++                log_struct_errno(LOG_INFO, r,
++                                 LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
++                                 "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
++                return 76; /* Special return value which means "Insufficient permissions to access TPM,
++                            * cannot generate SRK". This isn't really an error when called at boot. */;
++        }
+         if (r < 0)
+                 return r;
+ 
+@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
+         return 0;
+ }
+ 
+-DEFINE_MAIN_FUNCTION(run);
++DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
+diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
+index 9982c84aba..7fdb99b53f 100644
+--- a/units/systemd-tpm2-setup-early.service.in
++++ b/units/systemd-tpm2-setup-early.service.in
+@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
++
++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
++SuccessExitStatus=76
+diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
+index 0af7292528..ac29a76966 100644
+--- a/units/systemd-tpm2-setup.service.in
++++ b/units/systemd-tpm2-setup.service.in
+@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
++
++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
++SuccessExitStatus=76

SOURCES/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch

+From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
+From: Ronan Pigott <ronan@rjp.ie>
+Date: Fri, 8 Mar 2024 13:40:08 -0700
+Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
+ validating
+
+This check introduced in 91adc4db33f6 is intended to spare us from
+encountering broken resolver behavior we don't want to deal with.
+However if we aren't validating we more than likely don't know the state
+of the upstream resolver's support for dnssec. Let's let clients try
+these queries if they want.
+
+This brings the behavior of sd-resolved in-line with previouly stated
+change in the meaning of DNSSEC=no, which now means "don't validate"
+rather than "don't validate, because the upstream resolver is declared to
+be dnssec-unaware".
+
+Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
+(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
+---
+ src/resolve/resolved-dns-server.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
+index 340f11f4f4..b37f541c7f 100644
+--- a/src/resolve/resolved-dns-server.c
++++ b/src/resolve/resolved-dns-server.c
+@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
+         if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
+                 return true;
+ 
+-        if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
+-                return false;
+-
+         if (server->packet_bad_opt)
+                 return false;
+ 

SOURCES/0009-repart-Use-crypt_reencrypt_run-if-available.patch

+From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Sun, 2 Jun 2024 16:24:52 +0200
+Subject: [PATCH] repart: Use crypt_reencrypt_run() if available
+
+crypt_reencrypt() is deprecated, so let's look for and prefer
+crypt_reencrypt_run() if it is available.
+
+(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a)
+---
+ meson.build                  |  1 +
+ src/partition/repart.c       |  6 +++++-
+ src/shared/cryptsetup-util.c | 19 ++++++++-----------
+ src/shared/cryptsetup-util.h |  6 +++---
+ 4 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index ea4e12aa1c..e42151998b 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size',
+                  'crypt_token_max',
+                  'crypt_reencrypt_init_by_passphrase',
+                  'crypt_reencrypt',
++                 'crypt_reencrypt_run',
+                  'crypt_set_data_offset',
+                  'crypt_set_keyring_to_link',
+                  'crypt_resume_by_volume_key']
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 6f67d46025..2ecae4ca03 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
+ }
+ 
+ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
+-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT
++#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
+         const char *node = partition_target_path(target);
+         struct crypt_params_luks2 luks_params = {
+                 .label = strempty(ASSERT_PTR(p)->new_label),
+@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to load reencryption context: %m");
+ 
++#if HAVE_CRYPT_REENCRYPT_RUN
++                r = sym_crypt_reencrypt_run(cd, NULL, NULL);
++#else
+                 r = sym_crypt_reencrypt(cd, NULL);
++#endif
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to encrypt %s: %m", node);
+         } else {
+diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
+index 288e6e8942..d0dd434df8 100644
+--- a/src/shared/cryptsetup-util.c
++++ b/src/shared/cryptsetup-util.c
+@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get);
+ #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+ DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
+ #endif
+-#if HAVE_CRYPT_REENCRYPT
+-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
++#if HAVE_CRYPT_REENCRYPT_RUN
++DLSYM_FUNCTION(crypt_reencrypt_run);
++#elif HAVE_CRYPT_REENCRYPT
+ DLSYM_FUNCTION(crypt_reencrypt);
+-REENABLE_WARNING;
+ #endif
+ DLSYM_FUNCTION(crypt_metadata_locking);
+ #if HAVE_CRYPT_SET_DATA_OFFSET
+@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) {
+ 
+         /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
+          * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
+-         * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
+-         * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
+-         * warnings about this for now. */
+-
+-        DISABLE_WARNING_DEPRECATED_DECLARATIONS;
++         * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
++         * symbol if the new one is not available. */
+ 
+         ELF_NOTE_DLOPEN("cryptsetup",
+                         "Support for disk encryption, integrity, and authentication",
+@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) {
+ #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+                         DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
+ #endif
+-#if HAVE_CRYPT_REENCRYPT
++#if HAVE_CRYPT_REENCRYPT_RUN
++                        DLSYM_ARG(crypt_reencrypt_run),
++#elif HAVE_CRYPT_REENCRYPT
+                         DLSYM_ARG(crypt_reencrypt),
+ #endif
+                         DLSYM_ARG(crypt_metadata_locking),
+@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) {
+         if (r <= 0)
+                 return r;
+ 
+-        REENABLE_WARNING;
+-
+         /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
+          * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
+          * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
+diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
+index f00ac367b6..d255e59004 100644
+--- a/src/shared/cryptsetup-util.h
++++ b/src/shared/cryptsetup-util.h
+@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get);
+ #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+ DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
+ #endif
+-#if HAVE_CRYPT_REENCRYPT
+-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
++#if HAVE_CRYPT_REENCRYPT_RUN
++DLSYM_PROTOTYPE(crypt_reencrypt_run);
++#elif HAVE_CRYPT_REENCRYPT
+ DLSYM_PROTOTYPE(crypt_reencrypt);
+-REENABLE_WARNING;
+ #endif
+ DLSYM_PROTOTYPE(crypt_metadata_locking);
+ #if HAVE_CRYPT_SET_DATA_OFFSET

SOURCES/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch

+From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Wed, 12 Jun 2024 12:09:25 +0200
+Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST
+
+Let's dump a list of skipped tests and logs from failed tests at the end
+of TEST-02-UNITTEST to make debugging fails in CI slightly less painful.
+
+(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3)
+---
+ test/TEST-02-UNITTESTS/test.sh  |  8 ----
+ test/test-functions             | 68 ---------------------------------
+ test/units/TEST-02-UNITTESTS.sh | 14 +++++++
+ 3 files changed, 14 insertions(+), 76 deletions(-)
+
+diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh
+index f165c99368..2cf9c31096 100755
+--- a/test/TEST-02-UNITTESTS/test.sh
++++ b/test/TEST-02-UNITTESTS/test.sh
+@@ -37,12 +37,4 @@ test_append_files() {
+     fi
+ }
+ 
+-check_result_nspawn() {
+-    check_result_nspawn_unittests "${1}"
+-}
+-
+-check_result_qemu() {
+-    check_result_qemu_unittests
+-}
+-
+ do_test "$@"
+diff --git a/test/test-functions b/test/test-functions
+index be6eb1d9b2..8b497b2e27 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1860,74 +1860,6 @@ check_result_qemu() {
+     return $ret
+ }
+ 
+-check_result_nspawn_unittests() {
+-    local workspace="${1:?}"
+-    local ret=1
+-
+-    [[ -e "$workspace/testok" ]] && ret=0
+-
+-    if [[ -s "$workspace/failed" ]]; then
+-        ret=$((ret + 1))
+-        echo "=== Failed test log ==="
+-        cat "$workspace/failed"
+-    else
+-        if [[ -s "$workspace/skipped" ]]; then
+-            echo "=== Skipped test log =="
+-            cat "$workspace/skipped"
+-            # We might have only skipped tests - that should not fail the job
+-            ret=0
+-        fi
+-        if [[ -s "$workspace/testok" ]]; then
+-            echo "=== Passed tests ==="
+-            cat "$workspace/testok"
+-        fi
+-    fi
+-
+-    get_bool "${TIMED_OUT:=}" && ret=1
+-    check_coverage_reports "$workspace" || ret=5
+-
+-    save_journal "$workspace/var/log/journal" $ret
+-    echo "${JOURNAL_LIST:-"No journals were saved"}"
+-
+-    _umount_dir "${initdir:?}"
+-
+-    return $ret
+-}
+-
+-check_result_qemu_unittests() {
+-    local ret=1
+-
+-    mount_initdir
+-    [[ -e "${initdir:?}/testok" ]] && ret=0
+-
+-    if [[ -s "$initdir/failed" ]]; then
+-        ret=$((ret + 1))
+-        echo "=== Failed test log ==="
+-        cat "$initdir/failed"
+-    else
+-        if [[ -s "$initdir/skipped" ]]; then
+-            echo "=== Skipped test log =="
+-            cat "$initdir/skipped"
+-            # We might have only skipped tests - that should not fail the job
+-            ret=0
+-        fi
+-        if [[ -s "$initdir/testok" ]]; then
+-            echo "=== Passed tests ==="
+-            cat "$initdir/testok"
+-        fi
+-    fi
+-
+-    get_bool "${TIMED_OUT:=}" && ret=1
+-    check_coverage_reports "$initdir" || ret=5
+-
+-    save_journal "$initdir/var/log/journal" $ret
+-    echo "${JOURNAL_LIST:-"No journals were saved"}"
+-
+-    _umount_dir "$initdir"
+-
+-    return $ret
+-}
+-
+ create_rc_local() {
+     dinfo "Create rc.local"
+     mkdir -p "${initdir:?}/etc/rc.d"
+diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh
+index 6392425130..4448643f9a 100755
+--- a/test/units/TEST-02-UNITTESTS.sh
++++ b/test/units/TEST-02-UNITTESTS.sh
+@@ -95,6 +95,20 @@ export -f run_test
+ find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 |
+     xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}"
+ 
++# Write all pending messages, so they don't get mixed with the summaries below
++journalctl --sync
++
++# No need for full test logs in this case
++if [[ -s /skipped-tests ]]; then
++    : "=== SKIPPED TESTS ==="
++    cat /skipped-tests
++fi
++
++if [[ -s /failed ]]; then
++    : "=== FAILED TESTS ==="
++    cat /failed
++fi
++
+ # Test logs are sometimes lost, as the system shuts down immediately after
+ journalctl --sync
+ 

SOURCES/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch

+From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 3 Jun 2024 12:35:29 +0200
+Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE
+
+Let's skip udev device scanning when activating a LUKS volume in
+systemd-repart as we don't depend on any udev symlinks and don't
+expect anything except repart to access the volume.
+
+Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941.
+
+(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6)
+---
+ src/partition/repart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 2ecae4ca03..78cf60f724 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
+                                 dm_name,
+                                 NULL,
+                                 VOLUME_KEY_SIZE,
+-                                arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
++                                (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE);
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to activate LUKS superblock: %m");
+ 

SOURCES/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch

+From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Tue, 11 Jun 2024 23:09:30 +0100
+Subject: [PATCH] NEWS: note that new stable releases will be in the main repo
+
+(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf)
+---
+ NEWS | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 02ad8b2c79..bbee0852be 100644
+--- a/NEWS
++++ b/NEWS
+@@ -81,6 +81,11 @@ CHANGES WITH 256:
+         * systemd.crash_reboot and related settings are deprecated in favor of
+           systemd.crash_action=.
+ 
++        * Stable releases for version v256 and newer will now be pushed in the
++          main repository. The systemd-stable repository will be used for existing
++          stable branches (v255-stable and lower), and when they reach EOL it will
++          be archived.
++
+         General Changes and New Features:
+ 
+         * Various programs will now attempt to load the main configuration file

SOURCES/0013-shell-completion-only-offer-devices-for-completion.patch

+From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Wed, 12 Jun 2024 14:35:34 +0200
+Subject: [PATCH] shell-completion: only offer devices for completion
+
+This skips directories and other stuff like /dev/core, /dev/initctl or
+/dev/log.
+
+(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb)
+---
+ shell-completion/bash/udevadm | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm
+index 05f921cf49..3842d722e7 100644
+--- a/shell-completion/bash/udevadm
++++ b/shell-completion/bash/udevadm
+@@ -32,10 +32,7 @@ __get_all_sysdevs() {
+ }
+ 
+ __get_all_device_nodes() {
+-    local i
+-    for i in /dev/* /dev/*/* /dev/*/*/*; do
+-        echo $i
+-    done
++    find /dev -xtype b -o -xtype c
+ }
+ 
+ __get_all_device_units() {

SOURCES/0014-CODING_STYLE-document-reterr_-return-parameters.patch

+From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 12 Jun 2024 18:31:56 +0200
+Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters
+
+In some recent PRs (e.g. #32628) I started to systematically name return
+parameters that shall only be initialized on failure (because they carry
+additional error meta information, such as the line/column number of
+parse failures or so). Let's make this official in the coding style.
+
+(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee)
+---
+ docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 48 insertions(+), 14 deletions(-)
+
+diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md
+index 8f687e6662..309436a397 100644
+--- a/docs/CODING_STYLE.md
++++ b/docs/CODING_STYLE.md
+@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later
+   thread. Use `is_main_thread()` to detect whether the calling thread is the
+   main thread.
+ 
+-- Do not write functions that clobber call-by-reference variables on
+-  failure. Use temporary variables for these cases and change the passed in
+-  variables only on success. The rule is: never clobber return parameters on
+-  failure, always initialize return parameters on success.
+-
+-- Typically, function parameters fit into three categories: input parameters,
+-  mutable objects, and call-by-reference return parameters. Input parameters
+-  should always carry suitable "const" declarators if they are pointers, to
+-  indicate they are input-only and not changed by the function. Return
+-  parameters are best prefixed with "ret_", to clarify they are return
+-  parameters. (Conversely, please do not prefix parameters that aren't
+-  output-only with "ret_", in particular not mutable parameters that are both
+-  input as well as output). Example:
++- Typically, function parameters fit into four categories: input parameters,
++  mutable objects, call-by-reference return parameters that are initialized on
++  success, and call-by-reference return parameters that are initialized on
++  failure. Input parameters should always carry suitable `const` declarators if
++  they are pointers, to indicate they are input-only and not changed by the
++  function. The name of return parameters that are initialized on success
++  should be prefixed with `ret_`, to clarify they are return parameters. The
++  name of return parameters that are initialized on failure should be prefixed
++  with `reterr_`. (Examples of such parameters: those which carry additional
++  error information, such as the row/column of parse errors or so). –
++  Conversely, please do not prefix parameters that aren't output-only with
++  `ret_` or `reterr_`, in particular not mutable parameters that are both input
++  as well as output.
++
++  Example:
+ 
+   ```c
+   static int foobar_frobnicate(
+                   Foobar* object,            /* the associated mutable object */
+                   const char *input,         /* immutable input parameter */
+-                  char **ret_frobnicated) {  /* return parameter */
++                  char **ret_frobnicated,    /* return parameter on success */
++                  unsigned *reterr_line,     /* return parameter on failure */
++                  unsigned *reterr_column) { /* ditto */
+           …
+           return 0;
+   }
+   ```
+ 
++- Do not write functions that clobber call-by-reference success return
++  parameters on failure (i.e. `ret_xyz`, see above), or that clobber
++  call-by-reference failure return parameters on success
++  (i.e. `reterr_xyz`). Use temporary variables for these cases and change the
++  passed in variables only in the right condition. The rule is: never clobber
++  success return parameters on failure, always initialize success return
++  parameters on success (and the reverse for failure return parameters, of
++  course).
++
++- Please put `reterr_` return parameters in the function parameter list last,
++  and `ret_` return parameters immediately before that.
++
++  Good:
++
++  ```c
++  static int do_something(
++                  const char *input,
++                  const char *ret_on_success,
++                  const char *reterr_on_failure);
++  ```
++
++  Not good:
++
++  ```c
++  static int do_something(
++                  const char *reterr_on_failure,
++                  const char *ret_on_success,
++                  const char *input);
++  ```
++
+ - The order in which header files are included doesn't matter too
+   much. systemd-internal headers must not rely on an include order, so it is
+   safe to include them in any order possible.  However, to not clutter global

SOURCES/0015-analyze-show-pcrs-also-in-sha384-bank.patch

+From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 4 Jun 2024 11:02:34 +0200
+Subject: [PATCH] analyze: show pcrs also in sha384 bank
+
+SHA384 is pretty much the bank we actually *want* to use, since it's
+faster to calculate than SHA256, hence at the very least, start
+considering.
+
+(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa)
+---
+ src/analyze/analyze-pcrs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
+index 43e415fc6d..1c3da3fd84 100644
+--- a/src/analyze/analyze-pcrs.c
++++ b/src/analyze/analyze-pcrs.c
+@@ -11,7 +11,7 @@
+ static int get_pcr_alg(const char **ret) {
+         assert(ret);
+ 
+-        FOREACH_STRING(alg, "sha256", "sha1") {
++        FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
+                 _cleanup_free_ char *p = NULL;
+ 
+                 if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)

SOURCES/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch

+From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <cristian@rodriguez.im>
+Date: Thu, 13 Jun 2024 11:59:28 -0400
+Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang
+ 19
+
+Silly workaround that:
+- allowed flexible arrays in unions
+- allowed flexible arrays in otherwise empty structs
+
+Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a
+(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9
+
+(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939)
+---
+ src/fundamental/macro-fundamental.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
+index 5ccbda5186..8aca5f784a 100644
+--- a/src/fundamental/macro-fundamental.h
++++ b/src/fundamental/macro-fundamental.h
+@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
+                 }                                                       \
+         }
+ 
++/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/
++#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
++#define DECLARE_FLEX_ARRAY(type, name) type name[];
++#else
+ /* Declare a flexible array usable in a union.
+  * This is essentially a work-around for a pointless constraint in C99
+  * and might go away in some future version of the standard.
+@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
+                 dummy_t __empty__ ## name;             \
+                 type name[];                           \
+         }
++#endif
+ 
+ /* Declares an ELF read-only string section that does not occupy memory at runtime. */
+ #define DECLARE_NOALLOC_SECTION(name, text)   \

SOURCES/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch

+From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook <enr0n@ubuntu.com>
+Date: Fri, 14 Jun 2024 17:31:22 -0400
+Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge
+
+Mention that by default, /home is managed by tmpfiles.d/home.conf, and
+recommend that users run systemd-tmpfiles --dry-run --purge first to
+see exactly what will be removed.
+
+(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc)
+---
+ man/systemd-tmpfiles.xml | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
+index 008bff62da..6f3ec66611 100644
+--- a/man/systemd-tmpfiles.xml
++++ b/man/systemd-tmpfiles.xml
+@@ -150,7 +150,11 @@
+       <varlistentry>
+         <term><option>--purge</option></term>
+         <listitem><para>If this option is passed, all files and directories created by a
+-        <filename>tmpfiles.d/</filename> entry will be deleted.</para>
++        <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
++        <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
++        (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
++        to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
++        and directories will be deleted.</para>
+ 
+         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+       </varlistentry>

SOURCES/0018-man-units-drop-temporary-from-description-of-systemd.patch

+From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sat, 15 Jun 2024 17:27:33 +0200
+Subject: [PATCH] man,units: drop "temporary" from description of
+ systemd-tmpfiles
+
+Historically, systemd-tmpfiles was designed to manager temporary
+files, but nowadays it has become a generic tool for managing
+all kinds of files. To avoid user confusion, let's remove "temporary"
+from the tool's description.
+
+As discussed in #33349
+
+(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735)
+---
+ man/systemd-tmpfiles.xml                  | 8 +++++---
+ units/systemd-tmpfiles-setup.service      | 2 +-
+ units/user/systemd-tmpfiles-setup.service | 2 +-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
+index 6f3ec66611..9767aead85 100644
+--- a/man/systemd-tmpfiles.xml
++++ b/man/systemd-tmpfiles.xml
+@@ -55,9 +55,11 @@
+   <refsect1>
+     <title>Description</title>
+ 
+-    <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up volatile and temporary files
+-    and directories, using the configuration file format and location specified in
+-    <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. It must
++    <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up files and directories, using
++    the configuration file format and location specified in
++    <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
++    Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides
++    generic file management functionality and can be used to manage any kind of files. It must
+     be invoked with one or more commands <option>--create</option>, <option>--remove</option>, and
+     <option>--clean</option>, to select the respective subset of operations.</para>
+ 
+diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service
+index 6cae32850f..b92beb7314 100644
+--- a/units/systemd-tmpfiles-setup.service
++++ b/units/systemd-tmpfiles-setup.service
+@@ -8,7 +8,7 @@
+ #  (at your option) any later version.
+ 
+ [Unit]
+-Description=Create Volatile Files and Directories
++Description=Create System Files and Directories
+ Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+ 
+ DefaultDependencies=no
+diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service
+index 156689edcd..54e453c4fc 100644
+--- a/units/user/systemd-tmpfiles-setup.service
++++ b/units/user/systemd-tmpfiles-setup.service
+@@ -8,7 +8,7 @@
+ #  (at your option) any later version.
+ 
+ [Unit]
+-Description=Create User's Volatile Files and Directories
++Description=Create User Files and Directories
+ Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+ DefaultDependencies=no
+ Conflicts=shutdown.target

SOURCES/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch

+From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 11:16:21 +0100
+Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests
+
+Ubuntu disables them by default in Noble, ship a sysctl to turn them back on
+so that tests can use them
+
+(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467)
+---
+ .../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf           | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+
+diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+new file mode 100644
+index 0000000000..657ac72f8d
+--- /dev/null
++++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+@@ -0,0 +1,4 @@
++# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
++# for integration tests
++kernel.apparmor_restrict_unprivileged_unconfined = 0
++kernel.apparmor_restrict_unprivileged_userns = 0