import systemd-257-3.el10

.systemd.metadata

-6a2e4b3d055966d5c77fc067653da2cdd047b0968a01b181b4e551c00f632f33  SOURCES/systemd-257.tar.gz
+14f6907eb5e289d8c39cbe1ef891ca54d8a0e3582c986a9ef5844b3f29add43b  SOURCES/systemd-257.tar.gz

SOURCES/0001-Create-CNAME.patch

+From 217666530e117eafbed9af56e2e7ab467c02a405 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 10 Dec 2024 19:39:23 +0000
+Subject: [PATCH] Create CNAME
+
+---
+ docs/CNAME | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 docs/CNAME
+
+diff --git a/docs/CNAME b/docs/CNAME
+new file mode 100644
+index 0000000000..cdcf4d9a52
+--- /dev/null
++++ b/docs/CNAME
+@@ -0,0 +1 @@
++systemd.io
+\ No newline at end of file

SOURCES/0002-sd-json-sd-varlink-drop-unexported-functions-from-pu.patch

+From d7eeb60cdff19e3b2a69cc14118e65e7bfe96421 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 12 Dec 2024 19:42:48 +0900
+Subject: [PATCH] sd-json,sd-varlink: drop unexported functions from public
+ headers
+
+These functions are exported by e11f5aa7226253bf31b2ed61be8599bb213c1819
+and 5fcabde35b8d2592e4ba3f4915839a54d2f246ba in upstream after v257.
+
+Fixes #35554 in v257.
+---
+ src/libsystemd/sd-json/json-util.h | 3 +++
+ src/systemd/sd-json.h              | 3 ---
+ src/systemd/sd-varlink.h           | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/libsystemd/sd-json/json-util.h b/src/libsystemd/sd-json/json-util.h
+index 808df64d98..b3b4941dcc 100644
+--- a/src/libsystemd/sd-json/json-util.h
++++ b/src/libsystemd/sd-json/json-util.h
+@@ -8,6 +8,9 @@
+ #include "macro.h"
+ #include "pidref.h"
+ 
++const char* sd_json_variant_type_to_string(sd_json_variant_type_t t);
++sd_json_variant_type_t sd_json_variant_type_from_string(const char *s);
++
+ #define JSON_VARIANT_REPLACE(v, q)        \
+         do {                              \
+                 typeof(v)* _v = &(v);     \
+diff --git a/src/systemd/sd-json.h b/src/systemd/sd-json.h
+index 3930d82b0d..33817f2327 100644
+--- a/src/systemd/sd-json.h
++++ b/src/systemd/sd-json.h
+@@ -339,9 +339,6 @@ int sd_json_variant_strv(sd_json_variant *v, char ***ret);
+ int sd_json_variant_unbase64(sd_json_variant *v, void **ret, size_t *ret_size);
+ int sd_json_variant_unhex(sd_json_variant *v, void **ret, size_t *ret_size);
+ 
+-const char* sd_json_variant_type_to_string(sd_json_variant_type_t t);
+-sd_json_variant_type_t sd_json_variant_type_from_string(const char *s);
+-
+ _sd_const_ static __inline__ int sd_json_format_enabled(sd_json_format_flags_t flags) {
+         return !(flags & SD_JSON_FORMAT_OFF);
+ }
+diff --git a/src/systemd/sd-varlink.h b/src/systemd/sd-varlink.h
+index 816b9b0ebf..17cf8b7386 100644
+--- a/src/systemd/sd-varlink.h
++++ b/src/systemd/sd-varlink.h
+@@ -184,7 +184,6 @@ int sd_varlink_dispatch(sd_varlink *v, sd_json_variant *parameters, const sd_jso
+ /* Write outgoing fds into the socket (to be associated with the next enqueued message) */
+ int sd_varlink_push_fd(sd_varlink *v, int fd);
+ int sd_varlink_push_dup_fd(sd_varlink *v, int fd);
+-int sd_varlink_reset_fds(sd_varlink *v);
+ 
+ /* Read incoming fds from the socket (associated with the currently handled message) */
+ int sd_varlink_peek_fd(sd_varlink *v, size_t i);

SOURCES/0003-test-modernize-generate-sym-test.py.patch

+From e231110a641237817490785bdf3e96df1de524e2 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 12 Dec 2024 10:01:48 +0900
+Subject: [PATCH] test: modernize generate-sym-test.py
+
+(cherry picked from commit 6e399ece1fd6dc8cbf5830c263a118b58d36acac)
+---
+ src/test/generate-sym-test.py | 107 +++++++++++++++++++++-------------
+ 1 file changed, 67 insertions(+), 40 deletions(-)
+
+diff --git a/src/test/generate-sym-test.py b/src/test/generate-sym-test.py
+index 2e5177c934..24223aa7b0 100755
+--- a/src/test/generate-sym-test.py
++++ b/src/test/generate-sym-test.py
+@@ -1,78 +1,99 @@
+ #!/usr/bin/env python3
+ # SPDX-License-Identifier: LGPL-2.1-or-later
++#
++# ruff: noqa: E501 UP015
+ 
+ import os
+ import re
+ import sys
++from typing import IO
+ 
+-def process_sym_file(file):
++
++def process_sym_file(file: IO[str]) -> None:
+     for line in file:
+         m = re.search(r'^ +([a-zA-Z0-9_]+);', line)
+         if m:
+             if m[1] == 'sd_bus_object_vtable_format':
+-                print('        {{"{0}", &{0}}},'.format(m[1]))
++                print(f'        {{ "{m[1]}", &{m[1]} }},')
+             else:
+-                print('        {{"{0}", {0}}},'.format(m[1]))
++                print(f'        {{ "{m[1]}", {m[1]} }},')
++
+ 
+-def process_source_file(file):
++def process_source_file(file: IO[str]) -> None:
+     for line in file:
+         # Functions
+         m = re.search(r'^_public_\s+(\S+\s+)+\**(\w+)\s*\(', line)
+         if m:
+-            print('        {{ "{0}", {0} }},'.format(m[2]))
++            print(f'        {{ "{m[2]}", {m[2]} }},')
++            continue
++
+         # Variables
+         m = re.search(r'^_public_\s+(\S+\s+)+\**(\w+)\s*=', line)
+         if m:
+-            print('        {{ "{0}", &{0} }},'.format(m[2]))
++            print(f'        {{ "{m[2]}", &{m[2]} }},')
++            continue
++
+         # Functions defined through a macro
+         m = re.search(r'^DEFINE_PUBLIC_TRIVIAL_REF_FUNC\([^,]+,\s*(\w+)\s*\)', line)
+         if m:
+-            print('        {{ "{0}_ref", {0}_ref }},'.format(m[1]))
++            print(f'        {{ "{m[1]}_ref", {m[1]}_ref }},')
++            continue
++
+         m = re.search(r'^DEFINE_PUBLIC_TRIVIAL_UNREF_FUNC\([^,]+,\s*(\w+)\s*,', line)
+         if m:
+-            print('        {{ "{0}_unref", {0}_unref }},'.format(m[1]))
+-        m = re.search(r"^DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC\([^,]+,\s*(\w+)\s*,", line)
++            print(f'        {{ "{m[1]}_unref", {m[1]}_unref }},')
++            continue
++
++        m = re.search(r'^DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC\([^,]+,\s*(\w+)\s*,', line)
++        if m:
++            print(f'        {{ "{m[1]}_ref", {m[1]}_ref }},')
++            print(f'        {{ "{m[1]}_unref", {m[1]}_unref }},')
++            continue
++
++        m = re.search(r'^_DEFINE_STRING_TABLE_LOOKUP\((\w+),\s*\w+,\s*_public_\s*\)', line)
+         if m:
+-            print('        {{ "{0}_ref", {0}_ref }},'.format(m[1]))
+-            print('        {{ "{0}_unref", {0}_unref }},'.format(m[1]))
++            print(f'        {{ "{m[1]}_from_string", {m[1]}_from_string }},')
++            print(f'        {{ "{m[1]}_to_string", {m[1]}_to_string }},')
++            continue
+ 
+-print('''/* SPDX-License-Identifier: LGPL-2.1-or-later */
++
++print("""/* SPDX-License-Identifier: LGPL-2.1-or-later */
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ 
+-''')
++""")
+ 
+ for header in sys.argv[3:]:
+     print('#include "{}"'.format(header.split('/')[-1]))
+ 
+-print('''
++print("""
+ /* We want to check deprecated symbols too, without complaining */
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+-''')
++""")
+ 
+-print('''
++print("""
+ struct symbol {
+         const char *name;
+         const void *symbol;
+ };
+-static struct symbol symbols_from_sym[] = {''')
++static struct symbol symbols_from_sym[] = {""")
+ 
+-with open(sys.argv[1], "r") as f:
++with open(sys.argv[1], 'r') as f:
+     process_sym_file(f)
+ 
+-print('''        {}
+-}, symbols_from_source[] = {''')
++print("""        {}
++}, symbols_from_source[] = {""")
+ 
+ for dirpath, _, filenames in sorted(os.walk(sys.argv[2])):
+     for filename in sorted(filenames):
+-        if not filename.endswith(".c") and not filename.endswith(".h"):
++        if not filename.endswith('.c') and not filename.endswith('.h'):
+             continue
+-        with open(os.path.join(dirpath, filename), "r") as f:
++        with open(os.path.join(dirpath, filename), 'r') as f:
+             process_source_file(f)
+ 
+-print('''        {}
++print("""        {}
+ };
+ 
+ static int sort_callback(const void *a, const void *b) {
+@@ -81,34 +102,40 @@ static int sort_callback(const void *a, const void *b) {
+ }
+ 
+ int main(void) {
+-        size_t i, j;
++        size_t size = sizeof(symbols_from_sym[0]),
++                n_sym = sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0]) - 1,
++                n_source = sizeof(symbols_from_source)/sizeof(symbols_from_source[0]) - 1;
+ 
+-        qsort(symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
+-        qsort(symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
++        qsort(symbols_from_sym, n_sym, size, sort_callback);
++        qsort(symbols_from_source, n_source, size, sort_callback);
+ 
+         puts("From symbol file:");
+-        for (i = 0; symbols_from_sym[i].name; i++)
++        for (size_t i = 0; i < n_sym; i++)
+                 printf("%p: %s\\n", symbols_from_sym[i].symbol, symbols_from_sym[i].name);
+ 
+         puts("\\nFrom source files:");
+-        for (j = 0; symbols_from_source[j].name; j++)
+-                printf("%p: %s\\n", symbols_from_source[j].symbol, symbols_from_source[j].name);
++        for (size_t i = 0; i < n_source; i++)
++                printf("%p: %s\\n", symbols_from_source[i].symbol, symbols_from_source[i].name);
+ 
+         puts("");
+-        printf("Found %zu symbols from symbol file.\\n", i);
+-        printf("Found %zu symbols from source files.\\n", j);
++        printf("Found %zu symbols from symbol file.\\n", n_sym);
++        printf("Found %zu symbols from source files.\\n", n_source);
++
++        unsigned n_error = 0;
+ 
+-        for (i = 0; symbols_from_sym[i].name; i++) {
+-                struct symbol *n = bsearch(symbols_from_sym+i, symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
+-                if (!n)
++        for (size_t i = 0; i < n_sym; i++) {
++                if (!bsearch(symbols_from_sym+i, symbols_from_source, n_source, size, sort_callback)) {
+                         printf("Found in symbol file, but not in sources: %s\\n", symbols_from_sym[i].name);
++                        n_error++;
++                }
+         }
+ 
+-        for (j = 0; symbols_from_source[j].name; j++) {
+-                struct symbol *n = bsearch(symbols_from_source+j, symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
+-                if (!n)
+-                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[j].name);
++        for (size_t i = 0; i < n_source; i++) {
++                if (!bsearch(symbols_from_source+i, symbols_from_sym, n_sym, size, sort_callback)) {
++                        printf("Found in source file, but not in symbol file: %s\\n", symbols_from_source[i].name);
++                        n_error++;
++                }
+         }
+ 
+-        return i == j ? EXIT_SUCCESS : EXIT_FAILURE;
+-}''')
++        return n_error == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
++}""")

SOURCES/0004-test-also-generate-list-of-symbols-from-header-files.patch

+From 1601149c5b14ed9e6e34b46ddb2ba3006b5f5315 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 12 Dec 2024 13:18:59 +0900
+Subject: [PATCH] test: also generate list of symbols from header files
+
+To make the generated tests able to detect issues like #35554.
+
+(cherry picked from commit 0b39dc23ba2d8d3e99f5dc30c3da5d0f6baf10d7)
+---
+ src/test/generate-sym-test.py | 74 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 74 insertions(+)
+
+diff --git a/src/test/generate-sym-test.py b/src/test/generate-sym-test.py
+index 24223aa7b0..7b5ded936c 100755
+--- a/src/test/generate-sym-test.py
++++ b/src/test/generate-sym-test.py
+@@ -19,6 +19,47 @@ def process_sym_file(file: IO[str]) -> None:
+                 print(f'        {{ "{m[1]}", {m[1]} }},')
+ 
+ 
++def process_header_file(file: IO[str]) -> None:
++    for line in file:
++        if (
++            line.startswith('#')
++            or line.startswith('typedef')
++            or line.startswith('extern "C"')
++            or line.startswith('__extension__')
++            or line.startswith('/*')
++            or ' __inline__ ' in line
++            or re.search(r'^\s+', line)
++        ):
++            continue
++
++        m = re.search(r'^(.*)\s*__attribute__', line)
++        if m:
++            line = m[1]
++
++        m = re.search(r'^(.*)\s*_sd_printf_', line)
++        if m:
++            line = m[1]
++
++        # Functions
++        m = re.search(r'^(\S+\s+)+\**(\w+)\s*\(', line)
++        if m:
++            print(f'        {{ "{m[2]}", {m[2]} }},')
++            continue
++
++        # Variables
++        m = re.search(r'^extern\s', line)
++        if m:
++            n = line.split()[-1].rstrip(';')
++            print(f'        {{ "{n}", &{n} }},')
++            continue
++
++        # Functions defined by macro
++        m = re.search(r'_SD_DEFINE_POINTER_CLEANUP_FUNC\(\w+,\s*(\w+)\)', line)
++        if m:
++            print(f'        {{ "{m[1]}", {m[1]} }},')
++            continue
++
++
+ def process_source_file(file: IO[str]) -> None:
+     for line in file:
+         # Functions
+@@ -83,6 +124,13 @@ static struct symbol symbols_from_sym[] = {""")
+ with open(sys.argv[1], 'r') as f:
+     process_sym_file(f)
+ 
++print("""        {}
++}, symbols_from_header[] = {""")
++
++for header in sys.argv[3:]:
++    with open(header, 'r') as f:
++        process_header_file(f)
++
+ print("""        {}
+ }, symbols_from_source[] = {""")
+ 
+@@ -104,37 +152,63 @@ static int sort_callback(const void *a, const void *b) {
+ int main(void) {
+         size_t size = sizeof(symbols_from_sym[0]),
+                 n_sym = sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0]) - 1,
++                n_header = sizeof(symbols_from_header)/sizeof(symbols_from_header[0]) - 1,
+                 n_source = sizeof(symbols_from_source)/sizeof(symbols_from_source[0]) - 1;
+ 
+         qsort(symbols_from_sym, n_sym, size, sort_callback);
++        qsort(symbols_from_header, n_header, size, sort_callback);
+         qsort(symbols_from_source, n_source, size, sort_callback);
+ 
+         puts("From symbol file:");
+         for (size_t i = 0; i < n_sym; i++)
+                 printf("%p: %s\\n", symbols_from_sym[i].symbol, symbols_from_sym[i].name);
+ 
++        puts("\\nFrom header files:");
++        for (size_t i = 0; i < n_header; i++)
++                printf("%p: %s\\n", symbols_from_header[i].symbol, symbols_from_header[i].name);
++
+         puts("\\nFrom source files:");
+         for (size_t i = 0; i < n_source; i++)
+                 printf("%p: %s\\n", symbols_from_source[i].symbol, symbols_from_source[i].name);
+ 
+         puts("");
+         printf("Found %zu symbols from symbol file.\\n", n_sym);
++        printf("Found %zu symbols from header files.\\n", n_header);
+         printf("Found %zu symbols from source files.\\n", n_source);
+ 
+         unsigned n_error = 0;
+ 
+         for (size_t i = 0; i < n_sym; i++) {
++                if (!bsearch(symbols_from_sym+i, symbols_from_header, n_header, size, sort_callback)) {
++                        printf("Found in symbol file, but not in headers: %s\\n", symbols_from_sym[i].name);
++                        n_error++;
++                }
+                 if (!bsearch(symbols_from_sym+i, symbols_from_source, n_source, size, sort_callback)) {
+                         printf("Found in symbol file, but not in sources: %s\\n", symbols_from_sym[i].name);
+                         n_error++;
+                 }
+         }
+ 
++        for (size_t i = 0; i < n_header; i++) {
++                if (!bsearch(symbols_from_header+i, symbols_from_sym, n_sym, size, sort_callback)) {
++                        printf("Found in header file, but not in symbol file: %s\\n", symbols_from_header[i].name);
++                        n_error++;
++                }
++                if (!bsearch(symbols_from_header+i, symbols_from_source, n_source, size, sort_callback)) {
++                        printf("Found in header file, but not in sources: %s\\n", symbols_from_header[i].name);
++                        n_error++;
++                }
++        }
++
+         for (size_t i = 0; i < n_source; i++) {
+                 if (!bsearch(symbols_from_source+i, symbols_from_sym, n_sym, size, sort_callback)) {
+                         printf("Found in source file, but not in symbol file: %s\\n", symbols_from_source[i].name);
+                         n_error++;
+                 }
++                if (!bsearch(symbols_from_source+i, symbols_from_header, n_header, size, sort_callback)) {
++                        printf("Found in source file, but not in header: %s\\n", symbols_from_source[i].name);
++                        n_error++;
++                }
+         }
+ 
+         return n_error == 0 ? EXIT_SUCCESS : EXIT_FAILURE;

SOURCES/0005-man-systemd-cryptenroll-sort-fido2-credential-algori.patch

+From 2f2cd7a8657ebc7cdbddabe1166cbdcb94d66995 Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
+Date: Wed, 11 Dec 2024 07:32:04 +0100
+Subject: [PATCH] man/systemd-cryptenroll: sort --fido2-credential-algorithm
+ after --fido2-device
+
+And also fix a typo.
+
+(cherry picked from commit 62b7b70bb78f85198509b3327cb29b83ed9218ec)
+---
+ man/systemd-cryptenroll.xml | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
+index 83f8b2d8a1..f3c23adfd0 100644
+--- a/man/systemd-cryptenroll.xml
++++ b/man/systemd-cryptenroll.xml
+@@ -384,24 +384,9 @@
+   <refsect1>
+     <title>FIDO2 Enrollment</title>
+ 
+-    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
++    <para>The following options are understood that may be used to enroll FIDO2 tokens:</para>
+ 
+     <variablelist>
+-      <varlistentry>
+-        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
+-        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
+-        <literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
+-        and <literal>eddsa</literal>.</para>
+-
+-        <para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
+-        denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
+-        EDDSA over Curve25519 with SHA-512.</para>
+-
+-        <para>Note that your authenticator may choose not to support some algorithms.</para>
+-
+-        <xi:include href="version-info.xml" xpointer="v251"/></listitem>
+-      </varlistentry>
+-
+       <varlistentry>
+         <term><option>--fido2-device=<replaceable>PATH</replaceable></option></term>
+ 
+@@ -428,6 +413,21 @@
+         <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+       </varlistentry>
+ 
++      <varlistentry>
++        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
++        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
++        <literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
++        and <literal>eddsa</literal>.</para>
++
++        <para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
++        denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
++        EDDSA over Curve25519 with SHA-512.</para>
++
++        <para>Note that your authenticator may choose not to support some algorithms.</para>
++
++        <xi:include href="version-info.xml" xpointer="v251"/></listitem>
++      </varlistentry>
++
+       <varlistentry>
+         <term><option>--fido2-salt-file=<replaceable>PATH</replaceable></option></term>
+ 

SOURCES/0006-analyze-tab-fix.patch

+From f4215e7909a74e01f3275c8537d9574924aefa4c Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 11 Dec 2024 10:31:41 +0100
+Subject: [PATCH] analyze: tab fix
+
+(cherry picked from commit 7167bee6c672f9a0729631ba1f7459dd5e18f549)
+---
+ src/analyze/analyze-plot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/analyze/analyze-plot.c b/src/analyze/analyze-plot.c
+index c50343d71c..20d6811f9b 100644
+--- a/src/analyze/analyze-plot.c
++++ b/src/analyze/analyze-plot.c
+@@ -170,7 +170,7 @@ static void plot_tooltip(const UnitTimes *ut) {
+         svg("%s:\n", ut->name);
+         svg("Activating: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activating / USEC_PER_SEC, ut->activating % USEC_PER_SEC);
+         svg("Activated: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activated / USEC_PER_SEC, ut->activated % USEC_PER_SEC);
+-        
++
+         UnitDependency i;
+         FOREACH_ARGUMENT(i, UNIT_AFTER, UNIT_BEFORE, UNIT_REQUIRES, UNIT_REQUISITE, UNIT_WANTS, UNIT_CONFLICTS, UNIT_UPHOLDS)
+                 if (!strv_isempty(ut->deps[i])) {

SOURCES/0007-analyze-add-missing-mask-option-to-help-text.patch

+From bbeb07ad24f5a4e2e391dc761fa05f3b39b29077 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 11 Dec 2024 10:31:58 +0100
+Subject: [PATCH] analyze: add missing --mask option to --help text
+
+Follow-up for: 3e7a029c2856e7814b930443cc2d4fb089377592
+
+(cherry picked from commit 4d09f976f6c10729619c7f4c87dd121aa34d019b)
+---
+ src/analyze/analyze.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
+index 0db3547a49..e21f12c65e 100644
+--- a/src/analyze/analyze.c
++++ b/src/analyze/analyze.c
+@@ -284,6 +284,7 @@ static int help(int argc, char *argv[], void *userdata) {
+                "     --root=PATH             Operate on an alternate filesystem root\n"
+                "     --image=PATH            Operate on disk image as filesystem root\n"
+                "     --image-policy=POLICY   Specify disk image dissection policy\n"
++               "  -m --mask                  Parse parameter as numeric capability mask\n"
+                "\nSee the %2$s for details.\n",
+                program_invocation_short_name,
+                link,

SOURCES/0008-test-set-nsec3-salt-length-8-in-knot.conf.patch

+From 1b945fb1a727f85be9230e43d2fdaf78d2567946 Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook <enr0n@ubuntu.com>
+Date: Tue, 10 Dec 2024 16:48:59 -0500
+Subject: [PATCH] test: set nsec3-salt-length=8 in knot.conf
+
+TEST-75-RESOLVED fails on Ubuntu autopkgtest due to this warning from
+knot:
+
+ notice: config, policy 'auto_rollover_nsec3' depends on default nsec3-salt-length=8, since version 3.5 the default becomes 0
+
+Explicitly set nsec3-salt-length=8 to silence.
+
+(cherry picked from commit 59e5108fb4e61957cb40bb15ac7966d085d13af2)
+---
+ test/knot-data/knot.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
+index b8b9e7925d..6d177d7285 100644
+--- a/test/knot-data/knot.conf
++++ b/test/knot-data/knot.conf
+@@ -60,6 +60,7 @@ policy:
+       ksk-submission: parent_zone_sbm
+       nsec3-iterations: 0
+       nsec3: on
++      nsec3-salt-length: 8
+       propagation-delay: 1s
+       signing-threads: 4
+       zone-max-ttl: 1s

SOURCES/0009-test-capability-CAP_LINUX_IMMUTABLE-is-not-available.patch

+From d80ab6aed678ed89327d86ced9fedd24b5baccd3 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Dec 2024 12:10:13 +0000
+Subject: [PATCH] test-capability: CAP_LINUX_IMMUTABLE is not available in
+ unprivileged containers
+
+have ambient caps: yes
+Capabilities:cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
+Failed to drop auxiliary groups list: Operation not permitted
+Failed to change group ID: Operation not permitted
+Capabilities:cap_dac_override,cap_net_raw=ep
+Capabilities:cap_dac_override=ep
+Successfully forked off '(getambient)' as PID 12505.
+Skipping PR_SET_MM, as we don't have privileges.
+Ambient capability cap_linux_immutable requested but missing from bounding set, suppressing automatically.
+Assertion 'x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)' failed at src/test/test-capability.c:273, function test_capability_get_ambient(). Aborting.
+(getambient) terminated by signal ABRT.
+src/test/test-capability.c:258: Assertion failed: expected "r" to succeed, but got error: Protocol error
+
+Partially fixes #35552
+
+(cherry picked from commit 058a07635f3ff70cc99943dcf4f2a079bc9c28b9)
+---
+ src/test/test-capability.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/test/test-capability.c b/src/test/test-capability.c
+index 51bd806348..127f5e3d87 100644
+--- a/src/test/test-capability.c
++++ b/src/test/test-capability.c
+@@ -254,6 +254,13 @@ static void test_capability_get_ambient(void) {
+ 
+         ASSERT_OK(capability_get_ambient(&c));
+ 
++        r = prctl(PR_CAPBSET_READ, CAP_MKNOD);
++        if (r <= 0)
++                return (void) log_tests_skipped("Lacking CAP_MKNOD, skipping getambient test.");
++        r = prctl(PR_CAPBSET_READ, CAP_LINUX_IMMUTABLE);
++        if (r <= 0)
++                return (void) log_tests_skipped("Lacking CAP_LINUX_IMMUTABLE, skipping getambient test.");
++
+         r = safe_fork("(getambient)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_LOG, NULL);
+         ASSERT_OK(r);
+ 

SOURCES/0010-test-fd-util-skip-test-when-lacking-privileges-to-cr.patch

+From 5573ac7d9c52bed8d38480788b02639ede3881fc Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Dec 2024 12:01:18 +0000
+Subject: [PATCH] test-fd-util: skip test when lacking privileges to create a
+ new namespace
+
+To reproduce, as an unprivileged user start a docker container and build
+and run the unit tests inside it:
+
+$ docker run --rm -ti debian:bookworm bash
+...
+/* test_close_all_fds */
+Successfully forked off '(caf-plain)' as PID 10496.
+Skipping PR_SET_MM, as we don't have privileges.
+(caf-plain) succeeded.
+Failed to fork off '(caf-noproc)': Operation not permitted
+Assertion 'r >= 0' failed at src/test/test-fd-util.c:392, function test_close_all_fds(). Aborting.
+
+Partially fixes #35552
+
+(cherry picked from commit 630a2e7ee195ca96e102acac8df67a278a879124)
+---
+ src/test/test-fd-util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
+index 20cf7b7627..5817d92725 100644
+--- a/src/test/test-fd-util.c
++++ b/src/test/test-fd-util.c
+@@ -389,6 +389,8 @@ TEST(close_all_fds) {
+                         test_close_all_fds_inner();
+                 _exit(EXIT_SUCCESS);
+         }
++        if (ERRNO_IS_NEG_PRIVILEGE(r))
++                return (void) log_tests_skipped("Lacking privileges for test in namespace with /proc/ overmounted");
+         assert_se(r >= 0);
+ 
+         if (!is_seccomp_available())

SOURCES/0011-test-fd-util-compare-FDs-to-bin-sh-instead-of-dev-nu.patch

+From c026cecac33c3b19b1a466304058eb0f7f71187b Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Dec 2024 13:40:10 +0000
+Subject: [PATCH] test-fd-util: compare FDs to /bin/sh instead of /dev/null
+
+/dev/null is a character device, so same_fd() in the fallback path
+that compares fstat will fail, as that bails out if the fd refers
+to a char device. This happens on kernels without F_DUPFD_QUERY and
+without kcmp.
+
+/* test_same_fd */
+Assertion 'same_fd(d, e) > 0' failed at src/test/test-fd-util.c:111, function test_same_fd(). Aborting.
+
+Fixes #35552
+
+(cherry picked from commit 3b32d333e88f2a66651d58e32e01599fa84c3d19)
+---
+ src/test/test-fd-util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
+index 5817d92725..a359efa052 100644
+--- a/src/test/test-fd-util.c
++++ b/src/test/test-fd-util.c
+@@ -76,9 +76,9 @@ TEST(same_fd) {
+ 
+         assert_se(pipe2(p, O_CLOEXEC) >= 0);
+         assert_se((a = fcntl(p[0], F_DUPFD, 3)) >= 0);
+-        assert_se((b = open("/dev/null", O_RDONLY|O_CLOEXEC)) >= 0);
++        assert_se((b = open("/bin/sh", O_RDONLY|O_CLOEXEC)) >= 0);
+         assert_se((c = fcntl(a, F_DUPFD, 3)) >= 0);
+-        assert_se((d = open("/dev/null", O_RDONLY|O_CLOEXEC|O_PATH)) >= 0); /* O_PATH changes error returns in F_DUPFD_QUERY, let's test explicitly */
++        assert_se((d = open("/bin/sh", O_RDONLY|O_CLOEXEC|O_PATH)) >= 0); /* O_PATH changes error returns in F_DUPFD_QUERY, let's test explicitly */
+         assert_se((e = fcntl(d, F_DUPFD, 3)) >= 0);
+ 
+         assert_se(same_fd(p[0], p[0]) > 0);

SOURCES/0012-mkosi-use-inetutils-package-instead-of-hostname-for-.patch

+From e1659133e79d20799a0841f3099f921957743691 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Dec 2024 11:48:09 +0000
+Subject: [PATCH] mkosi: use inetutils package instead of hostname for
+ Archlinux
+
+In Arch the hostname binary is in a different package
+
+Follow-up for cf48bde7aea52b18ac3fa218d3f60fd3d533ef66
+
+(cherry picked from commit 446d737cba3652a9f3dbd07cea9cb4082350b241)
+---
+ mkosi.conf.d/10-arch/mkosi.conf          | 1 +
+ mkosi.conf.d/10-centos-fedora/mkosi.conf | 1 +
+ mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 1 +
+ mkosi.conf.d/10-opensuse/mkosi.conf      | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.conf.d/10-arch/mkosi.conf
+index 5a4015e4d7..9ceb6ea6f8 100644
+--- a/mkosi.conf.d/10-arch/mkosi.conf
++++ b/mkosi.conf.d/10-arch/mkosi.conf
+@@ -25,6 +25,7 @@ Packages=
+         f2fs-tools
+         git
+         gnutls
++        inetutils
+         iproute
+         iputils
+         knot
+diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf
+index 5b1865a253..8004c089ad 100644
+--- a/mkosi.conf.d/10-centos-fedora/mkosi.conf
++++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf
+@@ -32,6 +32,7 @@ Packages=
+         glibc-langpack-de
+         glibc-langpack-en
+         gnutls-utils
++        hostname
+         integritysetup
+         iproute
+         iproute-tc
+diff --git a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+index 46dd98828f..c898664f83 100644
+--- a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
++++ b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+@@ -48,6 +48,7 @@ Packages=
+         fdisk
+         git-core
+         gnutls-bin
++        hostname
+         iproute2
+         iputils-ping
+         isc-dhcp-server
+diff --git a/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.conf.d/10-opensuse/mkosi.conf
+index 8a08b1f8c7..4ee3894c00 100644
+--- a/mkosi.conf.d/10-opensuse/mkosi.conf
++++ b/mkosi.conf.d/10-opensuse/mkosi.conf
+@@ -47,6 +47,7 @@ Packages=
+         grep
+         group(wheel)
+         gzip
++        hostname
+         iputils
+         kernel-default
+         kmod

SOURCES/0013-man-document-unprivileged-is-not-for-reading-propert.patch

+From cd727031a4daafe19f491df360c512433562f469 Mon Sep 17 00:00:00 2001
+From: Katariina Lounento <katariina.lounento@vaisala.com>
+Date: Mon, 9 Dec 2024 16:09:13 +0200
+Subject: [PATCH] man: document unprivileged is not for reading properties
+
+Document the fact that read-only properties may not have the flag
+SD_BUS_VTABLE_UNPRIVILEGED as that is not obvious especially given the
+flag is accepted for writable properties.
+
+Based on the check in `add_object_vtable_internal` called by
+`sd_bus_add_object_vtable` (as of the current tip of the main branch
+f7f5ba019206cacd486b0892fec76f70f525e04d):
+
+    case _SD_BUS_VTABLE_PROPERTY: {
+            [...]
+            if ([...] ||
+                [...]
+                (v->flags & SD_BUS_VTABLE_UNPRIVILEGED && v->type == _SD_BUS_VTABLE_PROPERTY)) {
+                    r = -EINVAL;
+                    goto fail;
+            }
+
+(where `_SD_BUS_VTABLE_PROPERTY` means read-only property whereas
+`_SD_BUS_VTABLE_WRITABLE_PROPERTY` maps to writable property).
+
+This was implemented in the commit
+adacb9575a09981fcf11279f2f661e3fc21e58ff ("bus: introduce "trusted" bus
+concept and encode access control in object vtables") where
+`SD_BUS_VTABLE_UNPRIVILEGED` was introduced:
+
+    Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED
+    and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them.
+    Note however that read access is unrestricted, as PropertiesChanged
+    messages might send out the values anyway as an unrestricted
+    broadcast.
+
+(cherry picked from commit 3ca09aa4dd57327989eceb1298754601046ac041)
+---
+ man/sd_bus_add_object.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/man/sd_bus_add_object.xml b/man/sd_bus_add_object.xml
+index 4d14a7e731..5572f421fb 100644
+--- a/man/sd_bus_add_object.xml
++++ b/man/sd_bus_add_object.xml
+@@ -589,6 +589,9 @@
+           <constant>org.freedesktop.systemd1.Privileged</constant> annotation with value
+           <literal>true</literal> will be shown in introspection data.</para>
+ 
++          <para><constant>SD_BUS_VTABLE_UNPRIVILEGED</constant> may not be applied to read-only properties,
++          but read access (to both read-only and writable properties) is always unrestricted.</para>
++
+           <para>Note that this page describes checks implemented in the D-Bus client. The D-Bus server has an
+           additional policy that may permit or deny connections, see
+           "CONFIGURATION FILE" in

SOURCES/0014-profile.d-don-t-bail-if-SHELL_-variables-are-unset.patch

+From 6b90a137892e18bd3c2cacb4aba2759da7ff3081 Mon Sep 17 00:00:00 2001
+From: Tobias Klauser <tklauser@distanz.ch>
+Date: Wed, 11 Dec 2024 15:10:39 +0100
+Subject: [PATCH] profile.d: don't bail if $SHELL_* variables are unset
+
+If - for whatever reason - a script uses set -u (nounset) and includes
+/etc/profile.d/70-systemd-shell-extra.sh (e.g. transitively via
+/etc/profile) the script would fail with:
+
+    /etc/profile.d/70-systemd-shell-extra.sh: line 15: SHELL_PROMPT_PREFIX: unbound variable
+
+For example:
+
+    $ cat > foo.sh <<EOF
+    #!/bin/sh
+    set -u
+
+    source /etc/profile
+    EOF
+    $ chmod 700 foo.sh
+    $ ./foo.sh
+    /etc/profile.d/70-systemd-shell-extra.sh: line 15: SHELL_PROMPT_PREFIX: unbound variable
+
+Fix this by using shell parameter substitution[^1] (which is a POSIX
+shell concept) to set the $SHELL_* variables to the empty string if
+undefined.
+
+[^1]: https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/utilities/V3_chap02.html
+
+(cherry picked from commit 12e33d332b3f8754f4d5d0d21d5d3f0de8adc54c)
+---
+ profile.d/70-systemd-shell-extra.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/profile.d/70-systemd-shell-extra.sh b/profile.d/70-systemd-shell-extra.sh
+index 70be3341b9..dae77e4bc7 100644
+--- a/profile.d/70-systemd-shell-extra.sh
++++ b/profile.d/70-systemd-shell-extra.sh
+@@ -12,14 +12,14 @@
+ # credentials shell.prompt.prefix, shell.prompt.suffix and shell.welcome, and
+ # are propagated into these environment variables by pam_systemd(8).
+ 
+-if [ -n "$SHELL_PROMPT_PREFIX" ]; then
++if [ -n "${SHELL_PROMPT_PREFIX-}" ]; then
+     PS1="$SHELL_PROMPT_PREFIX$PS1"
+ fi
+ 
+-if [ -n "$SHELL_PROMPT_SUFFIX" ]; then
++if [ -n "${SHELL_PROMPT_SUFFIX-}" ]; then
+     PS1="$PS1$SHELL_PROMPT_SUFFIX"
+ fi
+ 
+-if [ -n "$SHELL_WELCOME" ]; then
++if [ -n "${SHELL_WELCOME-}" ]; then
+    printf '%b\n' "$SHELL_WELCOME"
+ fi

SOURCES/0015-Fixing-VLAN-ranges-in-man-systemd.network.patch

+From 9fad72cc52bdec7f44337b1e48c23ee15fc08d77 Mon Sep 17 00:00:00 2001
+From: andrejpodzimek <andrej@podzimek.org>
+Date: Wed, 11 Dec 2024 12:46:43 +0000
+Subject: [PATCH] Fixing VLAN ranges in man systemd.network.
+
+Otherwise it doesn't hold that VLANs 100-400 are allowed (because 201-299 are disallowed).
+
+(cherry picked from commit ae2f3af63962ba6e2f67cfce07c9fee61722e30e)
+---
+ man/systemd.network.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd.network.xml b/man/systemd.network.xml
+index 9d8dcba509..32cfb207e0 100644
+--- a/man/systemd.network.xml
++++ b/man/systemd.network.xml
+@@ -6431,7 +6431,7 @@ PVID=42
+ EgressUntagged=42
+ 
+ [BridgeVLAN]
+-VLAN=100-200
++VLAN=100-299
+ 
+ [BridgeVLAN]
+ EgressUntagged=300-400</programlisting>

SOURCES/0016-test-bpf-restrict-fs-Migrate-to-new-assertion-macros.patch

+From ab99950f1a0ab9401b44357d226a5880b5f262a7 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Wed, 11 Dec 2024 12:44:26 +0000
+Subject: [PATCH] test-bpf-restrict-fs: Migrate to new assertion macros
+
+(cherry picked from commit 1c658c639db1c902266735754f2e2883fe67d1d9)
+---
+ src/test/test-bpf-restrict-fs.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/test/test-bpf-restrict-fs.c b/src/test/test-bpf-restrict-fs.c
+index 11e97bf922..349c5a6894 100644
+--- a/src/test/test-bpf-restrict-fs.c
++++ b/src/test/test-bpf-restrict-fs.c
+@@ -18,9 +18,9 @@ static int test_restrict_filesystems(Manager *m, const char *unit_name, const ch
+         ExecContext *ec = NULL;
+         int cld_code, r;
+ 
+-        assert_se(u = unit_new(m, sizeof(Service)));
+-        assert_se(unit_add_name(u, unit_name) == 0);
+-        assert_se(ec = unit_get_exec_context(u));
++        ASSERT_NOT_NULL(u = unit_new(m, sizeof(Service)));
++        ASSERT_OK_ZERO(unit_add_name(u, unit_name));
++        ASSERT_NOT_NULL(ec = unit_get_exec_context(u));
+ 
+         STRV_FOREACH(allow_filesystem, allowed_filesystems) {
+                 r = config_parse_restrict_filesystems(
+@@ -30,7 +30,7 @@ static int test_restrict_filesystems(Manager *m, const char *unit_name, const ch
+                         return log_unit_error_errno(u, r, "Failed to parse RestrictFileSystems: %m");
+         }
+ 
+-        assert_se(exec_start = strjoin("cat ", file_path));
++        ASSERT_NOT_NULL(exec_start = strjoin("cat ", file_path));
+         r = config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart",
+                         SERVICE_EXEC_START, exec_start, SERVICE(u)->exec_command, u);
+         if (r < 0)
+@@ -84,19 +84,19 @@ int main(int argc, char *argv[]) {
+ 
+         ASSERT_OK(get_testdata_dir("units", &unit_dir));
+         ASSERT_OK(setenv_unit_path(unit_dir));
+-        assert_se(runtime_dir = setup_fake_runtime_dir());
++        ASSERT_NOT_NULL(runtime_dir = setup_fake_runtime_dir());
+ 
+         ASSERT_OK(manager_new(RUNTIME_SCOPE_SYSTEM, MANAGER_TEST_RUN_BASIC, &m));
+         ASSERT_OK(manager_startup(m, NULL, NULL, NULL));
+ 
+         /* We need to enable access to the filesystem where the binary is so we
+          * add @common-block and @application */
+-        ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("@common-block", "@application")), 0);
++        ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("@common-block", "@application")));
+         ASSERT_OK(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("tracefs", "@common-block", "@application")));
+-        ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("tracefs", "@common-block", "@application", "~tracefs")), 0);
+-        ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("@common-block", "@application")), 0);
++        ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("tracefs", "@common-block", "@application", "~tracefs")));
++        ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("@common-block", "@application")));
+         ASSERT_OK(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("debugfs", "@common-block", "@application")));
+-        ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("~debugfs")), 0);
++        ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("~debugfs")));
+ 
+         return 0;
+ }

SOURCES/0017-man-update-example-in-systemd-measure.xml-35506.patch

+From 926f5ab6bf0e3541106e6a6f95af4cbdec50582b Mon Sep 17 00:00:00 2001
+From: cvlc12 <97767846+cvlc12@users.noreply.github.com>
+Date: Wed, 11 Dec 2024 22:09:11 +0100
+Subject: [PATCH] man: update example in systemd-measure.xml (#35506)
+
+In the example from systemd-measure(1), do not bind to PCR 7 in
+addition to the PCR policy.
+
+As long as this is still done by default, see #35280.
+
+(cherry picked from commit 693038fce47a819c5eebeb4fce39c9ac991acf84)
+---
+ man/systemd-measure.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
+index 5d697dd62f..368c94f700 100644
+--- a/man/systemd-measure.xml
++++ b/man/systemd-measure.xml
+@@ -328,6 +328,7 @@ $ ukify build \
+      <programlisting># systemd-cryptenroll --tpm2-device=auto \
+      --tpm2-public-key=tpm2-pcr-public-key.pem \
+      --tpm2-signature=tpm2-pcr-signature.json \
++     --tpm2-pcrs="" \
+      /dev/sda5</programlisting>
+ 
+      <para>And then unlock the device with the signature:</para>

SOURCES/0018-systemd-cryptenroll.xml-fix-typo.patch

+From df38ba869ceaf15ee7d5962660d644403c068f7a Mon Sep 17 00:00:00 2001
+From: Carlo Teubner <carlo@cteubner.net>
+Date: Wed, 11 Dec 2024 22:40:07 +0000
+Subject: [PATCH] systemd-cryptenroll.xml: fix typo
+
+(cherry picked from commit dfbd4d8bc5f18746051929e32f772078d6782e90)
+---
+ man/systemd-cryptenroll.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
+index f3c23adfd0..fb36f455ba 100644
+--- a/man/systemd-cryptenroll.xml
++++ b/man/systemd-cryptenroll.xml
+@@ -634,7 +634,7 @@
+         <para>Note the difference between <option>--tpm2-pcrs=</option> and
+         <option>--tpm2-public-key-pcrs=</option>: the former binds decryption to the current, specific PCR
+         values; the latter binds decryption to any set of PCR values for which a signature by the specified
+-        public key can be provided. The latter is hence more useful in scenarios where software updates shell
++        public key can be provided. The latter is hence more useful in scenarios where software updates shall
+         be possible without losing access to all previously encrypted LUKS2 volumes. Like with
+         <option>--tpm2-pcrs=</option>, names defined in the table above can also be used to specify the
+         registers, for instance

SOURCES/0019-semaphore-skip-some-tests.patch

+From e768cf55b19caec6c8936050b245f398aba8b884 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Dec 2024 20:44:25 +0000
+Subject: [PATCH] semaphore: skip some tests
+
+semaphore CI runs are always very close to the limit of 1hr, and often
+time out when it's particularly oversubscribed.
+Skip some low-value test cases to shorten the runtime.
+
+(cherry picked from commit e19cae12ff2e832ce7d79aa483e1aa27ed0ea1f4)
+---
+ .semaphore/semaphore-runner.sh | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh
+index e903ced70d..b663674652 100755
+--- a/.semaphore/semaphore-runner.sh
++++ b/.semaphore/semaphore-runner.sh
+@@ -109,6 +109,9 @@ EOF
+                                                        --env DPKG_DEB_COMPRESSOR_TYPE="none" \
+                                                        --env DEB_BUILD_PROFILES="pkg.systemd.upstream noudeb nodoc" \
+                                                        --env TEST_UPSTREAM=1 \
++                                                       --skip-test localed-locale \
++                                                       --skip-test localed-x11-keymap \
++                                                       --skip-test build-with-static-libsystemd \
+                                                        ../systemd_*.dsc \
+                                                        -o "$ARTIFACTS_DIR" \
+                                                        -- lxc -s "$CONTAINER" \