New Tumbleweed snapshot 20210711 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20210711
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
ffmpeg-4
grub2 (2.04 -> 2.06)
hwdata (0.348 -> 0.349)
libcdio-paranoia (10.2+2.0.0 -> 10.2+2.0.1)
libeconf (0.4.0+git20210413.fdb8025 -> 0.4.1+git20210709.cf671f2)
libvirt
polkit-default-privs (1550+20210615.e149f78 -> 1550+20210708.6401347)
python-kiwi (9.23.31 -> 9.23.43)
rubygem-parser (3.0.1.1 -> 3.0.2.0)
rubygem-rubocop (1.17.0 -> 1.18.3)
selinux-policy
=== Details ===
==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavdevice58_13 libavfilter7_110 libavformat58_76 libavresample4_0 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9
- Remove second hunk of ffmpeg-CVE-2020-22046.patch, that contains
a goto to a non-existing label. In order to distinguish this
patch from the original, I renamed it to
ffmpeg-4.4-CVE-2020-22046.patch
- While at it, refresh the other patches with offsets
- Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix
a denial of service vulnerability that exists in FFmpeg 4.2 due to a
memory leak in the avpriv_float_dsp_allocl function in
libavutil/float_dsp.c (bsc#1186849).
- Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix
dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an
out-of-bounds array access because dc_count is not strictly
checked (bsc#1186865).
==== grub2 ====
Version update (2.04 -> 2.06)
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen
- Version bump to 2.06
* rediff
- 0001-add-support-for-UEFI-network-protocols.patch
- 0002-net-read-bracketed-ipv6-addrs-and-port-numbers.patch
- 0003-Make-grub_error-more-verbose.patch
- 0003-bootp-New-net_bootp6-command.patch
- 0005-grub.texi-Add-net_bootp6-doument.patch
- 0006-bootp-Add-processing-DHCPACK-packet-from-HTTP-Boot.patch
- 0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
- 0008-efinet-Setting-DNS-server-from-UEFI-protocol.patch
- 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
- grub-install-force-journal-draining-to-ensure-data-i.patch
- grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
- grub2-diskfilter-support-pv-without-metadatacopies.patch
- grub2-efi-HP-workaround.patch
- grub2-efi-xen-cfg-unquote.patch
- grub2-efi-xen-chainload.patch
- grub2-fix-menu-in-xen-host-server.patch
- grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
- grub2-install-remove-useless-check-PReP-partition-is-empty.patch
- grub2-lvm-allocate-metadata-buffer-from-raw-contents.patch
- grub2-mkconfig-default-entry-correction.patch
- grub2-pass-corret-root-for-nfsroot.patch
- grub2-s390x-03-output-7-bit-ascii.patch
- grub2-s390x-04-grub2-install.patch
- grub2-secureboot-install-signed-grub.patch
- grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch
- use-grub2-as-a-package-name.patch
* update by patch squashed:
- 0001-Add-support-for-Linux-EFI-stub-loading-on-aarch64.patch
- grub2-efi-chainload-harder.patch
- grub2-secureboot-no-insmod-on-sb.patch
- grub2-secureboot-chainloader.patch
- grub2-secureboot-add-linuxefi.patch
* remove squashed patches:
- 0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
- 0009-squash-Add-support-for-linuxefi.patch
- 0041-squash-Add-secureboot-support-on-efi-chainloader.patch
- 0042-squash-grub2-efi-chainload-harder.patch
- 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
- 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
* drop upstream patches:
- 0001-Warn-if-MBR-gap-is-small-and-user-uses-advanced-modu.patch
- 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
- 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
- 0001-mdraid1x_linux-Fix-gcc10-error-Werror-array-bounds.patch
- 0001-normal-Move-common-datetime-functions-out-of-the-nor.patch
- 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
- 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
- 0002-grub-install-Avoid-incompleted-install-on-i386-pc.patch
- 0002-kern-Add-X-option-to-printf-functions.patch
- 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
- 0002-zfs-Fix-gcc10-error-Werror-zero-length-bounds.patch
- 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
- 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
- 0003-normal-main-Search-for-specific-config-files-for-net.patch
- 0004-calloc-Use-calloc-at-most-places.patch
- 0004-datetime-Enable-the-datetime-module-for-the-emu-plat.patch
- 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
- 0005-Make-linux_arm_kernel_header.hdr_offset-be-at-the-ri.patch
- 0005-efi-Add-secure-boot-detection.patch
- 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
- 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
- 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
- 0007-font-Do-not-load-more-than-one-NAME-section.patch
- 0007-verifiers-Move-verifiers-API-to-kernel-image.patch
- 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
- 0008-script-Remove-unused-fields-from-grub_script_functio.patch
- 0009-kern-Add-lockdown-support.patch
- 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
- 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
- 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
- 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
- 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
- 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
- 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
- 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
- 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
- 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
- 0018-gdb-Restrict-GDB-access-when-locked-down.patch
- 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
- 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
- 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
- 0025-kern-parser-Fix-a-memory-leak.patch
- 0026-kern-parser-Introduce-process_char-helper.patch
- 0027-kern-parser-Introduce-terminate_arg-helper.patch
- 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
- 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
- 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
- 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
- 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
- 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
- 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
- 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
- 0036-util-mkimage-Improve-data_size-value-calculation.patch
- 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
- 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
- 0039-grub-install-common-Add-sbat-option.patch
- 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
- grub-install-define-default-platform-for-risc-v.patch
- grub2-editenv-add-warning-message.patch
- grub2-efi-gop-add-blt.patch
- grub2-efi-uga-64bit-fb.patch
- grub2-verifiers-fix-system-freeze-if-verify-failed.patch
- risc-v-add-clzdi2-symbol.patch
- risc-v-fix-computation-of-pc-relative-relocation-offset.patch
- Add grub2-instdev-fixup.pl for correcting /etc/default/grub_installdevice to
use disk device if grub has been installed to it
- Add 0001-30_uefi-firmware-fix-printf-format-with-null-byte.patch to fix
detection of efi fwsetup support
==== hwdata ====
Version update (0.348 -> 0.349)
- Update to version 0.349 (bsc#1187948):
+ Updated pci, usb and vendor ids.
==== libcdio-paranoia ====
Version update (10.2+2.0.0 -> 10.2+2.0.1)
Subpackages: libcdio_cdda2 libcdio_paranoia2
- version 10.2+2.0.1 (2019-09-16)
* cdda toc routines now included
* "make distcheck" broken in 2.0.0 works properly again
* Remove some gcc/clang warnings
- Use %find_lang
- Use correct License
- Drop --with-pic (no effect with --disable-static)
- Trim old rpm macros/constructs
- Update descriptions
==== libeconf ====
Version update (0.4.0+git20210413.fdb8025 -> 0.4.1+git20210709.cf671f2)
Subpackages: libeconf0 libeconf0-32bit
- Update to version 0.4.1+git20210709.cf671f2:
* CMake fixes regarding installation of econftool and man pages.
- Update to version 0.4.0+git20210708.6918ea1:
* Fixed covscan FORWARD_NULL_issues warnings
- Update to version 0.4.0+git20210707.537a8a:
* Fixed resource leaks found by Iker Pedrosa.
==== libvirt ====
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs
- virtlockd: Don't report error if lockspace exists
de1e0ae0-lockd-no-error-if-lockspace.patch
bsc#1184253
==== polkit-default-privs ====
Version update (1550+20210615.e149f78 -> 1550+20210708.6401347)
- Update to version 1550+20210708.6401347:
* fprint.device.enroll: keep restrictive profile in sync with upstream
- Update to version 1550+20210708.c4d6bf4:
* kdenetwork-filesharing: align with upstream (#49)
- Update to version 1550+20210701.3047fcb:
* ModemManager1.USSD: fix inconsistencies in standard and easy profiles
* powerdevil.discretegpuhelper.hasdualgpu: align with upstream settings
* cupspkhelper.mechanism.job-edit: align with upstream setting
* org.fedoraproject.FirewallD1.info: don't be more restrictive than the 'standard' profile
* remove org.selinux.* (policycoreutils) since they no longer exist in Factory
* remove cinnamon.controlcenter.datetime.configure: no longer packaged
* net.connman.vpn.secret: fix invalid label "auth_admin_keep_session"
==== python-kiwi ====
Version update (9.23.31 -> 9.23.43)
- Bump version: 9.23.42 → 9.23.43
- Re-add suseImportBuildKey
suseImportBuildKey is not required during the image build as kiwi imports the
correct keys by itself. However, the created images lack the repository signing
keys and any `zypper` commands will thus fail.
This fixes https://github.com/OSInside/kiwi/issues/1876
- Bump version: 9.23.41 → 9.23.42
- Fixed fedora integration test builds
Maintain the repos in the obs prj config which prevents
the weird "nothing provides kernel-obs-build" error
- Bump version: 9.23.40 → 9.23.41
- Remove util-linux-systemd & util-linux Requires from dracut-kiwi-overlay
These dependencies are pulled in via dracut-kiwi-lib.
- Add missing util-linux-systemd Requires to dracut-kiwi-[live,libs]
- Fixed test-image-orthos integration test
The test was missing btrfs_root_is_snapshot which is required
when using btrfs on tumbleweed.
- Fixed test-image-disk-legacy integration test
The test did not set a device filter for ramdisk devices but
activates unattended mode. In this mode the first device in
the list is taken and this is a ramdisk device which is
by default too small to be used for the installation. Thus
the install usually fails. This commit sets the device filter
for ramdisk devices such that only associated disk devices
can be used for the install process, which is the purpose
of this test. This is related to Issue OSInside/kiwi-functional-tests#8
- Bump version: 9.23.39 → 9.23.40
- Mount dev and proc filesystems prior dracut
In newer versions of dracut /dev and /proc must be mounted
for dracut to work correctly. If not present the resulting
initrd is incomplete. This Fixes #1867
- Use namespaced files in /var/tmp for large temporary files
Previously, kiwi created staging image files as plain temporary files
in /tmp, which causes issues on operating systems where /tmp is tmpfs.
Notably, image builds would fail with "no space left on the device"
because the tmpfs was not big enough for everything to exist there.
To fix this, we change to use /var/tmp, and additionally add a prefix
for our temporary files so that the user knows which ones kiwi created.
Fixes: https://github.com/OSInside/kiwi/issues/1866
- Use latest stylesheet in STYLEROOT
Use "suse2021-ns" instead of "suse2013-ns" due to new
branding.
- Add missing util-linux-systemd dependency to dracut-kiwi-overlay
The script kiwi-overlay-root.sh requires lsblk which is provided by
util-linux-systemd. If that package is missing in the final image, then booting
an overlayroot image hangs with:
dracut-pre-mount[480]: //lib/dracut/hooks/pre-mount/30-kiwi-overlay-root.sh: line 46: lsblk: command not found
- Make sure chat link points to Element not Riot
Riot has changed to Element. The index page on kiwi still
uses the old location. This updates the information how to
use the Matrix channel and the kiwi room name.
This Fixes #1854
- Bump version: 9.23.38 → 9.23.39
- Functions integration tests (#1851)
Add integration tests for functions.sh
Implement a container based test system to run shell code for testing.
The concept utilizes pytest-testinfra and runs a container per test.
The nested container in a container feature is supported by the github
actions workflow. Thus the integration of this testing concept runs in
the github actions CI rather than on gitlab
- Don't shell out for calling dnf
refactor the dnf call to install packages and groups in
one call. This allows to prevent calling dnf through a
shell. For installing of a package group the group ID
name is expected. This Fixes #1856
- Improve the error message if the config file cannot be parsed.
- Do not shell out for calling microdnf.
In fact it can be counter productive if the shell
evaluates eventually existing package name/instruction
patterns. This is related to Issue #1856
- Prevent calling pacman through a shell
There is no reason to shell out for calling pacman.
In fact it can be counter productive if the shell
evaluates eventually existing package name/instruction
patterns. This is related to Issue #1856
- Make sure mypy stubs will be installed
- Allow creation of LUKS system with empty key
To support cloud platforms better we should allow the
creation of an initial(insecure) LUKS encrypted image
with an empty passphrase/keyfile. This Fixes
bsc#1187461 and bsc#1187460
- Bump version: 9.23.37 → 9.23.38
- Fixed cleanup of temporary directory
In the custom kiwi initrd build process a temporary directory
holding a copy of the initrd root tree is created. That data
got never cleaned up. This commit uses a TemporaryDirectory
object from the tempfile module to make sure it gets deleted
once the execution scope is done. This Fixes #1837
- Bump version: 9.23.36 → 9.23.37
- Delete deprecated shell functions from docs
suseActivateDefaultServices
suseSetupProductInformation
suseImportBuildKey
suseConfig
baseCleanMount
baseSetupUserPermissions
baseGetPackagesForDeletion
baseGetProfilesUsed
baseStripMans
baseStripDocs
baseStripInfos
Rpm
- Fixed creating grub bios module
If no prebuilt grub bios module was found, kiwi creates one.
In this case kiwi searches for the grub modules and runs
the grub mkimage tool. The search for the modules for the
bios module used the host system (/) grub and that fails if
the host has packaged grub differently than the image target.
This fix moves the lookup into the image root directory
which is the correct place to lookup the grub data
- Bump version: 9.23.35 → 9.23.36
- Fixed building with custom kiwi initrd setup
The change from allowing to build with initrd_system="none"
broke the build for initrd_system="kiwi". This commit fixes
the regression
- Use zypper --gpg-auto-import-keys option
When building an image against self managed repos the
auto import of the repo gpg key makes sense to me
- Cleanup integration tests from obsolete methods
Cleanup config.sh scripts calling obsolete helper methods
- Bump version: 9.23.34 → 9.23.35
- Corrected preferences timezone code tag
- Refactor config functions code
Reorganize the code into more readable areas like methods
present as helpers, methods for customers, methods which are
distribution specific and also methods that are deprecated
and give a good reason why they are deprecated when they
get called. This is related to Issue #1828
- Revert "Switch test-image-live-disk to Fedora 33"
This reverts commit f80549474c4baa120e6e228bacc7b4a075265753.
- Switch test-image-live-disk to Fedora 33
- Fixed codacy code smells
- Add strong typing for the following API methods
kiwi/boot/image/base.py
kiwi/boot/image/builtin_kiwi.py
kiwi/boot/image/dracut.py
This references issue #1644
- Added support for skipping initrd creation
Embedded systems and other customer use cases sometimes
don't require an initrd. So far the initrd creation was
a mandatory step in the process. With this commit it's
possible to configure
participants (1)
-
Dominique Leuenberger