One of the pending commits in Weblate causes conflicts due to an
unfortunate timing with 9e929e4aa7, so
let's pull the changes into the main tree manually (and resolve the
conflicts).
in pcrextend we destroy pcr 11, and if we are booted in a kernel that
has pcr11 sigs, we cannot use that signature anymore. hence, let's do
the nvpcr test first, before doing the pcrextend stuff.
Fixes: #39582
Always abbreviate import/pull/export structs with their first letter
instead of only doing it in some places and using the wrong letter in
other places.
gcry_mpi_t is defined as "typedef struct gcry_mpi *gcry_mpi_t;".
When const is applied to this type, it resolves to
"struct gcry_mpi *const" instead of what we expect ("const struct gcry_mpi *").
So we end up with a const pointer to a mutable object instead of a mutable
pointer to a const object. Since the pointer passed to the function
is copied regardless, making it const has zero benefit.
You'd think we could instead stop using gcry_mpi_t and replace it with
"const struct gcry_mpi *", except that gcrypt leaked this mess into its
api, so it expects const pointers to mutable objects as well, which means
we can't take pointers to const objects as arguments, as we'd discard the qualifier
when calling a gcrypt function.
To avoid confusion, let's drop the const qualifiers from the gcry_mpi_t arguments.
Follow-up for 7336f2c748
This alignes with some other optional modules in shraed/,
and it allows dlopen_libmount() to be optimized out entirely.
Let's avoid emitting pointless symbols.
Follow-up for b3243f4bee
and 5df44d0f6a
Since we now consider this a supported senario, let's hook up
libmount loading with the high-level unit_type_supported() machinery
and gracefully skip the whole unit accordingly.
This got split in 5cabeed80b
to accommodate --empower, and later --empower received
dedicated handling again (c36942916b).
I think the new naming makes more sense - --empower is privileged
after all, just with uid left unchanged. Hence merge
privileged_execution back into it.
Follow-up for 4f6ef13f43
Special casing --area= rather than --empower makes the code
self-explanatory, as --area= is about alternative home dir
after all. On top of that this ensures when --area= and
--empower are specified in combination we honor the home dir
switch, too.
Also, unless --same-root-dir was specified, don't make the executable
absolute if we're running in a chroot. Situations like this are still iffy,
but we might as well handle them a little more gracefully.
Latest glibc uses _Generic to have strstr() and other functions return
const char* or char* based on whether the input is a const char* or a
char*. This causes build failures as we previously always expected a
char*.
Let's fix the compilation failures and add our own macros similar to
glibc's to have string functions that return a mutable or const pointer
depending on the input.
Latest glibc uses _Generic to have strstr() and other functions return
const char* or char* based on whether the input is a const char* or a
char*. This causes build failures as we previously always expected a char*.
Let's fix the compilation failures and add our own macros similar to glibc's
to have string functions that return a mutable or const pointer depending on
the input.
When in --empower mode, all created files will be owned by the current
user, which could be problematic when creating files outside of the
current user's home directory, as other processes running as the same
user would be able to edit those files.
While this is a bit of an edge case since users already have to go through
the effort of writing --empower to indicate they want a privileged session
as the current user, it's not unphatomable to think they could start an
empowered session which they later return to and continue using. Currently,
it's not easy to differentiate a regular run0 session and an empowered session
at a glance, so users might think they're using a regular run0 session when
they're actually using an empowered session.
To address this problem, let's give empowered session their own identify, by
making the background orange, using the pumpkin emoji as the shell prompt
prefix and giving them an orange circle as the PTY title.
In the CentOS Hyperscale SIG, we maintain a backport of systemd with
its own rpm spec forked from rawhide.
Let's make it easy to build upstream rpms using the Hyperscale spec
by adding a mkosi hyperscale profile.
