From 1a422ef716a2cf0e30515ce7a3a7ac3bfb06df2b Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 10:40:06 +0100
Subject: [PATCH 1/8] profiles: Drop accept keywords for net-dns/dnsmasq

It became stable for arm64 too now.

---
 .../profiles/coreos/arm64/package.accept_keywords | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index 24c5613d4b..6b6ab4b81a 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -17,9 +17,6 @@
 =net-dns/c-ares-1.17.2 ~arm64
-# needed to address CVE-2022-0934
-=net-dns/dnsmasq-2.89 ~arm64
-
 =net-firewall/conntrack-tools-1.4.6-r1 ~arm64
 =net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64

From 37f3f7d04902b52b3d818cd1c1b6a13ac613fdb4 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 10:51:18 +0100
Subject: [PATCH 2/8] coreos/config: Add a note when env override can be dropped for net-dns/bind-tools

---
 .../coreos-overlay/coreos/config/env/net-dns/bind-tools | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind-tools b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind-tools
index 73ec86627f..837a89d7a8 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind-tools
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind-tools
@@ -5,6 +5,8 @@
 # and grepping for -Wattributes instead, but we are not yet packaging
 # it. We also know that constructor and destructor attributes are
 # supported - they are available since at least gcc 3.4.
+#
+# Drop this when updating to bind tools 9.17.13 or newer.
 EXTRA_ECONF+=" ax_cv_have_func_attribute_constructor=yes"
 EXTRA_ECONF+=" ax_cv_have_func_attribute_destructor=yes"

From 32ffc004607d187e12fe24a896ad578ab296118f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 12:14:23 +0100
Subject: [PATCH 3/8] profiles: Drop accept keywords for dev-lang/python

It became stable for arm64 too now.

---
 .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index d6b9a12413..03581e05e8 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -10,7 +10,6 @@
 =coreos-devel/fero-client-0.1.1 **
 # Keep versions even for both arches
-=dev-lang/python-3.10.10_p2 ~arm64
 =dev-lang/python-oem-3.10.10_p2 ~arm64
 # Accept unstable host Rust compilers

From 981ed883d89cec3b3ad7d3bf77545db5df364ab6 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 12:18:28 +0100
Subject: [PATCH 4/8] dev-lang/python-oem: Sync with Gentoo

---
 .../dev-lang/python-oem/README.md | 45 -----
 .../dev-lang/python-oem/metadata.xml | 41 ++++-
 .../python-oem/python-oem-3.10.10_p2.ebuild | 163 +++++++++++-------
 3 files changed, 136 insertions(+), 113 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md

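Review bot: The added comment names the version at which the override can go, but not what in bind tools 9.17.13 makes seeding ax_cv_have_func_attribute_constructor/destructor unnecessary, so the next maintainer has to re-derive the reason before removing the two EXTRA_ECONF lines. Extend the note to point at the upstream change, e.g. `# Drop this when updating to bind tools 9.17.13 or newer, which <upstream change that makes this override obsolete>.` so the removal can be verified against the new release rather than taken on trust. The comment block that explains why the override exists begins above the hunk.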
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
deleted file mode 100644
index 12b071faeb..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
+++ /dev/null
@@ -1,45 +0,0 @@ -Modifications made: - -- Keep using internal expat and libffi, thus dropping dev-libs/libffi - and dev-libs/expat from the dependencies. - -- Drop dev-python/gentoo-common dependency, it provides the - EXTERNALLY-MANAGED file, but we will provide our own. - -- Since this package is installed only for OEM partition as a binary - package, and the installation there happens after the packages - database is removed, we unset the RDEPEND variable. The RDEPEND - variable needs to be empty as it's also used during the binary - package installation. The contents of RDEPEND are already inside the - DEPEND variable, so we are safe. - -- We modify the configure flags: - - - Add `--prefix=/usr/share/oem/python` as `/usr/share/oem` is where - the OEM partition is mounted. - - - Add `--with-platlibdir="$(get_libdir)"`, this is to make sure that - consistent library directory gets picked. In our case for both - amd64 and arm64, it's lib64. - - - Change `--enable-shared` to `--disable-shared`. This will skip - building dynamic libraries, as we don't need them. - - - Add `--includedir=/discard/include` and change `--mandir` and - `--infodir` to also use `/discard` to install files there. Makes - it easy to remove the unnecessary files. - - - We disable loadable sqlite extensions. - - - As we want to use the internal versions of expat and libffi, we - change `--with-system-{expat,ffi}` to - `--without-system-{expat,ffi}`. - - - Comment out the `--with-wheel-pkg-dir` as it's some ensurepip - stuff we are disabling anyway. - -- Essentially drop `src_install` and write our own variant, where we - run `make altinstall`, remove unnecessary files (the original - `src_install` could be read to find out which files to remove), - creates a versionless python symlink, adds an EXTERNALLY-MANAGED - file, and removes the `/discard` directory. 
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/metadata.xml index 097975e3ad..66d5aec84c 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/metadata.xml @@ -1,4 +1,43 @@ - + + + python@gentoo.org + Python + + + + Build Bluetooth protocol support in socket module + + + Install the ensurepip module that uses bundled wheels + to bootstrap pip and setuptools (if disabled, it will + be only possible to use venv `--without-pip`) + + + Link readline extension against dev-libs/libedit + instead of sys-libs/readline + + + Optimize the build using Profile Guided Optimization (PGO) + by running Python's test suite and collecting statistics + based on its performance. This will take longer to build. + + + Optimize the build using Link Time Optimization (LTO) + + + Disable pymalloc when running under + dev-util/valgrind is detected (may incur minor + performance penalty even when valgrind is not used) + + + Install Windows executables required to create an executable + installer for MS Windows + + + + cpe:/a:python:python + python/cpython + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild index a724285250..3f45df96fd 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild 
@@ -28,7 +28,7 @@ S="${WORKDIR}/${MY_P}"
 LICENSE="PSF-2"
 SLOT="${PYVER}"
-KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
 IUSE="
 bluetooth build +ensurepip examples gdbm hardened libedit lto +ncurses pgo +readline +sqlite +ssl test tk valgrind +xml
@@ -40,13 +40,11 @@ RESTRICT="!test? ( test )"
 # run the bootstrap code on your dev box and include the results in the
 # patchset. See bug 447752.
-# Flatcar: Drop a dependency on dev-libs/expat, we will use the internal one.
-# Flatcar: Drop a dependency on dev-libs/libffi, we will use the internal one.
-# Flatcar: Drop a dependency on dev-python/gentoo-common, we will install our own EXTERNALLY-MANAGED file
 RDEPEND="
 app-arch/bzip2:=
 app-arch/xz-utils:=
 dev-lang/python-exec[python_targets_python3_10(-)]
+ dev-libs/libffi:=
 dev-python/gentoo-common
 sys-apps/util-linux:=
 >=sys-libs/zlib-1.1.3:=
@@ -67,6 +65,7 @@ RDEPEND=" dev-tcltk/blt:= dev-tcltk/tix ) + xml? ( >=dev-libs/expat-2.1:= ) !!/dev/null + ) + newins Tools/gdb/libpython.py "${libname}"-gdb.py + + newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER} + newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER} + sed \ + -e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \ + -e "s:@PYDOC@:pydoc${PYVER}:" \ + -i "${ED}/etc/conf.d/pydoc-${PYVER}" \ + "${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed" + + # python-exec wrapping support + local pymajor=${PYVER%.*} + local EPYTHON=python${PYVER} + local scriptdir=${D}$(python_get_scriptdir) + mkdir -p "${scriptdir}" || die + # python and pythonX + ln -s "../../../bin/${abiver}" "${scriptdir}/python${pymajor}" || die + ln -s "python${pymajor}" "${scriptdir}/python" || die + # python-config and pythonX-config + # note: we need to create a wrapper rather than symlinking it due + # to some random dirname(argv[0]) magic performed by python-config + cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die + #!/bin/sh + exec "${abiver}-config" "\${@}" EOF - - rm -r "${ED}/discard" || die + chmod +x "${scriptdir}/python${pymajor}-config" || die + ln -s "python${pymajor}-config" "${scriptdir}/python-config" || die + # 2to3, pydoc + ln -s "../../../bin/2to3-${PYVER}" "${scriptdir}/2to3" || die + ln -s "../../../bin/pydoc${PYVER}" "${scriptdir}/pydoc" || die + # idle + if use tk; then + ln -s "../../../bin/idle${PYVER}" "${scriptdir}/idle" || die + fi } From f0833eeb45dc9cfab8c8d2dfb86e9a1941776e4e Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak
Date: Thu, 2 Feb 2023 17:01:38 +0100
Subject: [PATCH 5/8] dev-lang/python-oem: Apply Flatcar modifications

I changed the way we modify the ebuild by keeping the modifications as minimal as possible, leaving disabling whatever that can be disabled to the USE flags.

---
 .../dev-lang/python-oem/README.md | 45 +++++
 .../python-oem/python-oem-3.10.10_p2.ebuild | 159 ++++++++----------
 2 files changed, 111 insertions(+), 93 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
new file mode 100644
index 0000000000..12b071faeb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
@@ -0,0 +1,45 @@ +Modifications made: + +- Keep using internal expat and libffi, thus dropping dev-libs/libffi + and dev-libs/expat from the dependencies. + +- Drop dev-python/gentoo-common dependency, it provides the + EXTERNALLY-MANAGED file, but we will provide our own. + +- Since this package is installed only for OEM partition as a binary + package, and the installation there happens after the packages + database is removed, we unset the RDEPEND variable. The RDEPEND + variable needs to be empty as it's also used during the binary + package installation. The contents of RDEPEND are already inside the + DEPEND variable, so we are safe. + +- We modify the configure flags: + + - Add `--prefix=/usr/share/oem/python` as `/usr/share/oem` is where + the OEM partition is mounted. + + - Add `--with-platlibdir="$(get_libdir)"`, this is to make sure that + consistent library directory gets picked. In our case for both + amd64 and arm64, it's lib64. + + - Change `--enable-shared` to `--disable-shared`. This will skip + building dynamic libraries, as we don't need them. + + - Add `--includedir=/discard/include` and change `--mandir` and + `--infodir` to also use `/discard` to install files there. Makes + it easy to remove the unnecessary files. + + - We disable loadable sqlite extensions. + + - As we want to use the internal versions of expat and libffi, we + change `--with-system-{expat,ffi}` to + `--without-system-{expat,ffi}`. + + - Comment out the `--with-wheel-pkg-dir` as it's some ensurepip + stuff we are disabling anyway. + +- Essentially drop `src_install` and write our own variant, where we + run `make altinstall`, remove unnecessary files (the original + `src_install` could be read to find out which files to remove), + creates a versionless python symlink, adds an EXTERNALLY-MANAGED + file, and removes the `/discard` directory. 
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
index 3f45df96fd..a97cd66392 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
@@ -40,11 +40,13 @@ RESTRICT="!test? ( test )"
 # run the bootstrap code on your dev box and include the results in the
 # patchset. See bug 447752.
+# Flatcar: Drop a dependency on dev-libs/expat, we will use the internal one.
+# Flatcar: Drop a dependency on dev-libs/libffi, we will use the internal one.
+# Flatcar: Drop a dependency on dev-python/gentoo-common, we will install our own EXTERNALLY-MANAGED file
 RDEPEND="
 app-arch/bzip2:=
 app-arch/xz-utils:=
 dev-lang/python-exec[python_targets_python3_10(-)]
- dev-libs/libffi:=
 dev-python/gentoo-common
 sys-apps/util-linux:=
 >=sys-libs/zlib-1.1.3:=
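Review bot: The third added comment states that the dev-python/gentoo-common dependency is dropped, yet `dev-python/gentoo-common` is still present in RDEPEND as a context line right below the removed `dev-libs/libffi:=` entry, so the comment and the dependency list contradict each other. Either delete the ` dev-python/gentoo-common` line so the ebuild really relies only on the EXTERNALLY-MANAGED file it installs itself, or reword the comment to say the package is deliberately kept and why. The README.md created in the same commit repeats the "dropped" claim, so it needs the matching correction. If RDEPEND is later unset and its contents folded into DEPEND, as the README describes, the stray entry still pulls gentoo-common in at build time; that part of the file is outside this hunk.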
@@ -65,7 +67,6 @@ RDEPEND=" dev-tcltk/blt:= dev-tcltk/tix ) - xml? ( >=dev-libs/expat-2.1:= ) !!/dev/null - ) - newins Tools/gdb/libpython.py "${libname}"-gdb.py - - newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER} - newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER} - sed \ - -e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \ - -e "s:@PYDOC@:pydoc${PYVER}:" \ - -i "${ED}/etc/conf.d/pydoc-${PYVER}" \ - "${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed" - - # python-exec wrapping support - local pymajor=${PYVER%.*} - local EPYTHON=python${PYVER} - local scriptdir=${D}$(python_get_scriptdir) - mkdir -p "${scriptdir}" || die - # python and pythonX - ln -s "../../../bin/${abiver}" "${scriptdir}/python${pymajor}" || die - ln -s "python${pymajor}" "${scriptdir}/python" || die - # python-config and pythonX-config - # note: we need to create a wrapper rather than symlinking it due - # to some random dirname(argv[0]) magic performed by python-config - cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die - #!/bin/sh - exec "${abiver}-config" "\${@}" + insinto "${pythonplatlibdir}" + # https://peps.python.org/pep-0668/ + newins - EXTERNALLY-MANAGED <<-EOF + [externally-managed] + Error= + Please contact Flatcar maintainers if some python package + is necessary for this OEM image. EOF - chmod +x "${scriptdir}/python${pymajor}-config" || die - ln -s "python${pymajor}-config" "${scriptdir}/python-config" || die - # 2to3, pydoc - ln -s "../../../bin/2to3-${PYVER}" "${scriptdir}/2to3" || die - ln -s "../../../bin/pydoc${PYVER}" "${scriptdir}/pydoc" || die - # idle - if use tk; then - ln -s "../../../bin/idle${PYVER}" "${scriptdir}/idle" || die - fi + + rm -r "${ED}/discard" || die } From e54ea81201e24d92c524c779422e3536296a4d9a Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 12:19:57 +0100
Subject: [PATCH 6/8] profiles: Drop accept keywords for dev-lang/python-oem

It became stable for arm64 too now.

---
 .../profiles/coreos/base/package.accept_keywords | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 03581e05e8..5d8b43e5e4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -9,9 +9,6 @@
 =coreos-devel/fero-client-0.1.1 **
-# Keep versions even for both arches
-=dev-lang/python-oem-3.10.10_p2 ~arm64
-
 # Accept unstable host Rust compilers
 =dev-lang/rust-1.67.1 ~amd64 ~arm64
 =virtual/rust-1.67.1 ~amd64 ~arm64

From 5517d085eeed7aee7ceadc1dad9fef1edb86394e Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 13:02:08 +0100
Subject: [PATCH 7/8] profiles: Add accept keywords for app-editors/vim{,-core}

---
 .../profiles/coreos/base/package.accept_keywords | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 5d8b43e5e4..d2eec7f759 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -7,6 +7,10 @@
 =app-arch/zstd-1.4.9 ~amd64 ~arm64
+# Necessary to fix CVE-2023-0288 and CVE-2023-0433.
+=app-editors/vim-9.0.1363 ~amd64 ~arm64
+=app-editors/vim-core-9.0.1363 ~amd64 ~arm64
+
 =coreos-devel/fero-client-0.1.1 **
 # Accept unstable host Rust compilers

From 17060b7a232a623946e42898b19c005444b883e0 Mon Sep 17 00:00:00 2001
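Review bot: The comment added above the two vim entries records which CVEs the 9.0.1363 pin addresses but not the condition under which the pin can be removed, even though the other commits in this series drop such entries once the version goes stable and the bind-tools note earlier in the series spells out its removal condition. Suggest `# Necessary to fix CVE-2023-0288 and CVE-2023-0433. Drop once 9.0.1363 or newer is stable on amd64 and arm64.` so the cleanup condition is visible without consulting history. Both entries use an exact `=` pin, so a later vim revision carrying the same fixes would need this entry updated rather than being accepted automatically; if that is intended, saying so in the same comment would save a future reader the check.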
From: Krzesimir Nowak
Date: Tue, 14 Mar 2023 13:06:08 +0100
Subject: [PATCH 8/8] profiles: Drop accept keywords for app-arch/ncompress

It became stable for both amd64 and arm64.

---
 .../profiles/coreos/base/package.accept_keywords | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index d2eec7f759..00ef840a5f 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -2,9 +2,6 @@
 # Copyright (c) 2013 The CoreOS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
-# Necessary for the symlink fix for uncompress utility.
-=app-arch/ncompress-5.0-r1 ~amd64 ~arm64
-
 =app-arch/zstd-1.4.9 ~amd64 ~arm64
 # Necessary to fix CVE-2023-0288 and CVE-2023-0433.