From 959e0715a9d1c4c088cea330e803de4dc33201f5 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Mon, 7 Apr 2025 18:35:18 +0100 Subject: [PATCH] sys-apps/systemd: Avoid initrd bloat by using OpenSSL instead of gcrypt systemd-journal's Forward Secure Sealing feature requires gcrypt, but Flatcar doesn't need it. Signed-off-by: James Le Cuirot --- changelog/changes/2025-04-17-systemd-crypt.md | 1 + .../coreos-overlay/profiles/coreos/base/package.use | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 changelog/changes/2025-04-17-systemd-crypt.md diff --git a/changelog/changes/2025-04-17-systemd-crypt.md b/changelog/changes/2025-04-17-systemd-crypt.md new file mode 100644 index 0000000000..ac341e986b --- /dev/null +++ b/changelog/changes/2025-04-17-systemd-crypt.md @@ -0,0 +1 @@ +- systemd now uses OpenSSL instead of gcrypt for cryptography to reduce the size of the initrd. This change disables systemd-journal's Forward Secure Sealing feature, but it is generally not useful for Flatcar. diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 340f92278d..9e82a092a9 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -166,3 +166,7 @@ net-dns/bind-tools gssapi # Flatcar can't benefit from this performance boost for several reasons, the # main one being the use of binary packages. sys-kernel/dracut -dracut-cpio + +# Avoid initrd bloat by using OpenSSL instead of gcrypt in systemd. +# systemd-journal's FSS feature requires gcrypt, but Flatcar doesn't need it. +sys-apps/systemd -gcrypt
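Review bot: the new changelog line in changelog/changes/2025-04-17-systemd-crypt.md justifies dropping Forward Secure Sealing only with "it is generally not useful for Flatcar", which gives no reason and does not tell an operator who already has sealing configured what changes for them. FSS is the journal's tamper-evidence feature, so the entry should say why it does not apply here and state the user-visible effect, for example whether existing sealed journals can still be verified after the update.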
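Review bot: in the package.use hunk, the added line `sys-apps/systemd -gcrypt` only disables gcrypt, while the comment above it and the changelog both say systemd now uses OpenSSL instead. Nothing in this hunk enables an OpenSSL flag for sys-apps/systemd, so that claim depends on a setting outside the visible lines. Either set the flag on the same line so the entry is self-describing, or extend the comment to say where OpenSSL is enabled, so a later profile change cannot silently leave systemd built with neither backend.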