diff --git a/.github/workflows/containerd-apply-patch.sh b/.github/workflows/containerd-apply-patch.sh
deleted file mode 100755
index 0b47f1c4c5..0000000000
--- a/.github/workflows/containerd-apply-patch.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
-
-prepare_git_repo
-
-if ! check_remote_branch "containerd-${VERSION_NEW}-${TARGET_BRANCH}"; then
- echo "remote branch already exists, nothing to do"
- exit 0
-fi
-
-pushd "${SDK_OUTER_OVERLAY}"
-
-VERSION_OLD=$(sed -n "s/^DIST containerd-\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p" app-containers/containerd/Manifest | sort -ruV | head -n1)
-if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
- echo "already the latest Containerd, nothing to do"
- exit 0
-fi
-
-# we need to update not only the main ebuild file, but also its CONTAINERD_COMMIT,
-# which needs to point to COMMIT_HASH that matches with $VERSION_NEW from upstream containerd.
-containerdEbuildOld=$(get_ebuild_filename app-containers/containerd "${VERSION_OLD}")
-containerdEbuildNew="app-containers/containerd/containerd-${VERSION_NEW}.ebuild"
-git mv "${containerdEbuildOld}" "${containerdEbuildNew}"
-sed -i "s/GIT_REVISION=.*/GIT_REVISION=${COMMIT_HASH}/g" "${containerdEbuildNew}"
-
-# The ebuild is masked by default to maintain compatibility with Gentoo upstream
-# so we add an unmask for Flatcar only.
-keywords_file="profiles/coreos/base/package.accept_keywords"
-ts=$(date +'%Y-%m-%d %H:%M:%S')
-comment="DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on ${ts}"
-sed -i "s;^\(=app-containers/containerd\)-${VERSION_OLD} .*;\1-${VERSION_NEW} ~amd64 ~arm64 # ${comment};" "${keywords_file}"
-
-popd
-
-URL="https://github.com/containerd/containerd/releases/tag/v${VERSION_NEW}"
-
-generate_update_changelog 'containerd' "${VERSION_NEW}" "${URL}" 'containerd'
-
-# Commit package changes and updated keyword file
-commit_changes app-containers/containerd "${VERSION_OLD}" "${VERSION_NEW}" "${keywords_file}"
-
-cleanup_repo
-
-echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
-echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"
diff --git a/.github/workflows/containerd-release-main.yaml b/.github/workflows/containerd-release-main.yaml
deleted file mode 100644
index 7e3b1d38a9..0000000000
--- a/.github/workflows/containerd-release-main.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Get the latest Containerd release for main
-on:
- schedule:
- - cron: '00 8 * * 5'
- workflow_dispatch:
-
-jobs:
- get-containerd-release:
- runs-on: ubuntu-latest
- steps:
- - name: Check out scripts
- uses: actions/checkout@v4
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- - name: Figure out latest Containerd release version
- id: containerd-latest-release
- run: |
- versionCommitPair=( $(git ls-remote --tags https://github.com/containerd/containerd | grep 'refs/tags/v[0-9]*\.[0-9]*\.[0-9]*$' | sed -e 's#^\([0-9a-fA-F]*\)[[:space:]]*refs/tags/v\(.*\)$#\2 \1#g' | sort --reverse --unique --version-sort | head --lines 1) )
-
- echo "VERSION_NEW=${versionCommitPair[0]}" >>"${GITHUB_OUTPUT}"
- echo "COMMIT_HASH=${versionCommitPair[1]}" >>"${GITHUB_OUTPUT}"
- - name: Set up Flatcar SDK
- id: setup-flatcar-sdk
- env:
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- CHANNEL: main
- run: scripts/.github/workflows/setup-flatcar-sdk.sh
- - name: Apply patch for main
- id: apply-patch-main
- env:
- GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- VERSION_NEW: ${{ steps.containerd-latest-release.outputs.VERSION_NEW }}
- COMMIT_HASH: ${{ steps.containerd-latest-release.outputs.COMMIT_HASH }}
- PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
- SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
- TARGET_BRANCH: main
- run: scripts/.github/workflows/containerd-apply-patch.sh
- - name: Create pull request for main
- uses: peter-evans/create-pull-request@v6
- if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- branch: "containerd-${{ steps.containerd-latest-release.outputs.VERSION_NEW }}-main"
- base: main
- title: Upgrade Containerd in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.containerd-latest-release.outputs.VERSION_NEW }}
- body: Subject says it all.
- labels: main
diff --git a/.github/workflows/go-apply-patch.sh b/.github/workflows/go-apply-patch.sh
deleted file mode 100755
index affdb3e3bd..0000000000
--- a/.github/workflows/go-apply-patch.sh
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
-
-prepare_git_repo
-
-# create a mapping between short version and new version, e.g. 1.16 -> 1.16.3
-declare -A VERSIONS
-for version_new in ${VERSIONS_NEW}; do
- version_new_trimmed="${version_new%.*}"
- if [[ "${version_new_trimmed%.*}" = "${version_new_trimmed}" ]]; then
- version_new_trimmed="${version_new}"
- fi
- VERSIONS["${version_new_trimmed}"]="${version_new}"
-done
-
-branch_name="go-$(join_by '-and-' ${VERSIONS_NEW})-main"
-
-if ! check_remote_branch "${branch_name}"; then
- echo "remote branch already exists, nothing to do"
- exit 0
-fi
-
-# Parse the Manifest file for already present source files and keep the latest version in the current series
-# DIST go1.17.src.tar.gz ... => 1.17
-# DIST go1.17.1.src.tar.gz ... => 1.17.1
-declare -a UPDATED_VERSIONS_OLD UPDATED_VERSIONS_NEW
-any_different=0
-for version_short in "${!VERSIONS[@]}"; do
- pushd "${SDK_OUTER_OVERLAY}"
- VERSION_NEW="${VERSIONS["${version_short}"]}"
- VERSION_OLD=$(sed -n "s/^DIST go\(${version_short}\(\.*[0-9]*\)\?\)\.src.*/\1/p" dev-lang/go/Manifest | sort -ruV | head -n1)
- if [[ -z "${VERSION_OLD}" ]]; then
- echo "${version_short} is not packaged, skipping"
- popd
- continue
- fi
- if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
- echo "${version_short} is already at the latest (${VERSION_NEW}), skipping"
- popd
- continue
- fi
- UPDATED_VERSIONS_OLD+=("${VERSION_OLD}")
- UPDATED_VERSIONS_NEW+=("${VERSION_NEW}")
-
- any_different=1
- EBUILD_FILENAME=$(get_ebuild_filename dev-lang/go "${VERSION_OLD}")
- git mv "${EBUILD_FILENAME}" "dev-lang/go/go-${VERSION_NEW}.ebuild"
-
- popd
-
- URL="https://go.dev/doc/devel/release#go${VERSION_NEW}"
-
- generate_update_changelog 'Go' "${VERSION_NEW}" "${URL}" 'go'
-
- commit_changes dev-lang/go "${VERSION_OLD}" "${VERSION_NEW}"
-done
-
-cleanup_repo
-
-if [[ $any_different -eq 0 ]]; then
- echo "go packages were already at the latest versions, nothing to do"
- exit 0
-fi
-
-vo_gh="$(join_by ' and ' "${UPDATED_VERSIONS_OLD[@]}")"
-vn_gh="$(join_by ' and ' "${UPDATED_VERSIONS_NEW[@]}")"
-
-echo "VERSIONS_OLD=${vo_gh}" >>"${GITHUB_OUTPUT}"
-echo "VERSIONS_NEW=${vn_gh}" >>"${GITHUB_OUTPUT}"
-echo "BRANCH_NAME=${branch_name}" >>"${GITHUB_OUTPUT}"
-echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"
diff --git a/.github/workflows/go-current-major-versions.sh b/.github/workflows/go-current-major-versions.sh
deleted file mode 100755
index d279161b76..0000000000
--- a/.github/workflows/go-current-major-versions.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
-
-pushd "${SDK_OUTER_OVERLAY}"
-
-versions=()
-for ebuild in dev-lang/go/go-*.ebuild; do
- version="${ebuild##*/go-}" # 1.20.1-r1.ebuild or 1.19.ebuild
- version="${version%.ebuild}" # 1.20.1-r1 or 1.19
- version="${version%%-*}" # 1.20.1 or 1.19
- short_version="${version%.*}" # 1.20 or 1
- if [[ "${short_version%.*}" = "${short_version}" ]]; then
- # fix short version
- short_version="${version}"
- fi
-
- versions+=($(git ls-remote --tags https://github.com/golang/go | \
- cut -f2 | \
- sed --quiet "/refs\/tags\/go${short_version}\(\.[0-9]*\)\?$/s/^refs\/tags\/go//p" | \
- grep --extended-regexp --invert-match --regexp='(beta|rc)' | \
- sort --reverse --unique --version-sort | \
- head --lines=1))
-done
-
-popd
-
-echo "VERSIONS_NEW=${versions[*]}" >>"${GITHUB_OUTPUT}"
diff --git a/.github/workflows/go-release-main.yaml b/.github/workflows/go-release-main.yaml
deleted file mode 100644
index 3543cf25c1..0000000000
--- a/.github/workflows/go-release-main.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: Get the latest Go release for main
-on:
- schedule:
- - cron: '15 7 * * 1'
- workflow_dispatch:
-
-jobs:
- get-go-releases:
- runs-on: ubuntu-latest
- steps:
- - name: Check out scripts
- uses: actions/checkout@v4
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- - name: Figure out latest Go release versions
- id: go-latest-release
- env:
- GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- run: scripts/.github/workflows/go-current-major-versions.sh
- - name: Set up Flatcar SDK
- id: setup-flatcar-sdk
- env:
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- CHANNEL: main
- run: scripts/.github/workflows/setup-flatcar-sdk.sh
- - name: Apply patch for main
- id: apply-patch-main
- env:
- GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- VERSIONS_NEW: ${{ steps.go-latest-release.outputs.VERSIONS_NEW }}
- PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
- SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
- TARGET_BRANCH: main
- run: scripts/.github/workflows/go-apply-patch.sh
- - name: Create pull request for main
- uses: peter-evans/create-pull-request@v6
- if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- branch: ${{ steps.apply-patch-main.outputs.BRANCH_NAME }}
- base: main
- title: Upgrade Go from ${{ steps.apply-patch-main.outputs.VERSIONS_OLD }} to ${{ steps.apply-patch-main.outputs.VERSIONS_NEW }}
- body: Subject says it all.
- labels: main
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index a45f5c4c47..283e653f3e 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -67,6 +67,7 @@ acct-user/tss
app-admin/eselect
app-admin/perl-cleaner
+app-admin/sudo
app-alternatives/awk
app-alternatives/bc
@@ -103,6 +104,7 @@ app-cdr/cdrtools
app-containers/aardvark-dns
app-containers/catatonit
app-containers/conmon
+app-containers/containerd
app-containers/containers-common
app-containers/containers-image
app-containers/containers-shortnames
@@ -204,6 +206,7 @@ dev-embedded/u-boot-tools
dev-go/go-md2man
dev-lang/duktape
+dev-lang/go
dev-lang/go-bootstrap
dev-lang/nasm
dev-lang/perl
@@ -266,6 +269,7 @@ dev-libs/npth
dev-libs/nspr
dev-libs/oniguruma
dev-libs/opensc
+dev-libs/openssl
dev-libs/popt
dev-libs/protobuf
dev-libs/tree-sitter
@@ -653,6 +657,7 @@ sys-libs/binutils-libs
sys-libs/cracklib
sys-libs/efivar
sys-libs/gdbm
+sys-libs/glibc
sys-libs/ldb
sys-libs/libcap
sys-libs/libcap-ng
@@ -682,6 +687,7 @@ virtual/acl
virtual/dev-manager
virtual/editor
virtual/krb5
+virtual/ldb
virtual/libc
virtual/libcrypt
virtual/libelf
diff --git a/changelog/security/2025-01-29-weekly-updates.md b/changelog/security/2025-01-29-weekly-updates.md
new file mode 100644
index 0000000000..50c9adb2ae
--- /dev/null
+++ b/changelog/security/2025-01-29-weekly-updates.md
@@ -0,0 +1,5 @@
+- git ([CVE-2024-50349](https://nvd.nist.gov/vuln/detail/CVE-2024-50349), [CVE-2024-52005](https://nvd.nist.gov/vuln/detail/CVE-2024-52005), [CVE-2024-52006](https://nvd.nist.gov/vuln/detail/CVE-2024-52006))
+- glib ([CVE-2024-52533](https://nvd.nist.gov/vuln/detail/CVE-2024-52533))
+- glibc ([CVE-2025-0395](https://nvd.nist.gov/vuln/detail/CVE-2025-0395))
+- openssl ([CVE-2024-13176](https://nvd.nist.gov/vuln/detail/CVE-2024-13176))
+- rsync ([CVE-2024-12084](https://nvd.nist.gov/vuln/detail/CVE-2024-12084), [CVE-2024-12085](https://nvd.nist.gov/vuln/detail/CVE-2024-12085), [CVE-2024-12086](https://nvd.nist.gov/vuln/detail/CVE-2024-12086), [CVE-2024-12087](https://nvd.nist.gov/vuln/detail/CVE-2024-12087), [CVE-2024-12088](https://nvd.nist.gov/vuln/detail/CVE-2024-12088), [CVE-2024-12747](https://nvd.nist.gov/vuln/detail/CVE-2024-12747))
diff --git a/changelog/updates/2025-01-29-weekly-updates.md b/changelog/updates/2025-01-29-weekly-updates.md
new file mode 100644
index 0000000000..b457a1857d
--- /dev/null
+++ b/changelog/updates/2025-01-29-weekly-updates.md
@@ -0,0 +1,21 @@
+- SDK: go ([1.23.5](https://go.dev/doc/go1.23))
+- SDK: meson ([1.6.1](https://mesonbuild.com/Release-notes-for-1-6-0.html))
+- SDK: rust ([1.83.0](https://blog.rust-lang.org/2024/11/28/Rust-1.83.0.html))
+- base, dev: cri-tools ([1.32.0](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.32.0) (includes [1.31.1](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.31.1), [1.31.0](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.31.0), [1.30.1](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.30.1), [1.30.0](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.30.0), [1.29.0](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.29.0), [1.28.0](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.28.0), [1.27.1](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.27.1)))
+- base, dev: git ([2.45.3](https://github.com/git/git/blob/v2.45.3/Documentation/RelNotes/2.45.3.txt))
+- base, dev: glib ([2.82.4](https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.4) (includes [2.82.3](https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.3), [2.82.2](https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.2), [2.82.1](https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.1), [2.82.0](https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.0)))
+- base, dev: gnupg ([2.4.7](https://dev.gnupg.org/T7353))
+- base, dev: gnutls ([3.8.8](https://gitlab.com/gnutls/gnutls/-/blob/3.8.8/NEWS))
+- base, dev: ipset ([7.23](https://ipset.netfilter.org/changelog.html))
+- base, dev: kbd ([2.7.1](https://git.kernel.org/pub/scm/linux/kernel/git/legion/kbd.git/tag/?h=v2.7.1) (includes [2.7](https://git.kernel.org/pub/scm/linux/kernel/git/legion/kbd.git/tag/?h=v2.7), [2.7-rc1](https://git.kernel.org/pub/scm/linux/kernel/git/legion/kbd.git/tag/?h=v2.7-rc1)))
+- base, dev: nghttp2 ([1.64.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.64.0) (includes [1.63.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.63.0)))
+- base, dev: socat ([1.8.0.1](https://repo.or.cz/socat.git/blob/6ff391324d2d3b9f6bfb58e7d16a20be43b47af7:/CHANGES))
+- base, dev: sqlite ([3.47.2](https://sqlite.org/releaselog/3_47_2.html))
+- base, dev: sssd ([2.9.6](https://sssd.io/release-notes/sssd-2.9.6.html))
+- base, dev: zram-generator ([1.2.1](https://github.com/systemd/zram-generator/releases/tag/v1.2.1) (includes [1.2.0](https://github.com/systemd/zram-generator/releases/tag/v1.2.0)))
+- containerd: runc ([1.2.4](https://github.com/opencontainers/runc/releases/tag/v1.2.4) (includes [1.2.3](https://github.com/opencontainers/runc/releases/tag/v1.2.3), [1.2.2](https://github.com/opencontainers/runc/releases/tag/v1.2.2), [1.2.1](https://github.com/opencontainers/runc/releases/tag/v1.2.1), [1.2.0](https://github.com/opencontainers/runc/releases/tag/v1.2.0), [1.1.15](https://github.com/opencontainers/runc/releases/tag/v1.1.15)))
+- dev: gcc-config ([2.12.1](https://gitweb.gentoo.org/proj/gcc-config.git/log/?h=v2.12.1))
+- docker: docker ([27.4.1](https://docs.docker.com/engine/release-notes/27/#2741) (includes [27.4.0](https://docs.docker.com/engine/release-notes/27/#2740))
+- docker: docker-buildx ([0.19.1](https://github.com/docker/buildx/releases/tag/v0.19.1) (includes [0.19.0](https://github.com/docker/buildx/releases/tag/v0.19.0), [0.18.0](https://github.com/docker/buildx/releases/tag/v0.18.0), [0.17.1](https://github.com/docker/buildx/releases/tag/v0.17.1), [0.17.0](https://github.com/docker/buildx/releases/tag/v0.17.0), [0.16.2](https://github.com/docker/buildx/releases/tag/v0.16.2), [0.16.1](https://github.com/docker/buildx/releases/tag/v0.16.1), [0.16.0](https://github.com/docker/buildx/releases/tag/v0.16.0), [0.15.1](https://github.com/docker/buildx/releases/tag/v0.15.1), [0.15.0](https://github.com/docker/buildx/releases/tag/v0.15.0), [0.14.1](https://github.com/docker/buildx/releases/tag/v0.14.1)))
+- sysext-python: setuptools ([75.8.0](https://github.com/pypa/setuptools/blob/v75.8.0/NEWS.rst#v7580) (includes [75.7.0](https://github.com/pypa/setuptools/blob/v75.7.0/NEWS.rst#v7570)))
+- vmware: xmlsec ([1.3.6](https://github.com/lsh123/xmlsec/releases/tag/1.3.6))
diff --git a/pkg_auto/impl/pkg_auto_lib.sh b/pkg_auto/impl/pkg_auto_lib.sh
index 437efd619e..d96bc60765 100644
--- a/pkg_auto/impl/pkg_auto_lib.sh
+++ b/pkg_auto/impl/pkg_auto_lib.sh
@@ -2768,7 +2768,7 @@ function grep_pkg() {
pkg=${1}; shift
# rest are directories
- git -C "${scripts}" grep "${pkg}"'\(-[0-9]\|[^a-zA-Z0-9_-]\|$\)' -- "${@}" || :
+ GIT_PAGER= git -C "${scripts}" grep "${pkg}"'\(-[0-9]\|[^a-zA-Z0-9_-]\|$\)' -- "${@}" || :
}
# Prints the passed files preceding and following with BEGIN ENTRY and
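Review bot: The empty `GIT_PAGER=` prefix on the `git grep` line only works because git treats an empty pager value as "no pager", which is easy to misread as a typo; `git --no-pager -C "${scripts}" grep ...` states the intent directly. On the same line, the trailing `|| :` discards every non-zero status, so a failing git invocation (bad directory, malformed pattern) looks the same as "no match". If callers read empty output as "package not referenced anywhere", a comment saying so would help. grep_pkg starts above the hunk, so how `scripts` and `pkg` are set up is not visible here.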
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
deleted file mode 100644
index 90f9f2b10c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST sudo-1.9.15p5.tar.gz 5306611 BLAKE2B 73ee598c2a2848d5be24f97492b13eba2f326c514799220e43a1aeafc6692224a7555fb7cc0a96a2720751d3e4d98e752804db589ac3c1476f24e71f5b9bc720 SHA512 ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
-DIST sudo-1.9.15p5.tar.gz.sig 566 BLAKE2B ddd8fed1b3721aafdb32b762834168063c3f0f003ef5d83f1883615320da6fe89b08d72c8e893c8b2bf9fd892a40e47cc77d72672e43b5a24db50e7194d9bc4c SHA512 97480a3d27b546a93e997c3a1e8169904a7625ab8fa6198d0b7e1d2d040f55b2d58462cd08e5cc97c2f1c817b12343e35cdd7db207aee42785f2b95b17c600b0
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md
deleted file mode 100644
index c90febe8b2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-## Flatcar changes
-- Remove Perl Runtime Dependency
-- Remove OpenLDAP schema files for sudo
-```
-insinto /etc/openldap/schema
-newins doc/schema.OpenLDAP sudo.schema
-```
-- Remove sudo.conf file as it is shipped via baselayout
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
deleted file mode 100644
index f4c5c7b33d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-DIST containerd-1.7.1.tar.gz 9682254 BLAKE2B f168070caf2b76f0be350a98f41bfdbfe6d78344d68821fb92a29f839a6e847d795e5b79436e36f985aa88028ff1c3f44f134cf6bd502ddac22453a457bd952b SHA512 e9b00ba8f4dd1b5b1088060d3822f684611d43b367ddfeb1bee1660140af85f31e9c9bfc600a67e8fc8645a625dc4e1919d9af7291bdeaa607bff7065a4fc945
-DIST containerd-1.7.2.tar.gz 9688701 BLAKE2B d31cd0e96bb2675390cc63d06114e37d532b7c666b3ffc5b0087dfcef8de23559471f08bf8a52b164c5f645faf1b8102ab2ccdd8ec417a1c74336097f0c3a899 SHA512 c0d4c02991b7e9fc341c4ef3df2d93097f5854a51b99596ed95436a79f7a586820bb8bb7c17fc43b5f38d97ea942e59490fbbf6c9710391ef9caae3d34627bc5
-DIST containerd-1.7.23.tar.gz 10192816 BLAKE2B 592e3a1992a637879f1669a660991f811db6f3d11a788c9809277b3fb9639d8b89445cbbca1de16ed45703e8506c8850d9ce68b64d1213817732d008a1847ea6 SHA512 4cb003a6ef2f9fe856665c3b7099e13b23cf07c77ed9a9ed50988d74de1933e3fe9463ae123635230f25cde38cd8a487133b11e20d829a79517c4d7fbe2ce012
-DIST containerd-1.7.6.tar.gz 9714550 BLAKE2B 863df1a8ab0f0fe6ec62893ed64824763c1b5230fe830fa268820ce0d6254c79e1ac62ab1261a74785b86b01dff83ea9109a899857fa47a48f2cf2eaf298fea8 SHA512 8b7e13c6ea544754ba7d53092d143f3fd2224b9bc874a33d8a00b781e719927f1b22ad5cd1e35b7b95e4890e630f4b92308549a970587ccdf9dbb8eb470e2703
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.2.ebuild
deleted file mode 100644
index 498fb8d90a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.2.ebuild
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2022-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-inherit go-module systemd
-GIT_REVISION=0cae528dd6cb557f7201036e9f43420650207b58
-
-DESCRIPTION="A daemon to control runC"
-HOMEPAGE="https://containerd.io/"
-SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
-IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
-
-DEPEND="
- btrfs? ( sys-fs/btrfs-progs )
- seccomp? ( sys-libs/libseccomp )
-"
-
-# recommended version of runc is found in script/setup/runc-version
-RDEPEND="
- ${DEPEND}
- ~app-containers/runc-1.1.7[apparmor?,seccomp?]
-"
-
-BDEPEND="
- dev-go/go-md2man
- virtual/pkgconfig
-"
-
-# tests require root or docker
-RESTRICT+="test"
-
-src_prepare() {
- default
- sed -i \
- -e "s/-s -w//" \
- -e "s/-mod=readonly//" \
- Makefile || die
- sed -i \
- -e "s:/usr/local:/usr:" \
- containerd.service || die
-}
-
-src_compile() {
- local options=(
- $(usev apparmor)
- $(usex btrfs "" "no_btrfs")
- $(usex cri "" "no_cri")
- $(usex device-mapper "" "no_devmapper")
- $(usev seccomp)
- $(usev selinux)
- )
-
- myemakeargs=(
- BUILDTAGS="${options[*]}"
- LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
- REVISION="${GIT_REVISION}"
- VERSION=v${PV}
- )
-
- # race condition in man target https://bugs.gentoo.org/765100
- # we need to explicitly specify GOFLAGS for "go run" to use vendor source
- emake "${myemakeargs[@]}" man -j1 #nowarn
- emake "${myemakeargs[@]}" all
-
-}
-
-src_install() {
- rm "${D}"/bin/gen-manpages
- dobin bin/*
- doman man/*
- newconfd "${FILESDIR}"/${PN}.confd "${PN}"
- newinitd "${FILESDIR}"/${PN}.initd "${PN}"
- systemd_dounit containerd.service
- keepdir /var/lib/containerd
-
- # we already installed manpages, remove markdown source
- # before installing docs directory
- rm -r docs/man || die
-
- local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
- einstalldocs
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.6.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.6.ebuild
deleted file mode 100644
index 8ce5ddd813..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.6.ebuild
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2022-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-inherit go-module systemd
-GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
-
-DESCRIPTION="A daemon to control runC"
-HOMEPAGE="https://containerd.io/"
-SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
-IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
-
-DEPEND="
- btrfs? ( sys-fs/btrfs-progs )
- seccomp? ( sys-libs/libseccomp )
-"
-
-# recommended version of runc is found in script/setup/runc-version
-RDEPEND="
- ${DEPEND}
- ~app-containers/runc-1.1.9[apparmor?,seccomp?]
-"
-
-BDEPEND="
- dev-go/go-md2man
- virtual/pkgconfig
-"
-
-# tests require root or docker
-RESTRICT+="test"
-
-src_prepare() {
- default
- sed -i \
- -e "s/-s -w//" \
- -e "s/-mod=readonly//" \
- Makefile || die
- sed -i \
- -e "s:/usr/local:/usr:" \
- containerd.service || die
-}
-
-src_compile() {
- local options=(
- $(usev apparmor)
- $(usex btrfs "" "no_btrfs")
- $(usex cri "" "no_cri")
- $(usex device-mapper "" "no_devmapper")
- $(usev seccomp)
- $(usev selinux)
- )
-
- myemakeargs=(
- BUILDTAGS="${options[*]}"
- LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
- REVISION="${GIT_REVISION}"
- VERSION=v${PV}
- )
-
- # race condition in man target https://bugs.gentoo.org/765100
- # we need to explicitly specify GOFLAGS for "go run" to use vendor source
- emake "${myemakeargs[@]}" man -j1 #nowarn
- emake "${myemakeargs[@]}" all
-
-}
-
-src_install() {
- rm "${D}"/bin/gen-manpages
- dobin bin/*
- doman man/*
- newconfd "${FILESDIR}"/${PN}.confd "${PN}"
- newinitd "${FILESDIR}"/${PN}.initd "${PN}"
- systemd_dounit containerd.service
- keepdir /var/lib/containerd
-
- # we already installed manpages, remove markdown source
- # before installing docs directory
- rm -r docs/man || die
-
- local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
- einstalldocs
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/Manifest b/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/Manifest
deleted file mode 100644
index c03364a6ff..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST eselect-go-0.1.0.tar.gz 104232 BLAKE2B 770773f990509bdfcdb1c463f01915526358fe28b440be288dad0833a4e8647cf52ba136569b4e7b46c71b80c6ffd43075fd25bfb516ec5790f80067247e08c5 SHA512 b7e9bf07bc7026115d639ed893c54332d63cd2d7a46a6f3b2f8a6748658dfb82f09e875def8bf9abecfb1e39f054ef194b39b0c415ac9ce69ea03332125d4c1f
diff --git a/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/eselect-go-0.1.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/eselect-go-0.1.0-r1.ebuild
deleted file mode 100644
index d7bb345d5e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/eselect-go-0.1.0-r1.ebuild
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2016 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Eselect module for managing multiple Go versions"
-HOMEPAGE="https://github.com/coreos/eselect-go"
-SRC_URI="https://github.com/coreos/eselect-go/releases/download/v${PV}/${P}.tar.gz"
-# Note for future releases: the tarball was generated via `make dist` and
-# uploaded to GitHub so there is no need for initializing autotools here.
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="amd64 arm64"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-DEPEND="test? ( dev-libs/glib )"
-RDEPEND="app-admin/eselect
- !dev-lang/go:0"
-
-src_configure() {
- # Go is installed to /usr/lib, not /usr/lib64
- econf --libdir=/usr/lib
-}
-
-src_install() {
- keepdir /etc/env.d/go
- default
-}
-
-pkg_postinst() {
- if has_version 'dev-lang/go'; then
- eselect go update --if-unset
- fi
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/metadata.xml
deleted file mode 100644
index 8fc934b3a9..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-eselect/eselect-go/metadata.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
- This tool is intended for use in the CoreOS SDK in order to support
- packages or architectures that cannot upgrade to the same Go version
- all at the same time. Gentoo doesn't support this use case.
-
-
- coreos/eselect-go
-
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.107.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.107-r1.ebuild
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.107.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.107-r1.ebuild
index 9fbd69bde2..6e98e25917 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.107.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.107-r1.ebuild
@@ -21,11 +21,15 @@ SLOT="0"
KEYWORDS="amd64 arm64"
IUSE=""
-RDEPEND="dev-libs/openssl
+RDEPEND="
+ >=app-misc/c_rehash-1.7-r1
+ dev-libs/openssl
sys-apps/findutils
- sys-apps/systemd"
+ sys-apps/systemd
+"
DEPEND="${RDEPEND}
- ${PYTHON_DEPS}"
+ ${PYTHON_DEPS}
+"
pkg_setup() {
python-any-r1_pkg_setup
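Review bot: The added `>=app-misc/c_rehash-1.7-r1` atom in RDEPEND has no comment saying what in this ebuild needs it or why that revision is the floor. This package builds the system trust store, so a short comment above the atom, e.g. `# c_rehash builds the hash symlinks for the cert directory (TODO: confirm why -r1 is the minimum)`, would make the dependency reviewable. The code that invokes it lies outside the hunk, so the stated purpose is inferred and should be confirmed.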
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r317.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r318.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r317.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r318.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index cc54f9fb1e..4810c287f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -219,5 +219,8 @@ RDEPEND+="
# Group and user packages to eventually replace passwd in baselayout.
RDEPEND="${RDEPEND}
acct-group/floppy
+ acct-group/man
acct-group/uucp
+
+ acct-user/man
"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
index b0692afd7f..434f5e22a7 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -36,7 +36,7 @@ RDEPEND="${RDEPEND}
app-text/xmlto
dev-build/gtk-doc-am
dev-lang/go-bootstrap
- dev-lang/go:1.22
+ dev-lang/go
dev-lang/nasm
=dev-lang/python-3*
dev-lang/swig
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo
new file mode 100644
index 0000000000..89bd428736
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo
@@ -0,0 +1,14 @@
+cros_post_src_install_keep_etc_sudoers_d() {
+ # Flatcar: Build system installs /etc/sudoers.d, let's make
+ # sure we keep having it.
+ #
+ # Upstream PR: https://github.com/gentoo/gentoo/pull/37397
+ keepdir /etc/sudoers.d
+}
+
+# We don't ship OpenLDAP schemas (why?) and we provide sudo.conf
+# through baselayout.
+sudo_install_mask='/etc/openldap/schema /etc/sudo.conf'
+INSTALL_MASK+=" ${sudo_install_mask}"
+PKG_INSTALL_MASK+=" ${sudo_install_mask}"
+unset sudo_install_mask
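Review bot: `keepdir /etc/sudoers.d` in cros_post_src_install_keep_etc_sudoers_d runs with whatever `diropts` are in effect, and the hook does not pin the directory's mode afterwards. If keepdir re-applies the default directory mode to the directory the build system already created, the image could ship /etc/sudoers.d more permissive than upstream's install intends. An explicit `fperms 0750 /etc/sudoers.d` after the keepdir (mode to be confirmed against what sudo's `make install` sets) would make the result deterministic. The `(why?)` in the INSTALL_MASK comment is an open question left in the tree; either answer it there or turn it into a `TODO` with an owner.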
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/docker b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/docker
new file mode 100644
index 0000000000..e7ee65aa01
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/docker
@@ -0,0 +1,12 @@
+# Fix cross-compilation by setting up the environment properly.
+#
+# This is what go-module_src_unpack does, but docker does not use it.
+cros_pre_src_unpack_set_build_env() {
+ if use amd64 || use arm || use arm64 ||
+ ( use ppc64 && [[ $(tc-endian) == "little" ]] ) || use s390 || use x86; then
+ GOFLAGS="-buildmode=pie ${GOFLAGS}"
+ fi
+ GOFLAGS="${GOFLAGS} -p=$(makeopts_jobs)"
+
+ go-env_set_compile_environment
+}
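Review bot: `GOFLAGS` is assigned in cros_pre_src_unpack_set_build_env but never exported in this hook, so the `-buildmode=pie` and `-p=` settings reach the go tool only if something else already exported the variable; adding `export GOFLAGS` after the second assignment removes that dependency. `tc-endian`, `makeopts_jobs` and `go-env_set_compile_environment` come from eclasses that this env file cannot inherit itself, and a missing one would presumably only print "command not found" and let the build continue without PIE or the cross environment. `go-env_set_compile_environment || die` would turn that into a hard failure. The docker-cli env file added later in this diff is byte-identical (same blob id e7ee65aa01) and has the same gaps; its header comment also still says "docker does not use it".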
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/docker-cli b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/docker-cli
new file mode 100644
index 0000000000..e7ee65aa01
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/docker-cli
@@ -0,0 +1,12 @@
+# Fix cross-compilation by setting up the environment properly.
+#
+# This is what go-module_src_unpack does, but docker does not use it.
+cros_pre_src_unpack_set_build_env() {
+ if use amd64 || use arm || use arm64 ||
+ ( use ppc64 && [[ $(tc-endian) == "little" ]] ) || use s390 || use x86; then
+ GOFLAGS="-buildmode=pie ${GOFLAGS}"
+ fi
+ GOFLAGS="${GOFLAGS} -p=$(makeopts_jobs)"
+
+ go-env_set_compile_environment
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/openssl b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/openssl
new file mode 100644
index 0000000000..d2d30ce81b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/openssl
@@ -0,0 +1,29 @@
+# A hack to avoid rehashing certs in a nonexistent directory.
+flatcar_hacked_openssl=$(command -v openssl)
+openssl() {
+ if [[ ${#} -gt 0 && ${1} = 'rehash' ]]; then
+ return;
+ fi
+ "${flatcar_hacked_openssl}" "${@}"
+}
+
+cros_post_src_install_certs() {
+ # Do not keep the sample CA files in /etc.
+ rm -rf "${ED}${SSL_CNF_DIR}"
+
+ # Save the default openssl.cnf in /etc.
+ diropts -m0755
+ insinto "${SSL_CNF_DIR}"
+ doins "${S}/apps/openssl.cnf"
+ # Recreate the private directory.
+ diropts -m0700
+ keepdir "${SSL_CNF_DIR}/private"
+ diropts -m0755
+
+ # Create a symlink for backward-compatibility.
+ dosym -r /usr/share/flatcar/etc/ssl/openssl.cnf /usr/share/ssl/openssl.cnf
+ # And an empty file, so the compat symlink is not dangling. It
+ # will be replaced later with a valid file from /etc.
+ insinto /usr/share/flatcar/etc/ssl
+ newins - openssl.cnf
+}
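Review bot: The wrapper resolves the real binary once with `flatcar_hacked_openssl=$(command -v openssl)`, which is fragile in two ways. It yields an empty string if openssl is not on PATH when the file is sourced, and it yields the function name itself if the file is sourced again in a shell where the `openssl` function is already defined, in which case the wrapper would call itself. Calling `command openssl "${@}"` inside the function avoids both cases and removes the extra variable. Separately, `rm -rf "${ED}${SSL_CNF_DIR}"` in `cros_post_src_install_certs` would remove the whole image directory if `SSL_CNF_DIR` were ever empty; `rm -rf "${ED}${SSL_CNF_DIR:?}"` makes that failure explicit.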
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/glibc b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/glibc
new file mode 100644
index 0000000000..75cc098bff
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/glibc
@@ -0,0 +1,27 @@
+# A terrible hack to actually strip our binaries. We want to make
+# "dostrip -x /" a no-op, otherwise pass everything to the original
+# dostrip.
+eval "$(echo 'flatcar_hacked_dostrip()'; declare -pf dostrip | tail -n + 2)"
+dostrip() {
+ if [[ ${#} = 2 && ${1} = '-x' && ${2} = '/' ]]; then
+ return
+ fi
+ flatcar_hacked_dostrip "${@}"
+}
+
+cros_post_src_install_etc_munging() {
+ # Clean out any default configs. Baselayout will provide those.
+ rm -rf "${ED}"/etc
+ # Restore this one for the SDK.
+ test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
+ # Create nscd directories and config.
+ keepdir /var/db/nscd
+ insinto /etc
+ doins "${S}/nscd/nscd.conf"
+ # Create a symlink for backward-compatibility.
+ dosym -r /usr/share/flatcar/etc/nscd.conf /usr/share/baselayout/nscd.conf
+ # And an empty file, so the compat symlink is not dangling. It
+ # will be replaced later with a valid file from /etc.
+ insinto /usr/share/flatcar/etc
+ newins - nscd.conf
+}
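Review bot: The `eval` that clones `dostrip` into `flatcar_hacked_dostrip` has no guard for `dostrip` not being a shell function when this file is sourced. In that case `declare -pf dostrip` prints nothing and the `eval` receives only `flatcar_hacked_dostrip()`, which is a syntax error. A check such as `declare -F dostrip >/dev/null || die "dostrip is not a function"` before the `eval` would fail with a clear message instead. As shown here the pipeline reads `tail -n + 2`, which passes `+` and `2` as separate arguments; if that spacing is in the file and not a rendering artifact, it should be `tail -n +2`. A short comment noting that the construct relies on the `declare -f` output having the function header on its first line would also help.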
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/cross-aarch64-cros-linux-gnu/gcc b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/cross-aarch64-cros-linux-gnu/gcc
deleted file mode 120000
index c59b0e7dcd..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/cross-aarch64-cros-linux-gnu/gcc
+++ /dev/null
@@ -1 +0,0 @@
-../sys-devel/gcc
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/cross-x86_64-cros-linux-gnu/gcc b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/cross-x86_64-cros-linux-gnu/gcc
deleted file mode 120000
index c59b0e7dcd..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/cross-x86_64-cros-linux-gnu/gcc
+++ /dev/null
@@ -1 +0,0 @@
-../sys-devel/gcc
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-lang/go/0001-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-lang/go/0001-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch
new file mode 100644
index 0000000000..55c3fa2f40
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-lang/go/0001-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch
@@ -0,0 +1,68 @@
+From 6d265b008e3d106b2706645e5a88cd8e2fb98953 Mon Sep 17 00:00:00 2001
+From: Dirk Müller
+Date: Wed, 09 Mar 2022 17:47:23 +0100
+Subject: [PATCH] cmd/link: stop forcing binutils-gold dependency on aarch64
+
+The bfd linker appears to be working just fine at least in version
+2.41 or above. Reject the known broken one instead, which
+avoids an architecture specific linker dependency that
+is cumbersome for distributions.
+
+Fixes #22040.
+
+Change-Id: I9f377e47c22ef20497479c0978c053ed5de46a38
+---
+
+diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
+index 2d8f964..fcf0bc7 100644
+--- a/src/cmd/link/internal/ld/lib.go
++++ b/src/cmd/link/internal/ld/lib.go
+@@ -1670,27 +1670,6 @@
+ // Use lld to avoid errors from default linker (issue #38838)
+ altLinker = "lld"
+ }
+-
+- if ctxt.Arch.InFamily(sys.ARM64) && buildcfg.GOOS == "linux" {
+- // On ARM64, the GNU linker will fail with
+- // -znocopyreloc if it thinks a COPY relocation is
+- // required. Switch to gold.
+- // https://sourceware.org/bugzilla/show_bug.cgi?id=19962
+- // https://go.dev/issue/22040
+- altLinker = "gold"
+-
+- // If gold is not installed, gcc will silently switch
+- // back to ld.bfd. So we parse the version information
+- // and provide a useful error if gold is missing.
+- name, args := flagExtld[0], flagExtld[1:]
+- args = append(args, "-fuse-ld=gold", "-Wl,--version")
+- cmd := exec.Command(name, args...)
+- if out, err := cmd.CombinedOutput(); err == nil {
+- if !bytes.Contains(out, []byte("GNU gold")) {
+- log.Fatalf("ARM64 external linker must be gold (issue #15696, 22040), but is not: %s", out)
+- }
+- }
+- }
+ }
+ if ctxt.Arch.Family == sys.ARM64 && buildcfg.GOOS == "freebsd" {
+ // Switch to ld.bfd on freebsd/arm64.
+diff --git a/src/make.bash b/src/make.bash
+index b67ae15..7df4910 100755
+--- a/src/make.bash
++++ b/src/make.bash
+@@ -94,6 +94,16 @@
+ ;;
+ esac
+
++# Test for bad bfd.ld
++if test "$(uname -m)" = "aarch64" && ld -v | grep -E "GNU ld.* 2\.([0-3]|40)"; then
++ echo 'ERROR: Your system uses bfd.LD 2.40 or older which has issues with dynamic linking on aarch64'
++ echo 'Consider upgrading or switching to binutils-gold.'
++ echo
++ echo 'See https://sourceware.org/bugzilla/show_bug.cgi?id=30437'
++
++ exit 1
++fi
++
+ # Test for bad ld.
+ if ld --version 2>&1 | grep 'gold.* 2\.20' >/dev/null; then
+ echo 'ERROR: Your system has gold 2.20 installed.'
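Review bot: The new guard in `src/make.bash` inspects only the build host (`uname -m` and the host `ld -v`), so it does not fire when arm64 binaries are cross-linked from another architecture. Meanwhile the `lib.go` hunk removes the forced switch to gold for every linux/arm64 link. If the SDK cross-compiles arm64 this way, nothing rejects a cross bfd linker at 2.40 or older; recording the minimum binutils version for the aarch64 cross toolchain next to this patch, for example in its README, would cover that. The `grep -E` call is also not silenced, so a match prints the `ld -v` line before the error text; `grep -qE` would keep the output clean. The `lib.go` change sits inside a function that begins and ends outside the patch context.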
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-lang/go/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-lang/go/README.md
new file mode 100644
index 0000000000..77663c42ec
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-lang/go/README.md
@@ -0,0 +1,6 @@
+The `0001-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch`
+drops the use of the gold linker. Track the following to see when it
+needs to be dropped:
+
+- https://go-review.googlesource.com/c/go/+/391115
+- https://github.com/golang/go/issues/22040
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/sssd/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/sssd/README.md
index 39ecb103a1..decf8bef1e 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/sssd/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/sssd/README.md
@@ -1,3 +1,3 @@
The `0001-Assume-that-callbacks-are-not-broken-in-OpenLDAP-whe.patch` allows
the project to be cross-compiled without disabling LDAP connection
-callbacks. It is being upstreamed.
+callbacks. Drop when updating to >=2.9.7 or >=2.10.2.
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.22.11.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.22.11.ebuild
deleted file mode 100644
index 7951a795c1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.22.11.ebuild
+++ /dev/null
@@ -1,8 +0,0 @@
-# Copyright 2022 Flatcar Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit coreos-go-lang
-
-KEYWORDS="-* amd64 arm64"
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
deleted file mode 100644
index d8dbdc8175..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST openssl-3.2.3.tar.gz 17762604 BLAKE2B 1445336aa92d0fd9df266ad570fe2bf5701279e462dd3fccd4cf662f328bfee923dc6c72c42c1921fd38bce43e1c60cacdec3f1c2963fe0ffda6a0e8e34ac6e4 SHA512 9e9f06ab630914e32e64bfb945dfa375ea3595b3db4eb8ef68288a58909baf753b34998439907c22ff2b8561cfd3f3f6b7fbf22981479e66a98c2e92fda172a2
-DIST openssl-3.2.3.tar.gz.asc 833 BLAKE2B 5a7289ed40534a058b9eb7686ce444b9d453a2973ab7ebda01c99f7245f6ba19197123f8bb3b16940d4bfbc5e313babc0249f280e55911190b47da3a47ed1e6a SHA512 e727adb88f84c48082ef0cae963bf999cce11619f7322014cc7f36c16e8375a60542f518c1b86319208cf8da33044e942b3d65208bc59fd4a5f522ab78ff1c23
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
deleted file mode 100644
index d8788d2929..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-d /etc/ssl - - - - -
-d /etc/ssl/private 0700 - - - -
-L /etc/ssl/openssl.cnf - - - - ../../usr/share/ssl/openssl.cnf
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass
index 542d464ecb..724ed36fca 100644
--- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass
@@ -13,11 +13,10 @@
# @CODE
# COREOS_GO_VERSION=go1.20
# @CODE
-export COREOS_GO_VERSION="${COREOS_GO_VERSION:-go1.22}"
+export COREOS_GO_VERSION="${COREOS_GO_VERSION:-go1.23}"
case "${EAPI:-0}" in
- 5|6) DEPEND="dev-lang/go:${COREOS_GO_VERSION#go}=" ;;
- 7|8) BDEPEND="dev-lang/go:${COREOS_GO_VERSION#go}=" ;;
+ 7|8) BDEPEND=">=dev-lang/go-${COREOS_GO_VERSION#go}:=" ;;
*) die "Unsupported EAPI=${EAPI} for ${ECLASS}"
esac
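Review bot: `BDEPEND=">=dev-lang/go-${COREOS_GO_VERSION#go}:="` turns `COREOS_GO_VERSION` from a slot pin into a lower bound, but the eclass documentation above the hunk (the `COREOS_GO_VERSION=go1.20` example) still reads as if it selects a specific toolchain. Together with `export EGO=go` in the `coreos-go-utils.eclass` hunk, packages now build with whichever Go the SDK has installed. That matters when tracking which toolchain, and therefore which standard-library fixes, went into a statically linked binary. The variable's description should say so, e.g. `# Minimum Go version required; the build uses the installed dev-lang/go that satisfies it.` The documentation block starts outside this hunk.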
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-lang.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-lang.eclass
deleted file mode 100644
index e5f34fe9d2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-lang.eclass
+++ /dev/null
@@ -1,121 +0,0 @@
-# Copyright 2016 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-# @ECLASS: coreos-go-lang.eclass
-# @BLURB: Common functionality for building Go itself
-# @DESCRIPTION:
-# Only dev-lang/go ebuilds should inherit this eclass.
-#
-# Native (${CHOST} == ${CTARGET}):
-#
-
-case "${EAPI:-0}" in
- 6|7|8) ;;
- *) die "Unsupported EAPI=${EAPI} for ${ECLASS}"
-esac
-
-inherit coreos-go-utils toolchain-funcs
-
-export CBUILD=${CBUILD:-${CHOST}}
-export CTARGET=${CTARGET:-${CHOST}}
-
-# Determine the main SLOT we will be using, e.g.: PV=1.5.3 SLOT=1.5
-GOSLOT="$(ver_cut 1-2)"
-
-DESCRIPTION="A concurrent garbage collected and typesafe programming language"
-HOMEPAGE="http://www.golang.org"
-SRC_URI="https://storage.googleapis.com/golang/go${PV}.src.tar.gz"
-
-LICENSE="BSD"
-SLOT="${GOSLOT}/${PV}"
-IUSE=""
-
-RDEPEND="app-eselect/eselect-go"
-DEPEND="${RDEPEND}
- >=dev-lang/go-bootstrap-1.17.13"
-
-# These test data objects have writable/executable stacks.
-QA_EXECSTACK="usr/lib/go${GOSLOT}/src/debug/elf/testdata/*.obj"
-
-# Similarly, test data is never executed so don't check link dependencies.
-REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
-
-# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
-QA_MULTILIB_PATHS="usr/lib/go${GOSLOT}/pkg/tool/.*/.*"
-
-# The go language uses *.a files which are _NOT_ libraries and should not be
-# stripped. The test data objects should also be left alone and unstripped.
-STRIP_MASK="*.a /usr/lib/go${GOSLOT}/src/*"
-
-S="${WORKDIR}/go"
-
-coreos-go-lang_pkg_pretend() {
- # make.bash does not understand cross-compiling a cross-compiler
- if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
- die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
- fi
-}
-
-coreos-go-lang_src_compile() {
- export GOROOT_BOOTSTRAP="${EPREFIX}/usr/lib/go-bootstrap"
- export GOROOT_FINAL="${EPREFIX}/usr/lib/go${GOSLOT}"
- export GOROOT="${S}"
- export GOBIN="${GOROOT}/bin"
-
- # Go's build script does not use BUILD/HOST/TARGET consistently. :(
- go_export
- export GOHOSTARCH=$(go_arch ${CBUILD})
- export GOHOSTOS=$(go_os ${CBUILD})
- export CC_FOR_TARGET=$(tc-getCC)
- export CXX_FOR_TARGET=$(tc-getCXX)
- # Must be set *after* calling tc-getCC
- export CC=$(tc-getBUILD_CC)
-
- cd src
- ./make.bash || die "build failed"
-}
-
-coreos-go-lang_src_test() {
- go_cross_compile && return 0
-
- cd src
- PATH="${GOBIN}:${PATH}" \
- ./run.bash -no-rebuild || die "tests failed"
-}
-
-coreos-go-lang_src_install() {
- exeinto "/usr/lib/go${GOSLOT}/bin"
- if go_cross_compile; then
- doexe "${GOBIN}/$(go_tuple)/"{go,gofmt}
- else
- doexe "${GOBIN}/"{go,gofmt}
- fi
- dosym "../lib/go${GOSLOT}/bin/go" "/usr/bin/go${GOSLOT}"
- dosym "../lib/go${GOSLOT}/bin/gofmt" "/usr/bin/gofmt${GOSLOT}"
-
- exeinto "/usr/lib/go${GOSLOT}/pkg/tool/$(go_tuple)"
- doexe "pkg/tool/$(go_tuple)/"*
-
- insopts -m0644 -p # preserve timestamps
- insinto "/usr/lib/go${GOSLOT}"
- doins -r doc lib src
- insinto "/usr/lib/go${GOSLOT}/pkg"
- doins -r "pkg/include"
-
- # Install pkg/linux_{amd64,arm64} only for Go <= 1.19, as Go 1.20+
- # does not ship pre-compiled package archives for the standard library
- # in $GOROOT/pkg. See https://go.dev/doc/go1.20.
- ver_test "${GOSLOT}" -lt 1.20 && doins -r "pkg/$(go_tuple)"
-
- dodoc CONTRIBUTING.md PATENTS README.md
-}
-
-coreos-go-lang_pkg_postinst() {
- eselect go update
-}
-
-coreos-go-lang_pkg_postrm() {
- eselect go update
-}
-
-EXPORT_FUNCTIONS pkg_pretend src_compile src_test src_install pkg_postinst pkg_postrm
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-utils.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-utils.eclass
index b5d07016de..ae4f28fa6b 100644
--- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-utils.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-utils.eclass
@@ -91,9 +91,7 @@ go_export() {
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
-
- # Ensure the `go` wrapper calls the version we expect
- export EGO="${COREOS_GO_VERSION}"
+ export EGO=go
# With Go >= 1.16, GO111MODULE=on is set by default.
# Few of our repos still don't support Go modules so we would need to set
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 9f58d6f1c7..f093864141 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -7,21 +7,8 @@
# Gentoo upstream package stabilisation
# (the following packages are "unstable" upstream; we're stabilising these)
-# Handled by automation
-=app-containers/containerd-1.7.23 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-10-18 08:06:10
-
# Keep versions on both arches in sync.
-=app-containers/cri-tools-1.27.0 ~arm64
-
-# Accept unstable for Docker and its CLI.
-=app-containers/docker-27.3.1 ~amd64 ~arm64
-=app-containers/docker-cli-27.3.1 ~amd64 ~arm64
-
-# These seem to be the versions we initially got, but the
-# modifications made to the ebuilds were clobbered, so these are here
-# to keep using the same version. Can be dropped when these or newer
-# get stabilized in Gentoo.
-=app-containers/runc-1.1.14 ~amd64 ~arm64
+=app-containers/cri-tools-1.32.0 ~arm64
# Seems to be the only available ebuild in portage-stable right now.
=app-crypt/adcli-0.9.2 ~arm64
@@ -38,19 +25,19 @@
# We need the new --provider option.
=app-crypt/p11-kit-0.25.5 ~amd64 ~arm64
-# Needed in SDK for Secure Boot.
-=app-emulation/virt-firmware-24.7 ~amd64
-
# Needed by arm64-native SDK.
=app-emulation/open-vmdk-1.0 *
# Keep versions on both arches in sync.
=app-emulation/qemu-guest-agent-8.2.0 ~arm64
-=dev-build/meson-1.5.2 ~arm64
+=dev-build/meson-1.6.1 ~arm64
=dev-cpp/glog-0.6.0 ~arm64
=dev-lang/yasm-1.3.0-r1 ~arm64
=dev-libs/ding-libs-0.6.2-r1 ~arm64
+# Needed to address CVE-2024-52533
+=dev-libs/glib-2.82.4-r1 ~amd64 ~arm64
+
# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
=dev-libs/jose-12 **
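Review bot: The entries added under `# Needed to address CVE-2024-52533` (here for `dev-libs/glib`, and in the next hunk for `dev-util/gdbus-codegen` and `dev-util/glib-utils`) are exact-version pins with no removal condition. Other comments in this file say when an entry can go, for example "Can be dropped when these or newer get stabilized in Gentoo" on the removed runc block. The same would help here, so the pins are neither left behind nor dropped before a fixed version is stable. Suggested: `# Needed to address CVE-2024-52533. Drop once a fixed version is stable on amd64 and arm64.`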
@@ -63,7 +50,12 @@
# Catalyst 4 is not stable yet, but earlier versions are masked now.
=dev-util/catalyst-4.0.0 ~amd64 ~arm64
+# Needed to address CVE-2024-52533
+=dev-util/gdbus-codegen-2.82.4 ~amd64 ~arm64
+=dev-util/glib-utils-2.82.4 ~amd64 ~arm64
+
# Keep versions on both arches in sync.
+=dev-util/maturin-1.8.1 ~arm64
=net-firewall/conntrack-tools-1.4.8-r1 ~arm64
=net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
=net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
@@ -78,8 +70,12 @@
=sys-apps/azure-vm-utils-0.4.0 ~amd64 ~arm64
# Keep versions on both arches in sync.
-=sys-apps/zram-generator-1.1.2-r1 ~arm64
-=sys-auth/sssd-2.9.5 ~arm64
+=sys-apps/zram-generator-1.2.1 ~arm64
+
+# Needed to avoid pulling python into production images.
+=sys-auth/sssd-2.9.6-r1 ~amd64 ~arm64
+
+# Keep versions on both arches in sync.
=sys-boot/mokutil-0.7.2 **
# Enable ipvsadm for arm64.
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
index fa9438a09f..d09537a81b 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
@@ -20,6 +20,3 @@
# Pulls in LLVM and clang.
>=sys-block/thin-provisioning-tools-1.0.14
-
-# Pulls in python into production.
->=sys-auth/sssd-2.9.6
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 5c5c37fcbf..2b4a14af3c 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -59,7 +59,7 @@ sys-libs/glibc nscd
dev-libs/cyrus-sasl kerberos -gdbm
# don't build manpages for sssd
-sys-auth/sssd -python samba kerberos gssapi ssh sudo selinux
+sys-auth/sssd -python samba kerberos gssapi ssh selinux
# enable logging command-line options in update_engine
dev-cpp/glog gflags
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.provided b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.provided
index ff38bc4c54..d4a409acb3 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.provided
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.provided
@@ -21,3 +21,6 @@ app-misc/editor-wrapper-4
acct-group/named-0-r3
acct-user/named-0-r3
sys-process/psmisc-23.7
+
+# Pulled in by app-admin/sudo
+dev-lang/perl-5.40.0
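Review bot: Listing `dev-lang/perl-5.40.0` in `package.provided` satisfies sudo's Perl dependency without installing Perl, and the comment `# Pulled in by app-admin/sudo` does not say that this is deliberate. Any Perl script the sudo package installs would then be on the image without an interpreter, and a later reader may take the entry for a leftover. If the intent is to keep Perl out of the image, as the removed "Flatcar: Remove Perl runtime dependency" ebuild comment suggests, say so: `# sudo[ldap] RDEPENDs on perl; perl is deliberately not shipped, so mark it as provided.`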
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
deleted file mode 100644
index 7d3514d9b4..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347
-DIST glibc-2.38-patches-13.tar.xz 92708 BLAKE2B b2f05a793c92ea0b7901d2124fcd968fa846fdf687f8cbdbc17795c33fae2d538133fae66d575c5b98a7a05a29f9f816e7ecd45f3be5ed10ef65adbf92c7fc4d SHA512 24e45a88fa7676ef22a7e2bb864dff27262f69900c4ef76d21c6fee498d728949b6f5d03dd094d1774a66a8a47b779bf4b16ee31e5306bcdb55cedcc0a1c5e9f
-DIST glibc-2.38.tar.xz 18913712 BLAKE2B f9b039f0ef98a7dd8e1cba228ed10286b9e4fbe4dd89af4d26fa5c4e4cf266f19c2746b44d797ce54739d86499e74cf334aaf311bcf6e30120fd7748453e653f SHA512 a6dd5e42dcd63d58e2820c783522c8c895890b6e8c8e6c83b025553de0cc77cdf227e7044e431ead98c89c68a9ce4dd63509b47e647775fb2075f011849c1900
-DIST glibc-systemd-20210729.tar.gz 1480 BLAKE2B 37722c7579df782d890e44dbab99c3de52ab466eb9de80d82405e9bb5620bf39ffc8c5f466a435bdb86ef6d36dd7019c0736573916bda6c67d02a2581e0ec979 SHA512 efd75af58b50522c28cdac7abd1fc56555bc1bb042512c90d8340c1ec09c5791b3872a305bf83723252bbde5855b75d958c041083457765c4cfd170732d09238
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
deleted file mode 100644
index 0bcb9dd9ee..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# GLibc
-
-The system's C library, sometimes referred to as "service pack for the C
-language". The build recipe has a single modification over the one Gentoo
-upstream uses: in the installation callback `glibc_do_src_install`, we remove
-all of glibc's `/etc` files right after the stock glibc build diligently
-installed them, since we ship our own `/etc` stuff via the `baseimage` recipe.
-The addition sits at the end of the `glibc_do_src_install` function and is duly
-labelled `## Flatcar Container Linux: ...`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
deleted file mode 100644
index 0cf43dcb7a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
+++ /dev/null
@@ -1,2 +0,0 @@
-L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf
-d /var/db/nscd - - - - -
diff --git a/sdk_container/src/third_party/portage-stable/app-admin/sudo/Manifest b/sdk_container/src/third_party/portage-stable/app-admin/sudo/Manifest
new file mode 100644
index 0000000000..746aebd541
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/Manifest
@@ -0,0 +1,8 @@
+DIST sudo-1.9.15p5.tar.gz 5306611 BLAKE2B 73ee598c2a2848d5be24f97492b13eba2f326c514799220e43a1aeafc6692224a7555fb7cc0a96a2720751d3e4d98e752804db589ac3c1476f24e71f5b9bc720 SHA512 ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
+DIST sudo-1.9.15p5.tar.gz.sig 566 BLAKE2B ddd8fed1b3721aafdb32b762834168063c3f0f003ef5d83f1883615320da6fe89b08d72c8e893c8b2bf9fd892a40e47cc77d72672e43b5a24db50e7194d9bc4c SHA512 97480a3d27b546a93e997c3a1e8169904a7625ab8fa6198d0b7e1d2d040f55b2d58462cd08e5cc97c2f1c817b12343e35cdd7db207aee42785f2b95b17c600b0
+DIST sudo-1.9.16.tar.gz 5392026 BLAKE2B 19daa789af3ca2c4832950f0dd6f26a97285fdc155f0d7c18ec1f1accafce9b86f2f5730d3bb0b8e7717c0c55f4079928e03acb3974cb2652c58d4bcb2f74a12 SHA512 1b0254eb5b75422bffd31a2ae8c56cb4e8e2ecc08e2fa687eddb638d4f2de2585fa7621c868c03423e9d636bfb5679a3758d504155dbdfd3eebfbdcbd8b58f7c
+DIST sudo-1.9.16.tar.gz.sig 566 BLAKE2B 9eb9fd2db0de5b9ce965c2109a9722e0b5f0793b7c9003123b1540d7cb5b8178043221296fd51c7f0b24ce1b1cda9f196a6d50083da172ca2afcb8f130d8eae1 SHA512 edf066f9ffdf2653468f8b45866a65214f0dff0164318d5f6bd9252f6211e82522161b1b9621798fbc9112253e6940d7137d18e8b42e8c6e5ba52ccac64d99cf
+DIST sudo-1.9.16p1.tar.gz 5396038 BLAKE2B 7f973510658e91af54121d8c4c634b26231ef270abac50f658c9ad8a446a7dbbc44cb878561fb8da51e4ec15ebc8873fdaed05be142907f96964ff42c7e4f896 SHA512 3239d16513c431383b6d54cf40690a9b8fcf905d9b8f5a2085679dd5daeaacbd7efb153b41fd672fc634277c3203aaa1dc18e6a6c01799ebc9948763ec93a038
+DIST sudo-1.9.16p1.tar.gz.sig 566 BLAKE2B 0f68bb4a653cfaacf05d6c148f690ae0022035090e6e60df7efde6b25193ac46d12905ca898e5aadb8339ca3f08e27a4408edeb75f26f7e483f136026835aa24 SHA512 96cdd7f646d2fe7eeefce7710ba421be12a9bfd6811284ba8ccb3f7288b328531bbd7215cf0182c13670f2ec7c0ee25dfd6396214ddd61ee4ee153fec19bef7e
+DIST sudo-1.9.16p2.tar.gz 5398419 BLAKE2B ef9f1c2cd4044454a808d1dff5f865355e1bd061d1b5c93a005207e28e9b9df7c267cf01358ce60dd2c98f6844b51dab00eac4e7a08bade1d621235c3a4774bf SHA512 1e2ea762671890a03b0ea4b95b3849f2d3a4c301432db8767433e9d80c517efd8b7a68e0bbce1b178aff5857907600f1f5e0d889779cb27e38c2f602395f6f06
+DIST sudo-1.9.16p2.tar.gz.sig 566 BLAKE2B 90f90658a7d6ec3b32f6a726a2cd28e156826a65749a88a2a29d970e97804d2d75de856bc85c9a459233b59e35564c5fbf93aff53ffe42d17d0e94dd23724acd SHA512 7f0e3269c9befada535590b2cfc36f96cd70831b5c030df5b3bf8c7cb3eff296d22193429f940db4a0df849b4d8080e4006086c49869b4bbae663836b2632b49
diff --git a/sdk_container/src/third_party/portage-stable/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch b/sdk_container/src/third_party/portage-stable/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch
new file mode 100644
index 0000000000..8fda41a2b7
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch
@@ -0,0 +1,54 @@
+https://github.com/sudo-project/sudo/commit/131e7e2de02ab53cfefefe93978d7fee4cb8142d
+
+From 131e7e2de02ab53cfefefe93978d7fee4cb8142d Mon Sep 17 00:00:00 2001
+From: Andy Fiddaman
+Date: Tue, 17 Sep 2024 12:49:13 +0000
+Subject: [PATCH] Allow --secure-path-value=no
+
+This adds support for --with-secure-path-value=no to allow packagers
+to ship the sudoers configuration file with the secure path
+line commented out if required.
+--- a/configure.ac
++++ b/configure.ac
+@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
+ AC_SUBST([nsswitch_conf])
+ AC_SUBST([netsvc_conf])
+ AC_SUBST([secure_path])
++AC_SUBST([secure_path_config])
+ AC_SUBST([secure_path_status])
+ AC_SUBST([editor])
+ AC_SUBST([pam_session])
+@@ -230,6 +231,7 @@ sesh_file="$libexecdir/sudo/sesh"
+ visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++secure_path_config=
+ secure_path_status="disabled"
+ pam_session=on
+ pam_login_service=sudo
+@@ -1068,9 +1070,11 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
+ test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
+
+-AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
++AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file, or "no" to comment out by default])],
+ [case $with_secure_path_value in
+- yes|no) AC_MSG_ERROR([must give --secure-path-value an argument.])
++ yes) AC_MSG_ERROR([must give --with-secure-path-value an argument.])
++ ;;
++ no) secure_path_config="# "
+ ;;
+ *) secure_path="$with_secure_path_value"
+ ;;
+--- a/plugins/sudoers/sudoers.in
++++ b/plugins/sudoers/sudoers.in
+@@ -48,7 +48,7 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+ ## Use a hard-coded PATH instead of the user's to find commands.
+ ## This also helps prevent poorly written scripts from running
+ ## artbitrary commands under sudo.
+-Defaults secure_path="@secure_path@"
++@secure_path_config@Defaults secure_path="@secure_path@"
+ ##
+ ## You may wish to keep some of the following environment variables
+ ## when running commands via sudo.
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml b/sdk_container/src/third_party/portage-stable/app-admin/sudo/metadata.xml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-admin/sudo/metadata.xml
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.15_p5-r1.ebuild
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild
rename to sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.15_p5-r1.ebuild
index 376fb5ea52..918c043541 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.15_p5-r1.ebuild
@@ -3,7 +3,7 @@
EAPI=8
-inherit pam libtool tmpfiles toolchain-funcs
+inherit flag-o-matic pam libtool tmpfiles toolchain-funcs
MY_P="${P/_/}"
MY_P="${MY_P/beta/b}"
@@ -33,7 +33,7 @@ else
"
if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
fi
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
@@ -63,14 +63,13 @@ DEPEND="
selinux? ( sys-libs/libselinux )
skey? ( >=sys-auth/skey-1.1.5-r1 )
ssl? ( dev-libs/openssl:= )
- sssd? ( sys-auth/sssd[sudo] )
+ sssd? ( sys-auth/sssd[sudo(+)] )
"
-#Flatcar: Remove Perl runtime dependency
-# ldap? ( dev-lang/perl )
RDEPEND="
${DEPEND}
>=app-misc/editor-wrapper-3
virtual/editor
+ ldap? ( dev-lang/perl )
pam? ( sys-auth/pambase )
selinux? ( sec-policy/selinux-sudo )
sendmail? ( virtual/mta )
@@ -145,6 +144,9 @@ src_configure() {
# bug #767712
tc-export PKG_CONFIG
+ # https://github.com/sudo-project/sudo/issues/420
+ append-cflags -std=gnu17
+
# - audit: somebody got to explain me how I can test this before I
# enable it.. - Diego
# - plugindir: autoconf code is crappy and does not delay evaluation
@@ -179,7 +181,7 @@ src_configure() {
$(use_with offensive all-insults)
$(use_with pam)
$(use_with pam pam-login)
- $(use_with secure-path secure-path "${SECURE_PATH}")
+ "$(use_with secure-path secure-path "${SECURE_PATH}")"
$(use_with selinux)
$(use_with sendmail)
$(use_with skey)
@@ -216,8 +218,8 @@ src_install() {
doins "${T}"/ldap.conf.sudo
fperms 0440 /etc/ldap.conf.sudo
- #Flatcar: we don't ship OpenLDAP schemas
-
+ insinto /etc/openldap/schema
+ newins docs/schema.OpenLDAP sudo.schema
fi
if use pam ; then
@@ -236,15 +238,6 @@ src_install() {
# bug #697812
find "${ED}" -type f -name "*.la" -delete || die
-
- # Flatcar: Remove sudo.conf as it is shipped via baselayout
- rm "${ED}/etc/sudo.conf" || die
-
- # Flatcar: Build system installs /etc/sudoers.d, let's make
- # sure we keep having it.
- #
- # Upstream PR: https://github.com/gentoo/gentoo/pull/37397
- keepdir /etc/sudoers.d
}
pkg_postinst() {
diff --git a/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16-r2.ebuild b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16-r2.ebuild
new file mode 100644
index 0000000000..2403907f5c
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16-r2.ebuild
@@ -0,0 +1,296 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools flag-o-matic pam tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+
+if [[ ${PV} == 9999 ]] ; then
+ inherit mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
+ inherit verify-sig
+
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+ fi
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+S="${WORKDIR}/${MY_P}"
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+ sys-libs/zlib:=
+ virtual/libcrypt:=
+ gcrypt? ( dev-libs/libgcrypt:= )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1:=
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap:=[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ ssl? ( dev-libs/openssl:= )
+ sssd? ( sys-auth/sssd[sudo(+)] )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND+="
+ app-alternatives/yacc
+ virtual/pkgconfig
+"
+
+REQUIRED_USE="
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.9.16-allow-disabling-secure-path.patch
+)
+
+src_prepare() {
+ default
+
+ # eautoreconf temporarily for allow-disabling-secure-path patch
+ # in 1.9.16; revert to elibtoolize once that is gone.
+ eautoreconf
+}
+
+set_secure_path() {
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # Then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # Finally, strip gcc paths, bug #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+ local SECURE_PATH
+
+ set_secure_path
+
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # https://github.com/sudo-project/sudo/issues/420
+ append-cflags -std=gnu17
+
+ # - audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # - plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
+ # requires some python eclass
+ --disable-python
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-zlib=system
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_enable ssl openssl)
+ $(use_with ldap)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with pam)
+ $(use_with pam pam-login)
+ $(use_with secure-path)
+ "$(use_with secure-path secure-path-value "${SECURE_PATH}")"
+ $(use_with selinux)
+ $(use_with sendmail)
+ $(use_with skey)
+ $(use_with sssd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP.md
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP.md for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins docs/schema.OpenLDAP sudo.schema
+ fi
+
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ # bug #652958
+ fperms 0711 /var/db/sudo
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run || die
+
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ # bug #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}
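Review bot: `set_secure_path` builds sudo's compiled-in `secure_path` from whatever the build root's `profile.env` lists, and the only filtering is de-duplication in `cleanpath` and the gcc directories in `rmpath`, so a relative entry such as `.` would pass through into the configured value. Inside the `cleanpath` loop I would skip anything that is not absolute, `[[ ${thisp} == /* ]] || continue`, and print the final value with `einfo` so the build log records what was baked in. The same function is added unchanged in sudo-1.9.16_p1-r1, sudo-1.9.16_p2-r1 and sudo-9999 below.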
diff --git a/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16_p1-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16_p1-r1.ebuild
new file mode 100644
index 0000000000..a4c126a9a2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16_p1-r1.ebuild
@@ -0,0 +1,294 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic pam tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+
+if [[ ${PV} == 9999 ]] ; then
+ inherit autotools mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
+ inherit libtool verify-sig
+
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+ fi
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+S="${WORKDIR}/${MY_P}"
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+ sys-libs/zlib:=
+ virtual/libcrypt:=
+ gcrypt? ( dev-libs/libgcrypt:= )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1:=
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap:=[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ ssl? ( dev-libs/openssl:= )
+ sssd? ( sys-auth/sssd[sudo(+)] )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND+="
+ app-alternatives/yacc
+ virtual/pkgconfig
+"
+
+REQUIRED_USE="
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ else
+ elibtoolize
+ fi
+}
+
+set_secure_path() {
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # Then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # Finally, strip gcc paths, bug #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+ local SECURE_PATH
+
+ set_secure_path
+
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # https://github.com/sudo-project/sudo/issues/420
+ append-cflags -std=gnu17
+
+ # - audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # - plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
+ # requires some python eclass
+ --disable-python
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-zlib=system
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_enable ssl openssl)
+ $(use_with ldap)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with pam)
+ $(use_with pam pam-login)
+ $(use_with secure-path)
+ "$(use_with secure-path secure-path-value "${SECURE_PATH}")"
+ $(use_with selinux)
+ $(use_with sendmail)
+ $(use_with skey)
+ $(use_with sssd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP.md
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP.md for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins docs/schema.OpenLDAP sudo.schema
+ fi
+
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ # bug #652958
+ fperms 0711 /var/db/sudo
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run || die
+
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ # bug #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}
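Review bot: `--disable-hardening` in `src_configure` switches off sudo's own hardening flags on the strength of the comment's claim that the toolchain already sets them, and nothing in this diff shows that the SDK toolchain used for this build has those defaults. sudo is installed setuid (the postinst text mentions `chmod 4111`), so it is worth confirming that the built binary still gets hardening such as PIE, stack protection and `_FORTIFY_SOURCE`. I would record the assumption next to the option, e.g. `# relies on toolchain defaults for PIE/SSP/_FORTIFY_SOURCE; re-check when the toolchain changes`. The same option and comment appear in the other three new sudo ebuilds.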
diff --git a/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16_p2-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16_p2-r1.ebuild
new file mode 100644
index 0000000000..3c7cda1458
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-1.9.16_p2-r1.ebuild
@@ -0,0 +1,291 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic pam tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+
+if [[ ${PV} == 9999 ]] ; then
+ inherit autotools mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
+ inherit libtool verify-sig
+
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+ fi
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+S="${WORKDIR}/${MY_P}"
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+ sys-libs/zlib:=
+ virtual/libcrypt:=
+ gcrypt? ( dev-libs/libgcrypt:= )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1:=
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap:=[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ ssl? ( dev-libs/openssl:= )
+ sssd? ( sys-auth/sssd[sudo(+)] )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND+="
+ app-alternatives/yacc
+ virtual/pkgconfig
+"
+
+REQUIRED_USE="
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ else
+ elibtoolize
+ fi
+}
+
+set_secure_path() {
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # Then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # Finally, strip gcc paths, bug #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+ local SECURE_PATH
+
+ set_secure_path
+
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # - audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # - plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
+ # requires some python eclass
+ --disable-python
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-zlib=system
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_enable ssl openssl)
+ $(use_with ldap)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with pam)
+ $(use_with pam pam-login)
+ $(use_with secure-path)
+ "$(use_with secure-path secure-path-value "${SECURE_PATH}")"
+ $(use_with selinux)
+ $(use_with sendmail)
+ $(use_with skey)
+ $(use_with sssd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP.md
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP.md for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins docs/schema.OpenLDAP sudo.schema
+ fi
+
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ # bug #652958
+ fperms 0711 /var/db/sudo
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run || die
+
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ # bug #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}
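Review bot: Unlike the other three new sudo ebuilds, `src_configure` here has no `append-cflags -std=gnu17`, yet the `inherit` line still pulls in flag-o-matic, which nothing else in this file appears to use. If the workaround for sudo issue 420 is no longer needed in 1.9.16_p2, the line can become `inherit pam tmpfiles toolchain-funcs`; if it is still needed, the `append-cflags -std=gnu17` call is missing. This is also the only one of the four with stable amd64/arm64 keywords, so it is presumably the version that actually gets built.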
diff --git a/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-9999.ebuild b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-9999.ebuild
new file mode 100644
index 0000000000..a4c126a9a2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-admin/sudo/sudo-9999.ebuild
@@ -0,0 +1,294 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic pam tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+
+if [[ ${PV} == 9999 ]] ; then
+ inherit autotools mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
+ inherit libtool verify-sig
+
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+ fi
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+S="${WORKDIR}/${MY_P}"
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+ sys-libs/zlib:=
+ virtual/libcrypt:=
+ gcrypt? ( dev-libs/libgcrypt:= )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1:=
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap:=[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ ssl? ( dev-libs/openssl:= )
+ sssd? ( sys-auth/sssd[sudo(+)] )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND+="
+ app-alternatives/yacc
+ virtual/pkgconfig
+"
+
+REQUIRED_USE="
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ else
+ elibtoolize
+ fi
+}
+
+set_secure_path() {
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # Then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # Finally, strip gcc paths, bug #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+ local SECURE_PATH
+
+ set_secure_path
+
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # https://github.com/sudo-project/sudo/issues/420
+ append-cflags -std=gnu17
+
+ # - audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # - plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
+ # requires some python eclass
+ --disable-python
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-zlib=system
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_enable ssl openssl)
+ $(use_with ldap)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with pam)
+ $(use_with pam pam-login)
+ $(use_with secure-path)
+ "$(use_with secure-path secure-path-value "${SECURE_PATH}")"
+ $(use_with selinux)
+ $(use_with sendmail)
+ $(use_with skey)
+ $(use_with sssd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP.md
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP.md for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins docs/schema.OpenLDAP sudo.schema
+ fi
+
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ # bug #652958
+ fperms 0711 /var/db/sudo
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run || die
+
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ # bug #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/ncompress/ncompress-5.0-r2.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/ncompress/ncompress-5.0-r2.ebuild
index 060af586e0..d257d90209 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/ncompress/ncompress-5.0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/ncompress/ncompress-5.0-r2.ebuild
@@ -11,7 +11,7 @@ SRC_URI="https://github.com/vapier/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="public-domain"
SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~ppc-macos"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos"
PATCHES=(
"${FILESDIR}"/${PN}-5.0-c23.patch
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/sharutils/files/sharutils-4.15.2-C23.patch b/sdk_container/src/third_party/portage-stable/app-arch/sharutils/files/sharutils-4.15.2-C23.patch
new file mode 100644
index 0000000000..e27ce8ab9b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/sharutils/files/sharutils-4.15.2-C23.patch
@@ -0,0 +1,50 @@
+https://bugs.gentoo.org/900248
+https://bugs.gentoo.org/894322
+missing include for textdomain and bindtextdomain
+This is only one place we can put include, else weird
+macro dance messes with it or we use gettext before we
+mark it for assembly operations.
+--- a/src/shar-opts.h
++++ b/src/shar-opts.h
+@@ -373,6 +373,8 @@
+ # include
+ # endif
+
++#include "gettext.h"
++
+ # ifndef ATTRIBUTE_FORMAT_ARG
+ # define ATTRIBUTE_FORMAT_ARG(_a)
+ # endif
+--- a/src/unshar-opts.h
++++ b/src/unshar-opts.h
+@@ -210,6 +210,8 @@
+ # include
+ # endif
+
++#include "gettext.h"
++
+ # ifndef ATTRIBUTE_FORMAT_ARG
+ # define ATTRIBUTE_FORMAT_ARG(_a)
+ # endif
+--- a/src/uudecode-opts.h
++++ b/src/uudecode-opts.h
+@@ -188,6 +188,8 @@
+ # include
+ # endif
+
++#include "gettext.h"
++
+ # ifndef ATTRIBUTE_FORMAT_ARG
+ # define ATTRIBUTE_FORMAT_ARG(_a)
+ # endif
+--- a/src/uuencode-opts.h
++++ b/src/uuencode-opts.h
+@@ -184,6 +184,8 @@
+ # include
+ # endif
+
++#include "gettext.h"
++
+ # ifndef ATTRIBUTE_FORMAT_ARG
+ # define ATTRIBUTE_FORMAT_ARG(_a)
+ # endif
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/sharutils/files/sharutils-4.15.2-dewhich.patch b/sdk_container/src/third_party/portage-stable/app-arch/sharutils/files/sharutils-4.15.2-dewhich.patch
new file mode 100644
index 0000000000..a2531ad691
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/sharutils/files/sharutils-4.15.2-dewhich.patch
@@ -0,0 +1,32 @@
+https://bugs.gentoo.org/941724
+which-hunt
+diff '--color=auto' -ru sharutils-4.15.2.old/libopts/m4/libopts.m4 sharutils-4.15.2/libopts/m4/libopts.m4
+--- sharutils-4.15.2.old/libopts/m4/libopts.m4 2025-01-22 13:17:52.302369061 +0000
++++ sharutils-4.15.2/libopts/m4/libopts.m4 2025-01-22 13:19:46.096362975 +0000
+@@ -114,9 +114,9 @@
+ AC_PROG_SED
+ [while :
+ do
+- POSIX_SHELL=`which bash`
++ POSIX_SHELL=`command -v bash`
+ test -x "$POSIX_SHELL" && break
+- POSIX_SHELL=`which dash`
++ POSIX_SHELL=`command -v dash`
+ test -x "$POSIX_SHELL" && break
+ POSIX_SHELL=/usr/xpg4/bin/sh
+ test -x "$POSIX_SHELL" && break
+diff '--color=auto' -ru sharutils-4.15.2.old/m4/libopts.m4 sharutils-4.15.2/m4/libopts.m4
+--- sharutils-4.15.2.old/m4/libopts.m4 2025-01-22 13:17:52.365018511 +0000
++++ sharutils-4.15.2/m4/libopts.m4 2025-01-22 13:19:17.856525747 +0000
+@@ -114,9 +114,9 @@
+ AC_PROG_SED
+ [while :
+ do
+- POSIX_SHELL=`which bash`
++ POSIX_SHELL=`command -v bash`
+ test -x "$POSIX_SHELL" && break
+- POSIX_SHELL=`which dash`
++ POSIX_SHELL=`command -v dash`
+ test -x "$POSIX_SHELL" && break
+ POSIX_SHELL=/usr/xpg4/bin/sh
+ test -x "$POSIX_SHELL" && break
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/sharutils/sharutils-4.15.2-r2.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/sharutils/sharutils-4.15.2-r3.ebuild
similarity index 68%
rename from sdk_container/src/third_party/portage-stable/app-arch/sharutils/sharutils-4.15.2-r2.ebuild
rename to sdk_container/src/third_party/portage-stable/app-arch/sharutils/sharutils-4.15.2-r3.ebuild
index c39766d65c..5507562f71 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/sharutils/sharutils-4.15.2-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/sharutils/sharutils-4.15.2-r3.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI="7"
+EAPI=8
-inherit flag-o-matic strip-linguas
+inherit flag-o-matic strip-linguas autotools
MY_P="${P/_/-}"
DESCRIPTION="Tools to deal with shar archives"
@@ -21,9 +21,15 @@ DEPEND="app-arch/xz-utils
nls? ( >=sys-devel/gettext-0.10.35 )"
PATCHES=(
- "${FILESDIR}"/${PN}-4.15.2-glibc228.patch
- "${FILESDIR}"/${PN}-4.15.2-CVE-2018-1000097.patch
- "${FILESDIR}"/${PN}-4.15.2-gcc-10.patch
+ "${FILESDIR}"/${P}-glibc228.patch
+ "${FILESDIR}"/${P}-CVE-2018-1000097.patch
+ "${FILESDIR}"/${P}-gcc-10.patch
+ "${FILESDIR}"/${P}-dewhich.patch
+ "${FILESDIR}"/${P}-C23.patch
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+ pathfind
)
src_prepare() {
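Review bot: `QA_CONFIG_IMPL_DECL_SKIP=( pathfind )` is added without a comment saying why the implicit-declaration QA check is silenced for that symbol, so a later maintainer cannot tell whether the entry is still needed. A one-line comment above it would do, for example `# pathfind is probed by the bundled libopts configure checks and is not expected to be declared here (TODO confirm)`. The PATCHES entries also switch from the literal `${PN}-4.15.2-` prefix to `${P}-`, which ties every patch file name, including the CVE-2018-1000097 fix, to the ebuild version. On a version bump the files would no longer be found until they are renamed, so keeping the literal version in the names is the safer style.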
@@ -35,6 +41,10 @@ src_prepare() {
# bug #943901
append-cflags -std=gnu17
+
+ # bug https://bugs.gentoo.org/941724
+ # regenerate config after which removal
+ eautoreconf
}
src_configure() {
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
index d52f361335..1a4437e1b9 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
@@ -4,3 +4,7 @@ DIST xz-5.6.2.tar.gz 2355785 BLAKE2B d2d5f9772714b5b5993ec26c313bd27dc10d88928d9
DIST xz-5.6.2.tar.gz.sig 566 BLAKE2B 9b1f19d0449de18057eb5bd3cceaa073fc245e9a05fb19fabdac98b1d2e708b39c8070130c522b78ff75df724e207f978d8da65e2ccb1c6fa295aa892eda0d23 SHA512 f3d1055a2a6e96eec2fd5c0b733f2ab5e150bac9645f1fe9a7558ed6f34a241b4f57e17fd4504f311be26cf1e2b9b797f2e78b1b9d2db02e9cd0c1548cb6160b
DIST xz-5.6.3.tar.gz 2279396 BLAKE2B 9f09926f1ec7d72e6564f5816101512717bcb37610b551616117818d4e6a3b6c00b4ac74bf13a06cd299ff199a0561f2c05a3884a6f6b7e94951de2c1c2e6dc3 SHA512 b07b45e18615d1946e9d12157af99b54700d757832a638fccab70549574dcd7f28e69e71cc4c0b9c808959f818e79b668a5ccf108429ea0f40b6125bfd55d274
DIST xz-5.6.3.tar.gz.sig 566 BLAKE2B b59899d9ddc3325bd0de084dac420440ccdeb5f57f3656300f235fdae997a8943c2dc44edc3b83150b78717a7bf761152f09b41035d245fa536c45b8c06dd00d SHA512 65a0eb674b804309417d736b3ec9edb9c9bf39485593d81f352ee847662f5a95b3d5084fab21451e3510d74e4e2ee8f9cf4e8615d1128b6e16d5c211481481db
+DIST xz-5.6.4.tar.gz 2280985 BLAKE2B 3d27c143f4856589d501bc47ff5c86c1c49b1d0b8c8fd2143bcbfe86b860ca93f6a103f628e06ce5c2839ce1941cecc7552d91b1aac5c11def40fd9182d93eee SHA512 b966950eb9206e31f284c9dc3bb0a79f2fabbaf515e88c89da53d3da41ddfeebd2fc6d3d3f8fcd150c70caaaefa43dec0bce84aa183e08bf339d1aebbe041751
+DIST xz-5.6.4.tar.gz.sig 566 BLAKE2B 475b576431f573b9ce390ae2c43fc4f307f00ef523a741ec6795f182f5ff2c30f2049b1b4d2a3a7e61769bb7dc568de0f5af89661cb09341a58bbcdcdda3c877 SHA512 1ece59b7a540f6d215206ced14759aa971f192433705f8803b6ad8db0857e246145300c853cb571d8750b8152483d13736c478a7c0abb40d7ed25305d80a841c
+DIST xz-5.7.1alpha.tar.gz 2334409 BLAKE2B 98e98ebde9175fe8b135fa59f8e8acff1b8c6278f75a3ea997ebbe9aac25cb1a6a1f1bde163af4788ca0532bc270fe5baaf6cd89ba4c81ed3e3f7a6f08e741eb SHA512 40349652f3903e1d37e1cdc0b0b6f5479db0bc5bcbdc371f34b7cf7de730b1781748e1a6cad3dcc9e721243a0bd6f1c062a5ae54e966d23ff80ae0f0c9371246
+DIST xz-5.7.1alpha.tar.gz.sig 566 BLAKE2B 33c23b3aace6856f67b927d2f5b46f60f1e96eedde6a7e2cf5085e44b96da6503a8c38d5977a1dd7b068d9cb9ae652d457e9344eb40b482979d810afeb38f888 SHA512 f3fce937be1753b94110f2cf8ea1da52905133f8a62f9b2f91f6b5c91d2400ae63e000b392a0b992cd16495227077c0f26f1e36349b048e84a6bb8d3e618fd28
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.3.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.3.ebuild
index eaceaea0ff..cd83095c3e 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# Remember: we cannot leverage autotools in this ebuild in order
@@ -35,7 +35,7 @@ else
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}/${MY_P}"
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.4.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.4.ebuild
new file mode 100644
index 0000000000..c27c74e7ee
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.4.ebuild
@@ -0,0 +1,203 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Remember: we cannot leverage autotools in this ebuild in order
+# to avoid circular deps with autotools
+
+EAPI=8
+
+inherit libtool multilib multilib-minimal preserve-libs toolchain-funcs
+
+if [[ ${PV} == 9999 ]] ; then
+ # Per tukaani.org, git.tukaani.org is a mirror of github and
+ # may be behind.
+ EGIT_REPO_URI="
+ https://github.com/tukaani-project/xz
+ https://git.tukaani.org/xz.git
+ "
+ inherit git-r3 autotools
+
+ # bug #272880 and bug #286068
+ BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
+ inherit verify-sig
+
+ MY_P="${PN/-utils}-${PV/_}"
+ SRC_URI="
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
+ https://downloads.sourceforge.net/lzmautils/${MY_P}.tar.gz
+ https://tukaani.org/xz/${MY_P}.tar.gz
+ verify-sig? (
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
+ https://tukaani.org/xz/${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+
+ S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Utils for managing LZMA compressed files"
+HOMEPAGE="https://tukaani.org/xz/"
+
+# See top-level COPYING file as it outlines the various pieces and their licenses.
+LICENSE="0BSD LGPL-2.1+ GPL-2+ doc? ( CC-BY-SA-4.0 )"
+SLOT="0"
+IUSE="cpu_flags_arm_crc32 doc +extra-filters pgo nls static-libs"
+
+if [[ ${PV} != 9999 ]] ; then
+ BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20240529 )"
+fi
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautopoint
+ eautoreconf
+ else
+ # Allow building shared libs on Solaris/x64
+ elibtoolize
+ fi
+}
+
+multilib_src_configure() {
+ # Workaround for bug #934370 (libtool-2.5.0), drop when dist tarball
+ # uses newer libtool with the fix.
+ export ac_cv_prog_ac_ct_FILECMD='file' FILECMD='file'
+
+ local myconf=(
+ --enable-threads
+ $(multilib_native_use_enable doc)
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ $(use_enable cpu_flags_arm_crc32 arm64-crc32)
+ )
+
+ if ! multilib_is_native_abi ; then
+ myconf+=(
+ --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+ )
+ fi
+
+ if ! use extra-filters ; then
+ myconf+=(
+ # LZMA1 + LZMA2 for standard .lzma & .xz files
+ --enable-encoders=lzma1,lzma2
+ --enable-decoders=lzma1,lzma2
+
+ # those are used by default, depending on preset
+ --enable-match-finders=hc3,hc4,bt4
+
+ # CRC64 is used by default, though 7-Zip uses CRC32 by default.
+ # Also, XZ Embedded in Linux doesn't support CRC64, so
+ # kernel modules and friends are CRC32.
+ --enable-checks=crc32,crc64
+ )
+ fi
+
+ if [[ ${CHOST} == *-solaris* ]] ; then
+ export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+ # Undo Solaris-based defaults pointing to /usr/xpg4/bin
+ myconf+=( --disable-path-for-script )
+ fi
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+ local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo")
+ local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo")
+
+ emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+ if use pgo ; then
+ emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+ local tar_pgo_args=()
+
+ if has_version -b "app-alternatives/tar[gnu]" ; then
+ tar_pgo_args+=(
+ --mtime=@2718281828
+ --sort=name
+ )
+ fi
+
+ if multilib_is_native_abi ; then
+ (
+ shopt -s globstar
+
+ tar \
+ "${tar_pgo_args[@]}" \
+ -cf xz-pgo-test-01.tar \
+ {"${S}","${BUILD_DIR}"}/**/*.[cho] \
+ {"${S}","${BUILD_DIR}"}/**/.libs/* \
+ {"${S}","${BUILD_DIR}"}/**/**.txt \
+ {"${S}","${BUILD_DIR}"}/tests/files
+
+ stat --printf="xz-pgo-test-01.tar.tar size: %s\n" xz-pgo-test-01.tar || die
+ md5sum xz-pgo-test-01.tar || die
+ )
+
+ local test_variants=(
+ # Borrowed from ALT Linux
+ # https://packages.altlinux.org/en/sisyphus/srpms/xz/specfiles/#line-80
+ '-0 -C none'
+ '-2 -C crc32'
+ "$(usev extra-filters '-6 --arm --lzma2 -C crc64')"
+ "$(usev extra-filters '-6 --x86 --lzma2=lc=4 -C sha256')"
+ '-7e --format=lzma'
+
+ # Our own variants
+ ''
+ '-e'
+ "$(usev extra-filters '--x86 --lzma2=preset=6e')"
+ )
+ local test_variant
+ for test_variant in "${test_variants[@]}" ; do
+ einfo "Testing '${test_variant}' variant"
+ "${BUILD_DIR}"/src/xz/xz -c ${test_variant} xz-pgo-test-01.tar | "${BUILD_DIR}"/src/xz/xz -c -d - > /dev/null
+ assert "Testing '${test_variant}' variant failed"
+ done
+ fi
+
+ if tc-is-clang; then
+ llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+ fi
+
+ emake clean
+ emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+ fi
+}
+
+multilib_src_install() {
+ default
+
+ # bug #934370 and bug #450436 (and bug #934515)
+ if ! tc-is-static-only && [[ ! -f "${ED}/usr/$(get_libdir)/liblzma$(get_libname)" ]] ; then
+ eerror "Sanity check for liblzma$(get_libname) failed."
+ eerror "Shared library wasn't built, possible libtool bug"
+ [[ -z ${I_KNOW_WHAT_I_AM_DOING} ]] && die "liblzma$(get_libname) not found in build, aborting"
+ fi
+}
+
+multilib_src_install_all() {
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ if use doc ; then
+ rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
+ fi
+}
+
+pkg_preinst() {
+ preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
+
+pkg_postinst() {
+ preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
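Review bot: Source authenticity for this ebuild depends on the `verify-sig` USE flag, because the `.tar.gz.sig` entries in SRC_URI and the `sec-keys/openpgp-keys-lassecollin` BDEPEND both sit inside `verify-sig? ( … )`; with the flag off only the Manifest hashes are checked. A comment above `inherit verify-sig` would make that visible, for example `# OpenPGP check of the release tarball only runs with USE=verify-sig; keep it enabled for SDK builds`. Separately, in `multilib_src_compile` the `tar` call's exit status is unchecked while the `stat` and `md5sum` after it use `|| die`, and the `stat` message prints `xz-pgo-test-01.tar.tar` for a file named `xz-pgo-test-01.tar`. If leaving `tar` unchecked is deliberate (for instance because some globs may not match), a comment should say so. All of this applies equally to xz-utils-5.7.1_alpha.ebuild, which is added with the same blob id (c27c74e7ee).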
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.7.1_alpha.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.7.1_alpha.ebuild
new file mode 100644
index 0000000000..c27c74e7ee
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.7.1_alpha.ebuild
@@ -0,0 +1,203 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Remember: we cannot leverage autotools in this ebuild in order
+# to avoid circular deps with autotools
+
+EAPI=8
+
+inherit libtool multilib multilib-minimal preserve-libs toolchain-funcs
+
+if [[ ${PV} == 9999 ]] ; then
+ # Per tukaani.org, git.tukaani.org is a mirror of github and
+ # may be behind.
+ EGIT_REPO_URI="
+ https://github.com/tukaani-project/xz
+ https://git.tukaani.org/xz.git
+ "
+ inherit git-r3 autotools
+
+ # bug #272880 and bug #286068
+ BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
+ inherit verify-sig
+
+ MY_P="${PN/-utils}-${PV/_}"
+ SRC_URI="
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
+ https://downloads.sourceforge.net/lzmautils/${MY_P}.tar.gz
+ https://tukaani.org/xz/${MY_P}.tar.gz
+ verify-sig? (
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
+ https://tukaani.org/xz/${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+
+ S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Utils for managing LZMA compressed files"
+HOMEPAGE="https://tukaani.org/xz/"
+
+# See top-level COPYING file as it outlines the various pieces and their licenses.
+LICENSE="0BSD LGPL-2.1+ GPL-2+ doc? ( CC-BY-SA-4.0 )"
+SLOT="0"
+IUSE="cpu_flags_arm_crc32 doc +extra-filters pgo nls static-libs"
+
+if [[ ${PV} != 9999 ]] ; then
+ BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20240529 )"
+fi
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautopoint
+ eautoreconf
+ else
+ # Allow building shared libs on Solaris/x64
+ elibtoolize
+ fi
+}
+
+multilib_src_configure() {
+ # Workaround for bug #934370 (libtool-2.5.0), drop when dist tarball
+ # uses newer libtool with the fix.
+ export ac_cv_prog_ac_ct_FILECMD='file' FILECMD='file'
+
+ local myconf=(
+ --enable-threads
+ $(multilib_native_use_enable doc)
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ $(use_enable cpu_flags_arm_crc32 arm64-crc32)
+ )
+
+ if ! multilib_is_native_abi ; then
+ myconf+=(
+ --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+ )
+ fi
+
+ if ! use extra-filters ; then
+ myconf+=(
+ # LZMA1 + LZMA2 for standard .lzma & .xz files
+ --enable-encoders=lzma1,lzma2
+ --enable-decoders=lzma1,lzma2
+
+ # those are used by default, depending on preset
+ --enable-match-finders=hc3,hc4,bt4
+
+ # CRC64 is used by default, though 7-Zip uses CRC32 by default.
+ # Also, XZ Embedded in Linux doesn't support CRC64, so
+ # kernel modules and friends are CRC32.
+ --enable-checks=crc32,crc64
+ )
+ fi
+
+ if [[ ${CHOST} == *-solaris* ]] ; then
+ export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+ # Undo Solaris-based defaults pointing to /usr/xpg4/bin
+ myconf+=( --disable-path-for-script )
+ fi
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+ local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo")
+ local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo")
+
+ emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+ if use pgo ; then
+ emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+ local tar_pgo_args=()
+
+ if has_version -b "app-alternatives/tar[gnu]" ; then
+ tar_pgo_args+=(
+ --mtime=@2718281828
+ --sort=name
+ )
+ fi
+
+ if multilib_is_native_abi ; then
+ (
+ shopt -s globstar
+
+ tar \
+ "${tar_pgo_args[@]}" \
+ -cf xz-pgo-test-01.tar \
+ {"${S}","${BUILD_DIR}"}/**/*.[cho] \
+ {"${S}","${BUILD_DIR}"}/**/.libs/* \
+ {"${S}","${BUILD_DIR}"}/**/**.txt \
+ {"${S}","${BUILD_DIR}"}/tests/files
+
+ stat --printf="xz-pgo-test-01.tar.tar size: %s\n" xz-pgo-test-01.tar || die
+ md5sum xz-pgo-test-01.tar || die
+ )
+
+ local test_variants=(
+ # Borrowed from ALT Linux
+ # https://packages.altlinux.org/en/sisyphus/srpms/xz/specfiles/#line-80
+ '-0 -C none'
+ '-2 -C crc32'
+ "$(usev extra-filters '-6 --arm --lzma2 -C crc64')"
+ "$(usev extra-filters '-6 --x86 --lzma2=lc=4 -C sha256')"
+ '-7e --format=lzma'
+
+ # Our own variants
+ ''
+ '-e'
+ "$(usev extra-filters '--x86 --lzma2=preset=6e')"
+ )
+ local test_variant
+ for test_variant in "${test_variants[@]}" ; do
+ einfo "Testing '${test_variant}' variant"
+ "${BUILD_DIR}"/src/xz/xz -c ${test_variant} xz-pgo-test-01.tar | "${BUILD_DIR}"/src/xz/xz -c -d - > /dev/null
+ assert "Testing '${test_variant}' variant failed"
+ done
+ fi
+
+ if tc-is-clang; then
+ llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+ fi
+
+ emake clean
+ emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+ fi
+}
+
+multilib_src_install() {
+ default
+
+ # bug #934370 and bug #450436 (and bug #934515)
+ if ! tc-is-static-only && [[ ! -f "${ED}/usr/$(get_libdir)/liblzma$(get_libname)" ]] ; then
+ eerror "Sanity check for liblzma$(get_libname) failed."
+ eerror "Shared library wasn't built, possible libtool bug"
+ [[ -z ${I_KNOW_WHAT_I_AM_DOING} ]] && die "liblzma$(get_libname) not found in build, aborting"
+ fi
+}
+
+multilib_src_install_all() {
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ if use doc ; then
+ rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
+ fi
+}
+
+pkg_preinst() {
+ preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
+
+pkg_postinst() {
+ preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest
new file mode 100644
index 0000000000..237fcc5c6a
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest
@@ -0,0 +1,2 @@
+DIST containerd-2.0.1.tar.gz 10423945 BLAKE2B 7f77678557bf649c71475d3ff08a57579b8959ef19a5f8fc1c27b8e8eacea01572d44d3f6dff1f53b72c1b7cf153413a5152391a78b0d5bd624a4c5267381144 SHA512 7875eee0fb274545acb4d62f5bca808105580177db6007e59164fd57830ea3e8ab646b8e227027016bf8dd4816341d38a620bfef48bb0fd83de006b1a91826b7
+DIST containerd-2.0.2.tar.gz 10379986 BLAKE2B aee39f749f056965b899f6525bebe00d46b72b6c437efbd01ed890c5ae9c5d812464bc6d10e32aea20fd0c6df00d98cd30502dd73f9a27b0d8d143a5542976d9 SHA512 86eb24acfa5d4d87ae396f8888e2484693823fad897a29f1a5ada78e2318640927cfcff1e85415bfd6c66f5417e582203eb94976d52e3dd373997e6e2cbae354
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.1.ebuild
similarity index 85%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.1-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.1.ebuild
index cc7ea05162..82e4dbe7a8 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.1-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.1.ebuild
@@ -1,9 +1,9 @@
-# Copyright 2022-2023 Gentoo Authors
+# Copyright 2022-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module systemd
-GIT_REVISION=2806fc1057397dbaeefbea0e4e17bddfbd388f38
+GIT_REVISION=88aa2f531d6c2922003cc7929e51daf1c14caa0a
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
@@ -14,15 +14,19 @@ SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
-DEPEND="
+COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
-# recommended version of runc is found in script/setup/runc-version
+DEPEND="
+${COMMON_DEPEND}
+"
+
+# recommended minimum version of runc is found in script/setup/runc-version
RDEPEND="
- ${DEPEND}
- ~app-containers/runc-1.1.7[apparmor?,seccomp?]
+ ${COMMON_DEPEND}
+ >=app-containers/runc-1.2.1[apparmor?,seccomp?]
"
BDEPEND="
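Review bot: The runc constraint in RDEPEND changes from an exact `~app-containers/runc-1.1.7` pin to an open-ended `>=app-containers/runc-1.2.1`, so which runc is paired with containerd at runtime is now decided by whatever the tree provides rather than by this ebuild. If the image is meant to ship a tested containerd/runc pair, that pairing has to be enforced elsewhere, and a comment next to the dependency naming where would help, for example `# floor only; the shipped runc version is pinned in <placeholder: profile or mask file>`. The containerd-2.0.2.ebuild hunk makes the same change with `>=app-containers/runc-1.2.4`.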
@@ -69,7 +73,7 @@ src_compile() {
}
src_install() {
- rm "${D}"/bin/gen-manpages
+ rm bin/gen-manpages || die
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.23.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.2.ebuild
similarity index 85%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.23.ebuild
rename to sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.2.ebuild
index 0ad8bec307..37fb931e51 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.23.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.2.ebuild
@@ -1,9 +1,9 @@
-# Copyright 2022-2023 Gentoo Authors
+# Copyright 2022-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module systemd
-GIT_REVISION=9b2ad7760328148397346d10c7b2004271249db4
+GIT_REVISION=c507a0257ea6462fbd6f5ba4f5c74facb04021f4
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
@@ -14,15 +14,19 @@ SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
-DEPEND="
+COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
-# recommended version of runc is found in script/setup/runc-version
+DEPEND="
+${COMMON_DEPEND}
+"
+
+# recommended minimum version of runc is found in script/setup/runc-version
RDEPEND="
- ${DEPEND}
- ~app-containers/runc-1.1.14[apparmor?,seccomp?]
+ ${COMMON_DEPEND}
+ >=app-containers/runc-1.2.4[apparmor?,seccomp?]
"
BDEPEND="
@@ -69,7 +73,7 @@ src_compile() {
}
src_install() {
- rm "${D}"/bin/gen-manpages
+ rm bin/gen-manpages || die
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.confd b/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.confd
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.confd
rename to sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.confd
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.initd b/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.initd
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.initd
rename to sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.initd
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/containerd/metadata.xml
similarity index 89%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-containers/containerd/metadata.xml
index 5d63e8606e..4ee50fa856 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/metadata.xml
@@ -12,10 +12,6 @@
williamh@gentoo.org
William Hubbs
-
- gyakovlev@gentoo.org
- Georgy Yakovlev
-