From 90a59bdb6bfad816f1082ecdf2ac226ebdce09cc Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Thu, 2 Mar 2023 17:37:32 +0100
Subject: [PATCH 01/16] sys-devel/glibc: Fix CET handling

---
 .../sys-libs/glibc/glibc-2.36-r5.ebuild             | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
index 0163db33ee..05c1d5837f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
@@ -466,7 +466,18 @@ setup_flags() {
 	filter-flags '-fsanitize=*'
 
 	# See end of bug #830454; we handle this via USE=cet
-	filter-flags '-fcf-protection='
+	#
+	# Flatcar: When bootstrapping, we may have a situation where
+	# CET-enabled gcc from seed is used to build CET-disabled
+	# glibc. As such, gcc implicitly enables CET if no
+	# -fcf-protection flag is passed. For a typical package it
+	# should not be a problem, but for glibc it matters as it is
+	# dealing with CET in ld.so. So if CET is supposed to be
+	# disabled for glibc, be explicit about it.
+	filter-flags '-fcf-protection=*'
+	if ! use cet; then
+		append-flags '-fcf-protection=none'
+	fi
 }
 
 use_multiarch() {

From 6ec35a42af4fe69616bee0b6cca99f5e4acb5584 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 09:05:59 +0100
Subject: [PATCH 02/16] profiles: Unmask newer versions of sys-devel/gcc

CET issues in newer versions of gcc should be ironed out by now.
---
 .../coreos-overlay/profiles/coreos/base/package.mask         | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
index fada03a3d7..d1c5bff76f 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
@@ -21,8 +21,3 @@
 # Python 3.11 is stable in portage-stable, so avoid picking it
 # up. Drop this when we switch to it.
 >=dev-lang/python-3.11
-
-# sys-devel/gcc-11.3.1_p20230120-r1 is the latest stable gcc version
-# that fixes the CET build issue of glibc. There are newer versions of
-# gcc that are not tested enough for CET, so mask them.
->sys-devel/gcc-11.3.1_p20230120-r1

From f8f817adeb6c99bc8d864391ccb0d1c13e2621ad Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 09:07:10 +0100
Subject: [PATCH 03/16] coreos/user-patches: Drop patches for sys-devel/gcc

We are updating to gcc 12, where the issue should not be present any
more.
---
 .../sys-devel/gcc/0001-constexpr.patch             | 14 --------------
 .../coreos/user-patches/sys-devel/gcc/README.md    |  6 ------
 2 files changed, 20 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch
deleted file mode 100644
index 938b3d6ace..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-The constexpr keyword is missing for a function that was invoked from
-another constexpr function. Add the missing keyword.
-
---- a/libstdc++-v3/src/c++17/memory_resource.cc	2022-12-09 22:33:43.000000000 -0000
-+++ b/libstdc++-v3/src/c++17/memory_resource.cc	2023-01-25 13:14:24.025359063 -0000
-@@ -603,7 +603,7 @@
-     void* pointer = nullptr;
-     aligned_size<min> _M_size;
- 
--    size_t size() const noexcept
-+    constexpr size_t size() const noexcept
-     {
-       if (_M_size.value == size_t(-1)) [[unlikely]]
- 	return size_t(-1);
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md
deleted file mode 100644
index 9a331e1e86..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-Drop `0001-constexpr.patch` when not applicable any more. It's a weird
-issue, because building the same version of the compiler worked fine
-before. Maybe some patch from gcc patches is at fault here. Didn't
-investigate in hope that the issue is ephemeral. Some newer version of
-gcc is already marked as stable for both amd64 and arm64 in Gentoo, so
-this patch will most likely be dropped next week.

From 8c9b41bf0745b2094ed36bbf832b1962dd1013a9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 10:41:07 +0100
Subject: [PATCH 04/16] profiles: Add accept keywords for net-misc/curl

---
 .../profiles/coreos/base/package.accept_keywords               | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index fc335ed0ab..4b5e56b33f 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -22,6 +22,9 @@
 # Keep the version of bind-tools the same on all arches.
 =net-dns/bind-tools-9.16.36 ~arm64
 
+# Required for addressing CVE-2023-23914, CVE-2023-23915 and CVE-2023-23916.
+=net-misc/curl-7.88.1-r1 ~amd64 ~arm64
+
 # Required for addressing CVE-2022-29154
 =net-misc/rsync-3.2.7-r2 ~amd64 ~arm64
 

From de89c21023dd352edfa41b93dc057e088db3ff84 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 11:16:28 +0100
Subject: [PATCH 05/16] profiles: Drop accept keywords for net-dns/bind-tools

The updated package is stable for both amd64 and arm64.
---
 .../profiles/coreos/base/package.accept_keywords               | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 4b5e56b33f..a0568c0345 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -19,9 +19,6 @@
 
 =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64
 
-# Keep the version of bind-tools the same on all arches.
-=net-dns/bind-tools-9.16.36 ~arm64
-
 # Required for addressing CVE-2023-23914, CVE-2023-23915 and CVE-2023-23916.
 =net-misc/curl-7.88.1-r1 ~amd64 ~arm64
 

From 8238745831c62b8c01a2faf0dfb64425ea83c440 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 11:22:16 +0100
Subject: [PATCH 06/16] profiles: Add accept keywords for net-libs/gnutls

---
 .../profiles/coreos/base/package.accept_keywords               | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index a0568c0345..c3b60a2bc2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -19,6 +19,9 @@
 
 =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64
 
+# Required for addressing CVE-2023-0361.
+=net-libs/gnutls-3.8.0 ~amd64 ~arm64
+
 # Required for addressing CVE-2023-23914, CVE-2023-23915 and CVE-2023-23916.
 =net-misc/curl-7.88.1-r1 ~amd64 ~arm64
 

From 144badff7dc89eb345e15b08e9da690b11cfa6e0 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Tue, 28 Feb 2023 16:52:44 +0530
Subject: [PATCH 07/16] profiles: remove vim, vim-core keywords

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
 .../profiles/coreos/base/package.accept_keywords              | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index c3b60a2bc2..b565e47b99 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -7,10 +7,6 @@
 
 =app-arch/zstd-1.4.9 ~amd64 ~arm64
 
-# Necessary to fix CVE-2023-0049, CVE-2023-0051 and CVE-2023-0054.
-=app-editors/vim-9.0.1157 ~amd64 ~arm64
-=app-editors/vim-core-9.0.1157 ~amd64 ~arm64
-
 =coreos-devel/fero-client-0.1.1 **
 
 # Accept unstable host Rust compilers

From 18ea360d4ad3c66befbd158f15a9eb302270257d Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Tue, 28 Feb 2023 18:10:13 +0530
Subject: [PATCH 08/16] profiles: stabilize dev-python/cython amd64 to match
 version in both arch

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
 .../profiles/coreos/base/package.accept_keywords              | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index b565e47b99..5d8b43e5e4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -15,6 +15,10 @@
 
 =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64
 
+# upstream stabilizes arm64 for dev-lang/cython
+# stabilize dev-python/cython for amd64 to keep the version same for both arch
+=dev-python/cython-0.29.33 ~amd64
+
 # Required for addressing CVE-2023-0361.
 =net-libs/gnutls-3.8.0 ~amd64 ~arm64
 

From fd5306a64453f1da8835eb5a7238fd49d64b9a69 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 14:13:44 +0100
Subject: [PATCH 09/16] profiles: Add accept keywords for dev-lang/python

---
 .../profiles/coreos/base/package.accept_keywords               | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 5d8b43e5e4..d93ec71358 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -9,6 +9,9 @@
 
 =coreos-devel/fero-client-0.1.1 **
 
+# Keep versions even for both arches
+=dev-lang/python-3.10.10_p2 ~arm64
+
 # Accept unstable host Rust compilers
 =dev-lang/rust-1.67.1 ~amd64 ~arm64
 =virtual/rust-1.67.1 ~amd64 ~arm64

From 9750e129d5a7d80e12fd9bba1859dacd85832c20 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 14:43:37 +0100
Subject: [PATCH 10/16] dev-lang/python-oem: Update to 3.10.10_p2

So we have matching versions of python in OEM and SDK.
---
 .../dev-lang/python-oem/Manifest              |   6 +-
 .../dev-lang/python-oem/README.md             |  45 -----
 ...r1.ebuild => python-oem-3.10.10_p2.ebuild} | 161 ++++++++++--------
 3 files changed, 97 insertions(+), 115 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
 rename sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/{python-oem-3.10.9-r1.ebuild => python-oem-3.10.10_p2.ebuild} (74%)

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/Manifest
index 5cebbd8384..a60f8dcf2a 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/Manifest
@@ -1,3 +1,3 @@
-DIST Python-3.10.9.tar.xz 19612112 BLAKE2B ef2d063a9fbaf234aa4a47149cb184a0379dc403515df10249104a5092750cdaf22ad47916d34e17dd68fff1c30338c0375f4e4e3cc9bde33e0896c1c3ba655b SHA512 d66ea8adeb6dc4951e612175f8838b3092967ff275b7a3470f2d86f470036aa2221e722c3144d90bcd230b88efd53dde204213f72f703e524e4b833e2ccc68e2
-DIST Python-3.10.9.tar.xz.asc 833 BLAKE2B 8895c6cb5031b2463cc6ba3e0dc56bee40c2e99117c062f9c72f2b7adb0d5a49782b968abfc764117e8513bd12816915245677c25b1710e3dae3c9e26937c2b9 SHA512 525e166ede6836086de814c26fc880f41eaf1ed4bff6118f00342e42f7ab1c47148447ced1b565e146d3125fa06b5cd6b394a256bc61096766b26e07f18bbf10
-DIST python-gentoo-patches-3.10.9.tar.xz 12216 BLAKE2B ced4f951089c51ddaab6c62ade9d2c84f69e7e1baf2acf5247559534c7d0fb0e88dca1222f5bd2209b4e61f5aca17279b8054f269535dbc10de0786c2c5779f5 SHA512 2d01f0f3831beeba004517bb82f7d616f25f08e5c755409ecff79cd68e0a619b5bf6802fffd0e5f7f39f1d9d93e65b018b91cdeb337a5e47f1651f36bea0e96e
+DIST Python-3.10.10.tar.xz 19627028 BLAKE2B 57fc6869fa05586158a170c1892d93a3036823bfafb9484b9d70bca6cdc3e76f75357622eace4bde9a4c0ca62a1bb79665e5751b41655f9f4d7e345547013ad8 SHA512 f0aee65970a68287b34c4eafcf35c6fa09c81ba234ac356db16fbbc6c36417e4ac67071e616d118f5e192d541d7f177dcab5585b9780e842f656c09e01c37ced
+DIST Python-3.10.10.tar.xz.asc 833 BLAKE2B fd60e6268f7dd6676ea58bd7e80c513506ac9810c1a62ff060134207b0fd8e7b096d5f11f3cc536a1578144ff54c00bcb076d3c3f5889a69a898660dd280312b SHA512 591746d74c6123bf36c763b6e8e1de1554f02eeff30c855623ef0f12d3864d5573eb5efe96d6e142f24627c77b90738ada3456df4ad59bddcb008658f2ca8af9
+DIST python-gentoo-patches-3.10.10_p2.tar.xz 13992 BLAKE2B e18e708888dd28c8f238d4897aff79483a679396a168d8b5ff4f5e8c7f09cec5f1b13aeb327d3dc3e2149c2117c25da050987f1f1c3322b56c87245ba2d0b54d SHA512 14bc218a2f3c64ef9f42682fd1364208bcaa74f787dee39bd9566e40764c260a65fd42961be47a6e6c6227091cb2fef83e1d689302448647560689e20e07efe0
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
deleted file mode 100644
index 12b071faeb..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-Modifications made:
-
-- Keep using internal expat and libffi, thus dropping dev-libs/libffi
-  and dev-libs/expat from the dependencies.
-
-- Drop dev-python/gentoo-common dependency, it provides the
-  EXTERNALLY-MANAGED file, but we will provide our own.
-
-- Since this package is installed only for OEM partition as a binary
-  package, and the installation there happens after the packages
-  database is removed, we unset the RDEPEND variable. The RDEPEND
-  variable needs to be empty as it's also used during the binary
-  package installation. The contents of RDEPEND are already inside the
-  DEPEND variable, so we are safe.
-
-- We modify the configure flags:
-
-  - Add `--prefix=/usr/share/oem/python` as `/usr/share/oem` is where
-    the OEM partition is mounted.
-
-  - Add `--with-platlibdir="$(get_libdir)"`, this is to make sure that
-    consistent library directory gets picked. In our case for both
-    amd64 and arm64, it's lib64.
-
-  - Change `--enable-shared` to `--disable-shared`. This will skip
-    building dynamic libraries, as we don't need them.
-
-  - Add `--includedir=/discard/include` and change `--mandir` and
-    `--infodir` to also use `/discard` to install files there. Makes
-    it easy to remove the unnecessary files.
-
-  - We disable loadable sqlite extensions.
-
-  - As we want to use the internal versions of expat and libffi, we
-    change `--with-system-{expat,ffi}` to
-    `--without-system-{expat,ffi}`.
-
-  - Comment out the `--with-wheel-pkg-dir` as it's some ensurepip
-    stuff we are disabling anyway.
-
-- Essentially drop `src_install` and write our own variant, where we
-  run `make altinstall`, remove unnecessary files (the original
-  `src_install` could be read to find out which files to remove),
-  creates a versionless python symlink, adds an EXTERNALLY-MANAGED
-  file, and removes the `/discard` directory.
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.9-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
similarity index 74%
rename from sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.9-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
index 25cd1da064..fd104f5ca5 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.9-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
@@ -28,7 +28,7 @@ S="${WORKDIR}/${MY_P}"
 
 LICENSE="PSF-2"
 SLOT="${PYVER}"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="
 	bluetooth build +ensurepip examples gdbm hardened libedit lto
 	+ncurses pgo +readline +sqlite +ssl test tk valgrind +xml
@@ -40,13 +40,11 @@ RESTRICT="!test? ( test )"
 # run the bootstrap code on your dev box and include the results in the
 # patchset. See bug 447752.
 
-# Flatcar: Drop a dependency on dev-libs/expat, we will use the internal one.
-# Flatcar: Drop a dependency on dev-libs/libffi, we will use the internal one.
-# Flatcar: Drop a dependency on dev-python/gentoo-common, we will install our own EXTERNALLY-MANAGED file
 RDEPEND="
 	app-arch/bzip2:=
 	app-arch/xz-utils:=
 	dev-lang/python-exec[python_targets_python3_10(-)]
+	dev-libs/libffi:=
 	dev-python/gentoo-common
 	sys-apps/util-linux:=
 	>=sys-libs/zlib-1.1.3:=
@@ -67,6 +65,7 @@ RDEPEND="
 		dev-tcltk/blt:=
 		dev-tcltk/tix
 	)
+	xml? ( >=dev-libs/expat-2.1:= )
 	!!<sys-apps/sandbox-2.21
 "
 # bluetooth requires headers from bluez
@@ -87,11 +86,6 @@ RDEPEND+="
 	!build? ( app-misc/mime-types )
 "
 
-# Flatcar: Unset RDEPEND, DEPEND already contains it. OEM packages are
-# installed after production images are pruned of the previously
-# installed package database.
-unset RDEPEND
-
 VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc
 
 # large file tests involve a 2.5G file being copied (duplicated)
@@ -115,11 +109,9 @@ src_unpack() {
 }
 
 src_prepare() {
-	# Flatcar: We keep the internal expat copy.
-	# Flatcar: We keep the internal libffi copy.
-	# # Ensure that internal copies of expat and libffi are not used.
-	# rm -r Modules/expat || die
-	# rm -r Modules/_ctypes/libffi* || die
+	# Ensure that internal copies of expat and libffi are not used.
+	rm -r Modules/expat || die
+	rm -r Modules/_ctypes/libffi* || die
 
 	local PATCHES=(
 		"${WORKDIR}/${PATCHSET}"
@@ -215,37 +207,19 @@ src_configure() {
 		# a chance for users rebuilding python before glibc
 		ac_cv_header_stropts_h=no
 
-		# Flatcar: Use oem-specific prefix.
-		--prefix=/usr/share/oem/python
-		# Flatcar: Make sure we put libs into a correct subdirectory.
-		--with-platlibdir="$(get_libdir)"
-		# Flatcar: No need for shared libs.
-		# --enable-shared
-		--disable-shared
+		--enable-shared
 		--without-static-libpython
 		--enable-ipv6
-		# Flatcar: Set includedir to discardable directory
-		--includedir='/discard/include'
-		# Flatcar: Set infodir and mandir to discardable directory
-		# --infodir='/${prefix}/share/info'
-		# --mandir='/${prefix}/share/man'
-		--infodir='/discard/info'
-		--mandir='/discard/man'
+		--infodir='${prefix}/share/info'
+		--mandir='${prefix}/share/man'
 		--with-computed-gotos
 		--with-dbmliborder="${dbmliborder}"
 		--with-libc=
-		# Flatcar: No need for loadable extensions.
-		# --enable-loadable-sqlite-extensions
-		--disable-loadable-sqlite-extensions
+		--enable-loadable-sqlite-extensions
 		--without-ensurepip
-		# Flatcar: We use internal expat
-		# --with-system-expat
-		--without-system-expat
-		# Flatcar: We use internal ffi
-		# --with-system-ffi
-		--without-system-ffi
-		# Flatcar: It's for ensurepip, which we disable
-		# --with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip
+		--with-system-expat
+		--with-system-ffi
+		--with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip
 
 		$(use_with lto)
 		$(use_enable pgo optimizations)
@@ -421,39 +395,92 @@ src_test() {
 	[[ ${ret} -eq 0 ]] || die "emake test failed"
 }
 
-# Flatcar: Rewrite src_install to just run make altinstall, remove
-# some installed files (refer to the original src_install to see which
-# files to drop), adding symlinks and the EXTERNALLY-MANAGED file, and
-# removing the /discard directory.
 src_install() {
-	local prefix=/usr/share/oem/python
-	local eprefix="${ED}${prefix}"
-        local libdir="${prefix}/$(get_libdir)"
-	local elibdir="${eprefix}/$(get_libdir)"
-	local pythonplatlibdir="${libdir}/python${PYVER}"
-	local epythonplatlibdir="${elibdir}/python${PYVER}"
-	local bindir="${prefix}/bin"
-	local ebindir="${eprefix}/bin"
+	local libdir=${ED}/usr/lib/python${PYVER}
 
 	emake DESTDIR="${D}" altinstall
 
-	rm -r "${epythonplatlibdir}"/ensurepip || die
-	rm -r "${epythonplatlibdir}/"{sqlite3,test/test_sqlite*} || die
-	rm -r "${ebindir}/idle${PYVER}" || die
-	rm -r "${epythonplatlibdir}/"{idlelib,tkinter,test/test_tk*} || die
+	# Fix collisions between different slots of Python.
+	rm "${ED}/usr/$(get_libdir)/libpython3.so" || die
 
-	# create a simple versionless 'python' symlink
-	dosym "python${PYVER}" "${bindir}/python"
-	dosym "python${PYVER}" "${bindir}/python3"
+	# Cheap hack to get version with ABIFLAGS
+	local abiver=$(cd "${ED}/usr/include"; echo python*)
+	if [[ ${abiver} != python${PYVER} ]]; then
+		# Replace python3.X with a symlink to python3.Xm
+		rm "${ED}/usr/bin/python${PYVER}" || die
+		dosym "${abiver}" "/usr/bin/python${PYVER}"
+		# Create python3.X-config symlink
+		dosym "${abiver}-config" "/usr/bin/python${PYVER}-config"
+		# Create python-3.5m.pc symlink
+		dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc"
+	fi
 
-	insinto "${pythonplatlibdir}"
-	# https://peps.python.org/pep-0668/
-	newins - EXTERNALLY-MANAGED <<-EOF
-		[externally-managed]
-		Error=
-		 Please contact Flatcar maintainers if some python package
-		 is necessary for this OEM image.
+	# python seems to get rebuilt in src_install (bug 569908)
+	# Work around it for now.
+	if has_version dev-libs/libffi[pax-kernel]; then
+		pax-mark E "${ED}/usr/bin/${abiver}"
+	else
+		pax-mark m "${ED}/usr/bin/${abiver}"
+	fi
+
+	rm -r "${libdir}"/ensurepip/_bundled || die
+	if ! use ensurepip; then
+		rm -r "${libdir}"/ensurepip || die
+	fi
+	if ! use sqlite; then
+		rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die
+	fi
+	if ! use tk; then
+		rm -r "${ED}/usr/bin/idle${PYVER}" || die
+		rm -r "${libdir}/"{idlelib,tkinter,test/test_tk*} || die
+	fi
+
+	ln -s ../python/EXTERNALLY-MANAGED "${libdir}/EXTERNALLY-MANAGED" || die
+
+	dodoc Misc/{ACKS,HISTORY,NEWS}
+
+	if use examples; then
+		docinto examples
+		find Tools -name __pycache__ -exec rm -fr {} + || die
+		dodoc -r Tools
+	fi
+	insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510
+	local libname=$(
+		printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' |
+		emake --no-print-directory -s -f - 2>/dev/null
+	)
+	newins Tools/gdb/libpython.py "${libname}"-gdb.py
+
+	newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER}
+	newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER}
+	sed \
+		-e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \
+		-e "s:@PYDOC@:pydoc${PYVER}:" \
+		-i "${ED}/etc/conf.d/pydoc-${PYVER}" \
+		"${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed"
+
+	# python-exec wrapping support
+	local pymajor=${PYVER%.*}
+	local EPYTHON=python${PYVER}
+	local scriptdir=${D}$(python_get_scriptdir)
+	mkdir -p "${scriptdir}" || die
+	# python and pythonX
+	ln -s "../../../bin/${abiver}" "${scriptdir}/python${pymajor}" || die
+	ln -s "python${pymajor}" "${scriptdir}/python" || die
+	# python-config and pythonX-config
+	# note: we need to create a wrapper rather than symlinking it due
+	# to some random dirname(argv[0]) magic performed by python-config
+	cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die
+		#!/bin/sh
+		exec "${abiver}-config" "\${@}"
 	EOF
-
-	rm -r "${ED}/discard" || die
+	chmod +x "${scriptdir}/python${pymajor}-config" || die
+	ln -s "python${pymajor}-config" "${scriptdir}/python-config" || die
+	# 2to3, pydoc
+	ln -s "../../../bin/2to3-${PYVER}" "${scriptdir}/2to3" || die
+	ln -s "../../../bin/pydoc${PYVER}" "${scriptdir}/pydoc" || die
+	# idle
+	if use tk; then
+		ln -s "../../../bin/idle${PYVER}" "${scriptdir}/idle" || die
+	fi
 }

From 158d5116a8679e2fe7f8775387ec8ac701d91978 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Thu, 2 Feb 2023 17:01:38 +0100
Subject: [PATCH 11/16] dev-lang/python-oem: Apply Flatcar modifications

I changed the way we modify the ebuild by keeping the modifications as
minimal as possible, leaving disabling whatever that can be disabled
to the USE flags.
---
 .../dev-lang/python-oem/README.md             |  45 +++++
 .../python-oem/python-oem-3.10.10_p2.ebuild   | 159 ++++++++----------
 2 files changed, 111 insertions(+), 93 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
new file mode 100644
index 0000000000..12b071faeb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md
@@ -0,0 +1,45 @@
+Modifications made:
+
+- Keep using internal expat and libffi, thus dropping dev-libs/libffi
+  and dev-libs/expat from the dependencies.
+
+- Drop dev-python/gentoo-common dependency, it provides the
+  EXTERNALLY-MANAGED file, but we will provide our own.
+
+- Since this package is installed only for OEM partition as a binary
+  package, and the installation there happens after the packages
+  database is removed, we unset the RDEPEND variable. The RDEPEND
+  variable needs to be empty as it's also used during the binary
+  package installation. The contents of RDEPEND are already inside the
+  DEPEND variable, so we are safe.
+
+- We modify the configure flags:
+
+  - Add `--prefix=/usr/share/oem/python` as `/usr/share/oem` is where
+    the OEM partition is mounted.
+
+  - Add `--with-platlibdir="$(get_libdir)"`, this is to make sure that
+    consistent library directory gets picked. In our case for both
+    amd64 and arm64, it's lib64.
+
+  - Change `--enable-shared` to `--disable-shared`. This will skip
+    building dynamic libraries, as we don't need them.
+
+  - Add `--includedir=/discard/include` and change `--mandir` and
+    `--infodir` to also use `/discard` to install files there. Makes
+    it easy to remove the unnecessary files.
+
+  - We disable loadable sqlite extensions.
+
+  - As we want to use the internal versions of expat and libffi, we
+    change `--with-system-{expat,ffi}` to
+    `--without-system-{expat,ffi}`.
+
+  - Comment out the `--with-wheel-pkg-dir` as it's some ensurepip
+    stuff we are disabling anyway.
+
+- Essentially drop `src_install` and write our own variant, where we
+  run `make altinstall`, remove unnecessary files (the original
+  `src_install` could be read to find out which files to remove),
+  creates a versionless python symlink, adds an EXTERNALLY-MANAGED
+  file, and removes the `/discard` directory.
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
index fd104f5ca5..a724285250 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.10.10_p2.ebuild
@@ -40,11 +40,13 @@ RESTRICT="!test? ( test )"
 # run the bootstrap code on your dev box and include the results in the
 # patchset. See bug 447752.
 
+# Flatcar: Drop a dependency on dev-libs/expat, we will use the internal one.
+# Flatcar: Drop a dependency on dev-libs/libffi, we will use the internal one.
+# Flatcar: Drop a dependency on dev-python/gentoo-common, we will install our own EXTERNALLY-MANAGED file
 RDEPEND="
 	app-arch/bzip2:=
 	app-arch/xz-utils:=
 	dev-lang/python-exec[python_targets_python3_10(-)]
-	dev-libs/libffi:=
 	dev-python/gentoo-common
 	sys-apps/util-linux:=
 	>=sys-libs/zlib-1.1.3:=
@@ -65,7 +67,6 @@ RDEPEND="
 		dev-tcltk/blt:=
 		dev-tcltk/tix
 	)
-	xml? ( >=dev-libs/expat-2.1:= )
 	!!<sys-apps/sandbox-2.21
 "
 # bluetooth requires headers from bluez
@@ -86,6 +87,11 @@ RDEPEND+="
 	!build? ( app-misc/mime-types )
 "
 
+# Flatcar: Unset RDEPEND, DEPEND already contains it. OEM packages are
+# installed after production images are pruned of the previously
+# installed package database.
+unset RDEPEND
+
 VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc
 
 # large file tests involve a 2.5G file being copied (duplicated)
@@ -109,9 +115,11 @@ src_unpack() {
 }
 
 src_prepare() {
-	# Ensure that internal copies of expat and libffi are not used.
-	rm -r Modules/expat || die
-	rm -r Modules/_ctypes/libffi* || die
+	# Flatcar: We keep the internal expat copy.
+	# Flatcar: We keep the internal libffi copy.
+	# # Ensure that internal copies of expat and libffi are not used.
+	# rm -r Modules/expat || die
+	# rm -r Modules/_ctypes/libffi* || die
 
 	local PATCHES=(
 		"${WORKDIR}/${PATCHSET}"
@@ -207,19 +215,37 @@ src_configure() {
 		# a chance for users rebuilding python before glibc
 		ac_cv_header_stropts_h=no
 
-		--enable-shared
+		# Flatcar: Use oem-specific prefix.
+		--prefix=/usr/share/oem/python
+		# Flatcar: Make sure we put libs into a correct subdirectory.
+		--with-platlibdir="$(get_libdir)"
+		# Flatcar: No need for shared libs.
+		# --enable-shared
+		--disable-shared
 		--without-static-libpython
 		--enable-ipv6
-		--infodir='${prefix}/share/info'
-		--mandir='${prefix}/share/man'
+		# Flatcar: Set includedir to discardable directory
+		--includedir='/discard/include'
+		# Flatcar: Set infodir and mandir to discardable directory
+		# --infodir='/${prefix}/share/info'
+		# --mandir='/${prefix}/share/man'
+		--infodir='/discard/info'
+		--mandir='/discard/man'
 		--with-computed-gotos
 		--with-dbmliborder="${dbmliborder}"
 		--with-libc=
-		--enable-loadable-sqlite-extensions
+		# Flatcar: No need for loadable extensions.
+		# --enable-loadable-sqlite-extensions
+		--disable-loadable-sqlite-extensions
 		--without-ensurepip
-		--with-system-expat
-		--with-system-ffi
-		--with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip
+		# Flatcar: We use internal expat
+		# --with-system-expat
+		--without-system-expat
+		# Flatcar: We use internal ffi
+		# --with-system-ffi
+		--without-system-ffi
+		# Flatcar: It's for ensurepip, which we disable
+		# --with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip
 
 		$(use_with lto)
 		$(use_enable pgo optimizations)
@@ -395,92 +421,39 @@ src_test() {
 	[[ ${ret} -eq 0 ]] || die "emake test failed"
 }
 
+# Flatcar: Rewrite src_install to just run make altinstall, remove
+# some installed files (refer to the original src_install to see which
+# files to drop), adding symlinks and the EXTERNALLY-MANAGED file, and
+# removing the /discard directory.
 src_install() {
-	local libdir=${ED}/usr/lib/python${PYVER}
+	local prefix=/usr/share/oem/python
+	local eprefix="${ED}${prefix}"
+        local libdir="${prefix}/$(get_libdir)"
+	local elibdir="${eprefix}/$(get_libdir)"
+	local pythonplatlibdir="${libdir}/python${PYVER}"
+	local epythonplatlibdir="${elibdir}/python${PYVER}"
+	local bindir="${prefix}/bin"
+	local ebindir="${eprefix}/bin"
 
 	emake DESTDIR="${D}" altinstall
 
-	# Fix collisions between different slots of Python.
-	rm "${ED}/usr/$(get_libdir)/libpython3.so" || die
+	rm -r "${epythonplatlibdir}"/ensurepip || die
+	rm -r "${epythonplatlibdir}/"{sqlite3,test/test_sqlite*} || die
+	rm -r "${ebindir}/idle${PYVER}" || die
+	rm -r "${epythonplatlibdir}/"{idlelib,tkinter,test/test_tk*} || die
 
-	# Cheap hack to get version with ABIFLAGS
-	local abiver=$(cd "${ED}/usr/include"; echo python*)
-	if [[ ${abiver} != python${PYVER} ]]; then
-		# Replace python3.X with a symlink to python3.Xm
-		rm "${ED}/usr/bin/python${PYVER}" || die
-		dosym "${abiver}" "/usr/bin/python${PYVER}"
-		# Create python3.X-config symlink
-		dosym "${abiver}-config" "/usr/bin/python${PYVER}-config"
-		# Create python-3.5m.pc symlink
-		dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc"
-	fi
+	# create a simple versionless 'python' symlink
+	dosym "python${PYVER}" "${bindir}/python"
+	dosym "python${PYVER}" "${bindir}/python3"
 
-	# python seems to get rebuilt in src_install (bug 569908)
-	# Work around it for now.
-	if has_version dev-libs/libffi[pax-kernel]; then
-		pax-mark E "${ED}/usr/bin/${abiver}"
-	else
-		pax-mark m "${ED}/usr/bin/${abiver}"
-	fi
-
-	rm -r "${libdir}"/ensurepip/_bundled || die
-	if ! use ensurepip; then
-		rm -r "${libdir}"/ensurepip || die
-	fi
-	if ! use sqlite; then
-		rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die
-	fi
-	if ! use tk; then
-		rm -r "${ED}/usr/bin/idle${PYVER}" || die
-		rm -r "${libdir}/"{idlelib,tkinter,test/test_tk*} || die
-	fi
-
-	ln -s ../python/EXTERNALLY-MANAGED "${libdir}/EXTERNALLY-MANAGED" || die
-
-	dodoc Misc/{ACKS,HISTORY,NEWS}
-
-	if use examples; then
-		docinto examples
-		find Tools -name __pycache__ -exec rm -fr {} + || die
-		dodoc -r Tools
-	fi
-	insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510
-	local libname=$(
-		printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' |
-		emake --no-print-directory -s -f - 2>/dev/null
-	)
-	newins Tools/gdb/libpython.py "${libname}"-gdb.py
-
-	newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER}
-	newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER}
-	sed \
-		-e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \
-		-e "s:@PYDOC@:pydoc${PYVER}:" \
-		-i "${ED}/etc/conf.d/pydoc-${PYVER}" \
-		"${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed"
-
-	# python-exec wrapping support
-	local pymajor=${PYVER%.*}
-	local EPYTHON=python${PYVER}
-	local scriptdir=${D}$(python_get_scriptdir)
-	mkdir -p "${scriptdir}" || die
-	# python and pythonX
-	ln -s "../../../bin/${abiver}" "${scriptdir}/python${pymajor}" || die
-	ln -s "python${pymajor}" "${scriptdir}/python" || die
-	# python-config and pythonX-config
-	# note: we need to create a wrapper rather than symlinking it due
-	# to some random dirname(argv[0]) magic performed by python-config
-	cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die
-		#!/bin/sh
-		exec "${abiver}-config" "\${@}"
+	insinto "${pythonplatlibdir}"
+	# https://peps.python.org/pep-0668/
+	newins - EXTERNALLY-MANAGED <<-EOF
+		[externally-managed]
+		Error=
+		 Please contact Flatcar maintainers if some python package
+		 is necessary for this OEM image.
 	EOF
-	chmod +x "${scriptdir}/python${pymajor}-config" || die
-	ln -s "python${pymajor}-config" "${scriptdir}/python-config" || die
-	# 2to3, pydoc
-	ln -s "../../../bin/2to3-${PYVER}" "${scriptdir}/2to3" || die
-	ln -s "../../../bin/pydoc${PYVER}" "${scriptdir}/pydoc" || die
-	# idle
-	if use tk; then
-		ln -s "../../../bin/idle${PYVER}" "${scriptdir}/idle" || die
-	fi
+
+	rm -r "${ED}/discard" || die
 }

From 1e90ea69183c461ba5bc96d034226dd3c06ea072 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 28 Feb 2023 14:53:39 +0100
Subject: [PATCH 12/16] profiles: Add accept keywords for dev-lang/python-oem

---
 .../coreos-overlay/profiles/coreos/base/package.accept_keywords  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index d93ec71358..d6b9a12413 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -11,6 +11,7 @@
 
 # Keep versions even for both arches
 =dev-lang/python-3.10.10_p2 ~arm64
+=dev-lang/python-oem-3.10.10_p2 ~arm64
 
 # Accept unstable host Rust compilers
 =dev-lang/rust-1.67.1 ~amd64 ~arm64

From 421013836be7d3d8e09ef807c1954e0e0cf0f391 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 1 Mar 2023 10:32:51 +0100
Subject: [PATCH 13/16] sys-apps/texinfo: Move to portage-stable

The modifications we have made were pointless.
---
 .../coreos-overlay/sys-apps/texinfo/Manifest  |   1 -
 .../coreos-overlay/sys-apps/texinfo/README.md |   5 -
 .../texinfo/files/flatcar-modifications.patch |  26 ---
 .../texinfo-6.8-undo-gnulib-nonnul.patch      | 186 ------------------
 .../sys-apps/texinfo/metadata.xml             |  18 --
 .../sys-apps/texinfo/texinfo-6.8.ebuild       |  75 -------
 6 files changed, 311 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/Manifest
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/README.md
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/flatcar-modifications.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/texinfo-6.8-undo-gnulib-nonnul.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/metadata.xml
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/texinfo-6.8.ebuild

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/Manifest
deleted file mode 100644
index b6017de329..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST texinfo-6.8.tar.gz 10119420 BLAKE2B df9dc1698e7bb4f7c97ba4d44b08631502e3f997b91169ae64161b69701fbb0f85c82295ef6867e716a0addfd7c5677e14079645b167bd74933a0153fee92200 SHA512 f46dfb1c0f324a9c54959a8f256f0dcb8aaa59caccb0f027a5ee39a173b6e51a31a488f9d787707e7aa8401a439b2a01a1f3022dbae24ef377a1c021c1ebeb37
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/README.md b/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/README.md
deleted file mode 100644
index 12d10ae14a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-We keep this package in overlay, because we need CCACHE_DIR for tool
-build, so we need to modify the configure.ac script and run autoreconf
-again. We also skip building doc, man and js for main build.
-
-There wasn't too much information about the reasons for the changes.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/flatcar-modifications.patch
deleted file mode 100644
index f771766217..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/flatcar-modifications.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -ur texinfo-6.8/Makefile.am texinfo-6.8-patched/Makefile.am
---- texinfo-6.8/Makefile.am	2021-02-16 21:07:41.000000000 +0000
-+++ texinfo-6.8-patched/Makefile.am	2021-09-21 11:05:15.495497278 +0000
-@@ -62,9 +62,7 @@
-   SUBDIRS += info
- endif
- endif
--  SUBDIRS += install-info po po_document tp Pod-Simple-Texinfo texindex util \
--             doc man
--  SUBDIRS += js
-+  SUBDIRS += install-info po po_document tp Pod-Simple-Texinfo texindex util
- endif
- 
- distclean-local:
-diff -ur texinfo-6.8/configure.ac texinfo-6.8-patched/configure.ac
---- texinfo-6.8/configure.ac	2021-07-03 09:12:42.000000000 +0000
-+++ texinfo-6.8-patched/configure.ac	2021-09-21 11:03:11.238623956 +0000
-@@ -192,7 +192,7 @@
-   # env -i gives this build host configure a clean environment;
-   # consequently, we have to re-initialize $PATH.
-   env -i CC="$BUILD_CC" AR="$BUILD_AR" RANLIB="$BUILD_RANLIB" \
--      PATH="$PATH" \
-+      PATH="$PATH" CCACHE_DIR="$CCACHE_DIR" \
-       tools_only=1 \
-     ${confdir}/configure --build=${build} --host=${build} \
-                          --disable-rpath --disable-nls
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/texinfo-6.8-undo-gnulib-nonnul.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/texinfo-6.8-undo-gnulib-nonnul.patch
deleted file mode 100644
index 60f2e63b7c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/files/texinfo-6.8-undo-gnulib-nonnul.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-
-Patch by Vitezslav Crhonek <vcrhonek@redhat.com>
-Source: https://src.fedoraproject.org/rpms/texinfo/c/9b2cca4817fa4bd8d520fed05e9560fc7183dcdf?branch=rawhide
-
-diff -up texinfo-6.8/gnulib/lib/cdefs.h.orig texinfo-6.8/gnulib/lib/cdefs.h
---- texinfo-6.8/gnulib/lib/cdefs.h.orig	2021-03-11 19:57:53.000000000 +0100
-+++ texinfo-6.8/gnulib/lib/cdefs.h	2021-07-19 12:26:46.985176475 +0200
-@@ -321,15 +321,15 @@
- 
- /* The nonnull function attribute marks pointer parameters that
-    must not be NULL.  */
--#ifndef __attribute_nonnull__
-+#ifndef __nonnull
- # if __GNUC_PREREQ (3,3) || __glibc_has_attribute (__nonnull__)
--#  define __attribute_nonnull__(params) __attribute__ ((__nonnull__ params))
-+#  define __nonnull(params) __attribute__ ((__nonnull__ params))
- # else
--#  define __attribute_nonnull__(params)
-+#  define __nonnull(params)
- # endif
--#endif
--#ifndef __nonnull
--# define __nonnull(params) __attribute_nonnull__ (params)
-+#elif !defined __GLIBC__
-+# undef __nonnull
-+# define __nonnull(params) _GL_ATTRIBUTE_NONNULL (params)
- #endif
- 
- /* If fortification mode, we warn about unused results of certain
-diff -up texinfo-6.8/gnulib/lib/libc-config.h.orig texinfo-6.8/gnulib/lib/libc-config.h
---- texinfo-6.8/gnulib/lib/libc-config.h.orig	2021-03-11 19:57:54.000000000 +0100
-+++ texinfo-6.8/gnulib/lib/libc-config.h	2021-07-19 12:27:58.810590975 +0200
-@@ -33,9 +33,9 @@
- #include <config.h>
- 
- /* On glibc this includes <features.h> and <sys/cdefs.h> and #defines
--   _FEATURES_H, __WORDSIZE, and __set_errno.  On FreeBSD 11 and
--   DragonFlyBSD 5.9 it includes <sys/cdefs.h> which defines __nonnull.
--   Elsewhere it is harmless.  */
-+   _FEATURES_H, __WORDSIZE, and __set_errno.  On FreeBSD 11 it
-+   includes <sys/cdefs.h> which defines __nonnull.  Elsewhere it
-+   is harmless.  */
- #include <errno.h>
- 
- /* From glibc <errno.h>.  */
-diff -up texinfo-6.8/gnulib/lib/malloc/dynarray-skeleton.c.orig texinfo-6.8/gnulib/lib/malloc/dynarray-skeleton.c
---- texinfo-6.8/gnulib/lib/malloc/dynarray-skeleton.c.orig	2021-03-11 19:57:54.000000000 +0100
-+++ texinfo-6.8/gnulib/lib/malloc/dynarray-skeleton.c	2021-07-19 12:24:46.878419397 +0200
-@@ -192,7 +192,7 @@ DYNARRAY_NAME (free__array__) (struct DY
- 
- /* Initialize a dynamic array object.  This must be called before any
-    use of the object.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static void
- DYNARRAY_NAME (init) (struct DYNARRAY_STRUCT *list)
- {
-@@ -202,7 +202,7 @@ DYNARRAY_NAME (init) (struct DYNARRAY_ST
- }
- 
- /* Deallocate the dynamic array and its elements.  */
--__attribute_maybe_unused__ __attribute_nonnull__ ((1))
-+__attribute_maybe_unused__ __nonnull ((1))
- static void
- DYNARRAY_FREE (struct DYNARRAY_STRUCT *list)
- {
-@@ -213,7 +213,7 @@ DYNARRAY_FREE (struct DYNARRAY_STRUCT *l
- }
- 
- /* Return true if the dynamic array is in an error state.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static inline bool
- DYNARRAY_NAME (has_failed) (const struct DYNARRAY_STRUCT *list)
- {
-@@ -222,7 +222,7 @@ DYNARRAY_NAME (has_failed) (const struct
- 
- /* Mark the dynamic array as failed.  All elements are deallocated as
-    a side effect.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static void
- DYNARRAY_NAME (mark_failed) (struct DYNARRAY_STRUCT *list)
- {
-@@ -236,7 +236,7 @@ DYNARRAY_NAME (mark_failed) (struct DYNA
- 
- /* Return the number of elements which have been added to the dynamic
-    array.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static inline size_t
- DYNARRAY_NAME (size) (const struct DYNARRAY_STRUCT *list)
- {
-@@ -245,7 +245,7 @@ DYNARRAY_NAME (size) (const struct DYNAR
- 
- /* Return a pointer to the array element at INDEX.  Terminate the
-    process if INDEX is out of bounds.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static inline DYNARRAY_ELEMENT *
- DYNARRAY_NAME (at) (struct DYNARRAY_STRUCT *list, size_t index)
- {
-@@ -257,7 +257,7 @@ DYNARRAY_NAME (at) (struct DYNARRAY_STRU
- /* Return a pointer to the first array element, if any.  For a
-    zero-length array, the pointer can be NULL even though the dynamic
-    array has not entered the failure state.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static inline DYNARRAY_ELEMENT *
- DYNARRAY_NAME (begin) (struct DYNARRAY_STRUCT *list)
- {
-@@ -267,7 +267,7 @@ DYNARRAY_NAME (begin) (struct DYNARRAY_S
- /* Return a pointer one element past the last array element.  For a
-    zero-length array, the pointer can be NULL even though the dynamic
-    array has not entered the failure state.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static inline DYNARRAY_ELEMENT *
- DYNARRAY_NAME (end) (struct DYNARRAY_STRUCT *list)
- {
-@@ -294,7 +294,7 @@ DYNARRAY_NAME (add__) (struct DYNARRAY_S
- /* Add ITEM at the end of the array, enlarging it by one element.
-    Mark *LIST as failed if the dynamic array allocation size cannot be
-    increased.  */
--__attribute_nonnull__ ((1))
-+__nonnull ((1))
- static inline void
- DYNARRAY_NAME (add) (struct DYNARRAY_STRUCT *list, DYNARRAY_ELEMENT item)
- {
-@@ -348,8 +348,7 @@ DYNARRAY_NAME (emplace__) (struct DYNARR
- /* Allocate a place for a new element in *LIST and return a pointer to
-    it.  The pointer can be NULL if the dynamic array cannot be
-    enlarged due to a memory allocation failure.  */
--__attribute_maybe_unused__ __attribute_warn_unused_result__
--__attribute_nonnull__ ((1))
-+__attribute_maybe_unused__ __attribute_warn_unused_result__ __nonnull ((1))
- static
- /* Avoid inlining with the larger initialization code.  */
- #if !(defined (DYNARRAY_ELEMENT_INIT) || defined (DYNARRAY_ELEMENT_FREE))
-@@ -373,7 +372,7 @@ DYNARRAY_NAME (emplace) (struct DYNARRAY
-    existing size, new elements are added (which can be initialized).
-    Otherwise, the list is truncated, and elements are freed.  Return
-    false on memory allocation failure (and mark *LIST as failed).  */
--__attribute_maybe_unused__ __attribute_nonnull__ ((1))
-+__attribute_maybe_unused__ __nonnull ((1))
- static bool
- DYNARRAY_NAME (resize) (struct DYNARRAY_STRUCT *list, size_t size)
- {
-@@ -418,7 +417,7 @@ DYNARRAY_NAME (resize) (struct DYNARRAY_
- }
- 
- /* Remove the last element of LIST if it is present.  */
--__attribute_maybe_unused__ __attribute_nonnull__ ((1))
-+__attribute_maybe_unused__ __nonnull ((1))
- static void
- DYNARRAY_NAME (remove_last) (struct DYNARRAY_STRUCT *list)
- {
-@@ -435,7 +434,7 @@ DYNARRAY_NAME (remove_last) (struct DYNA
- 
- /* Remove all elements from the list.  The elements are freed, but the
-    list itself is not.  */
--__attribute_maybe_unused__ __attribute_nonnull__ ((1))
-+__attribute_maybe_unused__ __nonnull ((1))
- static void
- DYNARRAY_NAME (clear) (struct DYNARRAY_STRUCT *list)
- {
-@@ -453,8 +452,7 @@ DYNARRAY_NAME (clear) (struct DYNARRAY_S
-    stored in *RESULT if LIST refers to an empty list.  On success, the
-    pointer in *RESULT is heap-allocated and must be deallocated using
-    free.  */
--__attribute_maybe_unused__ __attribute_warn_unused_result__
--__attribute_nonnull__ ((1, 2))
-+__attribute_maybe_unused__ __attribute_warn_unused_result__ __nonnull ((1, 2))
- static bool
- DYNARRAY_NAME (finalize) (struct DYNARRAY_STRUCT *list,
-                           DYNARRAY_FINAL_TYPE *result)
-@@ -485,8 +483,7 @@ DYNARRAY_NAME (finalize) (struct DYNARRA
-    have a sentinel at the end).  If LENGTHP is not NULL, the array
-    length is written to *LENGTHP.  *LIST is re-initialized and can be
-    reused.  */
--__attribute_maybe_unused__ __attribute_warn_unused_result__
--__attribute_nonnull__ ((1))
-+__attribute_maybe_unused__ __attribute_warn_unused_result__ __nonnull ((1))
- static DYNARRAY_ELEMENT *
- DYNARRAY_NAME (finalize) (struct DYNARRAY_STRUCT *list, size_t *lengthp)
- {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/metadata.xml
deleted file mode 100644
index fd41c89eb3..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/metadata.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
-<maintainer type="project">
-	<email>base-system@gentoo.org</email>
-	<name>Gentoo Base System</name>
-</maintainer>
-<maintainer type="project">
-	<email>perl@gentoo.org</email>
-	<name>Gentoo Perl Project</name>
-</maintainer>
-<use>
-	<flag name="standalone">Build standalone version that survives all Portage bugs</flag>
-</use>
-<upstream>
-	<remote-id type="cpe">cpe:/a:gnu:texinfo</remote-id>
-</upstream>
-</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/texinfo-6.8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/texinfo-6.8.ebuild
deleted file mode 100644
index f0e7bc230b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/texinfo/texinfo-6.8.ebuild
+++ /dev/null
@@ -1,75 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Note: if your package uses the texi2dvi utility, it must depend on the
-# virtual/texi2dvi package to pull in all the right deps.  The tool is not
-# usable out-of-the-box because it requires the large tex packages.
-
-EAPI=7
-
-inherit autotools flag-o-matic toolchain-funcs
-
-DESCRIPTION="The GNU info program and utilities"
-HOMEPAGE="https://www.gnu.org/software/texinfo/"
-SRC_URI="mirror://gnu/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="nls +standalone static"
-
-RDEPEND="
-	!=app-text/tetex-2*
-	>=sys-libs/ncurses-5.2-r2:0=
-	standalone? ( dev-lang/perl )
-	!standalone?  (
-		dev-lang/perl:=
-		dev-perl/libintl-perl
-		dev-perl/Unicode-EastAsianWidth
-		dev-perl/Text-Unidecode
-	)
-	nls? ( virtual/libintl )"
-DEPEND="${RDEPEND}"
-BDEPEND="nls? ( >=sys-devel/gettext-0.19.6 )"
-
-PATCHES=(
-	"${FILESDIR}/${P}-undo-gnulib-nonnul.patch"
-	"${FILESDIR}/flatcar-modifications.patch"
-)
-
-src_prepare() {
-	default
-
-	if use prefix ; then
-		sed -i -e '1c\#!/usr/bin/env sh' util/texi2dvi util/texi2pdf || die
-		touch doc/{texi2dvi,texi2pdf,pdftexi2dvi}.1
-	fi
-
-	eautoreconf
-}
-
-src_configure() {
-	# Respect compiler and CPPFLAGS/CFLAGS/LDFLAGS for Perl extensions. #622576
-	local -x PERL_EXT_CC="$(tc-getCC)" PERL_EXT_CPPFLAGS="${CPPFLAGS}" PERL_EXT_CFLAGS="${CFLAGS}" PERL_EXT_LDFLAGS="${LDFLAGS}"
-
-	use static && append-ldflags -static
-	local myeconfargs=( $(use_enable nls) )
-
-	if use standalone ; then
-		myeconfargs+=(
-			--without-external-libintl-perl
-			--without-external-Unicode-EastAsianWidth
-			--without-external-Text-Unidecode
-			--disable-perl-xs
-		)
-	else
-		myeconfargs+=(
-			--with-external-libintl-perl
-			--with-external-Unicode-EastAsianWidth
-			--with-external-Text-Unidecode
-			--enable-perl-xs
-		)
-	fi
-
-	econf "${myeconfargs[@]}"
-}

From 5dae6bc293c56125d19ac9afad9632fb36ce8d65 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 1 Mar 2023 12:31:33 +0100
Subject: [PATCH 14/16] sys-apps/baselayout: Replace ROOTPATH with PATH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ROOTPATH is not a thing any more. And with recent portage update, it
stopped being handled in some special way. Just use PATH. This should
unbreak stage2 of our SDK build, where the failure was:

/usr/bin/env: ‘bash’: No such file or directory
---
 ...elayout-3.6.8-r9.ebuild => baselayout-3.6.8-r10.ebuild} | 0
 .../sys-apps/baselayout/baselayout-9999.ebuild             | 7 +------
 2 files changed, 1 insertion(+), 6 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/{baselayout-3.6.8-r9.ebuild => baselayout-3.6.8-r10.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r10.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r10.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
index eba79a2be0..29fce7fe13 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
@@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="9082621e94ee6a1cdad9e15aa17a747d46c33c6f" # flatcar-master
+	CROS_WORKON_COMMIT="d4d6da73919bacc5b05a012d3d00dc8e2d669c0d" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
@@ -133,11 +133,6 @@ src_install() {
 
 	doenvd "env.d/99flatcar_ldpath"
 
-	# Add /sbin:/bin into the PATH when they aren't links into /usr.
-	if ! use symlink-usr; then
-		echo ROOTPATH=/sbin:/bin > "${D}"/etc/env.d/99flatcar_bin || die
-	fi
-
 	# handle multilib paths.  do it here because we want this behavior
 	# regardless of the C library that you're using.  we do explicitly
 	# list paths which the native ldconfig searches, but this isn't

From deee1d9be434cf201cd9eca59288b826289a1881 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 1 Mar 2023 18:28:54 +0100
Subject: [PATCH 15/16] coreos/stage1_hooks: Bump good baselayout version and
 update README

We need baselayout with the ROOTPATH and PATH cleanups, so bump the
revision to 10.
---
 .../0000-bump-baselayout-coreos-overlay.sh    |  2 +-
 .../coreos/stage1_hooks/README.md             | 24 ++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/0000-bump-baselayout-coreos-overlay.sh b/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/0000-bump-baselayout-coreos-overlay.sh
index e294393eb8..9910b1cfef 100755
--- a/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/0000-bump-baselayout-coreos-overlay.sh
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/0000-bump-baselayout-coreos-overlay.sh
@@ -5,7 +5,7 @@ set -euo pipefail
 stage1_repo="${1}"
 new_repo="${2}"
 
-good_version="3.6.8-r9"
+good_version="3.6.8-r10"
 stage1_version=''
 
 for f in "${stage1_repo}/sys-apps/baselayout/baselayout-"*'.ebuild'; do
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/README.md
index 5db213fca4..d31163fe6c 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/README.md
@@ -1,6 +1,18 @@
-The scripts there are called when setting up the portage-stable and
-coreos-overlay repos for the stage1 build. When the scripts are
-invoked, they receive a path to the repository as a parameter. The
-script for portage-stable should end with `-portage-stable.sh`, and
-the script for coreos-overlay with '-coreos-overlay.sh`. For example
-`0000-replace-ROOTPATH-coreos-overlay.sh`.
+The scripts in this directory are called by the SDK bootstrapping
+script when setting up the portage-stable and coreos-overlay repos for
+the stage1 build. The scripts are invoked with two arguments - a path
+to the stage1 repository, and a path to the current repository. The
+difference between the two is that the stage1 repository is a copy of
+a repository saved in the seed SDK (thus it's going to be an older
+version of the repository), whereas the current repository is a
+repository that will be a base of the new SDK. The idea here is that
+something in the stage1 repository may be too old, thus it should be
+replaced with its equivalent from the current repository.
+
+For more information about the bootstrap process, please see the
+`bootstrap_sdk` script in [the scripts
+repository](https://github.com/flatcar/scripts).
+
+The script for portage-stable should end with `-portage-stable.sh`,
+and the script for coreos-overlay with '-coreos-overlay.sh`. For
+example: `0000-replace-ROOTPATH-coreos-overlay.sh`.

From 63c9e114b2f25d1d12b5dbc32a4d761cdd6a588f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Mon, 6 Mar 2023 10:27:51 +0100
Subject: [PATCH 16/16] sys-kernel/coreos-modules: Explicitly disable stack
 variable initialization

So far, we didn't have the stack variable initialized, so we probably
can keep it like that for a little while longer. The stack variable
initialization gets enabled by default with gcc 12, because gcc 12
supports the -ftrivial-auto-var-init flag. Such configuration is
saved, and is reused for building the external modules.

It's something that we normally would want to have enabled, but this
breaks building falco-module, because despite falco Docker images
having multiple versions of gcc, the versions go from 5 to 8, and
neither support the -ftrivial-auto-var-init flag. The error is as follows:

* Running dkms build failed, dumping /var/lib/dkms/falco/e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931/build/make.log (with GCC /usr/bin/gcc-8)
DKMS make.log for falco-e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931 for kernel 5.15.96-flatcar (x86_64)
Fri Mar  3 16:17:58 UTC 2023
'/tmp/falco-dkms-make' -C /lib/modules/5.15.96-flatcar/build M=/var/lib/dkms/falco/e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931/build modules
make[1]: Entering directory '/host/lib/modules/5.15.96-flatcar/build'
warning: the compiler differs from the one used to build the kernel
  The kernel was built by: x86_64-cros-linux-gnu-gcc (Gentoo Hardened 12.2.1_p20230121-r1 p10) 12.2.1 20230121
  You are using:           gcc-8 (Debian 8.3.0-6) 8.3.0
  CC [M]  /var/lib/dkms/falco/e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931/build/main.o
gcc-8: error: unrecognized command line option '-ftrivial-auto-var-init=zero'
make[2]: *** [/host/lib/modules/5.15.96-flatcar/source/scripts/Makefile.build:289: /var/lib/dkms/falco/e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931/build/main.o] Error 1
make[1]: *** [../source/Makefile:1905: /var/lib/dkms/falco/e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931/build] Error 2
make[1]: Leaving directory '/host/lib/modules/5.15.96-flatcar/build'
make: *** [Makefile:16: all] Error 2

Using one compiler for the kernel and then a different compiler to
build the module certainly made me to raise my eyebrows. Maybe we
should rather try building a module using the developer container, and
if this succeeds - document it.
---
 .../sys-kernel/coreos-modules/files/commonconfig-5.15            | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15
index 5b40d02f61..b626e810bd 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15
@@ -282,6 +282,7 @@ CONFIG_INFINIBAND_MTHCA=m
 CONFIG_INFINIBAND_OCRDMA=m
 CONFIG_INFINIBAND_SRP=m
 CONFIG_INFINIBAND_USER_MAD=m
+CONFIG_INIT_STACK_NONE=y
 CONFIG_INPUT_EVDEV=m
 CONFIG_INPUT_MISC=y
 CONFIG_INPUT_MOUSEDEV=m