- apply duktape patchset from
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
(this should be re-fetched from the above MR when forward-porting
to updated polkit versions.)
- fix config install paths, use systemd-tmpfiles (All configs should
be installed to /usr and tmpfiles should be used to create and fix
directory permissions instead of the ebuild's postinst.)
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and exec from init to
unconfined
- add AVC patch for local login and journald
- add python[lxml] to BDEPEND (not pulled through policycoreutils
any more due to our changes there)
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
- Use EAPI7
- Move libsxlt and stylesheets to BDEPEND
- Introduce some USE flags, so we don't install some tools we don't
need
- Limit the size of bundled libraries
- Make it compatible with newer python versions
- Bump to r2 because of updating EAPI to 7
- Add the tmpfiles configuration for populating /var
- Add service compatibility symlinks (maybe time to drop them)
- Drop moving a binary from /usr/sbin to /sbin
- Drop populating /etc and /var
- Drop pkg_postinst
The policycoreutils ebuild calls `semodule` in postinst to update SELinux stores.
It does not, however, tells `semodule` the correct ROOT to use, so builds that go into `/build/[arch]-usr` end up updating the SDK's store.
Fixes
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link)
observed when using the SDK Container to build the OS image.
It now also updates the correct store, which it previously did not.
Temporarily accept ssh-rsa algorithm in sshd_config for openssh >= 8.8,
until most ssh clients could deprecate ssh-rsa.
It is the same fix as https://github.com/flatcar-linux/init/pull/54.
However, we should do that again for GCE, because the google-oslogin
ebuild overwrites the existing sshd_config.
It used to be pulled in by dev-lang/python, but not any more. It is
needed for running fsscript during stage4 of SDK build to set up the
default python interpreter.
If python-single-r1.eclass is inherited, then PYTHON_USEDEP can't be
used directly inside dependency variable - either PYTHON_SINGLE_USEDEP
(for single-python-impl packages) should be used or the dependency
should be wrapped into python_gen_cond_dep function (for
multi-python-impl packages). crcmod is a multi-python-impl package, so
use the latter.
Also follow the practice of specifying the BDEPEND in terms of
RDEPEND. For this, we need to bump the EAPI to 7.
