Now that GLSA metadata was updated as of 2021-09-03, we need to
add the following entries to the GLSA allow list, to avoid build
failures caused by `glsa-check -t all`.
202006-03: perl 5.26.2, only SDK, allowlist
202008-01: python 2.7.15 & 3.6.5, only SDK, allowlist
202101-18: python 2.7.15 & 3.6.5, only SDK, allowlist
202104-04: python 2.7.15 & 3.6.5, only SDK, allowlist
202105-22: samba 4.12.9, not affected, samba has no ldap flag, no smbd.
202105-34: bash 4.3, non-trivial to update
202107-31: polkit 0.113, in-progress
202107-48: systemd 247.9, backported the fixes to v247.9.
Included is a Dockerfile that installs system deps of kola in a debian:11
image. For the test script, the control flow is:
qemu_uefi.sh
qemu_uefi_arm64.sh
(docker)
qemu_common.sh
qemu_common uses the 'NATIVE_ARM64' variable passed by the Jenkins job to control the behavior.
The differences are:
* use git directly to fetch (and verify) the manifest
* set up some symlinks so that /var/tmp is on the same BTRFS partition as $PWD/tmp
* set up symlinks so that we don't have to fix up installation of mantle to chroot
* run things directly instead of in chroot through cork
The whole script is executed as root, because kola requires root privileges
anyway and making kvm and sudo work with an arbitrary host user inside the
container would require a custom entrypoint to set up groups.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
201904-13: git 2.26.3, so not affected
201909-08: dbus 1.12.20, so not affected
201911-01: openssh 8.6, so not affected
202003-12: sudo 1.9.5, so not affected
202003-20: systemd 246+, so not affected
202003-24: file 5.39, so not affected
202003-30: git 2.26.3, so not affected
202003-31: gdb 9.2, so not affected
202003-52: samba 4.12.9, so not affected
202004-10: openssl 1.1.1l, so not affected
202004-13: git 2.26.3, so not affected
202005-02: qemu 5.2, so not affected
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
Imported commit 20d298fb282ec9d5a060f12aef64c47aede0904d.
Update net-misc/openssh to 8.7_p1-r1, mainly to address CVE-2020-15778.
The goal of the package update is to add support for a new option `-s`
of scp, i.e. "sftp mode of scp". OpenSSH 8.7 started to support the
flag, but it is disabled by default. So at the moment users need to
explicitly run `scp -s` to test the feature.
Gentoo ref: 11d6f23704e7ab84191e28e034816bfdb151d406
Now that we started encoding strings to unicode by default,
we should also take care of corner cases, where LC_CTYPE is set to a
different value from the systemd default value in `/etc/locale.gen`.
For example, under a build environment with `LC_CTYPE=C`, when the UTF-8
file name is `AC_Raíz_Certicámara_S.A..pem`,
the build fails like this:
```
Traceback (most recent call last):
File "/var/tmp/portage/app-misc/ca-certificates-3.27.1-r2/files/certdata2pem.py",
line 127, in <module>
f = open(fname, 'w')
UnicodeEncodeError: 'ascii' codec can't encode character '\xed' in position 5: ordinal not in range(128)
* ERROR: app-misc/ca-certificates-3.27.1-r2::coreos failed (compile phase):
```
To fix that, encode the filename with the system encoding when opening the file.
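
The failure described above, reproduced without changing the locale, next to one way to avoid it. This is an added example, not the code from `certdata2pem.py` or from this commit; `encode_error_under`, `write_pem`, the `codec` parameter and the placeholder PEM text are assumptions made for illustration.

```python
import os
import tempfile

# File name from the commit message, written with escapes so this source is pure ASCII.
CERT_NAME = "AC_Ra\u00edz_Certic\u00e1mara_S.A..pem"


def encode_error_under(codec, name=CERT_NAME):
    """Return (offending character, position) if `name` cannot be encoded with
    `codec`, else None. open() performs this same encoding step with the
    filesystem codec whenever it is handed a str path."""
    try:
        name.encode(codec)
    except UnicodeEncodeError as exc:
        return name[exc.start], exc.start
    return None


def write_pem(directory, name, pem_text, codec="utf-8"):
    """Write `pem_text` to `directory`/`name`, handing open() a bytes path so the
    locale-derived filesystem codec is never consulted for the file name.
    `codec` (assumption of this example) is the encoding the name gets on disk."""
    path = os.path.join(os.fsencode(directory), name.encode(codec))
    with open(path, "w", encoding="ascii") as f:
        f.write(pem_text)
    return path


def demo():
    # 'ascii' is the filesystem codec Python versions before 3.7 pick under LC_CTYPE=C.
    failure = encode_error_under("ascii")
    pem = ("-----BEGIN CERTIFICATE-----\n"
           "(constructed placeholder, not a real certificate)\n"
           "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = write_pem(tmp, CERT_NAME, pem)
        on_disk = os.listdir(os.fsencode(tmp))  # bytes in, bytes out
    return failure, os.path.basename(path), on_disk


if __name__ == "__main__":
    print(demo())
```

A certificate whose file fails to be written would be missing from the generated trust store, so a build step like this should fail loudly, as it does in the traceback, rather than skip the entry.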