trousers supports TPM 1.2, and fails for TPM 2. This commits
skips the tcsd service if TPM 2 is detected.
Uses ConditionSecurity introduced in systemd v248
Fixesflatcar-linux/Flatcar#208
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.70.ebuild manifest" run.
Signed-off-by: Guillaume Perrin <guillaume28.perrin@gmail.com>
commit 5c4d184e22fd93ab926878a131150047b54d0b6c
Author: Michael Marineau <michael.marineau@coreos.com>
Date: Fri Aug 1 14:48:59 2014 -0700
polkit: fix config install paths, use systemd-tmpfiles
All configs should be installed to /usr and tmpfiles should be used to
create and fix directory permissions instead of the ebuild's postinst.
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.69.1.ebuild manifest" run.
Hgfs-mounter has been dropped from the repository and it let's make the
patch name independent of the package version so that the patch doesn't
have to be touched on every upgrade.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
systemd v249 changes the usual failed units "●" to show "×".
This commit adapts accordingly to display the correct failed units
For compatibility with the longer-cadence channels, we continue to
support "●"
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Automatically update coreos/open-vm-tools as well as
coreos-base/oem-vmware.
Get the latest open-vm-tools release number, and get its build number
from the Github repo, and replace the old build number with the new one.
Also sync coreos-base/oem-vmware in line with open-vm-tools.
We need to split the beginning of setting up the top-level git repo into
a new function prepare_git_repo, and call it in the beginning of each
script. That is to prevent some corner cases, where applying multiple
patches does not work because the latter overwrites the former patch.
So we should not set up the git repo again in each apply_patch, but only
in the beggining, prepare_git_repo.
`ebuild audit-2.8.5-r1.ebuild manifest` fails like that:
```
>>> Downloading
'017e6c6ab9.patch'
--2021-09-29 04:05:09--
017e6c6ab9.patch
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854 [text/plain]
Saving to: /mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__
2021-09-29 04:05:09 (57.3 MB/s) -
/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__ saved [854/854]
!!! Fetched file:
audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 854
!!! Expected: 852
Refetching... File renamed to
'/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch._checksum_failure_.o2889wwd'
!!! Couldn't download 'audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch'. Aborting.
```
That happens because the upstream audit patch
017e6c6ab9.patch
silently changed, so it could have a git commit of 8-bytes instead 7.
Fix the hash in Manifest for now, until we could update
sys-process/audit to 3.0. Upstream Gentoo already has 3.0, dropped 2.8.
However, updating to 3.0 might not so trivial due to Flatcar changes in
audit.
The bug fix https://github.com/flatcar-linux/coreos-overlay/pull/1129
caused a regression that Github Actions cannot determine a correct
$VERSION_OLD if the old ebuild file has a suffix like `-r1`.
We need to create a function to get a correct ebuild file name, by
falling back to the most similar name, in case the expected ebuild
file does not exist.
When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys`
occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from
f292beac11/debian/patches/import-merge-without-userid .
See also https://dev.gnupg.org/T4393 .
Based on commit 3d9a9c9c3654c6b8c073e306636bf8dc64cfb657 .
Update app-crypt/gnupg to 2.2.29.
One of the key purposes for the update is to be able to use the new
default keyserver `keyserver.ubuntu.com`, which is provided by default
since 2.2.29. It is due to the shutdown of the SKS keyserver pools.
See also https://bugs.gentoo.org/811828 .
I think we still prefer to keep packages in portage-stable and
sometimes add an entry to the accept_keywords file instead of moving
the package to overlay just to edit a keyword. Or a PYTHON_COMPAT
field.
This changes comes together with the change made in portage-stable to
one of the python eclasses where we add support for python3 version
from 3.8 to 3.10. To make this change complete, we need to mask those
new versions, so building packages will not try to depend on python
version we haven't yet packaged.
with the recent update of `dev-lang/perl`, we added the `minimal`
useflag.
This one is not taken in account from `package.use` into the stage 2 of the boostraping,
because we do an `export USE=...`.
Following the precedence of the USE flag with Gentoo, the `export` will
be used in first, so the `package.use` with our `dev-lang/perl minimal`
won't be used.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
