- Make BDEPEND independent from DEPEND (The `BDEPEND` is a
build-time requirement, so it should not be included in the whole
`DEPEND` list. If it does, an installation of `sys-auth/sssd`
causes other dependencies to be installed not only in the
`/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.)
- Move runstatedir option from configure to make (Now that the
upstream sssd 2.3.1 does not support `--runstatedir` option from
its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`. Instead
we need to pass `runstatedir=` to emake commands.)
- Disable realm check for nsupdate (At the moment bind-tools does
not enable `gssapi`, so its `nsupdate` tool is also not able to
run `realm` command. As a result, configure script of `sssd` fails
when running `echo realm | nsupdate`, like `syntax error`.
To avoid such issues, we need to disable the nsupdate check for
now. After we could enable `gssapi` for the SDK correctly, we can
bring back the nsupdate check in the future.)
- Add patch for CVE-2021-3621
- Set the conf dir path explicitly (Without passing the
--with-systemdconfdir flag, the configure script will query
pkg-config for the directory itself. In the cross-compilation
setup that we have, this will result in a path sysroot prepended
to the path twice. systemd.eclass has a workaround for this issue,
but it does not provide an elegant getter of the system
configuration directory, thus we call `_systemd_get_dir`
ourselves.)
- Make it compatible with newer python versions.
- apply duktape patchset from
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
(this should be re-fetched from the above MR when forward-porting
to updated polkit versions.)
- fix config install paths, use systemd-tmpfiles (All configs should
be installed to /usr and tmpfiles should be used to create and fix
directory permissions instead of the ebuild's postinst.)
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and exec from init to
unconfined
- add AVC patch for local login and journald
- add python[lxml] to BDEPEND (not pulled through policycoreutils
any more due to our changes there)
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
- Use EAPI7
- Move libsxlt and stylesheets to BDEPEND
- Introduce some USE flags, so we don't install some tools we don't
need
- Limit the size of bundled libraries
- Make it compatible with newer python versions
- Bump to r2 because of updating EAPI to 7
- Add the tmpfiles configuration for populating /var
- Add service compatibility symlinks (maybe time to drop them)
- Drop moving a binary from /usr/sbin to /sbin
- Drop populating /etc and /var
- Drop pkg_postinst
The policycoreutils ebuild calls `semodule` in postinst to update SELinux stores.
It does not, however, tells `semodule` the correct ROOT to use, so builds that go into `/build/[arch]-usr` end up updating the SDK's store.
Fixes
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link)
observed when using the SDK Container to build the OS image.
It now also updates the correct store, which it previously did not.
Temporarily accept ssh-rsa algorithm in sshd_config for openssh >= 8.8,
until most ssh clients could deprecate ssh-rsa.
It is the same fix as https://github.com/flatcar-linux/init/pull/54.
However, we should do that again for GCE, because the google-oslogin
ebuild overwrites the existing sshd_config.
It used to be pulled in by dev-lang/python, but not any more. It is
needed for running fsscript during stage4 of SDK build to set up the
default python interpreter.
If python-single-r1.eclass is inherited, then PYTHON_USEDEP can't be
used directly inside dependency variable - either PYTHON_SINGLE_USEDEP
(for single-python-impl packages) should be used or the dependency
should be wrapped into python_gen_cond_dep function (for
multi-python-impl packages). crcmod is a multi-python-impl package, so
use the latter.
Also follow the practice of specifying the BDEPEND in terms of
RDEPEND. For this, we need to bump the EAPI to 7.
