From afcb4d044454ea6397f3c7b53ce131772c7c9ef1 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 15 Sep 2025 07:15:25 -0400
Subject: [PATCH 1/2] plume/release: drop metadata URL check

When we update the release index, plume checks if the release we want to add already exists by checking for a release with the same version _and_ metadata URL. The latter check seems unnecessary and in fact harmful because there shouldn't ever be two releases in the list with the same version number at all. So drop that check. Noticed this when testing that code locally (with `--local-mode`) in which we don't pass S3 information, so it's normal that the metadata URL isn't the same.
---
 mantle/cmd/plume/release.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mantle/cmd/plume/release.go b/mantle/cmd/plume/release.go
index fdd760135f..3b2cbe6147 100644
--- a/mantle/cmd/plume/release.go
+++ b/mantle/cmd/plume/release.go
@@ -368,7 +368,7 @@ func modifyReleaseMetadataIndex(api *aws.API, rel release.Release) {
 }

 func compareStaticReleaseInfo(a, b release.IndexRelease) bool {
- if a.Version != b.Version || a.MetadataURL != b.MetadataURL {
+ if a.Version != b.Version {
 return false
 }
 return true

From 49784b818e39715fef15436d1b08897ed6dbfbbf Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 15 Sep 2025 16:41:57 -0400
Subject: [PATCH 2/2] build.sh: move chmod /usr/lib/containers/storage/overlay-* to `install_rpms`

We already have a few other `chmod`s in `install_rpms` to loosen restrictions. This should fix supermin for people like me who run cosa in their pet containers and only run _some_ of the build.sh commands (notably we run `install_rpms`, but not `configure_user`).
---
 build.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/build.sh b/build.sh
index 58e1a58768..c4a1dd17b6 100755
--- a/build.sh
+++ b/build.sh
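Review bot: In mantle/cmd/plume/release.go, compareStaticReleaseInfo now treats an index entry with the same version but a different MetadataURL as the same release, so a stale or wrong URL already in the index passes silently. The caller is outside this hunk, so I can't tell whether anything else checks the URL; if nothing does, consider logging the mismatch where the match is handled rather than dropping the signal entirely. With a single comparison left, the body can be `return a.Version == b.Version`, and a one-line doc comment such as `// compareStaticReleaseInfo reports whether a and b are the same release, identified by version alone.` would record the new contract. The function's closing brace is outside the hunk.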
@@ -96,6 +96,10 @@ install_rpms() {
 fi
 # Similarly for kernel data and SELinux policy, which we want to inject into supermin
 chmod -R a+rX /usr/lib/modules /usr/share/selinux/targeted
+ # And a few more from the containers stack we want to inject into supermin too.
+ # Remove when https://github.com/containers/common/pull/2507 has merged
+ chmod 755 /usr/lib/containers/storage/overlay-images
+ chmod 755 /usr/lib/containers/storage/overlay-layers

 # Symlink the CentOS Stream GPG keys to /etc to make it easier to build
 # CentOS-based artifacts.
@@ -177,11 +181,6 @@ configure_user(){
 # Lifted from: https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26
 echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subuid
 echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subgid
-
- # Allow a few directories to be accessed by unprivileged users.
- # Remove when https://github.com/containers/common/pull/2507 has merged
- chmod 755 /usr/lib/containers/storage/overlay-images
- chmod 755 /usr/lib/containers/storage/overlay-layers
 }

 write_archive_info() {
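Review bot: The comment above the two added `chmod 755` lines in install_rpms no longer says that they open `overlay-images` and `overlay-layers` to unprivileged users, which is the fact a later reader needs when deciding whether this loosening can be removed. I would keep that wording, e.g. `# Make these world-readable (755) so unprivileged users and supermin can read them.` Unlike the `chmod -R a+rX` just above, these set an absolute mode on the top-level directory only, and they fail if either directory is missing; if build.sh runs with errexit (not visible here), that would abort install_rpms on an image without the containers storage directories. install_rpms starts and ends outside the hunk.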