Merge pull request #3495 from flatcar/buildbot/weekly-portage-stable-package-updates-2025-11-17

Weekly portage-stable package updates 2025-11-17

Author: dongsupark

.github/workflows/portage-stable-packages-list

@@ -29,6 +29,7 @@ acct-group/portage
 acct-group/render
 acct-group/root
 acct-group/sgx
+acct-group/shadow
 acct-group/sshd
 acct-group/systemd-coredump
 acct-group/systemd-journal
@@ -246,6 +247,7 @@ dev-libs/gmp
 dev-libs/gobject-introspection-common
 dev-libs/inih
 dev-libs/jansson
+dev-libs/jose
 dev-libs/json-c
 dev-libs/jsoncpp
 dev-libs/libaio

build_library/build_image_util.sh

@@ -728,6 +728,17 @@ EOF
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 
+  # Temporary hack: set group ownership of /etc/{g,}shadow to the
+  # shadow group, that way unix_chkpwd, chage and expiry can act on
+  # those files.
+  #
+  # This permissions setting should likely be done in some ebuild, but
+  # currently files in /usr/share/baselayout are installed by the
+  # baselayout package, we don't want to add more deps to it.
+  sudo chgrp \
+      --reference="${root_fs_dir}/usr/bin/chage" \
+      "${root_fs_dir}"/{etc,usr/share/baselayout}/{g,}shadow
+
   # Backup the /etc contents to /usr/share/flatcar/etc to serve as
   # source for creating missing files. Make sure that the preexisting
   # /usr/share/flatcar/etc does not have any meaningful (non-empty)

changelog/changes/2025-11-28-weekly-updates.md

@@ -0,0 +1 @@
+- `/etc/shadow`, `/etc/gshadow` are now owned by the `shadow` group, `/usr/bin/unix_chkpwd`, `/usr/bin/chage` and `/usr/bin/expiry` are now also owned by the `shadow` group with a sticky bit enabled.

changelog/updates/2025-11-24-weekly-updates.md

@@ -0,0 +1,13 @@
+- SDK: meson ([1.9.1](https://mesonbuild.com/Release-notes-for-1-9-0.html) (includes [1.8.0](https://mesonbuild.com/Release-notes-for-1-8-0.html)))
+- SDK: nasm ([3.01](https://www.nasm.us/docs/3.01/nasmac.html) (includes [3.00](https://www.nasm.us/docs/3.00/nasmac.html)))
+- base, dev: hwdata ([0.400](https://github.com/vcrhonek/hwdata/releases/tag/v0.400))
+- base, dev: intel-microcode ([20251111_p20251112](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20251111))
+- base, dev: jose ([14](https://github.com/latchset/jose/releases/tag/v14) (includes [13](https://github.com/latchset/jose/releases/tag/v13)))
+- base, dev: less ([685](https://greenwoodsoftware.com/less/news.685.html))
+- base, dev: libgpg-error ([1.56](https://github.com/gpg/libgpg-error/releases/tag/libgpg-error-1.56))
+- base, dev: openssl ([3.5.4](https://github.com/openssl/openssl/releases/tag/openssl-3.5.4) (includes [3.5.3](https://github.com/openssl/openssl/releases/tag/openssl-3.5.3), [3.5.2](https://github.com/openssl/openssl/releases/tag/openssl-3.5.2), [3.5.1](https://github.com/openssl/openssl/releases/tag/openssl-3.5.1), [3.5.0](https://github.com/openssl/openssl/releases/tag/openssl-3.5.0)))
+- base, dev: thin-provisioning-tools ([1.3.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.3.0/CHANGES) (includes [1.2.2](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.2/CHANGES), [1.2.1](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.1/CHANGES), [1.2.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.0/CHANGES), [1.1.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.1.0/CHANGES), [1.0.14](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.14/CHANGES), [1.0.13](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.13/CHANGES), [1.0.12](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.12/CHANGES), [1.0.11](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.11/CHANGES)))
+- sysext-podman: aardvark-dns ([1.15.0](https://github.com/containers/aardvark-dns/releases/tag/v1.15.0))
+- sysext-python: platformdirs ([4.5.0](https://github.com/tox-dev/platformdirs/releases/tag/4.5.0))
+- sysext-python: resolvelib ([1.2.1](https://raw.githubusercontent.com/sarugaku/resolvelib/refs/tags/1.2.1/CHANGELOG.rst))
+- sysext-python: rich ([14.2.0](https://github.com/Textualize/rich/releases/tag/v14.2.0))

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-block/thin-provisioning-tools

@@ -0,0 +1,2 @@
+# This is to disable building thin_migrate tool.
+export ECARGO_EXTRA_ARGS=--no-default-features

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-block/thin-provisioning-tools/0001-build-Simplify-installation-of-symlinks-and-manpages.patch

@@ -0,0 +1,81 @@
+From c5fbb32be0509e4368268a79e7aacc6b5e34d28e Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <[email protected]>
+Date: Thu, 20 Nov 2025 13:16:09 +0100
+Subject: [PATCH 1/2] [build] Simplify installation of symlinks and manpages
+
+Signed-off-by: Krzesimir Nowak <[email protected]>
+---
+ Makefile | 52 ++++++++--------------------------------------------
+ 1 file changed, 8 insertions(+), 44 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b04937aa..44c99c99 100644
+--- a/Makefile
++++ b/Makefile
+@@ -55,55 +55,19 @@ TOOLS:=\
+ 	era_invalidate \
+ 	era_restore
+ 
++# This must be two empty lines to get a newline.
++define NEWLINE
++
++
++endef
++
+ MANPAGES:=$(patsubst %,man8/%.8,$(TOOLS))
+ 
+ install: $(MANPAGES)
+ 	$(INSTALL_DIR) $(BINDIR)
+ 	$(INSTALL_PROGRAM) $(PDATA_TOOLS) $(BINDIR)
+-	ln -s -f pdata_tools $(BINDIR)/cache_check
+-	ln -s -f pdata_tools $(BINDIR)/cache_dump
+-	ln -s -f pdata_tools $(BINDIR)/cache_metadata_size
+-	ln -s -f pdata_tools $(BINDIR)/cache_repair
+-	ln -s -f pdata_tools $(BINDIR)/cache_restore
+-	ln -s -f pdata_tools $(BINDIR)/cache_writeback
+-	ln -s -f pdata_tools $(BINDIR)/thin_check
+-	ln -s -f pdata_tools $(BINDIR)/thin_delta
+-	ln -s -f pdata_tools $(BINDIR)/thin_dump
+-	ln -s -f pdata_tools $(BINDIR)/thin_ls
+-	ln -s -f pdata_tools $(BINDIR)/thin_repair
+-	ln -s -f pdata_tools $(BINDIR)/thin_restore
+-	ln -s -f pdata_tools $(BINDIR)/thin_rmap
+-	ln -s -f pdata_tools $(BINDIR)/thin_metadata_size
+-	ln -s -f pdata_tools $(BINDIR)/thin_metadata_pack
+-	ln -s -f pdata_tools $(BINDIR)/thin_metadata_unpack
+-	ln -s -f pdata_tools $(BINDIR)/thin_migrate
+-	ln -s -f pdata_tools $(BINDIR)/thin_trim
+-	ln -s -f pdata_tools $(BINDIR)/era_check
+-	ln -s -f pdata_tools $(BINDIR)/era_dump
+-	ln -s -f pdata_tools $(BINDIR)/era_invalidate
+-	ln -s -f pdata_tools $(BINDIR)/era_restore
++	$(foreach tool, $(TOOLS), ln -s -f pdata_tools $(BINDIR)/$(tool); $(NEWLINE))
+ 	$(INSTALL_DIR) $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/cache_check.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/cache_dump.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/cache_metadata_size.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/cache_repair.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/cache_restore.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/cache_writeback.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_check.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_delta.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_dump.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_ls.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_repair.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_restore.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_rmap.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_metadata_size.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_metadata_pack.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_metadata_unpack.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_migrate.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/era_check.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/era_dump.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/era_restore.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/era_invalidate.8 $(MANPATH)/man8
+-	$(INSTALL_DATA) man8/thin_trim.8 $(MANPATH)/man8
++	$(foreach tool, $(TOOLS), $(INSTALL_DATA) man8/$(tool).8 $(MANPATH)/man8; $(NEWLINE))
+ 
+ .PHONY: install
+-- 
+2.51.2
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-block/thin-provisioning-tools/0002-all-Make-thin_migrate-tool-optional.patch

@@ -0,0 +1,135 @@
+From 74215dade7bbddbfc0a46e1903fc289a56df3915 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <[email protected]>
+Date: Thu, 20 Nov 2025 13:17:36 +0100
+Subject: [PATCH 2/2] [all] Make thin_migrate tool optional
+
+The tool pulls in, indirectly through the devicemapper crate, a
+dependency on libclang. Make it possible to skip the tool to avoid the
+dependency, but keep it enabled by default.
+
+Signed-off-by: Krzesimir Nowak <[email protected]>
+---
+ Cargo.toml             |  4 +++-
+ Makefile               | 20 ++++++++++++++++++--
+ src/bin/pdata_tools.rs |  1 +
+ src/commands/mod.rs    |  1 +
+ src/thin/mod.rs        |  1 +
+ 5 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 8594c6ba..155285a8 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -18,7 +18,7 @@ clap = { version = "4.5", default-features = false, features = [
+ ] }
+ crc32c = "0.6"
+ data-encoding = "2.9"
+-devicemapper = "0.34"
++devicemapper ={ version = "0.34", optional = true }
+ exitcode = "1.1.2"
+ fixedbitset = "0.5"
+ flate2 = "1.1"
+@@ -51,9 +51,11 @@ tempfile = "3.23"
+ thinp = { path = ".", features = ["devtools"] }
+ 
+ [features]
++default = ["thin_migrate"]
+ devtools = ["ratatui", "termion"]
+ io_uring = ["dep:io-uring"]
+ no_cleanup = []
++thin_migrate = ["dep:devicemapper"]
+ 
+ [profile.release]
+ debug = true
+diff --git a/Makefile b/Makefile
+index 44c99c99..a2dd51a4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -2,9 +2,10 @@ V=@
+ 
+ PDATA_TOOLS:=\
+ 	target/release/pdata_tools
++CARGO_FLAGS:=$(if $(DISABLE_THIN_MIGRATE),--no-default-features)
+ 
+ $(PDATA_TOOLS):
+-	$(V) cargo build --release
++	$(V) cargo build --release $(CARGO_FLAGS)
+ 
+ PREFIX:=/usr
+ BINDIR:=$(DESTDIR)$(PREFIX)/sbin
+@@ -31,6 +32,21 @@ clean:
+ 	cargo clean
+ 	$(RM) man8/*.8
+ 
++HAS_PDATA_TOOLS_BINARY:=$(shell if [ -f $(PDATA_TOOLS) ]; then echo 1; fi)
++ifneq ($(HAS_PDATA_TOOLS_BINARY),)
++
++HAS_THIN_MIGRATE:=$(shell grep -qF thin_migrate.rs $(PDATA_TOOLS).d && echo 1)
++
++ifneq ($(DISABLE_THIN_MIGRATE),)
++$(warning DISABLE_THIN_MIGRATE variable is ignored, the pdata_tools binary exists and it has $(if $(HAS_THIN_MIGRATE),,no )thin_migrate tool built in)
++endif
++
++else
++
++HAS_THIN_MIGRATE:=$(if $(DISABLE_THIN_MIGRATE),,1)
++
++endif
++
+ TOOLS:=\
+ 	cache_check \
+ 	cache_dump \
+@@ -42,13 +58,13 @@ TOOLS:=\
+ 	thin_delta \
+ 	thin_dump \
+ 	thin_ls \
++	$(if $(HAS_THIN_MIGRATE),thin_migrate) \
+ 	thin_repair \
+ 	thin_restore \
+ 	thin_rmap \
+ 	thin_metadata_size \
+ 	thin_metadata_pack \
+ 	thin_metadata_unpack \
+-	thin_migrate \
+ 	thin_trim \
+ 	era_check \
+ 	era_dump \
+diff --git a/src/bin/pdata_tools.rs b/src/bin/pdata_tools.rs
+index c288fe03..67ef0d7d 100644
+--- a/src/bin/pdata_tools.rs
++++ b/src/bin/pdata_tools.rs
+@@ -29,6 +29,7 @@ fn register_commands<'a>() -> Vec<Box<dyn Command<'a>>> {
+         Box::new(thin_metadata_pack::ThinMetadataPackCommand),
+         Box::new(thin_metadata_size::ThinMetadataSizeCommand),
+         Box::new(thin_metadata_unpack::ThinMetadataUnpackCommand),
++        #[cfg(feature = "thin_migrate")]
+         Box::new(thin_migrate::ThinMigrateCommand),
+         Box::new(thin_repair::ThinRepairCommand),
+         Box::new(thin_restore::ThinRestoreCommand),
+diff --git a/src/commands/mod.rs b/src/commands/mod.rs
+index 5eeb66ab..72481eba 100644
+--- a/src/commands/mod.rs
++++ b/src/commands/mod.rs
+@@ -17,6 +17,7 @@ pub mod thin_ls;
+ pub mod thin_metadata_pack;
+ pub mod thin_metadata_size;
+ pub mod thin_metadata_unpack;
++#[cfg(feature = "thin_migrate")]
+ pub mod thin_migrate;
+ pub mod thin_repair;
+ pub mod thin_restore;
+diff --git a/src/thin/mod.rs b/src/thin/mod.rs
+index 1ef0e1be..eeed031e 100644
+--- a/src/thin/mod.rs
++++ b/src/thin/mod.rs
+@@ -10,6 +10,7 @@ pub mod ls;
+ pub mod metadata;
+ pub mod metadata_repair;
+ pub mod metadata_size;
++#[cfg(feature = "thin_migrate")]
+ pub mod migrate;
+ pub mod repair;
+ pub mod restore;
+-- 
+2.51.2
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-block/thin-provisioning-tools/README.md

@@ -0,0 +1,18 @@
+The patches make the thin_migrate tool optional, as this seems to be
+the thing that pulls in devicemapper crate, which in order requires
+bindgen crate, which in turn depends on libclang. Since thin_migrate
+tools was never a part of Flatcar yet, we can skip building it for
+now. If users will need the tool, we can think about adding it at a
+cost of building clang in SDK builds.
+
+The patches were filed to upstream:
+
+https://github.com/device-mapper-utils/thin-provisioning-tools/pull/1
+
+If they get accepted, we can try convincing Gentoo to add
+"USE=+migrate" to the ebuild and hide the clang dependency behind the
+flag. On Flatcar side we could then disable it.
+
+Until that happens, these patches should be accompanied by a hook
+function that will do "export ECARGO_EXTRA_ARGS=--no-default-features"
+and "export MAKEOPTS=THIN_MIGRATE_EXCLUDE=x".