Properly check valgrind_arches

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

.zuul.yaml

@@ -1,5 +1,7 @@
 - project:
     vars:
       install_repo_exclude:
+        - systemd-standalone-repart
+        - systemd-standalone-shutdown
+        - systemd-standalone-sysusers
         - systemd-standalone-tmpfiles
-        - systemd-standalone-sysuser

0001-core-add-new-PollLimit-settings-to-.socket-units.patch

@@ -0,0 +1,243 @@
+From df25afd2cf5527fe1bb542bb146fef1be8d9a489 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Sat, 9 Sep 2023 14:46:32 +0200
+Subject: [PATCH 1/3] core: add new "PollLimit" settings to .socket units
+
+This adds a new "PollLimit" pair of settings to .socket units, very
+similar to existing "TriggerLimit" logic. The differences are:
+
+* PollLimit focusses on the polling on the sockets, and pauses that
+  temporarily if a ratelimit on that is reached. TriggerLimit otoh
+  focusses on the triggering effect of socket units, and stops
+  triggering once the ratelimit is hit.
+
+* While the trigger limit being hit is an action that causes the socket
+  unit to fail the polling limit being reached will just temporarily
+  disable polling on the socket fd, and it is resumed once the ratelimit
+  interval is over.
+
+* When a socket unit operates on multiple socket fds (e,g, ListenStream=
+  on both some ipv6 and an ipv4 address or so). Then the PollLimit will
+  be specific to each fd, while the trigger limit is specific to the
+  whole unit.
+
+Implementation-wise this is mostly a wrapper around sd-event's
+sd_event_source_set_ratelimit(), which exposes the desired behaviour
+directly.
+
+Usecase for all of this: socket services which when overloaded with
+connections should just slow down reception of it, but not fail
+persistently.
+
+(cherry picked from commit 2bec84e7a5bf3687ae65205753ba3d8067cf2f0e)
+---
+ man/org.freedesktop.systemd1.xml      | 12 ++++++++++
+ src/core/dbus-socket.c                |  8 +++++++
+ src/core/load-fragment-gperf.gperf.in |  2 ++
+ src/core/socket.c                     | 32 +++++++++++++++++++--------
+ src/core/socket.h                     |  2 ++
+ src/shared/bus-unit-util.c            | 10 +++++----
+ 6 files changed, 53 insertions(+), 13 deletions(-)
+
+diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
+index 56906e2f3b..0557dc2379 100644
+--- a/man/org.freedesktop.systemd1.xml
++++ b/man/org.freedesktop.systemd1.xml
+@@ -4727,6 +4727,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
+       readonly t TriggerLimitIntervalUSec = ...;
+       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+       readonly u TriggerLimitBurst = ...;
++      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
++      readonly t PollLimitIntervalUSec = ...;
++      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
++      readonly u PollLimitBurst = ...;
+       readonly u UID = ...;
+       readonly u GID = ...;
+       @org.freedesktop.DBus.Property.EmitsChangedSignal("invalidates")
+@@ -5961,6 +5965,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
+ 
+     <variablelist class="dbus-property" generated="True" extra-ref="TriggerLimitBurst"/>
+ 
++    <variablelist class="dbus-property" generated="True" extra-ref="PollLimitIntervalUSec"/>
++
++    <variablelist class="dbus-property" generated="True" extra-ref="PollLimitBurst"/>
++
+     <variablelist class="dbus-property" generated="True" extra-ref="UID"/>
+ 
+     <variablelist class="dbus-property" generated="True" extra-ref="GID"/>
+@@ -6497,6 +6505,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
+ 
+     <!--End of Autogenerated section-->
+ 
++    <para><varname>PollLimitIntervalUSec</varname>/<varname>PollLimitBurst</varname> properties configure the
++    polling limit for the socket unit. Expects a time in µs, resp. an unsigned integer. If either is set to
++    zero the limiting feature is turned off.</para>
++
+     <refsect2>
+       <title>Properties</title>
+ 
+diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c
+index 09a3a9502b..04552b7c60 100644
+--- a/src/core/dbus-socket.c
++++ b/src/core/dbus-socket.c
+@@ -129,6 +129,8 @@ const sd_bus_vtable bus_socket_vtable[] = {
+         SD_BUS_PROPERTY("SocketProtocol", "i", bus_property_get_int, offsetof(Socket, socket_protocol), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("TriggerLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Socket, trigger_limit.interval), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("TriggerLimitBurst", "u", bus_property_get_unsigned, offsetof(Socket, trigger_limit.burst), SD_BUS_VTABLE_PROPERTY_CONST),
++        SD_BUS_PROPERTY("PollLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Socket, poll_limit_interval), SD_BUS_VTABLE_PROPERTY_CONST),
++        SD_BUS_PROPERTY("PollLimitBurst", "u", bus_property_get_unsigned, offsetof(Socket, poll_limit_burst), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("UID", "u", bus_property_get_uid, offsetof(Unit, ref_uid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
+         SD_BUS_PROPERTY("GID", "u", bus_property_get_gid, offsetof(Unit, ref_gid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
+         BUS_EXEC_COMMAND_LIST_VTABLE("ExecStartPre", offsetof(Socket, exec_command[SOCKET_EXEC_START_PRE]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
+@@ -248,6 +250,9 @@ static int bus_socket_set_transient_property(
+         if (streq(name, "TriggerLimitBurst"))
+                 return bus_set_transient_unsigned(u, name, &s->trigger_limit.burst, message, flags, error);
+ 
++        if (streq(name, "PollLimitBurst"))
++                return bus_set_transient_unsigned(u, name, &s->poll_limit_burst, message, flags, error);
++
+         if (streq(name, "SocketMode"))
+                 return bus_set_transient_mode_t(u, name, &s->socket_mode, message, flags, error);
+ 
+@@ -275,6 +280,9 @@ static int bus_socket_set_transient_property(
+         if (streq(name, "TriggerLimitIntervalUSec"))
+                 return bus_set_transient_usec(u, name, &s->trigger_limit.interval, message, flags, error);
+ 
++        if (streq(name, "PollLimitIntervalUSec"))
++                return bus_set_transient_usec(u, name, &s->poll_limit_interval, message, flags, error);
++
+         if (streq(name, "SmackLabel"))
+                 return bus_set_transient_string(u, name, &s->smack, message, flags, error);
+ 
+diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in
+index b66adf2811..0d1ee9c231 100644
+--- a/src/core/load-fragment-gperf.gperf.in
++++ b/src/core/load-fragment-gperf.gperf.in
+@@ -507,6 +507,8 @@ Socket.FileDescriptorName,               config_parse_fdname,
+ Socket.Service,                          config_parse_socket_service,                 0,                                  0
+ Socket.TriggerLimitIntervalSec,          config_parse_sec,                            0,                                  offsetof(Socket, trigger_limit.interval)
+ Socket.TriggerLimitBurst,                config_parse_unsigned,                       0,                                  offsetof(Socket, trigger_limit.burst)
++Socket.PollLimitIntervalSec,             config_parse_sec,                            0,                                  offsetof(Socket, poll_limit_interval)
++Socket.PollLimitBurst,                   config_parse_unsigned,                       0,                                  offsetof(Socket, poll_limit_burst)
+ {% if ENABLE_SMACK %}
+ Socket.SmackLabel,                       config_parse_unit_string_printf,             0,                                  offsetof(Socket, smack)
+ Socket.SmackLabelIPIn,                   config_parse_unit_string_printf,             0,                                  offsetof(Socket, smack_ip_in)
+diff --git a/src/core/socket.c b/src/core/socket.c
+index 75034ac357..dc18744f54 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -101,6 +101,9 @@ static void socket_init(Unit *u) {
+ 
+         s->trigger_limit.interval = USEC_INFINITY;
+         s->trigger_limit.burst = UINT_MAX;
++
++        s->poll_limit_interval = USEC_INFINITY;
++        s->poll_limit_burst = UINT_MAX;
+ }
+ 
+ static void socket_unwatch_control_pid(Socket *s) {
+@@ -310,17 +313,20 @@ static int socket_add_extras(Socket *s) {
+          * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
+          * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
+          * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
+-         * service starts are typical. */
++         * service starts are typical.
++         *
++         * For the poll limit we follow a similar rule, but use 3/4th of the trigger limit parameters, to
++         * trigger this earlier. */
+ 
+         if (s->trigger_limit.interval == USEC_INFINITY)
+                 s->trigger_limit.interval = 2 * USEC_PER_SEC;
++        if (s->trigger_limit.burst == UINT_MAX)
++                s->trigger_limit.burst = s->accept ? 200 : 20;
+ 
+-        if (s->trigger_limit.burst == UINT_MAX) {
+-                if (s->accept)
+-                        s->trigger_limit.burst = 200;
+-                else
+-                        s->trigger_limit.burst = 20;
+-        }
++        if (s->poll_limit_interval == USEC_INFINITY)
++                s->poll_limit_interval = 2 * USEC_PER_SEC;
++        if (s->poll_limit_burst == UINT_MAX)
++                s->poll_limit_burst = s->accept ? 150 : 15;
+ 
+         if (have_non_accept_socket(s)) {
+ 
+@@ -770,9 +776,13 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
+ 
+         fprintf(f,
+                 "%sTriggerLimitIntervalSec: %s\n"
+-                "%sTriggerLimitBurst: %u\n",
++                "%sTriggerLimitBurst: %u\n"
++                "%sPollLimitIntervalSec: %s\n"
++                "%sPollLimitBurst: %u\n",
+                 prefix, FORMAT_TIMESPAN(s->trigger_limit.interval, USEC_PER_SEC),
+-                prefix, s->trigger_limit.burst);
++                prefix, s->trigger_limit.burst,
++                prefix, FORMAT_TIMESPAN(s->poll_limit_interval, USEC_PER_SEC),
++                prefix, s->poll_limit_burst);
+ 
+         str = ip_protocol_to_name(s->socket_protocol);
+         if (str)
+@@ -1765,6 +1775,10 @@ static int socket_watch_fds(Socket *s) {
+ 
+                         (void) sd_event_source_set_description(p->event_source, "socket-port-io");
+                 }
++
++                r = sd_event_source_set_ratelimit(p->event_source, s->poll_limit_interval, s->poll_limit_burst);
++                if (r < 0)
++                        log_unit_debug_errno(UNIT(s), r, "Failed to set poll limit on I/O event source, ignoring: %m");
+         }
+ 
+         return 0;
+diff --git a/src/core/socket.h b/src/core/socket.h
+index 191d27f46d..b03a291e4a 100644
+--- a/src/core/socket.h
++++ b/src/core/socket.h
+@@ -158,6 +158,8 @@ struct Socket {
+         char *fdname;
+ 
+         RateLimit trigger_limit;
++        usec_t poll_limit_interval;
++        unsigned poll_limit_burst;
+ };
+ 
+ SocketPeer *socket_peer_ref(SocketPeer *p);
+diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
+index e7b44cc39b..9f0f37488d 100644
+--- a/src/shared/bus-unit-util.c
++++ b/src/shared/bus-unit-util.c
+@@ -2170,10 +2170,10 @@ static int bus_append_path_property(sd_bus_message *m, const char *field, const
+                 return 1;
+         }
+ 
+-        if (streq(field, "TriggerLimitBurst"))
++        if (STR_IN_SET(field, "TriggerLimitBurst", "PollLimitBurst"))
+                 return bus_append_safe_atou(m, field, eq);
+ 
+-        if (streq(field, "TriggerLimitIntervalSec"))
++        if (STR_IN_SET(field, "TriggerLimitIntervalSec", "PollLimitIntervalSec"))
+                 return bus_append_parse_sec_rename(m, field, eq);
+ 
+         return 0;
+@@ -2382,7 +2382,8 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons
+                               "MaxConnections",
+                               "MaxConnectionsPerSource",
+                               "KeepAliveProbes",
+-                              "TriggerLimitBurst"))
++                              "TriggerLimitBurst",
++                              "PollLimitBurst"))
+                 return bus_append_safe_atou(m, field, eq);
+ 
+         if (STR_IN_SET(field, "SocketMode",
+@@ -2397,7 +2398,8 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons
+                               "KeepAliveTimeSec",
+                               "KeepAliveIntervalSec",
+                               "DeferAcceptSec",
+-                              "TriggerLimitIntervalSec"))
++                              "TriggerLimitIntervalSec",
++                              "PollLimitIntervalSec"))
+                 return bus_append_parse_sec_rename(m, field, eq);
+ 
+         if (STR_IN_SET(field, "ReceiveBuffer",

0001-find_legacy_keymap-extend-variant-match-bonus-again.patch

@@ -0,0 +1,50 @@
+From 537c00c984910f417a2f2d4aad997f822060d4d1 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Tue, 19 Sep 2023 16:06:26 -0700
+Subject: [PATCH] find_legacy_keymap: extend variant match bonus again
+
+If the column is "-" and the X context variant specifer only
+contains commas, we should also give the match bonus. The variant
+string is supposed to be a comma-separated list as long as the
+list of layouts, so it's quite natural for consumers to be written
+in such a way that they pass a string only containing commas if
+there are multiple layouts and no variants. anaconda is a real
+world case that does this.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+---
+ src/locale/localed-util.c      | 2 +-
+ src/locale/test-localed-util.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
+index eba13a2ac3..9b6949e14d 100644
+--- a/src/locale/localed-util.c
++++ b/src/locale/localed-util.c
+@@ -839,7 +839,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
+                         if (isempty(xc->model) || streq_ptr(xc->model, a[2])) {
+                                 matching++;
+ 
+-                                if (streq_ptr(xc->variant, a[3]) || (isempty(xc->variant) && streq(a[3], "-"))) {
++                                if (streq_ptr(xc->variant, a[3]) || ((isempty(xc->variant) || streq_skip_trailing_chars(xc->variant, "", ",")) && streq(a[3], "-"))) {
+                                         matching++;
+ 
+                                         if (streq_ptr(xc->options, a[4]))
+diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c
+index f702ff29b0..e92c178a98 100644
+--- a/src/locale/test-localed-util.c
++++ b/src/locale/test-localed-util.c
+@@ -185,6 +185,13 @@ TEST(x11_convert_to_vconsole) {
+         assert_se(streq(vc.keymap, "bg_bds-utf8"));
+         vc_context_clear(&vc);
+ 
++        /* same, but with variant specified as "," */
++        log_info("/* test with variant as ',', desired match second (bg,us:) */");
++        assert_se(free_and_strdup(&xc.variant, ",") >= 0);
++        assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0);
++        assert_se(streq(vc.keymap, "bg_bds-utf8"));
++        vc_context_clear(&vc);
++
+         log_info("/* test with old mapping (fr:latin9) */");
+         assert_se(free_and_strdup(&xc.layout, "fr") >= 0);
+         assert_se(free_and_strdup(&xc.variant, "latin9") >= 0);

0001-find_legacy_keymap-fix-empty-variant-matching.patch

@@ -0,0 +1,58 @@
+From a30ae31351ffa701ca860779495d4f52db4c462c Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Fri, 15 Sep 2023 15:35:36 -0700
+Subject: [PATCH 1/2] find_legacy_keymap: fix empty variant matching
+
+We should give a match bonus if the X context variant is empty
+and the xvariant column in kbd-model-map is "-" (which means
+none). Currently, we don't, which means that if you call this
+on a context with layouts bg,us and no variant, you get the
+console layout bg_pho-utf8 instead of bg_bds-utf8 (because both
+score the same, and the bg_pho-utf8 row comes first). You should
+get bg_bds-utf8 in this case.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+---
+ src/locale/localed-util.c      |  2 +-
+ src/locale/test-localed-util.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
+index 02fac9786b..6a05b50a31 100644
+--- a/src/locale/localed-util.c
++++ b/src/locale/localed-util.c
+@@ -825,7 +825,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
+                         if (isempty(xc->model) || streq_ptr(xc->model, a[2])) {
+                                 matching++;
+ 
+-                                if (streq_ptr(xc->variant, a[3])) {
++                                if (streq_ptr(xc->variant, a[3]) || (isempty(xc->variant) && streq(a[3], "-"))) {
+                                         matching++;
+ 
+                                         if (streq_ptr(xc->options, a[4]))
+diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c
+index cb66dffd48..a19d80a967 100644
+--- a/src/locale/test-localed-util.c
++++ b/src/locale/test-localed-util.c
+@@ -173,6 +173,18 @@ TEST(x11_convert_to_vconsole) {
+         assert_se(streq(vc.keymap, "es-dvorak"));
+         vc_context_clear(&vc);
+ 
++        /* es no-variant test is not very good as the desired match
++        comes first in the list so will win if both candidates score
++        the same. in this case the desired match comes second so will
++        not win unless we correctly give the no-variant match a bonus
++        */
++        log_info("/* test without variant, desired match second (bg,us:) */");
++        assert_se(free_and_strdup(&xc.layout, "bg,us") >= 0);
++        assert_se(free_and_strdup(&xc.variant, NULL) >= 0);
++        assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0);
++        assert_se(streq(vc.keymap, "bg_bds-utf8"));
++        vc_context_clear(&vc);
++
+         log_info("/* test with old mapping (fr:latin9) */");
+         assert_se(free_and_strdup(&xc.layout, "fr") >= 0);
+         assert_se(free_and_strdup(&xc.variant, "latin9") >= 0);
+-- 
+2.41.0
+

0001-keyboard-model-map-correct-sk-qwerty-entry.patch

@@ -0,0 +1,25 @@
+From ca831de1704f4e28241df513aa89ac465a7c8ab2 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Wed, 20 Sep 2023 15:14:31 -0700
+Subject: [PATCH] keyboard-model-map: correct sk-qwerty entry
+
+qwerty here is a variant, not an option.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+---
+ src/locale/kbd-model-map | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/kbd-model-map b/src/locale/kbd-model-map
+index a145e13ecd..279d1a36d8 100644
+--- a/src/locale/kbd-model-map
++++ b/src/locale/kbd-model-map
+@@ -52,7 +52,7 @@ es			es	pc105		-		terminate:ctrl_alt_bksp
+ ro-cedilla		ro	pc105		cedilla		terminate:ctrl_alt_bksp
+ ie			ie	pc105		-		terminate:ctrl_alt_bksp
+ et			ee	pc105		-		terminate:ctrl_alt_bksp
+-sk-qwerty		sk	pc105		-		terminate:ctrl_alt_bksp,qwerty
++sk-qwerty		sk	pc105		qwerty		terminate:ctrl_alt_bksp
+ sk-qwertz		sk	pc105		-		terminate:ctrl_alt_bksp
+ fr-latin9		fr	pc105		latin9		terminate:ctrl_alt_bksp
+ fr_CH-latin1		ch	pc105		fr		terminate:ctrl_alt_bksp

0002-find_legacy_keymap-try-matching-with-layout-order-re.patch

@@ -0,0 +1,117 @@
+From cf649cc21bf997b90606db664d74726fcaf002de Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Fri, 15 Sep 2023 16:02:29 -0700
+Subject: [PATCH 2/2] find_legacy_keymap: try matching with layout order
+ reversed
+
+The lines in kbd-model-map date back to ye olde times (RH's old
+system-config-keyboard), and I think predate this bug:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1039185
+
+where we got strong feedback that, for 'switched' layout setups
+like Russian, US English should be the *first* layout and the
+native layout the *second* one. This is how anaconda and, as of
+recently, gnome-initial-setup configure such cases - but that
+means, if we try to use localed to convert these configurations
+using kbd-model-map, we get the wrong result (we get "us" as the
+console layout). See also:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1912609
+
+where we first noticed this wasn't working right, but sadly, we
+'fixed' it with a not-really-correct bodge in anaconda instead
+of doing it properly.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+---
+ src/locale/localed-util.c      | 44 ++++++++++++++++++++++------------
+ src/locale/test-localed-util.c |  5 +++-
+ 2 files changed, 33 insertions(+), 16 deletions(-)
+
+diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
+index 6a05b50a31..eba13a2ac3 100644
+--- a/src/locale/localed-util.c
++++ b/src/locale/localed-util.c
+@@ -803,21 +803,35 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
+                         /* If we got an exact match, this is the best */
+                         matching = 10;
+                 else {
+-                        /* We have multiple X layouts, look for an
+-                         * entry that matches our key with everything
+-                         * but the first layout stripped off. */
+-                        if (startswith_comma(xc->layout, a[1]))
+-                                matching = 5;
++                        /* see if we get an exact match with the order reversed */
++                        _cleanup_strv_free_ char **b = NULL;
++                        _cleanup_free_ char *c = NULL;
++                        r = strv_split_full(&b, a[1], ",", 0);
++                        if (r < 0)
++                                return r;
++                        strv_reverse(b);
++                        c = strv_join(b, ",");
++                        if (!c)
++                                return log_oom();
++                        if (streq(xc->layout, c))
++                                matching = 9;
+                         else {
+-                                _cleanup_free_ char *x = NULL;
+-
+-                                /* If that didn't work, strip off the
+-                                 * other layouts from the entry, too */
+-                                x = strdupcspn(a[1], ",");
+-                                if (!x)
+-                                        return -ENOMEM;
+-                                if (startswith_comma(xc->layout, x))
+-                                        matching = 1;
++                                /* We have multiple X layouts, look for an
++                                 * entry that matches our key with everything
++                                 * but the first layout stripped off. */
++                                if (startswith_comma(xc->layout, a[1]))
++                                        matching = 5;
++                                else {
++                                        _cleanup_free_ char *x = NULL;
++
++                                        /* If that didn't work, strip off the
++                                         * other layouts from the entry, too */
++                                        x = strdupcspn(a[1], ",");
++                                        if (!x)
++                                                return -ENOMEM;
++                                        if (startswith_comma(xc->layout, x))
++                                                matching = 1;
++                                }
+                         }
+                 }
+ 
+@@ -848,7 +862,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
+                 }
+         }
+ 
+-        if (best_matching < 10 && !isempty(xc->layout)) {
++        if (best_matching < 9 && !isempty(xc->layout)) {
+                 _cleanup_free_ char *l = NULL, *v = NULL, *converted = NULL;
+ 
+                 /* The best match is only the first part of the X11
+diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c
+index a19d80a967..f702ff29b0 100644
+--- a/src/locale/test-localed-util.c
++++ b/src/locale/test-localed-util.c
+@@ -192,11 +192,14 @@ TEST(x11_convert_to_vconsole) {
+         assert_se(streq(vc.keymap, "fr-latin9"));
+         vc_context_clear(&vc);
+ 
++        /* https://bugzilla.redhat.com/show_bug.cgi?id=1039185 */
++        /* us,ru is the x config users want, but they still want ru
++        as the console layout in this case */
+         log_info("/* test with a compound mapping (us,ru:) */");
+         assert_se(free_and_strdup(&xc.layout, "us,ru") >= 0);
+         assert_se(free_and_strdup(&xc.variant, NULL) >= 0);
+         assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0);
+-        assert_se(streq(vc.keymap, "us"));
++        assert_se(streq(vc.keymap, "ru"));
+         vc_context_clear(&vc);
+ 
+         log_info("/* test with a compound mapping (ru,us:) */");
+-- 
+2.41.0
+

0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch

@@ -0,0 +1,80 @@
+From f6b09a2ed646f0a0b54605d4c19a898ab2bbf192 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 18 Sep 2023 17:51:49 +0200
+Subject: [PATCH 2/3] man: document the new
+ PollLimitIntervalSec=/PollLimitBurst= settings
+
+(cherry picked from commit 9373fce68de183a615d44fe100dcf22e3c9b8c3e)
+---
+ man/systemd.socket.xml | 58 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 11 deletions(-)
+
+diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
+index 45555302f1..462978d438 100644
+--- a/man/systemd.socket.xml
++++ b/man/systemd.socket.xml
+@@ -830,17 +830,53 @@
+         <term><varname>TriggerLimitIntervalSec=</varname></term>
+         <term><varname>TriggerLimitBurst=</varname></term>
+ 
+-        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific time
+-        interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
+-        interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
+-        <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
+-        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
+-        the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
+-        value and specifies the number of permitted activations per time interval, and defaults to 200 for
+-        <varname>Accept=yes</varname> sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20
+-        activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the
+-        socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this
+-        limit is enforced before the service activation is enqueued.</para></listitem>
++        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific
++        time interval. The <varname>TriggerLimitIntervalSec=</varname> setting may be used to configure the
++        length of the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>,
++        <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
++        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
++        details on the various time units understood). The <varname>TriggerLimitBurst=</varname> setting
++        takes a positive integer value and specifies the number of permitted activations per time interval,
++        and defaults to 200 for <varname>Accept=yes</varname> sockets (thus by default permitting 200
++        activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of
++        trigger rate limiting.</para>
++
++        <para>If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible
++        anymore until restarted. Note that this limit is enforced before the service activation is
++        enqueued.</para>
++
++        <para>Compare with <varname>PollLimitIntervalSec=</varname>/<varname>PollLimitBurst=</varname>
++        described below, which implements a temporary slowdown if a socket unit is flooded with incoming
++        traffic, as opposed to the permanent failure state
++        <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> results in.</para>
++        </listitem>
++      </varlistentry>
++
++      <varlistentry>
++        <term><varname>PollLimitIntervalSec=</varname></term>
++        <term><varname>PollLimitBurst=</varname></term>
++
++        <listitem><para>Configures a limit on how often polling events on the file descriptors backing this
++        socket unit will be considered. This pair of settings is similar to
++        <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> but instead of
++        putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling
++        frequency. The expected parameter syntax and range are identical to that of the aforementioned
++        options, and can be disabled the same way.</para>
++
++        <para>If the polling limit is hit polling is temporarily disabled on it until the specified time
++        window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger
++        limit won't cause permanent failures. It's the recommended mechanism to deal with DoS attempts
++        through packet flooding.</para>
++
++        <para>The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit
++        which is enforced for the entire socket unit. This distinction matters for socket units that listen
++        on multiple file descriptors (i.e. have multiple <varname>ListenXYZ=</varname> stanzas).</para>
++
++        <para>These setting defaults to 150 (in case of <varname>Accept=yes</varname>) and 15 (otherwise)
++        polling events per 2s. This is considerably lower than the default values for the trigger limit (see
++        above) and means that the polling limit should typically ensure the trigger limit is never hit,
++        unless one of them is reconfigured or disabled.</para>
++        </listitem>
+       </varlistentry>
+ 
+     </variablelist>

0003-ci-add-test-for-poll-limit.patch

@@ -0,0 +1,79 @@
+From ae92a9714744bbf92fe69ffe276a668b031a6d26 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 18 Sep 2023 18:05:27 +0200
+Subject: [PATCH 3/3] ci: add test for poll limit
+
+(cherry picked from commit 065e478a4a8cc8e41a6e87756c081396f253e853)
+---
+ test/TEST-07-PID1/test.sh             |  2 ++
+ test/units/testsuite-07.poll-limit.sh | 48 +++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+ create mode 100755 test/units/testsuite-07.poll-limit.sh
+
+diff --git a/test/TEST-07-PID1/test.sh b/test/TEST-07-PID1/test.sh
+index 1c3d7137fe..d0e35d870f 100755
+--- a/test/TEST-07-PID1/test.sh
++++ b/test/TEST-07-PID1/test.sh
+@@ -32,6 +32,8 @@ Alias=issue2730-alias.mount
+ EOF
+     "${SYSTEMCTL:?}" enable --root="$workspace" issue2730.mount
+     ln -svrf "$workspace/etc/systemd/system/issue2730.mount" "$workspace/etc/systemd/system/issue2730-alias.mount"
++
++    image_install logger
+ }
+ 
+ do_test "$@"
+diff --git a/test/units/testsuite-07.poll-limit.sh b/test/units/testsuite-07.poll-limit.sh
+new file mode 100755
+index 0000000000..480d7ee8df
+--- /dev/null
++++ b/test/units/testsuite-07.poll-limit.sh
+@@ -0,0 +1,48 @@
++#!/usr/bin/env bash
++# SPDX-License-Identifier: LGPL-2.1-or-later
++set -eux
++set -o pipefail
++
++systemd-analyze log-level debug
++
++cat > /run/systemd/system/floodme@.service <<EOF
++[Service]
++ExecStart=/bin/true
++EOF
++
++cat > /run/systemd/system/floodme.socket <<EOF
++[Socket]
++ListenStream=/tmp/floodme
++PollLimitIntervalSec=10s
++Accept=yes
++PollLimitBurst=3
++EOF
++
++systemctl daemon-reload
++systemctl start floodme.socket
++
++START=$(date +%s%N)
++
++# Trigger this 100 times in a flood
++for (( i=0 ; i < 100; i++ )) ; do
++    logger -u /tmp/floodme foo &
++done
++
++# Let some time pass
++sleep 5
++
++END=$(date +%s%N)
++
++PASSED=$((END-START))
++
++# Calculate (round up) how many trigger events could have happened in the passed time
++MAXCOUNT=$(((PASSED+10000000000)*3/10000000000))
++
++# We started 100 connection attempts, but only 3 should have gone through, as per limit
++test "$(systemctl show -P NAccepted floodme.socket)" -le "$MAXCOUNT"
++
++systemctl stop floodme.socket floodme@*.service
++
++rm /run/systemd/system/floodme@.service /run/systemd/system/floodme.socket /tmp/floodme
++
++systemctl daemon-reload

10-map-count.conf

@@ -0,0 +1,3 @@
+# Increase the number of virtual memory areas that one process may request
+# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
+vm.max_map_count=1048576

10-oomd-per-slice-defaults.conf

@@ -0,0 +1,3 @@
+[Slice]
+ManagedOOMMemoryPressure=kill
+ManagedOOMMemoryPressureLimit=80%

10-oomd-root-slice-defaults.conf

@@ -1,2 +0,0 @@
-[Slice]
-ManagedOOMSwap=kill

10-oomd-user-service-defaults.conf

@@ -1,3 +0,0 @@
-[Service]
-ManagedOOMMemoryPressure=kill
-ManagedOOMMemoryPressureLimit=50%

10-timeout-abort.conf

@@ -0,0 +1,14 @@
+# This file is part of the systemd package.
+# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
+#
+# To facilitate debugging when a service fails to stop cleanly,
+# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
+# the time allotted. This will cause the service to be terminated with SIGABRT
+# and a coredump to be generated.
+#
+# To undo this configuration change, create a mask file:
+#   sudo mkdir -p /etc/systemd/system/service.d
+#   sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
+
+[Service]
+TimeoutStopFailureMode=abort

26494.patch

@@ -0,0 +1,30 @@
+From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 20 Feb 2023 12:00:30 +0900
+Subject: [PATCH] core/manager: run generators directly when we are in initrd
+
+Some initrd system write files at ourside of /run, /etc, or other
+allowed places. This is a kind of workaround, but in most cases, such
+sandboxing is not necessary as the filesystem is on ramfs when we are in
+initrd.
+
+Fixes #26488.
+---
+ src/core/manager.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 7b394794b0d4..306477c6e6c2 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
+         /* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
+          * we are the user manager, let's just execute the generators directly. We might not have the
+          * necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
+-         */
+-        if (MANAGER_IS_USER(m)) {
++         * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
++        if (MANAGER_IS_USER(m) || in_initrd()) {
+                 r = manager_execute_generators(m, paths, /* remount_ro= */ false);
+                 goto finish;
+         }

631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa.patch

@@ -0,0 +1,94 @@
+From 631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 26 Jul 2023 09:02:04 +0200
+Subject: [PATCH] rpm: add %systemd_postun_with_reload and
+ %systemd_user_postun_with_reload
+
+For some units, the package would like to issue a reload. The machinery was
+already in place since c9615f73521986b3607b852c139036d58973043c:
+
+  systemctl reload-or-restart --marked
+
+  Enqueues restart jobs for all units that have the 'needs-restart'
+  mark, and reload jobs for units that have the 'needs-reload' mark.
+  When a unit marked for reload does not support reload, restart will
+  be queued.
+
+The new macros allow a reload to be issued instead of a restart.
+
+Based on the discussion on fedora-devel:
+https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IJSUGIEJNYZZRE53FF4YFUEBRHRAVIXR/
+
+Tested using dummy package https://github.com/keszybz/rpm-test-reload.
+---
+ src/rpm/macros.systemd.in        | 16 ++++++++++++++++
+ src/rpm/systemd-update-helper.in | 22 ++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in
+index c07541c7286c..f05553f557e9 100644
+--- a/src/rpm/macros.systemd.in
++++ b/src/rpm/macros.systemd.in
+@@ -101,6 +101,22 @@ if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
+ fi \
+ %{nil}
+ 
++%systemd_postun_with_reload() \
++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_reload}} \
++if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
++    # Package upgrade, not uninstall \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-system-units %{?*} || : \
++fi \
++%{nil}
++
++%systemd_user_postun_with_reload() \
++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_postun_with_reload}} \
++if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
++    # Package upgrade, not uninstall \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-user-units %{?*} || : \
++fi \
++%{nil}
++
+ %udev_hwdb_update() %{nil}
+ 
+ %udev_rules_update() %{nil}
+diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
+index c623a5ea1722..c81e16c3d3ff 100755
+--- a/src/rpm/systemd-update-helper.in
++++ b/src/rpm/systemd-update-helper.in
+@@ -47,6 +47,15 @@ case "$command" in
+         wait
+         ;;
+ 
++    mark-reload-system-units)
++        [ -d /run/systemd/system ] || exit 0
++
++        for unit in "$@"; do
++            systemctl set-property "$unit" Markers=+needs-reload &
++        done
++        wait
++        ;;
++
+     mark-restart-user-units)
+         [ -d /run/systemd/system ] || exit 0
+ 
+@@ -60,6 +69,19 @@ case "$command" in
+         wait
+         ;;
+ 
++    mark-reload-user-units)
++        [ -d /run/systemd/system ] || exit 0
++
++        users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
++        for user in $users; do
++            for unit in "$@"; do
++                SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT_SEC}}s \
++                        systemctl --user -M "$user@" set-property "$unit" Markers=+needs-reload &
++            done
++        done
++        wait
++        ;;
++
+     system-reload-restart|system-reload|system-restart)
+         if [ -n "$*" ]; then
+             echo "Unexpected arguments for '$command': $*"

93651582ae.patch

@@ -1,98 +0,0 @@
-From 93651582aef1ee626dc6f8d032195acd73bc9372 Mon Sep 17 00:00:00 2001
-From: Jonathan Lebon <jonathan@jlebon.com>
-Date: Mon, 23 Mar 2020 12:25:19 -0400
-Subject: [PATCH] manager: optionally, do a full preset on first boot
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A compile time option is added to select behaviour: by default
-UNIT_FILE_PRESET_ENABLE_ONLY is still used, but the intent is to change to
-UNIT_FILE_PRESET_FULL at some point in the future. Distros that want to
-opt-in can use the config option to change the behaviour.
-
-(The option is just a boolean: it would be possible to make it multi-valued,
-and allow full, enable-only, disable-only, none. But so far nobody has asked
-for this, and it's better not to complicate things needlessly.)
-
-With the configuration option flipped, instead of only doing enablements,
-perform a full preset on first boot. The reason is that although
-`/etc/machine-id` might be missing, there may be other files provisioned in
-`/etc` (in fact, this use case is mentioned in `log_execution_mode`). Some of
-those possible files include enablement symlinks even if presets dictate it
-should be disabled.
-
-Such a seemingly contradictory situation occurs in {RHEL,Fedora} CoreOS,
-where we ship `/etc` as if `preset-all` were called. However, we want to
-allow users to disable default-enabled services via Ignition, which does
-this by creating preset dropins before switchroot. (For why we do
-`preset-all` at compose time, see:
-https://github.com/coreos/fedora-coreos-config/pull/77).
-
-For example, the composed FCOS image has a `enable zincati.service`
-preset and an enablement for that in `/etc`, while at boot time when we
-switch root, there may be a `disable zincati.service` preset with higher
-precedence. In that case, we want systemd to disable the service.
-
-This is essentially a revert of 304b3079a203. It seems like systemd
-*used* to do this, but it was changed to try to make the container
-workflow a bit faster.
-
-Resolves: https://github.com/coreos/fedora-coreos-tracker/issues/392
-
-Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
----
- meson.build        | 3 +++
- meson_options.txt  | 2 ++
- src/core/manager.c | 4 +++-
- 3 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/meson.build b/meson.build
-index 582e33c9a73d..72e586aa97c7 100644
---- a/meson.build
-+++ b/meson.build
-@@ -285,6 +285,8 @@ conf.set10('MEMORY_ACCOUNTING_DEFAULT',                       memory_accounting_
- conf.set('STATUS_UNIT_FORMAT_DEFAULT',                        'STATUS_UNIT_FORMAT_' + status_unit_format_default.to_upper())
- conf.set_quoted('STATUS_UNIT_FORMAT_DEFAULT_STR',             status_unit_format_default)
- 
-+conf.set10('FIRST_BOOT_FULL_PRESET',                          get_option('first-boot-full-preset'))
-+
- #####################################################################
- 
- cc = meson.get_compiler('c')
-@@ -4271,6 +4273,7 @@ foreach tuple : [
-         ['link-networkd-shared',  get_option('link-networkd-shared')],
-         ['link-timesyncd-shared', get_option('link-timesyncd-shared')],
-         ['link-boot-shared',      get_option('link-boot-shared')],
-+        ['first-boot-full-preset'],
-         ['fexecve'],
-         ['standalone-binaries',   get_option('standalone-binaries')],
-         ['coverage',              get_option('b_coverage')],
-diff --git a/meson_options.txt b/meson_options.txt
-index 2a030ac28ec0..28765f900e87 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -27,6 +27,8 @@ option('link-timesyncd-shared', type: 'boolean',
-        description : 'link systemd-timesyncd and its helpers to libsystemd-shared.so')
- option('link-boot-shared', type: 'boolean',
-        description : 'link bootctl and systemd-bless-boot against libsystemd-shared.so')
-+option('first-boot-full-preset', type: 'boolean', value: false,
-+       description : 'during first boot, do full preset-all (default will be changed to true later)')
- 
- option('static-libsystemd', type : 'combo',
-        choices : ['false', 'true', 'pic', 'no-pic'],
-diff --git a/src/core/manager.c b/src/core/manager.c
-index 18daff66c780..f4dacef1005d 100644
---- a/src/core/manager.c
-+++ b/src/core/manager.c
-@@ -1728,7 +1728,9 @@ static void manager_preset_all(Manager *m) {
-                 return;
- 
-         /* If this is the first boot, and we are in the host system, then preset everything */
--        r = unit_file_preset_all(LOOKUP_SCOPE_SYSTEM, 0, NULL, UNIT_FILE_PRESET_ENABLE_ONLY, NULL, 0);
-+        UnitFilePresetMode mode = FIRST_BOOT_FULL_PRESET ? UNIT_FILE_PRESET_FULL : UNIT_FILE_PRESET_ENABLE_ONLY;
-+
-+        r = unit_file_preset_all(LOOKUP_SCOPE_SYSTEM, 0, NULL, mode, NULL, 0);
-         if (r < 0)
-                 log_full_errno(r == -EEXIST ? LOG_NOTICE : LOG_WARNING, r,
-                                "Failed to populate /etc with preset unit settings, ignoring: %m");

98-default-mac-none.link

@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: MIT-0
+#
+# This config file is installed as part of systemd.
+# It may be freely copied and edited (following the MIT No Attribution license).
+#
+# To make local modifications, one of the following methods may be used:
+# 1. add a drop-in file that extends this file by creating the
+#    /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
+#    new .conf file there.
+# 2. copy this file into /etc/systemd/network or one of the other paths checked
+#    by systemd-udevd and edit it there.
+# This file should not be edited in place, because it'll be overwritten on upgrades.
+
+[Match]
+Kind=bridge bond team
+
+[Link]
+NamePolicy=keep kernel database onboard slot path
+AlternativeNamesPolicy=database onboard slot path
+MACAddressPolicy=none

README.build-in-place.md

@@ -7,7 +7,7 @@ and his [talk during ASG2019](https://www.youtube.com/watch?v=fVM1kJrymRM).
 git clone https://github.com/systemd/systemd
 fedpkg clone systemd fedora-systemd
 cd systemd
-rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with inplace ../systemd.spec
+rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with inplace ../fedora-systemd/systemd.spec
 sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
 ```
 

changelog

@@ -1,6 +1,3 @@
-* Fri Sep 30 2022 David Abdurachmanov <davidlt@rivosinc.com> - 251.4-53.3.riscv64
-- Rebuild
-
 * Fri Aug 19 2022 Neal Gompa <ngompa@fedoraproject.org> - 251.4-53
 - Set compile-time fallback hostname to "localhost"
   https://fedoraproject.org/wiki/Changes/FallbackHostname

f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch

@@ -1,129 +0,0 @@
-From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 14 Sep 2020 17:58:03 +0200
-Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id()
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1803070
-
-I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different
-than the one we get from /proc/self/fdinfo/. This only matters when both statx and
-name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo:
-
-(gdb) !uname -r
-5.6.19-200.fc31.ppc64le
-
-(gdb) !cat /proc/self/mountinfo
-697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
-698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
-699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
-700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <==========================================================
-701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel
-702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw
-703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755
-704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel
-705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666
-706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
-720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro master:12 - tmpfs tmpfs rw,seclabel,mode=755
-722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel
-725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
-603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
-604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
-610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
-611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
-612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
-613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel
-614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate
-615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
-
-The test process does
-name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then
-openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then
-read(open("/proc/self/fdinfo/4", ...)) which gives
-"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n"
-
-and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo.
-
-We could either drop the fallback path (and fail name_to_handle_at() is not
-avaliable) or ignore the error in the test. Not sure what is better. I think
-this issue only occurs sometimes and with older kernels, so probably continuing
-with the current flaky implementation is better than ripping out the fallback.
-
-Another strace:
-writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603
-) = 28
-name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0
-writev(2</dev/pts/0>, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697
-) = 20
-name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0
-writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605
-) = 30
-name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0
-writev(2</dev/pts/0>, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703
-) = 23
-name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported)
-openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4</proc/filesystems>
-openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5</proc/20/fdinfo/4>
-fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
-fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
-read(5</proc/20/fdinfo/4>, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 36
-read(5</proc/20/fdinfo/4>, "", 1024)    = 0
-close(5</proc/20/fdinfo/4>)             = 0
-close(4</proc/filesystems>)             = 0
-writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725
-) = 42
-writev(2</dev/pts/0>, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc
-) = 39
-writev(2</dev/pts/0>, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.
-) = 109
-rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
-rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
-getpid()                                = 20
-gettid()                                = 20
-tgkill(20, 20, SIGABRT)                 = 0
-rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
---- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} ---
-+++ killed by SIGABRT (core dumped) +++
----
- src/test/test-mountpoint-util.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
-index 30b00ae4d8b..ffe5144b04a 100644
---- a/src/test/test-mountpoint-util.c
-+++ b/src/test/test-mountpoint-util.c
-@@ -89,8 +89,12 @@ static void test_mnt_id(void) {
-                 /* The ids don't match? If so, then there are two mounts on the same path, let's check if
-                  * that's really the case */
-                 char *t = hashmap_get(h, INT_TO_PTR(mnt_id2));
--                log_debug("the other path for mnt id %i is %s\n", mnt_id2, t);
--                assert_se(path_equal(p, t));
-+                log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t);
-+
-+                if (!path_equal(p, t))
-+                        /* Apparent kernel bug in /proc/self/fdinfo */
-+                        log_warning("Bad mount id given for %s: %d, should be %d",
-+                                    p, mnt_id2, mnt_id);
-         }
- }
- 

fedora-use-system-auth-in-pam-systemd-user.patch

@@ -0,0 +1,31 @@
+From c4b803dc60b63a35c977d39610b7872175ec03bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Dec 2022 22:24:53 +0100
+Subject: [PATCH] fedora: use system-auth in pam systemd-user
+
+---
+ src/login/systemd-user.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 8a3c9e0165..74ef5f2552 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -7,7 +7,7 @@
+ -account sufficient pam_systemd_home.so
+ {% endif %}
+ account  sufficient pam_unix.so no_pass_expiry
+-account  required   pam_permit.so
++account  include    system-auth
+ 
+ {% if HAVE_SELINUX %}
+ session  required   pam_selinux.so close
+@@ -20,4 +20,4 @@ session  required   pam_namespace.so
+ -session optional   pam_systemd_home.so
+ {% endif %}
+ session  optional   pam_umask.so silent
+-session  optional   pam_systemd.so
++session  include    system-auth
+-- 
+2.41.0
+

rpminspect.yaml

@@ -1,6 +1,12 @@
  # Disable badfuncs check that has tons of false positives.
 badfuncs:
-  exclude_path: .*
+  allowed:
+    /usr/lib/systemd/tests/unit-tests/*:
+       - inet_addr
+       - inet_aton
+    /usr/bin/networkctl:
+       - inet_addr
+       - inet_aton
 
 # don't report changed content of compiled files
 # that is expected with every update

sources

@@ -1 +1 @@
-SHA512 (systemd-251.4.tar.gz) = 7bbfadd80b88a4c3510a5e4e3572e4eab71dafbf6289da038e552988e09ee8da16da3c9bb8a4fbbde6c6236e0e3c352b0a33f9ee0b84f10241f3499383387738
+SHA512 (systemd-254.5.tar.gz) = 8e9b4f802c4da2a0dea6028df78d20de5d96802d8f614d0392e89dea605cdd8d9c1724ce3ea382378d582402646f8bea2ffcd55a84262461721ee3f691105b7a

split-files.py

@@ -17,6 +17,8 @@ def files(root):
 
 o_libs = open('.file-list-libs', 'w')
 o_udev = open('.file-list-udev', 'w')
+o_ukify = open('.file-list-ukify', 'w')
+o_boot = open('.file-list-boot', 'w')
 o_pam = open('.file-list-pam', 'w')
 o_rpm_macros = open('.file-list-rpm-macros', 'w')
 o_devel = open('.file-list-devel', 'w')
@@ -26,8 +28,10 @@ o_oomd_defaults = open('.file-list-oomd-defaults', 'w')
 o_remote = open('.file-list-remote', 'w')
 o_resolve = open('.file-list-resolve', 'w')
 o_tests = open('.file-list-tests', 'w')
+o_standalone_repart = open('.file-list-standalone-repart', 'w')
 o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w')
 o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w')
+o_standalone_shutdown = open('.file-list-standalone-shutdown', 'w')
 o_main = open('.file-list-main', 'w')
 for file in files(buildroot):
     n = file.path[1:]
@@ -52,12 +56,27 @@ for file in files(buildroot):
                     /var(/cache|/log|/lib|/run|)$
     ''', n, re.X):
         continue
-    if '/security/pam_' in n or '/man8/pam_' in n:
+
+    if n.endswith('.standalone'):
+        if 'repart' in n:
+            o = o_standalone_repart
+        elif 'tmpfiles' in n:
+            o = o_standalone_tmpfiles
+        elif 'sysusers' in n:
+            o = o_standalone_sysusers
+        elif 'shutdown' in n:
+            o = o_standalone_shutdown
+        else:
+            assert False, 'Found .standalone not belonging to known packages'
+
+    elif '/security/pam_' in n or '/man8/pam_' in n:
         o = o_pam
     elif '/rpm/' in n:
         o = o_rpm_macros
     elif '/usr/lib/systemd/tests' in n:
         o = o_tests
+    elif 'ukify' in n:
+        o = o_ukify
     elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n):
         o = o_main
     elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
@@ -101,10 +120,10 @@ for file in files(buildroot):
                        hwdb|
                        bootctl|
                        boot-update|
-                       sd-boot|systemd-boot\.|loader.conf|
                        bless-boot|
                        boot-system-token|
                        kernel-install|
+                       installkernel|
                        vconsole|
                        backlight|
                        rfkill|
@@ -119,6 +138,7 @@ for file in files(buildroot):
                        pstore|
                        sleep|suspend|hibernate|
                        systemd-tmpfiles-setup-dev|
+                       network/98-default-mac-none.link|
                        network/99-default.link|
                        growfs|makefs|makeswap|mkswap|
                        fsck|
@@ -129,8 +149,10 @@ for file in files(buildroot):
                        integritysetup|
                        integritytab|
                        remount-fs|
+                       /initrd|
+                       systemd-pcrphase|
+                       systemd-measure|
                        /boot$|
-                       /boot/efi|
                        /kernel/|
                        /kernel$|
                        /modprobe.d|
@@ -144,6 +166,12 @@ for file in files(buildroot):
                        # confused if those user-facing binaries are not available.
         o = o_udev
 
+    elif re.search(r'''/boot/efi|
+                       /usr/lib/systemd/boot|
+                       sd-boot|systemd-boot\.|loader.conf
+    ''', n, re.X):
+        o = o_boot
+
     elif re.search(r'''resolved|resolve1|
                        systemd-resolve|
                        resolvconf|
@@ -154,14 +182,6 @@ for file in files(buildroot):
     elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
         o = o_oomd_defaults
 
-    elif n.endswith('.standalone'):
-        if 'tmpfiles' in n:
-            o = o_standalone_tmpfiles
-        elif 'sysusers' in n:
-            o = o_standalone_sysusers
-        else:
-            assert False, 'Found .standalone not belonging to known packages'
-
     else:
         o = o_main
 

systemd-user

@@ -1,14 +0,0 @@
-# This file is part of systemd.
-#
-# Used by systemd --user instances.
-
--account sufficient pam_systemd_home.so
-account  sufficient pam_unix.so no_pass_expiry
-account  include system-auth
-
-session  required pam_selinux.so close
-session  required pam_selinux.so nottys open
-session  required pam_loginuid.so
-session  required pam_namespace.so
--session optional pam_systemd_home.so
-session  include system-auth

systemd.spec

@@ -1,8 +1,6 @@
 #global commit c4b843473a75fb38ed5bf54e9d3cfb1cb3719efa
 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
 
-%global stable 1
-
 # We ship a .pc file but don't want to have a dep on pkg-config. We
 # strip the automatically generated dep here and instead co-own the
 # directory.
@@ -17,28 +15,37 @@
 %global elf_suffix ()%{elf_bits}
 %endif
 
+%bcond bzip2  1
+%bcond gnutls 1
+%bcond lz4    1
+%bcond xz     1
+%bcond zlib   1
+%bcond zstd   1
+
 # Bootstrap may be needed to break circular dependencies with cryptsetup,
 # e.g. when re-building cryptsetup on a json-c SONAME-bump.
-%bcond_with    bootstrap
-%bcond_without tests
-%bcond_without lto
+%bcond bootstrap 0
+%bcond tests     1
+%bcond lto       1
 
 # Support for quick builds with rpmbuild --build-in-place.
 # See README.build-in-place.
-%bcond_with    inplace
+%bcond inplace 0
 
 Name:           systemd
-Url:            https://www.freedesktop.org/wiki/Software/systemd
+Url:            https://systemd.io
 %if %{without inplace}
-Version:        251.4
+Version:        254.5
 %else
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        %autorelease -b 28 -e 3.riscv64
+Release:        %autorelease -e 0.riscv64
+
+%global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
 
 # For a breakdown of the licensing, see README
-License:        LGPLv2+ and MIT and GPLv2+
+License:        LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
 Summary:        System and Service Manager
 
 # download tarballs with "spectool -g systemd.spec"
@@ -66,18 +73,21 @@ Source7:        systemd-journal-remote.xml
 Source8:        systemd-journal-gatewayd.xml
 Source9:        20-yama-ptrace.conf
 Source10:       systemd-udev-trigger-no-reload.conf
-Source12:       systemd-user
-Source13:       libsystemd-shared.abignore
+# https://fedoraproject.org/wiki/How_to_filter_libabigail_reports
+Source13:       .abignore
 
 Source14:       10-oomd-defaults.conf
-Source15:       10-oomd-root-slice-defaults.conf
-Source16:       10-oomd-user-service-defaults.conf
+Source15:       10-oomd-per-slice-defaults.conf
+Source16:       10-timeout-abort.conf
+Source17:       10-map-count.conf
 
 Source21:       macros.sysusers
 Source22:       sysusers.attr
 Source23:       sysusers.prov
 Source24:       sysusers.generate-pre.sh
 
+Source25:       98-default-mac-none.link
+
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
 i=1; for j in 00*patch; do printf "Patch%04d:      %s\n" $i $j; i=$((i+1));done|xclip
@@ -90,16 +100,32 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # than in the next section. Packit CI will drop any patches in this range before
 # applying upstream pull requests.
 
-# https://fedoraproject.org/wiki/Changes/Preset_All_Systemd_Units_on_First_Boot
-Patch0001:      https://github.com/systemd/systemd/commit/93651582ae.patch
+# Work-around for dracut issue: run generators directly when we are in initrd
+# https://bugzilla.redhat.com/show_bug.cgi?id=2164404
+Patch0001:      https://github.com/systemd/systemd/pull/26494.patch
+
+# Backport of patches that allow reloading of units
+Patch0002:      https://github.com/systemd/systemd/pull/28521/commits/631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa.patch
+
+# Backport of improvements to console keyboard layout guessing
+# https://github.com/systemd/systemd/pull/29215
+# https://bugzilla.redhat.com/show_bug.cgi?id=1912609
+Patch0003:      0001-find_legacy_keymap-fix-empty-variant-matching.patch
+Patch0004:      0002-find_legacy_keymap-try-matching-with-layout-order-re.patch
+Patch0005:      0001-find_legacy_keymap-extend-variant-match-bonus-again.patch
+Patch0006:      0001-keyboard-model-map-correct-sk-qwerty-entry.patch
+
+# Requested as an alternative to https://fedoraproject.org/wiki/Changes/Drop_Sshd_Socket
+Patch0010:      0001-core-add-new-PollLimit-settings-to-.socket-units.patch
+Patch0011:      0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch
+Patch0012:      0003-ci-add-test-for-poll-limit.patch
 
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0490:      use-bfq-scheduler.patch
 
-# Other downstream-only patches (5000–9999)
-# https://github.com/systemd/systemd/pull/17050
-Patch0501:      https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
+# Adjust upstream config to use our shared stack
+Patch0491:      fedora-use-system-auth-in-pam-systemd-user.patch
 
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
@@ -126,19 +152,31 @@ BuildRequires:  /usr/bin/getfacl
 BuildRequires:  libacl-devel
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  libblkid-devel
+%if %{with xz}
 BuildRequires:  xz-devel
 BuildRequires:  xz
+%endif
+%if %{with lz4}
 BuildRequires:  lz4-devel
 BuildRequires:  lz4
+%endif
+%if %{with bzip2}
 BuildRequires:  bzip2-devel
+%endif
+%if %{with zstd}
 BuildRequires:  libzstd-devel
+%endif
 BuildRequires:  libidn2-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  kmod-devel
 BuildRequires:  elfutils-devel
 BuildRequires:  openssl-devel
+%if %{with gnutls}
 BuildRequires:  gnutls-devel
+%endif
+%if %{undefined rhel}
 BuildRequires:  qrencode-devel
+%endif
 BuildRequires:  libmicrohttpd-devel
 BuildRequires:  libxkbcommon-devel
 BuildRequires:  iptables-devel
@@ -155,12 +193,19 @@ BuildRequires:  gperf
 BuildRequires:  gawk
 BuildRequires:  tree
 BuildRequires:  hostname
-BuildRequires:  python3dist(lxml)
+BuildRequires:  python3
+BuildRequires:  python3-devel
 BuildRequires:  python3dist(jinja2)
-BuildRequires:  firewalld-filesystem
-%if 0%{?have_gnu_efi}
-BuildRequires:  gnu-efi gnu-efi-devel
+BuildRequires:  python3dist(lxml)
+BuildRequires:  python3dist(pefile)
+%if %{undefined rhel}
+BuildRequires:  python3dist(pillow)
+BuildRequires:  python3dist(pytest-flakes)
 %endif
+BuildRequires:  python3dist(pytest)
+BuildRequires:  python3dist(zstd)
+# gzip and lzma are provided by the stdlib
+BuildRequires:  firewalld-filesystem
 BuildRequires:  libseccomp-devel
 BuildRequires:  meson >= 0.43
 BuildRequires:  gettext
@@ -178,19 +223,27 @@ BuildRequires:  bpftool
 %global have_bpf 1
 %endif
 
+%if 0%{?fedora}
+%ifarch x86_64 aarch64
+%global have_xen 1
+# That package is only built for those two architectures
+BuildRequires:  xen-devel
+%endif
+%endif
+
 Requires(post): coreutils
 Requires(post): grep
 # systemd-machine-id-setup requires libssl
 Requires(post): openssl-libs
 Requires:       dbus >= 1.9.18
-Requires:       %{name}-pam = %{version}-%{release}
+Requires:       %{name}-pam%{_isa} = %{version}-%{release}
 Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build)
-Requires:       %{name}-libs = %{version}-%{release}
+Requires:       %{name}-libs%{_isa} = %{version}-%{release}
 %{?fedora:Recommends:     %{name}-networkd = %{version}-%{release}}
 %{?fedora:Recommends:     %{name}-resolved = %{version}-%{release}}
 Recommends:     diffutils
 Requires:       (util-linux-core or util-linux)
-Recommends:     libxkbcommon%{?_isa}
+Recommends:     libxkbcommon%{_isa}
 Provides:       /bin/systemctl
 Provides:       /sbin/shutdown
 Provides:       syslog
@@ -208,10 +261,14 @@ Conflicts:      fedora-release < 23-0.12
 %endif
 Obsoletes:      timedatex < 0.6-3
 Provides:       timedatex = 0.6-3
+Conflicts:      %{name}-standalone-repart < %{version}-%{release}^
+Provides:       %{name}-repart = %{version}-%{release}
 Conflicts:      %{name}-standalone-tmpfiles < %{version}-%{release}^
 Provides:       %{name}-tmpfiles = %{version}-%{release}
 Conflicts:      %{name}-standalone-sysusers < %{version}-%{release}^
 Provides:       %{name}-sysusers = %{version}-%{release}
+Conflicts:      %{name}-standalone-shutdown < %{version}-%{release}^
+Provides:       %{name}-shutdown = %{version}-%{release}
 
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 Recommends:     libidn2.so.0%{?elf_suffix}
@@ -219,9 +276,11 @@ Recommends:     libidn2.so.0(IDN2_0.0.0)%{?elf_bits}
 Recommends:     libpcre2-8.so.0%{?elf_suffix}
 Recommends:     libpwquality.so.1%{?elf_suffix}
 Recommends:     libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits}
+%if %{undefined rhel}
 Recommends:     libqrencode.so.4%{?elf_suffix}
-Recommends:     libbpf.so.0%{?elf_suffix}
-Recommends:     libbpf.so.0(LIBBPF_0.4.0)%{?elf_bits}
+%endif
+Recommends:     libbpf.so.1%{?elf_suffix}
+Recommends:     libbpf.so.1(LIBBPF_0.4.0)%{?elf_bits}
 
 # used by systemd-coredump and systemd-analyze
 Recommends:     libdw.so.1%{?elf_suffix}
@@ -245,12 +304,12 @@ utilities to control basic system configuration like the hostname, date, locale,
 maintain a list of logged-in users, system accounts, runtime directories and
 settings, and a logging daemons.
 %if 0%{?stable}
-This package was built from the %{version}-stable branch of systemd.
+This package was built from the %(c=%version; echo "v${c%.*}-stable") branch of systemd.
 %endif
 
 %package libs
 Summary:        systemd libraries
-License:        LGPLv2+ and MIT
+License:        LGPL-2.1-or-later AND MIT
 Obsoletes:      libudev < 183
 Obsoletes:      systemd < 185-4
 Conflicts:      systemd < 185-4
@@ -282,8 +341,9 @@ for information how to use those macros.
 
 %package devel
 Summary:        Development headers for systemd
-License:        LGPLv2+ and MIT
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+License:        LGPL-2.1-or-later AND MIT
+Requires:       %{name}-libs%{_isa} = %{version}-%{release}
+Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build)
 Provides:       libudev-devel = %{version}
 Provides:       libudev-devel%{_isa} = %{version}
 Obsoletes:      libudev-devel < 183
@@ -294,9 +354,9 @@ to libudev or libsystemd.
 
 %package udev
 Summary: Rule-based device node and kernel event manager
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 
-Requires:       systemd%{?_isa} = %{version}-%{release}
+Requires:       systemd%{_isa} = %{version}-%{release}
 Requires(post):   systemd
 Requires(preun):  systemd
 Requires(postun): systemd
@@ -307,6 +367,8 @@ Obsoletes:      systemd < 245.6-1
 Provides:       udev = %{version}
 Provides:       udev%{_isa} = %{version}
 Obsoletes:      udev < 183
+Requires:       (grubby > 8.40-72 if grubby)
+Requires:       (sdubby > 1.0-3 if sdubby)
 
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 # used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home
@@ -319,8 +381,9 @@ Recommends:     libdw.so.1(ELFUTILS_0.186)%{?elf_bits}
 Recommends:     libelf.so.1%{?elf_suffix}
 Recommends:     libelf.so.1(ELFUTILS_1.7)%{?elf_bits}
 
-# used by home, cryptsetup, cryptenroll
+# used by home, cryptsetup, cryptenroll, logind
 Recommends:     libfido2.so.1%{?elf_suffix}
+Recommends:     libp11-kit.so.0%{?elf_suffix}
 Recommends:     libtss2-esys.so.0%{?elf_suffix}
 Recommends:     libtss2-mu.so.0%{?elf_suffix}
 Recommends:     libtss2-rc.so.0%{?elf_suffix}
@@ -334,6 +397,9 @@ Requires:       kbd
 Provides:       u2f-hidraw-policy = 1.0.2-40
 Obsoletes:      u2f-hidraw-policy < 1.0.2-40
 
+# self-obsoletes to install both packages after split of systemd-boot
+Obsoletes:      systemd-udev < 252.2^
+
 %description udev
 This package contains systemd-udev and the rules and hardware database needed to
 manage device nodes. This package is necessary on physical machines and in
@@ -344,10 +410,49 @@ This package also provides systemd-timesyncd, a network time protocol daemon.
 It also contains tools to manage encrypted home areas and secrets bound to the
 machine, and to create or grow partitions and make file systems automatically.
 
+%if 0%{?have_gnu_efi}
+%package ukify
+Summary:        Tool to build Unified Kernel Images
+Requires:       %{name} = %{version}-%{release}
+
+Requires:       python3dist(pefile)
+Requires:       python3dist(zstd)
+Requires:       python3dist(cryptography)
+Recommends:     python3dist(pillow)
+
+BuildArch:      noarch
+
+%description ukify
+This package provides ukify, a script that combines a kernel image, an initrd,
+with a command line, and possibly PCR measurements and other metadata, into a
+Unified Kernel Image (UKI).
+
+%package boot-unsigned
+Summary: UEFI boot manager (unsigned version)
+
+Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release
+Provides: systemd-boot = %version-%release
+Provides: systemd-boot%{_isa} = %version-%release
+# A provides with just the version, no release or dist, used to build systemd-boot
+Provides: version(systemd-boot-unsigned) = %version
+Provides: version(systemd-boot-unsigned)%{_isa} = %version
+
+# self-obsoletes to install both packages after split of systemd-boot
+Obsoletes:      systemd-udev < 252.2^
+
+%description boot-unsigned
+systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
+graphical menu to select the entry to boot and an editor for the kernel command
+line. systemd-boot supports systems with UEFI firmware only.
+
+This package contains the unsigned version. Install systemd-boot instead to get
+the version that works with Secure Boot.
+%endif
+
 %package container
 # Name is the same as in Debian
 Summary: Tools for containers and VMs
-Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       %{name}%{_isa} = %{version}-%{release}
 Requires(post):   systemd
 Requires(preun):  systemd
 Requires(postun): systemd
@@ -355,7 +460,7 @@ Requires(postun): systemd
 Obsoletes:      %{name} < 229-5
 # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040)
 Suggests:       libcurl-minimal
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 
 %description container
 Systemd tools to spawn and manage containers and virtual machines.
@@ -366,8 +471,8 @@ systemd-importd.
 %package journal-remote
 # Name is the same as in Debian
 Summary:        Tools to send journal events over the network
-Requires:       %{name}%{?_isa} = %{version}-%{release}
-License:        LGPLv2+
+Requires:       %{name}%{_isa} = %{version}-%{release}
+License:        LGPL-2.1-or-later
 Requires:       firewalld-filesystem
 Provides:       %{name}-journal-gateway = %{version}-%{release}
 Provides:       %{name}-journal-gateway%{_isa} = %{version}-%{release}
@@ -384,8 +489,8 @@ systemd-journal-upload.
 
 %package networkd
 Summary:        System daemon that manages network configurations
-Requires:       %{name}%{?_isa} = %{version}-%{release}
-License:        LGPLv2+
+Requires:       %{name}%{_isa} = %{version}-%{release}
+License:        LGPL-2.1-or-later
 # https://src.fedoraproject.org/rpms/systemd/pull-request/34
 Obsoletes:      systemd < 246.6-2
 
@@ -396,7 +501,7 @@ devices.
 
 %package resolved
 Summary:        Network Name Resolution manager
-Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       %{name}%{_isa} = %{version}-%{release}
 Obsoletes:      %{name} < 249~~
 Requires:       libidn2.so.0%{?elf_suffix}
 Requires:       libidn2.so.0(IDN2_0.0.0)%{?elf_bits}
@@ -410,7 +515,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder.
 %package oomd-defaults
 Summary:        Configuration files for systemd-oomd
 Requires:       %{name} = %{version}-%{release}
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 BuildArch:      noarch
 
 %description oomd-defaults
@@ -419,40 +524,69 @@ a userspace out-of-memory (OOM) killer.
 
 %package tests
 Summary:       Internal unit tests for systemd
-Requires:      %{name}%{?_isa} = %{version}-%{release}
-License:       LGPLv2+
+Requires:      %{name}%{_isa} = %{version}-%{release}
+# This dependency is provided transitively. Also add it explicitly to
+# appease rpminspect, https://github.com/rpminspect/rpminspect/issues/1231:
+Requires:      %{name}-libs%{_isa} = %{version}-%{release}
+
+License:       LGPL-2.1-or-later
 
 %description tests
 "Installed tests" that are usually run as part of the build system. They can be
 useful to test systemd internals.
 
+%package standalone-repart
+Summary:       Standalone systemd-repart binary for use on systems without systemd
+Provides:      %{name}-repart = %{version}-%{release}
+RemovePathPostfixes: .standalone
+
+%description standalone-repart
+Standalone systemd-repart binary with no dependencies on the systemd-shared library or
+other libraries from systemd-libs. This package conflicts with the main systemd
+package and is meant for use on systems without systemd.
+
 %package standalone-tmpfiles
-Summary:       Standalone tmpfiles binary for use in non-systemd systems
+Summary:       Standalone systemd-tmpfiles binary for use on systems without systemd
 Provides:      %{name}-tmpfiles = %{version}-%{release}
 RemovePathPostfixes: .standalone
 
 %description standalone-tmpfiles
-Standalone tmpfiles binary with no dependencies on the systemd-shared library or
+Standalone systemd-tmpfiles binary with no dependencies on the systemd-shared library or
 other libraries from systemd-libs. This package conflicts with the main systemd
-package and is meant for use in non-systemd systems.
+package and is meant for use on systems without systemd.
 
 %package standalone-sysusers
-Summary:       Standalone sysusers binary for use in non-systemd systems
+Summary:       Standalone systemd-sysusers binary for use on systems without systemd
 Provides:      %{name}-sysusers = %{version}-%{release}
 RemovePathPostfixes: .standalone
 
 %description standalone-sysusers
-Standalone sysusers binary with no dependencies on the systemd-shared library or
+Standalone systemd-sysusers binary with no dependencies on the systemd-shared library or
 other libraries from systemd-libs. This package conflicts with the main systemd
-package and is meant for use in non-systemd systems.
+package and is meant for use on systems without systemd.
+
+%package standalone-shutdown
+Summary:       Standalone systemd-shutdown binary for use on systems without systemd
+Provides:      %{name}-shutdown = %{version}-%{release}
+RemovePathPostfixes: .standalone
+
+%description standalone-shutdown
+Standalone systemd-shutdown binary with no dependencies on the systemd-shared library or
+other libraries from systemd-libs. This package conflicts with the main systemd
+package and is meant for use in exitrds.
 
 %prep
-%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{version_no_tilde}} -p1
+%autosetup -n %{?commit:%{name}%[%stable?"-stable":""]-%{commit}}%{!?commit:%{name}%[%stable?"-stable":""]-%{version_no_tilde}} -p1
 
-test -f src/login/systemd-user.in
-# Restore systemd-user pam config from before "removal of Fedora-specific bits".
-# We'll systemd process it and install in the right place.
-cp %{SOURCE12} src/login/systemd-user.in
+%generate_buildrequires
+%if 0%{?have_gnu_efi}
+if grep -q gnu-efi meson_options.txt; then
+  echo 'gnu-efi'
+  echo 'gnu-efi-devel'
+else
+  echo 'python3dist(pyelftools)'
+fi
+%endif
 
 %build
 %global ntpvendor %(source /etc/os-release; echo ${ID})
@@ -477,11 +611,11 @@ CONFIGURE_OPTS=(
         -Dbpf-framework=%[0%{?have_bpf}?"true":"false"]
         -Dapparmor=false
         -Dpolkit=true
-        -Dxz=true
-        -Dzlib=true
-        -Dbzip2=true
-        -Dlz4=true
-        -Dzstd=true
+        -Dxz=%[%{with xz}?"true":"false"]
+        -Dzlib=%[%{with zlib}?"true":"false"]
+        -Dbzip2=%[%{with bzip2}?"true":"false"]
+        -Dlz4=%[%{with lz4}?"true":"false"]
+        -Dzstd=%[%{with zstd}?"true":"false"]
         -Dpam=true
         -Dacl=true
         -Dsmack=true
@@ -494,15 +628,15 @@ CONFIGURE_OPTS=(
         -Dlibcryptsetup=%[%{with bootstrap}?"false":"true"]
         -Delfutils=true
         -Dpwquality=true
-        -Dqrencode=true
-        -Dgnutls=true
+        -Dqrencode=%[%{defined rhel}?"false":"true"]
+        -Dgnutls=%[%{with gnutls}?"true":"false"]
         -Dmicrohttpd=true
         -Dlibidn2=true
         -Dlibiptc=false
         -Dlibcurl=true
         -Dlibfido2=true
+        -Dxenctrl=%[0%{?have_xen}?"true":"false"]
         -Defi=true
-        -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"]
         -Dtpm=true
         -Dtpm2=true
         -Dhwdb=true
@@ -533,6 +667,9 @@ CONFIGURE_OPTS=(
         -Ddefault-llmnr=resolve
         # https://bugzilla.redhat.com/show_bug.cgi?id=2028169
         -Dstatus-unit-format-default=combined
+        # https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer
+        -Ddefault-timeout-sec=45
+        -Ddefault-user-timeout-sec=45
         -Doomd=true
         -Dadm-gid=4
         -Daudio-gid=63
@@ -557,6 +694,20 @@ CONFIGURE_OPTS=(
         # -Dsystemd-timesync-uid=, not set yet
 )
 
+if grep gnu-efi meson_options.txt; then
+  CONFIGURE_OPTS+=( -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"] )
+else
+  # For now, let's build the bootloader in the same places where we
+  # built with gnu-efi. Later on, we might want to extend coverage, but
+  # considering that that support is untested, let's not do this now.
+  # Note, ukify requires bootloader, let's also explicitly enable/disable it
+  # here for https://github.com/systemd/systemd/pull/24175.
+  CONFIGURE_OPTS+=(
+        -Dbootloader=%[%{?have_gnu_efi}?"true":"false"]
+        -Dukify=%[%{?have_gnu_efi}?"true":"false"]
+  )
+fi
+
 %if %{without lto}
 %global _lto_cflags %nil
 %endif
@@ -580,6 +731,8 @@ if ! diff -u %{SOURCE1} ${new_triggers}; then
    sleep 5
 fi
 
+sed -r 's|/system/|/user/|g' %{SOURCE16} >10-timeout-abort.conf.user
+
 %install
 %meson_install
 
@@ -665,16 +818,30 @@ install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
 
 # systemd-oomd default configuration
 install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/oomd.conf.d/ %{SOURCE14}
-install -Dm0644 -t %{buildroot}%{system_unit_dir}/-.slice.d/ %{SOURCE15}
-install -Dm0644 -t %{buildroot}%{system_unit_dir}/user@.service.d/ %{SOURCE16}
+install -Dm0644 -t %{buildroot}%{system_unit_dir}/system.slice.d/ %{SOURCE15}
+install -Dm0644 -t %{buildroot}%{user_unit_dir}/slice.d/ %{SOURCE15}
+# https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer
+install -Dm0644 -t %{buildroot}%{system_unit_dir}/service.d/ %{SOURCE16}
+install -Dm0644 10-timeout-abort.conf.user %{buildroot}%{user_unit_dir}/service.d/10-timeout-abort.conf
+
+# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
+install -Dm0644 -t %{buildroot}%{_prefix}/lib/sysctl.d/ %{SOURCE17}
 
 sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py
 
 install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/macros.d/ %{SOURCE21}
+# Use rpm's own sysusers provides where available
+%if ! (0%{?fedora} >= 39 || 0%{?rhel} >= 10)
 install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/fileattrs/ %{SOURCE22}
 install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE23}
+%endif
 install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE24}
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2107754
+install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/network/ %{SOURCE25}
+
+ln -s --relative %{buildroot}%{_bindir}/kernel-install %{buildroot}%{_sbindir}/installkernel
+
 %find_lang %{name}
 
 # Split files in build root into rpms. See split-files.py for the
@@ -682,7 +849,7 @@ install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE24}
 # here.
 python3 %{SOURCE2} %buildroot <<EOF
 %ghost %config(noreplace) /etc/crypttab
-%ghost /etc/udev/hwdb.bin
+%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
 /etc/inittab
 /usr/lib/systemd/purge-nobody-user
 %ghost %config(noreplace) /etc/vconsole.conf
@@ -708,7 +875,7 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %dir /var/lib/systemd/coredump
 %ghost /var/lib/systemd/journal-upload
 %ghost %dir /var/lib/systemd/linger
-%ghost /var/lib/systemd/random-seed
+%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
 %ghost %dir /var/lib/systemd/rfkill
 %ghost %dir %verify(not mode group) /var/log/journal
 %ghost %dir /var/log/journal/remote
@@ -791,10 +958,16 @@ if [ $1 -eq 1 ]; then
    systemd-tmpfiles --create &>/dev/null || :
 fi
 
-%systemd_postun_with_restart systemd-timedated.service systemd-portabled.service systemd-homed.service systemd-hostnamed.service systemd-journald.service systemd-localed.service systemd-userdbd.service systemd-oomd.service
+%systemd_postun_with_restart systemd-timedated.service systemd-hostnamed.service systemd-journald.service systemd-localed.service systemd-userdbd.service systemd-oomd.service
 
 # FIXME: systemd-logind.service is excluded (https://github.com/systemd/systemd/pull/17558)
-# FIXME: user@*.service needs to be restarted, but using systemctl --user daemon-reexec
+
+# This is the explanded form of %%systemd_user_daemon_reexec. We
+# can't use the macro because we define it ourselves.
+if [ $1 -ge 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then
+    # Package upgrade, not uninstall
+    /usr/lib/systemd/systemd-update-helper user-reexec || :
+fi
 
 %triggerun resolved -- systemd < 246.1-1
 # This is for upgrades from previous versions before systemd-resolved became the default.
@@ -812,13 +985,18 @@ if systemctl -q is-enabled systemd-resolved.service &>/dev/null; then
   systemctl start systemd-resolved.service &>/dev/null || :
 fi
 
-%triggerpostun -- systemd < 247.3-2
+%triggerun -- systemd < 247.3-2
 # This is for upgrades from previous versions before oomd-defaults is available.
-# We use %%triggerpostun here because rpm doesn't allow a second %%triggerun with
-# a different package version.
 systemctl --no-reload preset systemd-oomd.service &>/dev/null || :
 
-%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service %{?have_gnu_efi:systemd-boot-update.service}
+%triggerpostun -- systemd < 253~rc1-2
+# This is for upgrades from previous versions where systemd-journald-audit.socket
+# had a static enablement symlink.
+# We use %%triggerpostun here because rpm doesn't allow a second %%triggerun with
+# a different package version.
+systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || :
+
+%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service systemd-timesyncd.service %{?have_gnu_efi:systemd-boot-update.service} systemd-portabled.service systemd-pstore.service remote-cryptsetup.target
 
 %post udev
 # Move old stuff around in /var/lib
@@ -913,6 +1091,8 @@ fi
 [ $1 -eq 1 ] || exit 0
 # Initial installation
 
+touch %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation
+
 # Related to https://bugzilla.redhat.com/show_bug.cgi?id=1943263
 if ls /usr/lib/systemd/libsystemd-shared-24[0-8].so &>/dev/null; then
     echo "Skipping presets for systemd-resolved.service, seems we are upgrading from old systemd."
@@ -922,14 +1102,17 @@ fi
 %systemd_post systemd-resolved.service
 
 %posttrans resolved
-[ $1 -eq 1 ] || exit 0
+[ -e %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation ] || exit 0
+rm %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation
 # Initial installation
 
 # Create /etc/resolv.conf symlink.
-# We would also create it using tmpfiles, but let's do this here
-# too before NetworkManager gets a chance. (systemd-tmpfiles invocation above
-# does not do this, because it's marked with ! and we don't specify --boot.)
-# https://bugzilla.redhat.com/show_bug.cgi?id=1873856
+# (https://bugzilla.redhat.com/show_bug.cgi?id=1873856)
+#
+# We would also create it using tmpfiles, but let's do this here too
+# before NetworkManager gets a chance. (systemd-tmpfiles invocation
+# above does not do this, because the line is marked with ! and
+# tmpfiles is invoked without --boot in the scriptlet.)
 #
 # *Create* the symlink if nothing is present yet.
 # (https://bugzilla.redhat.com/show_bug.cgi?id=2032085)
@@ -991,6 +1174,11 @@ fi
 
 %files udev -f .file-list-udev
 
+%if 0%{?have_gnu_efi}
+%files ukify -f .file-list-ukify
+%files boot-unsigned -f .file-list-boot
+%endif
+
 %files container -f .file-list-container
 %ghost %dir %attr(0700,-,-) /var/lib/machines
 
@@ -1002,9 +1190,19 @@ fi
 
 %files tests -f .file-list-tests
 
+%files standalone-repart -f .file-list-standalone-repart
+
 %files standalone-tmpfiles -f .file-list-standalone-tmpfiles
 
 %files standalone-sysusers -f .file-list-standalone-sysusers
 
+%files standalone-shutdown -f .file-list-standalone-shutdown
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+rm -f 10-timeout-abort.conf.user
+rm -f .file-list-*
+rm -f %{name}.lang
+
 %changelog
 %autochangelog

sysusers.generate-pre.sh

@@ -1,79 +1,96 @@
 #!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*-
 
 # This script turns sysuser.d files into scriptlets mandated by Fedora
 # packaging guidelines. The general idea is to define users using the
 # declarative syntax but to turn this into traditional scriptlets.
 
 user() {
-    user="$1"
-    uid="$2"
-    desc="$3"
-    group="$4"
-    home="$5"
-    shell="$6"
+	user="$1"
+	uid="$2"
+	desc="$3"
+	group="$4"
+	home="$5"
+	shell="$6"
 
-    [ "$desc" = '-' ] && desc=
-    { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
-    { [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin
+	[ "$desc" = '-' ] && desc=
+	{ [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
+	{ [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin
 
-    if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
-        cat <<EOF
-getent passwd '$user' >/dev/null || \\
-    useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || :
-EOF
-    else
-        cat <<EOF
-if ! getent passwd '$user' >/dev/null; then
-    if ! getent passwd '$uid' >/dev/null; then
-        useradd -r -u '$uid' -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || :
-    else
-        useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || :
-    fi
-fi
+	if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
+		cat <<-EOF
+		getent passwd '$user' >/dev/null || \\
+		    useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
+		EOF
+	else
+		cat <<-EOF
+		if ! getent passwd ${user@Q} >/dev/null; then
+		    if ! getent passwd ${uid@Q} >/dev/null; then
+		        useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
+		    else
+		        useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
+		    fi
+		fi
 
-EOF
-    fi
+		EOF
+	fi
 }
 
 group() {
-    group="$1"
-    gid="$2"
-    if [ "$gid" = '-' ]; then
-        cat <<-EOF
-	getent group '$group' >/dev/null || groupadd -r '$group' || :
+	group="$1"
+	gid="$2"
+
+	if [ "$gid" = '-' ]; then
+		cat <<-EOF
+		getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || :
+		EOF
+	else
+		cat <<-EOF
+		getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || :
+		EOF
+	fi
+}
+
+usermod() {
+	user="$1"
+	group="$2"
+
+	cat <<-EOF
+	if getent group ${group@Q} >/dev/null; then
+	    usermod -a -G ${group@Q} '$user' || :
+	fi
 	EOF
-    else
-        cat <<-EOF
-	getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group' || :
-	EOF
-    fi
 }
 
 parse() {
-    while read -r line || [ -n "$line" ] ; do
-        { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
-        line="${line## *}"
-        [ -z "$line" ] && continue
-        eval "arr=( $line )"
-        case "${arr[0]}" in
-            ('u')
-                group "${arr[1]}" "${arr[2]}"
-                user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
-                # TODO: user:group support
-                ;;
-            ('g')
-                group "${arr[1]}" "${arr[2]}"
-                ;;
-            ('m')
-                group "${arr[2]}" "-"
-                user "${arr[1]}" "-" "" "${arr[2]}"
-                ;;
-        esac
-    done
+	while read -r line || [ -n "$line" ] ; do
+		{ [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
+		line="${line## *}"
+		[ -z "$line" ] && continue
+		eval "arr=( $line )"
+		case "${arr[0]}" in
+			('u')
+				if [[ "${arr[2]}" == *":"* ]]; then
+					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
+				else
+					group "${arr[1]}" "${arr[2]}"
+					user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+				fi
+				;;
+			('g')
+				group "${arr[1]}" "${arr[2]}"
+				;;
+			('m')
+				group "${arr[2]}" "-"
+				user "${arr[1]}" "-" "" "${arr[1]}" "" ""
+				usermod "${arr[1]}" "${arr[2]}"
+				;;
+		esac
+	done
 }
 
 for fn in "$@"; do
-    [ -e "$fn" ] || continue
-    echo "# generated from $(basename "$fn")"
-    parse <"$fn"
+	[ -e "$fn" ] || continue
+	echo "# generated from $(basename "$fn")"
+	parse <"$fn"
 done

triggers.systemd

@@ -17,11 +17,7 @@
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
 
 %transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
-if selinuxenabled &>/dev/null; then
-  /usr/lib/systemd/systemd-update-helper user-reload-restart 2>/dev/null || :
-else
-  /usr/lib/systemd/systemd-update-helper user-reload-restart || :
-fi
+/usr/lib/systemd/systemd-update-helper user-reload-restart || :
 
 %transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
 # On removal, we need to run daemon-reload after any units have been
@@ -33,11 +29,7 @@ fi
 
 %transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
 # Execute daemon-reload in user managers.
-if selinuxenabled &>/dev/null; then
-  /usr/lib/systemd/systemd-update-helper user-reload 2>/dev/null || :
-else
-  /usr/lib/systemd/systemd-update-helper user-reload || :
-fi
+/usr/lib/systemd/systemd-update-helper user-reload || :
 
 %transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
 # We restart remaining system services that should be restarted here.
@@ -45,11 +37,7 @@ fi
 
 %transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user /etc/systemd/user
 # We restart remaining user services that should be restarted here.
-if selinuxenabled &>/dev/null; then
-  /usr/lib/systemd/systemd-update-helper user-restart 2>/dev/null || :
-else
-  /usr/lib/systemd/systemd-update-helper user-restart || :
-fi
+/usr/lib/systemd/systemd-update-helper user-restart || :
 
 %transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
 # This script will process files installed in /usr/lib/sysusers.d to create

use-bfq-scheduler.patch

@@ -1,4 +1,4 @@
-From 8a38bc402c8f7c656c7e356c37c432c7b3a8cd6f Mon Sep 17 00:00:00 2001
+From 1990fb757f6d275d807fcb48ad09f5fc7c947bc6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Wed, 14 Aug 2019 15:57:42 +0200
 Subject: [PATCH] udev: use bfq as the default scheduler
@@ -17,24 +17,27 @@ See the bug for more discussion and links.
 
 diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
 new file mode 100644
-index 0000000000..480b941761
+index 0000000000..850b64540e
 --- /dev/null
 +++ b/rules.d/60-block-scheduler.rules
 @@ -0,0 +1,5 @@
 +# do not edit this file, it will be overwritten on update
 +
-+ACTION=="add", SUBSYSTEM=="block", \
++ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
 +  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
 +  ATTR{queue/scheduler}="bfq"
 diff --git a/rules.d/meson.build b/rules.d/meson.build
-index a582e4e922..d300c382fc 100644
+index 20fca222da..94fee9d7c0 100644
 --- a/rules.d/meson.build
 +++ b/rules.d/meson.build
-@@ -8,6 +8,7 @@ rules = [
+@@ -7,6 +7,7 @@ install_data(
+ rules = [
          [files('60-autosuspend.rules',
                 '60-block.rules',
-                '60-cdrom_id.rules',
 +               '60-block-scheduler.rules',
+                '60-cdrom_id.rules',
+                '60-dmi-id.rules',
                 '60-drm.rules',
-                '60-evdev.rules',
-                '60-fido-id.rules',
+-- 
+2.41.0
+