Add 2 patches for automatic aarch64 DTB selection change

This reverts commit 56377438ba. Dropping
of the option currently doesn't disable anything, it just moves the
file. I don't think we gain anything by moving the file and actually
this causes problems [1], so let's just return to status quo ante.

[1] file /etc/init.d conflicts between attempted installs of systemd-259.999+69+g6ceb76bfc-2548.1.x86_64 and chkconfig-1.33-3.fc44.x86_64

[skip changelog]

.editorconfig

@@ -0,0 +1,11 @@
+root = true
+
+[*]
+charset = utf-8
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{yml,yaml}]
+indent_size = 2

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -7,3 +7,7 @@
 /systemd-*.tar.xz
 /systemd-*.tar.gz
 /*.rpm
+/mkosi.output/
+/mkosi.cache/
+/mkosi.builddir/
+/mkosi.local.conf

0001-Revert-units-drop-runlevel-0-6-.target.patch

@@ -0,0 +1,88 @@
+From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Nov 2025 17:52:16 +0100
+Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
+
+This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
+The unit are still needed for compat.
+---
+ units/meson.build | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index 2e04c4aa2b..46eaac4073 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -1,5 +1,7 @@
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
++with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
++
+ units = [
+         { 'file' : 'basic.target' },
+         { 'file' : 'blockdev@.target' },
+@@ -49,7 +51,7 @@ units = [
+         },
+         {
+           'file' : 'graphical.target',
+-          'symlinks' : ['default.target'],
++          'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
+         },
+         { 'file' : 'halt.target' },
+         {
+@@ -142,7 +144,10 @@ units = [
+           'conditions' : ['ENABLE_MACHINED'],
+         },
+         { 'file' : 'modprobe@.service' },
+-        { 'file' : 'multi-user.target' },
++        {
++          'file' : 'multi-user.target',
++          'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
++        },
+         {
+           'file' : 'systemd-mute-console.socket',
+           'symlinks' : ['sockets.target.wants/']
+@@ -155,7 +160,10 @@ units = [
+         { 'file' : 'nss-lookup.target' },
+         { 'file' : 'nss-user-lookup.target' },
+         { 'file' : 'paths.target' },
+-        { 'file' : 'poweroff.target' },
++        {
++          'file' : 'poweroff.target',
++          'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
++        },
+         { 'file' : 'printer.target' },
+         {
+           'file' : 'proc-sys-fs-binfmt_misc.automount',
+@@ -180,7 +188,7 @@ units = [
+         },
+         {
+           'file' : 'reboot.target',
+-          'symlinks' : ['ctrl-alt-del.target'],
++          'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
+         },
+         {
+           'file' : 'remote-cryptsetup.target',
+@@ -200,7 +208,10 @@ units = [
+           'symlinks' : ['initrd-root-device.target.wants/'],
+         },
+         { 'file' : 'rescue.service.in' },
+-        { 'file' : 'rescue.target' },
++        {
++          'file' : 'rescue.target',
++          'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
++        },
+         { 'file' : 'rpcbind.target' },
+         { 'file' : 'serial-getty@.service.in' },
+         { 'file' : 'shutdown.target' },
+@@ -1001,4 +1012,10 @@ else
+                             dbussessionservicedir / 'org.freedesktop.systemd1.service'))
+ endif
+ 
++if conf.get('HAVE_SYSV_COMPAT') == 1
++        foreach i : [1, 2, 3, 4, 5]
++                install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
++        endforeach
++endif
++
+ subdir('user')

0001-core-add-new-PollLimit-settings-to-.socket-units.patch

@@ -1,243 +0,0 @@
-From df25afd2cf5527fe1bb542bb146fef1be8d9a489 Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Sat, 9 Sep 2023 14:46:32 +0200
-Subject: [PATCH 1/3] core: add new "PollLimit" settings to .socket units
-
-This adds a new "PollLimit" pair of settings to .socket units, very
-similar to existing "TriggerLimit" logic. The differences are:
-
-* PollLimit focusses on the polling on the sockets, and pauses that
-  temporarily if a ratelimit on that is reached. TriggerLimit otoh
-  focusses on the triggering effect of socket units, and stops
-  triggering once the ratelimit is hit.
-
-* While the trigger limit being hit is an action that causes the socket
-  unit to fail the polling limit being reached will just temporarily
-  disable polling on the socket fd, and it is resumed once the ratelimit
-  interval is over.
-
-* When a socket unit operates on multiple socket fds (e,g, ListenStream=
-  on both some ipv6 and an ipv4 address or so). Then the PollLimit will
-  be specific to each fd, while the trigger limit is specific to the
-  whole unit.
-
-Implementation-wise this is mostly a wrapper around sd-event's
-sd_event_source_set_ratelimit(), which exposes the desired behaviour
-directly.
-
-Usecase for all of this: socket services which when overloaded with
-connections should just slow down reception of it, but not fail
-persistently.
-
-(cherry picked from commit 2bec84e7a5bf3687ae65205753ba3d8067cf2f0e)
----
- man/org.freedesktop.systemd1.xml      | 12 ++++++++++
- src/core/dbus-socket.c                |  8 +++++++
- src/core/load-fragment-gperf.gperf.in |  2 ++
- src/core/socket.c                     | 32 +++++++++++++++++++--------
- src/core/socket.h                     |  2 ++
- src/shared/bus-unit-util.c            | 10 +++++----
- 6 files changed, 53 insertions(+), 13 deletions(-)
-
-diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
-index 56906e2f3b..0557dc2379 100644
---- a/man/org.freedesktop.systemd1.xml
-+++ b/man/org.freedesktop.systemd1.xml
-@@ -4727,6 +4727,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
-       readonly t TriggerLimitIntervalUSec = ...;
-       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
-       readonly u TriggerLimitBurst = ...;
-+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
-+      readonly t PollLimitIntervalUSec = ...;
-+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
-+      readonly u PollLimitBurst = ...;
-       readonly u UID = ...;
-       readonly u GID = ...;
-       @org.freedesktop.DBus.Property.EmitsChangedSignal("invalidates")
-@@ -5961,6 +5965,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
- 
-     <variablelist class="dbus-property" generated="True" extra-ref="TriggerLimitBurst"/>
- 
-+    <variablelist class="dbus-property" generated="True" extra-ref="PollLimitIntervalUSec"/>
-+
-+    <variablelist class="dbus-property" generated="True" extra-ref="PollLimitBurst"/>
-+
-     <variablelist class="dbus-property" generated="True" extra-ref="UID"/>
- 
-     <variablelist class="dbus-property" generated="True" extra-ref="GID"/>
-@@ -6497,6 +6505,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
- 
-     <!--End of Autogenerated section-->
- 
-+    <para><varname>PollLimitIntervalUSec</varname>/<varname>PollLimitBurst</varname> properties configure the
-+    polling limit for the socket unit. Expects a time in µs, resp. an unsigned integer. If either is set to
-+    zero the limiting feature is turned off.</para>
-+
-     <refsect2>
-       <title>Properties</title>
- 
-diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c
-index 09a3a9502b..04552b7c60 100644
---- a/src/core/dbus-socket.c
-+++ b/src/core/dbus-socket.c
-@@ -129,6 +129,8 @@ const sd_bus_vtable bus_socket_vtable[] = {
-         SD_BUS_PROPERTY("SocketProtocol", "i", bus_property_get_int, offsetof(Socket, socket_protocol), SD_BUS_VTABLE_PROPERTY_CONST),
-         SD_BUS_PROPERTY("TriggerLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Socket, trigger_limit.interval), SD_BUS_VTABLE_PROPERTY_CONST),
-         SD_BUS_PROPERTY("TriggerLimitBurst", "u", bus_property_get_unsigned, offsetof(Socket, trigger_limit.burst), SD_BUS_VTABLE_PROPERTY_CONST),
-+        SD_BUS_PROPERTY("PollLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Socket, poll_limit_interval), SD_BUS_VTABLE_PROPERTY_CONST),
-+        SD_BUS_PROPERTY("PollLimitBurst", "u", bus_property_get_unsigned, offsetof(Socket, poll_limit_burst), SD_BUS_VTABLE_PROPERTY_CONST),
-         SD_BUS_PROPERTY("UID", "u", bus_property_get_uid, offsetof(Unit, ref_uid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
-         SD_BUS_PROPERTY("GID", "u", bus_property_get_gid, offsetof(Unit, ref_gid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
-         BUS_EXEC_COMMAND_LIST_VTABLE("ExecStartPre", offsetof(Socket, exec_command[SOCKET_EXEC_START_PRE]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
-@@ -248,6 +250,9 @@ static int bus_socket_set_transient_property(
-         if (streq(name, "TriggerLimitBurst"))
-                 return bus_set_transient_unsigned(u, name, &s->trigger_limit.burst, message, flags, error);
- 
-+        if (streq(name, "PollLimitBurst"))
-+                return bus_set_transient_unsigned(u, name, &s->poll_limit_burst, message, flags, error);
-+
-         if (streq(name, "SocketMode"))
-                 return bus_set_transient_mode_t(u, name, &s->socket_mode, message, flags, error);
- 
-@@ -275,6 +280,9 @@ static int bus_socket_set_transient_property(
-         if (streq(name, "TriggerLimitIntervalUSec"))
-                 return bus_set_transient_usec(u, name, &s->trigger_limit.interval, message, flags, error);
- 
-+        if (streq(name, "PollLimitIntervalUSec"))
-+                return bus_set_transient_usec(u, name, &s->poll_limit_interval, message, flags, error);
-+
-         if (streq(name, "SmackLabel"))
-                 return bus_set_transient_string(u, name, &s->smack, message, flags, error);
- 
-diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in
-index b66adf2811..0d1ee9c231 100644
---- a/src/core/load-fragment-gperf.gperf.in
-+++ b/src/core/load-fragment-gperf.gperf.in
-@@ -507,6 +507,8 @@ Socket.FileDescriptorName,               config_parse_fdname,
- Socket.Service,                          config_parse_socket_service,                 0,                                  0
- Socket.TriggerLimitIntervalSec,          config_parse_sec,                            0,                                  offsetof(Socket, trigger_limit.interval)
- Socket.TriggerLimitBurst,                config_parse_unsigned,                       0,                                  offsetof(Socket, trigger_limit.burst)
-+Socket.PollLimitIntervalSec,             config_parse_sec,                            0,                                  offsetof(Socket, poll_limit_interval)
-+Socket.PollLimitBurst,                   config_parse_unsigned,                       0,                                  offsetof(Socket, poll_limit_burst)
- {% if ENABLE_SMACK %}
- Socket.SmackLabel,                       config_parse_unit_string_printf,             0,                                  offsetof(Socket, smack)
- Socket.SmackLabelIPIn,                   config_parse_unit_string_printf,             0,                                  offsetof(Socket, smack_ip_in)
-diff --git a/src/core/socket.c b/src/core/socket.c
-index 75034ac357..dc18744f54 100644
---- a/src/core/socket.c
-+++ b/src/core/socket.c
-@@ -101,6 +101,9 @@ static void socket_init(Unit *u) {
- 
-         s->trigger_limit.interval = USEC_INFINITY;
-         s->trigger_limit.burst = UINT_MAX;
-+
-+        s->poll_limit_interval = USEC_INFINITY;
-+        s->poll_limit_burst = UINT_MAX;
- }
- 
- static void socket_unwatch_control_pid(Socket *s) {
-@@ -310,17 +313,20 @@ static int socket_add_extras(Socket *s) {
-          * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
-          * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
-          * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
--         * service starts are typical. */
-+         * service starts are typical.
-+         *
-+         * For the poll limit we follow a similar rule, but use 3/4th of the trigger limit parameters, to
-+         * trigger this earlier. */
- 
-         if (s->trigger_limit.interval == USEC_INFINITY)
-                 s->trigger_limit.interval = 2 * USEC_PER_SEC;
-+        if (s->trigger_limit.burst == UINT_MAX)
-+                s->trigger_limit.burst = s->accept ? 200 : 20;
- 
--        if (s->trigger_limit.burst == UINT_MAX) {
--                if (s->accept)
--                        s->trigger_limit.burst = 200;
--                else
--                        s->trigger_limit.burst = 20;
--        }
-+        if (s->poll_limit_interval == USEC_INFINITY)
-+                s->poll_limit_interval = 2 * USEC_PER_SEC;
-+        if (s->poll_limit_burst == UINT_MAX)
-+                s->poll_limit_burst = s->accept ? 150 : 15;
- 
-         if (have_non_accept_socket(s)) {
- 
-@@ -770,9 +776,13 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
- 
-         fprintf(f,
-                 "%sTriggerLimitIntervalSec: %s\n"
--                "%sTriggerLimitBurst: %u\n",
-+                "%sTriggerLimitBurst: %u\n"
-+                "%sPollLimitIntervalSec: %s\n"
-+                "%sPollLimitBurst: %u\n",
-                 prefix, FORMAT_TIMESPAN(s->trigger_limit.interval, USEC_PER_SEC),
--                prefix, s->trigger_limit.burst);
-+                prefix, s->trigger_limit.burst,
-+                prefix, FORMAT_TIMESPAN(s->poll_limit_interval, USEC_PER_SEC),
-+                prefix, s->poll_limit_burst);
- 
-         str = ip_protocol_to_name(s->socket_protocol);
-         if (str)
-@@ -1765,6 +1775,10 @@ static int socket_watch_fds(Socket *s) {
- 
-                         (void) sd_event_source_set_description(p->event_source, "socket-port-io");
-                 }
-+
-+                r = sd_event_source_set_ratelimit(p->event_source, s->poll_limit_interval, s->poll_limit_burst);
-+                if (r < 0)
-+                        log_unit_debug_errno(UNIT(s), r, "Failed to set poll limit on I/O event source, ignoring: %m");
-         }
- 
-         return 0;
-diff --git a/src/core/socket.h b/src/core/socket.h
-index 191d27f46d..b03a291e4a 100644
---- a/src/core/socket.h
-+++ b/src/core/socket.h
-@@ -158,6 +158,8 @@ struct Socket {
-         char *fdname;
- 
-         RateLimit trigger_limit;
-+        usec_t poll_limit_interval;
-+        unsigned poll_limit_burst;
- };
- 
- SocketPeer *socket_peer_ref(SocketPeer *p);
-diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
-index e7b44cc39b..9f0f37488d 100644
---- a/src/shared/bus-unit-util.c
-+++ b/src/shared/bus-unit-util.c
-@@ -2170,10 +2170,10 @@ static int bus_append_path_property(sd_bus_message *m, const char *field, const
-                 return 1;
-         }
- 
--        if (streq(field, "TriggerLimitBurst"))
-+        if (STR_IN_SET(field, "TriggerLimitBurst", "PollLimitBurst"))
-                 return bus_append_safe_atou(m, field, eq);
- 
--        if (streq(field, "TriggerLimitIntervalSec"))
-+        if (STR_IN_SET(field, "TriggerLimitIntervalSec", "PollLimitIntervalSec"))
-                 return bus_append_parse_sec_rename(m, field, eq);
- 
-         return 0;
-@@ -2382,7 +2382,8 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons
-                               "MaxConnections",
-                               "MaxConnectionsPerSource",
-                               "KeepAliveProbes",
--                              "TriggerLimitBurst"))
-+                              "TriggerLimitBurst",
-+                              "PollLimitBurst"))
-                 return bus_append_safe_atou(m, field, eq);
- 
-         if (STR_IN_SET(field, "SocketMode",
-@@ -2397,7 +2398,8 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons
-                               "KeepAliveTimeSec",
-                               "KeepAliveIntervalSec",
-                               "DeferAcceptSec",
--                              "TriggerLimitIntervalSec"))
-+                              "TriggerLimitIntervalSec",
-+                              "PollLimitIntervalSec"))
-                 return bus_append_parse_sec_rename(m, field, eq);
- 
-         if (STR_IN_SET(field, "ReceiveBuffer",

0001-find_legacy_keymap-extend-variant-match-bonus-again.patch

@@ -1,50 +0,0 @@
-From 537c00c984910f417a2f2d4aad997f822060d4d1 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Tue, 19 Sep 2023 16:06:26 -0700
-Subject: [PATCH] find_legacy_keymap: extend variant match bonus again
-
-If the column is "-" and the X context variant specifer only
-contains commas, we should also give the match bonus. The variant
-string is supposed to be a comma-separated list as long as the
-list of layouts, so it's quite natural for consumers to be written
-in such a way that they pass a string only containing commas if
-there are multiple layouts and no variants. anaconda is a real
-world case that does this.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- src/locale/localed-util.c      | 2 +-
- src/locale/test-localed-util.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
-index eba13a2ac3..9b6949e14d 100644
---- a/src/locale/localed-util.c
-+++ b/src/locale/localed-util.c
-@@ -839,7 +839,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
-                         if (isempty(xc->model) || streq_ptr(xc->model, a[2])) {
-                                 matching++;
- 
--                                if (streq_ptr(xc->variant, a[3]) || (isempty(xc->variant) && streq(a[3], "-"))) {
-+                                if (streq_ptr(xc->variant, a[3]) || ((isempty(xc->variant) || streq_skip_trailing_chars(xc->variant, "", ",")) && streq(a[3], "-"))) {
-                                         matching++;
- 
-                                         if (streq_ptr(xc->options, a[4]))
-diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c
-index f702ff29b0..e92c178a98 100644
---- a/src/locale/test-localed-util.c
-+++ b/src/locale/test-localed-util.c
-@@ -185,6 +185,13 @@ TEST(x11_convert_to_vconsole) {
-         assert_se(streq(vc.keymap, "bg_bds-utf8"));
-         vc_context_clear(&vc);
- 
-+        /* same, but with variant specified as "," */
-+        log_info("/* test with variant as ',', desired match second (bg,us:) */");
-+        assert_se(free_and_strdup(&xc.variant, ",") >= 0);
-+        assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0);
-+        assert_se(streq(vc.keymap, "bg_bds-utf8"));
-+        vc_context_clear(&vc);
-+
-         log_info("/* test with old mapping (fr:latin9) */");
-         assert_se(free_and_strdup(&xc.layout, "fr") >= 0);
-         assert_se(free_and_strdup(&xc.variant, "latin9") >= 0);

0001-find_legacy_keymap-fix-empty-variant-matching.patch

@@ -1,58 +0,0 @@
-From a30ae31351ffa701ca860779495d4f52db4c462c Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Fri, 15 Sep 2023 15:35:36 -0700
-Subject: [PATCH 1/2] find_legacy_keymap: fix empty variant matching
-
-We should give a match bonus if the X context variant is empty
-and the xvariant column in kbd-model-map is "-" (which means
-none). Currently, we don't, which means that if you call this
-on a context with layouts bg,us and no variant, you get the
-console layout bg_pho-utf8 instead of bg_bds-utf8 (because both
-score the same, and the bg_pho-utf8 row comes first). You should
-get bg_bds-utf8 in this case.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- src/locale/localed-util.c      |  2 +-
- src/locale/test-localed-util.c | 12 ++++++++++++
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
-index 02fac9786b..6a05b50a31 100644
---- a/src/locale/localed-util.c
-+++ b/src/locale/localed-util.c
-@@ -825,7 +825,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
-                         if (isempty(xc->model) || streq_ptr(xc->model, a[2])) {
-                                 matching++;
- 
--                                if (streq_ptr(xc->variant, a[3])) {
-+                                if (streq_ptr(xc->variant, a[3]) || (isempty(xc->variant) && streq(a[3], "-"))) {
-                                         matching++;
- 
-                                         if (streq_ptr(xc->options, a[4]))
-diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c
-index cb66dffd48..a19d80a967 100644
---- a/src/locale/test-localed-util.c
-+++ b/src/locale/test-localed-util.c
-@@ -173,6 +173,18 @@ TEST(x11_convert_to_vconsole) {
-         assert_se(streq(vc.keymap, "es-dvorak"));
-         vc_context_clear(&vc);
- 
-+        /* es no-variant test is not very good as the desired match
-+        comes first in the list so will win if both candidates score
-+        the same. in this case the desired match comes second so will
-+        not win unless we correctly give the no-variant match a bonus
-+        */
-+        log_info("/* test without variant, desired match second (bg,us:) */");
-+        assert_se(free_and_strdup(&xc.layout, "bg,us") >= 0);
-+        assert_se(free_and_strdup(&xc.variant, NULL) >= 0);
-+        assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0);
-+        assert_se(streq(vc.keymap, "bg_bds-utf8"));
-+        vc_context_clear(&vc);
-+
-         log_info("/* test with old mapping (fr:latin9) */");
-         assert_se(free_and_strdup(&xc.layout, "fr") >= 0);
-         assert_se(free_and_strdup(&xc.variant, "latin9") >= 0);
--- 
-2.41.0
-

0001-keyboard-model-map-correct-sk-qwerty-entry.patch

@@ -1,25 +0,0 @@
-From ca831de1704f4e28241df513aa89ac465a7c8ab2 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Wed, 20 Sep 2023 15:14:31 -0700
-Subject: [PATCH] keyboard-model-map: correct sk-qwerty entry
-
-qwerty here is a variant, not an option.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- src/locale/kbd-model-map | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/locale/kbd-model-map b/src/locale/kbd-model-map
-index a145e13ecd..279d1a36d8 100644
---- a/src/locale/kbd-model-map
-+++ b/src/locale/kbd-model-map
-@@ -52,7 +52,7 @@ es			es	pc105		-		terminate:ctrl_alt_bksp
- ro-cedilla		ro	pc105		cedilla		terminate:ctrl_alt_bksp
- ie			ie	pc105		-		terminate:ctrl_alt_bksp
- et			ee	pc105		-		terminate:ctrl_alt_bksp
--sk-qwerty		sk	pc105		-		terminate:ctrl_alt_bksp,qwerty
-+sk-qwerty		sk	pc105		qwerty		terminate:ctrl_alt_bksp
- sk-qwertz		sk	pc105		-		terminate:ctrl_alt_bksp
- fr-latin9		fr	pc105		latin9		terminate:ctrl_alt_bksp
- fr_CH-latin1		ch	pc105		fr		terminate:ctrl_alt_bksp

0002-find_legacy_keymap-try-matching-with-layout-order-re.patch

@@ -1,117 +0,0 @@
-From cf649cc21bf997b90606db664d74726fcaf002de Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Fri, 15 Sep 2023 16:02:29 -0700
-Subject: [PATCH 2/2] find_legacy_keymap: try matching with layout order
- reversed
-
-The lines in kbd-model-map date back to ye olde times (RH's old
-system-config-keyboard), and I think predate this bug:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1039185
-
-where we got strong feedback that, for 'switched' layout setups
-like Russian, US English should be the *first* layout and the
-native layout the *second* one. This is how anaconda and, as of
-recently, gnome-initial-setup configure such cases - but that
-means, if we try to use localed to convert these configurations
-using kbd-model-map, we get the wrong result (we get "us" as the
-console layout). See also:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1912609
-
-where we first noticed this wasn't working right, but sadly, we
-'fixed' it with a not-really-correct bodge in anaconda instead
-of doing it properly.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- src/locale/localed-util.c      | 44 ++++++++++++++++++++++------------
- src/locale/test-localed-util.c |  5 +++-
- 2 files changed, 33 insertions(+), 16 deletions(-)
-
-diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
-index 6a05b50a31..eba13a2ac3 100644
---- a/src/locale/localed-util.c
-+++ b/src/locale/localed-util.c
-@@ -803,21 +803,35 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
-                         /* If we got an exact match, this is the best */
-                         matching = 10;
-                 else {
--                        /* We have multiple X layouts, look for an
--                         * entry that matches our key with everything
--                         * but the first layout stripped off. */
--                        if (startswith_comma(xc->layout, a[1]))
--                                matching = 5;
-+                        /* see if we get an exact match with the order reversed */
-+                        _cleanup_strv_free_ char **b = NULL;
-+                        _cleanup_free_ char *c = NULL;
-+                        r = strv_split_full(&b, a[1], ",", 0);
-+                        if (r < 0)
-+                                return r;
-+                        strv_reverse(b);
-+                        c = strv_join(b, ",");
-+                        if (!c)
-+                                return log_oom();
-+                        if (streq(xc->layout, c))
-+                                matching = 9;
-                         else {
--                                _cleanup_free_ char *x = NULL;
--
--                                /* If that didn't work, strip off the
--                                 * other layouts from the entry, too */
--                                x = strdupcspn(a[1], ",");
--                                if (!x)
--                                        return -ENOMEM;
--                                if (startswith_comma(xc->layout, x))
--                                        matching = 1;
-+                                /* We have multiple X layouts, look for an
-+                                 * entry that matches our key with everything
-+                                 * but the first layout stripped off. */
-+                                if (startswith_comma(xc->layout, a[1]))
-+                                        matching = 5;
-+                                else {
-+                                        _cleanup_free_ char *x = NULL;
-+
-+                                        /* If that didn't work, strip off the
-+                                         * other layouts from the entry, too */
-+                                        x = strdupcspn(a[1], ",");
-+                                        if (!x)
-+                                                return -ENOMEM;
-+                                        if (startswith_comma(xc->layout, x))
-+                                                matching = 1;
-+                                }
-                         }
-                 }
- 
-@@ -848,7 +862,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) {
-                 }
-         }
- 
--        if (best_matching < 10 && !isempty(xc->layout)) {
-+        if (best_matching < 9 && !isempty(xc->layout)) {
-                 _cleanup_free_ char *l = NULL, *v = NULL, *converted = NULL;
- 
-                 /* The best match is only the first part of the X11
-diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c
-index a19d80a967..f702ff29b0 100644
---- a/src/locale/test-localed-util.c
-+++ b/src/locale/test-localed-util.c
-@@ -192,11 +192,14 @@ TEST(x11_convert_to_vconsole) {
-         assert_se(streq(vc.keymap, "fr-latin9"));
-         vc_context_clear(&vc);
- 
-+        /* https://bugzilla.redhat.com/show_bug.cgi?id=1039185 */
-+        /* us,ru is the x config users want, but they still want ru
-+        as the console layout in this case */
-         log_info("/* test with a compound mapping (us,ru:) */");
-         assert_se(free_and_strdup(&xc.layout, "us,ru") >= 0);
-         assert_se(free_and_strdup(&xc.variant, NULL) >= 0);
-         assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0);
--        assert_se(streq(vc.keymap, "us"));
-+        assert_se(streq(vc.keymap, "ru"));
-         vc_context_clear(&vc);
- 
-         log_info("/* test with a compound mapping (ru,us:) */");
--- 
-2.41.0
-

0002-machined-continue-without-resolve.hook-socket.patch

@@ -0,0 +1,32 @@
+From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 26 Nov 2025 22:29:53 +0100
+Subject: [PATCH 3/3] machined: continue without resolve.hook socket
+
+---
+ src/machine/machined-varlink.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
+index f83cbb8562..0b30cd0531 100644
+--- a/src/machine/machined-varlink.c
++++ b/src/machine/machined-varlink.c
+@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
+ 
+         r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
+                                              0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
+-                                       VARLINK_PATH_MACHINED_RESOLVE_HOOK);
++        if (r < 0) {
++                bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
++                log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
++                               r,
++                               "Failed to bind to varlink socket %s%s: %m",
++                               VARLINK_PATH_MACHINED_RESOLVE_HOOK,
++                               ignore ? ", ignoring" : "");
++                return ignore ? 0 : r;
++        }
+ 
+         r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
+         if (r < 0)

0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch

@@ -1,80 +0,0 @@
-From f6b09a2ed646f0a0b54605d4c19a898ab2bbf192 Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Mon, 18 Sep 2023 17:51:49 +0200
-Subject: [PATCH 2/3] man: document the new
- PollLimitIntervalSec=/PollLimitBurst= settings
-
-(cherry picked from commit 9373fce68de183a615d44fe100dcf22e3c9b8c3e)
----
- man/systemd.socket.xml | 58 ++++++++++++++++++++++++++++++++++--------
- 1 file changed, 47 insertions(+), 11 deletions(-)
-
-diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
-index 45555302f1..462978d438 100644
---- a/man/systemd.socket.xml
-+++ b/man/systemd.socket.xml
-@@ -830,17 +830,53 @@
-         <term><varname>TriggerLimitIntervalSec=</varname></term>
-         <term><varname>TriggerLimitBurst=</varname></term>
- 
--        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific time
--        interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
--        interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
--        <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
--        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
--        the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
--        value and specifies the number of permitted activations per time interval, and defaults to 200 for
--        <varname>Accept=yes</varname> sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20
--        activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the
--        socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this
--        limit is enforced before the service activation is enqueued.</para></listitem>
-+        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific
-+        time interval. The <varname>TriggerLimitIntervalSec=</varname> setting may be used to configure the
-+        length of the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>,
-+        <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
-+        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
-+        details on the various time units understood). The <varname>TriggerLimitBurst=</varname> setting
-+        takes a positive integer value and specifies the number of permitted activations per time interval,
-+        and defaults to 200 for <varname>Accept=yes</varname> sockets (thus by default permitting 200
-+        activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of
-+        trigger rate limiting.</para>
-+
-+        <para>If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible
-+        anymore until restarted. Note that this limit is enforced before the service activation is
-+        enqueued.</para>
-+
-+        <para>Compare with <varname>PollLimitIntervalSec=</varname>/<varname>PollLimitBurst=</varname>
-+        described below, which implements a temporary slowdown if a socket unit is flooded with incoming
-+        traffic, as opposed to the permanent failure state
-+        <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> results in.</para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+        <term><varname>PollLimitIntervalSec=</varname></term>
-+        <term><varname>PollLimitBurst=</varname></term>
-+
-+        <listitem><para>Configures a limit on how often polling events on the file descriptors backing this
-+        socket unit will be considered. This pair of settings is similar to
-+        <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> but instead of
-+        putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling
-+        frequency. The expected parameter syntax and range are identical to that of the aforementioned
-+        options, and can be disabled the same way.</para>
-+
-+        <para>If the polling limit is hit polling is temporarily disabled on it until the specified time
-+        window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger
-+        limit won't cause permanent failures. It's the recommended mechanism to deal with DoS attempts
-+        through packet flooding.</para>
-+
-+        <para>The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit
-+        which is enforced for the entire socket unit. This distinction matters for socket units that listen
-+        on multiple file descriptors (i.e. have multiple <varname>ListenXYZ=</varname> stanzas).</para>
-+
-+        <para>These setting defaults to 150 (in case of <varname>Accept=yes</varname>) and 15 (otherwise)
-+        polling events per 2s. This is considerably lower than the default values for the trigger limit (see
-+        above) and means that the polling limit should typically ensure the trigger limit is never hit,
-+        unless one of them is reconfigured or disabled.</para>
-+        </listitem>
-       </varlistentry>
- 
-     </variablelist>

0003-ci-add-test-for-poll-limit.patch

@@ -1,79 +0,0 @@
-From ae92a9714744bbf92fe69ffe276a668b031a6d26 Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Mon, 18 Sep 2023 18:05:27 +0200
-Subject: [PATCH 3/3] ci: add test for poll limit
-
-(cherry picked from commit 065e478a4a8cc8e41a6e87756c081396f253e853)
----
- test/TEST-07-PID1/test.sh             |  2 ++
- test/units/testsuite-07.poll-limit.sh | 48 +++++++++++++++++++++++++++
- 2 files changed, 50 insertions(+)
- create mode 100755 test/units/testsuite-07.poll-limit.sh
-
-diff --git a/test/TEST-07-PID1/test.sh b/test/TEST-07-PID1/test.sh
-index 1c3d7137fe..d0e35d870f 100755
---- a/test/TEST-07-PID1/test.sh
-+++ b/test/TEST-07-PID1/test.sh
-@@ -32,6 +32,8 @@ Alias=issue2730-alias.mount
- EOF
-     "${SYSTEMCTL:?}" enable --root="$workspace" issue2730.mount
-     ln -svrf "$workspace/etc/systemd/system/issue2730.mount" "$workspace/etc/systemd/system/issue2730-alias.mount"
-+
-+    image_install logger
- }
- 
- do_test "$@"
-diff --git a/test/units/testsuite-07.poll-limit.sh b/test/units/testsuite-07.poll-limit.sh
-new file mode 100755
-index 0000000000..480d7ee8df
---- /dev/null
-+++ b/test/units/testsuite-07.poll-limit.sh
-@@ -0,0 +1,48 @@
-+#!/usr/bin/env bash
-+# SPDX-License-Identifier: LGPL-2.1-or-later
-+set -eux
-+set -o pipefail
-+
-+systemd-analyze log-level debug
-+
-+cat > /run/systemd/system/floodme@.service <<EOF
-+[Service]
-+ExecStart=/bin/true
-+EOF
-+
-+cat > /run/systemd/system/floodme.socket <<EOF
-+[Socket]
-+ListenStream=/tmp/floodme
-+PollLimitIntervalSec=10s
-+Accept=yes
-+PollLimitBurst=3
-+EOF
-+
-+systemctl daemon-reload
-+systemctl start floodme.socket
-+
-+START=$(date +%s%N)
-+
-+# Trigger this 100 times in a flood
-+for (( i=0 ; i < 100; i++ )) ; do
-+    logger -u /tmp/floodme foo &
-+done
-+
-+# Let some time pass
-+sleep 5
-+
-+END=$(date +%s%N)
-+
-+PASSED=$((END-START))
-+
-+# Calculate (round up) how many trigger events could have happened in the passed time
-+MAXCOUNT=$(((PASSED+10000000000)*3/10000000000))
-+
-+# We started 100 connection attempts, but only 3 should have gone through, as per limit
-+test "$(systemctl show -P NAccepted floodme.socket)" -le "$MAXCOUNT"
-+
-+systemctl stop floodme.socket floodme@*.service
-+
-+rm /run/systemd/system/floodme@.service /run/systemd/system/floodme.socket /tmp/floodme
-+
-+systemctl daemon-reload

0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch

@@ -0,0 +1,112 @@
+From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook <enr0n@ubuntu.com>
+Date: Fri, 19 Dec 2025 11:01:49 -0500
+Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
+
+The primary motivation for this is to allow users of ukify to build
+UKI-like objects, without having them later be detected as a UKI by
+tools like kernel-install and bootctl.
+
+The common code used by these tools to determine if a PE binary is a UKI
+checks that both .osrel and .linux sections are present. Hence, adding
+a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
+---
+ man/ukify.xml                |  5 ++++-
+ src/ukify/test/test_ukify.py | 15 +++++++++++----
+ src/ukify/ukify.py           | 10 +++++++++-
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/man/ukify.xml b/man/ukify.xml
+index 829761642d..7462c5c92f 100644
+--- a/man/ukify.xml
++++ b/man/ukify.xml
+@@ -365,7 +365,10 @@
+           <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
+           may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
+           <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
+-          will be picked up from the host system.</para>
++          will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
++          is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
++          to not be recognized as a UKI by other tools like <command>kernel-install</command>
++          and <command>bootctl</command>).</para>
+ 
+           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
+         </varlistentry>
+diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
+index f75ef0c891..224a38569f 100755
+--- a/src/ukify/test/test_ukify.py
++++ b/src/ukify/test/test_ukify.py
+@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
+ 
+     shutil.rmtree(tmp_path)
+ 
+-def test_inspect(kernel_initrd, tmp_path, capsys):
++def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
+     if kernel_initrd is None:
+         pytest.skip('linux+initrd not found')
+     if not shutil.which('sbsign'):
+@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     output = f'{tmp_path}/signed2.efi'
+     uname_arg='1.2.3'
+-    osrel_arg='Linux'
++    osrel_arg='Linux' if osrel else ''
+     cmdline_arg='ARG1 ARG2 ARG3'
+ 
+     args = [
+@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     text = capsys.readouterr().out
+ 
+-    expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
+-    assert expected_osrel in text
++    if osrel:
++        expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
++        assert expected_osrel in text
++    else:
++        assert '.osrel:' not in text
++
+     expected_cmdline = f'.cmdline:\n  size: {len(cmdline_arg)}'
+     assert expected_cmdline in text
+     expected_uname = f'.uname:\n  size: {len(uname_arg)}'
+@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     shutil.rmtree(tmp_path)
+ 
++def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
++    test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
++
+ @pytest.mark.skipif(not slow_tests, reason='slow')
+ def test_pcr_signing(kernel_initrd, tmp_path):
+     if kernel_initrd is None:
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index c98f8e2a5d..b7542c7eca 100755
+--- a/src/ukify/ukify.py
++++ b/src/ukify/ukify.py
+@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
+         '.profile',
+     }
+ 
++    if not opts.os_release:
++        to_import.remove('.osrel')
++
+     for profile in opts.join_profiles:
+         pe = pefile.PE(profile, fast_load=True)
+         prev_len = len(uki.sections)
+@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
+ 
+     opts.os_release = resolve_at_path(opts.os_release)
+ 
+-    if not opts.os_release and opts.linux:
++    if opts.os_release == '':
++        # If --os-release= with an empty string was passed, treat that as
++        # explicitly disabling the .osrel section, and do not fallback to the
++        # system's os-release files.
++        pass
++    elif opts.os_release is None and opts.linux:
+         p = Path('/etc/os-release')
+         if not p.exists():
+             p = Path('/usr/lib/os-release')
+-- 
+2.52.0
+

0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch

@@ -0,0 +1,51 @@
+From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Date: Mon, 12 Jan 2026 14:56:36 +0100
+Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
+
+When n_all_initrds == 0, then all_initrds is unmodified from its initial
+value of:
+
+	_cleanup_free_ struct iovec *all_initrds = NULL;
+
+and in the else block of the "if (n_all_initrds > 1)" the NULL is
+dereferenced:
+
+		final_initrd = all_initrds[0];
+
+Leading to the stub crashing due to a NULL pointer deref.
+
+Fix this by initializing final_initrd to all 0s and only
+running the else block if (n_all_initrds == 1).
+---
+ src/boot/stub.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/boot/stub.c b/src/boot/stub.c
+index 06ecbc7d18..65950262c6 100644
+--- a/src/boot/stub.c
++++ b/src/boot/stub.c
+@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
+ 
+         /* Combine the initrds into one */
+         _cleanup_pages_ Pages initrd_pages = {};
+-        struct iovec final_initrd;
++        struct iovec final_initrd = {};
+         if (n_all_initrds > 1) {
+-                /* There will always be a base initrd, if this counter is higher, we need to combine them */
++                /* If there is more then 1 initrd we need to combine them */
+                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
+                 if (err != EFI_SUCCESS)
+                         return err;
+@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
+ 
+                 /* Given these might be large let's free them explicitly before we pass control to Linux */
+                 initrds_free(&initrds);
+-        } else
++        } else if (n_all_initrds == 1)
+                 final_initrd = all_initrds[0];
+ 
+         struct iovec kernel = IOVEC_MAKE(
+-- 
+2.52.0
+

30846.patch

@@ -0,0 +1,56 @@
+From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 9 Jan 2024 11:28:04 +0100
+Subject: [PATCH] journal: again create user journals for users with high uids
+
+This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
+'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
+in an additional check of uid_is_container(uid). The problem is that that change
+is not backwards-compatible at all and very hard for users to handle.
+There is no common agreement on mappings of high-range uids. Systemd declares
+ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
+but this is only a recent change and various sites allocated those ranges
+in a different way, in particular FreeIPA uses (used?) uids from this range
+for human users. On big sites with lots of users changing uids is obviously a
+hard problem. We generally assume that uids cannot be "freed" and/or changed
+and/or reused safely, so we shouldn't demand the same from others.
+
+This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
+SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
+huge problems for existing systems with were created with a different
+definition and couldn't be easily updated. For that case, we added a
+configuration time switch and we now parse /etc/login.defs to actually use the
+value that is appropriate for the local system.
+
+Unfortunately, login.defs doesn't have a concept of container allocation ranges
+(and we don't have code to parse and use those nonexistent names either), so we
+can't tell users to adjust logind.defs to work around the changed definition.
+
+login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
+because they are used to define where the add allocations for subuids, which is
+generally a much smaller range. Maybe we should talk with other folks about
+the appropriate allocation ranges and define some new settings in login.defs.
+But this would require discussion and coordination with other projects first.
+
+Actualy, it seems that this change was needed at all. The code in the container
+does not log to the outside journal. It talks to its own journald, which does
+journal splitting using its internal logic based on shifted uids. So let's
+revert the change to fix user systems.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
+---
+ src/basic/uid-classification.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
+index 203ce2c68a..2eb384395d 100644
+--- a/src/basic/uid-classification.c
++++ b/src/basic/uid-classification.c
+@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
+ 
+         /* Returns true if the specified UID shall get its data stored in the system journal. */
+ 
+-        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
++        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
++
+ }

38769.patch

@@ -0,0 +1,42 @@
+From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 30 Aug 2025 13:55:56 +0200
+Subject: [PATCH] core: create userdb root directory with correct label
+
+Set up the /run/systemd/userdb directory with the default SELinux context
+on creation.
+
+With version 257.7-1 on Debian the directory was automatically created with the
+correct label. Starting with version 258 (only tested with 258~rc3-1) it no
+longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
+
+[zjs: edited the patch to apply comments from review and update the description.]
+---
+ src/core/varlink.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/varlink.c b/src/core/varlink.c
+index 99f12c59e5..71a8ffd0e5 100644
+--- a/src/core/varlink.c
++++ b/src/core/varlink.c
+@@ -5,6 +5,7 @@
+ #include "constants.h"
+ #include "errno-util.h"
+ #include "manager.h"
++#include "mkdir-label.h"
+ #include "path-util.h"
+ #include "pidref.h"
+ #include "string-util.h"
+@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
+                         if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
+                                 continue;
+ 
+-                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
++                        r = mkdir_parents_label(address, 0755);
++                        if (r < 0)
++                                log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
++
++                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
+                         if (r < 0)
+                                 return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
+                 }

60-block-scheduler.rules

@@ -0,0 +1,5 @@
+# do not edit this file, it will be overwritten on update
+
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
+  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
+  ATTR{queue/scheduler}="bfq"

631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa.patch

@@ -1,94 +0,0 @@
-From 631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 26 Jul 2023 09:02:04 +0200
-Subject: [PATCH] rpm: add %systemd_postun_with_reload and
- %systemd_user_postun_with_reload
-
-For some units, the package would like to issue a reload. The machinery was
-already in place since c9615f73521986b3607b852c139036d58973043c:
-
-  systemctl reload-or-restart --marked
-
-  Enqueues restart jobs for all units that have the 'needs-restart'
-  mark, and reload jobs for units that have the 'needs-reload' mark.
-  When a unit marked for reload does not support reload, restart will
-  be queued.
-
-The new macros allow a reload to be issued instead of a restart.
-
-Based on the discussion on fedora-devel:
-https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IJSUGIEJNYZZRE53FF4YFUEBRHRAVIXR/
-
-Tested using dummy package https://github.com/keszybz/rpm-test-reload.
----
- src/rpm/macros.systemd.in        | 16 ++++++++++++++++
- src/rpm/systemd-update-helper.in | 22 ++++++++++++++++++++++
- 2 files changed, 38 insertions(+)
-
-diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in
-index c07541c7286c..f05553f557e9 100644
---- a/src/rpm/macros.systemd.in
-+++ b/src/rpm/macros.systemd.in
-@@ -101,6 +101,22 @@ if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
- fi \
- %{nil}
- 
-+%systemd_postun_with_reload() \
-+%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_reload}} \
-+if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
-+    # Package upgrade, not uninstall \
-+    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-system-units %{?*} || : \
-+fi \
-+%{nil}
-+
-+%systemd_user_postun_with_reload() \
-+%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_postun_with_reload}} \
-+if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
-+    # Package upgrade, not uninstall \
-+    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-user-units %{?*} || : \
-+fi \
-+%{nil}
-+
- %udev_hwdb_update() %{nil}
- 
- %udev_rules_update() %{nil}
-diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
-index c623a5ea1722..c81e16c3d3ff 100755
---- a/src/rpm/systemd-update-helper.in
-+++ b/src/rpm/systemd-update-helper.in
-@@ -47,6 +47,15 @@ case "$command" in
-         wait
-         ;;
- 
-+    mark-reload-system-units)
-+        [ -d /run/systemd/system ] || exit 0
-+
-+        for unit in "$@"; do
-+            systemctl set-property "$unit" Markers=+needs-reload &
-+        done
-+        wait
-+        ;;
-+
-     mark-restart-user-units)
-         [ -d /run/systemd/system ] || exit 0
- 
-@@ -60,6 +69,19 @@ case "$command" in
-         wait
-         ;;
- 
-+    mark-reload-user-units)
-+        [ -d /run/systemd/system ] || exit 0
-+
-+        users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
-+        for user in $users; do
-+            for unit in "$@"; do
-+                SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT_SEC}}s \
-+                        systemctl --user -M "$user@" set-property "$unit" Markers=+needs-reload &
-+            done
-+        done
-+        wait
-+        ;;
-+
-     system-reload-restart|system-reload|system-restart)
-         if [ -n "$*" ]; then
-             echo "Unexpected arguments for '$command': $*"

README.build-in-place.md

@@ -7,7 +7,7 @@ and his [talk during ASG2019](https://www.youtube.com/watch?v=fVM1kJrymRM).
 git clone https://github.com/systemd/systemd
 fedpkg clone systemd fedora-systemd
 cd systemd
-rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with inplace ../fedora-systemd/systemd.spec
+rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with upstream ../fedora-systemd/systemd.spec
 sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
 ```
 

changelog

@@ -1,3 +1,760 @@
+* Sun Jan 12 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.2-6
+- Rebuilt for the bin-sbin merge (2nd attempt)
+
+* Fri Jan 10 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.2-4
+- Revert use of PrivateTmp=disconnected (rhbz#2334015,
+  https://github.com/coreos/fedora-coreos-tracker/issues/1857)
+
+* Wed Jan 08 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.2-1
+- Version 257.2
+- Fixes for assertion crashes and memory access issues in pid1 and systemd-
+  machined, and other fixes for systemd-repart, systemd-resolved, systemd-
+  stdio-bridge, systemctl, journalctl, sd-device, hibernation, and the
+  hardware database.
+
+* Tue Jan 07 2025 Yu Watanabe <watanabe.yu+github@gmail.com> - 257.1-7
+- Replace 'udevadm hwdb' with systemd-hwdb
+
+* Tue Jan 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.1-6
+- Rename source .abignore file
+
+* Fri Dec 20 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 257.1-2
+- Re-enable upstream behaviour of systemd-tmpfiles --purge
+
+* Fri Dec 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.1-1
+- Version 257.1
+- A bunch of post-release fixes, incl. for systemd-resolved, tpm2 support,
+  systemd-networkd, systemd-logind, journalct.
+- Should fix rhbz#2325780.
+
+* Sun Dec 15 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 257-3
+- Add patch for test-time-util
+
+* Sun Dec 15 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 257-2
+- sysusers: support new ! line flag for creating fully locked accounts
+
+* Tue Dec 10 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257-1
+- Version 257
+- A bunch of small fixes in various components: systemd itself, systemd-
+  cryptenroll, sd-varlink, sd-boot, documentation, tests
+- Includes an update of the hardware database
+
+* Thu Dec 05 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc3-5
+- Enable slow tests during build
+
+* Tue Dec 03 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc3-3
+- Recommend qemu-kvm-core instead of qemu-kvm (rhbz#2329979)
+
+* Fri Nov 29 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 257~rc3-2
+- Update tmpfiles --destroy-data patch
+
+* Wed Nov 27 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc3-1
+- Version 257~rc3
+- A bunch of small fixes here and there: virtualization detection, udev,
+  systemd-networked, pid1.
+- Includes a hardware database update.
+
+* Tue Nov 26 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-4
+- Make systemd-network-generator co-owned by -udev and -networkd
+  (rhbz#2328723)
+
+* Tue Nov 19 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-3
+- Pull in qemu from systemd-container
+
+* Fri Nov 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-2
+- Change sysusers u! lines to u because we don't have support in rpm
+
+* Fri Nov 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-1
+- Version 257~rc2
+- Changes in systemd-measure, systemd-networkd, documentation, systemd-
+  sysupdated, systemd-sbsign, systemd-boot, systemd-stub, systemd-nspawn,
+  run0, ukify
+- Hardware database update
+
+* Fri Nov 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc1-3
+- Disable freezing of user sessions (rhbz#2321268)
+
+* Thu Nov 07 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc1-1
+- Version 257~rc1
+
+* Thu Nov 07 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.7-7
+- Use %%posttrans instead of %%postun to restart services
+
+* Thu Nov 07 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 256.7-6
+- Disable OpenSSL v3 ENGINE on RHEL
+
+* Tue Nov 05 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.7-4
+- Backport user manager reexec changes
+
+* Tue Nov 05 2024 David Tardon <dtardon@redhat.com> - 256.7-3
+- Use %%systemd_preun in systemd-resolved
+
+* Thu Oct 24 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 256.7-2
+- test_sysusers_defined: support new ! line flag for creating fully locked
+  accounts
+
+* Fri Oct 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.7-1
+- Version 256.7
+- Various small fixes in many components
+- Documentation updates
+
+* Tue Sep 24 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.6-3
+- Move yum/dnf protection removal config file under /usr
+
+* Thu Sep 12 2024 Matteo Croce <teknoraver@meta.com> - 256.6-1
+- Version 256.6
+
+* Thu Aug 29 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-6
+- Always build ukify package
+
+* Wed Aug 28 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-5
+- Do not use patch to modify systemd-user pam config file
+
+* Tue Aug 27 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-3
+- Only make python3-pillow Recommends on Fedora
+
+* Sat Aug 24 2024 Davide Cavalca <dcavalca@fedoraproject.org> - 256.5-2
+- Do not require grubby on CentOS Stream 9
+
+* Tue Aug 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.5-1
+- Version 256.5
+- Includes the patches for the kernel change with kernel threads in leaf
+  cgroups (https://github.com/systemd/systemd/pull/33885)
+- Various smaller fixes
+
+* Tue Aug 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.4-4
+- Disable integration of userdb in sshd
+
+* Mon Jul 29 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.4-3
+- Backport patch to only read /proc/cmdline when not in container
+
+* Mon Jul 29 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.4-2
+- Backport upstream patch to try more initrd variants in
+  90-loaderentry.install
+
+* Thu Jul 25 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.4-1
+- Version 256.4
+- Hardware db update
+- Minor fixes for systemd-udevd and varlink protocol
+
+* Tue Jul 23 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.3-3
+- Update tmpfiles --destroy-data patch
+
+* Tue Jul 23 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.3-1
+- Version 256.3
+- A bunch of fixes for systemd (pid1)
+- Various upgrades related to running tests in mkosi
+
+* Sat Jul 20 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.2-17
+- Simplify BFQ scheduler enablement
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 256.2-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Wed Jul 17 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-9
+- Backport udma buffer access patch (rhbz#2298422)
+
+* Tue Jul 16 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.2-8
+- Add support for building from a specific branch
+
+* Tue Jul 16 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.2-7
+- Update PR patch metadata
+
+* Mon Jul 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-6
+- In standalone subpackages, suggest coreutils-single
+
+* Mon Jul 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-5
+- Drop versions from Conflicts for standalone packages
+
+* Sun Jul 14 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-4
+- Use a more precise Recommends for libkxbcommon
+
+* Thu Jul 11 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.2-3
+- Drop machined revert
+
+* Tue Jul 09 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-2
+- Rebuilt for the bin-sbin merge
+
+* Mon Jul 08 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-1
+- Version 256.2
+- A bunch of various small fixes
+
+* Mon Jul 08 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.1-13
+- Link systemd-executor statically
+
+* Fri Jul 05 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 256.1-12
+- Update dracut workaround
+
+* Fri Jul 05 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 256.1-11
+- Fix ELN build
+
+* Fri Jul 05 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.1-10
+- Only exclude dracut conflicts on non-fedora on upstream builds
+
+* Fri Jul 05 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.1-9
+- Conditionalize dracut Conflicts more
+
+* Tue Jul 02 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.1-8
+- Use vmlinux.h from kernel-devel
+
+* Tue Jul 02 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.1-7
+- Pull in openssl-devel-engine
+
+* Mon Jul 01 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.1-6
+- Only add Requires on python3-zstd on Fedora
+
+* Mon Jul 01 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.1-5
+- Drop BuildRequires on python3-zstd
+
+* Tue Jun 25 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.1-4
+- Revert "Remove tmpfiles snippet for /home and /srv"
+
+* Tue Jun 18 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.1-3
+- Remove tmpfiles snippet for /home and /srv
+
+* Tue Jun 18 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.1-2
+- Soft-disable tmpfiles --purge until a good use case comes up
+
+* Tue Jun 18 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.1-1
+- Version 256.1
+
+* Sun Jun 16 2024 U2FsdGVkX1 <U2FsdGVkX1@gmail.com> - 256-2
+- disable auto-features when bootstrapping
+
+* Tue Jun 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256-1
+- Version 256
+- Only minor changes since -rc4.
+- Hardward db is updated.
+
+* Fri Jun 07 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc4-2
+- Restore patch to drop varlink method call
+
+* Thu Jun 06 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc4-1
+- Version 256~rc4
+
+* Thu Jun 06 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc3-6
+- Drop sysusers.d/basic.conf
+- We rely on setup to provide all necessary groups.
+
+* Sun Jun 02 2024 Adam Williamson <awilliam@redhat.com> - 256~rc3-4
+- Partially backport PR #33016 to fix crashes in KDE 6.3.0
+
+* Wed May 29 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc3-2
+- Add patch to work-around libbpf bug (rhbz#2280935)
+
+* Thu May 23 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc3-1
+- Version 256~rc3
+
+* Wed May 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc2-6
+- Version 256~rc2
+- Various small changes all over
+- A fix for rhbz#2273069
+
+* Mon May 13 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1^20240509git1781de1-4
+- Make %%release_override overridable from outside
+
+* Sat May 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1^20240509git1781de1-2
+- Temporarily drop call to varlink method to avoid SELinux denial
+
+* Thu May 09 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1^20240509git1781de1-1
+- Version 256-rc1^20240509git
+- There were some fixes merged upstream, so let's try again before v256-rc2
+  is released.
+
+* Thu May 02 2024 Jan Macku <jamacku@redhat.com> - 256~rc1-6
+- spec: `systemd-ukify` should depend on `systemd-boot`
+
+* Sat Apr 27 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1-4
+- Add additional daemon-reexec for upgrades from old systemd versions
+
+* Sat Apr 27 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1-3
+- Drop trigger scriptlets for upgrades from systemd < 247
+
+* Sat Apr 27 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1-2
+- Add Recommends for dlopen libraries
+
+* Fri Apr 26 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256~rc1-1
+- Version 256~rc1
+- See https://raw.githubusercontent.com/systemd/systemd/v256-rc1/NEWS. Too
+  many changes to list or discuss here.
+
+* Wed Apr 24 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.5-3
+- Reexec systemd in %%postun
+  (https://github.com/systemd/systemd/issues/5096)
+- The workaround dbus issues in upgrades from systemd-239 is dropped
+
+* Wed Apr 24 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.5-2
+- Drop workaround to run generators without sandboxing (requirement on
+  dracut >= 60 is added)
+
+* Wed Apr 24 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.5-1
+- Version 255.5
+- Many different small fixes: systemd itself, systemd-networkd, systemd-
+  journal-remote, compilation fixes for newer kernels and clang, systemd-
+  homed, systemd-resolved, ukify, systemd-tmpfiles, various other.
+
+* Wed Apr 10 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.4-16
+- Prepare for bin-sbin merge
+
+* Wed Mar 27 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.4-13
+- spec: add %%bcond to build without documentation
+
+* Fri Mar 22 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.4-11
+- Revert "Adjust release tag for riscv64"
+
+* Fri Mar 22 2024 David Abdurachmanov <davidlt@rivosinc.com> - 255.4-10
+- Enable bootloader stack for riscv64
+
+* Fri Mar 22 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.4-9
+- Adjust release tag for riscv64
+
+* Wed Mar 20 2024 David Tardon <dtardon@redhat.com> - 255.4-5
+- Make Requires(*) on systemd versioned
+
+* Wed Mar 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.4-4
+- Add R:systemd-udev to systemd-networkd subpackage (rhbz#2173425)
+
+* Mon Mar 18 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.4-3
+- Add psutil dependency to systemd-tests
+
+* Thu Mar 07 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.4-2
+- Build in developer mode when building for upstream
+
+* Fri Mar 01 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.4-1
+- Version 255.4
+
+* Wed Feb 21 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-13
+- Allow setting extra configure options using
+  %%meson_extra_configure_options
+
+* Wed Feb 21 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-12
+- Apply pam patch when building for upstream
+
+* Wed Feb 21 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-11
+- Use %%version_override/%%release_override to specify version/release by
+  users
+
+* Tue Feb 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.3-10
+- Let libkmod be a dlopen'ed dependency
+
+* Sat Feb 17 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-9
+- Allow overriding the version and release using macros
+
+* Sat Feb 17 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-8
+- Stop passing %%{release} to meson when building in upstream mode
+
+* Sat Feb 17 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-7
+- Don't pass b_lto to meson
+
+* Thu Feb 15 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-6
+- Update usage of meson-vcs-tag.sh to account for upstream changes
+
+* Sun Feb 11 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-5
+- Replace inplace macro with upstream macro
+
+* Sun Feb 11 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-4
+- Remove reconfiguration logic
+
+* Sun Feb 11 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 255.3-3
+- Stop depending on filelists
+
+* Mon Jan 29 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.3-2
+- Conflicts/Provides with systemd-standalone-repart are moved udev
+  subpackage
+
+* Thu Jan 25 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.3-1
+- Version 255.3
+- A bunch of various fixes for memory and behaviour, in many different
+  components (bootctl, systemd, udev, systemd-networkd, systemd-homed,
+  systemd-logind, systemd-resolve, systemd-repart, systemd-analyze,
+  systemd-dissect, systemd-boot, pam modules, systemd-storagetm, systemd-
+  journal-remote, kernel-install)
+- Improved detection of virtualization (Google Compute Engine, Apple Virt)
+- Updates for shell completions and docs
+- An update for hardware database
+
+* Tue Jan 23 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.2-3
+- Add temporary patch to adjust uid range classification (rhbz#2251843)
+
+* Tue Jan 09 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.2-1
+- Version 255.2
+- Fixes missing DNSSEC validity check in SOA DNS packets (CVE-2023-7008)
+- systemd-resolved and systemd-networkd are restarted after an upgrade.
+
+* Tue Jan 09 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.1-2
+- Add missing %%postun scriptlets for systemd-{resolved,networkd}
+  (rhbz#2255718)
+
+* Sat Dec 16 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255.1-1
+- Version 255.1
+
+* Wed Dec 13 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255-7
+- Do not remove modified config files
+
+* Fri Dec 08 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255-4
+- Add /etc/ssh/sshd_config.d to the file list
+
+* Fri Dec 08 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255-3
+- Move config files to /usr/lib/systemd (e.g. /etc/systemd/system.conf →
+  /usr/lib/systemd/systemd.conf). Both config file locations were already
+  supported, and the files installed in /etc/ were "empty" (i.e. they had
+  only comments and section headers). The move does not change the
+  configuration, but just makes /etc more empty by default. See
+  https://github.com/systemd/systemd/commit/6495361c7d for more discussion
+  and details.
+
+* Fri Dec 08 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255-2
+- Move systemd-bsod is to udev subpackage
+
+* Wed Dec 06 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255-1
+- Version 255
+- Just a few bugfixes since 255-rc4: seccomp filters, logging,
+  documentation, systemd-repart
+- Includes a hardware database update.
+
+* Sat Dec 02 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc4-1
+- Version 255~rc4
+
+* Fri Dec 01 2023 Adam Williamson <awilliam@redhat.com> - 255~rc3-4
+- Backport PRs #30170 and #30266 to fix BPF denials (RHBZ #2250930)
+
+* Wed Nov 29 2023 Adam Williamson <awilliam@redhat.com> - 255~rc3-3
+- Backport #30197 to fix vconsole startup (RHBZ #2251394)
+
+* Thu Nov 23 2023 Peter Robinson <pbrobinson@gmail.com> - 255~rc3-2
+- de-dupe LICENSE.LGPL2.1 in licenses
+
+* Wed Nov 22 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc3-1
+- Version 255~rc3
+
+* Wed Nov 22 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc2-2
+- Add systemd-networkd-defaults subpackage
+
+* Wed Nov 15 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc2-1
+- Version 255~rc2
+- See See https://raw.githubusercontent.com/systemd/systemd/v255-rc2/NEWS
+
+* Wed Nov 08 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+- Add Conflicts with older dracut which doesn't have required patches
+
+* Tue Nov 07 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc1-3
+- Also build systemd-vmspawn
+
+* Tue Nov 07 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc1-2
+- Move oomd to systemd-udev
+
+* Tue Nov 07 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 255~rc1-1
+- Version 255~rc1
+- See https://raw.githubusercontent.com/systemd/systemd/v255-rc1/NEWS
+- All the files and services related to pcrs are moved to -udev subpackage.
+  This includes the new systemd-pcrlock binary.
+
+* Wed Sep 27 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.5-2
+- Pull in more patches for keyboard layout matching
+
+* Wed Sep 27 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.5-1
+- Version 254.5
+- Resolves rhbz#29216.
+
+* Wed Sep 27 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.2-14
+- Pull in patches to add PollLimit setting
+
+* Wed Sep 27 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.2-13
+- Change versioned Conflicts to rich Requires (rhbz#2240828)
+
+* Tue Sep 19 2023 Adam Williamson <awilliam@redhat.com> - 254.2-12
+- Backport PR #29215 to improve keyboard layout matching
+
+* Mon Sep 18 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.2-7
+- Fix creation of installkernel symlink
+
+* Fri Sep 15 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.2-6
+- Provide /usr/sbin/installkernel (rhbz#2239008).
+
+* Thu Sep 07 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.2-2
+- Make inter-subpackage dependencies archful
+
+* Thu Sep 07 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.2-1
+- Version 254.2
+- A bunch of fixes in various areas: manager, coredump, sysupdate,
+  hibernation, journal.
+- Should fix rhbz#2234653.
+
+* Wed Sep 06 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.1-8
+- Actually reload user managers and backport unit reload macros
+
+* Sat Sep 02 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 254.1-7
+- ukify: Drop obsolete dependency on objcopy
+
+* Sat Sep 02 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 254.1-6
+- Add missing ukify dependency on python-cryptography
+
+* Sun Aug 20 2023 Yu Watanabe <watanabe.yu+github@gmail.com> - 254.1-5
+- spec: also explicitly enable/disable ukify support
+
+* Sun Aug 13 2023 Yu Watanabe <watanabe.yu+github@gmail.com> - 254.1-4
+- spec: explicitly enable/disable xen support
+
+* Wed Aug 09 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254.1-1
+- Version 254.1 (rhbz#2228089, possibly partial fix for rhbz#2229524)
+
+* Wed Aug 09 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254-5
+- Do daemon-reexec of user managers after package upgrade
+
+* Mon Aug 07 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 254-4
+- Revert "Supress errors on selinux systems"
+
+* Thu Aug 03 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 254-3
+- Add a custom %%clean implementation
+
+* Thu Aug 03 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 254-2
+- Update libbpf soname
+
+* Fri Jul 28 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254-1
+- Version 254 (just a bunch of bugfixes, mostly for unusual architectures,
+  since rc3)
+- rhbz#2226908
+- See https://raw.githubusercontent.com/systemd/systemd/v254-rc1/NEWS for
+  the full changeset.
+
+* Mon Jul 24 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254~rc3-1
+- Version 254~rc3
+- A bunch of fixes, e.g. rhbz#2223795. Also a bunch of reverts of commits
+  which were found to cause problems.
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 254~rc2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 17 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254~rc2-4
+- Fix scriptlets for various services and remote-cryptsetup.target
+  (rhbz#2217997)
+
+* Sun Jul 16 2023 Stewart Smith <stewart@flamingspork.com> - 254~rc2-3
+- Convert existing bcond_with[out] to plain bcond
+
+* Sun Jul 16 2023 Stewart Smith <trawets@amazon.com> - 254~rc2-2
+- Move gnutls, zlib, bzip2, lz4, xz, and zstd to bconds
+
+* Sat Jul 15 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254~rc2-1
+- Version 254~rc2
+- Various bug fixes, in particular kernel-install should again work without
+  /proc.
+
+* Thu Jul 13 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 254~rc1-1
+- Version 254~rc1
+- Way too many changes to list. See
+  https://raw.githubusercontent.com/systemd/systemd/v254-rc1/NEWS
+- Fix regression in socket activation of services (rhbz#2213660).
+
+* Mon Jun 26 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 253.5-7
+- Use rpm sysuser provide generation on RHEL >= 10
+
+* Thu Jun 22 2023 Panu Matilainen <pmatilai@redhat.com> - 253.5-6
+- Use rpm's sysuser provide generation on Fedora >= 39
+
+* Wed Jun 21 2023 Anita Zhang <the.anitazha@gmail.com> - 253.5-5
+- fix typos in standalone package provides
+
+* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 253.5-4
+- Avoid pillow and pyflakes in RHEL builds
+
+* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 253.5-3
+- Avoid qrencode dependency in RHEL builds
+
+* Fri Jun 02 2023 Alessandro Astone <ales.astone@gmail.com> - 253.5-2
+- Increase vm.max_map_count
+
+* Thu Jun 01 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.5-1
+- Version 253.5
+
+* Thu May 11 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.4-1
+- Version 253.4
+
+* Thu May 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 253.2-6
+- Raise ManagedOOMMemoryPressureLimit from 50%% to 80%%
+
+* Tue May 09 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.2-5
+- Add forgotten Provides and Conflicts for standalones
+
+* Wed Apr 26 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.2-4
+- sysusers.generate-pre.sh: properly escape quotes in description strings
+  (rhbz#2104141)
+
+* Wed Apr 26 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.2-3
+- sysusers.generate-pre.sh: fix indentation in generated scripts
+
+* Wed Mar 29 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.2-1
+- Version 253.2
+
+* Wed Mar 29 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.1-7
+- oomd: stop monitoring user-*.slice slices (rhbz#2177722)
+
+* Thu Mar 09 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.1-6
+- Move /usr/lib/systemd/boot/ to systemd-boot-unsigned subpackage
+
+* Fri Mar 03 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.1-2
+- Fix build with gnu-efi-3.0.11-13
+
+* Fri Mar 03 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253.1-1
+- Version 253.1
+- Fixes rhbz#2148464
+
+* Wed Mar 01 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253-7
+- Move man pages for sd-boot into systemd-boot-unsigned
+
+* Wed Feb 22 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253-6
+- Set TimeoutStopFailureMode=abort for services (see
+  https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer)
+
+* Tue Feb 21 2023 Dusty Mabe <dusty@dustymabe.com> - 253-5
+- remove group write permission from 98-default-mac-none.link
+
+* Tue Feb 21 2023 Dusty Mabe <dusty@dustymabe.com> - 253-4
+- fix comment instructions for 98-default-mac-none.link
+
+* Tue Feb 21 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253-3
+- Backport patch for container compatibility (rhbz#2165004)
+
+* Tue Feb 21 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253-2
+- Add workaround patch for dracut generator issue (rhbz#2164404)
+
+* Mon Feb 20 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253-1
+- Version 253 (mostly some documentation fixes since -rc3).
+
+* Fri Feb 10 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc3-1
+- Version 253-rc3
+- A bunch of bugfixes for regressions, some documentation and bug fixes
+  too.
+- Really fix rhbz#2165692 (previous build carried an unapplied patch).
+
+* Thu Feb 09 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc2-7
+- Revert patch switch causes problems for 'systemctl isolate'
+  (rhbz#2165692)
+
+* Wed Feb 08 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc2-6
+- Disable systemd-boot-update.service in presets
+
+* Wed Feb 08 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc2-4
+- Update License to SPDX
+
+* Mon Feb 06 2023 Thomas Haller <thaller@redhat.com> - 253~rc2-3
+- add "98-default-mac-none.link" to keep default MAC address of
+  bridge/bond/team
+
+* Thu Feb 02 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 253~rc2-2
+- Shorten shutdown timeout to 45 s
+
+* Thu Feb 02 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc2-1
+- Version 253~rc2
+- Sysusers fixup (rhbz#2156900) + other small changes
+
+* Thu Feb 02 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 253~rc1-5
+- Build with xen only on Fedora
+
+* Thu Jan 26 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc1-3
+- Reenable systemd-journald-audit.socket after upgrades (rhbz#2164594)
+
+* Wed Jan 25 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc1-2
+- Add Requires on Python modules to systemd-ukify and Recommends for
+  libp11-kit
+
+* Tue Jan 24 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 253~rc1-1
+- Version 253~rc1
+- See https://raw.githubusercontent.com/systemd/systemd/v253-rc1/NEWS
+- New subpackages: systemd-repart-standalone, systemd-shutdown-standalone,
+  and systemd-ukify.
+
+* Sun Jan 22 2023 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.4-4
+- Backport patches to fix issues gcc-13 and -D_FORTIFY_SOURCE=3
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 252.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jan 05 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 252.4-2
+- Add python3 to BuildRequires
+
+* Tue Dec 20 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.4-1
+- Version 252.4
+- Fixes a few different issues (systemd-timesyncd connectivity problems,
+  broken emoji output on the console, crashes in pid1 unit dependency
+  logic)
+- CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel
+  setting
+
+* Sat Dec 17 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.3-4
+- boot: add Provides:systemd-boot(isa)
+
+* Wed Dec 14 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.3-2
+- Use upstream pam systemd-auth file with a patch, add pam_keyinit
+
+* Thu Dec 08 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.3-1
+- Version 252.3 (rhbz#2136916, rhbz#2083900)
+
+* Fri Dec 02 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.2-2
+- Split out systemd-boot-unsigned package
+
+* Thu Nov 24 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.2-1
+- Version 252.2
+- Latest batch of bugfixes (rhbz#2137631)
+
+* Thu Nov 24 2022 Martin Osvald <mosvald@redhat.com> - 252.1-3
+- Support user:group notation by sysusers.generate-pre.sh script
+
+* Tue Nov 08 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252.1-1
+- Version 252.1 (just some small fixes).
+
+* Mon Oct 31 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252-1
+- Version 252
+
+* Tue Oct 25 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252~rc3-1
+- Version 252-rc3 (#2135778)
+
+* Tue Oct 18 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252~rc2-28
+- Version 252-rc2 (#2134741, #2133792)
+
+* Fri Oct 14 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252~rc1-31
+- Fix upgrade detection in %%posttrans scriptlet (rhbz#2115094)
+
+* Sun Oct 09 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252~rc1-30
+- Fix indentation in %%sysusers_create_compat macro (rhbz#2132835)
+
+* Sun Oct 09 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252~rc1-29
+- Correctly move systemd-measure to systemd-udev subpackage
+
+* Fri Oct 07 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 252~rc1-28
+- Version 252-rc1 (for details see
+  https://raw.githubusercontent.com/systemd/systemd/v252-rc1/NEWS)
+
+* Sat Oct 01 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 251.5-29
+- Fix permissions on %%ghost files (rhbz#2122889)
+
+* Sat Oct 01 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 251.5-28
+- Version 251.5 (rhbz#2129343, rhbz#2121106, rhbz#2130188)
+
+* Fri Sep 30 2022 Yu Watanabe <watanabe.yu+github@gmail.com> - 251.4-41
+- Replace patch for test-mountpoint-util
+
+* Fri Sep 30 2022 Yu Watanabe <watanabe.yu+github@gmail.com> - 251.4-40
+- patch: fix regression in bfq patch
+
+* Fri Sep 30 2022 Luca BRUNO <lucab@lucabruno.net> - 251.4-39
+- sysusers/generate: bridge 'm' entries to usermod
+
+* Fri Sep 30 2022 Anita Zhang <the.anitazha@gmail.com> - 251.4-38
+- Update systemd-oomd defaults to friendlier values
+- Remove swap policy. Default amount of swap (8GB?) is a lot lower than
+  what we use internally with the swap policy. Which frequently leads to
+  GNOME getting killed (e.g.
+  https://bugzilla.redhat.com/show_bug.cgi?id=1941170, and other BZs not
+  linked here). Internally we use 0.5x-1x size of physical memory for swap
+  via swapfiles (this will be documented in systemd upstream). In simple
+  cases of using more memory than is available (but without memory
+  pressure), the Kernel OOM killer can handle killing the offending
+  process.
+
+* Thu Sep 29 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 251.4-37
+- Make systemd-devel conditionally pull in systemd-rpm-macros
+
 * Fri Aug 19 2022 Neal Gompa <ngompa@fedoraproject.org> - 251.4-53
 - Set compile-time fallback hostname to "localhost"
   https://fedoraproject.org/wiki/Changes/FallbackHostname

fedora-use-system-auth-in-pam-systemd-user.patch

@@ -1,31 +0,0 @@
-From c4b803dc60b63a35c977d39610b7872175ec03bd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 14 Dec 2022 22:24:53 +0100
-Subject: [PATCH] fedora: use system-auth in pam systemd-user
-
----
- src/login/systemd-user.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
-index 8a3c9e0165..74ef5f2552 100644
---- a/src/login/systemd-user.in
-+++ b/src/login/systemd-user.in
-@@ -7,7 +7,7 @@
- -account sufficient pam_systemd_home.so
- {% endif %}
- account  sufficient pam_unix.so no_pass_expiry
--account  required   pam_permit.so
-+account  include    system-auth
- 
- {% if HAVE_SELINUX %}
- session  required   pam_selinux.so close
-@@ -20,4 +20,4 @@ session  required   pam_namespace.so
- -session optional   pam_systemd_home.so
- {% endif %}
- session  optional   pam_umask.so silent
--session  optional   pam_systemd.so
-+session  include    system-auth
--- 
-2.41.0
-

macros.sysusers

@@ -2,9 +2,9 @@
 #
 # Turn a sysusers.d file into macros specified by
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
+#
+# After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers,
+# those macros are not needed anymore.
 
-%sysusers_requires_compat Requires(pre): shadow-utils
-
-%sysusers_create_compat() \
-%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
-%{nil}
+%sysusers_requires_compat %nil
+%sysusers_create_compat() %nil

macros.sysusers.compat

@@ -0,0 +1,10 @@
+# RPM macros for packages creating system accounts
+#
+# Turn a sysusers.d file into macros specified by
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
+
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}

plans/run-integration-tests.sh

@@ -0,0 +1,127 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+# Switch SELinux to permissive if possible, since the tests don't set proper contexts
+setenforce 0 || true
+
+echo "CPU and Memory information:"
+lscpu
+lsmem
+
+echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
+
+# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
+sysctl fs.inotify.max_user_watches=65536 || true
+sysctl fs.inotify.max_user_instances=1024 || true
+
+if [[ -n "${KOJI_TASK_ID:-}" ]]; then
+    koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
+elif [[ -n "${CBS_TASK_ID:-}" ]]; then
+    cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
+elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
+    COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
+    COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
+    copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
+    mv "$COPR_CHROOT"/* .
+else
+    echo "Not running within packit and no CBS/koji task ID provided"
+    exit 1
+fi
+
+PACKAGEDIR="$PWD"
+
+# This will match both the regular and the debuginfo rpm so make sure we select only the
+# non-debuginfo rpm.
+RPMS=(systemd-tests-*.rpm)
+rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
+pushd usr/lib/systemd/tests
+mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
+
+# Now prepare mkosi at the same version required by the systemd repo.
+git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
+git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
+
+export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
+
+# shellcheck source=/dev/null
+. /etc/os-release || . /usr/lib/os-release
+
+tee mkosi/mkosi.local.conf <<EOF
+[Distribution]
+Distribution=${MKOSI_DISTRIBUTION:-$ID}
+Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
+
+[Content]
+PackageDirectories=$PACKAGEDIR
+SELinuxRelabel=yes
+
+[Build]
+ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
+ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
+ToolsTreePackageDirectories=$PACKAGEDIR
+Environment=NO_BUILD=1
+WithTests=yes
+EOF
+
+if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
+    tee --append mkosi/mkosi.local.conf <<EOF
+[Distribution]
+Repositories=$MKOSI_REPOSITORIES
+
+[Build]
+ToolsTreeRepositories=$MKOSI_REPOSITORIES
+EOF
+fi
+
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
+    tee --append mkosi/mkosi.local.conf <<EOF
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
+EOF
+fi
+
+# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
+modprobe kvm || true
+if [[ ! -e /dev/kvm ]]; then
+    export TEST_NO_QEMU=1
+fi
+
+NPROC="$(nproc)"
+if [[ "$NPROC" -ge 10 ]]; then
+    export TEST_JOURNAL_USE_TMP=1
+    NPROC="$((NPROC / 3))"
+else
+    NPROC="$((NPROC - 1))"
+fi
+
+# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
+# for now.
+export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
+
+mkosi genkey
+mkosi summary
+mkosi -f box -- true
+mkosi box -- meson setup build integration-tests/standalone
+mkosi -f
+if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
+    MAX_LINES=(--max-lines 300)
+else
+    MAX_LINES=()
+fi
+mkosi box -- \
+    meson test \
+        -C build \
+        --setup=integration \
+        --print-errorlogs \
+        --no-stdsplit \
+        --num-processes "$NPROC" \
+        "${MAX_LINES[@]}" && EC=0 || EC=$?
+
+[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
+[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
+
+popd
+
+exit "$EC"

plans/upstream.fmf

@@ -0,0 +1,22 @@
+summary: systemd upstream test suite
+provision:
+  hardware:
+    virtualization:
+      is-supported: true
+prepare:
+  - name: install-dependencies
+    how: install
+    package:
+      - coreutils
+      - distribution-gpg-keys
+      - dnf
+      - git-core
+      - koji
+      - centos-packager
+      - copr-cli
+    exclude:
+      - systemd-standalone-.*
+execute:
+    how: tmt
+    script: exec plans/run-integration-tests.sh
+    duration: 2h

purge-nobody-user

@@ -1,101 +0,0 @@
-#!/bin/bash -eu
-
-if [ $UID -ne 0 ]; then
-    echo "WARNING: This script needs to run as root to be effective"
-    exit 1
-fi
-
-export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
-
-if [ "${1:-}" = "--ignore-journal" ]; then
-    shift
-    ignore_journal=1
-else
-    ignore_journal=0
-fi
-
-echo "Checking processes..."
-if ps h -u 99 | grep .; then
-    echo "ERROR: ps reports processes with UID 99!"
-    exit 2
-fi
-echo "... not found"
-
-echo "Checking UTMP..."
-if w -h 199 | grep . ; then
-    echo "ERROR: w reports UID 99 as active!"
-    exit 2
-fi
-if w -h nobody | grep . ; then
-    echo "ERROR: w reports user nobody as active!"
-    exit 2
-fi
-echo "... not found"
-
-echo "Checking the journal..."
-if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
-    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
-    exit 2
-fi
-echo "... not found"
-
-echo "Looking for files in /etc, /run, /tmp, and /var..."
-if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
-    echo "ERROR: found files belonging to UID 99"
-    exit 2
-fi
-echo "... not found"
-
-echo "Checking if nobody is defined correctly..."
-if getent passwd nobody |
-	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
-then
-    echo "OK, nothing to do."
-    exit 0
-else
-    echo "NOTICE: User nobody is not defined correctly"
-fi
-
-echo "Checking if nfsnobody or something else is using the uid..."
-if getent passwd 65534 | grep . ; then
-    echo "NOTICE: will have to remove this user"
-else
-    echo "... not found"
-fi
-
-if [ "${1:-}" = "-x" ]; then
-    if getent passwd nobody >/dev/null; then
-	# this will remove both the user and the group.
-	( set -x
-   	  userdel nobody
-	)
-    fi
-
-    if getent passwd 65534 >/dev/null; then
-	# Make sure the uid is unused. This should free gid too.
-	name="$(getent passwd 65534 | cut -d: -f1)"
-	( set -x
-	  userdel "$name"
-	)
-    fi
-
-    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
-	echo "Sleeping, so sss can catch up"
-	sleep 3
-    fi
-
-    if getent group 65534; then
-	# Make sure the gid is unused, even if uid wasn't.
-	name="$(getent group 65534 | cut -d: -f1)"
-	( set -x
-	  groupdel "$name"
-	)
-    fi
-
-    # systemd-sysusers uses the same gid and uid
-    ( set -x
-      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
-    )
-else
-    echo "Pass '-x' to perform changes"
-fi

rpminspect.yaml

@@ -13,7 +13,12 @@ badfuncs:
 changedfiles:
   exclude_path: .*
 
-# completely disabled inspections:
+# completely disable inspections:
 inspections:
   # we know about our patches, no need to report anything
   patches: off
+
+  # this inspection uses `udevadm` which comes from this package
+  # disable so we do not check udev rules with a possibly outdated version
+  # of the command
+  udevrules: off

sources

@@ -1 +1 @@
-SHA512 (systemd-254.5.tar.gz) = 8e9b4f802c4da2a0dea6028df78d20de5d96802d8f614d0392e89dea605cdd8d9c1724ce3ea382378d582402646f8bea2ffcd55a84262461721ee3f691105b7a
+SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50

split-files.py

@@ -1,8 +1,47 @@
 import re, sys, os, collections
 
 buildroot = sys.argv[1]
-known_files = sys.stdin.read().splitlines()
-known_files = {line.split()[-1]:line for line in known_files}
+no_bootloader = '--no-bootloader' in sys.argv
+
+known_files = '''
+%ghost %config(noreplace) /etc/crypttab
+%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
+/etc/inittab
+# This directory is owned by openssh-server, but we don't want to introduce
+# a dependency. So let's copy the config and co-own the directory.
+%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
+%ghost %config(noreplace) /etc/vconsole.conf
+%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
+%ghost %attr(0664,root,root) %verify(not group) /run/utmp
+%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp
+%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp
+%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog
+%ghost %config(noreplace) /etc/hostname
+%ghost %config(noreplace) /etc/localtime
+%ghost %config(noreplace) /etc/locale.conf
+%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
+%ghost %config(noreplace) /etc/machine-info
+%ghost %attr(0700,root,root) %dir /var/cache/private
+%ghost %attr(0700,root,root) %dir /var/lib/private
+%ghost %dir /var/lib/private/systemd
+%ghost %dir /var/lib/private/systemd/journal-upload
+%ghost /var/lib/private/systemd/journal-upload/state
+%ghost %dir /var/lib/systemd/timesync
+%ghost /var/lib/systemd/timesync/clock
+%ghost %dir /var/lib/systemd/backlight
+%ghost /var/lib/systemd/catalog/database
+%ghost %dir /var/lib/systemd/coredump
+%ghost /var/lib/systemd/journal-upload
+%ghost %dir /var/lib/systemd/linger
+%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
+%ghost %dir /var/lib/systemd/rfkill
+%ghost %dir %verify(not mode group) /var/log/journal
+%ghost %dir /var/log/journal/remote
+%ghost %attr(0700,root,root) %dir /var/log/private
+'''
+
+known_files = {line.split()[-1]:line for line in known_files.splitlines()
+               if line and not line.startswith('#')}
 
 def files(root):
     os.chdir(root)
@@ -15,24 +54,31 @@ def files(root):
             if file.is_dir() and not file.is_symlink():
                 todo.append(file)
 
-o_libs = open('.file-list-libs', 'w')
-o_udev = open('.file-list-udev', 'w')
-o_ukify = open('.file-list-ukify', 'w')
-o_boot = open('.file-list-boot', 'w')
-o_pam = open('.file-list-pam', 'w')
-o_rpm_macros = open('.file-list-rpm-macros', 'w')
-o_devel = open('.file-list-devel', 'w')
-o_container = open('.file-list-container', 'w')
-o_networkd = open('.file-list-networkd', 'w')
-o_oomd_defaults = open('.file-list-oomd-defaults', 'w')
-o_remote = open('.file-list-remote', 'w')
-o_resolve = open('.file-list-resolve', 'w')
-o_tests = open('.file-list-tests', 'w')
-o_standalone_repart = open('.file-list-standalone-repart', 'w')
-o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w')
-o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w')
-o_standalone_shutdown = open('.file-list-standalone-shutdown', 'w')
-o_main = open('.file-list-main', 'w')
+outputs = {suffix: open(f'.file-list-{suffix}', 'w')
+           for suffix in (
+                   'shared',
+                   'libs',
+                   'udev',
+                   'ukify',
+                   'boot',
+                   'pam',
+                   'rpm-macros',
+                   'sysusers',
+                   'devel',
+                   'container',
+                   'networkd',
+                   'networkd-defaults',
+                   'oomd-defaults',
+                   'remote',
+                   'resolve',
+                   'tests',
+                   'standalone-repart',
+                   'standalone-tmpfiles',
+                   'standalone-sysusers',
+                   'standalone-shutdown',
+                   'main',
+           )}
+
 for file in files(buildroot):
     n = file.path[1:]
     if re.match(r'''/usr/(share|include)$|
@@ -59,50 +105,81 @@ for file in files(buildroot):
 
     if n.endswith('.standalone'):
         if 'repart' in n:
-            o = o_standalone_repart
+            o = outputs['standalone-repart']
         elif 'tmpfiles' in n:
-            o = o_standalone_tmpfiles
+            o = outputs['standalone-tmpfiles']
         elif 'sysusers' in n:
-            o = o_standalone_sysusers
+            o = outputs['standalone-sysusers']
         elif 'shutdown' in n:
-            o = o_standalone_shutdown
+            o = outputs['standalone-shutdown']
         else:
             assert False, 'Found .standalone not belonging to known packages'
 
     elif '/security/pam_' in n or '/man8/pam_' in n:
-        o = o_pam
+        o = outputs['pam']
     elif '/rpm/' in n:
-        o = o_rpm_macros
+        o = outputs['rpm-macros']
     elif '/usr/lib/systemd/tests' in n:
-        o = o_tests
-    elif 'ukify' in n:
-        o = o_ukify
-    elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n):
-        o = o_main
+        o = outputs['tests']
+    elif 'ukify' in n and '/man/' not in n:
+        o = outputs['ukify']
+    elif re.search(r'/libsystemd-core-.*\.so$', n):
+        o = outputs['main']
+    elif re.search(r'/libsystemd-shared-.*\.so$', n):
+        o = outputs['shared']
     elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
-        o = o_udev
-    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n):
-        o = o_devel
+        o = outputs['udev']
+    elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
+        o = outputs['devel']
     elif re.search(r'''journal-(remote|gateway|upload)|
                        systemd-remote\.conf|
                        /usr/share/systemd/gatewayd|
                        /var/log/journal/remote
     ''', n, re.X):
-        o = o_remote
+        o = outputs['remote']
+
+    # Just the binary, the dir, and the man page.
+    elif re.search(r'''systemd-sysusers$|
+                       sysusers\.d$|
+                       man/.*sysusers\.d\.5|
+                       man/.*systemd-sysusers\.8
+    ''', n, re.X):
+        o = outputs['sysusers']
 
     elif re.search(r'''mymachines|
                        machinectl|
+                       mount.ddi|
+                       importctl|
+                       portablectl|
                        systemd-nspawn|
-                       import-pubring.gpg|
-                       systemd-(machined|import|pull)|
+                       systemd\.nspawn|
+                       systemd-vmspawn|
+                       systemd-dissect|
+                       import-pubring|
+                       systemd-machined|
+                       systemd-import|
+                       systemd-export|
+                       systemd-pull|
+                       systemd-mountfsd|
+                       systemd-mountwork|
+                       systemd-nsresource|
                        /machine.slice|
                        /machines.target|
                        var-lib-machines.mount|
                        org.freedesktop.(import|machine)1
     ''', n, re.X):
-        o = o_container
+        o = outputs['container']
 
-    elif re.search(r'''/usr/lib/systemd/network/80-|
+    # .network.example files go into systemd-networkd, and the matching files
+    # without .example go into systemd-networkd-defaults
+    elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
+          and os.path.exists(f'./{n}.example')):
+        o = outputs['networkd-defaults']
+
+    # Files that are "consumed" by systemd-networkd go into the -networkd
+    # subpackage. As a special case, network-generator is co-owned also by
+    # the -udev subpackage because systemd-udevd reads .link files.
+    elif re.search(r'''/usr/lib/systemd/network/.*\.network|
                        networkd|
                        networkctl|
                        org.freedesktop.network1|
@@ -111,17 +188,24 @@ for file in files(buildroot):
                        systemd\.network|
                        systemd\.netdev
     ''', n, re.X):
-        o = o_networkd
+        o = outputs['networkd']
+    elif 'network-generator' in n:
+        o = (outputs['networkd'], outputs['udev'])
 
     elif '.so.' in n:
-        o = o_libs
+        o = outputs['libs']
+
+    elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
+        o = outputs['oomd-defaults']
 
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
+                       ac-power|
                        bootctl|
                        boot-update|
                        bless-boot|
                        boot-system-token|
+                       bsod|
                        kernel-install|
                        installkernel|
                        vconsole|
@@ -150,7 +234,8 @@ for file in files(buildroot):
                        integritytab|
                        remount-fs|
                        /initrd|
-                       systemd-pcrphase|
+                       systemd[.-]pcr|
+                       /pcrlock\.d|
                        systemd-measure|
                        /boot$|
                        /kernel/|
@@ -160,44 +245,54 @@ for file in files(buildroot):
                        sysctl|
                        coredump|
                        homed|home1|
+                       sysupdate|updatctl|
+                       oomd|
                        portabled|portable1
     ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because
                        # they can be used to interact with remote daemons. Also, the user could be
                        # confused if those user-facing binaries are not available.
-        o = o_udev
+        o = outputs['udev']
 
     elif re.search(r'''/boot/efi|
                        /usr/lib/systemd/boot|
                        sd-boot|systemd-boot\.|loader.conf
     ''', n, re.X):
-        o = o_boot
+        o = outputs['boot']
 
     elif re.search(r'''resolved|resolve1|
                        systemd-resolve|
                        resolvconf|
                        systemd\.(positive|negative)
     ''', n, re.X):     # resolvectl and nss-resolve are in the main package.
-        o = o_resolve
-
-    elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
-        o = o_oomd_defaults
+        o = outputs['resolve']
 
     else:
-        o = o_main
+        o = outputs['main']
 
     if n in known_files:
-        prefix = ' '.join(known_files[n].split()[:-1])
-        if prefix:
-            prefix += ' '
-    elif file.is_dir() and not file.is_symlink():
-        prefix = '%dir '
+        prefix = known_files[n].split()[:-1]
+    elif file.is_dir(follow_symlinks=False):
+        prefix = ['%dir']
     elif 'README' in n:
-        prefix = '%doc '
+        prefix = ['%doc']
     elif n.startswith('/etc'):
-        prefix = '%config(noreplace) '
+        prefix = ['%config(noreplace)']
+        if not file.is_symlink() and file.stat().st_size == 0:
+            prefix += ['%ghost']
     else:
-        prefix = ''
+        prefix = []
+    prefix = ' '.join(prefix + ['']) if prefix else ''
 
     suffix = '*' if '/man/' in n else ''
 
-    print(f'{prefix}{n}{suffix}', file=o)
+    if not isinstance(o, tuple):
+        o = (o,)
+    for file in o:
+        print(f'{prefix}{n}{suffix}', file=file)
+
+if [print(f'ERROR: no file names were written to {o.name}')
+    for name, o in outputs.items()
+    if (o.tell() == 0 and
+        not (no_bootloader and name == 'boot'))
+    ]:
+    sys.exit(1)

systemd-user

@@ -0,0 +1,14 @@
+# Used by systemd --user instances.
+
+-account sufficient pam_systemd_home.so
+account  sufficient pam_unix.so no_pass_expiry
+account  include    system-auth
+
+session  required   pam_selinux.so close
+session  required   pam_selinux.so nottys open
+session  required   pam_loginuid.so
+session  optional   pam_keyinit.so force revoke
+session  required   pam_namespace.so
+-session optional   pam_systemd_home.so
+session  optional   pam_umask.so silent
+session  include    system-auth

sysusers.generate-pre.sh

@@ -69,7 +69,7 @@ parse() {
 		[ -z "$line" ] && continue
 		eval "arr=( $line )"
 		case "${arr[0]}" in
-			('u')
+			('u'|'u!')
 				if [[ "${arr[2]}" == *":"* ]]; then
 					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
 				else

sysusers.prov

@@ -42,7 +42,7 @@ parse() {
         [ -z "$line" ] && continue
         set -- $line
         case "$1" in
-            ('u')
+            ('u'|'u!')
                 process_u "$2" "$3"
                 ;;
             ('g')

test_sysusers_defined.py

@@ -0,0 +1,39 @@
+#!/usr/bin/python
+
+import os
+import sys
+
+def parse_sysusers_file(filename):
+    users, groups = set(), set()
+
+    for line in open(filename):
+        line = line.strip()
+        if not line or line.startswith('#'):
+            continue
+        words = line.split()
+        match words[0]:
+            case 'u'|'u!':
+                users.add(words[1])
+            case 'g':
+                groups.add(words[1])
+            case 'm'|'r':
+                continue
+            case _:
+                assert False
+    return users, groups
+
+setup_users, setup_groups = set(), set()
+
+for arg in sys.argv[1:-1]:
+    users, groups = parse_sysusers_file(arg)
+    setup_users |= users
+    setup_groups |= groups
+
+basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
+
+ignored = set(os.getenv('IGNORED', '').split())
+
+if d := basic_users - setup_users - ignored:
+    exit(f'We have new users: {d}')
+if d := basic_groups - setup_groups - ignored:
+    exit(f'We have new groups: {d}')

tests/tests-reboot.yml

@@ -1,50 +0,0 @@
----
-- hosts: localhost
-  vars:
-  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
-  tags:
-  - classic
-  tasks:
-  # switch SELinux to permissive mode
-  - name: Get default kernel
-    command: "grubby --default-kernel"
-    register: default_kernel
-  - debug: msg="{{ default_kernel.stdout }}"
-  - name: Set permissive mode
-    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
-
-  - name: reboot
-    block:
-      - name: restart host
-        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-        async: 1
-        poll: 0
-        ignore_errors: true
-
-      - name: wait for host to come back
-        wait_for_connection:
-          delay: 10
-          timeout: 300
-
-      - name: Re-create /tmp/artifacts
-        command: mkdir /tmp/artifacts
-
-      - name: Gather SELinux denials since boot
-        shell: |
-            result=pass
-            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
-            ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
-            grep -q '<no matches>' /tmp/avc.log || result=fail
-            echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
-            ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
-
-    always:
-      - name: Pull out the artifacts
-        fetch:
-          dest: "{{ artifacts }}/"
-          src: "{{ item }}"
-          flat: yes
-        with_items:
-          - /tmp/test.log
-          - /tmp/avc.log
-          - /tmp/results.yml

triggers.systemd

@@ -9,17 +9,17 @@
 #
 # Minimum rpm version supported: 4.14.0
 
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
 
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
 /usr/lib/systemd/systemd-update-helper user-reload-restart || :
 
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # On removal, we need to run daemon-reload after any units have been
 # removed.
 # On upgrade, we need to run daemon-reload after any new unit files
@@ -27,35 +27,35 @@
 # executed.
 /usr/lib/systemd/systemd-update-helper system-reload || :
 
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # Execute daemon-reload in user managers.
 /usr/lib/systemd/systemd-update-helper user-reload || :
 
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # We restart remaining system services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper system-restart || :
 
-%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # We restart remaining user services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper user-restart || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
 systemd-sysusers || :
 
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
 systemd-hwdb update || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
 journalctl --update-catalog || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d "/run/systemd/system"; then
@@ -64,7 +64,7 @@ if test -d "/run/systemd/system"; then
   /usr/lib/systemd/systemd-binfmt || :
 fi
 
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
 # This script will process files installed in /usr/lib/tmpfiles.d to create
 # tmpfiles automatically. The priority is set such that it will run
 # after the sysusers file trigger, but before any other triggers.
@@ -72,14 +72,12 @@ if test -d "/run/systemd/system"; then
   systemd-tmpfiles --create || :
 fi
 
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
 # This script will automatically update udev with new rules if files
 # have been installed or updated in /usr/lib/udev/rules.d.
-if test -e /run/udev/control; then
-  udevadm control --reload || :
-fi
+/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
 
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
 # This script will automatically apply sysctl rules if files have been
 # installed or updated in /usr/lib/sysctl.d.
 if test -d "/run/systemd/system"; then

use-bfq-scheduler.patch

@@ -1,43 +0,0 @@
-From 1990fb757f6d275d807fcb48ad09f5fc7c947bc6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 14 Aug 2019 15:57:42 +0200
-Subject: [PATCH] udev: use bfq as the default scheduler
-
-As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
-Test results are that bfq seems to behave better and more consistently on
-typical hardware. The kernel does not have a configuration option to set
-the default scheduler, and it currently needs to be set by userspace.
-
-See the bug for more discussion and links.
----
- rules.d/60-block-scheduler.rules | 5 +++++
- rules.d/meson.build              | 1 +
- 2 files changed, 6 insertions(+)
- create mode 100644 rules.d/60-block-scheduler.rules
-
-diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
-new file mode 100644
-index 0000000000..850b64540e
---- /dev/null
-+++ b/rules.d/60-block-scheduler.rules
-@@ -0,0 +1,5 @@
-+# do not edit this file, it will be overwritten on update
-+
-+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
-+  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
-+  ATTR{queue/scheduler}="bfq"
-diff --git a/rules.d/meson.build b/rules.d/meson.build
-index 20fca222da..94fee9d7c0 100644
---- a/rules.d/meson.build
-+++ b/rules.d/meson.build
-@@ -7,6 +7,7 @@ install_data(
- rules = [
-         [files('60-autosuspend.rules',
-                '60-block.rules',
-+               '60-block-scheduler.rules',
-                '60-cdrom_id.rules',
-                '60-dmi-id.rules',
-                '60-drm.rules',
--- 
-2.41.0
-

yum-protect-systemd.conf

@@ -1,2 +0,0 @@
-systemd
-systemd-udev