Add 2 patches for automatic aarch64 DTB selection change

This reverts commit 56377438ba. Dropping
of the option currently doesn't disable anything, it just moves the
file. I don't think we gain anything by moving the file and actually
this causes problems [1], so let's just return to status quo ante.

[1] file /etc/init.d conflicts between attempted installs of systemd-259.999+69+g6ceb76bfc-2548.1.x86_64 and chkconfig-1.33-3.fc44.x86_64

[skip changelog]

0001-Revert-units-drop-runlevel-0-6-.target.patch

@@ -0,0 +1,88 @@
+From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Nov 2025 17:52:16 +0100
+Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
+
+This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
+The unit are still needed for compat.
+---
+ units/meson.build | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index 2e04c4aa2b..46eaac4073 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -1,5 +1,7 @@
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
++with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
++
+ units = [
+         { 'file' : 'basic.target' },
+         { 'file' : 'blockdev@.target' },
+@@ -49,7 +51,7 @@ units = [
+         },
+         {
+           'file' : 'graphical.target',
+-          'symlinks' : ['default.target'],
++          'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
+         },
+         { 'file' : 'halt.target' },
+         {
+@@ -142,7 +144,10 @@ units = [
+           'conditions' : ['ENABLE_MACHINED'],
+         },
+         { 'file' : 'modprobe@.service' },
+-        { 'file' : 'multi-user.target' },
++        {
++          'file' : 'multi-user.target',
++          'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
++        },
+         {
+           'file' : 'systemd-mute-console.socket',
+           'symlinks' : ['sockets.target.wants/']
+@@ -155,7 +160,10 @@ units = [
+         { 'file' : 'nss-lookup.target' },
+         { 'file' : 'nss-user-lookup.target' },
+         { 'file' : 'paths.target' },
+-        { 'file' : 'poweroff.target' },
++        {
++          'file' : 'poweroff.target',
++          'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
++        },
+         { 'file' : 'printer.target' },
+         {
+           'file' : 'proc-sys-fs-binfmt_misc.automount',
+@@ -180,7 +188,7 @@ units = [
+         },
+         {
+           'file' : 'reboot.target',
+-          'symlinks' : ['ctrl-alt-del.target'],
++          'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
+         },
+         {
+           'file' : 'remote-cryptsetup.target',
+@@ -200,7 +208,10 @@ units = [
+           'symlinks' : ['initrd-root-device.target.wants/'],
+         },
+         { 'file' : 'rescue.service.in' },
+-        { 'file' : 'rescue.target' },
++        {
++          'file' : 'rescue.target',
++          'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
++        },
+         { 'file' : 'rpcbind.target' },
+         { 'file' : 'serial-getty@.service.in' },
+         { 'file' : 'shutdown.target' },
+@@ -1001,4 +1012,10 @@ else
+                             dbussessionservicedir / 'org.freedesktop.systemd1.service'))
+ endif
+ 
++if conf.get('HAVE_SYSV_COMPAT') == 1
++        foreach i : [1, 2, 3, 4, 5]
++                install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
++        endforeach
++endif
++
+ subdir('user')

0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch

@@ -1,69 +0,0 @@
-From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Fri, 10 Jan 2025 17:00:08 +0100
-Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes'
- if DefaultDependencies=no"
-
-This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5.
----
- units/systemd-coredump@.service.in | 2 +-
- units/systemd-oomd.service.in      | 2 +-
- units/systemd-resolved.service.in  | 2 +-
- units/systemd-timesyncd.service.in | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
-index c74dc7a5a1..fa3206d07b 100644
---- a/units/systemd-coredump@.service.in
-+++ b/units/systemd-coredump@.service.in
-@@ -26,7 +26,7 @@ NoNewPrivileges=yes
- OOMScoreAdjust=500
- PrivateDevices=yes
- PrivateNetwork=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=read-only
- ProtectHostname=yes
-diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in
-index 670d5e6140..82bd6245f8 100644
---- a/units/systemd-oomd.service.in
-+++ b/units/systemd-oomd.service.in
-@@ -37,7 +37,7 @@ MemoryLow=64M
- NoNewPrivileges=yes
- OOMScoreAdjust=-900
- PrivateDevices=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectClock=yes
- ProtectHome=yes
- ProtectHostname=yes
-diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
-index e181b2528a..4aa0788ac4 100644
---- a/units/systemd-resolved.service.in
-+++ b/units/systemd-resolved.service.in
-@@ -29,7 +29,7 @@ LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
- PrivateDevices=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectClock=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
-index 835d6327e7..cf233fbffd 100644
---- a/units/systemd-timesyncd.service.in
-+++ b/units/systemd-timesyncd.service.in
-@@ -31,7 +31,7 @@ LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
- PrivateDevices=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectProc=invisible
- ProtectControlGroups=yes
- ProtectHome=yes
--- 
-2.47.1
-

0002-machined-continue-without-resolve.hook-socket.patch

@@ -0,0 +1,32 @@
+From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 26 Nov 2025 22:29:53 +0100
+Subject: [PATCH 3/3] machined: continue without resolve.hook socket
+
+---
+ src/machine/machined-varlink.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
+index f83cbb8562..0b30cd0531 100644
+--- a/src/machine/machined-varlink.c
++++ b/src/machine/machined-varlink.c
+@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
+ 
+         r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
+                                              0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
+-                                       VARLINK_PATH_MACHINED_RESOLVE_HOOK);
++        if (r < 0) {
++                bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
++                log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
++                               r,
++                               "Failed to bind to varlink socket %s%s: %m",
++                               VARLINK_PATH_MACHINED_RESOLVE_HOOK,
++                               ignore ? ", ignoring" : "");
++                return ignore ? 0 : r;
++        }
+ 
+         r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
+         if (r < 0)

0002-sysusers-emit-audit-events-for-user-and-group-creati.patch

@@ -1,287 +0,0 @@
-From 398049208b4aae5f2a9f0d4914dee6ab6e101118 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Fri, 10 Jan 2025 15:35:13 +0100
-Subject: [PATCH 2/2] sysusers: emit audit events for user and group creation
-
-Background: Fedora/RHEL are switching to sysusers.d metadata for creation of
-users and groups for system users defined by packages
-(https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers).
-Packages carry sysusers files. During package installation, rpm calls an
-program to execute on this config. This program may either be
-/usr/lib/rpm/sysusers.sh which calls useradd/groupadd, or
-/usr/bin/systemd-sysusers. To match the functionality provided by
-useradd/groupadd from the shadow-utils project, systemd-sysusers must emit
-audit events so that it provides a drop-in replacement.
-
-systemd-sysuers will emit audit events AUDIT_ADD_USER/AUDIT_ADD_GROUP when
-adding users and groups. The operation "names" are copied from shadow-utils in
-Fedora (which has a patch to change them from the upstream version), so the
-format of the events that is generated on success should be identical.
-
-The helper code is shared between sysusers and utmp-wtmp. I changed the
-audit_fd variable to be unconditional. This way we can avoid ugly iffdefery
-every time the variable would be used. The cost is that 4 bytes of unused
-storage might be present. This is negligible, and the compiler might even be
-able to optimize that away if it inlines things.
----
- src/basic/audit-util.h        | 33 +++++++++++++++++++++
- src/sysusers/meson.build      |  2 ++
- src/sysusers/sysusers.c       | 56 +++++++++++++++++++++++++++++++++++
- src/update-utmp/update-utmp.c | 23 ++------------
- 4 files changed, 94 insertions(+), 20 deletions(-)
-
-diff --git a/src/basic/audit-util.h b/src/basic/audit-util.h
-index 9a74e4f102..d8ecf14f69 100644
---- a/src/basic/audit-util.h
-+++ b/src/basic/audit-util.h
-@@ -1,10 +1,16 @@
- /* SPDX-License-Identifier: LGPL-2.1-or-later */
- #pragma once
- 
-+#if HAVE_AUDIT
-+#  include <libaudit.h>
-+#endif
-+
- #include <stdbool.h>
- #include <stdint.h>
- #include <sys/types.h>
- 
-+#include "errno-util.h"
-+#include "log.h"
- #include "pidref.h"
- 
- #define AUDIT_SESSION_INVALID UINT32_MAX
-@@ -17,3 +23,30 @@ bool use_audit(void);
- static inline bool audit_session_is_valid(uint32_t id) {
-         return id > 0 && id != AUDIT_SESSION_INVALID;
- }
-+
-+/* The wrappers for audit_open() and audit_close() are inline functions so that we don't get a spurious
-+ * linkage to libaudit in libbasic, but we also don't need to create a separate source file for two very
-+ * short functions. */
-+
-+static inline int close_audit_fd(int fd) {
-+#if HAVE_AUDIT
-+        if (fd >= 0)
-+                audit_close(fd);
-+#else
-+        assert(fd < 0);
-+#endif
-+        return -EBADF;
-+}
-+
-+static inline int open_audit_fd_or_warn(void) {
-+        int fd = -EBADF;
-+
-+#if HAVE_AUDIT
-+        /* If the kernel lacks netlink or audit support, don't worry about it. */
-+        fd = audit_open();
-+        if (fd < 0)
-+                return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING,
-+                                      errno, "Failed to connect to audit log, ignoring: %m");
-+#endif
-+        return fd;
-+}
-diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build
-index 123ff41d3f..c968f55110 100644
---- a/src/sysusers/meson.build
-+++ b/src/sysusers/meson.build
-@@ -9,6 +9,7 @@ executables += [
-                 'name' : 'systemd-sysusers',
-                 'public' : true,
-                 'sources' : files('sysusers.c'),
-+                'dependencies' : libaudit,
-         },
-         executable_template + {
-                 'name' : 'systemd-sysusers.standalone',
-@@ -20,6 +21,7 @@ executables += [
-                         libshared_static,
-                         libsystemd_static,
-                 ],
-+                'dependencies' : libaudit,
-                 'build_by_default' : have_standalone_binaries,
-                 'install' : have_standalone_binaries,
-         },
-diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
-index 44253483db..84eb9fc0c3 100644
---- a/src/sysusers/sysusers.c
-+++ b/src/sysusers/sysusers.c
-@@ -3,6 +3,7 @@
- #include <getopt.h>
- 
- #include "alloc-util.h"
-+#include "audit-util.h"
- #include "build.h"
- #include "chase.h"
- #include "conf-files.h"
-@@ -106,6 +107,8 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
- STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
- 
- typedef struct Context {
-+        int audit_fd;
-+
-         OrderedHashmap *users, *groups;
-         OrderedHashmap *todo_uids, *todo_gids;
-         OrderedHashmap *members;
-@@ -126,6 +129,8 @@ typedef struct Context {
- static void context_done(Context *c) {
-         assert(c);
- 
-+        c->audit_fd = close_audit_fd(c->audit_fd);
-+
-         ordered_hashmap_free(c->groups);
-         ordered_hashmap_free(c->users);
-         ordered_hashmap_free(c->members);
-@@ -163,6 +168,48 @@ static void maybe_emit_login_defs_warning(Context *c) {
-         c->login_defs_need_warning = false;
- }
- 
-+static void log_audit_accounts(Context *c, ItemType what) {
-+#if HAVE_AUDIT
-+        assert(c);
-+        assert(IN_SET(what, ADD_USER, ADD_GROUP));
-+
-+        if (arg_dry_run || c->audit_fd < 0)
-+                return;
-+
-+        Item *i;
-+        int type = what == ADD_USER ? AUDIT_ADD_USER : AUDIT_ADD_GROUP;
-+        const char *op = what == ADD_USER ? "adding-user" : "adding-group";
-+
-+        /* Notes:
-+         *
-+         * The op must not contain whitespace. The format with a dash matches what Fedora shadow-utils uses.
-+         *
-+         * We send id == -1, even though we know the number, in particular on success. This is because if we
-+         * send the id, the generated audit message will not contain the name. The name seems more useful
-+         * than the number, hence send just the name:
-+         *
-+         * type=ADD_USER msg=audit(01/10/2025 16:02:00.639:3854) :
-+         *   pid=3846380 uid=root auid=zbyszek ses=2 msg='op=adding-user id=unknown(952) exe=systemd-sysusers ... res=success'
-+         * vs.
-+         * type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) :
-+         *   pid=3846607 uid=root auid=zbyszek ses=2 msg='op=adding-user acct=foo5 exe=systemd-sysusers ... res=success'
-+         */
-+
-+        ORDERED_HASHMAP_FOREACH(i, what == ADD_USER ? c->todo_uids : c->todo_gids)
-+                audit_log_acct_message(
-+                                c->audit_fd,
-+                                type,
-+                                program_invocation_short_name,
-+                                op,
-+                                i->name,
-+                                /* id= */ (unsigned) -1,
-+                                /* host= */ NULL,
-+                                /* addr= */ NULL,
-+                                /* tty= */ NULL,
-+                                /* success= */ 1);
-+#endif
-+}
-+
- static int load_user_database(Context *c) {
-         _cleanup_fclose_ FILE *f = NULL;
-         const char *passwd_path;
-@@ -971,6 +1018,8 @@ static int write_files(Context *c) {
-                                                group_tmp, group_path);
-                 group_tmp = mfree(group_tmp);
-         }
-+        /* OK, we have written the group entries successfully */
-+        log_audit_accounts(c, ADD_GROUP);
-         if (gshadow) {
-                 r = rename_and_apply_smack_floor_label(gshadow_tmp, gshadow_path);
-                 if (r < 0)
-@@ -988,6 +1037,8 @@ static int write_files(Context *c) {
- 
-                 passwd_tmp = mfree(passwd_tmp);
-         }
-+        /* OK, we have written the user entries successfully */
-+        log_audit_accounts(c, ADD_USER);
-         if (shadow) {
-                 r = rename_and_apply_smack_floor_label(shadow_tmp, shadow_path);
-                 if (r < 0)
-@@ -2232,6 +2283,7 @@ static int run(int argc, char *argv[]) {
- #endif
-         _cleanup_close_ int lock = -EBADF;
-         _cleanup_(context_done) Context c = {
-+                .audit_fd = -EBADF,
-                 .search_uid = UID_INVALID,
-         };
- 
-@@ -2281,6 +2333,10 @@ static int run(int argc, char *argv[]) {
-         assert(!arg_image);
- #endif
- 
-+        /* Prepare to emit audit events, but only if we're operating on the host system. */
-+        if (!arg_root)
-+                c.audit_fd = open_audit_fd_or_warn();
-+
-         /* If command line arguments are specified along with --replace, read all configuration files and
-          * insert the positional arguments at the specified place. Otherwise, if command line arguments are
-          * specified, execute just them, and finally, without --replace= or any positional arguments, just
-diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c
-index a10e6d478a..6df9414063 100644
---- a/src/update-utmp/update-utmp.c
-+++ b/src/update-utmp/update-utmp.c
-@@ -5,12 +5,9 @@
- #include <sys/types.h>
- #include <unistd.h>
- 
--#if HAVE_AUDIT
--#include <libaudit.h>
--#endif
--
- #include "sd-bus.h"
- 
-+#include "audit-util.h"
- #include "alloc-util.h"
- #include "bus-error.h"
- #include "bus-locator.h"
-@@ -30,20 +27,14 @@
- 
- typedef struct Context {
-         sd_bus *bus;
--#if HAVE_AUDIT
-         int audit_fd;
--#endif
- } Context;
- 
- static void context_clear(Context *c) {
-         assert(c);
- 
-         c->bus = sd_bus_flush_close_unref(c->bus);
--#if HAVE_AUDIT
--        if (c->audit_fd >= 0)
--                audit_close(c->audit_fd);
--        c->audit_fd = -EBADF;
--#endif
-+        c->audit_fd = close_audit_fd(c->audit_fd);
- }
- 
- static int get_startup_monotonic_time(Context *c, usec_t *ret) {
-@@ -256,22 +247,14 @@ static int run(int argc, char *argv[]) {
-         };
- 
-         _cleanup_(context_clear) Context c = {
--#if HAVE_AUDIT
-                 .audit_fd = -EBADF,
--#endif
-         };
- 
-         log_setup();
- 
-         umask(0022);
- 
--#if HAVE_AUDIT
--        /* If the kernel lacks netlink or audit support, don't worry about it. */
--        c.audit_fd = audit_open();
--        if (c.audit_fd < 0)
--                log_full_errno(IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT) ? LOG_DEBUG : LOG_WARNING,
--                               errno, "Failed to connect to audit log, ignoring: %m");
--#endif
-+        c.audit_fd = open_audit_fd_or_warn();
- 
-         return dispatch_verb(argc, argv, verbs, &c);
- }
--- 
-2.47.1
-

0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch

@@ -0,0 +1,112 @@
+From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook <enr0n@ubuntu.com>
+Date: Fri, 19 Dec 2025 11:01:49 -0500
+Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
+
+The primary motivation for this is to allow users of ukify to build
+UKI-like objects, without having them later be detected as a UKI by
+tools like kernel-install and bootctl.
+
+The common code used by these tools to determine if a PE binary is a UKI
+checks that both .osrel and .linux sections are present. Hence, adding
+a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
+---
+ man/ukify.xml                |  5 ++++-
+ src/ukify/test/test_ukify.py | 15 +++++++++++----
+ src/ukify/ukify.py           | 10 +++++++++-
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/man/ukify.xml b/man/ukify.xml
+index 829761642d..7462c5c92f 100644
+--- a/man/ukify.xml
++++ b/man/ukify.xml
+@@ -365,7 +365,10 @@
+           <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
+           may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
+           <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
+-          will be picked up from the host system.</para>
++          will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
++          is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
++          to not be recognized as a UKI by other tools like <command>kernel-install</command>
++          and <command>bootctl</command>).</para>
+ 
+           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
+         </varlistentry>
+diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
+index f75ef0c891..224a38569f 100755
+--- a/src/ukify/test/test_ukify.py
++++ b/src/ukify/test/test_ukify.py
+@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
+ 
+     shutil.rmtree(tmp_path)
+ 
+-def test_inspect(kernel_initrd, tmp_path, capsys):
++def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
+     if kernel_initrd is None:
+         pytest.skip('linux+initrd not found')
+     if not shutil.which('sbsign'):
+@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     output = f'{tmp_path}/signed2.efi'
+     uname_arg='1.2.3'
+-    osrel_arg='Linux'
++    osrel_arg='Linux' if osrel else ''
+     cmdline_arg='ARG1 ARG2 ARG3'
+ 
+     args = [
+@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     text = capsys.readouterr().out
+ 
+-    expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
+-    assert expected_osrel in text
++    if osrel:
++        expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
++        assert expected_osrel in text
++    else:
++        assert '.osrel:' not in text
++
+     expected_cmdline = f'.cmdline:\n  size: {len(cmdline_arg)}'
+     assert expected_cmdline in text
+     expected_uname = f'.uname:\n  size: {len(uname_arg)}'
+@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     shutil.rmtree(tmp_path)
+ 
++def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
++    test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
++
+ @pytest.mark.skipif(not slow_tests, reason='slow')
+ def test_pcr_signing(kernel_initrd, tmp_path):
+     if kernel_initrd is None:
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index c98f8e2a5d..b7542c7eca 100755
+--- a/src/ukify/ukify.py
++++ b/src/ukify/ukify.py
+@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
+         '.profile',
+     }
+ 
++    if not opts.os_release:
++        to_import.remove('.osrel')
++
+     for profile in opts.join_profiles:
+         pe = pefile.PE(profile, fast_load=True)
+         prev_len = len(uki.sections)
+@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
+ 
+     opts.os_release = resolve_at_path(opts.os_release)
+ 
+-    if not opts.os_release and opts.linux:
++    if opts.os_release == '':
++        # If --os-release= with an empty string was passed, treat that as
++        # explicitly disabling the .osrel section, and do not fallback to the
++        # system's os-release files.
++        pass
++    elif opts.os_release is None and opts.linux:
+         p = Path('/etc/os-release')
+         if not p.exists():
+             p = Path('/usr/lib/os-release')
+-- 
+2.52.0
+

0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch

@@ -0,0 +1,51 @@
+From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Date: Mon, 12 Jan 2026 14:56:36 +0100
+Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
+
+When n_all_initrds == 0, then all_initrds is unmodified from its initial
+value of:
+
+	_cleanup_free_ struct iovec *all_initrds = NULL;
+
+and in the else block of the "if (n_all_initrds > 1)" the NULL is
+dereferenced:
+
+		final_initrd = all_initrds[0];
+
+Leading to the stub crashing due to a NULL pointer deref.
+
+Fix this by initializing final_initrd to all 0s and only
+running the else block if (n_all_initrds == 1).
+---
+ src/boot/stub.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/boot/stub.c b/src/boot/stub.c
+index 06ecbc7d18..65950262c6 100644
+--- a/src/boot/stub.c
++++ b/src/boot/stub.c
+@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
+ 
+         /* Combine the initrds into one */
+         _cleanup_pages_ Pages initrd_pages = {};
+-        struct iovec final_initrd;
++        struct iovec final_initrd = {};
+         if (n_all_initrds > 1) {
+-                /* There will always be a base initrd, if this counter is higher, we need to combine them */
++                /* If there is more then 1 initrd we need to combine them */
+                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
+                 if (err != EFI_SUCCESS)
+                         return err;
+@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
+ 
+                 /* Given these might be large let's free them explicitly before we pass control to Linux */
+                 initrds_free(&initrds);
+-        } else
++        } else if (n_all_initrds == 1)
+                 final_initrd = all_initrds[0];
+ 
+         struct iovec kernel = IOVEC_MAKE(
+-- 
+2.52.0
+

30846.patch

@@ -1,4 +1,4 @@
-From 9e3d6b193d79ce447cd329617ada941f331570a9 Mon Sep 17 00:00:00 2001
+From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Tue, 9 Jan 2024 11:28:04 +0100
 Subject: [PATCH] journal: again create user journals for users with high uids
@@ -39,17 +39,18 @@ revert the change to fix user systems.
 
 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
 ---
- src/basic/uid-classification.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ src/basic/uid-classification.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
-index e2d2cebc6de27..2c8b06c0d3088 100644
+index 203ce2c68a..2eb384395d 100644
 --- a/src/basic/uid-classification.c
 +++ b/src/basic/uid-classification.c
-@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
+@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
  
          /* Returns true if the specified UID shall get its data stored in the system journal. */
  
--        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
-+        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
+-        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
++        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
++
  }

38769.patch

@@ -0,0 +1,42 @@
+From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 30 Aug 2025 13:55:56 +0200
+Subject: [PATCH] core: create userdb root directory with correct label
+
+Set up the /run/systemd/userdb directory with the default SELinux context
+on creation.
+
+With version 257.7-1 on Debian the directory was automatically created with the
+correct label. Starting with version 258 (only tested with 258~rc3-1) it no
+longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
+
+[zjs: edited the patch to apply comments from review and update the description.]
+---
+ src/core/varlink.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/varlink.c b/src/core/varlink.c
+index 99f12c59e5..71a8ffd0e5 100644
+--- a/src/core/varlink.c
++++ b/src/core/varlink.c
+@@ -5,6 +5,7 @@
+ #include "constants.h"
+ #include "errno-util.h"
+ #include "manager.h"
++#include "mkdir-label.h"
+ #include "path-util.h"
+ #include "pidref.h"
+ #include "string-util.h"
+@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
+                         if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
+                                 continue;
+ 
+-                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
++                        r = mkdir_parents_label(address, 0755);
++                        if (r < 0)
++                                log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
++
++                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
+                         if (r < 0)
+                                 return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
+                 }

plans/run-integration-tests.sh

@@ -0,0 +1,127 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+# Switch SELinux to permissive if possible, since the tests don't set proper contexts
+setenforce 0 || true
+
+echo "CPU and Memory information:"
+lscpu
+lsmem
+
+echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
+
+# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
+sysctl fs.inotify.max_user_watches=65536 || true
+sysctl fs.inotify.max_user_instances=1024 || true
+
+if [[ -n "${KOJI_TASK_ID:-}" ]]; then
+    koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
+elif [[ -n "${CBS_TASK_ID:-}" ]]; then
+    cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
+elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
+    COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
+    COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
+    copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
+    mv "$COPR_CHROOT"/* .
+else
+    echo "Not running within packit and no CBS/koji task ID provided"
+    exit 1
+fi
+
+PACKAGEDIR="$PWD"
+
+# This will match both the regular and the debuginfo rpm so make sure we select only the
+# non-debuginfo rpm.
+RPMS=(systemd-tests-*.rpm)
+rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
+pushd usr/lib/systemd/tests
+mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
+
+# Now prepare mkosi at the same version required by the systemd repo.
+git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
+git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
+
+export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
+
+# shellcheck source=/dev/null
+. /etc/os-release || . /usr/lib/os-release
+
+tee mkosi/mkosi.local.conf <<EOF
+[Distribution]
+Distribution=${MKOSI_DISTRIBUTION:-$ID}
+Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
+
+[Content]
+PackageDirectories=$PACKAGEDIR
+SELinuxRelabel=yes
+
+[Build]
+ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
+ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
+ToolsTreePackageDirectories=$PACKAGEDIR
+Environment=NO_BUILD=1
+WithTests=yes
+EOF
+
+if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
+    tee --append mkosi/mkosi.local.conf <<EOF
+[Distribution]
+Repositories=$MKOSI_REPOSITORIES
+
+[Build]
+ToolsTreeRepositories=$MKOSI_REPOSITORIES
+EOF
+fi
+
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
+    tee --append mkosi/mkosi.local.conf <<EOF
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
+EOF
+fi
+
+# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
+modprobe kvm || true
+if [[ ! -e /dev/kvm ]]; then
+    export TEST_NO_QEMU=1
+fi
+
+NPROC="$(nproc)"
+if [[ "$NPROC" -ge 10 ]]; then
+    export TEST_JOURNAL_USE_TMP=1
+    NPROC="$((NPROC / 3))"
+else
+    NPROC="$((NPROC - 1))"
+fi
+
+# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
+# for now.
+export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
+
+mkosi genkey
+mkosi summary
+mkosi -f box -- true
+mkosi box -- meson setup build integration-tests/standalone
+mkosi -f
+if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
+    MAX_LINES=(--max-lines 300)
+else
+    MAX_LINES=()
+fi
+mkosi box -- \
+    meson test \
+        -C build \
+        --setup=integration \
+        --print-errorlogs \
+        --no-stdsplit \
+        --num-processes "$NPROC" \
+        "${MAX_LINES[@]}" && EC=0 || EC=$?
+
+[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
+[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
+
+popd
+
+exit "$EC"

plans/upstream.fmf

@@ -1,16 +1,22 @@
 summary: systemd upstream test suite
-discover:
-  how: fmf
-  dist-git-source: true
-  dist-git-install-builddeps: false
-prepare:
-  - name: systemd
-    how: install
-    exclude:
-      - systemd-standalone-.*
-execute:
-  how: tmt
 provision:
   hardware:
     virtualization:
       is-supported: true
+prepare:
+  - name: install-dependencies
+    how: install
+    package:
+      - coreutils
+      - distribution-gpg-keys
+      - dnf
+      - git-core
+      - koji
+      - centos-packager
+      - copr-cli
+    exclude:
+      - systemd-standalone-.*
+execute:
+    how: tmt
+    script: exec plans/run-integration-tests.sh
+    duration: 2h

purge-nobody-user

@@ -1,101 +0,0 @@
-#!/bin/bash -eu
-
-if [ $UID -ne 0 ]; then
-    echo "WARNING: This script needs to run as root to be effective"
-    exit 1
-fi
-
-export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
-
-if [ "${1:-}" = "--ignore-journal" ]; then
-    shift
-    ignore_journal=1
-else
-    ignore_journal=0
-fi
-
-echo "Checking processes..."
-if ps h -u 99 | grep .; then
-    echo "ERROR: ps reports processes with UID 99!"
-    exit 2
-fi
-echo "... not found"
-
-echo "Checking UTMP..."
-if w -h 199 | grep . ; then
-    echo "ERROR: w reports UID 99 as active!"
-    exit 2
-fi
-if w -h nobody | grep . ; then
-    echo "ERROR: w reports user nobody as active!"
-    exit 2
-fi
-echo "... not found"
-
-echo "Checking the journal..."
-if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
-    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
-    exit 2
-fi
-echo "... not found"
-
-echo "Looking for files in /etc, /run, /tmp, and /var..."
-if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
-    echo "ERROR: found files belonging to UID 99"
-    exit 2
-fi
-echo "... not found"
-
-echo "Checking if nobody is defined correctly..."
-if getent passwd nobody |
-	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
-then
-    echo "OK, nothing to do."
-    exit 0
-else
-    echo "NOTICE: User nobody is not defined correctly"
-fi
-
-echo "Checking if nfsnobody or something else is using the uid..."
-if getent passwd 65534 | grep . ; then
-    echo "NOTICE: will have to remove this user"
-else
-    echo "... not found"
-fi
-
-if [ "${1:-}" = "-x" ]; then
-    if getent passwd nobody >/dev/null; then
-	# this will remove both the user and the group.
-	( set -x
-   	  userdel nobody
-	)
-    fi
-
-    if getent passwd 65534 >/dev/null; then
-	# Make sure the uid is unused. This should free gid too.
-	name="$(getent passwd 65534 | cut -d: -f1)"
-	( set -x
-	  userdel "$name"
-	)
-    fi
-
-    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
-	echo "Sleeping, so sss can catch up"
-	sleep 3
-    fi
-
-    if getent group 65534; then
-	# Make sure the gid is unused, even if uid wasn't.
-	name="$(getent group 65534 | cut -d: -f1)"
-	( set -x
-	  groupdel "$name"
-	)
-    fi
-
-    # systemd-sysusers uses the same gid and uid
-    ( set -x
-      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
-    )
-else
-    echo "Pass '-x' to perform changes"
-fi

sources

@@ -1 +1 @@
-SHA512 (systemd-257.4.tar.gz) = dfa0f6de38fa30daffabf6b02d6533ca4e7027188186d7e2e9648b99dad5c4afa30773138f18a34111e7bb2e6ddae8302284429b98b580e757dc67535846afbe
+SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50

split-files.py

@@ -7,7 +7,6 @@ known_files = '''
 %ghost %config(noreplace) /etc/crypttab
 %ghost %attr(0444,root,root) /etc/udev/hwdb.bin
 /etc/inittab
-/usr/lib/systemd/purge-nobody-user
 # This directory is owned by openssh-server, but we don't want to introduce
 # a dependency. So let's copy the config and co-own the directory.
 %dir %attr(0700,root,root) /etc/ssh/sshd_config.d
@@ -122,7 +121,7 @@ for file in files(buildroot):
         o = outputs['rpm-macros']
     elif '/usr/lib/systemd/tests' in n:
         o = outputs['tests']
-    elif 'ukify' in n:
+    elif 'ukify' in n and '/man/' not in n:
         o = outputs['ukify']
     elif re.search(r'/libsystemd-core-.*\.so$', n):
         o = outputs['main']
@@ -130,7 +129,7 @@ for file in files(buildroot):
         o = outputs['shared']
     elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
         o = outputs['udev']
-    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n):
+    elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
         o = outputs['devel']
     elif re.search(r'''journal-(remote|gateway|upload)|
                        systemd-remote\.conf|
@@ -149,13 +148,14 @@ for file in files(buildroot):
 
     elif re.search(r'''mymachines|
                        machinectl|
+                       mount.ddi|
                        importctl|
                        portablectl|
                        systemd-nspawn|
                        systemd\.nspawn|
                        systemd-vmspawn|
                        systemd-dissect|
-                       import-pubring.gpg|
+                       import-pubring|
                        systemd-machined|
                        systemd-import|
                        systemd-export|
@@ -234,7 +234,8 @@ for file in files(buildroot):
                        integritytab|
                        remount-fs|
                        /initrd|
-                       systemd-pcr|
+                       systemd[.-]pcr|
+                       /pcrlock\.d|
                        systemd-measure|
                        /boot$|
                        /kernel/|
@@ -244,6 +245,7 @@ for file in files(buildroot):
                        sysctl|
                        coredump|
                        homed|home1|
+                       sysupdate|updatctl|
                        oomd|
                        portabled|portable1
     ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because
@@ -269,13 +271,13 @@ for file in files(buildroot):
 
     if n in known_files:
         prefix = known_files[n].split()[:-1]
-    elif file.is_dir() and not file.is_symlink():
+    elif file.is_dir(follow_symlinks=False):
         prefix = ['%dir']
     elif 'README' in n:
         prefix = ['%doc']
     elif n.startswith('/etc'):
         prefix = ['%config(noreplace)']
-        if file.stat().st_size == 0:
+        if not file.is_symlink() and file.stat().st_size == 0:
             prefix += ['%ghost']
     else:
         prefix = []

systemd.spec

@@ -1,6 +1,3 @@
-#global commit 1781de18ab8ebc3e42a607851d8effb3b0355c87
-%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
-
 # We ship a .pc file but don't want to have a dep on pkg-config. We
 # strip the automatically generated dep here and instead co-own the
 # directory.
@@ -27,7 +24,8 @@
 %bcond bootstrap 0
 %bcond tests     1
 %bcond lto       1
-%bcond docs      1
+# Build docs on 64-bit architectures only
+%bcond docs      %[%{?__isa_bits} >= 64]
 
 # Build from git main
 %bcond upstream  0
@@ -40,12 +38,34 @@
 # that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed)
 %if %{with bootstrap}
 %global __meson_auto_features disabled
+# If we're building for upstream, don't unconditionally enable all
+# new features as new features might be introduced for which we're
+# missing build dependencies.
+%elif %{with upstream}
+%global __meson_auto_features auto
 %endif
 
 # Override %%autorelease. This is ugly, but rpmautospec doesn't implement
 # autorelease correctly if the macro is conditionalized in the Release field.
 %{?release_override:%global autorelease %{release_override}%{?dist}}
 
+# In OBS, noarch packages are shared between all architectures and
+# independent architectures can be rebuilt automatically without all
+# the other architectures getting rebuilt. This can result in the noarch
+# packages being newer than the archful packages for some architectures,
+# which means our current strict deps from the noarch packages on the
+# archful packages can't be satisfied.
+#
+# To address this problem, let's relax the dependencies from the noarch
+# packages on the archful packages for OBS builds. Let's only do this for
+# OBS builds because this isn't an issue on Fedora as it's impossible to
+# build a package for only some of the architectures.
+%if %{with obs}
+%define noarch_requires_version %{version}
+%else
+%define noarch_requires_version %{version}-%{release}
+%endif
+
 Name:           systemd
 Url:            https://systemd.io
 # Allow users to specify the version and release when building the rpm by
@@ -53,7 +73,7 @@ Url:            https://systemd.io
 # But don't do that on OBS, otherwise the version subst fails, and will be
 # like 257-123-gabcd257.1 instead of 257-123-gabcd
 %if %{without obs}
-Version:        %{?version_override}%{!?version_override:257.4}
+Version:        %{?version_override}%{!?version_override:259}
 %else
 Version:        %{?version_override}%{!?version_override:%(cat meson.version)}
 %endif
@@ -67,19 +87,20 @@ Summary:        System and Service Manager
 
 # download tarballs with "spectool -g systemd.spec"
 # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list
-# the fallback source that's used if neither %%branch nor %%commit are defined first.
-%if %{undefined branch} && %{undefined commit}
-Source0:        https://github.com/systemd/systemd/archive/v%{version}/%{name}-%{version}.tar.gz
+# the fallback source that's used if neither %%branch, %%commit or %%obs are defined first.
+%if %{undefined branch} && %{undefined commit} && %{without obs}
+Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz
 %elif %{defined branch}
 Source0:        https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz
 %elif %{defined commit}
-Source0:        https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
+Source0:        https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{commit}.tar.gz
+%elif %{with obs}
+Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz
 %endif
 # This file must be available before %%prep.
 # It is generated during systemd build and can be found at build/src/rpm/triggers.systemd.sh.
 Source1:        triggers.systemd
 Source2:        split-files.py
-Source3:        purge-nobody-user
 Source4:        test_sysusers_defined.py
 
 Source6:        inittab
@@ -115,19 +136,28 @@ Patch:          https://github.com/systemd/systemd/pull/26494.patch
 %endif
 
 %if %{without upstream}
-# Temporarily drop use of PrivateTmp=disconnected. This is causing failures
-# in various places:
-# https://bugzilla.redhat.com/show_bug.cgi?id=2334015
-# https://github.com/coreos/fedora-coreos-tracker/issues/1857
-Patch:          0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
+# Those are downstream-only patches, but we don't want them in packit builds.
 
-# Backport of sysusers audit support for
-#  https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers.
-Patch:          0002-sysusers-emit-audit-events-for-user-and-group-creati.patch
-
-# Those are downstream-only patches, but we don't want them in packit builds:
+# Create user journals for users with high UIDs
 # https://bugzilla.redhat.com/show_bug.cgi?id=2251843
-Patch:          https://github.com/systemd/systemd/pull/30846.patch
+Patch:          30846.patch
+
+# Again create runlevelX.target. Dropping those files breaks upgrades.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2411195
+Patch:          0001-Revert-units-drop-runlevel-0-6-.target.patch
+
+# userdb: create userdb root directory with correct label
+# We can drop this after SELinux policy is updated to handle the transition.
+Patch:          38769.patch
+
+# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701
+Patch:          0002-machined-continue-without-resolve.hook-socket.patch
+
+# 2 patches for https://fedoraproject.org/wiki/Changes/Automatic_DTB_selection_for_aarch64_EFI_systems
+# Upstream commit: https://github.com/systemd/systemd/commit/75890d949f92c412c0936b8536b2e0dc8f7dfb40
+Patch:          0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch
+# Upstream PR: https://github.com/systemd/systemd/pull/40329
+Patch:          0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch
 %endif
 
 %ifarch %{ix86} x86_64 aarch64 riscv64
@@ -139,7 +169,6 @@ BuildRequires:  gcc-c++
 BuildRequires:  clang
 BuildRequires:  coreutils
 BuildRequires:  rpmdevtools
-BuildRequires:  libcap-devel
 BuildRequires:  libmount-devel
 BuildRequires:  libfdisk-devel
 BuildRequires:  libpwquality-devel
@@ -149,6 +178,9 @@ BuildRequires:  libselinux-devel
 BuildRequires:  audit-libs-devel
 %if %{without bootstrap}
 BuildRequires:  cryptsetup-devel
+# Require (previous version) of our macros package.
+# We use the %%systemd_{post,preun,…} macros for various services.
+BuildRequires:  systemd-rpm-macros
 %endif
 BuildRequires:  dbus-devel
 BuildRequires:  util-linux
@@ -253,17 +285,17 @@ Requires(post): coreutils
 Requires(post): grep
 # systemd-machine-id-setup requires libssl
 Requires(post): openssl-libs
-Requires:       dbus >= 1.9.18
-Requires:       %{name}-pam%{_isa} = %{version}-%{release}
-Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build)
-Requires:       %{name}-libs%{_isa} = %{version}-%{release}
-%{?fedora:Recommends:     %{name}-networkd = %{version}-%{release}}
-%{?fedora:Recommends:     %{name}-resolved = %{version}-%{release}}
-Requires:       %{name}-shared%{_isa} = %{version}-%{release}
+Recommends:     dbus >= 1.9.18
+Recommends:     systemd-pam%{_isa} = %{version}-%{release}
+Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build)
+Requires:       systemd-libs%{_isa} = %{version}-%{release}
+%{?fedora:Recommends:     systemd-networkd = %{version}-%{release}}
+%{?fedora:Recommends:     systemd-resolved = %{version}-%{release}}
+Requires:       systemd-shared%{_isa} = %{version}-%{release}
 Requires:       /usr/bin/systemd-sysusers
 # The standalone version doesn't Provide the _isa suffix,
 # so this biases towards the common version.
-Recommends:     %{name}-sysusers%{_isa} = %{version}-%{release}
+Recommends:     systemd-sysusers%{_isa} = %{version}-%{release}
 Recommends:     diffutils
 Requires:       (util-linux-core or util-linux)
 Requires:       (libbpf >= 2:1.4.7 if libbpf)
@@ -296,10 +328,10 @@ Conflicts:      dracut < 060-2
 Conflicts:      dracut < 059-16
 %endif
 
-Conflicts:      %{name}-standalone-tmpfiles
-Provides:       %{name}-tmpfiles = %{version}-%{release}
-Conflicts:      %{name}-standalone-shutdown
-Provides:       %{name}-shutdown = %{version}-%{release}
+Conflicts:      systemd-standalone-tmpfiles
+Provides:       systemd-tmpfiles = %{version}-%{release}
+Conflicts:      systemd-standalone-shutdown
+Provides:       systemd-shutdown = %{version}-%{release}
 
 %if "%{_sbindir}" == "%{_bindir}"
 # Compat symlinks for Requires in other packages.
@@ -309,11 +341,15 @@ Provides:       /usr/sbin/halt
 Provides:       /usr/sbin/init
 Provides:       /usr/sbin/poweroff
 Provides:       /usr/sbin/reboot
-Provides:       /usr/sbin/runlevel
 Provides:       /usr/sbin/shutdown
-Provides:       /usr/sbin/telinit
 %endif
 
+# libmount is always required, even in containers, so make it a hard dependency.
+Requires:       libmount.so.1%{?elf_suffix}
+Requires:       libmount.so.1(MOUNT_2.26)%{?elf_bits}
+# Various systemd services have syscall filters so make libseccomp a hard dependency.
+Requires:       libseccomp.so.2%{?elf_suffix}
+
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 Recommends:     libxkbcommon.so.0%{?elf_suffix}
 Recommends:     libidn2.so.0%{?elf_suffix}
@@ -368,6 +404,7 @@ Summary:        systemd libraries
 License:        LGPL-2.1-or-later AND MIT
 Provides:       nss-myhostname = 0.4
 Provides:       nss-myhostname%{_isa} = 0.4
+Conflicts:      systemd-shared < %{version}-%{release}
 
 %description libs
 Libraries for systemd and udev.
@@ -375,13 +412,18 @@ Libraries for systemd and udev.
 %package shared
 Summary:        Internal systemd shared library
 License:        LGPL-2.1-or-later AND MIT
+# in 257.3-6 /usr/lib64/systemd/libsystemd-shared-257.2-14.fc42.so
+# was moved from package systemd to systemd-shared.
+# Add a conflit to allow downgrades across this change.
+Conflicts:      systemd < 257.3-6
+Conflicts:      systemd-libs < %{version}-%{release}
 
 %description shared
 Internal libraries used by various systemd binaries.
 
 %package pam
 Summary:        systemd PAM module
-Requires:       %{name} = %{version}-%{release}
+Requires:       systemd = %{version}-%{release}
 
 %description pam
 Systemd PAM module registers the session with systemd-logind.
@@ -399,8 +441,11 @@ for information how to use those macros.
 
 %package sysusers
 Summary:        systemd-sysusers program
-Requires:       %{name}-shared%{_isa} = %{version}-%{release}
-Conflicts:      %{name}-standalone-sysusers
+Requires:       systemd-shared%{_isa} = %{version}-%{release}
+Conflicts:      systemd-standalone-sysusers
+# in 257.3-6 /usr/bin/systemd-sysusers was moved from package systemd
+# to systemd-sysusers. Add a conflit to allow downgrades across this change.
+Conflicts:      systemd < 257.3-6
 
 %description sysusers
 This package contains the systemd-sysusers program.
@@ -408,8 +453,8 @@ This package contains the systemd-sysusers program.
 %package devel
 Summary:        Development headers for systemd
 License:        LGPL-2.1-or-later AND MIT
-Requires:       %{name}-libs%{_isa} = %{version}-%{release}
-Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build)
+Requires:       systemd-libs%{_isa} = %{version}-%{release}
+Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build)
 Provides:       libudev-devel = %{version}
 Provides:       libudev-devel%{_isa} = %{version}
 
@@ -431,6 +476,8 @@ Provides:       udev = %{version}
 Provides:       udev%{_isa} = %{version}
 %if 0%{?fedora} || 0%{?rhel} >= 10
 Requires:       (grubby > 8.40-72 if grubby)
+%endif
+%if 0%{?fedora}
 Requires:       (sdubby > 1.0-3 if sdubby)
 %endif
 # A backport of systemd-timesyncd is shipped as a separate package in EPEL so
@@ -440,11 +487,15 @@ Conflicts:      systemd-timesyncd < %{version}-%{release}
 Obsoletes:      systemd-timesyncd < %{version}-%{release}
 Provides:       systemd-timesyncd = %{version}-%{release}
 %endif
+Conflicts:      systemd-networkd < %{version}-%{release}
 
 # Libkmod is used to load modules. Assume that if we need udevd, we certainly
 # want to load modules, so make this into a hard dependency here.
 Requires:       libkmod.so.2%{?elf_suffix}
 Requires:       libkmod.so.2(LIBKMOD_5)%{?elf_bits}
+# udev uses libblkid in various builtins so make it a hard dependency.
+Requires:       libblkid.so.1%{?elf_suffix}
+Requires:       libblkid.so.1(BLKID_2.30)%{?elf_bits}
 
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 # used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home
@@ -473,8 +524,12 @@ Requires:       kbd
 Provides:       u2f-hidraw-policy = 1.0.2-40
 Obsoletes:      u2f-hidraw-policy < 1.0.2-40
 
-Conflicts:      %{name}-standalone-repart
-Provides:       %{name}-repart = %{version}-%{release}
+Conflicts:      systemd-standalone-repart
+Provides:       systemd-repart = %{version}-%{release}
+
+# Newer versions of those are required to support X11 keycode remapping
+Conflicts:      xorg-x11-drv-evdev < 2.11.0
+Conflicts:      xorg-x11-drv-libinput < 1.5.0
 
 %if "%{_sbindir}" == "%{_bindir}"
 # Compat symlinks for Requires in other packages.
@@ -495,7 +550,7 @@ machine, and to create or grow partitions and make file systems automatically.
 
 %package ukify
 Summary:        Tool to build Unified Kernel Images
-Requires:       %{name} = %{version}-%{release}
+Requires:       systemd = %{noarch_requires_version}
 
 Requires:       (systemd-boot if %{shrink:(
         filesystem(x86-32) or
@@ -504,9 +559,7 @@ Requires:       (systemd-boot if %{shrink:(
         filesystem(riscv64)
 )})
 Requires:       python3dist(pefile)
-%if 0%{?fedora}
 Requires:       python3dist(zstandard)
-%endif
 Requires:       python3dist(cryptography)
 %if 0%{?fedora}
 Recommends:     python3dist(pillow)
@@ -568,7 +621,7 @@ This package contains the signed version.
 %package container
 # Name is the same as in Debian
 Summary: Tools for containers and VMs
-Requires:       %{name}%{_isa} = %{version}-%{release}
+Requires:       systemd%{_isa} = %{version}-%{release}
 Requires(post):   systemd%{_isa} = %{version}-%{release}
 Requires(preun):  systemd%{_isa} = %{version}-%{release}
 Requires(postun): systemd%{_isa} = %{version}-%{release}
@@ -591,11 +644,11 @@ systemd-machined, and systemd-importd.
 %package journal-remote
 # Name is the same as in Debian
 Summary:        Tools to send journal events over the network
-Requires:       %{name}%{_isa} = %{version}-%{release}
+Requires:       systemd%{_isa} = %{version}-%{release}
 License:        LGPL-2.1-or-later
 Requires:       firewalld-filesystem
-Provides:       %{name}-journal-gateway = %{version}-%{release}
-Provides:       %{name}-journal-gateway%{_isa} = %{version}-%{release}
+Provides:       systemd-journal-gateway = %{version}-%{release}
+Provides:       systemd-journal-gateway%{_isa} = %{version}-%{release}
 # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040)
 Suggests:       libcurl-minimal
 
@@ -608,8 +661,9 @@ systemd-journal-upload.
 
 %package networkd
 Summary:        System daemon that manages network configurations
-Requires:       %{name}%{_isa} = %{version}-%{release}
-%{?fedora:Recommends:     %{name}-udev = %{version}-%{release}}
+Requires:       systemd%{_isa} = %{version}-%{release}
+%{?fedora:Recommends:     systemd-udev = %{version}-%{release}}
+Conflicts:      systemd-udev < %{version}-%{release}
 License:        LGPL-2.1-or-later
 
 %description networkd
@@ -619,7 +673,7 @@ devices.
 
 %package networkd-defaults
 Summary:        Configure network interfaces with networkd by default
-Requires:       %{name}-networkd = %{version}-%{release}
+Requires:       systemd-networkd = %{noarch_requires_version}
 License:        MIT-0
 BuildArch:      noarch
 
@@ -630,7 +684,7 @@ enabled for this to have any effect.
 
 %package resolved
 Summary:        Network Name Resolution manager
-Requires:       %{name}%{_isa} = %{version}-%{release}
+Requires:       systemd%{_isa} = %{version}-%{release}
 Requires:       libidn2.so.0%{?elf_suffix}
 Requires:       libidn2.so.0(IDN2_0.0.0)%{?elf_bits}
 Requires(posttrans): grep
@@ -642,7 +696,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder.
 
 %package oomd-defaults
 Summary:        Configuration files for systemd-oomd
-Requires:       %{name}-udev = %{version}-%{release}
+Requires:       systemd-udev = %{noarch_requires_version}
 License:        LGPL-2.1-or-later
 BuildArch:      noarch
 
@@ -652,10 +706,10 @@ a userspace out-of-memory (OOM) killer.
 
 %package tests
 Summary:       Internal unit tests for systemd
-Requires:      %{name}%{_isa} = %{version}-%{release}
+Requires:      systemd%{_isa} = %{version}-%{release}
 # This dependency is provided transitively. Also add it explicitly to
 # appease rpminspect, https://github.com/rpminspect/rpminspect/issues/1231:
-Requires:      %{name}-libs%{_isa} = %{version}-%{release}
+Requires:      systemd-libs%{_isa} = %{version}-%{release}
 Requires:      python3dist(psutil)
 
 License:       LGPL-2.1-or-later
@@ -666,8 +720,8 @@ Different binaries test different parts of the codebase.
 
 %package standalone-repart
 Summary:       Standalone systemd-repart binary for use on systems without systemd
-Provides:      %{name}-repart = %{version}-%{release}
-Conflicts:     %{name}-udev
+Provides:      systemd-repart = %{version}-%{release}
+Conflicts:     systemd-udev
 Suggests:      coreutils-single
 RemovePathPostfixes: .standalone
 
@@ -678,8 +732,8 @@ main systemd package and is meant for use on systems without systemd.
 
 %package standalone-tmpfiles
 Summary:       Standalone systemd-tmpfiles binary for use on systems without systemd
-Provides:      %{name}-tmpfiles = %{version}-%{release}
-Conflicts:     %{name}
+Provides:      systemd-tmpfiles = %{version}-%{release}
+Conflicts:     systemd
 Suggests:      coreutils-single
 RemovePathPostfixes: .standalone
 
@@ -690,7 +744,7 @@ main systemd package and is meant for use on systems without systemd.
 
 %package standalone-sysusers
 Summary:       Standalone systemd-sysusers binary for use on systems without systemd
-Provides:      %{name}-sysusers = %{version}-%{release}
+Provides:      systemd-sysusers = %{version}-%{release}
 Suggests:      coreutils-single
 RemovePathPostfixes: .standalone
 
@@ -701,8 +755,8 @@ main systemd package and is meant for use on systems without systemd.
 
 %package standalone-shutdown
 Summary:       Standalone systemd-shutdown binary for use in exitrds
-Provides:      %{name}-shutdown = %{version}-%{release}
-Conflicts:     %{name}
+Provides:      systemd-shutdown = %{version}-%{release}
+Conflicts:     systemd
 Suggests:      coreutils-single
 RemovePathPostfixes: .standalone
 
@@ -712,12 +766,15 @@ library or other libraries from systemd-libs. This package conflicts with the
 main systemd package and is meant for use in exitrds.
 
 %prep
-%if %{defined branch}
-%autosetup -n %{name}-%{branch} -p1
-%elif %{defined commit}
-%autosetup -n %{name}-%{commit} -p1
-%else
-%autosetup -n %{name}-%{version} -p1
+%if %{with obs}
+# Recipe files in the OBS build are in a distro-specific dir, as they conflict (e.g. with SUSE ones)
+mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir}
+%endif
+
+# Automatically figure out the name of the top-level directory.
+# TODO: Use %%autosetup -C once we can depend on rpm >= 4.20.
+%if %{undefined _build_in_place}
+%autosetup -n %(tar -tf %{SOURCE0} 2>/dev/null | head -n1) -p1
 %endif
 
 # Disable user lockdown until rpm implements it natively.
@@ -780,7 +837,6 @@ CONFIGURE_OPTS=(
         -Dacl=enabled
         -Dsmack=true
         -Dopenssl=enabled
-        -Dcryptolib=openssl
         -Dp11kit=enabled
         -Dgcrypt=disabled
         -Daudit=enabled
@@ -799,6 +855,8 @@ CONFIGURE_OPTS=(
         -Dlibfido2=enabled
         -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"]
         -Defi=true
+        -Dsysupdate=enabled
+        -Dsysupdated=enabled
         -Dtpm=true
         -Dtpm2=enabled
         -Dhwdb=true
@@ -857,6 +915,19 @@ CONFIGURE_OPTS=(
         -Dsystemd-resolve-uid=193
         # -Dsystemd-timesync-uid=, not set yet
 
+        # Make sure we use the original paths to maintain compatibility
+        # with unmerged systems
+        -Dquotaon-path=/usr/sbin/quotaon
+        -Dquotacheck-path=/usr/sbin/quotacheck
+        -Dkmod-path=/usr/bin/kmod
+        -Dkexec-path=/usr/sbin/kexec
+        -Dsulogin-path=/usr/sbin/sulogin
+        -Dmount-path=/usr/bin/mount
+        -Dumount-path=/usr/bin/umount
+        -Dloadkeys-path=/usr/bin/loadkeys
+        -Dsetfont-path=/usr/bin/setfont
+        -Dnologin-path=/usr/sbin/nologin
+
         # For now, let's build the bootloader in the same places where we
         # built with gnu-efi. Later on, we might want to extend coverage, but
         # considering that that support is untested, let's not do this now.
@@ -925,8 +996,6 @@ touch %{buildroot}/etc/systemd/coredump.conf \
       %{buildroot}/etc/udev/udev.conf \
       %{buildroot}/etc/udev/iocost.conf
 
-install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
-
 # /etc/initab
 install -Dm0644 -t %{buildroot}/etc/ %{SOURCE6}
 
@@ -959,6 +1028,7 @@ touch %{buildroot}%{_sysconfdir}/machine-info
 touch %{buildroot}%{_sysconfdir}/localtime
 mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d
 touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf
+install -d -m 0700 %{buildroot}%{_sysconfdir}/userdb
 
 # Make sure the shutdown/sleep drop-in dirs exist
 mkdir -p %{buildroot}%{pkgdir}/system-shutdown/
@@ -1060,9 +1130,14 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/
 # and https://src.fedoraproject.org/rpms/setup/pull-request/10.
 # We skip this on upstream builds so that new users and groups
 # can be added without breaking the build.
+%if 0%{?fedora} >= 43
+IGNORED=empower \
+  %{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
+%else
 %{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
 %endif
-rm %{buildroot}/usr/lib/sysusers.d/basic.conf
+%endif
+sed -n -r -i '1,7p; /can .do.|empower/p' %{buildroot}/usr/lib/sysusers.d/basic.conf
 %endif
 
 # Disable sshd_config.d/20-systemd-userdb.conf for now.
@@ -1074,15 +1149,6 @@ mv %{buildroot}/usr/lib/tmpfiles.d/20-systemd-userdb.conf{,.example}
 
 install -m 0644 -t %{buildroot}%{_prefix}/lib/pam.d/ %{SOURCE26}
 
-# Disable freezing of user sessions while we're working out the details.
-mkdir -p %{buildroot}/usr/lib/systemd/system/service.d/
-cat >>%{buildroot}/usr/lib/systemd/system/service.d/50-keep-warm.conf <<EOF
-# Disable freezing of user sessions to work around kernel bugs.
-# See https://bugzilla.redhat.com/show_bug.cgi?id=2321268
-[Service]
-Environment=SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=0
-EOF
-
 %find_lang %{name}
 
 # Split files in build root into rpms
@@ -1098,6 +1164,14 @@ BRP_PESIGN_FILES=/usr/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi BRP_PESIG
 meson test -C %{_vpath_builddir} -t 6 --print-errorlogs
 %endif
 
+%if %{with lto}
+# Make sure that LTO is effective at removing unused code. When compiled
+# without LTO, we end up with all of libbasic_static.a in libsystemd.so.
+# For example, all the configuration stuff is not needed for libsystemd.so.
+# Make sure it is gone.
+(! strings %{buildroot}%{_libdir}/libsystemd.so | grep Config)
+%endif
+
 #############################################################################################
 
 %if %{without upstream} || (0%{?fedora} < 41 && 0%{?rhel} < 11)
@@ -1168,7 +1242,106 @@ systemctl daemon-reexec || :
 # a different package version.
 systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || :
 
-%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service %{?want_bootloader:systemd-boot-update.service} systemd-oomd.service systemd-portabled.service systemd-pstore.service systemd-timesyncd.service remote-cryptsetup.target
+%global udev_services %{shrink:
+                        cryptsetup-pre.target
+                        cryptsetup.target
+                        hibernate.target
+                        hybrid-sleep.target
+                        initrd-cleanup.service
+                        initrd-fs.target
+                        initrd-parse-etc.service
+                        initrd-root-device.target
+                        initrd-root-fs.target
+                        initrd-switch-root.service
+                        initrd-switch-root.target
+                        initrd-udevadm-cleanup-db.service
+                        initrd-usr-fs.target
+                        initrd.target
+                        integritysetup-pre.target
+                        integritysetup.target
+                        kmod-static-nodes.service
+                        proc-sys-fs-binfmt_misc.automount
+                        proc-sys-fs-binfmt_misc.mount
+                        quotaon-root.service
+                        quotaon@.service
+                        remote-cryptsetup.target
+                        remote-veritysetup.target
+                        sleep.target
+                        suspend-then-hibernate.target
+                        suspend.target
+                        system-systemd\\x2dcryptsetup.slice
+                        system-systemd\\x2dveritysetup.slice
+                        systemd-backlight@.service
+                        systemd-binfmt.service
+                        systemd-bless-boot.service
+                        systemd-bsod.service
+                        systemd-coredump.socket
+                        systemd-coredump@.service
+                        systemd-fsck-root.service
+                        systemd-fsck@.service
+                        systemd-growfs-root.service
+                        systemd-growfs@.service
+                        systemd-hibernate-clear.service
+                        systemd-hibernate-resume.service
+                        systemd-hibernate.service
+                        systemd-homed-activate.service
+                        systemd-homed-firstboot.service
+                        systemd-homed.service
+                        systemd-hwdb-update.service
+                        systemd-hybrid-sleep.service
+                        systemd-modules-load.service
+                        systemd-network-generator.service
+                        systemd-oomd.service
+                        systemd-oomd.socket
+                        systemd-pcrextend.socket
+                        systemd-pcrextend@.service
+                        systemd-pcrfs-root.service
+                        systemd-pcrfs@.service
+                        systemd-pcrlock-file-system.service
+                        systemd-pcrlock-firmware-code.service
+                        systemd-pcrlock-firmware-config.service
+                        systemd-pcrlock-machine-id.service
+                        systemd-pcrlock-make-policy.service
+                        systemd-pcrlock-secureboot-authority.service
+                        systemd-pcrlock-secureboot-policy.service
+                        systemd-pcrlock.socket
+                        systemd-pcrlock@.service
+                        systemd-pcrmachine.service
+                        systemd-pcrphase-initrd.service
+                        systemd-pcrphase-sysinit.service
+                        systemd-pcrphase.service
+                        systemd-portabled.service
+                        systemd-pstore.service
+                        systemd-quotacheck-root.service
+                        systemd-quotacheck@.service
+                        systemd-random-seed.service
+                        systemd-remount-fs.service
+                        systemd-repart.service
+                        systemd-rfkill.service
+                        systemd-rfkill.socket
+                        systemd-suspend-then-hibernate.service
+                        systemd-suspend.service
+                        systemd-sysctl.service
+                        systemd-timesyncd.service
+                        systemd-tmpfiles-setup-dev-early.service
+                        systemd-tmpfiles-setup-dev.service
+                        systemd-udev-load-credentials.service
+                        systemd-udev-settle.service
+                        systemd-udev-trigger.service
+                        systemd-udevd-control.socket
+                        systemd-udevd-kernel.socket
+                        systemd-udevd.service
+                        systemd-vconsole-setup.service
+                        systemd-volatile-root.service
+                        veritysetup-pre.target
+                        veritysetup.target
+                        %{?want_bootloader:
+                          systemd-boot-random-seed.service
+                          systemd-boot-update.service
+                          systemd-bootctl.socket
+                          systemd-bootctl@.service
+                         }
+                       }
 
 %post udev
 # Move old stuff around in /var/lib
@@ -1202,7 +1375,7 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null &&
 %posttrans udev
 # Restart some services.
 # Others are either oneshot services, or sockets, and restarting them causes issues (#1378974)
-%systemd_posttrans_with_restart systemd-udevd.service systemd-timesyncd.service
+%systemd_posttrans_with_restart systemd-udevd.service systemd-timesyncd.service systemd-homed.service systemd-oomd.service systemd-portabled.service
 
 %global journal_remote_units_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service
 %global journal_remote_units_norestart systemd-journal-gatewayd.socket systemd-journal-remote.socket
@@ -1224,6 +1397,15 @@ fi
 %systemd_posttrans_with_restart %journal_remote_units_restart
 %firewalld_reload
 
+%global networkd_services %{shrink:
+                            systemd-networkd.service
+                            systemd-networkd.socket
+                            systemd-networkd-varlink.socket
+                            systemd-networkd-wait-online.service
+                            systemd-network-generator.service
+                            systemd-networkd-persistent-storage.service
+                           }
+
 %post networkd
 # systemd-networkd was split out in systemd-246.6-2.
 # Ideally, we would have a trigger scriptlet to record enablement
@@ -1237,11 +1419,11 @@ fi
 if [ $1 -eq 1 ] && ls /usr/lib/systemd/libsystemd-shared-24[0-6].so &>/dev/null; then
     echo "Skipping presets for systemd-networkd.service, seems we are upgrading from old systemd."
 else
-    %systemd_post systemd-networkd.service systemd-networkd-wait-online.service
+    %systemd_post %networkd_services
 fi
 
 %preun networkd
-%systemd_preun systemd-networkd.service systemd-networkd-wait-online.service
+%systemd_preun %networkd_services
 
 %posttrans networkd
 %systemd_posttrans_with_restart systemd-networkd.service

test_sysusers_defined.py

@@ -1,5 +1,6 @@
 #!/usr/bin/python
 
+import os
 import sys
 
 def parse_sysusers_file(filename):
@@ -21,14 +22,18 @@ def parse_sysusers_file(filename):
                 assert False
     return users, groups
 
-setup_users, setup_groups = parse_sysusers_file(sys.argv[1])
-setup_users2, setup_groups2 = parse_sysusers_file(sys.argv[2])
-setup_users |= setup_users2
-setup_groups |= setup_groups2
+setup_users, setup_groups = set(), set()
 
-basic_users, basic_groups = parse_sysusers_file(sys.argv[3])
+for arg in sys.argv[1:-1]:
+    users, groups = parse_sysusers_file(arg)
+    setup_users |= users
+    setup_groups |= groups
 
-if d := basic_users - setup_users:
+basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
+
+ignored = set(os.getenv('IGNORED', '').split())
+
+if d := basic_users - setup_users - ignored:
     exit(f'We have new users: {d}')
-if d := basic_groups - setup_groups:
+if d := basic_groups - setup_groups - ignored:
     exit(f'We have new groups: {d}')

triggers.systemd

@@ -9,17 +9,17 @@
 #
 # Minimum rpm version supported: 4.14.0
 
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
 
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
 /usr/lib/systemd/systemd-update-helper user-reload-restart || :
 
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # On removal, we need to run daemon-reload after any units have been
 # removed.
 # On upgrade, we need to run daemon-reload after any new unit files
@@ -27,35 +27,35 @@
 # executed.
 /usr/lib/systemd/systemd-update-helper system-reload || :
 
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # Execute daemon-reload in user managers.
 /usr/lib/systemd/systemd-update-helper user-reload || :
 
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # We restart remaining system services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper system-restart || :
 
-%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # We restart remaining user services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper user-restart || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
 systemd-sysusers || :
 
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
 systemd-hwdb update || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
 journalctl --update-catalog || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d "/run/systemd/system"; then
@@ -64,7 +64,7 @@ if test -d "/run/systemd/system"; then
   /usr/lib/systemd/systemd-binfmt || :
 fi
 
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
 # This script will process files installed in /usr/lib/tmpfiles.d to create
 # tmpfiles automatically. The priority is set such that it will run
 # after the sysusers file trigger, but before any other triggers.
@@ -72,14 +72,12 @@ if test -d "/run/systemd/system"; then
   systemd-tmpfiles --create || :
 fi
 
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
 # This script will automatically update udev with new rules if files
 # have been installed or updated in /usr/lib/udev/rules.d.
-if test -e /run/udev/control; then
-  udevadm control --reload || :
-fi
+/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
 
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
 # This script will automatically apply sysctl rules if files have been
 # installed or updated in /usr/lib/sysctl.d.
 if test -d "/run/systemd/system"; then