Add 2 patches for automatic aarch64 DTB selection change

This reverts commit 56377438ba. Dropping
of the option currently doesn't disable anything, it just moves the
file. I don't think we gain anything by moving the file and actually
this causes problems [1], so let's just return to status quo ante.

[1] file /etc/init.d conflicts between attempted installs of systemd-259.999+69+g6ceb76bfc-2548.1.x86_64 and chkconfig-1.33-3.fc44.x86_64

[skip changelog]

0001-Revert-units-drop-runlevel-0-6-.target.patch

@@ -0,0 +1,88 @@
+From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Nov 2025 17:52:16 +0100
+Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
+
+This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
+The unit are still needed for compat.
+---
+ units/meson.build | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index 2e04c4aa2b..46eaac4073 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -1,5 +1,7 @@
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
++with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
++
+ units = [
+         { 'file' : 'basic.target' },
+         { 'file' : 'blockdev@.target' },
+@@ -49,7 +51,7 @@ units = [
+         },
+         {
+           'file' : 'graphical.target',
+-          'symlinks' : ['default.target'],
++          'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
+         },
+         { 'file' : 'halt.target' },
+         {
+@@ -142,7 +144,10 @@ units = [
+           'conditions' : ['ENABLE_MACHINED'],
+         },
+         { 'file' : 'modprobe@.service' },
+-        { 'file' : 'multi-user.target' },
++        {
++          'file' : 'multi-user.target',
++          'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
++        },
+         {
+           'file' : 'systemd-mute-console.socket',
+           'symlinks' : ['sockets.target.wants/']
+@@ -155,7 +160,10 @@ units = [
+         { 'file' : 'nss-lookup.target' },
+         { 'file' : 'nss-user-lookup.target' },
+         { 'file' : 'paths.target' },
+-        { 'file' : 'poweroff.target' },
++        {
++          'file' : 'poweroff.target',
++          'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
++        },
+         { 'file' : 'printer.target' },
+         {
+           'file' : 'proc-sys-fs-binfmt_misc.automount',
+@@ -180,7 +188,7 @@ units = [
+         },
+         {
+           'file' : 'reboot.target',
+-          'symlinks' : ['ctrl-alt-del.target'],
++          'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
+         },
+         {
+           'file' : 'remote-cryptsetup.target',
+@@ -200,7 +208,10 @@ units = [
+           'symlinks' : ['initrd-root-device.target.wants/'],
+         },
+         { 'file' : 'rescue.service.in' },
+-        { 'file' : 'rescue.target' },
++        {
++          'file' : 'rescue.target',
++          'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
++        },
+         { 'file' : 'rpcbind.target' },
+         { 'file' : 'serial-getty@.service.in' },
+         { 'file' : 'shutdown.target' },
+@@ -1001,4 +1012,10 @@ else
+                             dbussessionservicedir / 'org.freedesktop.systemd1.service'))
+ endif
+ 
++if conf.get('HAVE_SYSV_COMPAT') == 1
++        foreach i : [1, 2, 3, 4, 5]
++                install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
++        endforeach
++endif
++
+ subdir('user')

0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch

@@ -1,69 +0,0 @@
-From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Fri, 10 Jan 2025 17:00:08 +0100
-Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes'
- if DefaultDependencies=no"
-
-This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5.
----
- units/systemd-coredump@.service.in | 2 +-
- units/systemd-oomd.service.in      | 2 +-
- units/systemd-resolved.service.in  | 2 +-
- units/systemd-timesyncd.service.in | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
-index c74dc7a5a1..fa3206d07b 100644
---- a/units/systemd-coredump@.service.in
-+++ b/units/systemd-coredump@.service.in
-@@ -26,7 +26,7 @@ NoNewPrivileges=yes
- OOMScoreAdjust=500
- PrivateDevices=yes
- PrivateNetwork=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=read-only
- ProtectHostname=yes
-diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in
-index 670d5e6140..82bd6245f8 100644
---- a/units/systemd-oomd.service.in
-+++ b/units/systemd-oomd.service.in
-@@ -37,7 +37,7 @@ MemoryLow=64M
- NoNewPrivileges=yes
- OOMScoreAdjust=-900
- PrivateDevices=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectClock=yes
- ProtectHome=yes
- ProtectHostname=yes
-diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
-index e181b2528a..4aa0788ac4 100644
---- a/units/systemd-resolved.service.in
-+++ b/units/systemd-resolved.service.in
-@@ -29,7 +29,7 @@ LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
- PrivateDevices=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectClock=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
-index 835d6327e7..cf233fbffd 100644
---- a/units/systemd-timesyncd.service.in
-+++ b/units/systemd-timesyncd.service.in
-@@ -31,7 +31,7 @@ LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
- PrivateDevices=yes
--PrivateTmp=disconnected
-+PrivateTmp=yes
- ProtectProc=invisible
- ProtectControlGroups=yes
- ProtectHome=yes
--- 
-2.47.1
-

0002-machined-continue-without-resolve.hook-socket.patch

@@ -0,0 +1,32 @@
+From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 26 Nov 2025 22:29:53 +0100
+Subject: [PATCH 3/3] machined: continue without resolve.hook socket
+
+---
+ src/machine/machined-varlink.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
+index f83cbb8562..0b30cd0531 100644
+--- a/src/machine/machined-varlink.c
++++ b/src/machine/machined-varlink.c
+@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
+ 
+         r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
+                                              0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
+-                                       VARLINK_PATH_MACHINED_RESOLVE_HOOK);
++        if (r < 0) {
++                bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
++                log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
++                               r,
++                               "Failed to bind to varlink socket %s%s: %m",
++                               VARLINK_PATH_MACHINED_RESOLVE_HOOK,
++                               ignore ? ", ignoring" : "");
++                return ignore ? 0 : r;
++        }
+ 
+         r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
+         if (r < 0)

0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch

@@ -0,0 +1,112 @@
+From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook <enr0n@ubuntu.com>
+Date: Fri, 19 Dec 2025 11:01:49 -0500
+Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
+
+The primary motivation for this is to allow users of ukify to build
+UKI-like objects, without having them later be detected as a UKI by
+tools like kernel-install and bootctl.
+
+The common code used by these tools to determine if a PE binary is a UKI
+checks that both .osrel and .linux sections are present. Hence, adding
+a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
+---
+ man/ukify.xml                |  5 ++++-
+ src/ukify/test/test_ukify.py | 15 +++++++++++----
+ src/ukify/ukify.py           | 10 +++++++++-
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/man/ukify.xml b/man/ukify.xml
+index 829761642d..7462c5c92f 100644
+--- a/man/ukify.xml
++++ b/man/ukify.xml
+@@ -365,7 +365,10 @@
+           <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
+           may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
+           <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
+-          will be picked up from the host system.</para>
++          will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
++          is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
++          to not be recognized as a UKI by other tools like <command>kernel-install</command>
++          and <command>bootctl</command>).</para>
+ 
+           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
+         </varlistentry>
+diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
+index f75ef0c891..224a38569f 100755
+--- a/src/ukify/test/test_ukify.py
++++ b/src/ukify/test/test_ukify.py
+@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
+ 
+     shutil.rmtree(tmp_path)
+ 
+-def test_inspect(kernel_initrd, tmp_path, capsys):
++def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
+     if kernel_initrd is None:
+         pytest.skip('linux+initrd not found')
+     if not shutil.which('sbsign'):
+@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     output = f'{tmp_path}/signed2.efi'
+     uname_arg='1.2.3'
+-    osrel_arg='Linux'
++    osrel_arg='Linux' if osrel else ''
+     cmdline_arg='ARG1 ARG2 ARG3'
+ 
+     args = [
+@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     text = capsys.readouterr().out
+ 
+-    expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
+-    assert expected_osrel in text
++    if osrel:
++        expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
++        assert expected_osrel in text
++    else:
++        assert '.osrel:' not in text
++
+     expected_cmdline = f'.cmdline:\n  size: {len(cmdline_arg)}'
+     assert expected_cmdline in text
+     expected_uname = f'.uname:\n  size: {len(uname_arg)}'
+@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
+ 
+     shutil.rmtree(tmp_path)
+ 
++def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
++    test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
++
+ @pytest.mark.skipif(not slow_tests, reason='slow')
+ def test_pcr_signing(kernel_initrd, tmp_path):
+     if kernel_initrd is None:
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index c98f8e2a5d..b7542c7eca 100755
+--- a/src/ukify/ukify.py
++++ b/src/ukify/ukify.py
+@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
+         '.profile',
+     }
+ 
++    if not opts.os_release:
++        to_import.remove('.osrel')
++
+     for profile in opts.join_profiles:
+         pe = pefile.PE(profile, fast_load=True)
+         prev_len = len(uki.sections)
+@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
+ 
+     opts.os_release = resolve_at_path(opts.os_release)
+ 
+-    if not opts.os_release and opts.linux:
++    if opts.os_release == '':
++        # If --os-release= with an empty string was passed, treat that as
++        # explicitly disabling the .osrel section, and do not fallback to the
++        # system's os-release files.
++        pass
++    elif opts.os_release is None and opts.linux:
+         p = Path('/etc/os-release')
+         if not p.exists():
+             p = Path('/usr/lib/os-release')
+-- 
+2.52.0
+

0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch

@@ -0,0 +1,51 @@
+From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Date: Mon, 12 Jan 2026 14:56:36 +0100
+Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
+
+When n_all_initrds == 0, then all_initrds is unmodified from its initial
+value of:
+
+	_cleanup_free_ struct iovec *all_initrds = NULL;
+
+and in the else block of the "if (n_all_initrds > 1)" the NULL is
+dereferenced:
+
+		final_initrd = all_initrds[0];
+
+Leading to the stub crashing due to a NULL pointer deref.
+
+Fix this by initializing final_initrd to all 0s and only
+running the else block if (n_all_initrds == 1).
+---
+ src/boot/stub.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/boot/stub.c b/src/boot/stub.c
+index 06ecbc7d18..65950262c6 100644
+--- a/src/boot/stub.c
++++ b/src/boot/stub.c
+@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
+ 
+         /* Combine the initrds into one */
+         _cleanup_pages_ Pages initrd_pages = {};
+-        struct iovec final_initrd;
++        struct iovec final_initrd = {};
+         if (n_all_initrds > 1) {
+-                /* There will always be a base initrd, if this counter is higher, we need to combine them */
++                /* If there is more then 1 initrd we need to combine them */
+                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
+                 if (err != EFI_SUCCESS)
+                         return err;
+@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
+ 
+                 /* Given these might be large let's free them explicitly before we pass control to Linux */
+                 initrds_free(&initrds);
+-        } else
++        } else if (n_all_initrds == 1)
+                 final_initrd = all_initrds[0];
+ 
+         struct iovec kernel = IOVEC_MAKE(
+-- 
+2.52.0
+

38724.patch

@@ -1,64 +0,0 @@
-From 5bc3a82e81355a0aa1fd25bb6232145f868fac12 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 26 Aug 2025 15:00:02 +0200
-Subject: [PATCH] debug: disable ioctl(PIDFD_GET_INFO)
-
-In https://bodhi.fedoraproject.org/updates/FEDORA-2025-a0ce059969 it was
-reported that the tests fail:
-
-> Rootless podman tests all show something like this eventually
->
-> OCI runtime error: crun: join keyctl `7509a871d2ab7df6549f5cb5bd2d4daf990cc45c0022f116bd0882966ae53f30`: Disk quota exceeded
->
-> Each container creates its own keyring but I assume they get leaked so at one
-> point we run our of available keyrings and all following tests fail like
-> that. Given I only see this on this update and from looking at the podman
-> tests logs it only starts happening after we run a bunch of our own systemd
-> services I wonder if systemd maybe leaks keyrings and thus it fails?
-
-After some very tediuos bisecting, I got the answer that
-dcf0ef3f42b0ea12e199540a4088bd582875ddfa is the first bad commit. This doesn't
-make much sense. I thought that maybe the answer is wrong somehow, or the fd we
-pass in has problems, but everything seems to work correctly. Both
-pidfd_get_pid_ioctl and pidfd_get_pid_fdinfo work fine and return the same
-answer. Nevertheless, skipping the call to pidfd_get_pid_ioctl makes the
-problem go away.
-
-bisection recipe:
-1. compile systemd, systemd-executor, pam_systemd:
-   $ ninja -C build systemd systemd-executor pam_systemd.so
-   (Not all intermediate commits compile :) )
-2. use the compiled manager for the user running the tests:
-   # /etc/systemd/system/user@1000.service.d/override.conf
-   [Service]
-   ExecStart=
-   ExecStart=/home/fedora/src/systemd/build/systemd --user
-3. install the new code:
-   # cp ~fedora/src/systemd/build/pam_systemd.so /usr/lib64/security/ && systemctl restart user@1000
-3. log out and log in again (via ssh)
-4. run the test:
-   $ grep -Ec '[a-f0-9]{64}: empty' /proc/keys && podman run -it fedora date && grep -Ec '[a-f0-9]{64}: empty' /proc/keys
-   17
-   Tue Aug 26 12:47:44 UTC 2025
-   18
-
-It seems that both the pam module and the user manager somehow matter.
-
-This smells like a kernel bug or some strange race condition.
----
- src/basic/pidfd-util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/basic/pidfd-util.c b/src/basic/pidfd-util.c
-index 9910819aa79d9..b317be267f445 100644
---- a/src/basic/pidfd-util.c
-+++ b/src/basic/pidfd-util.c
-@@ -74,7 +74,7 @@ int pidfd_get_namespace(int fd, unsigned long ns_type_cmd) {
- }
- 
- static int pidfd_get_info(int fd, struct pidfd_info *info) {
--        static bool cached_supported = true;
-+        static bool cached_supported = false;
- 
-         assert(fd >= 0);
-         assert(info);

38769.patch

@@ -1,4 +1,4 @@
-From e4e1e425394dcef01317c42b34c133768c26b765 Mon Sep 17 00:00:00 2001
+From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
 Date: Sat, 30 Aug 2025 13:55:56 +0200
 Subject: [PATCH] core: create userdb root directory with correct label
@@ -16,18 +16,18 @@ longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/src/core/varlink.c b/src/core/varlink.c
-index 8c6b95e31d1d5..110b281842373 100644
+index 99f12c59e5..71a8ffd0e5 100644
 --- a/src/core/varlink.c
 +++ b/src/core/varlink.c
-@@ -6,6 +6,7 @@
+@@ -5,6 +5,7 @@
+ #include "constants.h"
  #include "errno-util.h"
- #include "json-util.h"
  #include "manager.h"
 +#include "mkdir-label.h"
  #include "path-util.h"
  #include "pidref.h"
  #include "string-util.h"
-@@ -424,7 +425,11 @@ static int manager_varlink_init_system(Manager *m) {
+@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
                          if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
                                  continue;
  

plans/run-integration-tests.sh

@@ -17,9 +17,9 @@ sysctl fs.inotify.max_user_watches=65536 || true
 sysctl fs.inotify.max_user_instances=1024 || true
 
 if [[ -n "${KOJI_TASK_ID:-}" ]]; then
-    koji download-task --noprogress --arch="src,noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
+    koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
 elif [[ -n "${CBS_TASK_ID:-}" ]]; then
-    cbs download-task --noprogress --arch="src,noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
+    cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
 elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
     COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
     COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
@@ -32,21 +32,12 @@ fi
 
 PACKAGEDIR="$PWD"
 
-# TODO: Remove fallback once v257.6 is released. Also stop downloading source rpms then.
-
 # This will match both the regular and the debuginfo rpm so make sure we select only the
 # non-debuginfo rpm.
 RPMS=(systemd-tests-*.rpm)
 rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
-if [[ -d usr/lib/systemd/tests/mkosi ]]; then
-    pushd usr/lib/systemd/tests
-    mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
-else
-    mkdir systemd
-    rpm2cpio systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd
-    pushd systemd
-    mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")"
-fi
+pushd usr/lib/systemd/tests
+mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
 
 # Now prepare mkosi at the same version required by the systemd repo.
 git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
@@ -57,13 +48,7 @@ export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
 # shellcheck source=/dev/null
 . /etc/os-release || . /usr/lib/os-release
 
-if [[ -d mkosi ]]; then
-    LOCAL_CONF=mkosi/mkosi.local.conf
-else
-    LOCAL_CONF=mkosi.local.conf
-fi
-
-tee "$LOCAL_CONF" <<EOF
+tee mkosi/mkosi.local.conf <<EOF
 [Distribution]
 Distribution=${MKOSI_DISTRIBUTION:-$ID}
 Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
@@ -81,7 +66,7 @@ WithTests=yes
 EOF
 
 if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
-    tee --append "$LOCAL_CONF" <<EOF
+    tee --append mkosi/mkosi.local.conf <<EOF
 [Distribution]
 Repositories=$MKOSI_REPOSITORIES
 
@@ -91,23 +76,12 @@ EOF
 fi
 
 if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
-    tee --append "$LOCAL_CONF" <<EOF
+    tee --append mkosi/mkosi.local.conf <<EOF
 [Runtime]
 KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
 EOF
 fi
 
-# Create missing mountpoint for mkosi sandbox.
-mkdir -p /etc/pacman.d/gnupg
-
-# We don't bother with this change if the mkosi configuration is
-# in mkosi/ as if that's the case then we know for sure that the
-# upstream has this fix as well.
-# TODO: drop once BTRFS regression is fixed.
-if [[ -f mkosi.repart/10-root.conf ]]; then
-    sed -i "s/Format=btrfs/Format=ext4/" mkosi.repart/10-root.conf
-fi
-
 # If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
 modprobe kvm || true
 if [[ ! -e /dev/kvm ]]; then
@@ -124,27 +98,26 @@ fi
 
 # This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
 # for now.
-export TEST_SKIP="TEST-21-DFUZZER"
+export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
 
 mkosi genkey
 mkosi summary
-mkosi -f sandbox -- true
-if [[ -d integration-tests/standalone ]]; then
-    mkosi sandbox -- meson setup build integration-tests/standalone
-elif [[ -d test/integration-tests/standalone ]]; then
-    mkosi sandbox -- meson setup build test/integration-tests/standalone
-else
-    mkosi sandbox -- meson setup -Dintegration-tests=true build
-fi
+mkosi -f box -- true
+mkosi box -- meson setup build integration-tests/standalone
 mkosi -f
-mkosi sandbox -- \
+if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
+    MAX_LINES=(--max-lines 300)
+else
+    MAX_LINES=()
+fi
+mkosi box -- \
     meson test \
-    -C build \
-    --no-rebuild \
-    --suite integration-tests \
-    --print-errorlogs \
-    --no-stdsplit \
-    --num-processes "$NPROC" && EC=0 || EC=$?
+        -C build \
+        --setup=integration \
+        --print-errorlogs \
+        --no-stdsplit \
+        --num-processes "$NPROC" \
+        "${MAX_LINES[@]}" && EC=0 || EC=$?
 
 [[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
 [[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;

sources

@@ -1 +1 @@
-SHA512 (systemd-258.1.tar.gz) = 0fd62724d4b9cc0789445f3072a7052f52533e2a928cb4a6c3d7375169d087f9cc3941f37c9f208c870042f4e32d90a17cfbb96930a31ac875b41aa7efac8f53
+SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50

split-files.py

@@ -245,6 +245,7 @@ for file in files(buildroot):
                        sysctl|
                        coredump|
                        homed|home1|
+                       sysupdate|updatctl|
                        oomd|
                        portabled|portable1
     ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because

systemd.spec

@@ -38,6 +38,11 @@
 # that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed)
 %if %{with bootstrap}
 %global __meson_auto_features disabled
+# If we're building for upstream, don't unconditionally enable all
+# new features as new features might be introduced for which we're
+# missing build dependencies.
+%elif %{with upstream}
+%global __meson_auto_features auto
 %endif
 
 # Override %%autorelease. This is ugly, but rpmautospec doesn't implement
@@ -68,7 +73,7 @@ Url:            https://systemd.io
 # But don't do that on OBS, otherwise the version subst fails, and will be
 # like 257-123-gabcd257.1 instead of 257-123-gabcd
 %if %{without obs}
-Version:        %{?version_override}%{!?version_override:258.1}
+Version:        %{?version_override}%{!?version_override:259}
 %else
 Version:        %{?version_override}%{!?version_override:%(cat meson.version)}
 %endif
@@ -82,15 +87,15 @@ Summary:        System and Service Manager
 
 # download tarballs with "spectool -g systemd.spec"
 # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list
-# the fallback source that's used if neither %%branch nor %%commit are defined first.
-%if %{with obs}
-Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz
-%elif %{undefined branch} && %{undefined commit}
+# the fallback source that's used if neither %%branch, %%commit or %%obs are defined first.
+%if %{undefined branch} && %{undefined commit} && %{without obs}
 Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz
 %elif %{defined branch}
 Source0:        https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz
 %elif %{defined commit}
 Source0:        https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{commit}.tar.gz
+%elif %{with obs}
+Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz
 %endif
 # This file must be available before %%prep.
 # It is generated during systemd build and can be found at build/src/rpm/triggers.systemd.sh.
@@ -133,21 +138,26 @@ Patch:          https://github.com/systemd/systemd/pull/26494.patch
 %if %{without upstream}
 # Those are downstream-only patches, but we don't want them in packit builds.
 
-# Temporarily drop use of PrivateTmp=disconnected. This is causing failures
-# in various places:
-# https://bugzilla.redhat.com/show_bug.cgi?id=2334015
-# https://github.com/coreos/fedora-coreos-tracker/issues/1857
-Patch:          0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
-
+# Create user journals for users with high UIDs
 # https://bugzilla.redhat.com/show_bug.cgi?id=2251843
-Patch:          https://github.com/systemd/systemd/pull/30846.patch
+Patch:          30846.patch
 
-# Workaround for a kernel issue. Fixed in kernel-core-6.17.0-0.rc3.31.fc44.x86_64.
-Patch:          https://github.com/systemd/systemd/pull/38724.patch
+# Again create runlevelX.target. Dropping those files breaks upgrades.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2411195
+Patch:          0001-Revert-units-drop-runlevel-0-6-.target.patch
 
 # userdb: create userdb root directory with correct label
 # We can drop this after SELinux policy is updated to handle the transition.
-Patch:          https://github.com/systemd/systemd/pull/38769.patch
+Patch:          38769.patch
+
+# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701
+Patch:          0002-machined-continue-without-resolve.hook-socket.patch
+
+# 2 patches for https://fedoraproject.org/wiki/Changes/Automatic_DTB_selection_for_aarch64_EFI_systems
+# Upstream commit: https://github.com/systemd/systemd/commit/75890d949f92c412c0936b8536b2e0dc8f7dfb40
+Patch:          0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch
+# Upstream PR: https://github.com/systemd/systemd/pull/40329
+Patch:          0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch
 %endif
 
 %ifarch %{ix86} x86_64 aarch64 riscv64
@@ -159,7 +169,6 @@ BuildRequires:  gcc-c++
 BuildRequires:  clang
 BuildRequires:  coreutils
 BuildRequires:  rpmdevtools
-BuildRequires:  libcap-devel
 BuildRequires:  libmount-devel
 BuildRequires:  libfdisk-devel
 BuildRequires:  libpwquality-devel
@@ -169,6 +178,9 @@ BuildRequires:  libselinux-devel
 BuildRequires:  audit-libs-devel
 %if %{without bootstrap}
 BuildRequires:  cryptsetup-devel
+# Require (previous version) of our macros package.
+# We use the %%systemd_{post,preun,…} macros for various services.
+BuildRequires:  systemd-rpm-macros
 %endif
 BuildRequires:  dbus-devel
 BuildRequires:  util-linux
@@ -273,8 +285,8 @@ Requires(post): coreutils
 Requires(post): grep
 # systemd-machine-id-setup requires libssl
 Requires(post): openssl-libs
-Requires:       dbus >= 1.9.18
-Requires:       systemd-pam%{_isa} = %{version}-%{release}
+Recommends:     dbus >= 1.9.18
+Recommends:     systemd-pam%{_isa} = %{version}-%{release}
 Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build)
 Requires:       systemd-libs%{_isa} = %{version}-%{release}
 %{?fedora:Recommends:     systemd-networkd = %{version}-%{release}}
@@ -329,11 +341,15 @@ Provides:       /usr/sbin/halt
 Provides:       /usr/sbin/init
 Provides:       /usr/sbin/poweroff
 Provides:       /usr/sbin/reboot
-Provides:       /usr/sbin/runlevel
 Provides:       /usr/sbin/shutdown
-Provides:       /usr/sbin/telinit
 %endif
 
+# libmount is always required, even in containers, so make it a hard dependency.
+Requires:       libmount.so.1%{?elf_suffix}
+Requires:       libmount.so.1(MOUNT_2.26)%{?elf_bits}
+# Various systemd services have syscall filters so make libseccomp a hard dependency.
+Requires:       libseccomp.so.2%{?elf_suffix}
+
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 Recommends:     libxkbcommon.so.0%{?elf_suffix}
 Recommends:     libidn2.so.0%{?elf_suffix}
@@ -388,6 +404,7 @@ Summary:        systemd libraries
 License:        LGPL-2.1-or-later AND MIT
 Provides:       nss-myhostname = 0.4
 Provides:       nss-myhostname%{_isa} = 0.4
+Conflicts:      systemd-shared < %{version}-%{release}
 
 %description libs
 Libraries for systemd and udev.
@@ -399,6 +416,7 @@ License:        LGPL-2.1-or-later AND MIT
 # was moved from package systemd to systemd-shared.
 # Add a conflit to allow downgrades across this change.
 Conflicts:      systemd < 257.3-6
+Conflicts:      systemd-libs < %{version}-%{release}
 
 %description shared
 Internal libraries used by various systemd binaries.
@@ -475,6 +493,9 @@ Conflicts:      systemd-networkd < %{version}-%{release}
 # want to load modules, so make this into a hard dependency here.
 Requires:       libkmod.so.2%{?elf_suffix}
 Requires:       libkmod.so.2(LIBKMOD_5)%{?elf_bits}
+# udev uses libblkid in various builtins so make it a hard dependency.
+Requires:       libblkid.so.1%{?elf_suffix}
+Requires:       libblkid.so.1(BLKID_2.30)%{?elf_bits}
 
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 # used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home
@@ -538,9 +559,7 @@ Requires:       (systemd-boot if %{shrink:(
         filesystem(riscv64)
 )})
 Requires:       python3dist(pefile)
-%if 0%{?fedora}
 Requires:       python3dist(zstandard)
-%endif
 Requires:       python3dist(cryptography)
 %if 0%{?fedora}
 Recommends:     python3dist(pillow)
@@ -747,16 +766,15 @@ library or other libraries from systemd-libs. This package conflicts with the
 main systemd package and is meant for use in exitrds.
 
 %prep
-%if %{defined branch}
-%autosetup -n %{name}-%{branch} -p1
-%elif %{defined commit}
-%autosetup -n %{name}-%{commit} -p1
-%elif %{with obs}
+%if %{with obs}
 # Recipe files in the OBS build are in a distro-specific dir, as they conflict (e.g. with SUSE ones)
 mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir}
-%autosetup -n %{name}-%{version} -p1
-%else
-%autosetup -n %{name}-%{version_no_tilde} -p1
+%endif
+
+# Automatically figure out the name of the top-level directory.
+# TODO: Use %%autosetup -C once we can depend on rpm >= 4.20.
+%if %{undefined _build_in_place}
+%autosetup -n %(tar -tf %{SOURCE0} 2>/dev/null | head -n1) -p1
 %endif
 
 # Disable user lockdown until rpm implements it natively.
@@ -837,6 +855,8 @@ CONFIGURE_OPTS=(
         -Dlibfido2=enabled
         -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"]
         -Defi=true
+        -Dsysupdate=enabled
+        -Dsysupdated=enabled
         -Dtpm=true
         -Dtpm2=enabled
         -Dhwdb=true
@@ -1111,12 +1131,13 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/
 # We skip this on upstream builds so that new users and groups
 # can be added without breaking the build.
 %if 0%{?fedora} >= 43
-%{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
+IGNORED=empower \
+  %{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
 %else
 %{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
 %endif
 %endif
-rm %{buildroot}/usr/lib/sysusers.d/basic.conf
+sed -n -r -i '1,7p; /can .do.|empower/p' %{buildroot}/usr/lib/sysusers.d/basic.conf
 %endif
 
 # Disable sshd_config.d/20-systemd-userdb.conf for now.
@@ -1379,6 +1400,7 @@ fi
 %global networkd_services %{shrink:
                             systemd-networkd.service
                             systemd-networkd.socket
+                            systemd-networkd-varlink.socket
                             systemd-networkd-wait-online.service
                             systemd-network-generator.service
                             systemd-networkd-persistent-storage.service

test_sysusers_defined.py

@@ -1,5 +1,6 @@
 #!/usr/bin/python
 
+import os
 import sys
 
 def parse_sysusers_file(filename):
@@ -30,7 +31,9 @@ for arg in sys.argv[1:-1]:
 
 basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
 
-if d := basic_users - setup_users:
+ignored = set(os.getenv('IGNORED', '').split())
+
+if d := basic_users - setup_users - ignored:
     exit(f'We have new users: {d}')
-if d := basic_groups - setup_groups:
+if d := basic_groups - setup_groups - ignored:
     exit(f'We have new groups: {d}')

triggers.systemd

@@ -9,17 +9,17 @@
 #
 # Minimum rpm version supported: 4.14.0
 
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
 
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
 /usr/lib/systemd/systemd-update-helper user-reload-restart || :
 
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # On removal, we need to run daemon-reload after any units have been
 # removed.
 # On upgrade, we need to run daemon-reload after any new unit files
@@ -27,35 +27,35 @@
 # executed.
 /usr/lib/systemd/systemd-update-helper system-reload || :
 
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # Execute daemon-reload in user managers.
 /usr/lib/systemd/systemd-update-helper user-reload || :
 
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # We restart remaining system services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper system-restart || :
 
-%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # We restart remaining user services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper user-restart || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
 systemd-sysusers || :
 
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
 systemd-hwdb update || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
 journalctl --update-catalog || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d "/run/systemd/system"; then
@@ -64,7 +64,7 @@ if test -d "/run/systemd/system"; then
   /usr/lib/systemd/systemd-binfmt || :
 fi
 
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
 # This script will process files installed in /usr/lib/tmpfiles.d to create
 # tmpfiles automatically. The priority is set such that it will run
 # after the sysusers file trigger, but before any other triggers.
@@ -72,14 +72,12 @@ if test -d "/run/systemd/system"; then
   systemd-tmpfiles --create || :
 fi
 
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
 # This script will automatically update udev with new rules if files
 # have been installed or updated in /usr/lib/udev/rules.d.
-if test -e /run/udev/control; then
-  udevadm control --reload || :
-fi
+/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
 
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
 # This script will automatically apply sysctl rules if files have been
 # installed or updated in /usr/lib/sysctl.d.
 if test -d "/run/systemd/system"; then