A bunch of fixes for various issues + hwdb update

https://pagure.io/packaging-committee/issue/921

0001-meson-stop-creating-enablement-symlinks-in-etc-durin.patch

@@ -0,0 +1,145 @@
+From c83ec409bbc3c5ceb4b37026d12f892f6c8bdd1c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 1 Apr 2019 13:57:24 +0200
+Subject: [PATCH] meson: stop creating enablement symlinks in /etc during
+ installation
+
+This patch was initially prompted by a report on a Fedora update [1], that the
+upgrade causes systemd-resolved.service and systemd-networkd.service to be
+re-enabled. We generally want to preserve the enablement of all services during
+upgrades, so a reset like this is not expected.
+
+Both services declare two symlinks in their [Install] sections, for their dbus
+names and for multi-user.target.wants/.  It turns out that both services were
+only partially enabled, because their dbus unit symlinks
+/etc/systemd/system/dbus-org.freedesktop.{resolve1,network1}.service were
+created, by the symlinks in /etc/systemd/system/multi-user.target.wants/ were
+not. This means that the units could be activated by dbus, but not in usual
+fashion using systemctl start. Our tools make it rather hard to figure out when
+something like this happens, and it is definitely an area for improvement on its
+own. The symlink in .wants/ was filtered out by during packaging, but the dbus
+symlink was left in (I assume by mistake).
+
+Let's simplify things by not creating the symlinks statically during 'ninja
+install'. This means that the units shipped by systemd have to be enabled in
+the usual fashion, which in turns means that [Install] section and presets
+become the "single source of truth" and we don't have two sets of conflicting
+configuration.
+
+Let's consider a few cases:
+- developer: a developer installs systemd from git on a running system, and they
+  don't want the installation to reset enablement of anything. So this change is
+  either positive for them, or has no effect (if they have everything at
+  defaults).
+
+- package creation: we want to create symlinks using 'preset-all' and 'preset'
+  on upgraded packages, we don't want to have any static symlinks. This change
+  will remove the need to filter out symlinks in packaging and of course fix
+  the original report.
+
+- installation of systemd from scratch: this change means that without
+  'preset-all' the system will not be functional. This case could be affected
+  negatively by this change, but I think it's enough of a corner case to accept
+  this. In practice I expect people to build a package, not installl directly
+  into the file system, so this might not even matter in practice.
+
+Creating those symlinks was probably the right thing in the beginning, but
+nowadays the preset system is very well established and people expect it to
+be honoured. Ignoring the presets and doing static configuration is not welcome
+anymore.
+
+Note: during package installation, either 'preset-all' or 'preset getty@.service
+machines.target remote-cryptsetup.target remote-fs.target
+systemd-networkd.service systemd-resolved.service
+systemd-networkd-wait-online.service systemd-timesyncd.service' should be called.
+
+[1] https://bodhi.fedoraproject.org/updates/FEDORA-2019-616045ca76
+
+(cherry picked from commit 01d2041e41f4886a6dff16a53a950ae8d5b66bc7)
+---
+ units/meson.build | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index d69508467f..db6d43399b 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -34,8 +34,7 @@ units = [
+         ['local-fs-pre.target',                 ''],
+         ['local-fs.target',                     ''],
+         ['machine.slice',                       'ENABLE_MACHINED'],
+-        ['machines.target',                     'ENABLE_MACHINED',
+-         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
++        ['machines.target',                     'ENABLE_MACHINED'],
+         ['multi-user.target',                   '',
+          'runlevel2.target runlevel3.target runlevel4.target'],
+         ['network-online.target',               ''],
+@@ -52,11 +51,9 @@ units = [
+         ['proc-sys-fs-binfmt_misc.mount',       'ENABLE_BINFMT'],
+         ['reboot.target',                       '',
+          'runlevel6.target ctrl-alt-del.target'],
+-        ['remote-cryptsetup.target',            'HAVE_LIBCRYPTSETUP',
+-         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
++        ['remote-cryptsetup.target',            'HAVE_LIBCRYPTSETUP'],
+         ['remote-fs-pre.target',                ''],
+-        ['remote-fs.target',                    '',
+-         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
++        ['remote-fs.target',                    ''],
+         ['rescue.target',                       '',
+          'runlevel1.target'],
+         ['rpcbind.target',                      ''],
+@@ -97,8 +94,7 @@ units = [
+          'sockets.target.wants/'],
+         ['systemd-journald.socket',             '',
+          'sockets.target.wants/'],
+-        ['systemd-networkd.socket',             'ENABLE_NETWORKD',
+-         join_paths(pkgsysconfdir, 'system/sockets.target.wants/')],
++        ['systemd-networkd.socket',             'ENABLE_NETWORKD'],
+         ['systemd-poweroff.service',             ''],
+         ['systemd-reboot.service',               ''],
+         ['systemd-rfkill.socket',               'ENABLE_RFKILL'],
+@@ -175,11 +171,8 @@ in_units = [
+          'dbus-org.freedesktop.machine1.service'],
+         ['systemd-modules-load.service',         'HAVE_KMOD',
+          'sysinit.target.wants/'],
+-        ['systemd-networkd.service',             'ENABLE_NETWORKD',
+-         join_paths(pkgsysconfdir, 'system/dbus-org.freedesktop.network1.service') + ' ' +
+-         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
+-        ['systemd-networkd-wait-online.service', 'ENABLE_NETWORKD',
+-         join_paths(pkgsysconfdir, 'system/network-online.target.wants/')],
++        ['systemd-networkd.service',             'ENABLE_NETWORKD'],
++        ['systemd-networkd-wait-online.service', 'ENABLE_NETWORKD'],
+         ['systemd-nspawn@.service',              ''],
+         ['systemd-portabled.service',            'ENABLE_PORTABLED',
+          'dbus-org.freedesktop.portable1.service'],
+@@ -188,9 +181,7 @@ in_units = [
+          'sysinit.target.wants/'],
+         ['systemd-remount-fs.service',           '',
+          'local-fs.target.wants/'],
+-        ['systemd-resolved.service',             'ENABLE_RESOLVE',
+-         join_paths(pkgsysconfdir, 'system/dbus-org.freedesktop.resolve1.service') + ' ' +
+-         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
++        ['systemd-resolved.service',             'ENABLE_RESOLVE'],
+         ['systemd-rfkill.service',               'ENABLE_RFKILL'],
+         ['systemd-suspend.service',              ''],
+         ['systemd-sysctl.service',               '',
+@@ -199,8 +190,7 @@ in_units = [
+          'sysinit.target.wants/'],
+         ['systemd-timedated.service',            'ENABLE_TIMEDATED',
+          'dbus-org.freedesktop.timedate1.service'],
+-        ['systemd-timesyncd.service',            'ENABLE_TIMESYNCD',
+-         join_paths(pkgsysconfdir, 'system/sysinit.target.wants/')],
++        ['systemd-timesyncd.service',            'ENABLE_TIMESYNCD'],
+         ['systemd-time-wait-sync.service',       'ENABLE_TIMESYNCD'],
+         ['systemd-tmpfiles-clean.service',       'ENABLE_TMPFILES'],
+         ['systemd-tmpfiles-setup-dev.service',   'ENABLE_TMPFILES',
+@@ -230,8 +220,7 @@ m4_units = [
+         ['console-getty.service',              ''],
+         ['container-getty@.service',           ''],
+         ['getty@.service',                     '',
+-         'autovt@.service ' +
+-         join_paths(pkgsysconfdir, 'system/getty.target.wants/getty@tty1.service')],
++         'autovt@.service '],
+         ['serial-getty@.service',              ''],
+ ]
+ 

sources

@@ -1 +1 @@
-SHA512 (systemd-cbf14c9.tar.gz) = b708db5db65c8fc7ef030c18f97d97b4cbfb03d32bb8952ac69adef0301f879db0ada3932845f4e29fe58374e82f5aa83599a6871bf5d0d0860acb71c0f9722b
+SHA512 (systemd-18dd3fb.tar.gz) = 697a8f714e645a3d090c68a4d4cc102077aca2c32205dc2a0d22bbb6a99324030b5ac262332adcae17ce99e92d01a4e9cdc6546176a1bdab3543be30126602ad

systemd.spec

@@ -1,4 +1,4 @@
-%global commit cbf14c9500d5e6820fd7d96166ca0bf75c6850df
+%global commit 18dd3fb491f71143e632105ba98cd91ca55c4701
 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
 
 %global stable 1
@@ -15,7 +15,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        241
-Release:        4%{?commit:.git%{shortcommit}}%{?dist}
+Release:        14%{?commit:.git%{shortcommit}}%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
@@ -52,6 +52,7 @@ i=1; for j in 00*patch; do printf "Patch%04d:      %s\n" $i $j; i=$((i+1));done|
 GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch
 %endif
 
+Patch0001:      0001-meson-stop-creating-enablement-symlinks-in-etc-durin.patch
 Patch0002:      0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
 
 Patch0998:      0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
@@ -154,6 +155,10 @@ date, locale, maintain a list of logged-in users, system accounts,
 runtime directories and settings, and daemons to manage simple network
 configuration, network time synchronization, log forwarding, and name
 resolution.
+%if 0%{stable}
+This package was built from the %{version}-stable branch of systemd,
+commit https://github.com/systemd/systemd-stable/commit/%{shortcommit}.
+%endif
 
 %package libs
 Summary:        systemd libraries
@@ -185,8 +190,11 @@ Summary:        Macros that define paths and scriptlets related to systemd
 BuildArch:      noarch
 
 %description rpm-macros
-Just the definitions of rpm macros. Use %%{?systemd_requires} in the
-binary packages that use any scriptlets from this package.
+Just the definitions of rpm macros.
+
+See
+https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+for information how to use those macros.
 
 %package devel
 Summary:        Development headers for systemd
@@ -698,6 +706,73 @@ fi
 %files tests -f .file-list-tests
 
 %changelog
+* Thu Feb  6 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-14.git18dd3fb
+- Pull in a bunch of bugfixes (#1798414/CVE-2020-1712, #1709547,
+  #1793980/CVE-2019-20386, #1708213, #1705522, #1614871)
+- The hardware database is updated to v245-rc1 (#1717712)
+
+* Thu Oct 10 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-13.git323cdf4
+- Fix journalctl crash with low stack (#1743230)
+- Fix one crash in systemd-resolved (#1703598)
+- Fix operation of relabel-extra.d on directories
+- Make systemd-networks follow the RFC for DHPCv6 and radv timeouts
+- Make systemd-binfmt.service easier to work with no autofs (#1731772)
+- A bunch of smaller documentation fixes and improved log messages
+
+* Tue Sep  3 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-12.git1e19bcd
+- hwdb entries for keyboards are updated to the latest version (#1725717)
+
+* Tue Sep  3 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-11.git1e19bcd
+- Security issue: unprivileged users were allowed to change DNS
+  servers configured in systemd-resolved. Now proper polkit authorization
+  is required.
+- Various minor fixes (memory issues, compat with newer kernels, log
+  message improvements, etc.).
+- Add hwdb entry for HP laptops to fix "inverted screen" (#1717712)
+
+* Fri Aug  2 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-10.git511646b
+- Fix systemd-networkd incompatibility with kernel >= 5.2 (#1718192)
+
+* Sat Jul 20 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-9.gitb67ecf2
+- Stop re-enabling systemd units on upgrade (#1706629)
+- Ignore bad rdrand output on AMD CPUs (#1729268)
+- A bunch of backported patches from upstream: documentation, memory
+  access fixups, command output tweaks (#1708996)
+
+* Fri Apr 26 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-8.git9ef65cb
+- Fix hang in flush_accept (#1702358)
+- Fix handling of RUN keys in udevd
+- Some documentation and minor logging fixes
+- Backport the addition of RestrictSUIDSGID= from systemd-242 and enable
+  RestrictSUIDSGID=yes for systemd services which use DynamicUser=yes
+  (#1703356, CVE-2019-3843).
+
+  The defaults in v242 were changed to enable RestrictSUIDSGID=yes if
+  DynamicUser=yes is specified, but this backport doesn't do this and
+  RestrictSUIDSGID=yes has to be requested explicitly. Maintainers of
+  other services packages for Fedora should consider doing this.
+
+* Tue Apr 16 2019 Adam Williamson <awilliam@redhat.com> - 241-7.gita2eaa1c
+- Rebuild with Meson fix for #1699099
+
+* Fri Apr 12 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-6.gita2eaa1c
+- fstab-generator: use DefaultDependencies=no for /sysroot mounts (#1666920)
+- return proper error from nss-resolve and nss-mymachines on dbus disconnects
+
+* Tue Apr  9 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-5.git3d835d0
+- Backport more patches:
+  - shared/install: Preserve escape characters for escaped unit names
+      (https://github.com/coreos/bugs/issues/2569)
+  - timedate: fix emitted value when ntp client is enabled/disabled (#1696586)
+  - udev: run programs in the specified order (#1696784)
+  - core: add Manager::honor_device_enumeration flag
+      (https://pagure.io/fedora-silverblue/issue/8)
+  - Various fixes for systemd-networkd, systemd-portabled
+  - Dbus policy fixes
+  - Crash on systax error in sysusers (#1670679)
+  - Do not unescape mount paths received from libmount
+  - Some minor build fixes
+
 * Fri Mar 29 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-4.gitcbf14c9
 - Backport various patches from the v241..v242 range:
   kernel-install will not create the boot loader entry automatically (#1648907),