Add two upstream patches that are already in CentOS Stream 9

This is actually needed for Fedoras 36 and 37, but, at least currently,
not necessary for Fedoras 38 and 39.

https://github.com/containers/podman/issues/17657

.gitignore

@@ -29,3 +29,4 @@
 /toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz
 /toolbox-0.0.99.3.tar.xz
 /toolbox-0.0.99.3-vendor.tar.xz
+/toolbox-0.0.99.4-vendored.tar.xz

gen-vendor-tarball.sh

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-# Process a toolbox tarball to get vendored dependencies for the RHEL build.
-#
-# Yaakov Selkowitz <yselkowi@redhat.com> - 2022
-
-SOURCE="$1"
-DIRECTORY=`echo $SOURCE | sed 's/\.tar\.xz//'`
-VENDOR_SOURCE="${DIRECTORY}-vendor.tar.xz"
-
-error()
-{
-	MESSAGE=$1
-	echo $MESSAGE
-	exit 1
-}
-
-rm -rf $DIRECTORY
-tar xJf $SOURCE || error "Cannot unpack $SOURCE"
-pushd $DIRECTORY/src > /dev/null || error "Cannot open directory \"$DIRECTORY\""
-
-echo "Vendoring dependencies"
-go mod vendor || error "Vendoring failed"
-popd > /dev/null
-
-tar cJf $VENDOR_SOURCE -C $DIRECTORY src/vendor || error "Unable to create $VENDOR_SOURCE"
-echo "$VENDOR_SOURCE is ready to use"

sources

@@ -1,2 +1 @@
-SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca
-SHA512 (toolbox-0.0.99.3-vendor.tar.xz) = 51ce5a16276ccc75d2b6fb9cae1c4371ad028f6a820cd176a4a0ee85fab447a6b37b5ec2e969b882c4f04cfe58bd78f92975606297a0db22e72457f012102ec2
+SHA512 (toolbox-0.0.99.4-vendored.tar.xz) = 882cd6ec1c1a193af8774dfdfd0aff72d376c4fec3e0cc702e2d524353c051e408eab2ac3fb43ec00fe622b46ac89fdbe97aca2f7cfbe3822e5d3ff1743f2fd0

toolbox-Don-t-use-Go-s-semantic-import-versioning.patch

@@ -1,72 +0,0 @@
-From 40fbd377ed0b94060ae5fb2a60289500b66486dc Mon Sep 17 00:00:00 2001
-From: Oliver Gutierrez <ogutsua@gmail.com>
-Date: Thu, 29 Jul 2021 14:12:41 +0100
-Subject: [PATCH] Don't use Go's semantic import versioning
-
-Fedora doesn't support Go modules when building Go programs. This
-means that source code using semantic import versioning can't be built.
-
----
- src/cmd/create.go      | 2 +-
- src/go.mod             | 2 +-
- src/go.sum             | 4 ++--
- src/pkg/utils/utils.go | 2 +-
- 4 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/cmd/create.go b/src/cmd/create.go
-index 8b31365..502f691 100644
---- a/src/cmd/create.go
-+++ b/src/cmd/create.go
-@@ -28,7 +28,7 @@ import (
- 	"github.com/containers/toolbox/pkg/podman"
- 	"github.com/containers/toolbox/pkg/shell"
- 	"github.com/containers/toolbox/pkg/utils"
--	"github.com/godbus/dbus/v5"
-+	"github.com/godbus/dbus"
- 	"github.com/sirupsen/logrus"
- 	"github.com/spf13/cobra"
- 	"golang.org/x/crypto/ssh/terminal"
-diff --git a/src/go.mod b/src/go.mod
-index cce3e5a..eb7f70c 100644
---- a/src/go.mod
-+++ b/src/go.mod
-@@ -8,7 +8,7 @@ require (
- 	github.com/briandowns/spinner v1.10.0
- 	github.com/docker/go-units v0.4.0
- 	github.com/fsnotify/fsnotify v1.4.7
--	github.com/godbus/dbus/v5 v5.0.3
-+	github.com/godbus/dbus v4.1.0+incompatible
- 	github.com/mattn/go-isatty v0.0.8
- 	github.com/sirupsen/logrus v1.4.2
- 	github.com/spf13/cobra v0.0.5
-diff --git a/src/go.sum b/src/go.sum
-index fbad155..737f058 100644
---- a/src/go.sum
-+++ b/src/go.sum
-@@ -20,8 +20,8 @@ github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
- github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
- github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
- github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
--github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
--github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-+github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4=
-+github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
- github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
- github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
- github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
-diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
-index ae7c596..4d1556a 100644
---- a/src/pkg/utils/utils.go
-+++ b/src/pkg/utils/utils.go
-@@ -33,7 +33,7 @@ import (
- 	"github.com/acobaugh/osrelease"
- 	"github.com/containers/toolbox/pkg/shell"
- 	"github.com/docker/go-units"
--	"github.com/godbus/dbus/v5"
-+	"github.com/godbus/dbus"
- 	"github.com/sirupsen/logrus"
- 	"github.com/spf13/viper"
- 	"golang.org/x/sys/unix"
--- 
-2.31.1
-

toolbox-Don-t-use-podman-1-when-generating-the-comp.patch

@@ -0,0 +1,89 @@
+From fc5f568c5d82f4a16982268fa67092e52be91fbe Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <rishi@fedoraproject.org>
+Date: Tue, 28 Feb 2023 17:12:04 +0100
+Subject: [PATCH] cmd/root: Don't use podman(1) when generating the completions
+
+Ever since commit bafbbe81c9220cb3, the shell completions are generated
+while building Toolbx using the 'completion' command.  This involves
+running toolbox(1) itself, and hence invoking 'podman version' to decide
+if 'podman system migrate' is needed or not.
+
+Unfortunately, some build environments, like Fedora's, are set up inside
+a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may
+not work because it does various things with namespaces(7) and clone(2)
+that can, under certain circumstances, encounter an EPERM.
+
+Therefore, it's better to avoid using podman(1) when generating the
+shell completions, especially, since they are generated by Cobra itself
+and podman(1) is not involved at all.
+
+Note that podman(1) is needed when the generated shell completions are
+actually used in interactive command line environments.  The shell
+completions invoke the hidden '__complete' command to get the results
+that are presented to the user, and, if needed, 'podman system migrate'
+will continue to be run as part of that.
+
+This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011
+because podman(1) is now only an optional runtime dependency for the
+system tests.
+
+https://github.com/containers/podman/issues/17657
+---
+ meson.build     | 2 +-
+ src/cmd/root.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 6f044bb204e3..653a3d3ac588 100644
+--- a/meson.build
++++ b/meson.build
+@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h'])
+ 
+ go = find_program('go')
+ go_md2man = find_program('go-md2man')
+-podman = find_program('podman')
+ 
+ bats = find_program('bats', required: false)
+ codespell = find_program('codespell', required: false)
+ htpasswd = find_program('htpasswd', required: false)
+ openssl = find_program('openssl', required: false)
++podman = find_program('podman', required: false)
+ shellcheck = find_program('shellcheck', required: false)
+ skopeo = find_program('skopeo', required: false)
+ 
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index 304b03dcd889..9975ccc7a4c8 100644
+--- a/src/cmd/root.go
++++ b/src/cmd/root.go
+@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error {
+ 
+ 	logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath)
+ 
+-	if err := migrate(); err != nil {
++	if err := migrate(cmd, args); err != nil {
+ 		return err
+ 	}
+ 
+@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error {
+ 	return rootRunImpl(cmd, args)
+ }
+ 
+-func migrate() error {
++func migrate(cmd *cobra.Command, args []string) error {
+ 	logrus.Debug("Migrating to newer Podman")
+ 
+ 	if utils.IsInsideContainer() {
+ 		return nil
+ 	}
+ 
++	if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
++		logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName)
++		return nil
++	}
++
+ 	configDir, err := os.UserConfigDir()
+ 	if err != nil {
+ 		logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err)
+-- 
+2.39.1
+

toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch

@@ -1,4 +1,4 @@
-From 32aa30a17358598f568991a5375f6182e4135648 Mon Sep 17 00:00:00 2001
+From 17a0e519fd9b1e721b35a823bd244a28e3f87a4a Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for
@@ -24,22 +24,22 @@ and should be kept updated to match Fedora's Go guidelines. Use
  1 file changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index ef4aafc8b024..f8ea8370792c 100755
+index c572d6dfb02b..cae2de426a96 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -32,9 +32,9 @@ if ! cd "$1"; then
+@@ -33,9 +33,9 @@ if ! cd "$1"; then
      exit 1
  fi
  
 -tags=""
 +tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
- if $6; then
+ if $7; then
 -    tags="-tags migration_path_for_coreos_toolbox"
 +    tags="$tags,migration_path_for_coreos_toolbox"
  fi
  
- if ! libc_dir=$("$4" --print-file-name=libc.so); then
-@@ -69,11 +69,16 @@ fi
+ if ! libc_dir=$("$5" --print-file-name=libc.so); then
+@@ -70,11 +70,16 @@ fi
  
  dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
  
@@ -50,14 +50,14 @@ index ef4aafc8b024..f8ea8370792c 100755
 +        -compiler gc \
          $tags \
 -        -trimpath \
--        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
-+        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
++        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
 +        -a \
 +        -v \
 +        -x \
-         -o "$2/toolbox"
+         -o "$2/$3"
  
  exit "$?"
 -- 
-2.31.1
+2.39.1
 

toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch

@@ -1,4 +1,4 @@
-From 6d913f1fbd6e609957bb01273504b2f479e1b546 Mon Sep 17 00:00:00 2001
+From fd03e31c7d789413700db84af02894d5be70b5ee Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild}
@@ -23,22 +23,22 @@ PPC64, and should be kept updated to match Fedora's Go guidelines. Use
  1 file changed, 10 insertions(+), 4 deletions(-)
 
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index ef4aafc8b024..4354beceb215 100755
+index c572d6dfb02b..0e6a2efa6853 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -32,9 +32,9 @@ if ! cd "$1"; then
+@@ -33,9 +33,9 @@ if ! cd "$1"; then
      exit 1
  fi
  
 -tags=""
 +tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
- if $6; then
+ if $7; then
 -    tags="-tags migration_path_for_coreos_toolbox"
 +    tags="$tags,migration_path_for_coreos_toolbox"
  fi
  
- if ! libc_dir=$("$4" --print-file-name=libc.so); then
-@@ -69,11 +69,17 @@ fi
+ if ! libc_dir=$("$5" --print-file-name=libc.so); then
+@@ -70,11 +70,17 @@ fi
  
  dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
  
@@ -50,14 +50,14 @@ index ef4aafc8b024..4354beceb215 100755
 +        -compiler gc \
          $tags \
 -        -trimpath \
--        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
-+        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
++        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
 +        -a \
 +        -v \
 +        -x \
-         -o "$2/toolbox"
+         -o "$2/$3"
  
  exit "$?"
 -- 
-2.31.1
+2.39.1
 

toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch

@@ -0,0 +1,76 @@
+From 1fde98456652ddbcb750ade2121c5ceec93fbfae Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <rishi@fedoraproject.org>
+Date: Thu, 13 Jul 2023 13:08:40 +0200
+Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points
+
+Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
+and /var/log/journal sit on security hardened mount points that are
+marked as 'nosuid,nodev,noexec' [1].  In such cases, when Toolbx is used
+rootless, an attempt to bind mount these locations read-only at runtime
+with mount(8) fails because of permission problems:
+  # mount --rbind -o ro <source> <containerPath>
+  mount: <containerPath>: filesystem was mounted, but any subsequent
+      operation failed: Unknown error 5005.
+
+(Note that the above error message from mount(8) was subsequently
+improved to show something more meaningful than 'Unknown error' [2].)
+
+The problem is that 'init-container' is running inside the container's
+mount and user namespace, and the source paths were mounted inside the
+host's namespace with 'nosuid,nodev,noexec'.  The above mount(8) call
+tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
+replace them with only 'ro', which is something that can't be done from
+a child namespace.
+
+Note that this doesn't fail when Toolbx is running as root.  This is
+because the container uses the host's user namespace and is able to
+remove the 'nosuid,nodev,noexec' flags from the mount point and replace
+them with only 'ro'.  Even though it doesn't fail, the flags shouldn't
+get replaced like that inside the container, because it removes the
+security hardening of those mount points.
+
+There's actually no benefit in bind mounting these paths as read-only.
+It was historically done this way 'just to be safe' because a user isn't
+expected to write to these locations from inside a container.  However,
+Toolbx doesn't intend to provide any heightened security beyond what's
+already available on the host.
+
+Hence, it's better to get out of the way and leave it to the permissions
+on the source location from the host operating system to guard the
+castle.  This is accomplished by not passing any file system options to
+mount(8) [1].
+
+Based on an idea from Si.
+
+[1] https://man7.org/linux/man-pages/man8/mount.8.html
+
+[2] util-linux commit 9420ca34dc8b6f0f
+    https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
+    https://github.com/util-linux/util-linux/pull/2376
+
+https://github.com/containers/toolbox/issues/911
+---
+ src/cmd/initContainer.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
+index 465ac063b210..c4cd1b02d298 100644
+--- a/src/cmd/initContainer.go
++++ b/src/cmd/initContainer.go
+@@ -62,10 +62,10 @@ var (
+ 		{"/run/udev/data", "/run/host/run/udev/data", ""},
+ 		{"/run/udev/tags", "/run/host/run/udev/tags", ""},
+ 		{"/tmp", "/run/host/tmp", "rslave"},
+-		{"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
++		{"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
+ 		{"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
+-		{"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
+-		{"/var/log/journal", "/run/host/var/log/journal", "ro"},
++		{"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
++		{"/var/log/journal", "/run/host/var/log/journal", ""},
+ 		{"/var/mnt", "/run/host/var/mnt", "rslave"},
+ 	}
+ )
+-- 
+2.41.0
+

toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch

@@ -1,95 +0,0 @@
-From e598e2160323b63310ad7b6def723eb1f8767f90 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
-Date: Thu, 11 Nov 2021 18:18:52 +0200
-Subject: [PATCH 02/13] cmd/root: Work around Cobra 1.1.2's handling of usage
- functions
-
-In version 1.1.2 of Cobra has been included a change[0] that changes
-how custom usage functions are handled.
-
-Example of the wrong behaviour:
-$ toolbox --foo
-Error: unknown flag: --foo
-Run 'toolbox --help' for usage.Error: Run 'toolbox --help' for usage.
-
-Desired behaviour:
-$ toolbox --foo
-Error: unknown flag: --foo
-Run 'toolbox --help' for usage.
-
-A workaround is to define a template string for the usage instead. The
-template uses the templating language of Go[1]. See the default
-template string in version 1.2.1[2].
-
-Because the template is set only once, the executableBase needs to be
-set before the template is applied. That required the move of
-setUpGlobals() into init() of the cmd package. This is a better place
-for the function call as init() is called earlier than Execute()[3].
-
-Upstream issue: https://github.com/spf13/cobra/issues/1532
-
-[0] https://github.com/spf13/cobra/pull/1044
-[1] https://pkg.go.dev/text/template
-[2] https://github.com/spf13/cobra/blob/v1.2.1/command.go#L491
-[3] https://golang.org/doc/effective_go#init
-
-https://github.com/containers/toolbox/pull/917
----
- src/cmd/root.go | 20 ++++++++------------
- 1 file changed, 8 insertions(+), 12 deletions(-)
-
-diff --git a/src/cmd/root.go b/src/cmd/root.go
-index eb0622f..ad0753b 100644
---- a/src/cmd/root.go
-+++ b/src/cmd/root.go
-@@ -62,11 +62,6 @@ var (
- )
- 
- func Execute() {
--	if err := setUpGlobals(); err != nil {
--		fmt.Fprintf(os.Stderr, "Error: %s\n", err)
--		os.Exit(1)
--	}
--
- 	if err := rootCmd.Execute(); err != nil {
- 		os.Exit(1)
- 	}
-@@ -75,6 +70,11 @@ func Execute() {
- }
- 
- func init() {
-+	if err := setUpGlobals(); err != nil {
-+		fmt.Fprintf(os.Stderr, "Error: %s\n", err)
-+		os.Exit(1)
-+	}
-+
- 	persistentFlags := rootCmd.PersistentFlags()
- 
- 	persistentFlags.BoolVarP(&rootFlags.assumeYes,
-@@ -96,7 +96,9 @@ func init() {
- 	persistentFlags.CountVarP(&rootFlags.verbose, "verbose", "v", "Set log-level to 'debug'")
- 
- 	rootCmd.SetHelpFunc(rootHelp)
--	rootCmd.SetUsageFunc(rootUsage)
-+
-+	usageTemplate := fmt.Sprintf("Run '%s --help' for usage.", executableBase)
-+	rootCmd.SetUsageTemplate(usageTemplate)
- }
- 
- func preRun(cmd *cobra.Command, args []string) error {
-@@ -188,12 +190,6 @@ func rootRun(cmd *cobra.Command, args []string) error {
- 	return rootRunImpl(cmd, args)
- }
- 
--func rootUsage(cmd *cobra.Command) error {
--	err := fmt.Errorf("Run '%s --help' for usage.", executableBase)
--	fmt.Fprintf(os.Stderr, "%s", err)
--	return err
--}
--
- func migrate() error {
- 	logrus.Debug("Migrating to newer Podman")
- 
--- 
-2.34.1
-

toolbox.spec

@@ -1,48 +1,57 @@
 %global __brp_check_rpaths %{nil}
 
 Name:          toolbox
-Version:       0.0.99.3
+Version:       0.0.99.4
 
 %global goipath github.com/containers/%{name}
-%gometa
 
-Release:       8%{?dist}
+%if 0%{?rhel} == 9
+%gometa
+%else
+%gometa -f
+%endif
+
+Release:       2%{?dist}
 Summary:       Tool for containerized command line environments on Linux
 
 License:       ASL 2.0
 URL:           https://containertoolbx.org/
-Source0:       https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
-# RHEL package is built with vendored dependencies
-# created with gen-vendor-tarball.sh from SOURCE2
-Source1:       %{name}-%{version}-vendor.tar.xz
-Source2:       gen-vendor-tarball.sh
+Source0:       https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz
+
+# Upstream
+Patch0:        toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
+Patch1:        toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
+Patch2:        toolbox-Simplify-removing-the-user-s-password.patch
 
 # Fedora specific
-Patch100:      toolbox-Don-t-use-Go-s-semantic-import-versioning.patch
-Patch101:      toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
-Patch102:      toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
-Patch103:      toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch
+Patch100:      toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
+Patch101:      toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
 
-BuildRequires: ShellCheck
+BuildRequires: gcc
 BuildRequires: go-md2man
-BuildRequires: golang >= 1.13
+BuildRequires: golang >= 1.19.4
 %if ! 0%{?rhel}
-BuildRequires: golang(github.com/HarryMichal/go-version)
-BuildRequires: golang(github.com/acobaugh/osrelease)
-BuildRequires: golang(github.com/briandowns/spinner) >= 1.10.0
+BuildRequires: golang(github.com/HarryMichal/go-version) >= 1.0.1
+BuildRequires: golang(github.com/acobaugh/osrelease) >= 0.1.0
+BuildRequires: golang(github.com/briandowns/spinner) >= 1.17.0
 BuildRequires: golang(github.com/docker/go-units) >= 0.4.0
-BuildRequires: golang(github.com/fsnotify/fsnotify) >= 1.4.7
-BuildRequires: golang(github.com/godbus/dbus) >= 5.0.3
-BuildRequires: golang(github.com/mattn/go-isatty) >= 0.0.12
-BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2
-# BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0
-BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5
-BuildRequires: golang(github.com/spf13/viper) >= 1.3.2
-BuildRequires: golang(golang.org/x/crypto/ssh/terminal)
+BuildRequires: golang(github.com/fsnotify/fsnotify) >= 1.5.1
+BuildRequires: golang(github.com/godbus/dbus) >= 5.0.6
+BuildRequires: golang(github.com/sirupsen/logrus) >= 1.8.1
+BuildRequires: golang(github.com/spf13/cobra) >= 1.3.0
+BuildRequires: golang(github.com/spf13/viper) >= 1.10.1
 BuildRequires: golang(golang.org/x/sys/unix)
+BuildRequires: golang(golang.org/x/term)
+# for tests
+# BuildRequires: codespell
+# BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0
+# BuildRequires: ShellCheck
 %endif
 BuildRequires: meson >= 0.58.0
 BuildRequires: pkgconfig(bash-completion)
+BuildRequires: pkgconfig(fish)
+BuildRequires: shadow-utils-subid-devel
+BuildRequires: systemd
 BuildRequires: systemd-rpm-macros
 
 Requires:      containers-common
@@ -55,6 +64,8 @@ Toolbox is a tool for Linux operating systems, which allows the use of
 containerized command line environments. It is built on top of Podman and
 other standard container technologies from OCI.
 
+%if ! 0%{?rhel}
+
 # The list of requires packages for -support and -experience should be in sync with:
 # https://github.com/containers/toolbox/blob/master/images/fedora/f33/extra-packages
 %package       support
@@ -128,6 +139,7 @@ on the host.
 The %{name}-experience package should be typically installed from the
 Dockerfile if the image isn't based on the fedora-toolbox image.
 
+%endif
 
 %package       tests
 Summary:       Tests for %{name}
@@ -144,34 +156,29 @@ The %{name}-tests package contains system tests for %{name}.
 
 
 %prep
-%setup -q %{?rhel:-a 1}
-%if ! 0%{?rhel}
-%patch100 -p1
-%endif
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %ifnarch ppc64
-%patch101 -p1
+%patch100 -p1
 %else
-%patch102 -p1
+%patch101 -p1
 %endif
 
-%if ! 0%{?rhel}
-%patch103 -p1
-%endif
-
-%gomkdir
+%gomkdir -s %{_builddir}/%{extractdir}/src %{?rhel:-k}
 
 
 %build
-export GO111MODULE=off
+export %{gomodulesmode}
 export GOPATH=%{gobuilddir}:%{gopath}
 export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
-ln -s src/cmd cmd
-ln -s src/pkg pkg
-%if 0%{?rhel}
-ln -s src/vendor vendor
-%endif
-%meson --buildtype=plain -Dprofile_dir=%{_sysconfdir}/profile.d -Dtmpfiles_dir=%{_tmpfilesdir}
+
+%meson \
+    -Dprofile_dir=%{_sysconfdir}/profile.d \
+    -Dtmpfiles_dir=%{_tmpfilesdir} \
+    -Dzsh_completions_dir=%{_datadir}/zsh/site-functions
 %meson_build
 
 
@@ -188,21 +195,44 @@ ln -s src/vendor vendor
 %license COPYING %{?rhel:src/vendor/modules.txt}
 %{_bindir}/%{name}
 %{_datadir}/bash-completion
+%{_datadir}/fish
+%{_datadir}/zsh
 %{_mandir}/man1/%{name}.1*
 %{_mandir}/man1/%{name}-*.1*
+%{_mandir}/man5/%{name}.conf.5*
 %config(noreplace) %{_sysconfdir}/containers/%{name}.conf
 %{_sysconfdir}/profile.d/%{name}.sh
 %{_tmpfilesdir}/%{name}.conf
 
+%if ! 0%{?rhel}
+
 %files support
 
 %files experience
 
+%endif
+
 %files tests
 %{_datadir}/%{name}
 
 
 %changelog
+* Fri Nov 10 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-2
+- Be aware of security hardened mount points
+- Simplify removing the user's password
+
+* Wed Feb 22 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-1
+- Update to 0.0.99.4
+
+* Wed Feb 22 2023 Martin Jackson <mhjacks@swbell.net> - 0.0.99.3-11
+- Fix the ExclusiveArch
+
+* Tue Feb 21 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-10
+- Add ExclusiveArch to match Podman
+
+* Thu Feb 02 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.0.99.3-9
+- Sync packaging changes from CentOS Stream
+
 * Thu Dec 22 2022 Yaakov Selkowitz <yselkowi@redhat.com> - 0.0.99.3-8
 - Use vendored dependencies for RHEL/ELN builds