From 3432bffb9685112f1503b7dabb073298fb929ba29dbc8c9cba125ab072f30a11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 20 Feb 2025 10:02:07 +0100 Subject: [PATCH] Sync from SUSE:SLFO:Main python-kiwi revision f8d75180e911fdf7dc2c64c7c0dea27c --- PKGBUILD | 4 +- python-kiwi.changes | 697 ++++++++++++++++++++++++++++++++++++++++++++ python-kiwi.spec | 2 +- python-kiwi.tar.gz | 4 +- 4 files changed, 702 insertions(+), 5 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 6b386d0..78558c8 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,7 +3,7 @@ pkgname=('python-kiwi' 'kiwi-man-pages' 'dracut-kiwi-lib' 'dracut-kiwi-oem-repart' 'dracut-kiwi-oem-dump' 'dracut-kiwi-live' 'dracut-kiwi-overlay') arch=(x86_64) -pkgver=10.1.16 +pkgver=10.2.10 pkgrel=0 pkgdesc="KIWI - Appliance Builder Next Generation" url="https://github.com/SUSE/kiwi/tarball/master" @@ -12,7 +12,7 @@ makedepends=(make gcc python-build python-docopt python-installer python-lxml py provides=(kiwi-ng kiwi) source=("${pkgname}.tar.gz") changelog="${pkgname}.changes" -md5sums=('812a9cd9a12600a955663baa3f6da1e3') +md5sums=('84f2bafc3002f5a4c83cabd627c16f6f') build() { diff --git a/python-kiwi.changes b/python-kiwi.changes index c51187d..6a73bed 100644 --- a/python-kiwi.changes +++ b/python-kiwi.changes 
@@ -1,3 +1,670 @@ +------------------------------------------------------------------- +Sun Feb 09 20:16:13 CET 2025 - Marcus Schäfer + +- Bump version: 10.2.9 → 10.2.10 + +------------------------------------------------------------------- +Sun Feb 09 19:36:28 CET 2025 - Marcus Schäfer + +- Poetry build sdist timestamps set to epoch 0 + + Newer versions of poetry set the timestamp for all source + files to epoch 0. Such sources are not accepted by e.g + Debian FTP servers and in general I don't like when tools + changes their behavior just like that. This commit forces + an older version of poetry for the purpose of creating the + sdist tarball which then gets published on pypi. The + argumentation for reproducible builds by forcing source + files to a certain timestamp doesn't fly for me. I'm open + for any better solution though. This Fixes #2730 + +------------------------------------------------------------------- +Sat Feb 01 23:13:22 CET 2025 - Marcus Schäfer + +- Bump version: 10.2.8 → 10.2.9 + +------------------------------------------------------------------- +Thu Jan 30 23:55:51 CET 2025 - Marcus Schäfer + +- Classify missing chkstat as debug message + + chkstat is a distribution specific tool. If it is + present we use it, if not we don't but it's not worth + a warning. This Fixes #2711 + +------------------------------------------------------------------- +Thu Jan 30 22:50:28 CET 2025 - Marcus Schäfer + +- Allow to run setfiles multi threaded + + Use option -T0 for newer setfiles version. + This Fixes #2719 + +------------------------------------------------------------------- +Thu Jan 30 22:39:12 CET 2025 - Marcus Schäfer + +- Add rd.kiwi.dialog.timeout option + + Allow to configure the timeout value for dialogs displayed + by the kiwi dracut code. By default the timeout is set to + 60 seconds. With the special value "off" the dialog will + never timeout. 
This Fixes #2718 + +------------------------------------------------------------------- +Thu Jan 30 22:10:39 CET 2025 - Marcus Schäfer + +- Make sure copy actions does not drop context + + Use shutil.copy2 to copy files preserving their + attributes in the grub BootLoader space. + This Fixes #2709 + +------------------------------------------------------------------- +Thu Jan 30 21:26:00 CET 2025 - Marcus Schäfer + +- Improve unit test for archive target_dir + + Add a test case with absolute path in the target_dir + to make sure we never unpack the archive to the host + system. The actual issue was resolved together with + the implementation in #1953 and commit + 78238a993c966d1229cd2fc1f5923673a90de14d + This Fixes #2701 + +------------------------------------------------------------------- +Thu Jan 30 20:56:53 CET 2025 - Marcus Schäfer + +- Fixed profiled overlay imports + + When building an image for profile: SOME and providing + an overlay directory named SOME/... kiwi will sync the + contents of this overlay directory to the root tree. + However it took the toplevel name SOME/ into account + which is unwanted because only the sub data structure + should be synced into the new root tree. This + Fixes #2690 + +------------------------------------------------------------------- +Mon Jan 27 11:47:55 CET 2025 - Marcus Schäfer + +- Bump version: 10.2.7 → 10.2.8 + +------------------------------------------------------------------- +Mon Jan 27 11:46:48 CET 2025 - Ondrej Holecek + +- Use multipath child instead of parent device + + On multipath systems we need to find underlying child device + instead of using parent device. 
+ This prevents listing all parent devices for a multipath device + +------------------------------------------------------------------- +Sat Jan 25 17:55:15 CET 2025 - Marcus Schäfer + +- Increase size for agama integration test build + + Agama needs more space to build now + +------------------------------------------------------------------- +Sat Jan 25 17:41:59 CET 2025 - Marcus Schäfer + +- Fixed agama integration test + + rubygem-byebug and rubygem-agama-yast seems to + no longer exist + +------------------------------------------------------------------- +Sat Jan 25 17:38:01 CET 2025 - Marcus Schäfer + +- Update TW integration tests + + Package nscd was dropped from TW + +------------------------------------------------------------------- +Wed Jan 22 10:38:09 CET 2025 - Marcus Schäfer + +- Fix documentation regarding URI styles + + In reference to commit 760a65558f9e2e91d3eaa3a2f9503ff596984b48 + the support for iso:// URI types was dropped some time ago. + However, the documentation was not properly updated. This + commit fixes it + +------------------------------------------------------------------- +Tue Jan 21 10:39:32 CET 2025 - Marcus Schäfer + +- Fix return value of grub helper methods + + The grub helper methods to find grub tools returns a + None value if the tool cannot be found. This None value + could be used later in a Command call where it will be + used in a join() command to log the resulting commandline. + This join() call then fails and raises an unhandled error + causing a stack trace in the application. This commit + fixes it + +------------------------------------------------------------------- +Mon Jan 20 17:54:08 CET 2025 - Marcus Schäfer + +- Added disk validation for duplicate installs + + Installing the same image to different storage disks on the + same machine creates device conflicts with unexpected side + effects. 
This commit adds a validation based on the PTUUID + of the disk image to check if another device on the system + has the same ID and if yes, does not allow to install the + image again including a message which device takes the same + identifier. This references bsc#1228741 + +------------------------------------------------------------------- +Mon Jan 20 09:13:22 CET 2025 - Marcus Schäfer + +- Fixed documentation for signing key attribute + + The source locator name for local files was incorrect + +------------------------------------------------------------------- +Sat Jan 18 17:58:02 CET 2025 - Marcus Schäfer + +- Bump version: 10.2.6 → 10.2.7 + +------------------------------------------------------------------- +Sat Jan 18 17:53:07 CET 2025 - Marcus Schäfer + +- Update documentation + + Added a new troubleshooting chapter as subsection to + the Build Host Constraints named Package Manager Behavior. + It serves the purpose to describe options for the customer + to change the default package manager behavior which + we from the kiwi side do not influence intentionally. + This is a followup change to bsc#1235448 + +------------------------------------------------------------------- +Tue Jan 14 10:52:43 CET 2025 - Marcus Schäfer + +- Drop still present tox artifacts + + There were still some left over tox files and the + documentation contribution chapter was also wrong at + several places + +------------------------------------------------------------------- +Mon Jan 13 14:45:55 CET 2025 - Marcus Schäfer + +- Add support for reading optional pkgmgr env file + + If there is a file .kiwi.package_manager.env in the root of + the image tree it will be read and put into the caller environment for + the selected package and repository manager. There are features + in e.g zypper which can only be used via env variables. 
+ This Fixes bsc#1235448 + +------------------------------------------------------------------- +Mon Jan 13 10:18:49 CET 2025 - Marcus Schäfer + +- Auto convert unit test XML data to schema v8.3 + +------------------------------------------------------------------- +Mon Jan 13 09:45:32 CET 2025 - Marcus Schäfer + +- Rename btrfs_root_is_snapshot + + Rename btrfs_root_is_snapshot to btrfs_root_is_snapper_snapshot. + This happens in preparation for the changes suggested in #2697 + where we want to get rid of snapper specific btrfs code which + will be available in snapper natively soon. To make sure a btrfs + layout specific to snapper(and SUSE), the implicitly used attribute + named btrfs_root_is_snapshot now becomes explicit and its new + name will indicate that snapper sits behind it. Along with the + rename a XSLT stylesheet to automatically convert the old name + into the new name for schema v8.3 will be performed. + +------------------------------------------------------------------- +Mon Jan 13 09:25:29 CET 2025 - Marcus Schäfer + +- Bump version: 10.2.5 → 10.2.6 + +------------------------------------------------------------------- +Fri Jan 10 16:49:03 CET 2025 - Marcus Schäfer + +- Fixed donate button target + +------------------------------------------------------------------- +Wed Jan 08 21:51:57 CET 2025 - Marcus Schäfer + +- Added LUKS reencryption support + + Added rd.kiwi.oem.luks.reencrypt boot option consumed by the + kiwi-repart dracut module. For OEM LUKS2 encrypted disk images. + If set, reencrypts the disk prior an eventual resize and therefore + creates a new key pool and master key. The reencryption is advisable + if the image binary is not protected. With access to the image + binary it's possible to extract the luks header which then allows to + decrypt the data unless it was reencrypted. The reencryption process + only runs if the checksum of the luks header still matches the one + from the original disk image. 
Be aware that the reencryption will + ask for the passphrase if the image has been built with an initial + luks passphrase. + +------------------------------------------------------------------- +Wed Jan 08 09:51:06 CET 2025 - Marcus Schäfer + +- Fixed arm/tumbleweed/test-image-rpi + + No ruby required for this integration test build + +------------------------------------------------------------------- +Tue Jan 07 09:58:22 CET 2025 - Marcus Schäfer + +- Plain zipl loader needs boot partition + + If the rootfs is something zipl cannot read, we need an + extra boot partition using a supported filesystem + +------------------------------------------------------------------- +Tue Jan 07 09:44:06 CET 2025 - Marcus Schäfer + +- Fixed IBM-Cloud-Standard profile + + The test-image-MicroOS integration test builds an IBM-Cloud-Standard + profile as encrypted variant with a random key that is not protected + by an encrypted boot image. This doesn't make sense. Thus the + encryption setup for the IBM cloud standard build got removed. + Use the IBM-Cloud-Secure-Execution profile to test encrypted + secure linux builds + +------------------------------------------------------------------- +Tue Jan 07 09:18:55 CET 2025 - Marcus Schäfer + +- Fixed test-image-qcow-openstack + + rsh package was dropped from TW + +------------------------------------------------------------------- +Tue Dec 31 11:28:49 CET 2024 - Marcus Schäfer + +- Fix genprotimg for s390 builds + + A recent change on genprotimg now forbids to use --cert in + combination with --no-verify, even though this was allowed + before. + +------------------------------------------------------------------- +Fri Dec 20 12:57:29 CET 2024 - Marcus Schäfer + +- Fix documentation for repo, package gpg settings + + In contrast to the documentation, kiwi sets default values + for any gpg setting if not explicitly specified differently. + We want to avoid to inherit a behavior from how the distribution + packages the package manager. 
This commit fixes the documentation + to be in line with the implementation + +------------------------------------------------------------------- +Thu Dec 19 11:26:07 CET 2024 - Marcus Schäfer + +- Drop insecure and unsupported md5 digest + + Decommission the Checksum.md5() method and move all places + in code to sha256(). The md5 digest is considered insecure + and has also been removed from hashlib as a supported digest. + This Fixes #2696 + +------------------------------------------------------------------- +Thu Dec 19 10:48:43 CET 2024 - Marcus Schäfer + +- Fix config functions action + + The action failed on the setup of the runtime because the upgrade + of pip failed. + +------------------------------------------------------------------- +Thu Dec 19 10:35:24 CET 2024 - Marcus Schäfer + +- Bump version: 10.2.4 → 10.2.5 + +------------------------------------------------------------------- +Mon Dec 16 10:19:37 CET 2024 - Marcus Schäfer + +- Changed systemfiles provider + + Instead of providing a static list of filenames, provide a list + of package names. It is expected that the pilot of flake-pilot + resolves this list against the local package database to build + up the filelist for provisioning + +------------------------------------------------------------------- +Sat Dec 14 20:59:03 CET 2024 - Marcus Schäfer + +- Bump version: 10.2.3 → 10.2.4 + +------------------------------------------------------------------- +Wed Dec 11 20:40:19 CET 2024 - Marcus Schäfer + +- Update system files setup for containers + + The attribute provide_system_files creates a meta file in the + root tree named 'systemfiles'. The contents of this file were + produced by just a dump of the package database so far. For + a more generic use of this data some adaptions were needed. + First we allow to skip packages matching a pattern from being + part of the system files. Next we do not put ghost and doc + files into account. 
And last we handle library files in a different + file named 'systemfiles.libs' where we do not add symlink targets + if the target path is also part of the package. The consumer + of this information is flake-pilot which syncs that library system + files from the host via --copy-links. This allows a more generic + use with regards to versioned libraries e.g. libc + +------------------------------------------------------------------- +Tue Dec 10 19:14:52 CET 2024 - Neal Gompa + +- Drop /dev/pts from bind mount locations + + This has created havoc in the Fedora build environments by + fully unmounting /dev/pts and breaking the builders for + subsquent tasks. + + This is a partial revert of commit daf1323c5ded7e4e7783205f5e30457b40eb322f. + +------------------------------------------------------------------- +Sun Dec 08 20:35:42 CET 2024 - Marcus Schäfer + +- Don't take ghost files into account + + When creating the system files information do not + take ghost files and artifact files into account + +------------------------------------------------------------------- +Tue Dec 03 14:58:40 CET 2024 - Marcus Schäfer + +- Bump version: 10.2.2 → 10.2.3 + +------------------------------------------------------------------- +Tue Dec 03 14:56:47 CET 2024 - Marcus Schäfer + +- Update STYLEROOT to SUSE 2022 + +------------------------------------------------------------------- +Mon Dec 02 14:57:30 CET 2024 - Marcus Schäfer + +- Fix broken links in the documentation + +------------------------------------------------------------------- +Mon Dec 02 11:30:51 CET 2024 - Marcus Schäfer + +- Fix legacy_bios_mode detection + + The code in this method does not work correctly if the + firmware is set to 'bios'. In bios only mode the method + returned a false value which is incorrect as it should + return a true value in this case. Without this patch + ISO images will fail to boot because no loader gets + configured. 
+ +------------------------------------------------------------------- +Mon Dec 02 09:48:50 CET 2024 - Marcus Schäfer + +- Added /dev/pts to bind mount locations + + During runtime several kernel filesystems are bind mounted into + the image root system such that programs expecting it can work. + /dev/pts was not needed so far but seems to be a good addition + to the list to make tools like sudo to work properly when called + e.g. from a config.sh script. This Fixes #2686 + +------------------------------------------------------------------- +Fri Nov 29 20:12:38 CET 2024 - Adam Williamson + +- xorriso: respect efiparttable and gpt_hybrid_mbr + + This should make the xorriso-based ISO build path respect the + 'efiparttable' and 'gpt_hybrid_mbr' settings when building a + UEFI-compatible image, making it write a GPT disk label by default + instead of an MBR (msdos) one. If it's building an image that is not + UEFI-compatible it will always write an MBR label, regardless of + this setting. + + If 'gpt_hybrid_mbr' is set, xorriso will write an Ubuntu-style + MBR/GPT hybrid partition table, where the MBR partition table + includes a partition with type 00 and the bootable flag, as well + as the partition with type ee required by the UEFI spec. This + mildly violates the UEFI spec but may make the image bootable on + native BIOS or CSM firmwares which refuse to boot from a disk with + no partition marked 'bootable' in the MBR. If 'gpt_hybrid_mbr' is + not set, xorriso will write a strictly UEFI-spec compliant label, + with just the 'protective MBR' required by the UEFI spec (no + bootable partition) and the correct GPT partition table. Note + this is somewhat different from what gpt_hybrid_mbr does for + disk images. 
+ + Also, we now pass -compliance no_emul_toc when building ISOs, as + recommended by upstream in + https://lists.gnu.org/archive/html/bug-xorriso/2024-11/msg00012.html + This tool is generally always going to be building ISOs intended + for write-once use, not multi-session use (and which are rarely, + these days, written to physical discs at all anyway). + + 
Signed-off-by: Adam Williamson + +------------------------------------------------------------------- +Wed Nov 27 15:59:32 CET 2024 - Marcus Schäfer + +- Added provide/require system files for containers + + Added the attributes provide_system_files and require_system_files + to control the provider and requester of system files in + container image builds. systemfiles is a metadata file which + contains all files from the package database at call time. + It is used in flake-pilot to provision the systemfiles data + from the host into the container instance. One possible use + case for this data is a flake registration which uses a + base container that is derived from a runtime container but + all data from the runtime should be provisioned from the + host. Using this feature tightly couples the flake to the + host OS distribution and version. + +------------------------------------------------------------------- +Wed Nov 27 09:59:27 CET 2024 - Marcus Schäfer + +- Bump version: 10.2.1 → 10.2.2 + +------------------------------------------------------------------- +Wed Nov 27 09:49:05 CET 2024 - Marcus Schäfer + +- Fix scope issue + + Increase livetime of the the compressor instances + to the livetime of RootImportOCI. They create temporary + files which are referenced later and need to live longer + than the block they got created in + +------------------------------------------------------------------- +Tue Nov 26 13:14:19 CET 2024 - Marcus Schäfer + +- Bump version: 10.2.0 → 10.2.1 + +------------------------------------------------------------------- +Mon Nov 25 16:30:53 CET 2024 - Marcus Schäfer + +- Fixed use of fscreateoptions for iso type + + The information for fscreateoptions was not passed along to the + tooling if a custom filesystem attribute was specified. 
+ This Fixes #2681 + +------------------------------------------------------------------- +Mon Nov 25 12:32:20 CET 2024 - Marcus Schäfer + +- Allow to derive from multiple containers + + Add support for multi inheritance to the derived_from attribute + In the order of a comma seperated list of docker source URI's + a base tree is created. This was possible only with one container + so far and Fixes #2680 as well as jira#OBS-354 + +------------------------------------------------------------------- +Thu Nov 21 11:52:53 CET 2024 - Marcus Schäfer + +- Bump version: 10.1.18 → 10.2.0 + +------------------------------------------------------------------- +Thu Nov 21 11:33:25 CET 2024 - Marcus Schäfer + +- Add selinux test build to TW + + Also update derived docker integration test to latest Leap + +------------------------------------------------------------------- +Wed Nov 20 02:14:58 CET 2024 - Neal Gompa + +- kiwi/schema: Fix allowed value type for ISO publisher and application ID + + According to the spec, this should be constrained to 128 characters + but also allow quite a few other special characters (as well as spaces). + We didn't allow spaces in application ID, but allowed too much for Publisher. + + Now we set up both correctly. + +------------------------------------------------------------------- +Sun Nov 17 23:25:35 CET 2024 - Marcus Schäfer + +- Fix setup of kiwi environment variables + + Some kiwi env vars are initialized with an empty value + and not overwritten if another value is provided. For + the selected variables an empty value setting is not + allowed because the schema also enforces the value to + be set at least once. In addition a helpful option + named --print-kiwi-env was added to the 'image info' + command which allows to print the environment variables + and their values. 
+ +------------------------------------------------------------------- +Tue Nov 12 09:52:44 CET 2024 - Marcus Schäfer + +- Add random key support for LUKS encryption + + Allow to pass luks="random". In random mode use the + generated keyfile as the only key to decrypt. This is + only secure if the generated initrd also gets protected + e.g. through encryption like it is done with the secure + linux execution on zSystems + +------------------------------------------------------------------- +Thu Nov 07 08:43:03 CET 2024 - Marcus Schäfer + +- Added development group in pyproject setup + + generateDS and other tools are needed and were forgotten + to be added when we deleted the tox dependency + +------------------------------------------------------------------- +Wed Nov 06 10:13:01 CET 2024 - Marcus Schäfer + +- Added containers integration with OBS + + When building in the Open Build Service (OBS) there is no way + to create outgoing connections from the build workers. To allow + the section to fetch containers from the SUSE + registry we need to apply an OCI URI translation into a local + path. The actual OCI container image is expected to be provided + by the obs backend on the worker. Along with this commit also an + integration test named test-image-disk-containers is provided. + This Fixes jira#OBS-351 + +------------------------------------------------------------------- +Sun Nov 03 18:17:43 CET 2024 - Marcus Schäfer + +- Fix rendering of SUSE docs + + The SUSE documentation is produced through a conversion + of the ReST source into docbook. The name kiwi is reserved + in the index and needs to be referenced as kiwi-ng when + used as command. + +------------------------------------------------------------------- +Sun Nov 03 14:37:49 CET 2024 - Marcus Schäfer + +- Remove tox dependency + + tox was used as sort of a make target to run unit tests + and more in a python virtualenv. 
However, since we switched + everything to poetry it's no longer needed to let tox create + the python virtual environments. This commit moves the tox + targets into the Makefile and adapts the github workflow + files accordingly. In addition the scripts container based + tests were re-activated and fixed such that they succeed + again. + +------------------------------------------------------------------- +Fri Nov 01 13:31:20 CET 2024 - Marcus Schäfer + +- Fix make build target + + Move the actions done by the tox target into the + build target and call them there in a clean and easy + to spot sequence. There is no need to call tox to + prepare for the package submission, instead the + checks and poetry runs to prepare for the package + target should be called directly as part of the + build target. In the future we might get rid of + tox completely. + +------------------------------------------------------------------- +Fri Nov 01 13:08:12 CET 2024 - Marcus Schäfer + +- Bump version: 10.1.17 → 10.1.18 + +------------------------------------------------------------------- +Thu Oct 31 23:21:53 CET 2024 - Marcus Schäfer + +- Fixed zipl caller environment + + zipl gets confused with an active sysfs mount inside + the root tree at call time of zipl. This commit + umounts the /sys bind mount in the image tree prior + calling zipl + +------------------------------------------------------------------- +Thu Oct 31 17:46:31 CET 2024 - Marcus Schäfer + +- Fix s390 test-image-disk build + + Add missing kernel links used by suse tools + +------------------------------------------------------------------- +Thu Oct 31 10:01:54 CET 2024 - Marcus Schäfer + +- Bump version: 10.1.16 → 10.1.17 + +------------------------------------------------------------------- +Wed Oct 30 13:49:02 CET 2024 - Marcus Schäfer + +- Fix coloring of build_status.sh flags + + Depending on the place of the status flag the color + setup might fail. 
This commit fixes it + +------------------------------------------------------------------- +Wed Oct 30 10:24:38 CET 2024 - Marcus Schäfer + +- Add pytest-container as optional dependency + + The pyproject.toml listed pytest-container as dependency + but it is used only to run the container based integration + tests for the shell helper methods. For building the package + this dependency should not be pulled in + +------------------------------------------------------------------- +Fri Oct 25 10:58:52 CEST 2024 - Marcus Schäfer + +- Fix networking in erofs integration test + + The network setup was systemd-networkd based but + the provided network config was not for systemd + ------------------------------------------------------------------- Wed Oct 23 12:21:32 CEST 2024 - Marcus Schäfer @@ -734,6 +1401,16 @@ Wed Jul 31 16:57:30 CEST 2024 - Marcus Schäfer os.path.basename was called on a MagicMock object which sometimes confused pytest +------------------------------------------------------------------- +Wed Jul 31 15:22:06 CEST 2024 - Neal Gompa + +- CI: Add testing against Python 3.13 + + Python 3.13 is shipping in Fedora Linux for Fedora Linux 41, so we + should ensure kiwi is tested against it. The testing setup is + based on the latest development version of 3.13 as it is not + yet released. + ------------------------------------------------------------------- Wed Jul 31 12:09:20 CEST 2024 - Marcus Schäfer 
@@ -1594,6 +2271,26 @@ Mon Apr 15 16:43:21 CEST 2024 - Marcus Schäfer not get umounted and keeps a busy state until the lazy umount kicks in. This Fixes #2529 +------------------------------------------------------------------- +Fri Apr 12 10:39:31 CEST 2024 - Marcus Schäfer + +- Added IBM Secure Execution support on s390 + + IBM SEL(Secure Execution for Linux) is supported for s390 + KVM guests. SEL images used to start a confidential computing + protected guest contain an encrypted boot image which encapsulates + the kernel the initrd and the bootparams. The encrypted Image is + provided by the KVM/hypervisor to the Embedded zFirmware of the + system (the ultravisor device). The decryption keys are hardware + based and each system has an individual keypool unique to that + system. The root filesystem is LUKS encrypted with a random key + produced by kiwi at build time and kept inside of the initrd which + exists only inside of the encrypted boot image and the encrypted + rootfs to allow kernel updates. The commit to support secure + execution also comes with an integration test that provides + profiled image builds to target SUSE's LinuxONE as well + as IBM Cloud systems. + ------------------------------------------------------------------- Tue Apr 09 14:13:08 CEST 2024 - Marcus Schäfer diff --git a/python-kiwi.spec b/python-kiwi.spec index ac34768..f22cf77 100644 --- a/python-kiwi.spec +++ b/python-kiwi.spec @@ -52,7 +52,7 @@ %endif Name: python-kiwi -Version: 10.1.16 +Version: 10.2.10 Provides: kiwi-schema = 8.1 Release: 0 Url: https://github.com/OSInside/kiwi diff --git a/python-kiwi.tar.gz b/python-kiwi.tar.gz index f87e405..b2467e2 100644 --- a/python-kiwi.tar.gz +++ b/python-kiwi.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8df8e5a74374dfaacf885846d0e9da957a472bd577b146579225d64f66d1f3a4 -size 1042693 +oid sha256:4ea54c7da7e40f3db0a58036a5445f3c93328a161c7f50501ddbe39a6dffc22c +size 1055584
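Review bot: The PKGBUILD hunk still pins the source tarball with an MD5 digest (the updated `md5sums=(...)` line), which does not protect against a deliberately crafted replacement tarball. The changelog added in this same patch records upstream dropping MD5 as "insecure and unsupported" in favour of sha256, and the python-kiwi.tar.gz LFS pointer already identifies the new tarball by `oid sha256:`. Suggest replacing `md5sums` with `sha256sums` and checking that its value matches the oid in the LFS pointer, so both files pin the same artifact with the same digest type.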
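Review bot: In the python-kiwi.spec hunk, `Version:` moves to 10.2.10 but the context line `Provides: kiwi-schema = 8.1` directly below it is left unchanged, while the changelog entries added by this patch refer to schema v8.3 ("Auto convert unit test XML data to schema v8.3" and the `btrfs_root_is_snapper_snapshot` rename). Please confirm whether the Provides value should follow the schema version shipped in the new tarball. If it is intentionally kept at 8.1, a short comment in the spec saying so would avoid the question on the next sync.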
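Review bot: The second and third python-kiwi.changes hunks (`@@ -734,6 +1401,16 @@` and `@@ -1594,6 +2271,26 @@`) insert entries dated Jul 31 2024 and Apr 12 2024 into the middle of the existing history, below the previously newest entry of Oct 23 2024, so this sync rewrites already published changelog history rather than only prepending to it. The Apr 12 entry describes a whole feature (IBM Secure Execution support on s390) that the older changelog did not mention. Please confirm these backdated entries come from the regenerated upstream log and are intended, since tooling that compares the .changes file against the previous revision expects new entries only at the top.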