Accepting request 1193293 from devel:tools:scm

- update to 8.0.1:
  * A change introduced in Forgejo v1.21 allows a Forgejo user with write
    permission on a repository description to inject a client-side script into
    the web page viewed by the visitor. This XSS allows for href in anchor
    elements to be set to a javascript: URI in the repository description,
    which will execute the specified script upon clicking (and not upon
    loading). AllowStandardURLs is now called for the repository description
    policy, which ensures that URIs in anchor elements are mailto:, http:// 
    or https:// and thereby disallowing the javascript: URI.
  * Do not include trailing EOL character when counting lines
  * Add background to reactions on hover
  * Prevent uppercase in header of dashboard context selector
  * Fix page layout in admin settings
  * Ensure all filters are persistent in issue filters
  * Allow 4 character SHA in /src/commit
- update to 8.0.0:
  full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
  Highlights:
    * remove Microsoft SQL Server support
    * introduce a branch/tag dropdown in the code search page
    * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
    * API endpoints for managing tag protection.
    * add Reviewed-on and Reviewed-by variables to the merge template
    * display an error when an issue comment is edited simultaneously by
      two users instead of silently overriding one of them
    * when installing Forgejo through the built-in installer, open
      (self-) registration is now disabled by default
    * add support for the reddit and Hubspot OAuth providers.
    * CERT management was improved when ENABLE_ACME=true
    * language detection in the repository got additional languages (forwarded request 1193292 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1193293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=13
Dominique Leuenberger 2024-08-12 10:31:30 +00:00 committed by Git OBS Bridge
commit fe1055e9bc
14 changed files with 4365 additions and 3413 deletions


@ -1,9 +1,8 @@
Index: gitea-1.21.3/custom/conf/app.example.ini
===================================================================
--- gitea-1.21.3.orig/custom/conf/app.example.ini
+++ gitea-1.21.3/custom/conf/app.example.ini
@@ -44,7 +44,7 @@
APP_NAME = ; Gitea: Git with a cup of tea
diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patched/custom/conf/app.example.ini
--- forgejo-src-8.0.0/custom/conf/app.example.ini 2024-07-30 06:40:03.000000000 +0200
+++ forgejo-src-8.0.0-patched/custom/conf/app.example.ini 2024-08-01 20:24:55.972480197 +0200
@@ -51,7 +51,7 @@
;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}
;;
;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
-RUN_USER = ; git
@ -11,7 +10,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
@@ -273,15 +273,17 @@ RUN_USER = ; git
@@ -284,15 +284,17 @@
;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
;; Paths are relative to CUSTOM_PATH
@ -31,7 +30,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Enable gzip compression for runtime-generated content, static resources excluded
;ENABLE_GZIP = false
@@ -293,6 +295,7 @@ RUN_USER = ; git
@@ -304,6 +306,7 @@
;;
;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
@ -39,16 +38,57 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
@@ -368,7 +371,7 @@ USER = root
@@ -355,10 +358,10 @@
;;
;; MySQL Configuration
;;
-DB_TYPE = mysql
-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
-NAME = gitea
-USER = root
+;DB_TYPE = mysql
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+;NAME = forgejo
+;USER = root
;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
@@ -369,7 +372,7 @@
;;
;DB_TYPE = postgres
;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
-;NAME = gitea
+;NAME = forgejo
;USER = root
;PASSWD =
;SCHEMA =
@@ -379,21 +382,10 @@
;;
;; SQLite Configuration
;;
;DB_TYPE = sqlite3
-;DB_TYPE = sqlite3
-;PATH= ; defaults to data/forgejo.db
+;PATH= /var/lib/forgejo/data/gitea.db ; defaults to data/forgejo.db
;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
-;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
-;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
-;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
-;; MSSQL Configuration
-;;
-;DB_TYPE = mssql
-;HOST = 172.17.0.2:1433
-;NAME = gitea
-;USER = SA
-;PASSWD = MwantsaSecurePassword1
-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+DB_TYPE = sqlite3
+PATH= /var/lib/forgejo/data/forgejo.db ; defaults to data/forgejo.db
+SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
;;
@@ -561,14 +564,14 @@ ENABLE = true
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
@@ -579,14 +571,14 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
@ -65,7 +105,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
LEVEL = Info
@@ -904,7 +907,7 @@ LEVEL = Info
@@ -946,7 +938,7 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
@ -74,7 +114,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
;SCRIPT_TYPE = bash
@@ -1014,7 +1017,7 @@ LEVEL = Info
@@ -1065,7 +1057,7 @@
;ENABLED = true
;;
;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
@ -83,7 +123,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
;ALLOWED_TYPES =
@@ -1368,7 +1371,7 @@ LEVEL = Info
@@ -1444,7 +1436,7 @@
;ISSUE_INDEXER_TYPE = bleve
;;
;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
@ -92,7 +132,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
;ISSUE_INDEXER_CONN_STR =
@@ -1395,7 +1398,7 @@ LEVEL = Info
@@ -1471,7 +1463,7 @@
;REPO_INDEXER_TYPE = bleve
;;
;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
@ -101,7 +141,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
;REPO_INDEXER_CONN_STR =
@@ -1429,6 +1432,7 @@ LEVEL = Info
@@ -1510,6 +1502,7 @@
;;
;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
@ -109,16 +149,16 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Default queue length before a channel queue will block
;LENGTH = 100000
@@ -1752,7 +1756,7 @@ LEVEL = Info
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
@@ -1852,7 +1845,7 @@
;; file: session file path, e.g. `data/sessions`
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
+;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
;;
;; Session cookie name
;COOKIE_NAME = i_like_gitea
@@ -1839,7 +1843,7 @@ LEVEL = Info
@@ -1939,7 +1932,7 @@
;;
;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
@ -127,7 +167,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
;MINIO_ENDPOINT = localhost:9000
@@ -1857,7 +1861,7 @@ LEVEL = Info
@@ -1965,7 +1958,7 @@
;MINIO_LOCATION = us-east-1
;;
;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
@ -136,7 +176,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
;MINIO_USE_SSL = false
@@ -2428,10 +2432,10 @@ LEVEL = Info
@@ -2548,10 +2541,10 @@
;;
;STORAGE_TYPE = local
;; override the minio base path if storage type is minio
@ -149,7 +189,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;
;; Maximum count of package versions a single owner can have (`-1` means no limits)
;LIMIT_TOTAL_OWNER_COUNT = -1
@@ -2498,10 +2502,10 @@ LEVEL = Info
@@ -2618,10 +2611,10 @@
;STORAGE_TYPE = local
;;
;; Where your lfs files reside, default is data/lfs.
@ -162,7 +202,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2521,10 +2525,10 @@ LEVEL = Info
@@ -2641,10 +2634,10 @@
;STORAGE_TYPE = local
;;
;; Where your lfs files reside, default is data/lfs.
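Review bot: The added lines at the end of the SQLite hunk ship `SQLITE_TIMEOUT =` and `SQLITE_JOURNAL_MODE =` uncommented with empty values, so the packaged app.ini sets both keys explicitly instead of leaving them unset. Whether an empty value falls back to the documented default is decided by the settings loader, which is not visible on this page. Keeping them as `;SQLITE_TIMEOUT =` and `;SQLITE_JOURNAL_MODE =` and enabling only `DB_TYPE = sqlite3` and `PATH=` avoids relying on that behaviour. The rendered page has lost most of the outer +/- markers, so this assumes the uncommented block is the new side of the patch.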


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ba66fa2bf335149d6bda0a943bcbb2021af3692f10c10ede646cdcabfe762029
size 53549049


@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYTZAAKCRCkthotxZI3
EPgYAP9o2VTTDnul4cDr6xEfw9k90sk323uk4WhcSktc+qgxqwEAmUKcJ4pk7scZ
O2O5Ru3o7nomtBPrflFoGJXKO8ACrQ8=
=7IAF
-----END PGP SIGNATURE-----

3
forgejo-src-8.0.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:284b2cc2a609d1766bb61f20cea7c6a9e2a34a9972f243d4962df2a24d15204a
size 53413049


@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYYFgAKCRCkthotxZI3
EHz8AP90KeP3zRxXpllCJkXngANdUYN4wajU50u8p73dUY2jWAD/Wn87xN7RbrVd
0U3wPsUy4Memvg4WYavNWBOEwDtTtww=
=JG8G
-----END PGP SIGNATURE-----


@ -1,88 +1,64 @@
abi <abi/3.0>,
#include <tunables/global>
include <tunables/global>
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/user-tmp>
#include <abstractions/mysql>
include <abstractions/base>
include <abstractions/mysql>
include <abstractions/nameservice>
include <abstractions/opencl-pocl>
include <abstractions/openssl>
include <abstractions/user-tmp>
include if exists <local/usr.bin.forgejo>
network inet stream,
network inet6 stream,
/usr/bin/forgejo mr,
/usr/bin/gzip mr,
# Grant read access to config files
/etc/mime.types r,
/usr/share/mime/globs2 r,
/etc/machine-id r,
/etc/forgejo/ r,
/etc/forgejo/{conf,https,mailer}/ r,
/etc/forgejo/https/*.{crt,key,pem} r,
# Access to config file app.ini
/etc/forgejo/conf/app.ini r,
# Config must be writeable for initial setup
# to restrict to read-only access admin can do after setup:
# chown root:gitea /etc/gitea/conf/app.ini
# chmod 0640 /etc/gitea/conf/app.ini
owner /etc/forgejo/conf/app.ini w,
# Grant read access to public custom static content
/etc/forgejo/public/ r,
/etc/forgejo/public/** r,
# allow invoking executables
/usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
/usr/{lib,libexec}/git/git ix,
/usr/{lib,libexec}/git/git-remote-http ix,
/usr/share/git-core/templates/ r,
/usr/share/git-core/templates/** r,
/etc/forgejo/{conf,https,mailer}/ r,
/etc/gitconfig r,
# Grant read access to static content
/usr/share/forgejo/** r,
# Grant read access to some process parameters
/etc/mime.types r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
# Grant read access to working directory
/var/lib/forgejo/ r,
# Allow TTY access
/dev/tty rw,
# Grant access to various data/repo directories
owner /tmp/patch* rw,
owner /tmp/index* rw,
owner /tmp/forgejo** rwl,
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
owner /var/lib/forgejo/https/** rwkl,
# Ugly!
/usr/bin/forgejo mr,
/usr/bin/git mr,
/usr/bin/gzip mr,
/usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
/usr/libexec/git/git-write-tree mrix,
/usr/share/forgejo/** r,
/usr/share/forgejo/.gitconfig rw,
/usr/share/forgejo/.gitconfig.lock rw,
/usr/share/git-core/templates/ r,
/usr/share/git-core/templates/** r,
/usr/share/mime/globs2 r,
/usr/{lib,libexec}/git/git ix,
/usr/{lib,libexec}/git/git-remote-http ix,
/var/ r,
/var/lib/ r,
/var/lib/forgejo/ r,
/var/lib/forgejo/.local/** rw,
/var/lib/forgejo/.ssh/ rw,
/var/lib/forgejo/.ssh/* rw,
/var/lib/forgejo/.local/** rw,
# for writing access log file
/var/log/forgejo/ rw,
/var/log/forgejo/access.log rw,
/var/log/forgejo/access.log.* w,
/var/log/forgejo/doctors-* rw,
@{PROC}/sys/net/core/somaxconn r,
owner /etc/forgejo/conf/app.ini w,
owner /tmp/forgejo** rwl,
owner /tmp/index* rw,
owner /tmp/patch* rw,
owner /usr/share/forgejo/** rw,
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
owner /var/lib/forgejo/https/** rwlk,
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
owner /var/log/forgejo/gitea.log w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.forgejo>
}
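Review bot: `owner /usr/share/forgejo/** rw,` gives the confined service write access to its whole static-content tree, far wider than the two rules `/usr/share/forgejo/.gitconfig rw,` and `/usr/share/forgejo/.gitconfig.lock rw,` listed just above it. If any file under /usr/share/forgejo is owned by the service user, a compromised process could rewrite content that is later served to visitors; keeping only the two `.gitconfig` rules plus `/usr/share/forgejo/** r,` looks sufficient for what the profile itself describes. `include <abstractions/opencl-pocl>` is also unexpected for a Git forge and is worth dropping unless a denial log justifies it. The page has lost the +/- markers, so this assumes the alphabetically sorted rule list without comments is the new side.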


@ -1,3 +1,44 @@
-------------------------------------------------------------------
Fri Aug 9 21:25:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 8.0.1:
* A change introduced in Forgejo v1.21 allows a Forgejo user with write
permission on a repository description to inject a client-side script into
the web page viewed by the visitor. This XSS allows for href in anchor
elements to be set to a javascript: URI in the repository description,
which will execute the specified script upon clicking (and not upon
loading). AllowStandardURLs is now called for the repository description
policy, which ensures that URIs in anchor elements are mailto:, http://
or https:// and thereby disallowing the javascript: URI.
* Do not include trailing EOL character when counting lines
* Add background to reactions on hover
* Prevent uppercase in header of dashboard context selector
* Fix page layout in admin settings
* Ensure all filters are persistent in issue filters
* Allow 4 charachter SHA in /src/commit
- update to 8.0.0:
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
Highlights:
* remove Microsoft SQL Server support
* introduce a branch/tag dropdown in the code search page
* added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
* API endpoints for managing tag protection.
* add Reviewed-on and Reviewed-by variables to the merge template
* display an error when an issue comment is edited simultaneously by
two users instead of silently overriding one of them
* when installing Forgejo through the built-in installer, open
(self-) registration is now disabled by default
* add support for the reddit and Hubspot OAuth providers.
* CERT management was improved when ENABLE_ACME=true
* language detection in the repository got additional languages
* add an immutable tarball link to archive download headers for Nix
* Show the AGit label on merged pull requests
- fix apparmor profile
- set sqlite3 as the default installation database
- add a rule for firewalld
-------------------------------------------------------------------
Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

6
forgejo.firewalld Normal file

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Forgejo</short>
<description>Forgejo is a self-hostable forge. It was forked from gitea, and has the old UI style from GitHub.</description>
<port protocol="tcp" port="3000"/>
</service>
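Review bot: The `<description>` recounts the project's history rather than what enabling the service opens, so an administrator inspecting the service definition learns nothing about the exposure. Port 3000 is hard-coded here while the listener port is configurable in app.ini, and the definition does not say that the port carries plain HTTP unless TLS is set up in Forgejo or in a reverse proxy in front of it. A description such as `Forgejo web interface on the default HTTP_PORT (3000/tcp); adjust if HTTP_PORT is changed in app.ini` would state that.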


@ -1,56 +0,0 @@
#!/bin/sh -e
DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
echo 'You must be root to run this script'
exit 1
fi
if [ $# -eq 1 ]; then
if [ "$1" = "--update" ] ; then
time=`ls -l --time-style="+%x %X" forgejo.te | awk '{ printf "%s %s", $6, $7 }'`
rules=`ausearch --start $time -m avc --raw -se forgejo`
if [ x"$rules" != "x" ] ; then
echo "Found avc's to update policy with"
echo -e "$rules" | audit2allow -R
echo "Do you want these changes added to policy [y/n]?"
read ANS
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
echo "Updating policy"
echo -e "$rules" | audit2allow -R >> forgejo.te
# Fall though and rebuild policy
else
exit 0
fi
else
echo "No new avcs found"
exit 0
fi
else
echo -e $USAGE
exit 1
fi
elif [ $# -ge 2 ] ; then
echo -e $USAGE
exit 1
fi
echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile forgejo.pp || exit
/usr/sbin/semodule -i forgejo.pp
# Generate a man page of the installed module
sepolicy manpage -p . -d forgejo_t
# Fixing the file context on /usr/bin/forgejo
/sbin/restorecon -F -R -v /usr/bin/forgejo
# Fixing the file context on /var/log/forgejo
/sbin/restorecon -F -R -v /var/log/forgejo
# Fixing the file context on /var/lib/forgejo
/sbin/restorecon -F -R -v /var/lib/forgejo
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba forgejo_selinux.spec


@ -30,7 +30,7 @@
%endif
%endif
Name: forgejo
Version: 7.0.7
Version: 8.0.1
Release: 0
Summary: Self-hostable forge
License: MIT
@ -42,14 +42,13 @@ Source2: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6
Source3: package-lock.json
Source4: node_modules.spec.inc
%include %{_sourcedir}/node_modules.spec.inc
Source5: node_modules.sums
Source6: %{name}.service
Source7: %{name}.sysusers
Source8: %{name}.fc
Source9: %{name}.if
Source10: %{name}.sh
Source11: %{name}.te
Source12: apparmor-usr.bin.%{name}
Source5: %{name}.service
Source6: %{name}.sysusers
Source7: %{name}.fc
Source8: %{name}.if
Source9: %{name}.te
Source10: %{name}.apparmor
Source11: %{name}.firewalld
Source99: get-sources.sh
Patch0: custom-app.ini.patch
BuildRequires: golang-packaging
@ -61,6 +60,8 @@ BuildRequires: npm-default
%else
BuildRequires: nodejs-packaging
%endif
BuildRequires: firewall-macros
BuildRequires: firewalld
BuildRequires: local-npm-registry
BuildRequires: make
BuildRequires: systemd-rpm-macros
@ -68,6 +69,7 @@ BuildRequires: sysuser-tools
Requires: git-core
Requires: git-lfs
Requires: (%{name}-apparmor if apparmor-abstractions)
Requires: (%{name}-firewalld if firewalld)
Requires: (%{name}-selinux if selinux-policy-targeted)
%if %{with apparmor}
BuildRequires: apparmor-abstractions
@ -81,6 +83,13 @@ BuildRequires: selinux-policy-devel
%{systemd_requires}
%{sysusers_requires}
%package firewalld
Summary: Firewalld profile for %{name}
BuildArch: noarch
%description firewalld
This package adds a firewalld service profile to %{name}
%if %{with apparmor}
%package apparmor
Summary: Apparmor profile for %{name}
@ -111,7 +120,7 @@ Providing Git hosting for your project, friends, company or community? Forgejo (
local-npm-registry %{_sourcedir} install --also=dev
%build
%sysusers_generate_pre %{SOURCE7} %{name} %{name}.conf
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
%make_build build
@ -126,12 +135,12 @@ install -d %{buildroot}%{_sysconfdir}/%{name}
install -d %{buildroot}%{_localstatedir}/log/%{name}
install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}.service
install -D -m 0644 %{SOURCE7} %{buildroot}%{_sysusersdir}/%{name}.conf
install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with apparmor}
install -d %{buildroot}%{_sysconfdir}/apparmor.d
install -Dm0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
%endif
%if %{with selinux}
@ -141,12 +150,18 @@ install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{na
install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
#firewalld service file
install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
%pre -f %{name}.pre
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%post firewalld
%firewalld_reload
%if %{with apparmor}
%post apparmor
%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
@ -198,4 +213,7 @@ semodule -r %{name} 2>/dev/null || :
%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
%files firewalld
%config(noreplace) %{_prefix}/lib/firewalld/services/%{name}.xml
%changelog
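Review bot: In the added `%files firewalld` list, `%config(noreplace)` is applied to a file under `%{_prefix}/lib/firewalld/services/`, which is the vendor directory for service definitions. Local overrides belong in /etc/firewalld/services, so marking the packaged copy as config lets a locally edited file survive updates and silently keep an outdated port definition. Listing it as plain `%{_prefix}/lib/firewalld/services/%{name}.xml` keeps the shipped definition authoritative.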


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f5ea0007b140d739de145225fce8a34d2e257d06891cdf39ca350e6bd3136236
size 185686620
oid sha256:b460b33350264ff646c4480d291e710828bff706703ef3e7da7991a692e22e54
size 276597904



4360
package-lock.json generated
