Accepting request 1302250 from devel:microos

- Do not recommend apparmor-parser and apparmor-abstractions: if
  the system is using apparmor, those packages will be present. If
  the system is selinux enabled, we don't want to recommend those
  packages just becuase we build support for apparmor into the
  package. (forwarded request 1302152 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/1302250
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/podman?expand=0&rev=163

0001-Backport-fix-for-CVE-2024-6104.patch

@@ -1,84 +0,0 @@
-From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
-Date: Sun, 30 Jun 2024 16:09:52 +0200
-Subject: [PATCH] Backport fix for CVE-2024-6104
-
-This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
-applied to the vendor/ source tree
-See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
----
- .../hashicorp/go-retryablehttp/client.go      | 28 ++++++++++++++-----
- 1 file changed, 21 insertions(+), 7 deletions(-)
-
-diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
-index 12ac50bcc..efee53c40 100644
---- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
-+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
-@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- 	if logger != nil {
- 		switch v := logger.(type) {
- 		case LeveledLogger:
--			v.Debug("performing request", "method", req.Method, "url", req.URL)
-+			v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
- 		case Logger:
--			v.Printf("[DEBUG] %s %s", req.Method, req.URL)
-+			v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
- 		}
- 	}
- 
-@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- 		if err != nil {
- 			switch v := logger.(type) {
- 			case LeveledLogger:
--				v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
-+				v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
- 			case Logger:
--				v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
-+				v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
- 			}
- 		} else {
- 			// Call this here to maintain the behavior of logging all requests,
-@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- 
- 		wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
- 		if logger != nil {
--			desc := fmt.Sprintf("%s %s", req.Method, req.URL)
-+			desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
- 			if resp != nil {
- 				desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
- 			}
-@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- 	// communicate why
- 	if err == nil {
- 		return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
--			req.Method, req.URL, attempt)
-+			req.Method, redactURL(req.URL), attempt)
- 	}
- 
- 	return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
--		req.Method, req.URL, attempt, err)
-+		req.Method, redactURL(req.URL), attempt, err)
- }
- 
- // Try to read the response body so we can reuse this connection.
-@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
- 		Transport: &RoundTripper{Client: c},
- 	}
- }
-+
-+// Taken from url.URL#Redacted() which was introduced in go 1.15.
-+// We can switch to using it directly if we'll bump the minimum required go version.
-+func redactURL(u *url.URL) string {
-+	if u == nil {
-+		return ""
-+	}
-+
-+	ru := *u
-+	if _, has := ru.User.Password(); has {
-+		ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
-+	}
-+	return ru.String()
-+}
--- 
-2.45.2
-

0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch

@@ -1,134 +0,0 @@
-From 7766adad2e935fcf5fec3ec3b1bb0a0169fdf4c3 Mon Sep 17 00:00:00 2001
-From: Nicola Murino <nicola.murino@gmail.com>
-Date: Wed, 12 Mar 2025 19:54:12 +0530
-Subject: [PATCH] CVE-2025-22869: ssh: limit the size of the internal packet
- queue while waiting for KEX
-
-In the SSH protocol, clients and servers execute the key exchange to
-generate one-time session keys used for encryption and authentication.
-The key exchange is performed initially after the connection is
-established and then periodically after a configurable amount of data.
-While a key exchange is in progress, we add the received packets to an
-internal queue until we receive SSH_MSG_KEXINIT from the other side.
-This can result in high memory usage if the other party is slow to
-respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
-malicious client never responds to an SSH_MSG_KEXINIT packet during a
-large file transfer.
-We now limit the internal queue to 64 packets: this means 2MB with the
-typical 32KB packet size.
-When the internal queue is full we block further writes until the
-pending key exchange is completed or there is a read or write error.
-
-Thanks to Yuichi Watanabe for reporting this issue.
-
-Fixes: CVE-2025-22869
-Bugs: bsc#1239330
-
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
----
- vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
- 1 file changed, 37 insertions(+), 10 deletions(-)
-
-diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
-index 56cdc7c21c3b..a68d20f7f396 100644
---- a/vendor/golang.org/x/crypto/ssh/handshake.go
-+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
-@@ -25,6 +25,11 @@ const debugHandshake = false
- // quickly.
- const chanSize = 16
- 
-+// maxPendingPackets sets the maximum number of packets to queue while waiting
-+// for KEX to complete. This limits the total pending data to maxPendingPackets
-+// * maxPacket bytes, which is ~16.8MB.
-+const maxPendingPackets = 64
-+
- // keyingTransport is a packet based transport that supports key
- // changes. It need not be thread-safe. It should pass through
- // msgNewKeys in both directions.
-@@ -73,11 +78,19 @@ type handshakeTransport struct {
- 	incoming  chan []byte
- 	readError error
- 
--	mu               sync.Mutex
--	writeError       error
--	sentInitPacket   []byte
--	sentInitMsg      *kexInitMsg
--	pendingPackets   [][]byte // Used when a key exchange is in progress.
-+	mu sync.Mutex
-+	// Condition for the above mutex. It is used to notify a completed key
-+	// exchange or a write failure. Writes can wait for this condition while a
-+	// key exchange is in progress.
-+	writeCond      *sync.Cond
-+	writeError     error
-+	sentInitPacket []byte
-+	sentInitMsg    *kexInitMsg
-+	// Used to queue writes when a key exchange is in progress. The length is
-+	// limited by pendingPacketsSize. Once full, writes will block until the key
-+	// exchange is completed or an error occurs. If not empty, it is emptied
-+	// all at once when the key exchange is completed in kexLoop.
-+	pendingPackets   [][]byte
- 	writePacketsLeft uint32
- 	writeBytesLeft   int64
- 
-@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
- 
- 		config: config,
- 	}
-+	t.writeCond = sync.NewCond(&t.mu)
- 	t.resetReadThresholds()
- 	t.resetWriteThresholds()
- 
-@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
- 	defer t.mu.Unlock()
- 	if t.writeError == nil && err != nil {
- 		t.writeError = err
-+		t.writeCond.Broadcast()
- 	}
- }
- 
-@@ -362,6 +377,8 @@ write:
- 			}
- 		}
- 		t.pendingPackets = t.pendingPackets[:0]
-+		// Unblock writePacket if waiting for KEX.
-+		t.writeCond.Broadcast()
- 		t.mu.Unlock()
- 	}
- 
-@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
- 	}
- 
- 	if t.sentInitMsg != nil {
--		// Copy the packet so the writer can reuse the buffer.
--		cp := make([]byte, len(p))
--		copy(cp, p)
--		t.pendingPackets = append(t.pendingPackets, cp)
--		return nil
-+		if len(t.pendingPackets) < maxPendingPackets {
-+			// Copy the packet so the writer can reuse the buffer.
-+			cp := make([]byte, len(p))
-+			copy(cp, p)
-+			t.pendingPackets = append(t.pendingPackets, cp)
-+			return nil
-+		}
-+		for t.sentInitMsg != nil {
-+			// Block and wait for KEX to complete or an error.
-+			t.writeCond.Wait()
-+			if t.writeError != nil {
-+				return t.writeError
-+			}
-+		}
- 	}
- 
- 	if t.writeBytesLeft > 0 {
-@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
- 
- 	if err := t.pushPacket(p); err != nil {
- 		t.writeError = err
-+		t.writeCond.Broadcast()
- 	}
- 
- 	return nil
--- 
-2.46.0
-

0001-Properly-validate-cache-IDs-and-sources.patch

@@ -1,68 +0,0 @@
-From fe456eed5ac0647250fa5249e663ddb236b2adfb Mon Sep 17 00:00:00 2001
-From: Danish Prakash <contact@danishpraka.sh>
-Date: Tue, 15 Oct 2024 22:14:55 +0530
-Subject: [PATCH 1/2] Properly validate cache IDs and sources
-
-The `--mount type=cache` argument to the `RUN` instruction in
-Dockerfiles was using `filepath.Join` on user input, allowing
-crafted paths to be used to gain access to paths on the host,
-when the command should normally be limited only to Buildah;s own
-cache and context directories. Switch to `filepath.SecureJoin` to
-resolve the issue.
-
-Fixes CVE-2024-9675
-
-Signed-off-by: Matt Heon <mheon@redhat.com>
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
----
- .../buildah/internal/volumes/volumes.go       | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
-index da6b768fdc21..610e9fcf11b2 100644
---- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
-+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
-@@ -23,6 +23,7 @@ import (
- 	"github.com/containers/storage/pkg/idtools"
- 	"github.com/containers/storage/pkg/lockfile"
- 	"github.com/containers/storage/pkg/unshare"
-+	digest "github.com/opencontainers/go-digest"
- 	specs "github.com/opencontainers/runtime-spec/specs-go"
- 	selinux "github.com/opencontainers/selinux/go-selinux"
- )
-@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
- 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
- 		}
- 		// path should be /contextDir/specified path
--		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
-+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
-+		if err != nil {
-+			return newMount, nil, err
-+		}
-+		newMount.Source = evaluated
- 	} else {
- 		// we need to create cache on host if no image is being used
- 
-@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
- 		}
- 
- 		if id != "" {
--			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
--			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
-+			// Don't let the user control where we place the directory.
-+			dirID := digest.FromString(id).Encoded()[:16]
-+			newMount.Source = filepath.Join(cacheParent, dirID)
-+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
- 		} else {
--			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
--			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
-+			// Don't let the user control where we place the directory.
-+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
-+			newMount.Source = filepath.Join(cacheParent, dirID)
-+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
- 		}
- 		idPair := idtools.IDPair{
- 			UID: uid,
--- 
-2.46.0
-

0001-remove-appending-rw-as-the-default-mount-option.patch

@@ -1,26 +0,0 @@
-From 31a4b1040e04d711c6863f70561bde234f06f05a Mon Sep 17 00:00:00 2001
-From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
-Date: Mon, 28 Apr 2025 17:40:28 +0530
-Subject: [PATCH] remove appending rw as the default mount option
-
----
- pkg/util/mount_opts.go | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
-index c9a773093e..4e37fd74a0 100644
---- a/pkg/util/mount_opts.go
-+++ b/pkg/util/mount_opts.go
-@@ -191,9 +191,6 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
- 		newOptions = append(newOptions, opt)
- 	}
- 
--	if !foundWrite {
--		newOptions = append(newOptions, "rw")
--	}
- 	if !foundProp {
- 		if recursiveBind {
- 			newOptions = append(newOptions, "rprivate")
--- 
-2.49.0
-

0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch

@@ -1,239 +0,0 @@
-From 006e1387eaf2791d7b9c730b135de9648003c7db Mon Sep 17 00:00:00 2001
-From: Danish Prakash <contact@danishpraka.sh>
-Date: Mon, 21 Oct 2024 11:33:43 +0530
-Subject: [PATCH 2/2] Use securejoin.SecureJoin when forming userns paths
-
-We need to read /etc/passwd and /etc/group in the container to
-get an idea of how many UIDs and GIDs we need to allocate for a
-user namespace when `--userns=auto` is specified. We were forming
-paths for these using filepath.Join, which is not safe for paths
-within a container, resulting in this CVE allowing crafted
-symlinks in the container to access paths on the host instead.
-
-Addresses CVE-2024-9676
-
-Signed-off-by: Matt Heon <mheon@redhat.com>
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
----
- go.mod                                        |  2 +-
- go.sum                                        |  4 +-
- .../github.com/containers/storage/.cirrus.yml |  2 +-
- vendor/github.com/containers/storage/VERSION  |  2 +-
- .../github.com/containers/storage/userns.go   | 87 +++++++++++++------
- .../containers/storage/userns_unsupported.go  | 14 +++
- vendor/modules.txt                            |  2 +-
- 7 files changed, 80 insertions(+), 33 deletions(-)
- create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
-
-diff --git a/go.mod b/go.mod
-index 02d1876148a4..8f049568e0b8 100644
---- a/go.mod
-+++ b/go.mod
-@@ -20,7 +20,7 @@ require (
- 	github.com/containers/libhvee v0.7.1
- 	github.com/containers/ocicrypt v1.2.0
- 	github.com/containers/psgo v1.9.0
--	github.com/containers/storage v1.55.0
-+	github.com/containers/storage v1.55.1
- 	github.com/containers/winquit v1.1.0
- 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
- 	github.com/coreos/stream-metadata-go v0.4.4
-diff --git a/go.sum b/go.sum
-index 60da92454ca2..66795b5b82ad 100644
---- a/go.sum
-+++ b/go.sum
-@@ -97,8 +97,8 @@ github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sir
- github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
- github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
- github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
--github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
--github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
-+github.com/containers/storage v1.55.1 h1:ius7angdTqxO56hmTJnAznyEcUnYeLOV3ybwLozA/h8=
-+github.com/containers/storage v1.55.1/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
- github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE=
- github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8=
- github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
-diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
-index 50b98761694a..49a6e33b7014 100644
---- a/vendor/github.com/containers/storage/.cirrus.yml
-+++ b/vendor/github.com/containers/storage/.cirrus.yml
-@@ -120,7 +120,7 @@ lint_task:
-     env:
-         CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
-     container:
--        image: golang
-+        image: golang:1.21
-     modules_cache:
-         fingerprint_script: cat go.sum
-         folder: $GOPATH/pkg/mod
-diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
-index 094d6ad00ce7..6570a6d0dd76 100644
---- a/vendor/github.com/containers/storage/VERSION
-+++ b/vendor/github.com/containers/storage/VERSION
-@@ -1 +1 @@
--1.55.0
-+1.55.1
-diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
-index 57120731be57..09919394c026 100644
---- a/vendor/github.com/containers/storage/userns.go
-+++ b/vendor/github.com/containers/storage/userns.go
-@@ -1,18 +1,21 @@
-+//go:build linux
-+
- package storage
- 
- import (
- 	"fmt"
- 	"os"
- 	"os/user"
--	"path/filepath"
- 	"strconv"
- 
- 	drivers "github.com/containers/storage/drivers"
- 	"github.com/containers/storage/pkg/idtools"
- 	"github.com/containers/storage/pkg/unshare"
- 	"github.com/containers/storage/types"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	libcontainerUser "github.com/moby/sys/user"
- 	"github.com/sirupsen/logrus"
-+	"golang.org/x/sys/unix"
- )
- 
- // getAdditionalSubIDs looks up the additional IDs configured for
-@@ -85,40 +88,59 @@ const nobodyUser = 65534
- // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
- // /etc/group files.
- func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
-+	var (
-+		passwd *os.File
-+		group  *os.File
-+		size   int
-+		err    error
-+	)
- 	if passwdFile == "" {
--		passwdFile = filepath.Join(containerMount, "etc/passwd")
--	}
--	if groupFile == "" {
--		groupFile = filepath.Join(groupFile, "etc/group")
-+		passwd, err = secureOpen(containerMount, "/etc/passwd")
-+	} else {
-+		// User-specified override from a volume. Will not be in
-+		// container root.
-+		passwd, err = os.Open(passwdFile)
- 	}
--
--	size := 0
--
--	users, err := libcontainerUser.ParsePasswdFile(passwdFile)
- 	if err == nil {
--		for _, u := range users {
--			// Skip the "nobody" user otherwise we end up with 65536
--			// ids with most images
--			if u.Name == "nobody" {
--				continue
--			}
--			if u.Uid > size && u.Uid != nobodyUser {
--				size = u.Uid
--			}
--			if u.Gid > size && u.Gid != nobodyUser {
--				size = u.Gid
-+		defer passwd.Close()
-+
-+		users, err := libcontainerUser.ParsePasswd(passwd)
-+		if err == nil {
-+			for _, u := range users {
-+				// Skip the "nobody" user otherwise we end up with 65536
-+				// ids with most images
-+				if u.Name == "nobody" || u.Name == "nogroup" {
-+					continue
-+				}
-+				if u.Uid > size && u.Uid != nobodyUser {
-+					size = u.Uid + 1
-+				}
-+				if u.Gid > size && u.Gid != nobodyUser {
-+					size = u.Gid + 1
-+				}
- 			}
- 		}
- 	}
- 
--	groups, err := libcontainerUser.ParseGroupFile(groupFile)
-+	if groupFile == "" {
-+		group, err = secureOpen(containerMount, "/etc/group")
-+	} else {
-+		// User-specified override from a volume. Will not be in
-+		// container root.
-+		group, err = os.Open(groupFile)
-+	}
- 	if err == nil {
--		for _, g := range groups {
--			if g.Name == "nobody" {
--				continue
--			}
--			if g.Gid > size && g.Gid != nobodyUser {
--				size = g.Gid
-+		defer group.Close()
-+
-+		groups, err := libcontainerUser.ParseGroup(group)
-+		if err == nil {
-+			for _, g := range groups {
-+				if g.Name == "nobody" || g.Name == "nogroup" {
-+					continue
-+				}
-+				if g.Gid > size && g.Gid != nobodyUser {
-+					size = g.Gid + 1
-+				}
- 			}
- 		}
- 	}
-@@ -309,3 +331,14 @@ func getAutoUserNSIDMappings(
- 	gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
- 	return uidMap, gidMap, nil
- }
-+
-+// Securely open (read-only) a file in a container mount.
-+func secureOpen(containerMount, file string) (*os.File, error) {
-+	tmpFile, err := securejoin.OpenInRoot(containerMount, file)
-+	if err != nil {
-+		return nil, err
-+	}
-+	defer tmpFile.Close()
-+
-+	return securejoin.Reopen(tmpFile, unix.O_RDONLY)
-+}
-diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
-new file mode 100644
-index 000000000000..e37c18fe4381
---- /dev/null
-+++ b/vendor/github.com/containers/storage/userns_unsupported.go
-@@ -0,0 +1,14 @@
-+//go:build !linux
-+
-+package storage
-+
-+import (
-+	"errors"
-+
-+	"github.com/containers/storage/pkg/idtools"
-+	"github.com/containers/storage/types"
-+)
-+
-+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
-+	return nil, nil, errors.New("user namespaces are not supported on this platform")
-+}
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 3d35b8be92d7..c0801a56b979 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -354,7 +354,7 @@ github.com/containers/psgo/internal/dev
- github.com/containers/psgo/internal/host
- github.com/containers/psgo/internal/proc
- github.com/containers/psgo/internal/process
--# github.com/containers/storage v1.55.0
-+# github.com/containers/storage v1.55.1
- ## explicit; go 1.21
- github.com/containers/storage
- github.com/containers/storage/drivers
--- 
-2.46.0
-

_service

@@ -2,7 +2,7 @@
   <service name="obs_scm" mode="manual">
     <param name="url">https://github.com/containers/podman.git</param>
     <param name="scm">git</param>
-    <param name="revision">v5.5.2</param>
+    <param name="revision">v5.6.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/podman.git</param>
-              <param name="changesrevision">e7d8226745ba07a64b7176a7f128e4ef53225a0e</param></service></servicedata>
+              <param name="changesrevision">da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f</param></service></servicedata>

podman-5.1.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1cc6d2195d65f529b4169d96ac8dd20f4a832b314b990eb9faf9588cced425c9
-size 109453838

podman-5.1.2.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:86ae9f9404e0f605de8cb2f056dd61a8929038c4e6eecacb7b5fc903ad4f2471
-size 109458446

podman-5.2.0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:af6c274fbcbd4b432e137f8ca0c43bd638d2a286bd3cb0a2455e05c22bb64a7a
-size 109566478

podman-5.2.2.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1f2e5bd13e4c0ca13561fe124f44c93898450405ef15e93c6cce1d10d24105c2
-size 109693454

podman-5.2.4.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d98c93f568b31cecc530b86cfd0078fb290f72ec0ab61649b63ca4407173a809
-size 109701646

podman-5.2.5.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf70c5e307cda183ed60a3222bea20a5001779f804d65e8d8b508679dd9d9349
-size 109704718

podman-5.3.0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1335489dd8ae33de44593440297cd7d7272c20cc48cbdaf5d95921bebb362ef5
-size 111504910

podman-5.3.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:33b098fc56781b1b963652d353634682b3a0d5d15723b760d931185e7b8ea586
-size 111512078

podman-5.4.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:16be7292e16b91a3d8ee4ad8dd5d1284c3c910c3392fbc8e66186d9be850c6bc
-size 119042062

podman-5.4.2.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:17125ab81f0fdeb56016afdcd332de557dbc829c920f9a122ae1eb54eb629bc2
-size 119047182

podman-5.5.0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:090828d216d40f4744977cd727c9c23fd01f4d94d8432df80b8abea6c587f622
-size 96669198

podman-5.5.2.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:31173b15ee5a17d29af7fa1266eb661bc202007bc74c9adc4fe1001aea9851a8
-size 96685582

podman-5.6.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f8fe13947a65924ea92e867d50912efd827f0ec2432d2faa5d9cdb2941ccb05
+size 94526478

podman.changes

@@ -1,3 +1,392 @@
+-------------------------------------------------------------------
+Mon Sep  1 07:27:55 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Do not recommend apparmor-parser and apparmor-abstractions: if
+  the system is using apparmor, those packages will be present. If
+  the system is selinux enabled, we don't want to recommend those
+  packages just becuase we build support for apparmor into the
+  package.
+
+-------------------------------------------------------------------
+Tue Aug 19 03:52:06 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Remove patch:
+  * 0001-remove-appending-rw-as-the-default-mount-option.patch (merged upstream)
+- Update to version 5.6.0:
+  * Bump to v5.6.0
+  * Update release notes for v5.6.0 final release
+  * [v5.6] Bump Buildah to v1.41.3
+  * [v5.6] Reverse skipped test for 26773
+  * Add a deprecation notice for users of BoltDB
+  * Bump Podman to v5.6.0-dev
+  * Bump to v5.6.0-rc2
+  * Update release notes for v5.6.0-RC2
+  * feat: add Podman artifact support to Go bindings and remote clients
+  * compat: remove deprecated VirtualSize
+  * compat: add shared-size par to GET /images/json
+  * compat: RepoTags and RepoDigest return [] and not null
+  * compat: remove GET /system/df BuilderSize
+  * compat: GET /_ping return Builder-Version: 1
+  * [v5.6] Bump Buildah to v1.41.1
+  * [v5.6] Skip failing Buildah v1.41.1 test
+  * Remove Experimental from Artifacts man pages
+  * [v5.6] Bump c/storage to v1.59.1, c/image 5.36.1, and
+  * Bump Podman to v5.6.0-dev
+  * Bump to v5.6.0-rc1
+  * Add release notes for Podman v5.6.0-rc1
+  * Temp fix for #26680
+  * Update "podman diff container and image with same name" e2e test
+  * API server: drop inherit-labels/annotations for compat builds
+  * buildah-bud tests: handle "-t oci:" and such, skip a new --output
+  * API handler: don't force the SkipUnusedStages flag
+  * API handler: don't force the CompatVolumes flag
+  * API handler: don't force the IdentityLabel flag
+  * Update compat-volumes setting for remotes
+  * Update inherit-labels setting for remotes
+  * pkg/emulation.parseBinfmtMisc(): accept empty "flags" fields
+  * build endpoint: document the "timestamp" flag
+  * remote build: relay more new flags introduced in buildah 1.41
+  * Feat: send additional build contexts for remote builds
+  * Add Buildah build's passwd test helper
+  * Add CLI updates for inherit and unset annotations
+  * Add missing manpages options for Buildah v1.41.0
+  * Bump to Buildah v1.41.0
+  * fix(deps): update module github.com/onsi/gomega to v1.38.0
+  * test/system: add quadlet drop-in regression test for subdirs
+  * Quadlet - fix dropin overwrites if different parent dirs
+  * chore(deps): update dependency golangci/golangci-lint to v2.3.0
+  * added updated state in podman-auto-update.1.md.in
+  * Initial implementation of `podman quadlet` commands
+  * fix(deps): update module github.com/containers/common to v0.64.0
+  * docs: add description about our code structure
+  * fix(deps): update common, image, and storage deps
+  * podman rm: handle case where conmon was killed
+  * podman inspect: fix error difference between local and remote
+  * Update module github.com/containers/storage to v1.59.0
+  * Update module github.com/opencontainers/cgroups to v0.0.4
+  * Fix test that checks for podman exec leaks
+  * Update common, image, and storage deps
+  * volume export: refuse to write to terminal (TTY)
+  * podman auto-update: include container in invalid policy message
+  * Update module github.com/go-viper/mapstructure/v2 to v2.3.0 [SECURITY]
+  * chore(deps): update dependency golangci/golangci-lint to v2.2.2
+  * Maintainers: add Nicola Sella as Reviewer
+  * Maintainers: add Jan Kaluza as Reviewer
+  * Maintainers: add Lewis Roy as Reviewer
+  * fix(deps): update module golang.org/x/net to v0.42.0
+  * fix(deps): update module golang.org/x/crypto to v0.40.0
+  * test/e2e: podman update make env check stricter
+  * pkg/bindings/containers: do not ignore ErrUnexpectedEOF
+  * pkg/bindings/containers: do not create sub slice
+  * pkg/bindings/containers: don't check for short read
+  * Quadlet - add support for the Policy key for .image files
+  * Clarifies error message when using an improperly formatted secret with kube
+  * Fix seccomp profile path on Windows
+  * fix(deps): update module golang.org/x/term to v0.33.0
+  * docs: replace fuse-overlayfs example with additionalimagestore
+  * hack/podman_cleanup_tracer.bt: check map before deleting keys
+  * hack/podman_cleanup_tracer.bt: clamp str size for strcontains()
+  * hack/podman_cleanup_tracer.bt: use new max str lenth
+  * libpod/build: add headers
+  * Update the journalctl function to ignore No entry message
+  * fix(deps): update common, image, and storage deps
+  * [Artifacts] Remove erroneous ArtifactListOptions var ImagePushOptions
+  * [Artifacts] Add note about ArtifactInspectOptions Remote var
+  * Quadlet - print warning when fail to parse
+  * manpages: adds example for podman system renumber
+  * Add basic locking to Libartifact
+  * Fix documentation around checkpoints
+  * cirrus: setup WSL logging
+  * fix(deps): update github.com/containers/image/v5 digest to 3532547
+  * Fix `podman inspect` to correctly handle log_size_max
+  * warn instead of error, lift logic to main.go
+  * Enforce wsl.exe UTF-8 encoded output
+  * WSL commands execution refactoring
+  * Clarify meaning of --syslog
+  * Quadlet - Error when units define User, Group, or DynamicUser in Service group
+  * fix(deps): update common, image, and storage deps
+  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.25.6
+  * Makefile: add Makefile to sources
+  * rpm: add grpcnotrace build tag
+  * Makefile: add grpcnotrace build tag
+  * Add conditional release-checking system test
+  * api: Don't HTML escape application/json responses
+  * update CI images 2025-06-27
+  * chore(deps): update dependency golangci/golangci-lint to v2.2.1
+  * vendor: update c/{common,image,storage} to main
+  * fix new lint errors from the docker update
+  * Quadlet - Do not override existing Environment in Service group for Pod units
+  * vendor: update docker to v28.3.0
+  * pkg/domain/infra/tunnel: ignore error from removeContainer()
+  * libpod: remove deadcode
+  * remove test/framework/framework.go
+  * pkg/util: remove deadcode
+  * remove pkg/util/camelcase
+  * pkg/rootless: remove deadcode
+  * pkg/parallel: remove deadcode
+  * pkg/namespaces: remove deadcode
+  * pkg/machine: remove deadcode
+  * pkg/libartifact: remove deadcode
+  * pkg/fileserver: remove deadcode
+  * pkg/farm: remove deadcode
+  * pkg/errorhandling: remove deadcode
+  * podman images --sort use ChoiceValue flag
+  * pkg/domain: remove deadcode
+  * pkg/bindings: remove deadcode
+  * pkg/api: remove deadcode
+  * remove unused ShouldRestart() code
+  * cmd/podman: remove deadcode
+  * podman images --sort autocomplete options
+  * Update Neil Smith's GitHub username in MAINTAINERS.md
+  * machine: enable nested virt on libkrun by default
+  * pkg/machine/e2e: add CVE-2025-6032 regression test
+  * test/e2e: fix podman run check dns flake
+  * Bump bundled krunkit from 0.2.1 to 0.2.2
+  * Secret create - add ignore option to allow noop
+  * cmd/podman: add --latest option to update #26380
+  * docs: document when a volume is chowned
+  * Refactor `volume import` to support the remote client
+  * update image_fix -> automation_images#407 skip test duo to rawhide know issues
+  * Podman pull - add policy flag
+  * Pod YAML: Add support for `lifecycle.stopSignal`
+  * machine init: fix tls check
+  * update podman-machine-start with examples for --no-info and --quiet
+  * test/e2e: fix "with unsafe hostPath subpaths" test
+  * quadlet: remove indirect logrus import
+  * docs: add three examples to podman-generate-spec man page
+  * fix panic on state refresh
+  * pkg/systemd: expose [Pod] ExitPolicy key for pod create --exit-policy
+  * volumes: add new --uid and --gid option
+  * docs: add an example to podman-secret-rm man page
+  * chore(deps): update dependency pytest to v8.4.1
+  * [CI:DOCS] Tweak Governace slightly
+  * remove .github/workflows/pr-title.yml
+  * remove hack/install_catatonit.sh
+  * Makefile: remove some old files from clean target
+  * remove cni/
+  * remove pkg/timetype
+  * remove contrib/modules-load.d
+  * remove contrib/snapcraft
+  * remove contrib/script/size.sh
+  * remove contrib/remote/containers.conf
+  * remove contrib/dependabot-dance
+  * remove contrib/dependencies.txt
+  * remove contrib/containers-common
+  * Removed the 'Deleted: ' prefix from each example
+  * add more exmples applying current style for each page
+  * docs: add an example to podman-network-rm man page
+  * [CI] Correct ST1005 staticcheck lint rule
+  * docs: add examples to podman-system-migrate man page
+  * Refactor `podman export` to work with the remote client
+  * artifact mount: add new name option to specify filename
+  * Fixes: #26374 add example network connect with mac address
+  * artifact mount: improve single blob behavior
+  * docs: remove bogus markdown heading in podman-ps
+  * Update podman system prune doc
+  * fix 26348: add container diff --latest doc
+  * Add missing --pod examples to podman ps manpage
+  * Move 'Examples' section down in the podman-volume-create man page
+  * fix(ci): add ST1005 linter rule
+  * Add examples of `--all` flag
+  * Manpages: podman machine init add example with --now
+  * Update docs/source/markdown/podman-secret-inspect.1.md
+  * Improve documentation for podman-secret-inspect, closes #26362
+  * Add Craig Loewen to Reviewer role
+  * man pages: Add an example about --no-prune
+  * Manpages: add podman exec missing example of detach option
+  * fix(cmd): improve ValidURL reliability
+  * Bunch of trivial manpage fixes
+  * libpod: log file doesn't need to be executable
+  * libpod: do not dereference nil pointer
+  * libpod: fix file descriptor leak
+  * podman-update: fix EXAMPLES
+  * test: check podman update errors on non-block devices
+  * pkg/specgen: error out when a block device isn't
+  * pkg/specgen: refactor FinishThrottleDevices, WeightDevices
+  * quadlet: handle generate environment params that inherit from host
+  * fix(deps): update module go.etcd.io/bbolt to v1.4.1
+  * make validate-in-container changes
+  * Clarified the consequences of --network=host
+  * podman machine: pull wsl image from machine-os
+  * remove hack/libdm_tag.sh
+  * rpm: build rpm with libsqlite3 tag
+  * Makefile: use libsqlite3 build when possible
+  * Remove bin/podman.cross Make target
+  * Allow generate-bindings on darwin
+  * Update module github.com/go-swagger/go-swagger to v0.32.3
+  * docs: replace RemapUsers=keep-id with UserNS=keep-id
+  * tmpfs: Add support for noatime mount option
+  * fix(deps): update module golang.org/x/net to v0.41.0
+  * pkg/machine: remove unsused net recover file
+  * Revert "podman machine: fix proxy test"
+  * pkg/machine: remove old fw_cfg service
+  * podman machine: fix proxy test
+  * pkg/machine/e2e: skip rosetta test
+  * RPM: Limit Epoch 102 to podman-next copr
+  * quadlet: generate RequiresMountsFor for Type=bind volumes
+  * Make podman.io update action reusable
+  * Skip layer digests for podman system check --quick
+  * test/buildah-bud: skip new build-with-two-outputs on remote
+  * test/buildah-bud: update buildah-tests.diff
+  * Build the `dumpspec` test helper for the `buildah bud` tests
+  * vendor: update buildah to latest main
+  * vendor: update c/{common,image,storage} to latest main
+  * vendor: update github.com/docker/docker to v28.2.2
+  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.10.2
+  * quadlet: add InterfaceName option to network unit
+  * fix wsl install workflow on machine init command
+  * feat: Add OCI Artifact support to the Podman REST API
+  * build: reuse parse.ContainerIgnoreFile from buildah
+  * podman buildx inspect support
+  * chore(deps): update dependency pytest to v8.4.0
+  * test/system: check --dns-option behavior
+  * podman system check: Fix error check logic
+  * libpod: don't force only network search domains
+  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.25.5
+  * update c/common to latest main
+  * play kube: never add empty alias
+  * fix(deps): update github.com/opencontainers/runtime-tools digest to 0ea5ed0
+  * Don't BuildRequires: ostree-devel
+  * Allow not specifying type with --mount flag
+  * Add "dest" as an alias for "destination" in `--mount`
+  * docs: quadlet can translate names now
+  * e2e: ref full URL for aarch64 criu precheckpoint issues
+  * specgen/generate: Fix log tag priority
+  * e2e: skip pre-checkpoint tests on aarch64
+  * Handle "Entrypoint":[] in compat containers/create API.
+  * system df --verbose don't crash
+  * Fix SQLite volume lookup queries matching too liberally
+  * vendor: update c/{buildah,common,image,storage} to main
+  * Recreate the Rootfs in mountStorage for infra-container.
+  * test: fix race conditions in /dev/kmsg tests
+  * Fix overlay volumes on Windows
+  * chore(deps): update dependency setuptools to ~=80.9.0
+  * libpod: Don't exclude running deps from the container graph inputs
+  * compat API: respect base_hosts_file containers.conf option
+  * Trigger podman.io version bump from release action
+  * Packit: remove propose-downstream for centos stream
+  * Packit: use fedora-all alias for tests
+  * Disable the tests for rootless pods
+  * Support --cpuset-<cpus/mems> in podman kube play
+  * pkg/machine: don't use dummy linger service
+  * pkg/machine: correctly enable lingering
+  * Update expected output for a machine copy test
+  * Replace alpine_nginx with TESTIMAGE in e2e tests
+  * Support '$FOCUS' env variable on winmake too
+  * pre-commit: exclude rpm/gating.yaml from check-yaml
+  * lint: Fix linter issues on TMT files
+  * Update release notes on main
+  * fix CONTRIBUTING to say reference issue number 'or' url
+  * compat: fix Container State.Status JSON values
+  * chore(deps): update dependency setuptools to ~=80.8.0
+  * libpod: fix mount order for "/" volume
+  * Update RELEASE_PROCESS.md
+  * github: remove fcos next image workflow
+  * [skip-ci] Packit: set fedora-all after F40 EOL
+  * test/e2e: do not check dns.podman
+  * compat: Add DefaultAddressPools field to GET /info
+  * Be explicit about ssh configs suitable only for localhost
+  * compat: Add CgroupnsMode to POST /containers/create
+  * Update dependency setuptools to ~=80.7.1
+  * docs: drop --pre-checkpoint requirement
+  * podman: remember hooks-dir on restarts
+  * GHA Release: Fix windows installer uploads
+  * Revert "GHA: Pin Go to 1.24.2"
+  * fix macos compile issue with go 1.24.3
+  * Packit: disable OpenScanHub scans
+  * GHA: Pin Go to 1.24.2
+  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.10.1
+  * fix issues found by nilness
+  * Bump bundled krunkit to 0.2.1
+  * chore(deps): update dependency setuptools to ~=80.4.0
+  * chore(deps): update dependency docker to v7
+  * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.5
+  * fix(deps): update module github.com/crc-org/vfkit to v0.6.1
+  * fix(deps): update module github.com/containernetworking/plugins to v1.7.1
+  * Fix: Use SIGKILL instead of SIGTERM when ExecStopContainer timeout is 0
+  * Fix: Ensure HealthCheck exec session terminates on timeout
+  * [skip-ci] Tighten version match
+  * Quadlet - Update the docs to reflect the default naming of resources
+  * Revert "Quadlet - fix pod name to depend on the name of the generate service"
+  * Fix a shellcheck warning about word splitting
+  * fix(deps): update module github.com/vishvananda/netlink to v1.3.1
+  * Fix parsing of paths for unmask
+  * Take path for wsl instead of forcing through WindowsApps
+  * fix(deps): update module golang.org/x/net to v0.40.0
+  * Update win-installer github job for arm64
+  * Build windows arm64 artifacts
+  * Fix windows arm64 installer build
+  * README.md: add openssf passing badge
+  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.6
+  * Update podman-secret-create.1.md
+  * Quadlet - fix pod name to depend on the name of the generate service
+  * fix(deps): update module golang.org/x/crypto to v0.38.0
+  * Verify the ExecSession pid before killing it.
+  * fix(deps): update module golang.org/x/term to v0.32.0
+  * fix(deps): update github.com/vishvananda/netlink digest to 9d88d83
+  * fix(deps): update module golang.org/x/sys to v0.33.0
+  * fix(deps): update module golang.org/x/sync to v0.14.0
+  * docs: fix markdown format
+  * chore(deps): update dependency golangci/golangci-lint to v2.1.6
+  * chore(deps): update dependency setuptools to ~=80.2.0
+  * Automatically bump to -dev after tag
+  * Update winmake.ps1 to build arm64 artifacts
+  * [skip-ci] TMT: system tests
+  * pkg/machinie: use TZ env for reading local timezone
+  * pkg/machine: rework getLocalTimeZone on linux
+  * pkg/machine: properly setup zoneinfo symlink
+  * pkg/machine: do not add broken localtime symlink
+  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.10.0
+  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.25.4
+  * fix(deps): update github.com/hugelgupf/p9 digest to abc96d2
+  * chore(deps): update dependency setuptools to ~=80.1.0
+  * pkg/signal: ignore SIGTOP for signal proxy
+  * pkg/signal: rework CatchAll() behavior
+  * sigproxy: ignore if container already removed
+  * ci: Load null_blk for I/O limit tests
+  * test/e2e: Use nullb0 for IO limit tests
+  * test/system: Use correct device for I/O limit tests
+  * inspect: Ignore character devices for IO limits
+  * Do not error on tz detection
+  * Stop setting btrfs_noversion build tag
+  * Remove providers checks from the Windows Installer
+  * Quadlet - remove the usage of cid and podid for container and pod files
+  * Fix running machines with volumes containing spaces
+  * Makefile: move some Go-related variable definitions up
+  * Handle signal preventing Start from completing
+  * Build documentation in a container on Win arm64
+  * Fix mach os pr release action
+  * bump main to 5.6-dev
+  * pkg/bindings: wrap image push decode error
+  * pkg/bindings: fix infinite loop/memory leak in image pull
+  * Update "check.c" to be C23 compliant
+  * feat: Add support for configuring swap in Podman machine
+  * fix(deps): update module github.com/opencontainers/cgroups to v0.0.2
+  * Quadlet - use helper function to initialize service struct
+  * Fix logging podman machine server9 output
+  * OWNERS: Fix Github handle
+  * Fix handling of "r_limits" in Podman REST API /libpod/containers/create
+  * chore(deps): update dependency setuptools to v80
+  * bug: Correct Docker compat REST API image delete endpoint
+  * update podman socket output to include also exposed ports
+  * Disable FS mount in volume only test
+  * Added tests for inheritlabel fix
+  * Fix: inheritlabels=true if query param absent
+  * Add Mohan Boddu as community manager
+  * chore(deps): update dependency golangci/golangci-lint to v2.1.5
+  * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.7
+  * Quadlet - use helper function for handling key=val type keys
+  * Add Label to quadlet pod
+  * podman start: remove container if needed
+  * remote: don't print bogus error when starting container attached
+  * [skip-ci] Packit: do not merge PR in CI
+  * [skip-ci] Packit: re-enable fedora-41 targets
+  * hack/bats: Pass --tap (-t) option to bats
+  * hack/bats: Fix to allow multiple tests
+  * Fix: Remove appending rw as the default mount option
+  * hack/bats: Allow specifying PODMAN_ROOTLESS_USER
+  * libpod: fix a confusing error message from 'podman system reset' on FreeBSD
+
 -------------------------------------------------------------------
 Wed Jun 25 04:50:07 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

podman.obsinfo

@@ -1,4 +1,4 @@
 name: podman
-version: 5.5.2
-mtime: 1750776105
-commit: e7d8226745ba07a64b7176a7f128e4ef53225a0e
+version: 5.6.0
+mtime: 1755265355
+commit: da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f

podman.spec

@@ -22,7 +22,7 @@
 %bcond_without  apparmor
 
 Name:           podman
-Version:        5.5.2
+Version:        5.6.0
 Release:        0
 Summary:        Daemon-less container engine for managing containers, pods and images
 License:        Apache-2.0
@@ -30,7 +30,6 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
-Patch1:         0001-remove-appending-rw-as-the-default-mount-option.patch
 BuildRequires:  man
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
@@ -53,10 +52,6 @@ BuildRequires:  golang(API) >= 1.23
 BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
-%if %{with apparmor}
-Recommends:     apparmor-abstractions
-Recommends:     apparmor-parser
-%endif
 # requirement for `podman machine`
 Recommends:     gvisor-tap-vsock
 Requires:       catatonit >= 0.1.7