- add compatibility %buildroot definition

- backport unshare fix from upstream

OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=679

macrosin.diff

@@ -1,6 +1,16 @@
---- macros.in.orig	2024-12-16 09:16:20.616343895 +0000
+--- macros.in.orig	2024-12-16 12:48:44.110837972 +0000
-+++ macros.in	2024-12-16 09:16:24.676335428 +0000
++++ macros.in	2024-12-16 12:52:32.014378635 +0000
-@@ -163,6 +163,7 @@
+@@ -118,6 +118,9 @@
+ #	The directory where sources/patches will be unpacked and built.
+ %_builddir		%{_topdir}/BUILD
+ 
++#	The build root where built files will be installed into
++%buildroot		%{_builddir}/%{NAME}-%{VERSION}-%{_arch}/BUILDROOT
++
+ #	The interpreter used for build scriptlets.
+ %_buildshell		/bin/sh
+ 
+@@ -163,6 +166,7 @@
      %{?_unique_debug_names:--unique-debug-suffix "-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
      %{?_unique_debug_srcs:--unique-debug-src-base "%{name}-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
      %{?_find_debuginfo_dwz_opts} \\\
@@ -8,7 +18,7 @@
      %{?_find_debuginfo_opts} \\\
      %{?_debugsource_packages:-S debugsourcefiles.list} \\\
      "%{builddir}/%{?buildsubdir}"\
-@@ -216,7 +217,8 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -216,7 +220,8 @@ Supplements:   (%{name} = %{version}-%{r
  %files langpack-%{1}\
  %{nil}
  
@@ -18,7 +28,7 @@
  %_defaultlicensedir	%{_datadir}/licenses
  
  # Following macros for filtering auto deps must not be used in spec files.
-@@ -275,7 +277,8 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -275,7 +280,8 @@ Supplements:   (%{name} = %{version}-%{r
  %_tmppath		%{_var}/tmp
  
  #	Path to top of build area.
@@ -28,7 +38,7 @@
  
  #==============================================================================
  # ---- Optional rpmrc macros.
-@@ -366,7 +369,7 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -366,7 +372,7 @@ Supplements:   (%{name} = %{version}-%{r
  #		"w.ufdio"	uncompressed
  #
  #%_source_payload	w9.gzdio
@@ -37,7 +47,7 @@
  
  #	Algorithm to use for generating file checksum digests on build.
  #	If not specified or 0, MD5 is used.
-@@ -476,6 +479,19 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -476,6 +482,19 @@ Supplements:   (%{name} = %{version}-%{r
  #
  #%_include_minidebuginfo	1
  
@@ -57,7 +67,7 @@
  #
  # Include a .gdb_index section in the .debug files.
  # Requires _enable_debug_packages and gdb-add-index installed.
-@@ -508,39 +524,39 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -508,39 +527,39 @@ Supplements:   (%{name} = %{version}-%{r
  #   Same as for "separate" but if the __debug_package global is set then
  #   the -debuginfo package will have a compatibility link for the main
  #   ELF /usr/lib/debug/.build-id/xx/yyy -> /usr/lib/.build-id/xx/yyy
@@ -104,7 +114,7 @@
  
  #
  # Use internal dependency generator rather than external helpers?
-@@ -559,6 +575,7 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -559,6 +578,7 @@ Supplements:   (%{name} = %{version}-%{r
  %__find_requires	%{_rpmconfigdir}/find-requires
  #%__find_conflicts	???
  #%__find_obsoletes	???
@@ -112,7 +122,7 @@
  
  # 
  # Path to file attribute classifications for automatic dependency 
-@@ -980,7 +997,7 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -980,7 +1000,7 @@ Supplements:   (%{name} = %{version}-%{r
  %_build_vendor		%{_host_vendor}
  %_build_os		%{_host_os}
  %_host			@host@
@@ -121,7 +131,7 @@
  %_host_cpu		@host_cpu@
  %_host_vendor		@host_vendor@
  %_host_os		@host_os@
-@@ -1105,11 +1122,13 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -1105,11 +1125,13 @@ Supplements:   (%{name} = %{version}-%{r
  
  #------------------------------------------------------------------------------
  # arch macro for all supported 32-bit ARM processors

rpm-rpmlintrc

@@ -1 +0,0 @@
-addFilter("file-contains-buildroot")	# until rpmlint is fixed

rpm.changes

@@ -23,6 +23,9 @@ Mon Dec 16 11:55:23 CET 2024 - mls@suse.de
   * auto-config-update-aarch64-ppc64le.diff
   * 0002-log-build-time-if-it-is-set-from-SOURCE_DATE_EPOCH.patch
   * 0003-Error-out-on-a-missing-changelog-date.patch
+- add compatibility %buildroot definition
+- backport unshare fix from upstream
+  * new patch: unshare.diff
 
 -------------------------------------------------------------------
 Mon Nov 11 08:43:56 UTC 2024 - Michal Suchanek <msuchanek@suse.de>

rpm.spec

@@ -65,7 +65,6 @@ URL:            https://rpm.org/
 Source:         https://ftp.osuosl.org/pub/rpm/releases/rpm-4.19.x/rpm-%{version}.tar.bz2
 #Git-Clone:     https://github.com/rpm-software-management/rpmpgp_legacy
 Source1:        rpmpgp_legacy-1.0.tar.gz
-Source2:        rpm-rpmlintrc
 Source5:        rpmsort
 Source8:        rpmconfigcheck
 Source9:        sysconfig.services-rpm
@@ -120,6 +119,7 @@ Patch139:       cmake_python_version.diff
 Patch140:       0001-Add-option-to-set-mtime-of-files-in-rpms.patch
 Patch141:       0002-log-build-time-if-it-is-set-from-SOURCE_DATE_EPOCH.patch
 Patch142:       0003-Error-out-on-a-missing-changelog-date.patch
+Patch150:       unshare.diff
 Patch6464:      auto-config-update-aarch64-ppc64le.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
@@ -234,6 +234,7 @@ rm -rf sqlite
 %patch -P 140
 %endif
 %patch -P 141 -P 142
+%patch -P 150
 
 %ifarch aarch64 ppc64le riscv64
 %patch -P 6464

unshare.diff

@@ -0,0 +1,51 @@
+--- docs/man/rpm-plugin-unshare.8.md.orig	2024-10-07 09:35:46.000000000 +0000
++++ docs/man/rpm-plugin-unshare.8.md	2024-12-16 12:57:40.781754250 +0000
+@@ -27,6 +27,11 @@ This plugin implements the following con
+     execution. Typical examples would be `/tmp` to protect against
+     insecure temporary file usage inside scriptlets, and `/home` to
+     prevent scriptlets from accessing user home directories.
++    When path unsharing is enabled, any mounts made from scriptlets
++    are also private to the scriptlet (and vice versa, mount changes
++    on the host are not visible to the scriptlet).
++
++    Private mounts in chroot-operations is unimplemented.
+ 
+ `%__transaction_unshare_nonet`
+ 
+--- plugins/unshare.c.orig	2024-10-07 09:35:46.000000000 +0000
++++ plugins/unshare.c	2024-12-16 12:57:40.781754250 +0000
+@@ -19,8 +19,18 @@ static rpmRC unshare_init(rpmPlugin plug
+ {
+     char *paths = rpmExpand("%{?__transaction_unshare_paths}", NULL);
+     private_mounts = argvSplitString(paths, ":", ARGV_SKIPEMPTY);
+-    if (private_mounts)
+-	unshare_flags |= CLONE_NEWNS;
++    if (private_mounts) {
++	/*
++	 * Changing mount propagation from inside a chroot fails if the root
++	 * is not also a mount point, disable for now.
++	 */
++	if (strcmp(rpmtsRootDir(ts), "/")) {
++	    rpmlog(RPMLOG_WARNING,
++			"private mounts in chroot not implemented\n");
++	} else {
++	    unshare_flags |= CLONE_NEWNS;
++	}
++    }
+     free(paths);
+ 
+     if (rpmExpandNumeric("%{?__transaction_unshare_nonet}"))
+@@ -47,9 +57,10 @@ static rpmRC unshare_scriptlet_fork_post
+ 	goto exit;
+     }
+ 
+-    if (private_mounts) {
+-	if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
+-	    rpmlog(RPMLOG_ERR, _("failed to mount private %s: %s\n"),
++    if (unshare_flags & CLONE_NEWNS) {
++	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
++	    rpmlog(RPMLOG_ERR,
++		    _("failed to change mount propagation %s: %s\n"),
+ 		    "/", strerror(errno));
+ 	    goto exit;
+ 	}