Merge pull request 'Synchronize lastrevision' (#8) from mczernek/venv-salt-minion:sync-next into bundle_next

Reviewed-on: #8
Reviewed-by: Pablo Suárez Hernández <psuarezhernandez@noreply.src.opensuse.org>

_lastrevision

@@ -1 +1 @@
-3084db7285ade6f5552ea3e79c11d57a17a6b529
+caf4f89b94862f9ebec043b120b3bc57b3981dd2

add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch

@@ -0,0 +1,26 @@
+From ea87110248948eb61628cda607ae1af34e83fdfe Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Wed, 1 Oct 2025 14:19:27 +0200
+Subject: [PATCH] Add python3.11 as preferable for salt-ssh to avoid
+ tests fails
+
+---
+ salt/client/ssh/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
+index 1d8426b7c2..bfb7d3d1d1 100644
+--- a/salt/client/ssh/__init__.py
++++ b/salt/client/ssh/__init__.py
+@@ -157,7 +157,7 @@ SSH_PY_CODE='import base64;
+ if [ -n "$DEBUG" ]
+     then set -x
+ fi
+-PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
++PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3.11 python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+ for py_cmd in $PYTHON_CMDS
+ do
+     if command -v "$py_cmd" >/dev/null 2>&1 && "$py_cmd" -c "import sys; sys.exit(not (sys.version_info >= (2, 6)));"
+-- 
+2.51.0
+

allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch

@@ -0,0 +1,76 @@
+From 6a57e821f3e16981c01078dc7e928672a6f77b88 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Mon, 6 Oct 2025 09:34:17 +0100
+Subject: [PATCH] Allow libgit2 to guess sysdir homedir successfully
+ (bsc#1250520) (bsc#1227207) (#731)
+
+* Allow libgit2 to guess sysdir homedir successfully
+
+This prevents the generic error:
+
+_pygit2.GitError: error loading known_hosts:
+
+which is happening in certain pygit2/libgit2 versions
+
+* Fix pygit2 unit test to check HOME is injected
+---
+ salt/utils/gitfs.py                    | 19 ++++++++++++-------
+ tests/pytests/unit/utils/test_gitfs.py |  4 +++-
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/salt/utils/gitfs.py b/salt/utils/gitfs.py
+index 2a8ecf1d0cb..d597c17b870 100644
+--- a/salt/utils/gitfs.py
++++ b/salt/utils/gitfs.py
+@@ -110,6 +110,15 @@ try:
+ 
+     with warnings.catch_warnings():
+         warnings.simplefilter("ignore")
++        if "HOME" not in os.environ:
++            # Make sure $HOME env variable is set before importing pygit2 to prevent
++            # _pygit2.GitError: error loading known_hosts in some libgit2 versions.
++            # The internal "git_sysdir__dirs" from libgit2, is initializated
++            # when importing pygit2. The $HOME env must be present to allow libgit2
++            # guessing function to successfully set the homedir in the initializated
++            # libgit2 stack.
++            # https://github.com/saltstack/salt/issues/64121
++            os.environ["HOME"] = os.path.expanduser("~")
+         import pygit2
+     PYGIT2_VERSION = Version(pygit2.__version__)
+     LIBGIT2_VERSION = Version(pygit2.LIBGIT2_VERSION)
+@@ -1890,13 +1899,9 @@ class Pygit2(GitProvider):
+         """
+         # https://github.com/libgit2/pygit2/issues/339
+         # https://github.com/libgit2/libgit2/issues/2122
+-        # https://github.com/saltstack/salt/issues/64121
+-        home = os.path.expanduser("~")
+-        if "HOME" not in os.environ:
+-            # Make sure $HOME env variable is set to prevent
+-            # _pygit2.GitError: error loading known_hosts in some libgit2 versions.
+-            os.environ["HOME"] = home
+-        pygit2.settings.search_path[pygit2.GIT_CONFIG_LEVEL_GLOBAL] = home
++        pygit2.settings.search_path[pygit2.GIT_CONFIG_LEVEL_GLOBAL] = (
++            os.path.expanduser("~")
++        )
+         new = False
+         if not os.listdir(self._cachedir):
+             # Repo cachedir is empty, initialize a new repo there
+diff --git a/tests/pytests/unit/utils/test_gitfs.py b/tests/pytests/unit/utils/test_gitfs.py
+index baedd9fd708..4ab8e7735f0 100644
+--- a/tests/pytests/unit/utils/test_gitfs.py
++++ b/tests/pytests/unit/utils/test_gitfs.py
+@@ -251,7 +251,9 @@ def test_checkout_pygit2_with_home_env_unset(_prepare_provider):
+     provider.credentials = None
+     with patched_environ(__cleanup__=["HOME"]):
+         assert "HOME" not in os.environ
+-        provider.init_remote()
++        import importlib
++
++        importlib.reload(salt.utils.gitfs)
+         assert "HOME" in os.environ
+ 
+ 
+-- 
+2.51.0
+

do-not-break-signature-verification-on-latest-m2cryp.patch

@@ -0,0 +1,36 @@
+From 002a58144563a15034f982b19ba851326535570a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Wed, 29 Oct 2025 10:30:58 +0000
+Subject: [PATCH] Do not break signature verification on latest
+ M2Crypto versions (bsc#1251776)
+
+---
+ salt/crypt.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/salt/crypt.py b/salt/crypt.py
+index 981f633d51f..29fd159b48c 100644
+--- a/salt/crypt.py
++++ b/salt/crypt.py
+@@ -243,7 +243,7 @@ def sign_message(privkey_path, message, passphrase=None):
+         md = EVP.MessageDigest("sha1")
+         md.update(salt.utils.stringutils.to_bytes(message))
+         digest = md.final()
+-        return key.sign(digest)
++        return key.sign(digest, algo="sha1")
+     else:
+         signer = PKCS1_v1_5.new(key)
+         return signer.sign(SHA.new(salt.utils.stringutils.to_bytes(message)))
+@@ -262,7 +262,7 @@ def verify_signature(pubkey_path, message, signature):
+         md.update(salt.utils.stringutils.to_bytes(message))
+         digest = md.final()
+         try:
+-            return pubkey.verify(digest, signature)
++            return pubkey.verify(digest, signature, algo="sha1")
+         except RSA.RSAError as exc:
+             log.debug("Signature verification failed: %s", exc.args[0])
+             return False
+-- 
+2.51.1
+

even-more-reliable-pillar-timeout-test.patch

@@ -0,0 +1,65 @@
+From dc3027bab4925228cacde00ae626bf651d0a0c3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Wed, 17 Sep 2025 09:56:44 +0200
+Subject: [PATCH] Even more reliable pillar timeout test
+
+* Even more reliable pillar timeout test
+
+* Use sys.executable on test_pillar_timeout test
+
+---------
+
+Co-authored-by: Daniel A. Wozniak <dwozniak@vmware.com>
+---
+ .../integration/minion/test_return_retries.py  | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/tests/pytests/integration/minion/test_return_retries.py b/tests/pytests/integration/minion/test_return_retries.py
+index 45dea9c4c76..9b71bed58c5 100644
+--- a/tests/pytests/integration/minion/test_return_retries.py
++++ b/tests/pytests/integration/minion/test_return_retries.py
+@@ -5,6 +5,7 @@ import pytest
+ from saltfactories.utils import random_string
+ 
+ from tests.support.helpers import dedent
++import salt.utils.files
+ 
+ 
+ @pytest.fixture(scope="function")
+@@ -57,14 +58,13 @@ def test_publish_retry(salt_master, salt_minion_retry, salt_cli, salt_run_cli):
+ 
+ @pytest.mark.slow_test
+ @pytest.mark.flaky(max_runs=4)
+-def test_pillar_timeout(salt_master_factory):
+-    cmd = (
+-        sys.executable
+-        + ' -c "import time; time.sleep(4.8); print(\'{\\"foo\\": \\"bar\\"}\');"'
+-    ).strip()
++def test_pillar_timeout(salt_master_factory, tmp_path):
++    with salt.utils.files.fopen(tmp_path / "script.py", "w") as fp:
++        fp.write('print(\'{"foo": "bar"}\');\n')
++
+     master_overrides = {
+         "ext_pillar": [
+-            {"cmd_json": cmd},
++            {"cmd_json": f"{sys.executable} {tmp_path / 'script.py'}"},
+         ],
+         "auto_accept": True,
+         "worker_threads": 3,
+@@ -110,7 +110,11 @@ def test_pillar_timeout(salt_master_factory):
+     sls_tempfile = master.state_tree.base.temp_file(
+         "{}.sls".format(sls_name), sls_contents
+     )
+-    with master.started(), minion1.started(), minion2.started(), minion3.started(), minion4.started(), sls_tempfile:
++    with master.started(), minion1.started(), minion2.started(), minion3.started(), minion4.started(), (
++        sls_tempfile
++    ):
++        with salt.utils.files.fopen(tmp_path / "script.py", "w") as fp:
++            fp.write('import time; time.sleep(6); print(\'{"foo": "bang"}\');\n')
+         proc = cli.run("state.sls", sls_name, minion_tgt="*")
+         # At least one minion should have a Pillar timeout
+         print(proc)
+-- 
+2.51.0
+

fix-tls-and-x509-modules-for-older-cryptography-modu.patch

@@ -0,0 +1,290 @@
+From 7f15657c26c4e5e9fabc72f4da2d9a91353d5d3a Mon Sep 17 00:00:00 2001
+From: Marek Czernek <marek.czernek@suse.com>
+Date: Tue, 11 Nov 2025 08:46:20 +0100
+Subject: [PATCH] Fix tls and x509 modules for older cryptography
+ module (#737)
+
+---
+ salt/modules/tls.py  |  73 +++++++++++++++++-------
+ salt/modules/x509.py | 128 +++++++++++++++++++++++++++++++++++--------
+ 2 files changed, 158 insertions(+), 43 deletions(-)
+
+diff --git a/salt/modules/tls.py b/salt/modules/tls.py
+index 9d29bd1e9b..4d7db87f93 100644
+--- a/salt/modules/tls.py
++++ b/salt/modules/tls.py
+@@ -104,6 +104,7 @@ import logging
+ import math
+ import os
+ import re
++import sys
+ import time
+ from datetime import datetime
+ 
+@@ -1594,6 +1595,9 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+ 
+         salt '*' tls.create_pkcs12 test localhost
+     """
++    # Necessary for OSes with older cryptography module
++    compat_mode = sys.version_info < (3,12)
++
+     set_ca_path(cacert_path)
+     p12_path = f"{cert_base_path()}/{ca_name}/certs/{CN}.p12"
+     ca_cert_path = f"{cert_base_path()}/{ca_name}/{ca_name}_ca_cert.crt"
+@@ -1605,7 +1609,12 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+ 
+     try:
+         with salt.utils.files.fopen(ca_cert_path, "rb") as fhr:
+-            ca_cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
++            if compat_mode:
++                ca_cert = OpenSSL.crypto.load_certificate(
++                    OpenSSL.crypto.FILETYPE_PEM, fhr.read()
++                )
++            else:
++                ca_cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+     except OSError:
+         return 'There is no CA named "{}"'.format(ca_name)
+     except ValueError as e:
+@@ -1613,34 +1622,58 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+ 
+     try:
+         with salt.utils.files.fopen(cert_path, "rb") as fhr:
+-            cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
++            if compat_mode:
++                cert = OpenSSL.crypto.load_certificate(
++                    OpenSSL.crypto.FILETYPE_PEM, fhr.read()
++                )
++            else:
++                cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+         with salt.utils.files.fopen(priv_key_path, "rb") as fhr:
+-            key = cryptography_serialization.load_pem_private_key(
+-                fhr.read(),
+-                password=None,
+-            )
++            if compat_mode:
++                key = OpenSSL.crypto.load_privatekey(
++                    OpenSSL.crypto.FILETYPE_PEM, fhr.read()
++                )
++            else:
++                key = cryptography_serialization.load_pem_private_key(
++                    fhr.read(),
++                    password=None,
++                )
+     except OSError:
+         return 'There is no certificate that matches the CN "{}"'.format(CN)
+     except ValueError as e:
+         return f'Could not load certificate {cert_path}: {e}'
+ 
+-    if passphrase:
+-        encryption_algorithm = cryptography_serialization.BestAvailableEncryption(
+-            salt.utils.stringutils.to_bytes(passphrase)
+-        )
++    if compat_mode:
++        pkcs12 = OpenSSL.crypto.PKCS12()
++
++        pkcs12.set_certificate(cert)
++        pkcs12.set_ca_certificates([ca_cert])
++        pkcs12.set_privatekey(key)
++
++        with salt.utils.files.fopen(
++            "{}/{}/certs/{}.p12".format(cert_base_path(), ca_name, CN), "wb"
++        ) as ofile:
++            ofile.write(
++                pkcs12.export(passphrase=salt.utils.stringutils.to_bytes(passphrase))
++            )
+     else:
+-        encryption_algorithm = cryptography_serialization.NoEncryption()
++        if passphrase:
++            encryption_algorithm = cryptography_serialization.BestAvailableEncryption(
++                salt.utils.stringutils.to_bytes(passphrase)
++            )
++        else:
++            encryption_algorithm = cryptography_serialization.NoEncryption()
+ 
+-    pkcs12 = cryptography_pkcs12.serialize_key_and_certificates(
+-        name=salt.utils.stringutils.to_bytes(CN),
+-        key=key,
+-        cert=cert,
+-        cas=[ca_cert],
+-        encryption_algorithm=encryption_algorithm,
+-    )
++        pkcs12 = cryptography_pkcs12.serialize_key_and_certificates(
++            name=salt.utils.stringutils.to_bytes(CN),
++            key=key,
++            cert=cert,
++            cas=[ca_cert],
++            encryption_algorithm=encryption_algorithm,
++        )
+ 
+-    with salt.utils.files.fopen(p12_path, "wb") as ofile:
+-        ofile.write(pkcs12)
++        with salt.utils.files.fopen(p12_path, "wb") as ofile:
++            ofile.write(pkcs12)
+ 
+     return 'Created PKCS#12 Certificate for "{0}": "{1}/{2}/certs/{0}.p12"'.format(
+         CN,
+diff --git a/salt/modules/x509.py b/salt/modules/x509.py
+index 164541fc76..373e394856 100644
+--- a/salt/modules/x509.py
++++ b/salt/modules/x509.py
+@@ -32,16 +32,20 @@ import tempfile
+ 
+ import salt.exceptions
+ import salt.utils.data
+-import salt.utils.dictupdate
+ import salt.utils.files
+ import salt.utils.path
+ import salt.utils.platform
+ import salt.utils.stringutils
+ import salt.utils.versions
+-import salt.utils.x509 as x509util
+ from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS
+ from salt.utils.odict import OrderedDict
+ 
++# Necessary for OSes with older cryptography module
++COMPAT_MODE = sys.version_info < (3,12)
++if not COMPAT_MODE:
++    import salt.utils.dictupdate
++    import salt.utils.x509 as x509util
++
+ try:
+     import M2Crypto
+ 
+@@ -988,35 +992,113 @@ def create_crl(
+ 
+     if revoked is None:
+         revoked = []
++    if COMPAT_MODE:
++        crl = OpenSSL.crypto.CRL()
++        for rev_item in revoked:
++            if "certificate" in rev_item:
++                rev_cert = read_certificate(rev_item["certificate"])
++                rev_item["serial_number"] = rev_cert["Serial Number"]
++                rev_item["not_after"] = rev_cert["Not After"]
+ 
+-    for rev_item in revoked:
+-        if "reason" in rev_item:
+-            salt.utils.dictupdate.set_dict_key_value(
+-                rev_item, "extensions:CRLReason", rev_item["reason"]
++            serial_number = rev_item["serial_number"].replace(":", "")
++            # OpenSSL bindings requires this to be a non-unicode string
++            serial_number = salt.utils.stringutils.to_bytes(serial_number)
++
++            if "not_after" in rev_item and not include_expired:
++                not_after = datetime.datetime.strptime(
++                    rev_item["not_after"], "%Y-%m-%d %H:%M:%S"
++                )
++                if datetime.datetime.now() > not_after:
++                    continue
++
++            if "revocation_date" not in rev_item:
++                rev_item["revocation_date"] = datetime.datetime.now().strftime(
++                    "%Y-%m-%d %H:%M:%S"
++                )
++
++            rev_date = datetime.datetime.strptime(
++                rev_item["revocation_date"], "%Y-%m-%d %H:%M:%S"
+             )
++            rev_date = rev_date.strftime("%Y%m%d%H%M%SZ")
++            rev_date = salt.utils.stringutils.to_bytes(rev_date)
+ 
+-    builder, private_key_obj = x509util.build_crl(
+-        signing_private_key=signing_private_key,
+-        signing_private_key_passphrase=signing_private_key_passphrase,
+-        include_expired=include_expired,
+-        revoked=revoked,
+-        signing_cert=signing_cert,
+-        days_valid=days_valid,
+-    )
++            rev = OpenSSL.crypto.Revoked()
++            rev.set_serial(salt.utils.stringutils.to_bytes(serial_number))
++            rev.set_rev_date(salt.utils.stringutils.to_bytes(rev_date))
++
++            if "reason" in rev_item:
++                # Same here for OpenSSL bindings and non-unicode strings
++                reason = salt.utils.stringutils.to_bytes(rev_item["reason"])
++                rev.set_reason(reason)
++
++            crl.add_revoked(rev)
++
++        signing_cert = _text_or_file(signing_cert)
++        cert = OpenSSL.crypto.load_certificate(
++            OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_cert, pem_type="CERTIFICATE")
++        )
++        signing_private_key = _get_private_key_obj(
++            signing_private_key, passphrase=signing_private_key_passphrase
++        ).as_pem(cipher=None)
++        key = OpenSSL.crypto.load_privatekey(
++            OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_private_key)
++        )
++
++        export_kwargs = {
++            "cert": cert,
++            "key": key,
++            "type": OpenSSL.crypto.FILETYPE_PEM,
++            "days": days_valid,
++        }
++        if digest:
++            export_kwargs["digest"] = salt.utils.stringutils.to_bytes(digest)
++        else:
++            log.warning("No digest specified. The default md5 digest will be used.")
++
++        try:
++            crltext = crl.export(**export_kwargs)
++        except (TypeError, ValueError):
++            log.warning(
++                "Error signing crl with specified digest. Are you using "
++                "pyopenssl 0.15 or newer? The default md5 digest will be used."
++            )
++            export_kwargs.pop("digest", None)
++            crltext = crl.export(**export_kwargs)
++
++        if text:
++            return crltext
++
++        return write_pem(text=crltext, path=path, pem_type="X509 CRL")
+ 
+-    if digest:
+-        hashing_algorithm = x509util.get_hashing_algorithm(digest)
+     else:
+-        log.warning("No digest specified. The default md5 digest will be used.")
+-        hashing_algorithm = x509util.get_hashing_algorithm("MD5")
++        for rev_item in revoked:
++            if "reason" in rev_item:
++                salt.utils.dictupdate.set_dict_key_value(
++                    rev_item, "extensions:CRLReason", rev_item["reason"]
++                )
+ 
+-    crl = builder.sign(private_key_obj, algorithm=hashing_algorithm)
+-    crl_bytes = crl.public_bytes(x509util.serialization.Encoding.PEM)
++        builder, private_key_obj = x509util.build_crl(
++            signing_private_key=signing_private_key,
++            signing_private_key_passphrase=signing_private_key_passphrase,
++            include_expired=include_expired,
++            revoked=revoked,
++            signing_cert=signing_cert,
++            days_valid=days_valid,
++        )
+ 
+-    if text:
+-        return crl_bytes.decode()
++        if digest:
++            hashing_algorithm = x509util.get_hashing_algorithm(digest)
++        else:
++            log.warning("No digest specified. The default md5 digest will be used.")
++            hashing_algorithm = x509util.get_hashing_algorithm("MD5")
+ 
+-    return write_pem(text=crl_bytes, path=path, pem_type="X509 CRL")
++        crl = builder.sign(private_key_obj, algorithm=hashing_algorithm)
++        crl_bytes = crl.public_bytes(x509util.serialization.Encoding.PEM)
++
++        if text:
++            return crl_bytes.decode()
++
++        return write_pem(text=crl_bytes, path=path, pem_type="X509 CRL")
+ 
+ 
+ def sign_remote_certificate(argdic, **kwargs):
+-- 
+2.51.1
+

use-versioned-python-interpreter-for-salt-ssh.patch

@@ -0,0 +1,33 @@
+From 1df479ec297e340bbe5f4913afce02f6c8427bd4 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Mon, 6 Oct 2025 16:41:46 +0200
+Subject: [PATCH] Use versioned python interpreter for salt-ssh
+
+---
+ salt/client/ssh/__init__.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
+index bfb7d3d1d1..86e4bcceb0 100644
+--- a/salt/client/ssh/__init__.py
++++ b/salt/client/ssh/__init__.py
+@@ -157,7 +157,7 @@ SSH_PY_CODE='import base64;
+ if [ -n "$DEBUG" ]
+     then set -x
+ fi
+-PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3.11 python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
++PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python {{PY3XX_CMD}}python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+ for py_cmd in $PYTHON_CMDS
+ do
+     if command -v "$py_cmd" >/dev/null 2>&1 && "$py_cmd" -c "import sys; sys.exit(not (sys.version_info >= (2, 6)));"
+@@ -1533,6 +1533,7 @@ ARGS = {arguments}\n'''.format(
+                 SSH_PY_CODE=py_code_enc,
+                 HOST_PY_MAJOR=sys.version_info[0],
+                 SET_PATH=self.set_path,
++                PY3XX_CMD=f"python3.{sys.version_info.minor} " if sys.version_info >= (3, 11) else "",
+             )
+         else:
+             cmd = saltwinshell.gen_shim(py_code_enc)
+-- 
+2.51.0
+

venv-salt-minion.changes

@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Tue Nov 11 08:03:59 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
+
+- Fix TLS and x509 modules for OSes with older cryptography module
+
+- Added:
+  * fix-tls-and-x509-modules-for-older-cryptography-modu.patch
+
+-------------------------------------------------------------------
+Fri Nov  7 16:37:10 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
+  * Use external tornado on Python > 3.11
+  * Make tls and x509 to use python-cryptography
+  * Remove usage of spwd
+
+- Added:
+  * fix-salt-for-python-3.11.patch
+
+-------------------------------------------------------------------
+Wed Oct 29 10:38:04 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Fix payload signature verification on Tumbleweed (bsc#1251776)
+
+- Added:
+  * do-not-break-signature-verification-on-latest-m2cryp.patch
+
+-------------------------------------------------------------------
+Mon Oct  6 14:54:30 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
+
+- Use versioned python interpreter for salt-ssh
+
+- Added:
+  * use-versioned-python-interpreter-for-salt-ssh.patch
+
+-------------------------------------------------------------------
+Mon Oct  6 08:40:19 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
+
+- Added:
+  * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
+
+-------------------------------------------------------------------
+Wed Oct  1 12:46:17 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
+
+- Add python3.11 as preferable for salt-ssh to avoid tests fails
+
+- Added:
+  * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
+
+-------------------------------------------------------------------
+Wed Sep 17 08:16:34 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Make test_pillar_timeout test more reliable
+- Modify README and other doc files for openSUSE
+
+- Added:
+  * even-more-reliable-pillar-timeout-test.patch
+  * modify-readme-for-opensuse-728.patch
+
 -------------------------------------------------------------------
 Mon Aug 11 14:02:35 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
 

venv-salt-minion.spec

@@ -539,6 +539,23 @@ Patch177:       fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
 Patch178:       fix-functional.states.test_user-for-sles-16-and-micr.patch
 # PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68247
 Patch179:       improve-sl-micro-6.2-detection-with-grains.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/728
+Patch180:       modify-readme-for-opensuse-728.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68331
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/729
+Patch181:       even-more-reliable-pillar-timeout-test.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/730
+Patch182:       add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68366
+Patch183:       allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/732
+Patch184:       use-versioned-python-interpreter-for-salt-ssh.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/735
+Patch185:       do-not-break-signature-verification-on-latest-m2cryp.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/736
+Patch186:       fix-salt-for-python-3.11.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/737
+Patch187:       fix-tls-and-x509-modules-for-older-cryptography-modu.patch
 
 ### IMPORTANT: The line below is used as a snippet marker. Do not touch it.
 ### SALT PATCHES LIST END