Merge pull request #3062 from flatcar/buildbot/weekly-portage-stable-package-updates-2025-06-30

Weekly portage-stable package updates 2025-06-30

Author: krnowak

build_library/vm_image_util.sh

@@ -723,13 +723,23 @@ _write_cpio_common() {
     echo "/.noupdate f 444 root root echo -n" >"${VM_TMP_DIR}/extra"
 
     # Set correct group for PXE/ISO, which has no writeable /etc
-    echo /usr/share/flatcar/update.conf f 644 root root \
+    echo /share/flatcar/update.conf f 644 root root \
         "sed -e 's/GROUP=.*$/GROUP=${VM_GROUP}/' ${base_dir}/share/flatcar/update.conf" \
         >> "${VM_TMP_DIR}/extra"
 
+    local -a mksquashfs_opts=(
+        -pf "${VM_TMP_DIR}/extra"
+        -xattrs-exclude '^btrfs.'
+        # mksquashfs doesn't like overwriting existing files with
+        # pseudo-files, so tell it to ignore the existing file instead
+        #
+        # also, this must be the last option
+        -e share/flatcar/update.conf
+    )
+
     # Build the squashfs, embed squashfs into a gzipped cpio
     pushd "${cpio_target}" >/dev/null
-    sudo mksquashfs "${base_dir}" "./usr.squashfs" -pf "${VM_TMP_DIR}/extra" -xattrs-exclude '^btrfs.'
+    sudo mksquashfs "${base_dir}" "./usr.squashfs" "${mksquashfs_opts[@]}"
     find . | cpio -o -H newc | gzip > "$2"
     popd >/dev/null
 

changelog/updates/2025-06-30-weekly-updates.md

@@ -0,0 +1,20 @@
+- SDK: pkgcheck ([0.10.36](https://github.com/pkgcore/pkgcheck/blob/v0.10.36/NEWS.rst))
+- azure, dev, gce, sysext-python: python ([3.11.13](https://www.python.org/downloads/release/python-31113/))
+- base, dev: elfutils ([0.193](https://inbox.sourceware.org/elfutils-devel/CAJDtP-RjuT13zehLgSvz9TnwQZ1VYPOS=q_kuut5a2g+KLamgw@mail.gmail.com/T/#u))
+- base, dev: gnupg ([2.4.8](https://dev.gnupg.org/T7428))
+- base, dev: ipset ([7.24](https://lwn.net/Articles/1021623/))
+- base, dev: jansson ([2.14.1](https://jansson.readthedocs.io/en/latest/changes.html#version-2-14-1))
+- base, dev: libarchive ([3.8.1](https://github.com/libarchive/libarchive/releases/tag/v3.8.1) (includes [3.8.0](https://github.com/libarchive/libarchive/releases/tag/v3.8.0)))
+- base, dev: libcap ([2.76](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.wqnp1zp1o8bm) (includes [2.75](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.7xqcoecpcnn8), [2.74](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.ccbrq82zh7n9), [2.73](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.7yd7ab9ppagk), [2.72](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.ulglddlojmy0)))
+- base, dev: libgcrypt ([1.11.1](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;h=84bc61a49f3a09302b3438cb529baf67576ad859;hb=81ce5321b1b79bde6dfdc3c164efb40c13cf656b))
+- base, dev: libnftnl ([1.2.9](https://lwn.net/Articles/1017463/))
+- base, dev: libunistring ([1.3](https://lists.gnu.org/archive/html/info-gnu/2024-10/msg00000.html))
+- base, dev: libunwind ([1.8.2](https://github.com/libunwind/libunwind/releases/tag/v1.8.2))
+- base, dev: openssl ([3.4.1](https://github.com/openssl/openssl/releases/tag/openssl-3.4.1) (includes [3.4.0](https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34)))
+- dev, sysext-incus: squashfs-tools ([4.7](https://lkml.org/lkml/2025/6/3/1214))
+- dev: portage ([3.0.68](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.68))
+- sysext-docker: docker ([28.0.4](https://github.com/moby/moby/releases/tag/v28.0.4) (includes [28.0.3](https://github.com/moby/moby/releases/tag/v28.0.3), [28.0.2](https://github.com/moby/moby/releases/tag/v28.0.2)))
+- sysext-podman: containers-common ([0.63.0](https://github.com/containers/common/releases/tag/v0.63.0))
+- sysext-podman: passt ([2025.04.15](https://archives.passt.top/passt-user/20250415233140.35074c4b@elisabeth/T/#u))
+- sysext-python: msgpack ([1.1.1](https://github.com/msgpack/msgpack-python/releases/tag/v1.1.1))
+- sysext-python: typing-extensions ([4.14.0](https://github.com/python/typing_extensions/releases/tag/4.14.0))

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/0001-pam-cap-Fix-potential-configuration-parsing-error.patch

@@ -8,33 +8,42 @@
 # (the following packages are "unstable" upstream; we're stabilising these)
 
 # Needed to address CVE-2024-40635, CVE-2025-47291
-=app-containers/containerd-2.0.5 ~amd64 ~arm64
+=app-containers/containerd-2.0.5 ~arm64
 
 # Keep versions on both arches in sync.
+=app-containers/containers-common-0.63.0 ~arm64
 =app-containers/cri-tools-1.32.0 ~arm64
 
 # Needed to address CVE-2025-24965.
-=app-containers/crun-1.20 ~amd64 ~arm64
+=app-containers/crun-1.20 ~arm64
 
 # Keep versions on both arches in sync.
-=app-containers/lxc-6.0.4-r1 ~amd64 ~arm64
-=app-containers/incus-6.0.4-r1 ~amd64 ~arm64
-
-# Needed by app-containers/containerd-2.0.5
-=app-containers/runc-1.2.6 ~amd64 ~arm64
+=app-containers/docker-28.0.4 ~arm64
+=app-containers/docker-cli-28.0.4 ~arm64
+=app-containers/incus-6.0.4-r1 ~arm64
+=app-containers/lxc-6.0.4-r1 ~arm64
+=app-containers/runc-1.2.6 ~arm64
 
 # No stable keywords.
 =app-containers/syft-1.18.1 ~amd64 ~arm64
 
 # Seems to be the only available ebuild in portage-stable right now.
 =app-crypt/adcli-0.9.2 ~arm64
 
+# Packages are in Gentoo but not expected to be used outside Flatcar, so they
+# are generally never stabilised. Thus an unusual form is used to pick up the
+# latest version of the package with the unstable keywords.
+app-crypt/azure-keyvault-pkcs11
+
 # Needed by arm64-native SDK
 =app-crypt/ccid-1.6.1 ~arm64
 
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =app-crypt/clevis-19-r1 **
 
+# Keep versions on both arches in sync.
+=app-crypt/gnupg-2.4.8 ~arm64
+
 # Needed to address CVE-2025-1215, CVE-2025-22134, CVE-2025-24014, GHSA-63p5-mwg2-787v, CVE-2025-27423, CVE-2025-29768
 =app-editors/vim-9.1.1436 ~amd64 ~arm64
 =app-editors/vim-core-9.1.1436 ~amd64 ~arm64
@@ -50,24 +59,46 @@
 
 # Keep versions on both arches in sync.
 =dev-build/meson-1.7.2 ~arm64
-=dev-db/sqlite-3.49.2 ~arm64
-=dev-lang/go-1.24.4 ~arm64
+
+# Packages are in Gentoo but not expected to be used outside Flatcar, so they
+# are generally never stabilised. Thus an unusual form is used to pick up the
+# latest version of the package with the unstable keywords.
+dev-cpp/azure-core
+dev-cpp/azure-identity
+dev-cpp/azure-security-keyvault-certificates
+dev-cpp/azure-security-keyvault-keys
 
 # Keep versions on both arches in sync.
+=dev-db/sqlite-3.49.2 ~arm64
+=dev-lang/go-1.24.4 ~arm64
+=dev-lang/python-3.11.13 ~arm64
 =dev-lang/yasm-1.3.0-r1 ~arm64
-=dev-libs/ding-libs-0.6.2-r1 ~arm64
 =dev-libs/cowsql-1.15.8 ~arm64
+=dev-libs/ding-libs-0.6.2-r1 ~arm64
 
 # Needed to address CVE-2025-4373
-=dev-libs/glib-2.84.3 ~amd64 ~arm64
-=dev-libs/gobject-introspection-common-1.84.0 ~amd64 ~arm64
+=dev-libs/glib-2.84.3 ~arm64
+=dev-libs/gobject-introspection-common-1.84.0 ~arm64
+
+# Keep versions on both arches in sync.
+=dev-libs/jansson-2.14.1 ~arm64
 
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/jose-12 **
+
+# Keep versions on both arches in sync.
+=dev-libs/libgcrypt-1.11.1 ~arm64
+=dev-libs/libtracefs-1.8.2 ~arm64
+=dev-libs/libunistring-1.3 ~arm64
+
+# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/luksmeta-9-r1 **
 
 # Keep versions on both arches in sync.
 =dev-libs/raft-0.22.1 ~arm64
+=dev-python/cryptography-45.0.4 ~arm64
+=dev-python/cython-3.1.2 ~arm64
+=dev-python/msgpack-1.1.1 ~arm64
 
 # No arm64 keyword in package.
 =dev-util/bsdiff-4.3-r4 **
@@ -76,52 +107,55 @@
 =dev-util/catalyst-4.0.0 ~amd64 ~arm64
 
 # Needed to address CVE-2025-4373
-=dev-util/glib-utils-2.84.3 ~amd64 ~arm64
-=dev-util/gdbus-codegen-2.84.3 ~amd64 ~arm64
+=dev-util/gdbus-codegen-2.84.3 ~arm64
+=dev-util/glib-utils-2.84.3 ~arm64
 
 # Keep versions on both arches in sync.
 =dev-util/xdelta-3.0.11-r1 ~arm64
 
 # Needed to address CVE-2024-11187, CVE-2024-12705
-=net-dns/bind-9.18.37-r1 ~amd64 ~arm64
+=net-dns/bind-9.18.37-r1 ~arm64
 
 # Keep versions on both arches in sync.
 =net-firewall/conntrack-tools-1.4.8-r1 ~arm64
+=net-firewall/ipset-7.24 ~arm64
 
 # Needed to address CVE-2025-2312.
 =net-fs/cifs-utils-7.3 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
+=net-libs/libnftnl-1.2.9 ~arm64
 
 # Needed for addressing CVE-2025-47268 and CVE-2025-48964
 =net-misc/iputils-20250605 ~amd64 ~arm64
 
+# Keep versions on both arches in sync.
+=net-misc/passt-2025.04.15 ~arm64
+
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
 # are generally never stabilised. Thus an unusual form is used to pick up the
 # latest version of the package with the unstable keywords.
-app-crypt/azure-keyvault-pkcs11
-dev-cpp/azure-core
-dev-cpp/azure-identity
-dev-cpp/azure-security-keyvault-certificates
-dev-cpp/azure-security-keyvault-keys
 sys-apps/azure-vm-utils
 
 # Keep versions on both arches in sync.
+=sys-apps/dtc-1.7.2-r2 ~arm64
+=sys-apps/portage-3.0.68 ~arm64
 =sys-apps/zram-generator-1.2.1 ~arm64
-=sys-auth/polkit-126-r1 ~amd64
 
 # Needed to avoid pulling python into production images.
 =sys-auth/sssd-2.9.6-r3 ~arm64
 
 # Keep versions on both arches in sync.
+=sys-boot/gnu-efi-4.0.1 ~arm64
 =sys-boot/mokutil-0.7.2 **
 
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
 # Keep versions on both arches in sync.
-=sys-fs/fuse-3.17.2 ~arm64
 =sys-fs/lxcfs-6.0.4 ~arm64
+=sys-libs/libcap-2.76 ~arm64
+=sys-libs/libunwind-1.8.2 ~arm64
 =sys-process/audit-4.0.2-r1 ~arm64

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/README.md

@@ -1,4 +1,2 @@
-DIST logrotate-3.21.0.tar.xz 168532 BLAKE2B f7fa0050bde51e2517eac8456ecf87648bc8423621830894ceb2a3ff6b9dfe32c5b53df6a4ee59aa91bd563ed94376a635159535f4fdc170fbc673354bcef508 SHA512 c576df7d2bc1a1db2f99befdd0ea627aef2d97bdcd4a7cdea76870623ba92fb1f04f1af6d15b75e4a9085f4aef2ae5e9843c4094cdd01e24d89872ccaf9c0d4a
-DIST logrotate-3.21.0.tar.xz.asc 833 BLAKE2B b2099a0b8c15d1ea7f7325884027dff08dcc8305113411448797b8089d17026242a3f10bd6d7f3d865e3e339ec6fb5faf4ff48f8fd65bca3af4da8b335c3b5f1 SHA512 8f4c1853cd84f85c796b72b43048f4cf04e3409703e7669ee91e1d1aa5e9e5c04261fac1cdf85ec303508d5b6dbf126a44eb9ec819bcc772c664830d39e1068c
 DIST logrotate-3.22.0.tar.xz 172108 BLAKE2B c1c9f1ff792905d2917e9ba3cee360c50259e1520e04073cb69abe475499adcf01aeb3cb4c6933af61255fbb5978577c4fdf9d6ab6ebf9568358d2446791c7f3 SHA512 16fd95b4daef779212008c4a968c7a7130be8d550f58531d24fc04599cb9adff6323a745725b3b14d7312ad36cb6646fe33a3defdb5b70cda2cec9646aab066a
 DIST logrotate-3.22.0.tar.xz.asc 833 BLAKE2B 379d4fd71c6161211234903560770cf14a7ddf769b83e76ef27ad96d1204e2f4dc73d1e44aa69401db87c252c4471d5bdbace0555dfbb66c8751c20131a7751f SHA512 93664c45bfe9ea20aedc54fe216825db38eaf81d43b238cd7bf8ea3e03f7d282f53743fb6d914766a9ed0cb5b33376435d253db5b9ec7039facd66e25d349dd4

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -18,13 +18,13 @@ IUSE="acl +cron selinux"
 
 DEPEND="
 	>=dev-libs/popt-1.5
-	selinux? ( sys-libs/libselinux )
 	acl? ( virtual/acl )
+	selinux? ( sys-libs/libselinux )
 "
 RDEPEND="
 	${DEPEND}
-	selinux? ( sec-policy/selinux-logrotate )
 	cron? ( virtual/cron )
+	selinux? ( sec-policy/selinux-logrotate )
 "
 BDEPEND="verify-sig? ( sec-keys/openpgp-keys-cgzones )"