SUSE-SU-2025:0857-1

Published: 13 Mar 2025
Source: suse-cvrf

Description

Security update for build

This update for build fixes the following issues:

  • CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)

Other fixes:

  • Fixed behaviour when using '--shell' aka 'osc shell' option in a VM build. Startup is faster and permissions stay intact now.

  • fixes for POSIX compatibility for obs-docker-support and mkbaselibs

  • Add support for apk in docker/podman builds

  • Add support for 'wget' in Docker images

  • Fix debian support for Dockerfile builds

  • Fix preinstallimages in containers

  • mkosi: add back system-packages used by build-recipe directly

  • pbuild: parse the Release files for debian repos

  • mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present

  • improve source copy handling

  • Introduce --repos-directory and --containers-directory options

  • productcompose: support of building against a baseiso

  • preinstallimage: avoid inclusion of build script generated files

  • preserve timestamps on sources copy-in for kiwi and productcompose

  • alpine package support updates

  • tumbleweed config update

  • debian: Support installation of foreign architecture packages (required for armv7l setups)

  • Parse unknown timezones as UTC

  • Apk (Alpine Linux) format support added

  • Implement default value in parameter expansion

  • Also support supplements that use & as 'and'

  • Add workaround for skopeo's argument parser

  • add cap-htm=off on power9

  • Fixed usage of chown calls

  • Remove leading go from purl locators

  • container related:

    • Implement support for the new element in kiwi recipes
    • Fixes for SBOM and dependencies of multi stage container builds
    • obs-docker-support: enable dnf and yum substitutions
  • Arch Linux:

    • fix file path for Arch repo
    • exclude unsupported arch
    • Use root as download user
  • build-vm-qemu: force sv48 satp mode on riscv64

  • mkosi:

    • Create .sha256 files after mkosi builds
    • Always pass --image-version to mkosi
  • General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documentation, SBOM)

  • Support slsa v1 in unpack_slsa_provenance

  • generate_sbom: do not clobber spdx supplier

  • Harden export_debian_orig_from_git (bsc#1230469)

  • SBOM generation:

    • Adding golang introspection support
    • Adding rust binary introspection support
    • Keep track of unknown licenses and add a 'hasExtractedLicensingInfos' section
    • Also normalize licenses for cyclonedx
    • Make generate_sbom errors fatal
    • general improvements
  • Fix noprep building not working because the buildir is removed

  • kiwi image: also detect a debian build if /var/lib/dpkg/status is present

  • Do not use the Encode module to convert a code point to utf8

  • Fix personality syscall number for riscv

  • add more required recommendations for KVM builds

  • set PACKAGER field in build-recipe-arch

  • fix writing _modulemd.yaml

  • pbuild: support --release and --baselibs option

  • container:

    • copy base container information from the annotation into the containerinfo
    • track base containers over multiple stages
    • always put the base container last in the dependencies
  • providing fileprovides in createdirdeps tool

  • Introduce buildflag nochecks

  • productcompose: support all option

  • config update: tumbleweed using preinstallexpand

  • minor improvements

  • tumbleweed build config update

  • support the %load macro

  • improve container filename generation (docker)

  • fix hanging curl calls during build (docker)

  • productcompose: fix milestone query

  • tumbleweed build config update

  • 15.6 build config fixes

  • sourcerpm & sourcedep handling fixes

  • productcompose:

    • Fix milestone handling
    • Support bcntsynctag
  • Adding debian support to generate_sbom

  • Add syscall for personality switch on loongarch64 kernel

  • vm-build: ext3 & ext4: fix disk space allocation

  • mkosi format updates, not fully working yet

  • pbuild exception fixes

  • Fixes for current fedora and centos distros

  • Don't copy original dsc sources if OBS-DCH-RELEASE set

  • Unbreak parsing of sources/patches

  • Support ForceMultiVersion in the dockerfile parser

  • Support %bcond of rpm 4.17.1

  • Add a hack for systemd 255.3, creating an empty /etc/os-release if missing after preinstall.

  • docker: Fix HEAD request in dummyhttpserver

  • pbuild: Make docker-nobasepackages expand flag the default

  • rpm: Support a couple of builtin rpm macros

  • rpm: Implement argument expansion for define/with/bcond...

  • Fix multiline macro handling

  • Accept -N parameter of %autosetup

  • documentation updates

  • various code cleanup and speedup work.

  • ProductCompose: multiple improvements

  • Add buildflags:define_specfile support

  • Fix copy-in of git subdirectory sources

  • pbuild: Speed up XML parsing

  • pbuild: product compose support

  • generate_sbom: add help option

  • podman: enforce runtime=runc

  • Implement direct conflicts from the distro config

  • changelog2spec: fix time zone handling

  • Do not unmount /proc/sys/fs/binfmt_misc before running the check scripts

  • spec file cleanup

  • documentation updates

  • productcompose:

    • support schema 0.1
    • support milestones
  • Leap 15.6 config

  • SLE 15 SP6 config

  • productcompose: follow incompatible flavor syntax change

  • pbuild: support for zstd

  • fixed handling for cmdline parameters via kernel packages

  • productcompose:

    • BREAKING: support new schema
    • adapt flavor architecture parsing
  • productcompose:

    • support filtered package lists
    • support default architecture listing
    • fix copy in binaries in VM builds
  • obsproduct build type got renamed to productcompose

  • Support zstd compressed rpm-md meta data (bsc#1217269)

  • Added Debian 12 configuration

  • First ObsProduct build format support

  • fix SLE 15 SP5 build configuration

  • Improve user agent handling for obs repositories

  • Docker:

    • Support flavor specific build descriptions via Dockerfile.$flavor
    • support 'PlusRecommended' hint to also provide recommended packages
    • use the name/version as filename if both are known
    • Produce docker format containers by default
  • pbuild: Support for signature authentication of OBS resources

  • Fix wiping build root for --vm-type podman

  • Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv

  • build-vm-kvm: use -cpu host on riscv64

  • small fixes and cleanups

  • Added parser for BcntSyncTag in sources

  • pbuild:

    • fix dependency expansion for build types other than spec
    • Reworked cycle handling code
    • add --extra-packs option
    • add debugflags option
  • Pass-through --buildtool-opt

  • Parse Patch and Source lines more accurately

  • fix tunefs functionality

  • minor bugfixes

  • --vm-type=podman added (supports also root-less builds)

  • Also support build constraints in the Dockerfile

  • minor fixes

  • Add SUSE ALP build config

  • BREAKING: Record errors when parsing the project config; former behaviour was undefined

  • container: Support compression format configuration option

  • Don't setup ccache with --no-init

  • improved loongarch64 support

  • sbom: SPDX supplier tag added

  • kiwi: support different versions per profile

  • preinstallimage: fail when recompression fails

  • Add support for recommends and supplements dependencies

  • Support the 'keepfilerequires' expand flag

  • add '--buildtool-opt=OPTIONS' to pass options to the used build tool

  • distro config updates

    • ArchLinux
    • Tumbleweed
  • documentation updates

  • openSUSE Tumbleweed: sync config and move to suse_version 1699.

  • universal post-build hook, just place a file in /usr/lib/build/post_build.d/

  • mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)

  • KiwiProduct: add --use-newest-package hint if the option is set

  • Dockerfile support:

    • export multibuild flavor as argument
    • allow parameters in FROM .. scratch lines
    • include OS name in build result if != linux
  • Workaround directory->symlink usrmerge problems for cross arch sysroot

  • multiple fixes for SBOM support

  • KIWI VM image SBOM support added

Package list

SUSE Enterprise Storage 7.1
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Module for Development Tools 15 SP6
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Server 15 SP3-LTSS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Server 15 SP4-LTSS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Server 15 SP5-LTSS
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5
build-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
openSUSE Leap 15.6
build-20250306-150200.19.1
build-initvm-aarch64-20250306-150200.19.1
build-initvm-powerpc64le-20250306-150200.19.1
build-initvm-s390x-20250306-150200.19.1
build-initvm-x86_64-20250306-150200.19.1
build-mkbaselibs-20250306-150200.19.1
build-mkdrpms-20250306-150200.19.1

Description

Various problems in obs-scm-bridge allow attackers who create specially crafted git repositories to leak information or cause denial of service.


Affected products
SUSE Enterprise Storage 7.1:build-20250306-150200.19.1
SUSE Enterprise Storage 7.1:build-mkbaselibs-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-20250306-150200.19.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1

References
Vulnerability SUSE-SU-2025:0857-1