Weekly portage-stable package updates 2023-10-09

[github-actions]

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1103/cldsv

--

• app-arch/pigz: [PROD] [DEV]

  • from 2.7-r1 to 2.8
  • added signature verification
  • still unstable on amd64, so added accept keywords to overlay
  • release notes: https://zlib.net/pipermail/pigz-announce_zlib.net/2023-August/000018.html

• app-portage/portage-utils: [DEV]

  • still at 0.96.1
  • updated metadata

• dev-libs/libxml2: [DEV]

  • still at 2.11.5
  • updated keywords for other arches

• dev-python/lxml: [DEV]

  • still at 4.9.3-r1
  • became stable for arm64 so dropped accept keywords from overlay

• eclass/flag-o-matic.eclass:

  • allow some more compiler flags

• net-dns/c-ares: [DEV]

  • still at 1.19.1
  • updated license from MIT to MIT ISC

• net-misc/whois: [PROD] [DEV]

  • from 5.5.17-r1 to 5.5.18-r1
  • still unstable on amd64, so added accept keywords overlay
  • release notes: https://github.com/rfc1036/whois/blob/v5.5.18/debian/changelog

• profiles:

  • masked dev-python/cython-3.0.3

• sys-apps/portage: [DEV]

  • still at 3.0.51
  • bumped dep on dev-util/meson to 1.2.1-r1 (exactly the version we have)

• sys-devel/gcc: [DEV]

  • still at 13.2.1_p20230826
  • it's already stable, so dropped accept keywords from overlay

• sys-devel/gdb: [DEV]

  • still at 13.2-r1
  • updated keywords for other arches

--

• changelog
• image diff

[tormath1]

As a side note, in the selinux-container downstream patch, we can drop the following lines:

scripts/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch

Lines 69 to 74 in 4a9ae3d

	+# required for cilium, can be upstreamed
	+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { open } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
	+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { kernel } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
	+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { cpu } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
	+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { read } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
	+allow spc_t self:perf_event { open cpu kernel read };

I upstreamed those: SELinuxProject/refpolicy@feaf607.

[krnowak]

Cool, thanks for letting me know.

[krnowak]

Er, I mean, this needs to wait until we pick up the update of sec-policy/selinux-container from Gentoo, right?

[tormath1]

I think it's already there: we're upgrading to selinux-container-2.20231002 and the commit is part of the release: RELEASE_2_20231002 (SELinuxProject/refpolicy@feaf607)

[krnowak]

The ebuild is still unstable, so we didn't pick it up. Should we add accept keywords for it?

[tormath1]

Ah yes indeed - then I guess we can follow Gentoo for this as we just upgraded the SELinux policies, no need to rush.

[krnowak]

CI passed.

[github-actions]

Build action triggered: https://github.com/flatcar/scripts/actions/runs/6494336660