IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
resolved rejected RRsets containing a RR with a zero TTL and a RR with a nonzero TTL. In practice—see the linked issues—, this case triggered when an AF_UNSPEC query to a CNAMEd domain returned a zero TTL for the CNAME on one address family and a nonzero TTL for the CNAME on the other address family.
The zero-nonzero TTL check cites RFC 2181 § 5.2 in a comment. That section says DNS clients should reject any RRset containing differing TTLs, which the check only implements a very special case of. That the old behavior caused real-world false NXDOMAIN results is reason enough to completely ignore the RFC's recommendation. However, mDNS treats zero TTLs specially, so the error case needs to be kept for mDNS.
Fixes https://github.com/systemd/systemd/issues/22177
Fixes https://github.com/systemd/systemd/issues/20617
Fixes https://github.com/systemd/systemd/issues/19118
This is not intended as a user guide, but to describe the generic security
posture of the UEFI components. Hence we do not publish it on systemd.io
but only in the repository.
When we're starting early boot services such as systemd-userdbd.service,
/tmp might not yet be mounted, so let's use a directory in /run instead
which is guaranteed to be available.
Debugging mount unit failures caused by systemd not being able to
create the mount point is currently rather hard. Let's log about
failures to create mount points to simplify debugging.
In discover_next_boot(), first we find a new boot ID based on the value
stored in the entry object. Then, find the tail (or head when we are going
upwards) entry of the boot based on the _BOOT_ID= field data.
If boot IDs of an entry in the entry object and _BOOT_ID field data
are inconsistent, which may happen on corrupted journal, then previously
discover_next_boot() failed with -ENODATA.
This makes the function check if the two boot IDs in each entry are
consistent, and skip the entry if not.
Fixes the failure of `journalctl -b -1` for 'truncated' journal:
https://github.com/systemd/systemd/pull/29334#issuecomment-1736567951
When READ_FULL_FILE_UNBASE64 (or READ_FULL_FILE_UNHEX) is specified,
setting size argument by caller is difficult, as it is hard to estimate
the encoded length.
This makes when size is specified with decoding option, let's read file
more, and check decoded size later with the specified size.
This adds a new script tools/check-version-history.py and a corresponding
test when building in developer mode. It checks manpages (except dbus
documentation which is handled by update-dbus-docs) for missing version
history information.
It also adds ignore lists based on version 183 (the version that our version
annotations go back to). These can be augmented if we want to ignore other
elements if it doesn't make sense for them to have version annotations.
Because journal_file_next_entry_for_data() provides the first entry, while
journal_file_next_entry() actually provides the next entry of the input,
this also renames it to journal_file_move_to_entry_for_data().
Also, previously, on DIRECTION_UP the function did not fall back to the
'extra' entry when all entries linked in the chained array are broken.
This also fixes the issue, and now it fall back to the extra entry.
When we reach an empty array, there are at least two possibilities:
- journal file is corrupted,
- invalid index is requested.
We cannot distinguish them here, let's simply return earlier.
If there's corruption and we are going upwards, then the 'total'
must be decreased when we go to the previous array. However,
previously, we wrongly kept or increased the number. This fixes
the behavior.
This effectively reverts d9b61db922404a216de018cc5ddff9b69bcaf1db.
In the do-while loop, we do not read any other entry array object, hence
the current object is always in the mmap cache and not necessary to re-read it.
Doing that in VMs without acceleration is prohibitively expensive (i.e.
20+ seconds in the C8S job). Thankfully, the recent [0] --lines=+n syntax
makes this all quite easy to fix.
[0] 8d6791d2aa9
Since the soft-reboot drops the enqueued end.service, we won't shutdown
the test VM if the test fails and have to wait for the watchdog to kill
us (which may take quite a long time). Let's just forcibly kill the
machine instead to save CI resources.
Let's ake sure we check confexts against the confext api level, and
sysext against the sysext api level.
Previously the test would simply be skipped for confexts...
This adds an explicit service for initializing the TPM2 SRK. This is
implicitly also done by systemd-cryptsetup, hence strictly speaking
redundant, but doing this early has the benefit that we can parallelize
this in a nicer way. This also write a copy of the SRK public key in PEM
format to /run/ + /var/lib/, thus pinning the disk image to the TPM.
Making the SRK public key is also useful for allowing easy offline
encryption for a specific TPM.
Sooner or later we should probably grow what this service does, the
above is just the first step. For example, the service should probably
offer the ability to reset the TPM (clear the owner hierarchy?) on a
factory reset, if such a policy is needed. And we might want to install
some default AK (?).
Fixes: #27986
Also see: #22637
Given that gold is pretty much unmaintained and does not support
`-static-pie` for bootloader components it should be safe to drop.
Also switch to clang-17 while we're at it.
The biggest reason for forcing bfd was the use of linker scrips. Since
we don't rely on those anymore we can lift the requirement.
The biggest issue is gold as it does not understand -static-pie. Given
that it's pretty much on life support it's safe to just declare it not
supported anymore.
Don't link addons with libefi as clang/lld is sometimes very eager to
include memset etc., causing needless binary bloat and link errors with
LTO.
Fixes: #29165
