From 1caf30dbca9598e4386c24f075c08b3ea72f7290 Mon Sep 17 00:00:00 2001 From: Antonio Salinas Date: Fri, 26 Jun 2026 20:27:02 +0000 Subject: [PATCH] refactor: replacing modify_sources script with toml driven archive overlays --- .../apache-commons-compress.comp.toml | 42 +-- base/comps/espeak-ng/espeak-ng.comp.toml | 17 +- base/comps/exfatprogs/exfatprogs.comp.toml | 11 +- base/comps/firefox/firefox.comp.toml | 33 +-- base/comps/gdal/gdal.comp.toml | 17 +- .../comps/kf6-karchive/kf6-karchive.comp.toml | 22 +- base/comps/libabigail/libabigail.comp.toml | 22 +- base/comps/libkml/libkml.comp.toml | 23 +- .../rubygem-pdf-reader.comp.toml | 260 +++++++++++++++++- base/comps/yara/yara.comp.toml | 77 +++++- locks/apache-commons-compress.lock | 2 +- locks/espeak-ng.lock | 2 +- locks/exfatprogs.lock | 2 +- locks/firefox.lock | 2 +- locks/gdal.lock | 2 +- locks/kf6-karchive.lock | 2 +- locks/libabigail.lock | 2 +- locks/libkml.lock | 2 +- locks/rubygem-pdf-reader.lock | 2 +- locks/yara.lock | 2 +- .../apache-commons-compress.spec | 6 +- specs/a/apache-commons-compress/sources | 2 +- specs/e/espeak-ng/espeak-ng.spec | 2 +- specs/e/espeak-ng/sources | 2 +- specs/e/exfatprogs/exfatprogs.spec | 6 +- specs/e/exfatprogs/sources | 2 +- specs/f/firefox/sources | 2 +- specs/g/gdal/gdal.spec | 2 +- specs/g/gdal/sources | 2 +- specs/k/kf6-karchive/kf6-karchive.spec | 2 +- specs/k/kf6-karchive/sources | 2 +- specs/l/libabigail/libabigail.spec | 2 +- specs/l/libabigail/sources | 2 +- specs/l/libkml/libkml.spec | 2 +- specs/l/libkml/sources | 2 +- .../rubygem-pdf-reader.spec | 2 +- specs/r/rubygem-pdf-reader/sources | 2 +- specs/y/yara/sources | 2 +- specs/y/yara/yara.spec | 6 +- 39 files changed, 448 insertions(+), 146 deletions(-) diff --git a/base/comps/apache-commons-compress/apache-commons-compress.comp.toml b/base/comps/apache-commons-compress/apache-commons-compress.comp.toml index d794db4cc55..fccf6af3a0d 100644 
--- a/base/comps/apache-commons-compress/apache-commons-compress.comp.toml +++ b/base/comps/apache-commons-compress/apache-commons-compress.comp.toml 
@@ -17,25 +17,25 @@ # will be skipped/excluded at build time if they reference these # fixtures. # -# We replace Source0 (effectively) with a deterministically-repacked -# tarball that is byte-identical to upstream except for the stripped -# files. The repack is produced by -# base/comps/apache-commons-compress/modify_source.sh, which is -# reproducible — re-running it always yields the same SHA-512. We keep -# the upstream filename (commons-compress-1.27.1-src.tar.gz) and use the -# `replace-upstream` mechanism on the source-files entry below to swap it -# in place in the Fedora `sources` manifest — no spec edit required. -# -# When bumping the apache-commons-compress version (or changing -# REMOVE_PATHS): -# 1. Edit VERSION and UPSTREAM_SHA512 in modify_source.sh. -# 2. Re-run the script and copy the new SHA-512 into the source-files entry. -# 3. Upload the new tarball to the modified-source lookaside (see script output). +# Archive overlays strip the scanner-flagged fixtures from upstream Source0 +# during source preparation, avoiding a separate modified-source tarball. 
+ +[[components.apache-commons-compress.overlays]] +type = "file-remove" +file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/bla.encrypted.7z" +description = "Remove encrypted 7-Zip test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.apache-commons-compress.overlays]] +type = "file-remove" +file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/password-encrypted.zip" +description = "Remove encrypted ZIP test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.apache-commons-compress.overlays]] +type = "file-remove" +file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/COMPRESS-256.7z" +description = "Remove crafted 7-Zip test fixture flagged by AZL signing-pipeline AV scanner" -[[components.apache-commons-compress.source-files]] -filename = "commons-compress-1.27.1-src.tar.gz" -hash = "aeecee8776c60a549cbca9fc3c0312c8c98a953d024db64e5c480c643357be7b270193df69fc2172632e472feb9b9221eedf3b40dd933997b881a398dfb3a02b" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/apache-commons-compress/commons-compress-1.27.1-src.tar.gz/sha512/aeecee8776c60a549cbca9fc3c0312c8c98a953d024db64e5c480c643357be7b270193df69fc2172632e472feb9b9221eedf3b40dd933997b881a398dfb3a02b/commons-compress-1.27.1-src.tar.gz" } -replace-upstream = true -replace-reason = "AZL-repacked tarball with scanner-flagged encrypted and crafted-archive test fixtures stripped; see modify_source.sh REMOVE_PATHS" +[[components.apache-commons-compress.overlays]] +type = "file-remove" +file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/zip64support.tar.bz2" +description = "Remove crafted tar.bz2 test fixture flagged by AZL signing-pipeline AV scanner" diff --git a/base/comps/espeak-ng/espeak-ng.comp.toml b/base/comps/espeak-ng/espeak-ng.comp.toml index 49a9f37936d..51292775f95 100644 --- a/base/comps/espeak-ng/espeak-ng.comp.toml 
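Review bot: Each new `file` key embeds the versioned archive name `commons-compress-1.27.1-src.tar.gz`, and the bump instructions from the removed comment are gone, so nothing in this hunk tells a maintainer that all four overlay paths must be edited on a version bump. The diff does not show whether a `file-remove` whose path matches nothing fails the render or is silently skipped. If it is skipped, a bumped tarball would carry the scanner-flagged fixtures again with no build error, whereas the removed `source-files` entry pinned the stripped content by SHA-512. I would add `# Overlay paths embed the Source0 file name; update all four on a version bump and confirm each overlay still matches.` above the first overlay. The same applies to the overlay paths added for espeak-ng, exfatprogs, gdal, kf6-karchive, libabigail, libkml, rubygem-pdf-reader and yara.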
+++ b/base/comps/espeak-ng/espeak-ng.comp.toml @@ -12,16 +12,11 @@ # our spec does not reference it or ship it in any binary RPM, so stripping # this file is functionally inert. # -# Replace upstream Source0 with a deterministically-repacked tarball produced -# by base/comps/espeak-ng/modify_source.sh. The upstream filename is preserved -# so `replace-upstream = true` swaps the entry in place in the Fedora `sources` -# manifest without requiring a `Source0`/filename change. +# Archive overlays strip this scanner-flagged fixture from upstream Source0 +# during source preparation, avoiding a separate modified-source tarball. [components.espeak-ng] -[[components.espeak-ng.source-files]] -filename = "espeak-ng-1.51.1.tar.gz" -hash = "84685a24e93e743c4f0be73dd9d553a96ed95bc8c2c0c683d84935183e517ae039066de93e3f83617b2114b27b427ec18ff8169972188d2a81b55f839c7c726f" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/espeak-ng/espeak-ng-1.51.1.tar.gz/sha512/84685a24e93e743c4f0be73dd9d553a96ed95bc8c2c0c683d84935183e517ae039066de93e3f83617b2114b27b427ec18ff8169972188d2a81b55f839c7c726f/espeak-ng-1.51.1.tar.gz" } -replace-upstream = true -replace-reason = "Strips the `chromium_extension/index.php` demo file flagged as PHP/Webshell.NWM by anti-malware scanners on the AZL RPM-signing pipeline. See `modify_source.sh` next to this file." +[[components.espeak-ng.overlays]] +type = "file-remove" +file = "espeak-ng-1.51.1.tar.gz/chromium_extension/index.php" +description = "Remove PHP webshell demo flagged as PHP/Webshell.NWM by AZL signing-pipeline AV scanner" diff --git a/base/comps/exfatprogs/exfatprogs.comp.toml b/base/comps/exfatprogs/exfatprogs.comp.toml index b64f4750708..25be0c93c3f 100644 --- a/base/comps/exfatprogs/exfatprogs.comp.toml +++ b/base/comps/exfatprogs/exfatprogs.comp.toml 
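Review bot: The `description` calls `chromium_extension/index.php` a "PHP webshell demo", while the removed `replace-reason` described it as a demo file that scanners flag as PHP/Webshell.NWM. A later audit of stripped files will read this string, so it should state the detection rather than classify the file: `description = "Remove chromium_extension/index.php demo file flagged as PHP/Webshell.NWM by AZL signing-pipeline AV scanner"`.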
@@ -1,9 +1,6 @@ [components.exfatprogs] -[[components.exfatprogs.source-files]] -filename = "exfatprogs-1.3.1.tar.xz" -hash = "ded26326feab2b0013c1031fda7add53100e0581711555b8a64e8036448775a51304e4c5c368049cb26633dbf02e814b6f97bd804cafff324921a8e6a3a975d0" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/exfatprogs/exfatprogs-1.3.1.tar.xz/sha512/ded26326feab2b0013c1031fda7add53100e0581711555b8a64e8036448775a51304e4c5c368049cb26633dbf02e814b6f97bd804cafff324921a8e6a3a975d0/exfatprogs-1.3.1.tar.xz" } -replace-upstream = true -replace-reason = "The upstream `tests/` tree ships 19 deliberately-corrupted exFAT filesystem images (e.g. bad_bitmap, bad_dentries, bs_bad_csum, loop_chain) whose malformed metadata sends the malware scanner into runaway behaviour on the crafted FAT/dentry structures -- the shell harness alongside them (tests/upcase_table/, test_fsck.sh) is not itself problematic; it is removed as collateral because it becomes unused once the images are gone. The `tests/` tree is EXTRA_DIST-only, never built or installed, and the spec has no %check, so stripping it is functionally inert. See modify_source.sh." +[[components.exfatprogs.overlays]] +type = "file-remove" +file = "exfatprogs-1.3.1.tar.xz/tests/**" +description = "Remove tests/ directory containing deliberately-corrupted exFAT filesystem images that trip AZL signing-pipeline AV scanner" diff --git a/base/comps/firefox/firefox.comp.toml b/base/comps/firefox/firefox.comp.toml index 007f649083d..05d088b35a3 100644 --- a/base/comps/firefox/firefox.comp.toml +++ b/base/comps/firefox/firefox.comp.toml 
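Review bot: The removed `replace-reason` was the only place that recorded why stripping `tests/**` is safe (the tree is EXTRA_DIST-only, never built or installed, and the spec has no %check), and the new overlay keeps none of it. The glob removes the whole directory, including the shell harness the old text called collateral, so I would keep that rationale as a comment above the overlay, for example `# tests/ is EXTRA_DIST-only and the spec has no %check, so removing it is functionally inert.` The exfatprogs spec change listed in the diffstat is not visible here, so whether anything still references `tests/` cannot be confirmed from this hunk.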
@@ -143,28 +143,19 @@ replacement = 'Release: %[1 + %{azl_release}]%{?pre_tag}%{?dist}' # The authoritative list of stripped files lives in # base/comps/firefox/modify_source.sh (REMOVE_PATHS). # -# We replace Source0 with a deterministically-repacked tarball that is -# byte-identical to the upstream one except for the stripped files. -# The repack is produced by base/comps/firefox/modify_source.sh, which -# is reproducible — re-running it always yields the same SHA-512. We keep -# the upstream filename (firefox-.source.tar.xz) and use the -# `replace-upstream` mechanism on the source-files entry below to swap it -# in place in the Fedora `sources` manifest — no spec edit required. +# Archive overlays strip the scanner-flagged fixtures from upstream Source0 +# during source preparation, avoiding a separate modified-source tarball. # # When bumping the firefox version (or changing REMOVE_PATHS): -# 1. Edit VERSION and UPSTREAM_SHA512 in modify_source.sh. -# 2. Re-run the script and copy the new SHA-512 into the source-files entry. -# 3. Upload the new tarball to the modified-source lookaside (see script output). +# 1. Update the overlay paths below if upstream fixture paths change. +# 2. Re-render and build to verify the archive overlays still apply. -# Drop the upstream firefox-.source.tar.xz entry from the Fedora -# `sources` lookaside manifest so the build does not also try to fetch the -# unmodified upstream tarball alongside our repacked one. This is handled -# by `replace-upstream = true` on the source-files entry below. 
+[[components.firefox.overlays]] +type = "file-remove" +file = "firefox-148.0.source.tar.xz/toolkit/components/mediasniffer/test/unit/data/ff-inst.exe" +description = "Remove obfuscated Windows executable test fixture flagged by AZL signing-pipeline AV scanner" -[[components.firefox.source-files]] -filename = "firefox-148.0.source.tar.xz" -hash = "c9c9f29fbd8f889bf3cf3d88776e1a62da7b2a65d386538d2bd048dd70caaaf8324adb5303a5fa9aa73c2cf6eb9f89cb4b34f9e67c4208d88636dd5376af90a9" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/firefox/firefox-148.0.source.tar.xz/sha512/c9c9f29fbd8f889bf3cf3d88776e1a62da7b2a65d386538d2bd048dd70caaaf8324adb5303a5fa9aa73c2cf6eb9f89cb4b34f9e67c4208d88636dd5376af90a9/firefox-148.0.source.tar.xz" } -replace-upstream = true -replace-reason = "AZL-repacked tarball with malware-flagged upstream test fixtures stripped (trips RPM signing pipeline); see modify_source.sh REMOVE_PATHS" +[[components.firefox.overlays]] +type = "file-remove" +file = "firefox-148.0.source.tar.xz/dom/base/crashtests/607222.html" +description = "Remove crashtest HTML fixture flagged by AZL signing-pipeline AV scanner" diff --git a/base/comps/gdal/gdal.comp.toml b/base/comps/gdal/gdal.comp.toml index 7c116a3c9e9..cbfab9586ed 100644 --- a/base/comps/gdal/gdal.comp.toml +++ b/base/comps/gdal/gdal.comp.toml 
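Review bot: The comment block still points at the script this commit replaces: the context line says the authoritative list of stripped files lives in `base/comps/firefox/modify_source.sh` (REMOVE_PATHS), and the new bump heading reads "(or changing REMOVE_PATHS)". With the overlays below as the only list, both references send a maintainer to the wrong place (assuming the script is removed or no longer used, which this part of the patch does not show). I would reword them to `# The authoritative list of stripped files is the file-remove overlays below.` and `# When bumping the firefox version:`. Step 1 should also say that the archive name `firefox-148.0.source.tar.xz` inside each `file` key changes on every bump, not only when fixture paths move. The hunk starts partway through the comment block, so its earlier lines are not visible.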
@@ -12,19 +12,14 @@ # no-op (exits 0; gcore tests were OOM-killing the build POD), so stripping # this fixture is functionally inert. # -# Replace upstream Source1 with a deterministically-repacked tarball produced -# by base/comps/gdal/modify_source.sh. The upstream filename is preserved so -# `replace-upstream = true` swaps the entry in place in the Fedora `sources` -# manifest -- no spec edit required. +# Archive overlays strip this scanner-flagged fixture from upstream Source1 +# during source preparation, avoiding a separate modified-source tarball. [components.gdal] -[[components.gdal.source-files]] -filename = "gdalautotest-3.11.5.tar.gz" -hash = "a39cc826885a2336c80545203947c4693851aae3de02b980be25b4b579658e6314e058dc228660294b2370242df8f298c4fe64c6d3b1cd0bf5adf56b3e321b77" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/gdal/gdalautotest-3.11.5.tar.gz/sha512/a39cc826885a2336c80545203947c4693851aae3de02b980be25b4b579658e6314e058dc228660294b2370242df8f298c4fe64c6d3b1cd0bf5adf56b3e321b77/gdalautotest-3.11.5.tar.gz" } -replace-upstream = true -replace-reason = "Repacked source tarball without gcore/data/zero_5GB_sozip_of_sozip.zip which was flagged as a Trojan. See modify_source.sh." +[[components.gdal.overlays]] +type = "file-remove" +file = "gdalautotest-3.11.5.tar.gz/gcore/data/zero_5GB_sozip_of_sozip.zip" +description = "Remove large test fixture to reduce source size" [components.gdal.build] # Azure Linux does not support MinGW cross-compilation. diff --git a/base/comps/kf6-karchive/kf6-karchive.comp.toml b/base/comps/kf6-karchive/kf6-karchive.comp.toml index 23b4fc399a2..5ee222ef5d9 100644 --- a/base/comps/kf6-karchive/kf6-karchive.comp.toml +++ b/base/comps/kf6-karchive/kf6-karchive.comp.toml 
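Review bot: The overlay's `description` says "Remove large test fixture to reduce source size", which contradicts both the new comment above it ("scanner-flagged fixture") and the removed `replace-reason`, which recorded that `gcore/data/zero_5GB_sozip_of_sozip.zip` was flagged as a Trojan. Recording a size reason for a detection-driven removal loses the audit trail and invites someone to restore the file once size is no longer a concern. I would use `description = "Remove gcore/data/zero_5GB_sozip_of_sozip.zip test fixture flagged as a Trojan by AZL signing-pipeline AV scanner"`.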
@@ -12,16 +12,16 @@ # upstream's CMake gates them on BUILD_TESTING=ON, which we don't set), so # stripping these test fixtures is functionally inert. # -# Replace upstream Source0 with a deterministically-repacked tarball produced -# by base/comps/kf6-karchive/modify_source.sh. The upstream filename is -# preserved so `replace-upstream = true` swaps the entry in place in the -# Fedora `sources` manifest -- no spec edit required. +# Archive overlays strip these scanner-flagged fixtures from upstream Source0 +# during source preparation, avoiding a separate modified-source tarball. [components.kf6-karchive] -[[components.kf6-karchive.source-files]] -filename = "karchive-6.23.0.tar.xz" -hash = "dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/kf6-karchive/karchive-6.23.0.tar.xz/sha512/dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a/karchive-6.23.0.tar.xz" } -replace-upstream = true -replace-reason = "AZL-repacked tarball with autotest fixtures stripped that trip anti-malware scanning on the AZL RPM-signing pipeline: autotests/data/password_protected.7z (password-protected 7-Zip) and autotests/data/zip64_extra_zip64_size_first.zip.gz (ZIP64 edge-case fixture whose inner .zip the scanner rejects after decompressing the .gz wrapper). The autotests are not built or run in our spec (no %check, BUILD_TESTING is off), so removing these test fixtures is functionally inert. See modify_source.sh." 
+[[components.kf6-karchive.overlays]] +type = "file-remove" +file = "karchive-6.23.0.tar.xz/autotests/data/password_protected.7z" +description = "Remove password-protected 7-Zip test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.kf6-karchive.overlays]] +type = "file-remove" +file = "karchive-6.23.0.tar.xz/autotests/data/zip64_extra_zip64_size_first.zip.gz" +description = "Remove ZIP64 edge-case test fixture flagged by AZL signing-pipeline AV scanner" diff --git a/base/comps/libabigail/libabigail.comp.toml b/base/comps/libabigail/libabigail.comp.toml index fce2d75e19a..4d01155d6e6 100644 --- a/base/comps/libabigail/libabigail.comp.toml +++ b/base/comps/libabigail/libabigail.comp.toml 
@@ -10,24 +10,18 @@ # across separated-debuginfo + dwz layouts. The scanner flags both # .debug files as "packer_high_entropy:eod". # -# Replace upstream Source0 with a deterministically-repacked tarball produced -# by base/comps/libabigail/modify_source.sh, which strips the entire -# PR30329/ fixture directory so nothing in-tree references the missing -# files. The two corresponding `InOutSpec in_out_specs[]` entries in +# Archive overlays strip the entire PR30329/ fixture directory from upstream +# Source0 so nothing in-tree references the missing files. The two +# corresponding `InOutSpec in_out_specs[]` entries in # tests/test-abidiff-exit.cc are dropped by a companion overlay patch # (`tests-drop-PR30329-fixture-entries.patch`, applied below), keeping -# `make check` green. The upstream filename is preserved so -# `replace-upstream = true` swaps the entry in place in the Fedora `sources` -# manifest -- no spec edit required. +# `make check` green. This avoids a separate modified-source tarball. [components.libabigail] -[[components.libabigail.source-files]] -filename = "libabigail-2.9.tar.xz" -hash = "efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/libabigail/libabigail-2.9.tar.xz/sha512/efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4/libabigail-2.9.tar.xz" } -replace-upstream = true -replace-reason = "Repacked source tarball with tests/data/test-abidiff-exit/PR30329/ removed (two libsqlite3.so.0.8.6.debug fixtures inside it were flagged as packer_high_entropy:eod by the AZL signing-pipeline AV scanner). The matching InOutSpec entries in tests/test-abidiff-exit.cc are dropped by the companion overlay patch tests-drop-PR30329-fixture-entries.patch. See modify_source.sh." 
+[[components.libabigail.overlays]] +type = "file-remove" +file = "libabigail-2.9.tar.xz/tests/data/test-abidiff-exit/PR30329/**" +description = "Remove PR30329 fixture directory (two libsqlite3.so.0.8.6.debug files flagged as packer_high_entropy:eod by AZL signing-pipeline AV scanner)" [[components.libabigail.overlays]] description = "Drop the two tests/test-abidiff-exit.cc InOutSpec entries that exercise the PR30329 fixture set (removed from the AZL-repacked Source0 because its two libsqlite3.so.0.8.6.debug files are flagged packer_high_entropy:eod by the AZL signing-pipeline AV scanner). Without this patch `make check` fails trying to open the missing fixtures." diff --git a/base/comps/libkml/libkml.comp.toml b/base/comps/libkml/libkml.comp.toml index b6251c7f145..f2237e2c05d 100644 --- a/base/comps/libkml/libkml.comp.toml +++ b/base/comps/libkml/libkml.comp.toml 
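Review bot: The companion overlay's `description`, on the context line after the new entry, still says the fixture set was "removed from the AZL-repacked Source0". After this change there is no repacked tarball; the files are removed by the `file-remove` overlay directly above. I would change that phrase to "removed by the file-remove overlay above" so the two entries describe the same mechanism. The patch overlay continues past the end of the hunk, so its remaining keys are not visible here.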
@@ -1,9 +1,18 @@ [components.libkml] -[[components.libkml.source-files]] -filename = "libkml-1.3.0.tar.gz" -hash = "6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/libkml/libkml-1.3.0.tar.gz/sha512/6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58/libkml-1.3.0.tar.gz" } -replace-upstream = true -replace-reason = "Strips the scanner-flagged `testdata/kmz/bad-too-large.kmz` test fixture (a benign-by-intent crafted-malformed ZIP whose on-disk shape matches malicious-archive heuristics) and the matching `ZipFileTest.TestBadTooLarge` block from `tests/kml/base/zip_file_test.cc`. See `modify_source.sh` next to this file." +# Remove decompression-bomb test fixture flagged by AV scanner +[[components.libkml.overlays]] +type = "file-remove" +file = "libkml-1.3.0.tar.gz/testdata/kmz/bad-too-large.kmz" +description = "Remove crafted decompression-bomb KMZ fixture flagged by AZL signing-pipeline AV scanner" + +# Surgically remove the TEST_F block that exercises the stripped fixture. +# The sed range `TEST_F(ZipFileTest, TestBadTooLarge) {` through the next +# column-0 `}` is safe because nested braces inside the test body are +# always indented. +[[components.libkml.overlays]] +type = "file-search-replace" +file = "libkml-1.3.0.tar.gz/tests/kml/base/zip_file_test.cc" +regex = 'TEST_F\(ZipFileTest, TestBadTooLarge\) \{[^}]*\}\n' +replacement = '' +description = "Remove TestBadTooLarge test block that references stripped bad-too-large.kmz fixture" diff --git a/base/comps/rubygem-pdf-reader/rubygem-pdf-reader.comp.toml b/base/comps/rubygem-pdf-reader/rubygem-pdf-reader.comp.toml index 2f4fa99c669..9ac14c10015 100644 --- a/base/comps/rubygem-pdf-reader/rubygem-pdf-reader.comp.toml 
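Review bot: The comment above the `file-search-replace` overlay describes a sed range that ends at the next column-0 `}`, but the regex `\{[^}]*\}\n` ends at the first `}` of any indentation. If the body of `TestBadTooLarge` contains a nested brace (the comment itself allows for that), the match either stops early and leaves the tail of the test behind, or fails because that inner `}` is not followed by a newline. To match what the comment promises, anchor on a line that starts with `}`: `regex = 'TEST_F\(ZipFileTest, TestBadTooLarge\) \{\n(?:[^\n]*\n)*?\}\n'`. This assumes the overlay engine supports lazy quantifiers; the diff does not show which regex flavour it uses. The comment should also say "regex" rather than "sed range".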
+++ b/base/comps/rubygem-pdf-reader/rubygem-pdf-reader.comp.toml 
@@ -1,9 +1,255 @@ [components.rubygem-pdf-reader] -[[components.rubygem-pdf-reader.source-files]] -filename = "pdf-reader-2.4.2-spec.txz" -hash = "49de5d0e3bb8067101624ecc00a6e5f646a6dbdb4200343b15b1b268776e2248071056e7c73432a3b038130d7e8d5f81e9911742bc016272335bee18c51fd708" -hash-type = "SHA512" -origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/rubygem-pdf-reader/pdf-reader-2.4.2-spec.txz/sha512/49de5d0e3bb8067101624ecc00a6e5f646a6dbdb4200343b15b1b268776e2248071056e7c73432a3b038130d7e8d5f81e9911742bc016272335bee18c51fd708/pdf-reader-2.4.2-spec.txz" } -replace-upstream = true -replace-reason = "Serve a locally-modified `pdf-reader-2.4.2-spec.txz` with 47 pathological PDF fixtures removed from `spec/data/` to avoid scan failures. All fixtures are benign upstream regression PDFs not consumed at AZL runtime. Companion patch in `modify_source.sh` makes `pdf_spec_file()` call rspec's `skip` only for the 47 removed filenames; it still raises `ArgumentError` for any other missing fixture." +# Remove all 47 pathological PDF test fixtures from spec/data/ that trip +# AZL signing-pipeline AV scanner. All are benign upstream regression +# PDFs not consumed at AZL runtime. 
+[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/broken_string.pdf" +description = "Remove broken_string.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/clearscan-with-image-removed.pdf" +description = "Remove clearscan-with-image-removed.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/clearscan.pdf" +description = "Remove clearscan.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/content_stream_as_array.pdf" +description = "Remove content_stream_as_array.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/content_stream_missing_final_operator.pdf" +description = "Remove content_stream_missing_final_operator.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/content_stream_refers_to_invalid_font.pdf" +description = "Remove content_stream_refers_to_invalid_font.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/difference_table2.pdf" +description = "Remove difference_table2.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/difference_table_encrypted.pdf" +description = "Remove difference_table_encrypted.pdf test fixture flagged by AZL signing-pipeline AV scanner" + 
+[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/encrypted_*.pdf" +description = "Remove encrypted PDF test fixtures flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/form_xobject_recursive.pdf" +description = "Remove form_xobject_recursive.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/hard_lock_under_osx.pdf" +description = "Remove hard_lock_under_osx.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/indirect_mediabox.pdf" +description = "Remove indirect_mediabox.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/invisible.pdf" +description = "Remove invisible.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/junk_prefix.pdf" +description = "Remove junk_prefix.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/junk_prefix_1024.pdf" +description = "Remove junk_prefix_1024.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/kids-as-direct-objects.pdf" +description = "Remove kids-as-direct-objects.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/mediabox_and_cropbox_are_references.pdf" 
+description = "Remove mediabox_and_cropbox_are_references.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/mediabox_missing.pdf" +description = "Remove mediabox_missing.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/one-byte-identity.pdf" +description = "Remove one-byte-identity.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/overlapping-chars-x-fake-bold.pdf" +description = "Remove overlapping-chars-x-fake-bold.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/overlapping-chars-xy-fake-bold.pdf" +description = "Remove overlapping-chars-xy-fake-bold.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/pages_object_missing_type.pdf" +description = "Remove pages_object_missing_type.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/rotate-180.pdf" +description = "Remove rotate-180.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/rotate-then-undo.pdf" +description = "Remove rotate-then-undo.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/screwey_xref_offsets.pdf" +description = "Remove screwey_xref_offsets.pdf test fixture 
flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/standard_font_with_no_difference.pdf" +description = "Remove standard_font_with_no_difference.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/symbol.pdf" +description = "Remove symbol.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/times-with-control-character.pdf" +description = "Remove times-with-control-character.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/truetype-arial.pdf" +description = "Remove truetype-arial.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/type1-arial.pdf" +description = "Remove type1-arial.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/type3_font.pdf" +description = "Remove type3_font.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/type3_font_with_rare_font_matrix.pdf" +description = "Remove type3_font_with_rare_font_matrix.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/zapf.pdf" +description = "Remove zapf.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = 
"pdf-reader-2.4.2-spec.txz/data/zeroed_xref_entry.pdf" +description = "Remove zeroed_xref_entry.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +[[components.rubygem-pdf-reader.overlays]] +type = "file-remove" +file = "pdf-reader-2.4.2-spec.txz/data/zlib_stream_issue.pdf" +description = "Remove zlib_stream_issue.pdf test fixture flagged by AZL signing-pipeline AV scanner" + +# Patch the test helper to insert the AZL_STRIPPED_FIXTURES constant after +# `module ReaderSpecHelper` so tests for stripped fixtures skip gracefully +# instead of raising ArgumentError. +[[components.rubygem-pdf-reader.overlays]] +type = "file-search-replace" +file = "pdf-reader-2.4.2-spec.txz/support/reader_spec_helper.rb" +regex = 'module ReaderSpecHelper\n' +replacement = """module ReaderSpecHelper + + # AZL downstream: fixtures stripped from spec/data/ for package- + # signing-scan compliance. pdf_spec_file() skips (rather than raises) + # ONLY for entries in this set; any other missing fixture still raises. 
+ AZL_STRIPPED_FIXTURES = %w[ + broken_string.pdf + clearscan-with-image-removed.pdf + clearscan.pdf + content_stream_as_array.pdf + content_stream_missing_final_operator.pdf + content_stream_refers_to_invalid_font.pdf + difference_table2.pdf + difference_table_encrypted.pdf + encrypted_version1_revision2_128bit_rc4_blank_user_password.pdf + encrypted_version1_revision2_128bit_rc4_no_doc_id.pdf + encrypted_version1_revision2_40bit_rc4_user_pass_apples.pdf + encrypted_version2_revision3_128bit_rc4_blank_user_pass.pdf + encrypted_version2_revision3_128bit_rc4_user_pass_apples.pdf + encrypted_version4_revision4_128bit_aes_user_pass_apples_enc_metadata.pdf + encrypted_version4_revision4_128bit_aes_user_pass_apples_unenc_metadata.pdf + encrypted_version4_revision4_128bit_rc4_user_pass_apples_enc_metadata.pdf + encrypted_version4_revision4_128bit_rc4_user_pass_apples_unenc_metadata.pdf + encrypted_version5_revision5_256bit_aes_user_pass_apples_enc_metadata.pdf + encrypted_version5_revision5_256bit_aes_user_pass_apples_unenc_metadata.pdf + encrypted_version5_revision6_256bit_aes_user_pass_apples_enc_metadata.pdf + encrypted_version5_revision6_256bit_aes_user_pass_apples_unenc_metadata.pdf + form_xobject_recursive.pdf + hard_lock_under_osx.pdf + indirect_mediabox.pdf + invisible.pdf + junk_prefix.pdf + junk_prefix_1024.pdf + kids-as-direct-objects.pdf + mediabox_and_cropbox_are_references.pdf + mediabox_missing.pdf + one-byte-identity.pdf + overlapping-chars-x-fake-bold.pdf + overlapping-chars-xy-fake-bold.pdf + pages_object_missing_type.pdf + rotate-180.pdf + rotate-then-undo.pdf + screwey_xref_offsets.pdf + standard_font_with_no_difference.pdf + symbol.pdf + times-with-control-character.pdf + truetype-arial.pdf + type1-arial.pdf + type3_font.pdf + type3_font_with_rare_font_matrix.pdf + zapf.pdf + zeroed_xref_entry.pdf + zlib_stream_issue.pdf + ].freeze +""" +description = "Insert AZL_STRIPPED_FIXTURES constant listing stripped PDF filenames" + +# Insert an elsif branch 
before the existing else/raise so stripped fixtures +# get rspec `skip` instead of ArgumentError +[[components.rubygem-pdf-reader.overlays]] +type = "file-search-replace" +file = "pdf-reader-2.4.2-spec.txz/support/reader_spec_helper.rb" +regex = ' else\n raise ArgumentError, "#{valid_filename} not found"' +replacement = ''' elsif AZL_STRIPPED_FIXTURES.include?("#{base}.pdf") + skip "PDF fixture #{File.basename(valid_filename)} stripped for downstream scan compliance" + else + raise ArgumentError, "#{valid_filename} not found"''' +description = "Make pdf_spec_file() skip (not raise) for stripped fixtures; still raises for any other missing fixture" diff --git a/base/comps/yara/yara.comp.toml b/base/comps/yara/yara.comp.toml index d0c07d7b8af..2fd8a67a300 100644 --- a/base/comps/yara/yara.comp.toml +++ b/base/comps/yara/yara.comp.toml 
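Review bot: The removal list and the skip list are maintained separately and can drift: the fixtures are removed with the glob `data/encrypted_*.pdf`, while `AZL_STRIPPED_FIXTURES` names thirteen `encrypted_*` files one by one. Any `encrypted_*.pdf` in the archive that is not in the constant would be deleted by the glob and then hit the `raise ArgumentError` branch instead of `skip`. Either list the thirteen files as individual `file-remove` entries, or note the coupling above the glob overlay, e.g. `# Keep in sync with the encrypted_* entries of AZL_STRIPPED_FIXTURES below.` Separately, the skip turns off every upstream spec that reads the RC4 and AES encrypted fixtures, so the package's test run, if it has one, no longer exercises the gem's decryption path. That is worth stating in the comment at the top of the section.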
@@ -1,9 +1,72 @@
 [components.yara]
-[[components.yara.source-files]]
-filename = "yara-4.5.4.tar.gz"
-hash = "94d4aab0466c847dd04313754767ba7d022bfcd5dba403a260c9a3ff76fb7a8e6d731ad08e40d64e78169b034ae978fb03f617490aff25bf317b39402d7b646b"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/94d4aab0466c847dd04313754767ba7d022bfcd5dba403a260c9a3ff76fb7a8e6d731ad08e40d64e78169b034ae978fb03f617490aff25bf317b39402d7b646b/yara-4.5.4.tar.gz" }
-replace-upstream = true
-replace-reason = "Strips benign oss-fuzz seed corpora and `tests/data/` PE fixtures from `yara-4.5.4.tar.gz` that match generic malware-scan heuristics. See `modify_source.sh` next to this file for the full strip list and the companion `Makefile.am` edit that drops `test-pe` from `check_PROGRAMS`."
+# Strip oss-fuzz seed corpus entries flagged by AV scanner
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/data/05cd06e6a202e12be22a02700ed6f1604e803ca8867277d852e8971efded0650"
+description = "Remove PE fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885"
+description = "Remove PE fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.upx"
+description = "Remove UPX-packed PE fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/data/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345"
+description = "Remove PE fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/oss-fuzz/dex_fuzzer_corpus/27fb31059503773723597edb875c937af971a6c15f91aac8c03c1fbdfa9e918c"
+description = "Remove dex_fuzzer seed corpus entry flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/oss-fuzz/dex_fuzzer_corpus/b343d1058063e6e4b652ccf0589f93d0dbb6b092960e4aebc3c3c58894831359"
+description = "Remove dex_fuzzer seed corpus entry flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/oss-fuzz/dotnet_fuzzer_corpus/buggy_stream_names"
+description = "Remove dotnet_fuzzer seed corpus entry flagged by AZL signing-pipeline AV scanner"
+
+[[components.yara.overlays]]
+type = "file-remove"
+file = "yara-4.5.4.tar.gz/tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated"
+description = "Remove dotnet_fuzzer seed corpus entry flagged by AZL signing-pipeline AV scanner"
+
+# Drop test-pe from check_PROGRAMS — references the stripped PE fixtures
+[[components.yara.overlays]]
+type = "file-search-replace"
+file = "yara-4.5.4.tar.gz/Makefile.am"
+regex = ' test-pe \\\n'
+replacement = ''
+description = "Remove test-pe from check_PROGRAMS list (stripped PE fixtures make it fail)"
+
+# Drop orphan test_pe_* variable declarations — automake -Werror rejects them
+[[components.yara.overlays]]
+type = "file-search-replace"
+file = "yara-4.5.4.tar.gz/Makefile.am"
+regex = 'test_pe_SOURCES = tests/test-pe.c tests/util.c\n'
+replacement = ''
+description = "Remove orphan test_pe_SOURCES variable (automake -Werror rejects it)"
+
+[[components.yara.overlays]]
+type = "file-search-replace"
+file = "yara-4.5.4.tar.gz/Makefile.am"
+regex = 'test_pe_LDADD = libyara.la\n'
+replacement = ''
+description = "Remove orphan test_pe_LDADD variable (automake -Werror rejects it)"
+
+[[components.yara.overlays]]
+type = "file-search-replace"
+file = "yara-4.5.4.tar.gz/Makefile.am"
+regex = 'test_pe_LDFLAGS = -static\n'
+replacement = '' +description = "Remove orphan test_pe_LDFLAGS variable (automake -Werror rejects it)" diff --git a/locks/apache-commons-compress.lock b/locks/apache-commons-compress.lock index 8e5321bbabb..141efbeb3e8 100644 --- a/locks/apache-commons-compress.lock +++ b/locks/apache-commons-compress.lock @@ -2,5 +2,5 @@ version = 1 import-commit = 'bdaf66ef9ff399da1630157e23cdad5cd4f37b17' upstream-commit = 'bdaf66ef9ff399da1630157e23cdad5cd4f37b17' -input-fingerprint = 'sha256:c1965768510759f29d4f8c2a004ae0df70a9879fdda0c66a58a955a66dc0748f' +input-fingerprint = 'sha256:cc01359bb354b7bf093b5116092c12f5323ee618e1b9f237537b669935bd3cdf' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/espeak-ng.lock b/locks/espeak-ng.lock index 2658ef24cca..22ab0cba07c 100644 --- a/locks/espeak-ng.lock +++ b/locks/espeak-ng.lock @@ -2,5 +2,5 @@ version = 1 import-commit = '9298ed58af8b48ab1611b8b503dcd1e347e64c5d' upstream-commit = '9298ed58af8b48ab1611b8b503dcd1e347e64c5d' -input-fingerprint = 'sha256:e5ed9a686469a8cf6bd37c2dcd8d19c7a09a41367e375a7d64c869704ac45d07' +input-fingerprint = 'sha256:a816cf9133581492b678e43fd69ddf1ba1bccad347dc9451bf5281dee32ff4fb' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/exfatprogs.lock b/locks/exfatprogs.lock index 02de5cc7cde..f90c1791ed2 100644 --- a/locks/exfatprogs.lock +++ b/locks/exfatprogs.lock @@ -2,5 +2,5 @@ version = 1 import-commit = '9f5fcad16a203b067f983d436d76ee183aa03e8f' upstream-commit = '9f5fcad16a203b067f983d436d76ee183aa03e8f' -input-fingerprint = 'sha256:1b04a779025e397b1ef63abf3ad1f829cc14833601a4fffac5ad610b9557cf70' +input-fingerprint = 'sha256:519d8b73a37aebb10c81abea2487f60b2e8c1a900506333a35dda95d855aac95' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' 
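Review bot: The comment `# Strip oss-fuzz seed corpus entries flagged by AV scanner` heads four `tests/data/` PE fixtures, while the oss-fuzz entries only start at the fifth overlay. The new descriptions also drop what the removed `replace-reason` recorded: that these are benign upstream test inputs matching generic malware-scan heuristics. I would reword the comment to `# Strip tests/data PE fixtures and oss-fuzz seed corpus entries: benign upstream test inputs that match generic malware-scan heuristics`, so that someone auditing the strip list does not read it as a malware finding in the upstream tarball. The `test_pe_SOURCES` and `test_pe_LDADD` regexes leave `.` unescaped; `tests/test-pe\.c tests/util\.c\n` and `libyara\.la\n` match only the intended lines. Whether a `file-remove` path or a regex that matches nothing fails the overlay step is not visible in this hunk and is worth confirming, since a silent no-op would ship the flagged files or keep the `test_pe_*` variables.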
diff --git a/locks/firefox.lock b/locks/firefox.lock index 8be565737a1..580ec8f2c4a 100644 --- a/locks/firefox.lock +++ b/locks/firefox.lock @@ -2,5 +2,5 @@ version = 1 import-commit = 'e6f01c53ca35f9fbad3bf45f227275550935b9d9' upstream-commit = 'e6f01c53ca35f9fbad3bf45f227275550935b9d9' -input-fingerprint = 'sha256:55ad1d0be4dafff74e28791ed3f44081c8cd20af3633969754d65d5062c2f1e1' +input-fingerprint = 'sha256:7d3b55fe26b9bd7bcb097f15de64442dd269a0c215f9c89efe64e170d7ce312b' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/gdal.lock b/locks/gdal.lock index 4b9fd7306f5..0ccc50489dc 100644 --- a/locks/gdal.lock +++ b/locks/gdal.lock @@ -2,5 +2,5 @@ version = 1 import-commit = '2665a7f24c0056d1838f8019ad58da8ad2119297' upstream-commit = '2665a7f24c0056d1838f8019ad58da8ad2119297' -input-fingerprint = 'sha256:21d7ce0edaaeea22874da3f9ea6eb7f95deacd26aea057d0183555445653e89c' +input-fingerprint = 'sha256:a69bd8bdf75ab2470bd211087e876a59330d5be3306c8e5103506b52b447c523' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/kf6-karchive.lock b/locks/kf6-karchive.lock index 47c75941e33..64d22c89630 100644 --- a/locks/kf6-karchive.lock +++ b/locks/kf6-karchive.lock @@ -2,5 +2,5 @@ version = 1 import-commit = '9f43e605c01ce0c7a14978cbcbc9f0226c043616' upstream-commit = '9f43e605c01ce0c7a14978cbcbc9f0226c043616' -input-fingerprint = 'sha256:827fa4eec374c0e1905908a3c77453f1503b8c4df9edcaf5d2dd9c4e666c449b' +input-fingerprint = 'sha256:e48ae8b4b56cf95f0a7cba8aa8be37e54db485e04766b411b1a4ec9ef878bedd' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/libabigail.lock b/locks/libabigail.lock index 07d59cfe7a9..b67c101ac55 100644 --- a/locks/libabigail.lock +++ b/locks/libabigail.lock 
@@ -2,5 +2,5 @@ version = 1 import-commit = 'c90c403e2296469fc2120e6c36d876019dbccdb7' upstream-commit = 'c90c403e2296469fc2120e6c36d876019dbccdb7' -input-fingerprint = 'sha256:08c8fcd70b13bc7bd751b8254df5002a33fc13ed4c19691fbc0c951cd2c1d7bf' +input-fingerprint = 'sha256:431cb48247d57b3137275be7e72f06288cb070de70f5ca2916ec83bf3fddb5e5' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/libkml.lock b/locks/libkml.lock index 80b177b3bbf..e090b4ff772 100644 --- a/locks/libkml.lock +++ b/locks/libkml.lock @@ -2,5 +2,5 @@ version = 1 import-commit = '981a062c9c0811deaf3f431410e94a88e3013496' upstream-commit = '981a062c9c0811deaf3f431410e94a88e3013496' -input-fingerprint = 'sha256:2ad63a827ae18f69b764389ae3a32ab957206f2c78a8f95d86d8d86364c87604' +input-fingerprint = 'sha256:00a054abf40d0a6e67d3deb2aeab3f23195ddaa762d20700b51012cbca8c45d8' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/rubygem-pdf-reader.lock b/locks/rubygem-pdf-reader.lock index c254c8e11a4..8ffc8aa791d 100644 --- a/locks/rubygem-pdf-reader.lock +++ b/locks/rubygem-pdf-reader.lock @@ -2,5 +2,5 @@ version = 1 import-commit = 'd0b8e95c28bd4c7d6652c47bb59a58147aaeaad3' upstream-commit = 'd0b8e95c28bd4c7d6652c47bb59a58147aaeaad3' -input-fingerprint = 'sha256:75eea57b8b52622f97983b89f43897d1efa044c49900583b09dd43c4e8d570f5' +input-fingerprint = 'sha256:77f50506f59f97bee3b36fc128186d374b0233f0a00d0d2f0450df77827514de' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/locks/yara.lock b/locks/yara.lock index 7f8bff69266..16d85d916bb 100644 --- a/locks/yara.lock +++ b/locks/yara.lock 
@@ -2,5 +2,5 @@ version = 1 import-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3' upstream-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3' -input-fingerprint = 'sha256:eb7c1312e657a648c1785857bb4b3b0e365570625d4d3ff443a774d0ddde99ee' +input-fingerprint = 'sha256:e79d3957a3e193a97fa7e167a3402ddf73a7edd53ed7705bef4b11c209063c46' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/specs/a/apache-commons-compress/apache-commons-compress.spec b/specs/a/apache-commons-compress/apache-commons-compress.spec index 3c52e7df9f4..83a4af8341f 100644 --- a/specs/a/apache-commons-compress/apache-commons-compress.spec +++ b/specs/a/apache-commons-compress/apache-commons-compress.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.8.3) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 14; + release_number = 15; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -93,6 +93,10 @@ rm src/test/java/org/apache/commons/compress/archivers/tar/TarMemoryFileSystemTe %changelog ## START: Generated by rpmautospec +* Fri Jun 26 2026 Antonio Salinas - 1.27.1-15 +- refactor: replacing modify_sources script with toml driven archive + overlays + * Wed May 13 2026 Andrew Phelps - 1.27.1-14 - fix(apache-commons-compress): strip scanner-flagged test fixtures diff --git a/specs/a/apache-commons-compress/sources b/specs/a/apache-commons-compress/sources index fbeb8cc40f4..df5b698cef4 100644 --- a/specs/a/apache-commons-compress/sources +++ b/specs/a/apache-commons-compress/sources 
@@ -1 +1 @@ -SHA512 (commons-compress-1.27.1-src.tar.gz) = aeecee8776c60a549cbca9fc3c0312c8c98a953d024db64e5c480c643357be7b270193df69fc2172632e472feb9b9221eedf3b40dd933997b881a398dfb3a02b +SHA512 (commons-compress-1.27.1-src.tar.gz) = c7a2cef26959e687ad19b96b5ba8393d7514095e13bf0f29bd41e6b3c3cb2260d8ff23283ff3d5fd137b2522b843e7f0f50ab46bcf0f66df5383674f35f223ab diff --git a/specs/e/espeak-ng/espeak-ng.spec b/specs/e/espeak-ng/espeak-ng.spec index a0a10866eb1..3664a1c3f7d 100644 --- a/specs/e/espeak-ng/espeak-ng.spec +++ b/specs/e/espeak-ng/espeak-ng.spec @@ -3,7 +3,7 @@ Name: espeak-ng Version: 1.51.1 -Release: 14%{?dist} +Release: 15%{?dist} Summary: eSpeak NG Text-to-Speech License: GPL-3.0-only AND GPL-3.0-or-later AND Apache-2.0 AND BSD-2-Clause AND Unicode-DFS-2016 AND CC-BY-SA-3.0 diff --git a/specs/e/espeak-ng/sources b/specs/e/espeak-ng/sources index cf5c1585909..a98e09eac7a 100644 --- a/specs/e/espeak-ng/sources +++ b/specs/e/espeak-ng/sources @@ -1 +1 @@ -SHA512 (espeak-ng-1.51.1.tar.gz) = 84685a24e93e743c4f0be73dd9d553a96ed95bc8c2c0c683d84935183e517ae039066de93e3f83617b2114b27b427ec18ff8169972188d2a81b55f839c7c726f +SHA512 (espeak-ng-1.51.1.tar.gz) = 291958c2d3a1e38f9006416347d40d98be7afc84057475c9394788610897d19c02fabc32ebb8efa6dac291d106f97bf63907d0688ef7d93ea24439cba22392d1 diff --git a/specs/e/exfatprogs/exfatprogs.spec b/specs/e/exfatprogs/exfatprogs.spec index 7cf644eab8f..c8ae685073e 100644 --- a/specs/e/exfatprogs/exfatprogs.spec +++ b/specs/e/exfatprogs/exfatprogs.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.8.3) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 4; + release_number = 5; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} 
@@ -70,6 +70,10 @@ autoreconf -vif %changelog ## START: Generated by rpmautospec +* Fri Jun 26 2026 Antonio Salinas - 1.3.1-5 +- refactor: replacing modify_sources script with toml driven archive + overlays + * Wed May 13 2026 Pawel Winogrodzki - 1.3.1-4 - exfatprogs: serve modified Source0 with upstream tests/ stripped diff --git a/specs/e/exfatprogs/sources b/specs/e/exfatprogs/sources index b23049d383f..7799a03c8d6 100644 --- a/specs/e/exfatprogs/sources +++ b/specs/e/exfatprogs/sources @@ -1 +1 @@ -SHA512 (exfatprogs-1.3.1.tar.xz) = ded26326feab2b0013c1031fda7add53100e0581711555b8a64e8036448775a51304e4c5c368049cb26633dbf02e814b6f97bd804cafff324921a8e6a3a975d0 +SHA512 (exfatprogs-1.3.1.tar.xz) = 28afefa6a4460a52d8078c47bcb63fdde42778a44e428481beff401f5f2ea305409ba42ae4357e03d7f3c9169e874c99c8caf00aca4d6223561cde11ac886cad diff --git a/specs/f/firefox/sources b/specs/f/firefox/sources index 38d70f86ccc..196a838428f 100644 --- a/specs/f/firefox/sources +++ b/specs/f/firefox/sources @@ -4,4 +4,4 @@ SHA512 (wasi-sdk-25.tar.gz) = 1285981d26aa5eff27f08ed4b409909639ddcd62c94ee0cff7 SHA512 (wasm-component-ld-vendor.tar.xz) = 707d942d31455ae0a4f68bf419fb09a20407b6747f831ca554dcd00925b7ea98ef4d03a8652b6d2ae54cf48d7ad15d85aa7eb8d0778ef66b89593eaa8b5c3465 SHA512 (cbindgen-vendor.tar.xz) = bea420e66bdd1c7c944655dd3e01abd6e7d6ac4b245c7ee190f31d800f7786f21e5cae11715b479bf795f4369d18c40dc12df19e0b643664f2f78e5c8a681415 SHA512 (firefox-langpacks-148.0-20260223.tar.xz) = 7e5d283e1a83787984e63901c915f6672eae48c38c5fd64b9f8055f154d83be77f76cb77de2048f2ea263353313a90eefa54b7c173533bec2db4dddf32436302 -SHA512 (firefox-148.0.source.tar.xz) = c9c9f29fbd8f889bf3cf3d88776e1a62da7b2a65d386538d2bd048dd70caaaf8324adb5303a5fa9aa73c2cf6eb9f89cb4b34f9e67c4208d88636dd5376af90a9 +SHA512 (firefox-148.0.source.tar.xz) = b0e862091f3a07a02890f6414e77b433893364a8beaf522d440e97ed0060c9b14bdb2fffdecdf12dca849efce8c57d95a534b23e04259d83a96ee8f29e078349 
diff --git a/specs/g/gdal/gdal.spec b/specs/g/gdal/gdal.spec index 70f8a8fea31..804ac6654f9 100644 --- a/specs/g/gdal/gdal.spec +++ b/specs/g/gdal/gdal.spec @@ -58,7 +58,7 @@ Name: gdal Version: 3.11.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: GIS file format library License: MIT URL: http://www.gdal.org diff --git a/specs/g/gdal/sources b/specs/g/gdal/sources index f4c6c40d1ec..032d71f9b6b 100644 --- a/specs/g/gdal/sources +++ b/specs/g/gdal/sources @@ -1,2 +1,2 @@ SHA512 (gdal-3.11.5-fedora.tar.xz) = a5492d5f45a35bbadc7c4af2b24ed40743c7f36e4c8b0824373495b3d2c032eb940e1239b64252920db9dd5bc0b2253052dbaac27ee9c69005b0957c5f6700a3 -SHA512 (gdalautotest-3.11.5.tar.gz) = a39cc826885a2336c80545203947c4693851aae3de02b980be25b4b579658e6314e058dc228660294b2370242df8f298c4fe64c6d3b1cd0bf5adf56b3e321b77 +SHA512 (gdalautotest-3.11.5.tar.gz) = cb97beed516fa74d3744da62e8cf0c1438d32063ec8bc5fea5b8a4bc3c7097553bb4045766e7d77f7c87456f44b37aae0961ff73b1a5f8cd4ad1ecb5351c3986 diff --git a/specs/k/kf6-karchive/kf6-karchive.spec b/specs/k/kf6-karchive/kf6-karchive.spec index 4083b7ac0ec..c2624aaf9d2 100644 --- a/specs/k/kf6-karchive/kf6-karchive.spec +++ b/specs/k/kf6-karchive/kf6-karchive.spec @@ -5,7 +5,7 @@ Name: kf6-%{framework} Version: 6.23.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: KDE Frameworks 6 Tier 1 addon with archive functions License: LGPL-2.0-or-later AND BSD-2-Clause URL: https://invent.kde.org/frameworks/%{framework} diff --git a/specs/k/kf6-karchive/sources b/specs/k/kf6-karchive/sources index f5311c074ca..e95122e8fa0 100644 --- a/specs/k/kf6-karchive/sources +++ b/specs/k/kf6-karchive/sources 
@@ -1,2 +1,2 @@ -SHA512 (karchive-6.23.0.tar.xz) = dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a +SHA512 (karchive-6.23.0.tar.xz) = 28e10e9de84304a0d025fd1304738de2fc15812cbca33c77ed174e3ec614ebd4b2ff2896380b600f978682cdecdb464e1b8bd0abacde1d3d92197d18d6957cd8 SHA512 (karchive-6.23.0.tar.xz.sig) = 80c15a80cbc6c27ff49272e05ad4402e7c93b80f08aae9e2cef0a0159c111a4c0ffb6e093a7049d65fa1366c505f4326a674481438f2f7e19c8522fd657db28a diff --git a/specs/l/libabigail/libabigail.spec b/specs/l/libabigail/libabigail.spec index 37fe3810483..434fd8a74e4 100644 --- a/specs/l/libabigail/libabigail.spec +++ b/specs/l/libabigail/libabigail.spec @@ -9,7 +9,7 @@ Name: libabigail Version: 2.9 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Set of ABI analysis tools License: Apache-2.0 WITH LLVM-exception diff --git a/specs/l/libabigail/sources b/specs/l/libabigail/sources index 55e55c25342..ee4135f100d 100644 --- a/specs/l/libabigail/sources +++ b/specs/l/libabigail/sources @@ -1 +1 @@ -SHA512 (libabigail-2.9.tar.xz) = efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4 +SHA512 (libabigail-2.9.tar.xz) = 5bdf5ec49a5931a61bf28317b41eee583d6277d00ac621b2d2a97bbc0d816c3662bcfe13a5ac7aeee11c947afb69a5a0a9a8015fcebad09965b45af9b1e23606 diff --git a/specs/l/libkml/libkml.spec b/specs/l/libkml/libkml.spec index 29ef1f3f97b..9491881b787 100644 --- a/specs/l/libkml/libkml.spec +++ b/specs/l/libkml/libkml.spec @@ -17,7 +17,7 @@ Name: libkml Version: 1.3.0 -Release: 59%{?dist} +Release: 60%{?dist} Summary: Reference implementation of OGC KML 2.2 License: BSD-3-Clause diff --git a/specs/l/libkml/sources b/specs/l/libkml/sources index 81346c35975..be7d6042fc8 100644 --- a/specs/l/libkml/sources +++ b/specs/l/libkml/sources 
@@ -1,2 +1,2 @@ -SHA512 (libkml-1.3.0.tar.gz) = 6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58 +SHA512 (libkml-1.3.0.tar.gz) = aa48158103d3af764bf98c1fb4cf3e1356b9cc6c8e79d80b96850916f0a8ccb1dac3a46427735dd0bf20647daa047d10e722ac3da2a214d4c1559bf6d5d7c853 SHA512 (minizip-1.3.0.tar.gz) = 4dab3635c09ba3f3832867b4e03ba9d45b6f1e87b98083a50164e6477b765c927fbf5256fe92860b38690f389ef6e07f56cba020b83bfee86e2b30afc816b906 diff --git a/specs/r/rubygem-pdf-reader/rubygem-pdf-reader.spec b/specs/r/rubygem-pdf-reader/rubygem-pdf-reader.spec index 2f1385bb903..a69538e077a 100644 --- a/specs/r/rubygem-pdf-reader/rubygem-pdf-reader.spec +++ b/specs/r/rubygem-pdf-reader/rubygem-pdf-reader.spec @@ -5,7 +5,7 @@ Name: rubygem-%{gem_name} Version: 2.4.2 -Release: 12%{?dist} +Release: 13%{?dist} Summary: A library for accessing the content of PDF files License: MIT URL: https://github.com/yob/pdf-reader diff --git a/specs/r/rubygem-pdf-reader/sources b/specs/r/rubygem-pdf-reader/sources index 8672f0cb8fb..b6a9a666ff0 100644 --- a/specs/r/rubygem-pdf-reader/sources +++ b/specs/r/rubygem-pdf-reader/sources @@ -1,2 +1,2 @@ -SHA512 (pdf-reader-2.4.2-spec.txz) = 49de5d0e3bb8067101624ecc00a6e5f646a6dbdb4200343b15b1b268776e2248071056e7c73432a3b038130d7e8d5f81e9911742bc016272335bee18c51fd708 +SHA512 (pdf-reader-2.4.2-spec.txz) = 2421b51f1c8d8dbc23f9b542a1c0f32542667639c859656b44b67b34e0262a132d443419604469d7fb1ef7b2861401fd4f8fb7fb94bc14f8d11fc3c04abe3c3c SHA512 (pdf-reader-2.4.2.gem) = 746a22d871acf23f26557af87b6b9590bdb95df07a5307ed60c4c1dfa4ae9803035cd686c8d648cfc6b46725a5324410dc2e836efd170ed5231b60decd258a9a diff --git a/specs/y/yara/sources b/specs/y/yara/sources index 3010463b8ff..97951e017c9 100644 --- a/specs/y/yara/sources +++ b/specs/y/yara/sources 
@@ -1 +1 @@ -SHA512 (yara-4.5.4.tar.gz) = 94d4aab0466c847dd04313754767ba7d022bfcd5dba403a260c9a3ff76fb7a8e6d731ad08e40d64e78169b034ae978fb03f617490aff25bf317b39402d7b646b +SHA512 (yara-4.5.4.tar.gz) = b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167 diff --git a/specs/y/yara/yara.spec b/specs/y/yara/yara.spec index 45d693623ce..4cec675e868 100644 --- a/specs/y/yara/yara.spec +++ b/specs/y/yara/yara.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.8.3) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 6; + release_number = 7; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -201,6 +201,10 @@ make check || ( %changelog ## START: Generated by rpmautospec +* Fri Jun 26 2026 Antonio Salinas - 4.5.4-7 +- refactor: replacing modify_sources script with toml driven archive + overlays + * Mon May 18 2026 Pawel Winogrodzki - 4.5.4-6 - fix(yara): strip 3 more oss-fuzz corpus fixtures flagged by fresh scan