- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking

- Revert noarch for devel subpackage
  Switching to noarch causes issues on SLES maintenance updates, reverting it
  fixes our image builds

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
  symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
  <https://github.com/moby/buildkit/pull/5060>. bsc#1221916
  + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
  future Docker starts failing due to empty files. Backport of
  <https://github.com/moby/moby/pull/48034>. bsc#1214855
  + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.

- Update to version 055+suse.388.g70c21afa:
  * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
  * fix(mdraid): try to assemble the missing raid device (bsc#1226412)
  * fix(dracut-install): continue parsing if ldd prints "cannot be preloaded" (bsc#1208690)

- Fix vulnerabilities in GSS message token handling, add patch
  0011-Fix-vulnerabilities-in-GSS-message-token-handling.patch
  * CVE-2024-37370, bsc#1227186
  * CVE-2024-37371, bsc#1227187

- Added oniguruma-6.8.2-CVE-2019-13225-fix.patch (boo#1141157 CVE-2019-13225)
  oniguruma: null-pointer dereference in match_at() in regexec.c

- Update version to 1.11
  - Added uname as collector
  - Added SAP workload detection
  - Added detection of container runtimes
  - Multiple fixes on ARM64 detection
  - Use `read_values` for the CPU collector on Z
  - Fixed data collection for ppc64le
  - Grab the home directory from /etc/passwd if needed (bsc#1226128)

- Update version to 1.10.0
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather then one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed
    up and restored if a zypper-migration rollback happens. (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation

- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
  xmlHTMLPrintFileContext in xmllint.c
  * Added libxml2-CVE-2024-34459.patch

- bsc#1228770: Fix not copying of skel files
  Update shadow-CVE-2013-4235.patch

- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Add shadow-CVE-2013-4235.patch

- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
  depends on it and will create a broken, empty config, if sed is
  missing (bsc#1227918)

- update to NSS 3.101.2
  * bmo#1905691 - ChaChaXor to return after the function

- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
  bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
  nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
  bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
  bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.

- update to NSS 3.101.1
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
  * bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
  * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
  * bmo#1899883 - fix formatting issues.
  * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
  * bmo#1899593 - remove invalid acvp fuzz test vectors.
  * bmo#1898830 - pad short P-384 and P-521 signatures gtests.
  * bmo#1898627 - remove unused FreeBL ECC code.
  * bmo#1898830 - pad short P-384 and P-521 signatures.
  * bmo#1898825 - be less strict about ECDSA private key length.
  * bmo#1854439 - Integrate HACL* P-521.
  * bmo#1854438 - Integrate HACL* P-384.
  * bmo#1898074 - memory leak in create_objects_from_handles.
  * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1748105 - clean up escape handling
  * bmo#1896353 - Use lib::pkix as default validator instead of the old-one
  * bmo#1827444 - Need to add high level support for PQ signing.
  * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
  * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
  * bmo#1793811 - Implement support for PBMAC1 in PKCS#12
  * bmo#1897487 - disable VLA warnings for fuzz builds.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
  * bmo#215997  - Clang-formatting of SEC_GetMgfTypeByOidTag update
  * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
  * bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
  - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
    faster Xyber operations.
  - bmo#1893752 - remove ckcapi.
  - bmo#1893162 - avoid a potential PK11GenericObject memory leak.
  - bmo#671060  - Remove incomplete ESDH code.
  - bmo#215997  - Decrypt RSA OAEP encrypted messages.
  - bmo#1887996 - Fix certutil CRLDP URI code.
  - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  - bmo#676118  - Add ability to encrypt and decrypt CMS messages using ECDH.
  - bmo#676100  - Correct Templates for key agreement in smime/cmsasn.c.
  - bmo#1548723 - Moving the decodedCert allocation to NSS.
  - bmo#1885404 - Allow developers to speed up repeated local execution
    of NSS tests that depend on certificates.
- update to NSS 3.99
  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
    in TLS
  * bmo#1879513 - Certificate Compression: enabling the check that
    the compression was advertised
  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
    Global Root GC CA
  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
    `shutil.which` within `mach` in `nss`
  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
    support Certificate compression
  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
    for constant-time execution tests
  * bmo#1870673 - Set nssckbi version number to 2.66
  * bmo#1874017 - Add Telekom Security roots
  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
  * bmo#1865450 - Remove expired Security Communication RootCA1 root
  * bmo#1876179 - move keys to a slot that supports concatenation in
    PK11_ConcatSymKeys
  * bmo#1876800 - remove unmaintained tls-interop tests
  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
    flags
  * bmo#1874937 - bogo: add support for the -curves shim flag and
    update Kyber expectations
  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
  * bmo#1757758 - mozpkix: add option to ignore invalid subject
    alternative names
  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
  * bmo#1876390 - take ownership of ecckilla shims
  * bmo#1874458 - add valgrind annotations to freebl/ec.c
  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
  * bmo#1875506 - make Xyber768d00 opt-in by policy
  * bmo#1871631 - add libssl support for xyber768d00
  * bmo#1871630 - add PK11_ConcatSymKeys
  * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
  * bmo#1871152 - add a FreeBL API for Kyber
  * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
  * bmo#1835828 - Removing the calls to RSA Blind from loader.*
  * bmo#1874111 - fix worker type for level3 mac tasks
  * bmo#1835828 - RSA Blind implementation
  * bmo#1869642 - Remove DSA selftests
  * bmo#1873296 - read KWP testvectors from JSON
  * bmo#1822450 - Backed out changeset dcb174139e4f
  * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * bmo#1867408 - add a defensive check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
  explicit default trust flags" test needs longer than the allowed
  6 seconds on s390x
- update to NSS 3.95
  * bmo#1842932 - Bump builtins version number.
  * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
    Firmaprofesional CIF A62634068 root cert.
  * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
  * bmo#1850982 - Remove Camerfirma root certificates from NSS.
  * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
    Certificate.
  * bmo#1860670 - Add four Commscope root certificates to NSS.
  * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
  * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
  * bmo#1861728 - Include P-256 Scalar Validation from HACL*.
  * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
    256 ECC without DER wrapping at the softoken level
  * bmo#1837987 - Add means to provide library parameters to C_Initialize
  * bmo#1573097 - clang format
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
  * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
  * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
  * bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
  * bmo#1853737 - Updated code and commit ID for HACL*
  * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
    current NSS
  * bmo#1827303 - Softoken C_ calls should use system FIPS setting
    to select NSC_ or FC_ variants
  * bmo#1774659 - NSS needs a database tool that can dump the low level
    representation of the database
  * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
  * bmo#1852179 - avoid implicit conversion for ByteString
  * bmo#1818766 - update rust version for acvp docker
  * bmo#1852011 - Moving the init function of the mpi_ints before
    clean-up in ec.c
  * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
  * bmo#1840510 - Add ACVP test vectors to the repository
  * bmo#1849077 - Stop relying on std::basic_string<uint8_t>
  * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
  * bmo#1849471 - Update zlib in NSS to 1.3.
  * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
  * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
  * bmo#1822935 - Set nssckbi version number to 2.62
  * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
  * bmo#1839992 - Add 4 SSL.com Root CA certificates
  * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
  * bmo#1840437 - Add LAWtrust Root CA2 (4096)
  * bmo#1822936 - Remove E-Tugra Certification Authority root
  * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
  * bmo#1840505 - Remove Hongkong Post Root CA 1
  * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
  * bmo#1837431 - Implementation of the HW support check for ADX instruction
  * bmo#1836925 - Removing the support of Curve25519
  * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
  * bmo#1839327 - Adding args to enable-legacy-db build
  * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
    default trust flags"
  * bmo#1837617 - Initialize flags in slot structures
  * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
  * bmo#1829112 - Followup Fixes
  * bmo#1784253 - avoid processing unexpected inputs by checking for
    m_exptmod base sign
  * bmo#1826652 - add a limit check on order_k to avoid infinite loop
  * bmo#1834851 - Update HACL* to commit 5f6051d2
  * bmo#1753026 - add SHA3 to cryptohi and softoken
  * bmo#1753026 - HACL SHA3
  * bmo#1836781 - Disabling ASM C25519 for A but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch

- update to NSS 3.90.3
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1748105 - clean up escape handling.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1836925 - Disable ASM support for Curve25519.
  * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch

- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
  when using FIPS-mode (bsc#1223724).

- Added "Provides: nss" so other RPMs that require 'nss' can
  be installed (jira PED-6358).

- Added a fips-certified pattern matching the exact certified
  FIPS versions

- Add libexpat-2.6.0-backport.patch to fix compatibility with system
  libexpat in tests (bsc#1222075, CVE-2023-52425).

- Speed up salt.matcher.confirm_top by using __context__
- Do not call the async wrapper calls with the separate thread
- Prevent OOM with high amount of batch async calls (bsc#1216063)
- Add missing contextvars dependency in salt.version
- Skip tests for unsupported algorithm on old OpenSSL version
- Remove redundant `_file_find` call to the master
- Prevent possible exception in tornado.concurrent.Future._set_done
- Make reactor engine less blocking the EventPublisher
- Make salt-master self recoverable on killing EventPublisher
- Improve broken events catching and reporting
- Make logging calls lighter
- Remove unused import causing delays on starting salt-master
- Mark python3-CherryPy as recommended package for the testsuite
- Added:
  * skip-tests-for-unsupported-algorithm-on-old-openssl-.patch
  * make-reactor-engine-less-blocking-the-eventpublisher.patch
  * remove-unused-import-causing-delays-on-starting-salt.patch
  * make-logging-calls-lighter.patch
  * remove-redundant-_file_find-call-to-the-master.patch
  * prevent-possible-exception-in-tornado.concurrent.fut.patch
  * do-not-call-the-async-wrapper-calls-with-the-separat.patch
  * add-missing-contextvars-dependency-in-salt.version.patch
  * prevent-oom-with-high-amount-of-batch-async-calls-bs.patch
  * speed-up-salt.matcher.confirm_top-by-using-__context.patch
  * improve-broken-events-catching-and-reporting.patch
  * make-salt-master-self-recoverable-on-killing-eventpu.patch

- Add CVE-2024-37891.patch (bsc#1226469, CVE-2024-37891)

[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.13. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- Backport <https://github.com/opencontainers/runc/pull/3931> to fix a
  performance issue when running lots of containers, caused by system getting
  too many mount notifications. bsc#1214960
  + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch

n/a

n/a

n/a

n/a

n/a

n/a

n/a

- added missing ; in shell script (bsc#1227681)

- Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import
  them. (bsc#1227429)
  gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key
  gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key.

- Update to version 0.6.76
  - compat-suse: warn user and create missing parent config of
    infiniband children (gh#openSUSE/wicked#1027)
  - client: fix origin in loaded xml-config with obsolete port
    references but missing port interface config, causing a
    no-carrier of master (bsc#1226125)
  - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
  - wireless: add frequency-list in station mode (jsc#PED-8715)
  - client: fix crash while hierarchy traversing due to loop in
    e.g. systemd-nspawn containers (bsc#1226664)
  - man: add supported bonding options to ifcfg-bonding(5) man page
    (gh#openSUSE/wicked#1021)
  - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
  - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
  - client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
  - compat-suse: fix dummy type detection from ifname to not cause
    conflicts with e.g. correct vlan config on dummy0.42 interfaces
    (gh#openSUSE/wicked#1016)
  - compat-suse: fix infiniband and infiniband child type detection
    from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
  [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
  [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- xfs_copy: don't use cached buffer reads until after libxfs_mount
  (bsc#1227150)
  - Add xfsprogs-xfs_copy-don-t-use-cached-buffer-reads-until-after-l.patch