Avoid build failures in some distros.
ERROR: Assert failed: systemd required but not found, please provide a valid systemd user generator dir or disable it
Fixes: 636fb5ef24 ('systemd: install initrd services using a generator')
Add a new public function nm_utils_copy_cert_as_user() to libnm. It
reads a certificate or key file on behalf of the given user and writes
it to a directory in /run/NetworkManager. It is useful for VPN plugins
that run as root and need to verify that the user owning the
connection (the one listed in the connection.permissions property) can
access the file.
This build option allowed non-admin users to create system-wide
connections. Generally, this is not a good idea as system-wide changes
should be done by administrators.
However, the main reason for the change is that this can be used to
bypass filesystem permissions, among possibly other attacks. As the
daemon runs as root, a user can create a system-wide connection that
uses a certificate from a different user to authenticate in a WiFi
network protected with 802.1X or a VPN, because as root user the daemon
can access to the file.
This patch does not completely fix the issue, as users can still create
private connections specifying a path to another user's connection. This
will be addressed in other patch. However, this patch is needed too,
because in system-wide connections we don't store which user created the
connection, so there woudn't be any way to check his/her permissions.
This is part of the fix for CVE-2025-9615
See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809
It has been deprecated for a long time, so it would be probably
fine to stop building with it enabled. RHEL 9 is excluded since
it still supports the ifcfg-rh format.
Since both `NetworkManager.service` and `NetworkManager-initrd.service` are
allocated for the same bus name (`org.freedesktop.NetworkManager`) and this is
not allowed, the best option is to use a systemd generator to install them only
in the initrd, instead of setting fixed Install sections.
Fixes#1814
The URL to the tarball needs the git tag, that might be 1.54-rc1 instead
of 1.53.90. Allow to define it as a separate variable in the spec file.
It can be set as `git_tag_version %{real_version}` when they are
identical.
It is not really needed here in the upstream spec file, as the "Source"
line is commented out, but add it as a reference for donwstream spec
files.
It appears that xsltproc is not installed there. It is generally needed
for the docs build too, so as a crude CI heuristic, don't build anywhere
that docs are disabled.
They cannot be used yet as Dracut need changes. They are not really
tested, neither, so better not to install them as they might cause
confusion about their purpose.
Decouple from a specific initrd generator (dracut) the systemd services that
provide networking in the initrd using NM, thus allowing other systemd-based
initrd generators to take advantage of it.
These new services are:
- `NetworkManager-config-initrd.service`: it starts very early at boot, parses
the kernel command line using `nm-initrd-generator` and sets the
`/run/NetworkManager/initrd/neednet` flag to activate the other initrd services,
and also sets the hostname if needed.
- `NetworkManager-initrd.service`: it basically does the same job as the
`NetworkManager.service`, but in the initrd.
- `NetworkManager-wait-online-initrd.service`: ordered before
`network-online.target`, it will allow other services that require networking to
delay their start until NM has finished.
Now "fedpkg prep" command is generating a directory with the "-build"
suffix containing the build directory inside. We need to extract it.
Real example:
If the script is used for a branch related to nm-1-46, the "fedpkg prep"
command will generate a NetworkManager-1.46-build/ directory containing
the NetworkManager-1.46/ sources directory. We just need to move the
NetworkManager-1.46/ out.
The regex for "Fixes" also matches with "Ignore-Fixes", so the commit is
added twice and then removed only once by the "Ignore-Fixes". It still
remains once in the list of commits to backport, making that
"Ignore-Fixes" does not work. Fix it.
Now we are using scheduled pipelines for various purposes like
regenerating the container images and triage the issues and MRs. That
means that the last pipeline ran for main might not be the pipeline with
the jobs building and testing the code.
Use `source=push` to retrieve only pipelines that are not scheduled.
The help text is read from the comments at the top of the script itself.
However, to detect what lines belongs to the help text, a range was
defined as:
- Start: any line starting with `# `
- End: any line starting `# Run with --no-test`
If any later line starts with `# ` is considered as a new matching
range, and from it to the end of the file is printed too.
Fix it by defining the range:
- Start: line 2
- End: blank line
GNOME has changed the process to publish releases to download.gnome.org.
Now, it is required to do it from the CI of projects hosted in GNOME's
repositories.
As we don't have the project hosted there, we have 2 options:
- Create a mirror and set up the CI so we continue using
download.gnome.org.
- Stop publishing the tarballs there and do it in gitlab.freedesktop.org
from now on.
After a brief discussion we have decided that the second makes more
sense, so adapt release.sh to do that.
https://discourse.gnome.org/t/gnome-release-service-ftpadmin-replacement-coming-11th-december/25487https://handbook.gnome.org/maintainers/making-a-release.html
NetworkManager relies on the ping command provided by `/usr/bin/ping`
from the iputils package to proceed the gateway or ip addresses
connectivity check. This change ensures that iputils is recommended as a
dependency, making the ping command available for use during runtime but
not enforcing its installation as mandatory since NM can still proceed
to activate the connection even if the ping operation failed.
Since NMSettingIPConfig is an abstract type that cannot be
instantiated, the overrides for the direct properties are defined on
the subclasses (NMSettingIP4Config and NMSettingIP6Config).
Silence the warning about using direct properties.
