diff --git a/.gitignore b/.gitignore
index 0df9088..1d8d3e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/rpm-ostree-2019.3.tar.xz
+SOURCES/rpm-ostree-2019.6.tar.xz
diff --git a/.rpm-ostree.metadata b/.rpm-ostree.metadata
index d703be9..bb08118 100644
--- a/.rpm-ostree.metadata
+++ b/.rpm-ostree.metadata
@@ -1 +1 @@
-982c3b335debe04763c0b0b8769f7e43229beebc SOURCES/rpm-ostree-2019.3.tar.xz
+4394f32b43403577dd738675cbf8e28efbf8866f SOURCES/rpm-ostree-2019.6.tar.xz
diff --git a/SOURCES/0001-app-status-Fix-printf-format-string-for-32-bit.patch b/SOURCES/0001-app-status-Fix-printf-format-string-for-32-bit.patch
new file mode 100644
index 0000000..a48c3ed
--- /dev/null
+++ b/SOURCES/0001-app-status-Fix-printf-format-string-for-32-bit.patch
@@ -0,0 +1,35 @@
+From 08c98eda94381f0147af5783960121574043fa5a Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Wed, 25 Sep 2019 12:42:59 -0400
+Subject: [PATCH] app/status: Fix printf format string for 32-bit
+
+Hit this when compiling in Koji.
+---
+ src/app/rpmostree-builtin-status.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/app/rpmostree-builtin-status.c b/src/app/rpmostree-builtin-status.c
+index 2bc2c4b5..8b38fc83 100644
+--- a/src/app/rpmostree-builtin-status.c
++++ b/src/app/rpmostree-builtin-status.c
+@@ -1119,7 +1119,7 @@ fetch_history_deployment_gvariant (RORHistoryEntry *entry,
+ GError **error)
+ {
+ g_autofree char *fn =
+- g_strdup_printf ("%s/%lu", RPMOSTREE_HISTORY_DIR, entry->deploy_timestamp);
++ g_strdup_printf ("%s/%" PRIu64, RPMOSTREE_HISTORY_DIR, entry->deploy_timestamp);
+
+ *out_deployment = NULL;
+
+@@ -1165,7 +1165,7 @@ print_history_entry (RORHistoryEntry *entry,
+ print_timestamp_and_relative ("BootTimestamp", entry->last_boot_timestamp);
+ if (entry->boot_count > 1)
+ {
+- g_print ("%s BootCount: %lu; first booted on ",
++ g_print ("%s BootCount: %" PRIu64 "; first booted on ",
+ libsd_special_glyph (TREE_RIGHT), entry->boot_count);
+ print_timestamp_and_relative (NULL, entry->first_boot_timestamp);
+ }
+--
+2.21.0
+
diff --git a/SOURCES/0001-libpriv-kernel-Use-g_build_filename-instead-of-g_str.patch b/SOURCES/0001-libpriv-kernel-Use-g_build_filename-instead-of-g_str.patch
new file mode 100644
index 0000000..6965c4b
--- /dev/null
+++ b/SOURCES/0001-libpriv-kernel-Use-g_build_filename-instead-of-g_str.patch
@@ -0,0 +1,47 @@
+From 6aa496e3128321f911dae10bf1a0f32c5e9a11fd Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Tue, 29 Oct 2019 16:38:56 -0400
+Subject: [PATCH 1/2] libpriv/kernel: Use g_build_filename instead of
+ g_strconcat
+
+It's much easier to mess up with the latter than the former when
+building filenames. There's a bunch more all over the codebase; just did
+this bit to be consistent with the next commit which also uses it.
+---
+ src/libpriv/rpmostree-kernel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/libpriv/rpmostree-kernel.c b/src/libpriv/rpmostree-kernel.c
+index 9eb052bd..2266f9c7 100644
+--- a/src/libpriv/rpmostree-kernel.c
++++ b/src/libpriv/rpmostree-kernel.c
+@@ -353,7 +353,7 @@ rpmostree_finalize_kernel (int rootfs_dfd,
+ GError **error)
+ {
+ const char slash_bootdir[] = "boot";
+- g_autofree char *modules_bootdir = g_strconcat ("usr/lib/modules/", kver, NULL);
++ g_autofree char *modules_bootdir = g_build_filename ("usr/lib/modules", kver, NULL);
+
+ /* Calculate the sha256sum of the kernel+initramfs (called the "boot
+ * checksum"). We checksum the initramfs from the tmpfile fd (via mmap()) to
+@@ -371,7 +371,7 @@ rpmostree_finalize_kernel (int rootfs_dfd,
+ }
+ const char *boot_checksum_str = g_checksum_get_string (boot_checksum);
+
+- g_autofree char *kernel_modules_path = g_strconcat (modules_bootdir, "/vmlinuz", NULL);;
++ g_autofree char *kernel_modules_path = g_build_filename (modules_bootdir, "vmlinuz", NULL);
+ /* It's possible the bootdir is already the modules directory; in that case,
+ * we don't need to rename.
+ */
+@@ -394,7 +394,7 @@ rpmostree_finalize_kernel (int rootfs_dfd,
+ }
+
+ /* Replace the initramfs */
+- g_autofree char *initramfs_modules_path = g_strconcat (modules_bootdir, "/initramfs.img", NULL);
++ g_autofree char *initramfs_modules_path = g_build_filename (modules_bootdir, "initramfs.img", NULL);
+ if (unlinkat (rootfs_dfd, initramfs_modules_path, 0) < 0)
+ {
+ if (errno != ENOENT)
+--
+2.21.0
+
diff --git a/SOURCES/0001-libpriv-kernel-add-cap_mknod-to-dracut-run.patch b/SOURCES/0001-libpriv-kernel-add-cap_mknod-to-dracut-run.patch
new file mode 100644
index 0000000..bbe19f6
--- /dev/null
+++ b/SOURCES/0001-libpriv-kernel-add-cap_mknod-to-dracut-run.patch
@@ -0,0 +1,43 @@
+From 3b8a1ec6c400a4e5af0f7f5889b360d2ed16f572 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Tue, 3 Dec 2019 21:36:40 -0500
+Subject: [PATCH] libpriv/kernel: add cap_mknod to dracut run
+
+A lot of history with this. But essentially, dracut tries to `mknod` a
+few character devices like `/dev/random` and `/dev/urandom` and fails.
+
+We originally blocked `cap_mknod` because, well, `%post` scripts don't
+really need to do that, and it would get wiped anyway. But there is a
+use case for dracut's CPIO: we want `/dev/*random` to be available in
+early boot *before* systemd even mounts `devtmpfs` because libgcrypt as
+part of its constructor-time selftests in FIPS mode wants to read from
+there.
+
+For more fun, see:
+https://bugzilla.redhat.com/show_bug.cgi?id=1778940
+https://bugzilla.redhat.com/show_bug.cgi?id=1401444
+https://bugzilla.redhat.com/show_bug.cgi?id=1380866
+---
+ src/libpriv/rpmostree-kernel.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/libpriv/rpmostree-kernel.c b/src/libpriv/rpmostree-kernel.c
+index 2bea504c..a7fffcb6 100644
+--- a/src/libpriv/rpmostree-kernel.c
++++ b/src/libpriv/rpmostree-kernel.c
+@@ -564,6 +564,12 @@ rpmostree_run_dracut (int rootfs_dfd,
+ rpmostree_bwrap_bind_read (bwrap, "usr", "/usr");
+ }
+
++ /* Need to let dracut create devices like /dev/urandom:
++ * https://bugzilla.redhat.com/show_bug.cgi?id=1778940
++ * https://bugzilla.redhat.com/show_bug.cgi?id=1401444
++ * https://bugzilla.redhat.com/show_bug.cgi?id=1380866 */
++ rpmostree_bwrap_append_bwrap_argv (bwrap, "--cap-add", "cap_mknod", NULL);
++
+ if (dracut_host_tmpdir)
+ rpmostree_bwrap_bind_readwrite (bwrap, dracut_host_tmpdir->path, "/tmp/dracut");
+
+--
+2.23.0
+
diff --git a/SOURCES/0001-rebase-Support-identical-checksum-rebases.patch b/SOURCES/0001-rebase-Support-identical-checksum-rebases.patch
deleted file mode 100644
index cd1addc..0000000
--- a/SOURCES/0001-rebase-Support-identical-checksum-rebases.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 76ae779635afcd3984dedc57fa7c0e80c6410bba Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Fri, 29 Mar 2019 14:39:34 +0000
-Subject: [PATCH] rebase: Support identical checksum rebases
-
-Change things to only throw this error for non-checksum rebases; for
-RHEL CoreOS + https://github.com/openshift/pivot/
-we've had it happen that the same ostree commit can end up
-in separate oscontainers. We want to support changing
-the custom origin that might point to the same commit.
----
- src/daemon/rpmostreed-transaction-types.c | 12 +++++++++---
- src/daemon/rpmostreed-utils.c | 10 ----------
- 2 files changed, 9 insertions(+), 13 deletions(-)
-
-diff --git a/src/daemon/rpmostreed-transaction-types.c b/src/daemon/rpmostreed-transaction-types.c
-index 9edfeecb..86112d1b 100644
---- a/src/daemon/rpmostreed-transaction-types.c
-+++ b/src/daemon/rpmostreed-transaction-types.c
-@@ -100,9 +100,6 @@ change_origin_refspec (GVariantDict *options,
- error))
- return FALSE;
-
-- if (strcmp (current_refspec, new_refspec) == 0)
-- return glnx_throw (error, "Old and new refs are equal: %s", new_refspec);
--
- /* Re-classify after canonicalization to ensure we handle TYPE_CHECKSUM */
- if (!rpmostree_refspec_classify (new_refspec, &refspectype, &refspecdata, error))
- return FALSE;
-@@ -128,6 +125,15 @@ change_origin_refspec (GVariantDict *options,
- }
- else
- {
-+ /* We only throw this error for non-checksum rebases; for
-+ * RHEL CoreOS + https://github.com/openshift/pivot/
-+ * we've had it happen that the same ostree commit can end up
-+ * in separate oscontainers. We want to support changing
-+ * the custom origin that might point to the same commit.
-+ */
-+ if (strcmp (current_refspec, new_refspec) == 0)
-+ return glnx_throw (error, "Old and new refs are equal: %s", new_refspec);
-+
- if (!rpmostree_origin_set_rebase (origin, new_refspec, error))
- return FALSE;
- }
-diff --git a/src/daemon/rpmostreed-utils.c b/src/daemon/rpmostreed-utils.c
-index 686965a3..19b45a01 100644
---- a/src/daemon/rpmostreed-utils.c
-+++ b/src/daemon/rpmostreed-utils.c
-@@ -202,16 +202,6 @@ rpmostreed_refspec_parse_partial (const gchar *new_provided_refspec,
- }
- }
-
-- if (g_strcmp0 (origin_remote, remote) == 0 &&
-- g_strcmp0 (origin_ref, ref) == 0)
-- {
-- g_set_error (error, RPM_OSTREED_ERROR,
-- RPM_OSTREED_ERROR_INVALID_REFSPEC,
-- "Old and new refs are equal: %s:%s",
-- remote, ref);
-- return FALSE;
-- }
--
- if (remote == NULL)
- *out_refspec = g_steal_pointer (&ref);
- else
---
-2.20.1
-
diff --git a/SOURCES/0001-unpacker-Build-with-older-libarchive-without-zstd.patch b/SOURCES/0001-unpacker-Build-with-older-libarchive-without-zstd.patch
new file mode 100644
index 0000000..0e993bb
--- /dev/null
+++ b/SOURCES/0001-unpacker-Build-with-older-libarchive-without-zstd.patch
@@ -0,0 +1,43 @@
+From 11ee20c1cdcc7a76d9e1047e8063b8349a6c6da6 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Tue, 15 Oct 2019 15:16:06 +0000
+Subject: [PATCH] unpacker: Build with older libarchive without zstd
+
+It's not in RHEL8.1, and I'm trying to rebase rpm-ostree.
+---
+ configure.ac | 4 ++++
+ src/libpriv/rpmostree-unpacker-core.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 873dc6b9..a0c5cce4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -122,6 +122,10 @@ dnl bundled libdnf
+ PKGDEP_RPMOSTREE_CFLAGS="-I $(pwd)/libdnf -I $(pwd)/libdnf-build $PKGDEP_RPMOSTREE_CFLAGS"
+ PKGDEP_RPMOSTREE_LIBS="-L$(pwd)/libdnf-build/libdnf -ldnf $PKGDEP_RPMOSTREE_LIBS"
+
++dnl RHEL8.1 has old libarchive
++AS_IF([pkg-config --atleast-version=3.3.3 libarchive],
++ [AC_DEFINE([HAVE_LIBARCHIVE_ZSTD], 1, [Define if we have libarchive with zstd])])
++
+ dnl This is the current version in Fedora 25.
+ AS_IF([pkg-config --atleast-version=4.14.2 rpm], [], [AC_MSG_ERROR([librpm 4.14.2 required])])
+
+diff --git a/src/libpriv/rpmostree-unpacker-core.c b/src/libpriv/rpmostree-unpacker-core.c
+index 3bd574a4..2d741b1e 100644
+--- a/src/libpriv/rpmostree-unpacker-core.c
++++ b/src/libpriv/rpmostree-unpacker-core.c
+@@ -74,7 +74,9 @@ rpmostree_unpack_rpm2cpio (int fd, GError **error)
+ archive_read_support_filter_gzip,
+ archive_read_support_filter_xz,
+ archive_read_support_filter_bzip2,
++#ifdef HAVE_LIBARCHIVE_ZSTD
+ archive_read_support_filter_zstd,
++#endif
+ archive_read_support_format_cpio };
+
+ for (i = 0; i < G_N_ELEMENTS (archive_setup_funcs); i++)
+--
+2.21.0
+
diff --git a/SOURCES/0002-libpriv-kernel-Hack-around-vmlinuz-path-in-HMAC-file.patch b/SOURCES/0002-libpriv-kernel-Hack-around-vmlinuz-path-in-HMAC-file.patch
new file mode 100644
index 0000000..c797777
--- /dev/null
+++ b/SOURCES/0002-libpriv-kernel-Hack-around-vmlinuz-path-in-HMAC-file.patch
@@ -0,0 +1,66 @@
+From fec61ce5778910bac7779191ee8deeb0a24593c8 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Tue, 29 Oct 2019 16:40:39 -0400
+Subject: [PATCH 2/2] libpriv/kernel: Hack around vmlinuz path in HMAC file
+
+As mentioned in the comment block:
+
+```
+If there's an HMAC file, fix the path to the kernel in it to be
+relative. Right now, the kernel spec encodes `/boot/vmlinux-$kver`,
+which of course not going to work for us. We should work towards making
+this change directly into the kernel spec.
+```
+
+For background, see this comment and following:
+https://github.com/ostreedev/ostree/pull/1962#issuecomment-547488164
+---
+ src/libpriv/rpmostree-kernel.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/src/libpriv/rpmostree-kernel.c b/src/libpriv/rpmostree-kernel.c
+index 2266f9c7..2bea504c 100644
+--- a/src/libpriv/rpmostree-kernel.c
++++ b/src/libpriv/rpmostree-kernel.c
+@@ -393,6 +393,38 @@ rpmostree_finalize_kernel (int rootfs_dfd,
+ return glnx_throw_errno_prefix (error, "linkat(%s)", kernel_modules_path);
+ }
+
++ /* If there's an HMAC file, fix the path to the kernel in it to be relative. Right now,
++ * the kernel spec encodes `/boot/vmlinux-$kver`, which of course not going to work for
++ * us. We should work towards making this change directly into the kernel spec. */
++ g_autofree char *hmac_path = g_build_filename (modules_bootdir, ".vmlinuz.hmac", NULL);
++ if (!glnx_fstatat_allow_noent (rootfs_dfd, hmac_path, NULL, 0, error))
++ return FALSE;
++ if (errno == 0)
++ {
++ g_autofree char *contents = glnx_file_get_contents_utf8_at (rootfs_dfd, hmac_path,
++ NULL, cancellable, error);
++ if (contents == NULL)
++ return FALSE;
++
++ /* rather than trying to parse and understand the *sum format, just hackily replace */
++ g_autofree char *old_path = g_strconcat (" /boot/vmlinuz-", kver, NULL);
++ g_autofree char *new_path = g_strconcat (" vmlinuz-", kver, NULL);
++ g_autofree char *new_contents =
++ rpmostree_str_replace (contents, old_path, new_path, error);
++ if (!new_contents)
++ return FALSE;
++
++ /* sanity check there are no '/' in there; that way too we just error out if the path
++ * or format changes (but really, this should be a temporary hack...) */
++ if (strchr (new_contents, '/') != 0)
++ return glnx_throw (error, "Unexpected / in .vmlinuz.hmac: %s", new_contents);
++
++ if (!glnx_file_replace_contents_at (rootfs_dfd, hmac_path,
++ (guint8*)new_contents, -1, 0,
++ cancellable, error))
++ return FALSE;
++ }
++
+ /* Replace the initramfs */
+ g_autofree char *initramfs_modules_path = g_build_filename (modules_bootdir, "initramfs.img", NULL);
+ if (unlinkat (rootfs_dfd, initramfs_modules_path, 0) < 0)
+--
+2.21.0
+
diff --git a/SPECS/rpm-ostree.spec b/SPECS/rpm-ostree.spec
index 47c267e..684a92d 100644
--- a/SPECS/rpm-ostree.spec
+++ b/SPECS/rpm-ostree.spec
@@ -1,15 +1,23 @@
+# The canonical copy of this spec file is upstream at:
+# https://github.com/projectatomic/rpm-ostree/blob/master/packaging/rpm-ostree.spec.in
+
Summary: Hybrid image/package system
Name: rpm-ostree
-Version: 2019.3
-Release: 3%{?dist}
+Version: 2019.6
+Release: 6%{?dist}
#VCS: https://github.com/cgwalters/rpm-ostree
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
# in the upstream git. If rust is enabled, it contains vendored sources.
Source0: rpm-ostree-%{version}.tar.xz
-Patch0: 0001-rebase-Support-identical-checksum-rebases.patch
License: LGPLv2+
URL: https://github.com/projectatomic/rpm-ostree
+Patch0: 0001-app-status-Fix-printf-format-string-for-32-bit.patch
+Patch1: 0001-unpacker-Build-with-older-libarchive-without-zstd.patch
+Patch2: 0001-libpriv-kernel-Use-g_build_filename-instead-of-g_str.patch
+Patch3: 0002-libpriv-kernel-Hack-around-vmlinuz-path-in-HMAC-file.patch
+Patch4: 0001-libpriv-kernel-add-cap_mknod-to-dracut-run.patch
+
%if !%{defined rust_arches}
# It's not defined yet in the base CentOS7 root
%define rust_arches x86_64 i686 armv7hl aarch64 ppc64 ppc64le s390x
@@ -37,7 +45,7 @@ BuildRequires: gnome-common
BuildRequires: /usr/bin/g-ir-scanner
# Core requirements
# One way to check this: `objdump -p /path/to/rpm-ostree | grep LIBOSTREE` and pick the highest (though that might miss e.g. new struct members)
-BuildRequires: pkgconfig(ostree-1) >= 2018.9
+BuildRequires: pkgconfig(ostree-1) >= 2019.2
BuildRequires: pkgconfig(polkit-gobject-1)
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(rpm)
@@ -79,7 +87,7 @@ BuildRequires: pkgconfig(sqlite3)
BuildRequires: pkgconfig(smartcols)
BuildRequires: gpgme-devel
-Requires: libmodulemd%{?_isa} >= %{libmodulemd_version}
+Requires: libmodulemd1%{?_isa} >= %{libmodulemd_version}
# For now...see https://github.com/projectatomic/rpm-ostree/pull/637
# and https://github.com/fedora-infra/fedmsg-atomic-composer/pull/17
@@ -154,7 +162,7 @@ $PYTHON autofiles.py > files \
'%{_bindir}/*' \
'%{_libdir}/%{name}' \
'%{_mandir}/man*/*' \
- '%{_sysconfdir}/dbus-1/system.d/*' \
+ '%{_datadir}/dbus-1/system.d/*' \
'%{_sysconfdir}/rpm-ostreed.conf' \
'%{_prefix}/lib/systemd/system/*' \
'%{_libexecdir}/rpm-ostree*' \
@@ -175,13 +183,28 @@ $PYTHON autofiles.py > files.devel \
'%{_datadir}/gir-1.0/*-1.0.gir'
%files -f files
-%doc COPYING README.md
+%doc COPYING.GPL COPYING.LGPL LICENSE README.md
%files libs -f files.lib
%files devel -f files.devel
%changelog
+* Thu Dec 05 2019 Jonathan Lebon <jlebon@redhat.com> - 2019.6-6
+- Backport dracut mknod patch for FIPS:
+ https://github.com/coreos/rpm-ostree/pull/1946
+
+* Thu Oct 31 2019 Jonathan Lebon <jlebon@redhat.com> - 2019.6-5
+- Backport HMAC patch for FIPS:
+ https://github.com/coreos/rpm-ostree/pull/1934
+
+* Fri Oct 18 2019 Colin Walters <walters@verbum.org> - 2019.6-4
+- Backport zchunk patch
+
+* Tue Oct 15 2019 Colin Walters <walters@verbum.org> - 2019.6-3
+- https://github.com/coreos/rpm-ostree/releases/tag/v20196
+- Backport zstd patch
+
* Fri May 17 2019 Jonathan Lebon <jlebon@redhat.com> - 2019.3-3
- Rebuild for rhel-8.1.0 branch