diff --git a/SOURCES/0001-Add-limits-to-autopatch-macro.patch b/SOURCES/0001-Add-limits-to-autopatch-macro.patch
new file mode 100644
index 0000000..3235922
--- /dev/null
+++ b/SOURCES/0001-Add-limits-to-autopatch-macro.patch
@@ -0,0 +1,44 @@
+From f00bb5be9caa62220c6aeaf3f7264840d5c089e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 5 Feb 2019 18:15:47 +0100
+Subject: [PATCH] Add limits to autopatch macro
+
+Limits allow to apply only range of patches with given parameters.
+Useful if something needs to be done between patch sets. Allows applying
+of patches with different -pX parameter in one spec file.
+
+Resolves: #626
+Co-authored-by: Florian Festi <ffesti@redhat.com>
+---
+ macros.in | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/macros.in b/macros.in
+index 7b5b63020..912ad5997 100644
+--- a/macros.in
++++ b/macros.in
+@@ -1265,11 +1265,19 @@ else\
+ end}
+
+ # Automatically apply all patches
+-%autopatch(vp:)\
++# -m<min> Apply patches with number >= min only
++# -M<max> Apply patches with number <= max only
++%autopatch(vp:m:M:)\
+ %{lua:\
+ local options = rpm.expand("%{!-v:-q} %{-p:-p%{-p*}} ")\
++local low_limit = tonumber(rpm.expand("%{-m:%{-m*}}"))\
++local high_limit = tonumber(rpm.expand("%{-M:%{-M*}}"))\
+ for i, p in ipairs(patches) do\
+- print(rpm.expand("%apply_patch -m %{basename:"..p.."} "..options..p.." "..i.."\\n"))\
++ local inum = patch_nums[i]\
++ if ((not low_limit or inum>=low_limit) and (not high_limit or inum<=high_limit)) \
++ then\
++ print(rpm.expand("%apply_patch -m %{basename:"..p.."} "..options..p.." "..i.."\\n")) \
++ end\
+ end}
+
+ # One macro to (optionally) do it all.
+--
+2.26.2
+
diff --git a/SOURCES/0001-Always-close-libelf-handle-1313.patch b/SOURCES/0001-Always-close-libelf-handle-1313.patch
new file mode 100644
index 0000000..81a1296
--- /dev/null
+++ b/SOURCES/0001-Always-close-libelf-handle-1313.patch
@@ -0,0 +1,32 @@
+From 38c03ddb18e86c84d89af695f72442d8365eb64e Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Tue, 21 Jul 2020 10:45:20 +0200
+Subject: [PATCH] Always close libelf handle (#1313)
+
+Otherwise executables that are not proper elf files are leaking libelf
+handles. This results in file being left open (mmap'ed) and fails the
+build on NFS as those files can't be deleted properly there.
+
+Resolves: rhbz#1840728
+See also: https://bugzilla.redhat.com/show_bug.cgi?id=1840728
+---
+ build/files.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/build/files.c b/build/files.c
+index f675306f7..62489c07c 100644
+--- a/build/files.c
++++ b/build/files.c
+@@ -1935,8 +1935,8 @@ static int generateBuildIDs(FileList fl, ARGV_t *files)
+ if (terminate)
+ rc = 1;
+ }
+- elf_end (elf);
+ }
++ elf_end (elf);
+ close (fd);
+ }
+ }
+--
+2.26.2
+
diff --git a/SOURCES/0001-Fix-python-ts.addErase-not-raising-exception-on-not-.patch b/SOURCES/0001-Fix-python-ts.addErase-not-raising-exception-on-not-.patch
new file mode 100644
index 0000000..809f065
--- /dev/null
+++ b/SOURCES/0001-Fix-python-ts.addErase-not-raising-exception-on-not-.patch
@@ -0,0 +1,102 @@
+From 60066aba510b3ff4a7db092021aae71948e3f8be Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 4 Jun 2020 11:18:01 +0300
+Subject: [PATCH] Fix python ts.addErase() not raising exception on not-found
+ packages
+
+The code would only raise an exception if TransactionSetCore.addErase()
+returned an error, but the catch is that with many kinds of argument
+types we'd silently skip the whole addition because no headers were found.
+This looks to be a regression introduced some eleven years ago in
+commit 9b20c706a4f93266450fae2f94007343b2e8fd9e.
+
+As a special case, a match iterator argument will not raise an exception
+if it doesn't actually match anything.
+
+Fixes: #1214
+---
+ python/rpm/transaction.py | 26 +++++++++++++++-----------
+ tests/rpmpython.at | 22 ++++++++++++++++++++++
+ 2 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/python/rpm/transaction.py b/python/rpm/transaction.py
+index 7c4a551d3..3c9ddb207 100644
+--- a/python/rpm/transaction.py
++++ b/python/rpm/transaction.py
+@@ -91,14 +91,22 @@ class TransactionSet(TransactionSetCore):
+
+ def addErase(self, item):
+ hdrs = []
+- if isinstance(item, rpm.hdr):
+- hdrs = [item]
+- elif isinstance(item, rpm.mi):
++ # match iterators are passed on as-is
++ if isinstance(item, rpm.mi):
+ hdrs = item
+- elif isinstance(item, int):
+- hdrs = self.dbMatch(rpm.RPMDBI_PACKAGES, item)
+- elif isinstance(item, _string_types):
+- hdrs = self.dbMatch(rpm.RPMDBI_LABEL, item)
++ elif isinstance(item, rpm.hdr):
++ hdrs.append(item)
++ elif isinstance(item, (int, _string_types)):
++ if isinstance(item, int):
++ dbi = rpm.RPMDBI_PACKAGES
++ else:
++ dbi = rpm.RPMDBI_LABEL
++
++ for h in self.dbMatch(dbi, item):
++ hdrs.append(h)
++
++ if not hdrs:
++ raise rpm.error("package not installed")
+ else:
+ raise TypeError("invalid type %s" % type(item))
+
+@@ -106,10 +114,6 @@ class TransactionSet(TransactionSetCore):
+ if not TransactionSetCore.addErase(self, h):
+ raise rpm.error("package not installed")
+
+- # garbage collection should take care but just in case...
+- if isinstance(hdrs, rpm.mi):
+- del hdrs
+-
+ def run(self, callback, data):
+ rc = TransactionSetCore.run(self, callback, data, self._probFilter)
+
+diff --git a/tests/rpmpython.at b/tests/rpmpython.at
+index 3a7c251f1..de39c8417 100644
+--- a/tests/rpmpython.at
++++ b/tests/rpmpython.at
+@@ -201,6 +201,28 @@ for e in ts:
+ [foo-1.0-1.noarch]
+ )
+
++RPMPY_TEST([add erasure to transaction],[
++ts = rpm.ts()
++for i in ['foo', 1234]:
++ myprint('addErase %s' % i)
++ try:
++ ts.addErase(i)
++ except rpm.error as err:
++ myprint(err)
++myprint('addErase mi')
++mi = ts.dbMatch('name', 'foo')
++try:
++ ts.addErase(mi)
++except rpm.error as err:
++ myprint(err)
++],
++[addErase foo
++package not installed
++addErase 1234
++package not installed
++addErase mi]
++)
++
+ RPMPY_TEST([add bogus package to transaction 1],[
+ ts = rpm.ts()
+ h = rpm.hdr()
+--
+2.26.2
+
diff --git a/SOURCES/0001-Introduce-patch_nums-and-source_nums-Lua-variables-i.patch b/SOURCES/0001-Introduce-patch_nums-and-source_nums-Lua-variables-i.patch
new file mode 100644
index 0000000..ccf39e3
--- /dev/null
+++ b/SOURCES/0001-Introduce-patch_nums-and-source_nums-Lua-variables-i.patch
@@ -0,0 +1,63 @@
+From 9ad4b813483f8cf6c641f56387248b33b6dfc570 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 20 Feb 2019 15:28:30 +0200
+Subject: [PATCH] Introduce patch_nums and source_nums Lua variables in spec
+ context
+
+The pre-existing patches and sources variables only contains patch and
+source filenames, but for some purposes we need access to the associated
+patch/source number too. We could use the number as the table key, but
+that would make the table unsorted. That we could handle in our own
+macros, but would break compatibility for anybody doing custom stuff
+with these. So it seems best to just add parallel arrays sharing the
+same array indexes so that both values are as easily accessible,
+depending on the need.
+
+Inspired by Pascal "Pixel" Rigaux's similar patch in Mageia, which differs
+in that the number-arrays are indexed by the filename and is unordered.
+Compared to patches/sources this seemed against principle of least
+surprise, and is slightly more cumbersome int the case we want the number
+directly, such as in PR #626. The variable names differ so there
+is no incompatibility to that downstream patch introduced.
+---
+ build/parsePreamble.c | 9 +++++++++
+ build/spec.c | 3 ++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/build/parsePreamble.c b/build/parsePreamble.c
+index 812c41f9f..9520bac4b 100644
+--- a/build/parsePreamble.c
++++ b/build/parsePreamble.c
+@@ -322,6 +322,15 @@ static int addSource(rpmSpec spec, Package pkg, const char *field, rpmTagVal tag
+ rpmluaSetVar(lua, var);
+ rpmluavFree(var);
+ rpmluaPop(lua);
++
++ what = (flag & RPMBUILD_ISPATCH) ? "patch_nums" : "source_nums";
++ rpmluaPushTable(lua, what);
++ var = rpmluavNew();
++ rpmluavSetListMode(var, 1);
++ rpmluavSetValueNum(var, p->num);
++ rpmluaSetVar(lua, var);
++ rpmluavFree(var);
++ rpmluaPop(lua);
+ }
+ #endif
+ free(body);
+diff --git a/build/spec.c b/build/spec.c
+index 80eaca611..55095c6ce 100644
+--- a/build/spec.c
++++ b/build/spec.c
+@@ -305,7 +305,8 @@ rpmSpec newSpec(void)
+ #ifdef WITH_LUA
+ /* make sure patches and sources tables always exist */
+ rpmlua lua = NULL; /* global state */
+- const char * luavars[] = { "patches", "sources", NULL, };
++ const char * luavars[] = { "patches", "sources",
++ "patch_nums", "source_nums", NULL, };
+ for (const char **vp = luavars; vp && *vp; vp++) {
+ rpmluaDelVar(lua, *vp);
+ rpmluaPushTable(lua, *vp);
+--
+2.26.2
+
diff --git a/SOURCES/0001-When-doing-the-same-thing-more-than-once-use-a-loop.patch b/SOURCES/0001-When-doing-the-same-thing-more-than-once-use-a-loop.patch
new file mode 100644
index 0000000..9e9ee45
--- /dev/null
+++ b/SOURCES/0001-When-doing-the-same-thing-more-than-once-use-a-loop.patch
@@ -0,0 +1,38 @@
+From 9cbc1fe444b048c3f7cf5ea09ab650d1c146d54a Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 20 Feb 2019 14:49:19 +0200
+Subject: [PATCH] When doing the same thing more than once, use a loop...
+
+No functional changes but this'll simplify the next commit quite a bit.
+---
+ build/spec.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/build/spec.c b/build/spec.c
+index e414e4102..80eaca611 100644
+--- a/build/spec.c
++++ b/build/spec.c
+@@ -303,15 +303,13 @@ rpmSpec newSpec(void)
+ spec->pool = rpmstrPoolCreate();
+
+ #ifdef WITH_LUA
+- {
+ /* make sure patches and sources tables always exist */
+ rpmlua lua = NULL; /* global state */
+- rpmluaDelVar(lua, "patches");
+- rpmluaDelVar(lua, "sources");
+- rpmluaPushTable(lua, "patches");
+- rpmluaPushTable(lua, "sources");
+- rpmluaPop(lua);
+- rpmluaPop(lua);
++ const char * luavars[] = { "patches", "sources", NULL, };
++ for (const char **vp = luavars; vp && *vp; vp++) {
++ rpmluaDelVar(lua, *vp);
++ rpmluaPushTable(lua, *vp);
++ rpmluaPop(lua);
+ }
+ #endif
+ return spec;
+--
+2.26.2
+
diff --git a/SOURCES/0001-Work-around-buggy-signature-region-preventing-resign.patch b/SOURCES/0001-Work-around-buggy-signature-region-preventing-resign.patch
new file mode 100644
index 0000000..54dd45f
--- /dev/null
+++ b/SOURCES/0001-Work-around-buggy-signature-region-preventing-resign.patch
@@ -0,0 +1,44 @@
+From 8fefd2bd21b30996ad0748eab6baadf915610642 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 13 Aug 2020 13:29:10 +0300
+Subject: [PATCH] Work around buggy signature region preventing resigning
+ (RhBug:1851508)
+
+Various proprietary packages in the wild have subtly malformed data
+in the signature header, in particular wrt the immutable region size,
+presumably from using some in-house/3rd party signing tools which do
+not understand the immutable region business at all. This can prevent
+resigning and signature deletion on such packages due to the more
+thorough checking that rpmsign does.
+
+As the old wisdom goes, be liberal in what you accept... we can easily
+work around the crud by just taking a fresh copy of the contents that
+are legit as such (otherwise the package would be uninstallable).
+
+
+Adjusted for 4.14.3
+
+--- rpm-4.14.3/sign/rpmgensig.c.orig 2020-10-29 16:00:38.785229048 +0100
++++ rpm-4.14.3/sign/rpmgensig.c 2020-10-29 16:08:55.997791345 +0100
+@@ -401,12 +401,19 @@
+
+ if (headerGet(*hdrp, tag, utd, HEADERGET_DEFAULT)) {
+ oh = headerCopyLoad(utd->data);
+- nh = headerCopy(oh);
+- headerFree(oh);
+ rpmtdFreeData(utd);
++ } else {
++ /* XXX should we warn if the immutable region is corrupt/missing? */
++ oh = headerLink(*hdrp);
++ }
++
++ if (oh) {
++ /* Perform a copy to eliminate crud from buggy signing tools etc */
++ nh = headerCopy(oh);
+ headerFree(*hdrp);
+ *hdrp = headerLink(nh);
+ headerFree(nh);
++ headerFree(oh);
+ }
+ }
+
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index 1cef8f9..00927d7 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -30,7 +30,7 @@
%global rpmver 4.14.3
#global snapver rc2
-%global rel 4
+%global rel 10
%global srcver %{version}%{?snapver:-%{snapver}}
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -92,6 +92,12 @@ Patch140: 0001-Fix-resource-leaks-on-zstd-open-error-paths.patch
# XXX should be before 0001-Pass-RPM_BUILD_NCPUS-to-build-scripts.patch
Patch141: 0001-Isolate-_smp_build_ncpus-and-use-it-for-_smp_mflags.patch
Patch142: rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch
+Patch143: 0001-Work-around-buggy-signature-region-preventing-resign.patch
+Patch144: 0001-Fix-python-ts.addErase-not-raising-exception-on-not-.patch
+Patch145: 0001-Always-close-libelf-handle-1313.patch
+Patch146: 0001-When-doing-the-same-thing-more-than-once-use-a-loop.patch
+Patch147: 0001-Introduce-patch_nums-and-source_nums-Lua-variables-i.patch
+Patch148: 0001-Add-limits-to-autopatch-macro.patch
# Python 3 string API sanity
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@@ -653,6 +659,20 @@ make check || cat tests/rpmtests.log
%doc doc/librpm/html/*
%changelog
+* Sun Jan 10 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-10
+- Rebuild for libimaevm soname bump, now for real (#1896046)
+
+* Thu Jan 07 2021 Florian Festi <ffesti@redhat.com> - 4.14.3-8
+- Add limits to autopatch macro (#1834931)
+
+* Thu Dec 03 2020 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-6
+- Rebuild for libimaevm soname bump (#1896046)
+
+* Fri Oct 30 2020 Florian Festi <ffesti@redhat.com> - 4.14.3-5
+- Don't error out when replacing an invalid signature (#1874062)
+- Raise an expection when erasing a package fails in Python (#1872623)
+- Fix builds on NFS filesystems (#1840728)
+
* Fri Jun 26 2020 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-4
- Fix hang when signing with expired key (#1746353)