Recent change in socat made it prefer ::1 address for localhost. This
breaks updates proxy, beca...

* origin/pr/487:
#8991 - support for the dhcp4-change event in qubes-nmhook

Fixes QubesOS/qub...

* origin/pr/486:
Use O_NOFOLLOW for the log file

* origin/pr/485:
Ensure gnome-keyring always available

* origin/pr/484:
Refuse to copy "." or ".."

* origin/pr/483:
Skip sudo for unprivileged ports binds

Found by shellcheck

GnuPG in F39 seems to use keyboxd and as a consequence, keyring choice
on import seems to be ign...

Prevents easy escalation to the "qubes" group via a symlink attack.

Sandboxed applications use a secrets portal implementation to store
secrets. Without it, Elemen...

In R4.2, these will be rejected on the receiving side with a confusing
error. Furthermore, the ...

Fixes: https://github.com/QubesOS/qubes-issues/issues/8923

Sandboxed applications use this to store secrets. Without it, Element
cannot access its secrets...

* origin/pr/478:
Minor docs fix

* xfce-displays:
Do not show "Displays" prompt in every VM when new display is connected

Improve information for qvm-copy.

fixes QubesOS/qubes-issues#6374

Default Xfce setting is to prompt what to do when new display is
connected. It makes sense in do...

* origin/pr/474:
Parse '.rc' files in rc.local.d directory on boot

* origin/pr/476:
qvm-copy-to-vm.gnome: fix progress_kdialog() for large transfers
qvm-copy-t...

* origin/pr/473:
qubes-run-terminal: add gnome-console support

The estimated total size in bytes can be too large to use as kdialog's
maximum. Use the default ...

The new syntax has existed for more than six years:

https://invent.kde.org/utilities/kdialog/-/...

A while ago qfile-agent was changed to show graphical error messages (in
addition to stderr mess...

In practice kdialog wasn't used, because the package was built without
USE_KDIALOG being defined...

Fixes https://github.com/QubesOS/qubes-issues/issues/8690
Fixes https://github.com/QubesOS/qubes...

* origin/pr/469:
Detect and terminate infinite qrexec launch chains

* origin/pr/470:
setup-ip: adapt path for Gentoo compat

* origin/pr/472:
improve formatting of /etc/fstab

qubes-run-gnome-console is added for future proofness.
from kgx --help
--wait Wait until the ...

Some packages are named differently than on Fedora:
- python3-gobject-base -> python311-gobject
...

Move parts to appropriate subpackages (specifically dom0-updates part).
Call parts related to sp...

It isn't packaged there.

QubesOS/qubes-issues#6567

It was over 10 years ago, it isn't needed anymore.

QubesOS/qubes-issues#6567

openSUSE checks for directory ownership at rpm build time, so some
runtime dependencies needs to...

It isn't packaged there.

QubesOS/qubes-issues#6567

It is optional.

QubesOS/qubes-issues#6567

RPM does it itself there (moves to fstab.rpmorig).

QubesOS/qubes-issues#6567

It's no-op nowadays, because packages install their udev rules in
/lib/udev/rules.d. And removin...

python2 is not supported anymore

QubesOS/qubes-issues#5297

QubesOS/qubes-issues#6567

QubesOS/qubes-issues#6567

/usr/share/qubes/xdg-overrides ships a bunch of symlinks not present
during build. This will req...

To require systemd-random-seed, show a config file in the package
instead of a (seemingly) broke...

It's a Fedora-specific package

QubesOS/qubes-issues#6567

OBS does not support @BACKEND_VMM@ replacement, use rpm macro instead.

QubesOS/qubes-issues#6567

If a VM is set to use a disposable VM to handle URLs and is also its
also default disposable VM ...

* origin/pr/468:
qfile-unpacker should not be an easy root hole

qfile-unpacker is setuid root so that it can call chroot(). Right now,
it will happily change i...

QubesDB path length limit doesn't allow full qrexec service name length.
This needs some better ...

Checking for qubes-qrexec-agent service is meant (among other things) to
detect for chroot, but ...

* origin/pr/466:
Make gnome-software work a bit better in a template

Set GIO_USE_NETWORK_MONITOR=base variable to avoid gnome-software
refusing any actual action jus...

'du --files0-from' was added to coreutils v5.3.0 on 2005-01-08, but
'find -files0-from' was add...

Some users report than with the current reclaim speed still take a long
time to release memory a...

Recent Fedora broke firefox.desktop, by setting DBusActivatable=true,
while having invalid dbus ...

* origin/pr/461:
Add missing nft rule for ipv6 that is present for ipv4.
Add missing nft rul...

* origin/pr/459:
qvm-copy(-to-vm.gnome): fix size calculation for directories
qfile-agent: f...

* origin/pr/458:
Provide a alternate qfile-unpacker that is not SELinux-confined

* origin/pr/456:
ci: clone qubes-linux-utils, build and install its qrexec-lib
qfile-agent: ...

Fix mixed up IPv4 vs IPv6 gateway with NetworkManager based setup

Fix the case when qube provides IPv6 to others (for example via VPN), but
isn't itself connected...

Sum up only the sizes of regular files but not of directory inodes
themselves, so as to match qr...

$FILECOPY_TOTAL_SIZE was rounded up to the next KB by du, so qfile-agent
should round up the run...

Using this in the Qubes executor will allow using the Qubes executor
with SELinux enforcing.

Do not try to convert a relative pathname argument to an absolute
pathname. There were several w...

* origin/pr/451:
Fix qubes.TemplateSearch with repo_gpgcheck=1

* origin/pr/453:
Remove outdated comment

* origin/pr/454:
Fix missing path separator for /net-config qubesdb prefix

These protocols increase the attack surface of a VM that is exposed to
attackers that are networ...

Fixes QubesOS/qubes-issues#7237
Replaces #449

* origin/pr/450:
Do not disable tracker and evolution-data-server in AppVMs

Add the signature from the master key.

It used to be changed with a patch, but now we can configure the value
with unmodified kernel to...

qubes-core-agent-dom0-updates was missing a dependency on
qubes-repo-templates, so the OpenPGP k...

Contrary to initial tests, disbling those do break some applications.
So, do not disable them by...