author | 2023-10-31 20:39:01 +0530 | |
committer | 2023-11-01 19:09:36 -0700 | |
commit | 03f5ccbab4a7ea143eada03ac833948fda5a5ce6 (patch) | |
tree | 71b9e715f01ec80385258c6ae166f8811fb40cc3 /app-containers/podman | |
parent | dev-util/editorconfig-geany: Fix build with geany-2.0 (diff) | |
app-containers/podman: add 4.7.2, drop 4.7.{0,1}, update live
4.7.2 fixes security issue
https://github.com/moby/moby/security/advisories/GHSA-jq35-85cj-fj4p
Just to be safe removing 4.7.0 and 4.7.1 as well.
For non-live versions, prevent git operations, which cause sandbox violations
https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
Signed-off-by: Rahil Bhimjiani <rahil3108@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/33607
Signed-off-by: Zac Medico <zmedico@gentoo.org>
Diffstat (limited to 'app-containers/podman')
-rw-r--r-- | app-containers/podman/Manifest | 3 | ||||
-rw-r--r-- | app-containers/podman/podman-4.7.0.ebuild | 122 | ||||
-rw-r--r-- | app-containers/podman/podman-4.7.2.ebuild (renamed from app-containers/podman/podman-4.7.1.ebuild) | 19 | ||||
-rw-r--r-- | app-containers/podman/podman-9999.ebuild | 19 |
4 files changed, 31 insertions, 132 deletions
diff --git a/app-containers/podman/Manifest b/app-containers/podman/Manifest
index 2be1c3640e72..c5c4bef92c86 100644
--- a/app-containers/podman/Manifest
+++ b/app-containers/podman/Manifest
@@ -1,3 +1,2 @@
 DIST podman-4.5.0.tar.gz 17423692 BLAKE2B ba28e77626bb4bcdb85b20031e12cf93f2eb3174b678cb8e99557df13e2cdf377ea402eb373a51ea44302f878f8e1cdedda14a2f3ad8c9e88895754fc50c272e SHA512 8a699dc01fc3d7c4a9e5ef4f166170303fc30e0f6695c61f763944e1cb755e75896108e0c4166d184fe49e3a6859f045aa3883047ebba9290e851fc128d77cac
-DIST podman-4.7.0.tar.gz 20554573 BLAKE2B a98e52ec9fe48d5b70489ed6bd6961877cf67735048425ad30fe9de3e163f8266d6510c37b0c43effa90cc8ce1b39bdc46c5add90dabd8f78c79602824f132a6 SHA512 4cab8698a819cd42de4cb588978c94c91b0c85693db2476aa6d20d7f4e4a7674d417703f70bdbb5a0e94b678fd585ae03a95ff0e5b7eb2682d9f400b92915742
-DIST podman-4.7.1.tar.gz 20557503 BLAKE2B f34cc0e2c9bd46d8f538c51b7353b36aea3380233f998467f26aeee6c35850bc26ca25234d39426ae7e4951fb40bc9cf1b8218b1db92fc95bb4ce0f221827dbf SHA512 cb89a687900bdc8ab9aec01d11c4e3062d8735122aa03639fa6eeecde10ea4bc3633381bce1e65955bf112d4fda330182f81d81054916b1eca8b7354c0f55c14
+DIST podman-4.7.2.tar.gz 20554551 BLAKE2B a53bbe6b21145ab394b4a9bc540d4335ca6cdd0e0a98e741e5cfb8aa19aaeb2801ca8d117d42b0d66f618018a2d4b1d736fc851b58b661cbae6ee815712fb936 SHA512 1873a158f2e0527b6e57929f391c4ea5adee5fba33e861eb7744cd0ac845f7296f6149b5e824142e701e5b4db95466585206f37402298301f99cc40b781a51ba
diff --git a/app-containers/podman/podman-4.7.0.ebuild b/app-containers/podman/podman-4.7.0.ebuild
deleted file mode 100644
index 2c7ededf36fd..000000000000
--- a/app-containers/podman/podman-4.7.0.ebuild
+++ /dev/null
@@ -1,122 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit go-module tmpfiles linux-info - -DESCRIPTION="A tool for managing OCI containers and pods with Docker-compatible CLI" -HOMEPAGE="https://github.com/containers/podman/ https://podman.io/" -if [[ ${PV} == *9999* ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/containers/podman.git" -else - SRC_URI="https://github.com/containers/podman/archive/v${PV}.tar.gz -> ${P}.tar.gz" - KEYWORDS="~amd64 ~arm64 ~riscv" -fi -LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0" -SLOT="0" -IUSE="apparmor btrfs cgroup-hybrid wrapper +fuse +init +rootless +seccomp selinux systemd" -RESTRICT="test" - -RDEPEND=" - app-crypt/gpgme:= - >=app-containers/conmon-2.0.0 - >=app-containers/containers-common-0.56.0 - dev-libs/libassuan:= - dev-libs/libgpg-error:= - sys-apps/shadow:= - - apparmor? ( sys-libs/libapparmor ) - btrfs? ( sys-fs/btrfs-progs ) - cgroup-hybrid? ( >=app-containers/runc-1.0.0_rc6 ) - !cgroup-hybrid? ( app-containers/crun ) - wrapper? ( !app-containers/docker-cli ) - fuse? ( sys-fs/fuse-overlayfs ) - init? ( app-containers/catatonit ) - rootless? ( app-containers/slirp4netns ) - seccomp? ( sys-libs/libseccomp:= ) - selinux? ( sec-policy/selinux-podman sys-libs/libselinux:= ) - systemd? 
( sys-apps/systemd:= ) -" -DEPEND="${RDEPEND}" -BDEPEND=" - dev-go/go-md2man -" - -PATCHES=( - "${FILESDIR}/seccomp-toggle-4.7.0.patch" -) - -CONFIG_CHECK=" - ~USER_NS -" - -pkg_setup() { - use btrfs && CONFIG_CHECK+=" ~BTRFS_FS" - linux-info_pkg_setup -} - -src_prepare() { - default - local file - for file in apparmor_tag btrfs_installed_tag btrfs_tag selinux_tag systemd_tag; do - [[ -f hack/"${file}".sh ]] || die - done - - local feature - for feature in apparmor selinux systemd; do - cat <<-EOF > hack/"${feature}"_tag.sh || die - #!/usr/bin/env bash - $(usex ${feature} "echo ${feature}" echo) -EOF - done - - echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || die - cat <<-EOF > hack/btrfs_tag.sh || die - #!/usr/bin/env bash - $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion') -EOF -} - -src_compile() { - export PREFIX="${EPREFIX}/usr" - emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" BUILD_SECCOMP="$(usex seccomp)" all $(usev wrapper docker-docs) -} - -src_install() { - emake DESTDIR="${D}" install install.completions $(usev wrapper install.docker-full) - - insinto /etc/cni/net.d - doins cni/87-podman-bridge.conflist - - newconfd "${FILESDIR}"/podman.confd podman - newinitd "${FILESDIR}"/podman.initd podman - - insinto /etc/logrotate.d - newins "${FILESDIR}/podman.logrotated" podman - - keepdir /var/lib/containers -} - -pkg_preinst() { - PODMAN_ROOTLESS_UPGRADE=false - if use rootless; then - has_version 'app-containers/podman[rootless]' || PODMAN_ROOTLESS_UPGRADE=true - fi -} - -pkg_postinst() { - tmpfiles_process podman.conf $(usev wrapper podman-docker.conf) - - local want_newline=false - if [[ ${PODMAN_ROOTLESS_UPGRADE} == true ]] ; then - ${want_newline} && elog "" - elog "For rootless operation, you need to configure subuid/subgid" - elog "for user running podman. 
In case subuid/subgid has only been"
- elog "configured for root, run:"
- elog "usermod --add-subuids 1065536-1131071 <user>"
- elog "usermod --add-subgids 1065536-1131071 <user>"
- want_newline=true
- fi
-}
diff --git a/app-containers/podman/podman-4.7.1.ebuild b/app-containers/podman/podman-4.7.2.ebuild
index f10c9b0ec10a..85842e6a4f69 100644
--- a/app-containers/podman/podman-4.7.1.ebuild
+++ b/app-containers/podman/podman-4.7.2.ebuild
@@ -8,7 +8,7 @@ inherit go-module tmpfiles linux-info
 DESCRIPTION="A tool for managing OCI containers and pods with Docker-compatible CLI"
 HOMEPAGE="https://github.com/containers/podman/ https://podman.io/"
-if [[ ${PV} == *9999* ]]; then
+if [[ ${PV} == 9999* ]]; then
 inherit git-r3
 EGIT_REPO_URI="https://github.com/containers/podman.git"
 else
@@ -16,7 +16,10 @@ else
 KEYWORDS="~amd64 ~arm64 ~riscv"
 fi
-LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
 SLOT="0"
 IUSE="apparmor btrfs cgroup-hybrid wrapper +fuse +init +rootless +seccomp selinux systemd"
 RESTRICT="test"
@@ -61,6 +64,8 @@ pkg_setup() {
 src_prepare() {
 default
+
+ # assure necessary files are present
 local file
 for file in apparmor_tag btrfs_installed_tag btrfs_tag systemd_tag; do
 [[ -f hack/"${file}".sh ]] || die
@@ -71,18 +76,24 @@ src_prepare() {
 cat <<-EOF > hack/"${feature}"_tag.sh || die
 #!/usr/bin/env bash
 $(usex ${feature} "echo ${feature}" echo)
-EOF
+ EOF
 done
 echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || die
 cat <<-EOF > hack/btrfs_tag.sh || die
 #!/usr/bin/env bash
 $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
-EOF
+ EOF
 }
 src_compile() {
 export PREFIX="${EPREFIX}/usr"
+
+ # For non-live versions, prevent git operations which causes sandbox violations
+ # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+ [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+ # BUILD_SECCOMP is used in the patch to toggle seccomp
 emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" BUILD_SECCOMP="$(usex seccomp)" all $(usev wrapper docker-docs)
 }
diff --git a/app-containers/podman/podman-9999.ebuild b/app-containers/podman/podman-9999.ebuild
index f10c9b0ec10a..85842e6a4f69 100644
--- a/app-containers/podman/podman-9999.ebuild
+++ b/app-containers/podman/podman-9999.ebuild
@@ -8,7 +8,7 @@ inherit go-module tmpfiles linux-info
 DESCRIPTION="A tool for managing OCI containers and pods with Docker-compatible CLI"
 HOMEPAGE="https://github.com/containers/podman/ https://podman.io/"
-if [[ ${PV} == *9999* ]]; then
+if [[ ${PV} == 9999* ]]; then
 inherit git-r3
 EGIT_REPO_URI="https://github.com/containers/podman.git"
 else
@@ -16,7 +16,10 @@ else
 KEYWORDS="~amd64 ~arm64 ~riscv"
 fi
-LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
 SLOT="0"
 IUSE="apparmor btrfs cgroup-hybrid wrapper +fuse +init +rootless +seccomp selinux systemd"
 RESTRICT="test"
@@ -61,6 +64,8 @@ pkg_setup() {
 src_prepare() {
 default
+
+ # assure necessary files are present
 local file
 for file in apparmor_tag btrfs_installed_tag btrfs_tag systemd_tag; do
 [[ -f hack/"${file}".sh ]] || die
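Review bot: The new `[[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""` in src_compile only stops git from running if upstream's Makefile assigns those two variables with `?=` (an exported variable, even an empty one, counts as already defined for `?=`); an `=`/`:=` assignment, or any other git-derived variable in that Makefile, would still execute git inside the sandbox, so the comment should state that coupling and it is worth checking against the 4.7.2 Makefile rather than assuming it. Passing the values on the make command line overrides any assignment flavour while keeping the live-build exception, e.g. `local -a novcs=(); [[ ${PV} != 9999* ]] && novcs=(COMMIT_NO= GIT_COMMIT=)` followed by `emake "${novcs[@]}" BUILDFLAGS="-v -work -x" ...`. Presumably the resulting binary then reports an empty commit in its version output, which is a user-visible difference from upstream release builds and worth a one-line comment. The same src_compile hunk appears verbatim in podman-9999.ebuild below, and in the earlier src_prepare hunk of both files the comment `# assure necessary files are present` should read "ensure".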
@@ -71,18 +76,24 @@ src_prepare() {
 cat <<-EOF > hack/"${feature}"_tag.sh || die
 #!/usr/bin/env bash
 $(usex ${feature} "echo ${feature}" echo)
-EOF
+ EOF
 done
 echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || die
 cat <<-EOF > hack/btrfs_tag.sh || die
 #!/usr/bin/env bash
 $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
-EOF
+ EOF
 }
 src_compile() {
 export PREFIX="${EPREFIX}/usr"
+
+ # For non-live versions, prevent git operations which causes sandbox violations
+ # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+ [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+ # BUILD_SECCOMP is used in the patch to toggle seccomp
 emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" BUILD_SECCOMP="$(usex seccomp)" all $(usev wrapper docker-docs)
 }
|