ilot/authentik: use latest py3-django-rest-framework

2025-03-31 21:00:18 -04:00
17 changed files with 27 additions and 709 deletions
--- a/.forgejo/bin/check_ver.sh
+++ b/.forgejo/bin/check_ver.sh
@ -18,30 +18,8 @@ for pkg in $owned_by_you; do
 	downstream_version=$(sed -n "/^P:$pkg$/,/^$/p" APKINDEX | awk -F ':' '{if($1=="V"){print $2}}' | sort -V | tail -n 1)
 	downstream_version=${downstream_version/-*}
-	# special cases
+	# special case for forgejo-aneksajo:
-	case $pkg in
+	upstream_version=${upstream_version/-git-annex/_git}
 		forgejo-aneksajo)upstream_version=${upstream_version/-git-annex/_git};;
 		authentik)
 			upstream_version=$(curl --fail -X GET -sS -H 'Content-Type: application/json' "https://release-monitoring.org/api/v2/projects/?name=$pkg&distribution=Alpine" | jq -r '.items.[].stable_versions' | jq -r ".[] | match(\"${downstream_version%.*}.*\").string" | head -n 1)
 			latest_version=$(curl --fail -X GET -sS -H 'Content-Type: application/json' "https://release-monitoring.org/api/v2/packages/?name=$pkg&distribution=Alpine" | jq -r '.items.[].stable_version' )
 			# append version number to signal that this is not latest major version
 			if [ "${upstream_version%.*}" != "${latest_version%.*}" ]; then
 				echo "$pkg${latest_version%.*} major version available"
 				echo "$pkg${latest_version%.*} $downstream_version $latest_version $repo" >> out_of_date
 				pkg=$pkg${upstream_version%.*}
 			fi
 		;;
 		mastodon)
 			upstream_version=$(curl --fail -X GET -sS -H 'Content-Type: application/json' "https://release-monitoring.org/api/v2/projects/?name=$pkg&distribution=Alpine" | jq -r '.items.[].stable_versions' | jq -r ".[] | match(\"${downstream_version%.*}.*\").string" | head -n 1)
 			latest_version=$(curl --fail -X GET -sS -H 'Content-Type: application/json' "https://release-monitoring.org/api/v2/packages/?name=$pkg&distribution=Alpine" | jq -r '.items.[].stable_version' )
 			# append version number to signal that this is not latest major version
 			if [ "${upstream_version%.*}" != "${latest_version%.*}" ]; then
 				echo "$pkg${latest_version%.*} major version available"
 				echo "$pkg${latest_version%.*} $downstream_version $latest_version $repo" >> out_of_date
 				pkg=$pkg${upstream_version%.*}
 			fi
 		;;
 	esac
 	if [ -z "$upstream_version" ]; then
 		echo "$pkg not in anitya"
--- a/.forgejo/bin/create_issue.sh
+++ b/.forgejo/bin/create_issue.sh
@ -15,10 +15,10 @@ does_it_exist() {
 	repo=$4
 	query="$repo/$name: upgrade to $upstream_version"
-	query="%22$(echo $query | sed 's| |%20|g' | sed 's|:|%3A|g' | sed 's|/|%2F|g' )%22"
+	query="$(echo $query | sed 's| |%20|g' | sed 's|:|%3A|g' | sed 's|/|%2F|g' )"
 	result="$(curl --silent -X 'GET' \
-		"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/issues?state=open&q=$query&type=issues&sort=latest" \
+		"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/issues?state=open&q=$query&type=issues" \
 		-H 'accept: application/json' \
 		-H "Authorization: token $ISSUE_TOKEN"
 	)"
@ -35,10 +35,10 @@ is_it_old() {
 	repo=$4
 	query="$repo/$name: upgrade to"
-	query="%22$(echo $query | sed 's| |%20|g' | sed 's|:|%3A|g' | sed 's|/|%2F|g' )%22"
+	query="$(echo $query | sed 's| |%20|g' | sed 's|:|%3A|g' | sed 's|/|%2F|g' )"
 	result="$(curl --silent -X 'GET' \
-		"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/issues?state=open&q=$query&type=issues&sort=latest" \
+		"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/issues?state=open&q=$query&type=issues" \
 		-H 'accept: application/json' \
 		-H "authorization: token $ISSUE_TOKEN"
 	)"
@ -126,10 +126,10 @@ fi
 if [ -f not_in_anitya ]; then
 	query="Add missing $repo packages to anitya"
-	query="%22$(echo $query | sed 's| |%20|g')%22"
+	query="$(echo $query | sed 's| |%20|g')"
 	result="$(curl --silent -X 'GET' \
-		"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/issues?state=open&q=$query&type=issues&sort=latest" \
+		"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/issues?state=open&q=$query&type=issues" \
 		-H 'accept: application/json' \
 		-H "authorization: token $ISSUE_TOKEN"
 	)"
--- a/.forgejo/workflows/build-aarch64.yaml
+++ b/.forgejo/workflows/build-aarch64.yaml
@ -19,7 +19,6 @@ jobs:
    steps:
      - name: Environment setup
        run: |
          doas apk upgrade -a
          doas apk add nodejs git patch curl net-tools
          doas hostname host.docker.internal
          cd /etc/apk/keys
@ -48,7 +47,7 @@ jobs:
      GITHUB_EVENT_NUMBER: ${{ github.event.number }}
    steps:
      - name: Setting up environment
-        run: apk add nodejs-current curl findutils git gawk jq
+        run: apk add nodejs curl findutils git gawk jq
      - name: Repo pull
        uses: actions/checkout@v4
      - name: Package download
--- a/.forgejo/workflows/build-x86_64.yaml
+++ b/.forgejo/workflows/build-x86_64.yaml
@ -19,7 +19,6 @@ jobs:
    steps:
      - name: Environment setup
        run: |
          doas apk upgrade -a
          doas apk add nodejs git patch curl net-tools
          doas hostname host.docker.internal
          cd /etc/apk/keys
@ -48,7 +47,7 @@ jobs:
      GITHUB_EVENT_NUMBER: ${{ github.event.number }}
    steps:
      - name: Setting up environment
-        run: apk add nodejs-current curl findutils git gawk jq
+        run: apk add nodejs curl findutils git gawk jq
      - name: Repo pull
        uses: actions/checkout@v4
      - name: Package download
--- a/.forgejo/workflows/check-ilot.yml
+++ b/.forgejo/workflows/check-ilot.yml
@ -16,7 +16,7 @@ jobs:
      LABEL_NUMBER: 8
    steps:
      - name: Environment setup
-        run: apk add grep coreutils gawk curl wget bash nodejs-current git jq sed
+        run: apk add grep coreutils gawk curl wget bash nodejs git jq sed
      - name: Get scripts
        uses: actions/checkout@v4
        with:
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -14,9 +14,7 @@ jobs:
      CI_MERGE_REQUEST_PROJECT_URL: ${{ github.server_url }}/${{ github.repository }}
      CI_MERGE_REQUEST_TARGET_BRANCH_NAME: ${{ github.base_ref }}
    steps:
-      - run: |
+      - run: doas apk add nodejs git
          doas apk upgrade -a
          doas apk add nodejs git
      - uses: actions/checkout@v4
        with:
          fetch-depth: 500
--- a/ilot/authentik/APKBUILD
+++ b/ilot/authentik/APKBUILD
@ -1,8 +1,8 @@
 # Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=authentik
-pkgver=2025.2.4
+pkgver=2025.2.3
-pkgrel=0
+pkgrel=1
 pkgdesc="An open-source Identity Provider focused on flexibility and versatility"
 url="https://github.com/goauthentik/authentik"
 # s390x: missing py3-celery py3-flower and py3-kombu
@ -41,7 +41,7 @@ depends="
 	py3-django-prometheus
 	py3-django-pglock
 	py3-django-redis
-	py3-django-rest-framework~3.14.0
+	py3-django-rest-framework
 	py3-django-rest-framework-guardian
 	py3-django-storages
 	py3-django-tenants
@ -284,7 +284,7 @@ pyc() {
 }
 sha512sums="
-75928b3ab9ae126f3cbe88ff1256de8adba7add099b0d93615abb8c91a2b7f275e83664a232e8c5393c5031bd9757af2f20fdb9d0153dacdf9a482b6b4bb8b00  authentik-2025.2.4.tar.gz
+20dc45060ebccab996c19cef96291baefdf0f9af609e7e3e58fbda55b3dfb75c46bcb25b51a1e3c48d768fcf5dd9a05612e7cdb06fdf5d904d90d546ef4607d6  authentik-2025.2.3.tar.gz
 4defb4fe3a4230f4aa517fbecd5e5b8bcef2a64e1b40615660ae9eec33597310a09df5e126f4d39ce7764bd1716c0a7040637699135c103cbc1879593c6c06f1  authentik.openrc
 6cb03b9b69df39bb4539fe05c966536314d766b2e9307a92d87070ba5f5b7e7ab70f1b5ee1ab3c0c50c23454f9c5a4caec29e63fdf411bbb7a124ad687569b89  authentik-worker.openrc
 351e6920d987861f8bf0d7ab2f942db716a8dbdad1f690ac662a6ef29ac0fd46cf817cf557de08f1c024703503d36bc8b46f0d9eb1ecaeb399dce4c3bb527d17  authentik-ldap.openrc
--- a/ilot/forgejo-aneksajo/APKBUILD
+++ b/ilot/forgejo-aneksajo/APKBUILD
@ -4,7 +4,7 @@
 # Contributor: Patrycja Rosa <alpine@ptrcnull.me>
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=forgejo-aneksajo
-pkgver=11.0.0_git0
+pkgver=10.0.3_git0
 _gittag=v${pkgver/_git/-git-annex}
 pkgrel=0
 pkgdesc="Self-hosted Git service written in Go with git-annex support"
@ -60,7 +60,7 @@ build() {
 	export CGO_LDFLAGS="$LDFLAGS"
 	unset LDFLAGS
 	## make FHS compliant
-	local setting="forgejo.org/modules/setting"
+	local setting="code.gitea.io/gitea/modules/setting"
 	export LDFLAGS="$LDFLAGS -X $setting.CustomConf=/etc/forgejo/app.ini"
 	export LDFLAGS="$LDFLAGS -X $setting.AppWorkPath=/var/lib/forgejo/"
@ -106,7 +106,7 @@ package() {
 }
 sha512sums="
-07f72fcd3bb02a6bbfbcf73f8526c51f1f3fe39d2a504395dfb0997743a190bd210389d58114aaf546fb6d0fabaa80a54240632e11eeba35250b9e6b9b63f438  forgejo-aneksajo-v11.0.0-git-annex0.tar.gz
+e32c919228df167374e8f3099e2e59bfab610aac6c87465318efe1cac446d014535e270f57b0bf8b2a7eb3843c5dcb189eac4dad2e230b57acd9096ead647eca  forgejo-aneksajo-v10.0.3-git-annex0.tar.gz
 497d8575f2eb5ac43baf82452e76007ef85e22cca2cc769f1cf55ffd03d7ce4d50ac4dc2b013e23086b7a5577fc6de5a4c7e5ec7c287f0e3528e908aaa2982aa  forgejo-aneksajo.initd
 b537b41b6b3a945274a6028800f39787b48c318425a37cf5d40ace0d1b305444fd07f17b4acafcd31a629bedd7d008b0bb3e30f82ffeb3d7e7e947bdbe0ff4f3  forgejo-aneksajo.ini
 "
--- a/ilot/freescout/APKBUILD
+++ b/ilot/freescout/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 # Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=freescout
-pkgver=1.8.175
+pkgver=1.8.173
 pkgrel=0
 pkgdesc="Free self-hosted help desk & shared mailbox"
 arch="noarch"
@ -76,7 +76,7 @@ package() {
 	install -m755 -D "$srcdir"/freescout-manage.sh "$pkgdir"/usr/bin/freescout-manage
 }
 sha512sums="
-aa5f762eddaac34977a42bb59a0c2ec2113b0ad4f04b767465e9c23c4bb5d0dd722432735fb10975c23b0a5ca4a11abcfc52d893a3c6678d4908ceb29cefa736  freescout-1.8.175.tar.gz
+1d349d2a84985e2ce9e767cdbf40943ffd1926db5e8b56cb9c3c4436f5a3c56f3c63265c4382acaadccf32965c0896e84eed3e2ef970ba2398a57440bf8dbeea  freescout-1.8.173.tar.gz
 e4af6c85dc12f694bef2a02e4664e31ed50b2c109914d7ffad5001c2bbd764ef25b17ecaa59ff55ef41bccf17169bf910d1a08888364bdedd0ecc54d310e661f  freescout.nginx
 7ce9b3ee3a979db44f5e6d7daa69431e04a5281f364ae7be23e5a0a0547f96abc858d2a8010346be2fb99bd2355fb529e7030ed20d54f310249e61ed5db4d0ba  freescout-manage.sh
 0cba00b7d945ce84f72a2812d40028a073a5278856f610e46dbfe0ac78deff6bf5eba7643635fa4bc64d070c4d49eb47d24ea0a05ba1e6ea76690bfd77906366  rename-client-to-membre-fr-en.patch
--- a/ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
+++ b/ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
@ -1,45 +0,0 @@
 From fa8e52baedd21265f69b5f425157e11c8c4ec24a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
 Date: Sat, 25 Mar 2023 09:08:04 +0100
 Subject: [PATCH] cmd/link: prefer musl's over glibc's ld.so during dynamic
 linking
 Without this commit glibc's is preferred over musl by default. This
 causes issues on Alpine when a dynamically linked Go binary is created
 while gcompat is installed, causing the binary to be linked against
 the ld.so provided by the gcompat package.
 This commit changes the logic to check for musl's ld.so first, if it
 does not exist we fallback to glibc. This default can be overwritten
 using the `-I` option of cmd/link.
 See https://gitlab.alpinelinux.org/alpine/aports/-/issues/14737
 ---
 src/cmd/link/internal/ld/elf.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 diff --git a/src/cmd/link/internal/ld/elf.go b/src/cmd/link/internal/ld/elf.go
 index 713f7739a5..8cf9377858 100644
 --- a/src/cmd/link/internal/ld/elf.go
 +++ b/src/cmd/link/internal/ld/elf.go
@@ -1886,14 +1886,14 @@ func asmbElf(ctxt *Link) {
 						Exitf("ELF interpreter not set")
 					}
 				} else {
 -					interpreter = thearch.ELF.Linuxdynld
 -					// If interpreter does not exist, try musl instead.
 +					interpreter = thearch.ELF.LinuxdynldMusl
 +					// If interpreter does not exist, try glibc instead.
 					// This lets the same cmd/link binary work on
 -					// both glibc-based and musl-based systems.
 +					// both musl-based and glibc-based systems.
 					if _, err := os.Stat(interpreter); err != nil {
 -						if musl := thearch.ELF.LinuxdynldMusl; musl != "" {
 -							if _, err := os.Stat(musl); err == nil {
 -								interpreter = musl
 +						if glibc := thearch.ELF.Linuxdynld; glibc != "" {
 +							if _, err := os.Stat(glibc); err == nil {
 +								interpreter = glibc
 							}
 						}
 					}
--- a/ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
+++ b/ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
@ -1,29 +0,0 @@
 From 82ac7268f746c31d771e584c1c83f93890b33404 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
 Date: Tue, 11 Jul 2023 05:18:00 +0200
 Subject: [PATCH] go.env: Don't switch Go toolchain version as directed in
 go.mod
 We want users and packages to use the version of Go that is provided
 in our package repository. We don't want to download pre-built
 toolchains from golang.org.
 Also note that prior to Go 1.21, pre-built Go binaries are linked
 against glibc and hence do not work on Alpine.
 ---
 go.env | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/go.env b/go.env
 index 6ff2b921d4..a106fb4638 100644
 --- a/go.env
 +++ b/go.env
@@ -7,6 +7,5 @@
 GOPROXY=https://proxy.golang.org,direct
 GOSUMDB=sum.golang.org
 -# Automatically download newer toolchains as directed by go.mod files.
 -# See https://go.dev/doc/toolchain for details.
 -GOTOOLCHAIN=auto
 +# Don't attempt to switch to a newer toolchains by default.
 +GOTOOLCHAIN=local
--- a/ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
+++ b/ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
@ -1,245 +0,0 @@
 From 5c5b24702f5542fba019d6b98eec6121bc21df31 Mon Sep 17 00:00:00 2001
 From: Michael Pratt <mpratt@google.com>
 Date: Thu, 3 Apr 2025 11:15:13 +0000
 Subject: [PATCH] runtime: cleanup M vgetrandom state before dropping P
 When an M is destroyed, we put its vgetrandom state back on the shared
 list for another M to reuse. This list is simply a slice, so appending
 to the slice may allocate. Currently this operation is performed in
 mdestroy, after the P is released, meaning allocation is not allowed.
 More the cleanup earlier in mdestroy when allocation is still OK.
 Also add //go:nowritebarrierrec to mdestroy since it runs without a P,
 which would have caught this bug.
 Fixes #73141.
 Change-Id: I6a6a636c3fbf5c6eec09d07a260e39dbb4d2db12
 Reviewed-on: https://go-review.googlesource.com/c/go/+/662455
 Reviewed-by: Jason Donenfeld <Jason@zx2c4.com>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Reviewed-by: Keith Randall <khr@golang.org>
 Reviewed-by: Keith Randall <khr@google.com>
 ---
 src/runtime/os3_solaris.go            |  5 ++++-
 src/runtime/os_aix.go                 |  5 ++++-
 src/runtime/os_darwin.go              |  5 ++++-
 src/runtime/os_dragonfly.go           |  5 ++++-
 src/runtime/os_linux.go               |  9 ++++-----
 src/runtime/os_netbsd.go              |  5 ++++-
 src/runtime/os_openbsd.go             |  5 ++++-
 src/runtime/os_plan9.go               |  5 ++++-
 src/runtime/os_windows.go             |  4 +++-
 src/runtime/proc.go                   |  3 +++
 src/runtime/vgetrandom_linux.go       | 11 +++++++++--
 src/runtime/vgetrandom_unsupported.go |  2 +-
 12 files changed, 48 insertions(+), 16 deletions(-)
 diff --git a/src/runtime/os3_solaris.go b/src/runtime/os3_solaris.go
 index cf163a6bf4..ded821b2e6 100644
 --- a/src/runtime/os3_solaris.go
 +++ b/src/runtime/os3_solaris.go
@@ -234,8 +234,11 @@ func unminit() {
 	getg().m.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_aix.go b/src/runtime/os_aix.go
 index 93464cb997..1b483c2a7e 100644
 --- a/src/runtime/os_aix.go
 +++ b/src/runtime/os_aix.go
@@ -186,8 +186,11 @@ func unminit() {
 	getg().m.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_darwin.go b/src/runtime/os_darwin.go
 index 0ecbea7ae4..6eab3b5c3d 100644
 --- a/src/runtime/os_darwin.go
 +++ b/src/runtime/os_darwin.go
@@ -344,8 +344,11 @@ func unminit() {
 	getg().m.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_dragonfly.go b/src/runtime/os_dragonfly.go
 index a02696eb4f..9b3235084d 100644
 --- a/src/runtime/os_dragonfly.go
 +++ b/src/runtime/os_dragonfly.go
@@ -216,8 +216,11 @@ func unminit() {
 	getg().m.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_linux.go b/src/runtime/os_linux.go
 index 8b3c4d0ecc..fb46b81682 100644
 --- a/src/runtime/os_linux.go
 +++ b/src/runtime/os_linux.go
@@ -412,13 +412,12 @@ func unminit() {
 	getg().m.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 -	if mp.vgetrandomState != 0 {
 -		vgetrandomPutState(mp.vgetrandomState)
 -		mp.vgetrandomState = 0
 -	}
 }
 // #ifdef GOARCH_386
 diff --git a/src/runtime/os_netbsd.go b/src/runtime/os_netbsd.go
 index 735ace25ad..a06e5febbd 100644
 --- a/src/runtime/os_netbsd.go
 +++ b/src/runtime/os_netbsd.go
@@ -320,8 +320,11 @@ func unminit() {
 	// must continue working after unminit.
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_openbsd.go b/src/runtime/os_openbsd.go
 index 574bfa8b17..4ce4c3c58d 100644
 --- a/src/runtime/os_openbsd.go
 +++ b/src/runtime/os_openbsd.go
@@ -182,8 +182,11 @@ func unminit() {
 	getg().m.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_plan9.go b/src/runtime/os_plan9.go
 index 2dbb42ad03..3b5965ab99 100644
 --- a/src/runtime/os_plan9.go
 +++ b/src/runtime/os_plan9.go
@@ -217,8 +217,11 @@ func minit() {
 func unminit() {
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 +//
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 func mdestroy(mp *m) {
 }
 diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
 index 7183e79f7d..54407a320c 100644
 --- a/src/runtime/os_windows.go
 +++ b/src/runtime/os_windows.go
@@ -906,9 +906,11 @@ func unminit() {
 	mp.procid = 0
 }
 -// Called from exitm, but not from drop, to undo the effect of thread-owned
 +// Called from mexit, but not from dropm, to undo the effect of thread-owned
 // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
 //
 +// This always runs without a P, so //go:nowritebarrierrec is required.
 +//go:nowritebarrierrec
 //go:nosplit
 func mdestroy(mp *m) {
 	if mp.highResTimer != 0 {
 diff --git a/src/runtime/proc.go b/src/runtime/proc.go
 index e9873e54cd..21bee4df71 100644
 --- a/src/runtime/proc.go
 +++ b/src/runtime/proc.go
@@ -1935,6 +1935,9 @@ func mexit(osStack bool) {
 		mp.gsignal = nil
 	}
 +	// Free vgetrandom state.
 +	vgetrandomDestroy(mp)
 +
 	// Remove m from allm.
 	lock(&sched.lock)
 	for pprev := &allm; *pprev != nil; pprev = &(*pprev).alllink {
 diff --git a/src/runtime/vgetrandom_linux.go b/src/runtime/vgetrandom_linux.go
 index a6ec4b701c..40be022f24 100644
 --- a/src/runtime/vgetrandom_linux.go
 +++ b/src/runtime/vgetrandom_linux.go
@@ -73,9 +73,16 @@ func vgetrandomGetState() uintptr {
 	return state
 }
 -func vgetrandomPutState(state uintptr) {
 +// Free vgetrandom state from the M (if any) prior to destroying the M.
 +//
 +// This may allocate, so it must have a P.
 +func vgetrandomDestroy(mp *m) {
 +	if mp.vgetrandomState == 0 {
 +		return
 +	}
 +
 	lock(&vgetrandomAlloc.statesLock)
 -	vgetrandomAlloc.states = append(vgetrandomAlloc.states, state)
 +	vgetrandomAlloc.states = append(vgetrandomAlloc.states, mp.vgetrandomState)
 	unlock(&vgetrandomAlloc.statesLock)
 }
 diff --git a/src/runtime/vgetrandom_unsupported.go b/src/runtime/vgetrandom_unsupported.go
 index 070392cfaa..43c53e1198 100644
 --- a/src/runtime/vgetrandom_unsupported.go
 +++ b/src/runtime/vgetrandom_unsupported.go
@@ -13,6 +13,6 @@ func vgetrandom(p []byte, flags uint32) (ret int, supported bool) {
 	return -1, false
 }
 -func vgetrandomPutState(state uintptr) {}
 +func vgetrandomDestroy(mp *m) {}
 func vgetrandomInit() {}
--- a/ilot/go/APKBUILD
+++ b/ilot/go/APKBUILD
@ -1,318 +0,0 @@
 # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
 # Contributor: Eivind Uggedal <eu@eju.no>
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=go
 # go binaries are statically linked, security updates require rebuilds
 pkgver=1.24.2
 pkgrel=1
 pkgdesc="Go programming language compiler"
 url="https://go.dev/"
 arch="all"
 license="BSD-3-Clause"
 depends="binutils gcc musl-dev"
 makedepends="bash"
 options="!check"
 checkdepends="binutils-gold git git-daemon"
 subpackages="$pkgname-doc"
 source="https://go.dev/dl/go$pkgver.src.tar.gz
 	0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
 	0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
 	0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
 	tests-fchmodat-not-supported.patch
 	"
 case "$CARCH" in
 	arm*|aarch64) depends="$depends binutils-gold";;
 	riscv64|loongarch64)
 		# binutils-gold is not supported on riscv64 and loongarch64.
 		checkdepends="${checkdepends/binutils-gold/}"
 		;;
 esac
 # secfixes:
 #   0:
 #     - CVE-2022-41716
 #     - CVE-2022-41720
 #     - CVE-2022-41722
 #     - CVE-2024-24787
 #   1.24.2-r0:
 #     - CVE-2025-22871
 #   1.24.1-r0:
 #     - CVE-2025-22870
 #   1.23.6-r0:
 #     - CVE-2025-22866
 #   1.23.5-r0:
 #     - CVE-2024-45336
 #     - CVE-2024-45341
 #   1.23.1-r0:
 #     - CVE-2024-34155
 #     - CVE-2024-34156
 #     - CVE-2024-34158
 #   1.22.5-r0:
 #     - CVE-2024-24791
 #   1.22.4-r0:
 #     - CVE-2024-24789
 #     - CVE-2024-24790
 #   1.22.3-r0:
 #     - CVE-2024-24788
 #   1.22.2-r0:
 #     - CVE-2023-45288
 #   1.22.1-r0:
 #     - CVE-2024-24783
 #     - CVE-2023-45290
 #     - CVE-2023-45289
 #     - CVE-2024-24785
 #     - CVE-2024-24784
 #   1.21.5-r0:
 #     - CVE-2023-39324
 #     - CVE-2023-39326
 #   1.21.3-r0:
 #     - CVE-2023-39325
 #     - CVE-2023-44487
 #   1.21.2-r0:
 #     - CVE-2023-39323
 #   1.21.1-r0:
 #     - CVE-2023-39318
 #     - CVE-2023-39319
 #     - CVE-2023-39320
 #     - CVE-2023-39321
 #     - CVE-2023-39322
 #   1.20.7-r0:
 #     - CVE-2023-29409
 #   1.20.6-r0:
 #     - CVE-2023-29406
 #   1.20.5-r0:
 #     - CVE-2023-29402
 #     - CVE-2023-29403
 #     - CVE-2023-29404
 #     - CVE-2023-29405
 #   1.20.4-r0:
 #     - CVE-2023-24539
 #     - CVE-2023-24540
 #     - CVE-2023-29400
 #   1.20.3-r0:
 #     - CVE-2023-24537
 #     - CVE-2023-24538
 #     - CVE-2023-24534
 #     - CVE-2023-24536
 #   1.20.2-r0:
 #     - CVE-2023-24532
 #   1.20.1-r0:
 #     - CVE-2022-41725
 #     - CVE-2022-41724
 #     - CVE-2022-41723
 #   1.19.4-r0:
 #     - CVE-2022-41717
 #   1.19.2-r0:
 #     - CVE-2022-2879
 #     - CVE-2022-2880
 #     - CVE-2022-41715
 #   1.19.1-r0:
 #     - CVE-2022-27664
 #     - CVE-2022-32190
 #   1.18.5-r0:
 #     - CVE-2022-32189
 #   1.18.4-r0:
 #     - CVE-2022-1705
 #     - CVE-2022-1962
 #     - CVE-2022-28131
 #     - CVE-2022-30630
 #     - CVE-2022-30631
 #     - CVE-2022-30632
 #     - CVE-2022-30633
 #     - CVE-2022-30635
 #     - CVE-2022-32148
 #   1.18.1-r0:
 #     - CVE-2022-28327
 #     - CVE-2022-27536
 #     - CVE-2022-24675
 #   1.17.8-r0:
 #     - CVE-2022-24921
 #   1.17.7-r0:
 #     - CVE-2022-23772
 #     - CVE-2022-23773
 #     - CVE-2022-23806
 #   1.17.6-r0:
 #     - CVE-2021-44716
 #     - CVE-2021-44717
 #   1.17.3-r0:
 #     - CVE-2021-41772
 #     - CVE-2021-41771
 #   1.17.2-r0:
 #     - CVE-2021-38297
 #   1.17.1-r0:
 #     - CVE-2021-39293
 #   1.17-r0:
 #     - CVE-2020-29509
 #     - CVE-2020-29511
 #     - CVE-2021-29923
 #   1.16.7-r0:
 #     - CVE-2021-36221
 #   1.16.6-r0:
 #     - CVE-2021-34558
 #   1.16.5-r0:
 #     - CVE-2021-33195
 #     - CVE-2021-33196
 #     - CVE-2021-33197
 #     - CVE-2021-33198
 #   1.16.4-r0:
 #     - CVE-2021-31525
 #   1.16.2-r0:
 #     - CVE-2021-27918
 #     - CVE-2021-27919
 #   1.15.7-r0:
 #     - CVE-2021-3114
 #     - CVE-2021-3115
 #   1.15.5-r0:
 #     - CVE-2020-28362
 #     - CVE-2020-28366
 #     - CVE-2020-28367
 #   1.15.2-r0:
 #     - CVE-2020-24553
 #   1.15-r0:
 #     - CVE-2020-16845
 #   1.14.5-r0:
 #     - CVE-2020-15586
 #   1.13.7-r0:
 #     - CVE-2020-7919
 #   1.13.2-r0:
 #     - CVE-2019-17596
 #   1.13.1-r0:
 #     - CVE-2019-16276
 #   1.12.8-r0:
 #     - CVE-2019-9512
 #     - CVE-2019-9514
 #     - CVE-2019-14809
 #   1.11.5-r0:
 #     - CVE-2019-6486
 #   1.9.4-r0:
 #     - CVE-2018-6574
 if [ "$CBUILD" = "$CTARGET" ]; then
 	makedepends="go-bootstrap $makedepends"
 	provides="go-bootstrap=$pkgver-r$pkgrel"
 else
 	pkgname="go-bootstrap"
 	makedepends="go $makedepends"
 	# Go expect host linker instead of the cross-compiler
 	export CC_FOR_TARGET="$CC"
 	export CC="${HOSTLD:-gcc}"
 	export CXX="${HOSTLD:-g++}"
 	export LD="${HOSTLD:-ld}"
 fi
 case "$CTARGET_ARCH" in
 aarch64) export GOARCH="arm64" ;;
 armel)   export GOARCH="arm" GOARM=5 ;;
 armhf)   export GOARCH="arm" GOARM=6 ;;
 armv7)   export GOARCH="arm" GOARM=7 ;;
 s390x)   export GOARCH="s390x" ;;
 x86)     export GOARCH="386" ;;
 x86_64)  export GOARCH="amd64" ;;
 ppc64)   export GOARCH="ppc64" ;;
 ppc64le) export GOARCH="ppc64le" ;;
 riscv64) export GOARCH="riscv64" ;;
 loongarch64) export GOARCH="loong64" ;;
 *)       export GOARCH="unsupported";;
 esac
 # compile go itself as a PIE on supported arches.
 case "$CARCH" in
 x86_64|s390x|aarch64) export GO_LDFLAGS=-buildmode=pie ;;
 esac
 prepare() {
 	default_prepare
 	# The GitLab CI builds aports in a container. On ppc64le, ASLR
 	# needs to be disabled in order to have the following test case
 	# pass. However, the container doesn't have permissions to
 	# disable ASLR, hence we just disable this test for now.
 	#
 	# See https://github.com/golang/go/issues/49066#issuecomment-1252948861
 	if [ "$CTARGET_ARCH" = "ppc64le" ]; then
 		rm test/fixedbugs/bug513.go
 	fi
 }
 builddir="$srcdir"/go
 build() {
 	cd "$builddir/src"
 	export GOOS="linux"
 	export GOPATH="$srcdir"
 	export GOROOT="$builddir"
 	export GOBIN="$GOROOT"/bin
 	export GOROOT_FINAL=/usr/lib/go
 	local p; for p in /usr/lib/go-bootstrap /usr/lib/go-linux-$GOARCH-bootstrap /usr/lib/go; do
 		if [ -d "$p" ]; then
 			export GOROOT_BOOTSTRAP="$p"
 			break
 		fi
 	done
 	./make.bash -v
 	# copied from bootstrap.bash to fixup cross-built bootstrap go
 	if [ "$CBUILD" != "$CTARGET" ]; then
 		local gohostos="$(../bin/go env GOHOSTOS)"
 		local gohostarch="$(../bin/go env GOHOSTARCH)"
 		mv ../bin/*_*/* ../bin
 		rmdir ../bin/*_*
 		rm -rf "../pkg/${gohostos}_$gohostarch"* "../pkg/tool/${gohostos}_$gohostarch"*
 		rm -rf ../pkg/bootstrap ../pkg/obj
 	fi
 }
 check() {
 	cd "$builddir/src"
 	if [ "$CTARGET_ARCH" = "armhf" ]; then
 		export GO_TEST_TIMEOUT_SCALE=2
 	fi
 	# Test suite does not pass with ccache, thus remove it form $PATH.
 	export PATH="$(echo "$PATH" | sed 's|/usr/lib/ccache/bin:||g')"
 	PATH="$builddir/bin:$PATH" ./run.bash -no-rebuild
 }
 package() {
 	mkdir -p "$pkgdir"/usr/bin "$pkgdir"/usr/lib/go/bin "$pkgdir"/usr/share/doc/go
 	for binary in go gofmt; do
 		install -Dm755 bin/"$binary" "$pkgdir"/usr/lib/go/bin/"$binary"
 		ln -s /usr/lib/go/bin/"$binary" "$pkgdir"/usr/bin/
 	done
 	cp -a misc pkg src lib "$pkgdir"/usr/lib/go
 	cp -r doc "$pkgdir"/usr/share/doc/go
 	rm -rf "$pkgdir"/usr/lib/go/pkg/obj
 	rm -rf "$pkgdir"/usr/lib/go/pkg/bootstrap
 	rm -f  "$pkgdir"/usr/lib/go/pkg/tool/*/api
 	# Install go.env, see https://go.dev/doc/toolchain#GOTOOLCHAIN.
 	install -Dm644 "$builddir"/go.env "$pkgdir"/usr/lib/go/go.env
 	install -Dm644 VERSION "$pkgdir/usr/lib/go/VERSION"
 	# Remove tests from /usr/lib/go/src to reduce package size,
 	# these should not be needed at run-time by any program.
 	find "$pkgdir"/usr/lib/go/src \( -type f -a -name "*_test.go" \) \
 		-exec rm -rf \{\} \+
 	find "$pkgdir"/usr/lib/go/src \( -type d -a -name "testdata" \) \
 		-exec rm -rf \{\} \+
 	# Remove rc (plan 9) and bat scripts (windows) to reduce package
 	# size further. The bash scripts are actually needed at run-time.
 	#
 	# See: https://gitlab.alpinelinux.org/alpine/aports/issues/11091
 	find "$pkgdir"/usr/lib/go/src -type f -a \( -name "*.rc" -o -name "*.bat" \) \
 		-exec rm -rf \{\} \+
 }
 sha512sums="
 6366a32f6678e7908b138f62dafeed96f7144b3b93505e75fba374b33727da8b1d087c1f979f493382b319758ebfcbeb30e9d7dadcb2923b628c8abe7db41c6f  go1.24.2.src.tar.gz
 34dbe032c5f08dd8a7aad36fc4d54e746a876fdadc25466888a2f04f5a9d53103190ebd68d3cf978d3a041976185e30ffb25611fb577d031c159810d2d4c7c41  0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
 8061e4ef9d7dd31804bd8d98c95afa5dd82567940b3436f45f874e0419e324b49713d8a814df04617e575ec3c6155199c4661352ea8aef63ead81ca3020f3dc4  0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
 d56b796ac81f8901cf426711e381b386ec6e039090fd914ebb2246e5b2ccaa6c1dcb40810a886c5e1b0a748c9bcd4cfe9749d85da91e7ce4c11aaf470295e549  0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
 33ecefca77fa0af52a3b2b66a76977af27a88c8dddb89f03e0a5ae6794b9aac53a62d7be33020b49022e9a89d4cdfa383038ee10e160eb94548b2430bf3cfb5e  tests-fchmodat-not-supported.patch
 "
--- a/ilot/go/tests-fchmodat-not-supported.patch
+++ b/ilot/go/tests-fchmodat-not-supported.patch
@ -1,19 +0,0 @@
 Without this patch, the TestFchmodat fails on our arm CI with:
 	syscall_linux_test.go:139: Fchmodat: unexpected error: operation not permitted, expected EOPNOTSUPP
 The "operation not permitted" means that EPERM was returned which
 is likely due to the security policy of our CI container.
 diff -upr go.orig/src/syscall/syscall_linux_test.go go/src/syscall/syscall_linux_test.go
 --- go.orig/src/syscall/syscall_linux_test.go	2024-02-07 22:54:39.316022227 +0100
 +++ go/src/syscall/syscall_linux_test.go	2024-02-07 22:56:05.104871102 +0100
@@ -135,7 +135,7 @@ func TestFchmodat(t *testing.T) {
 	}
 	err = syscall.Fchmodat(_AT_FDCWD, "symlink1", 0444, _AT_SYMLINK_NOFOLLOW)
 -	if err != syscall.EOPNOTSUPP {
 +	if !testenv.SyscallIsNotSupported(err) && err != syscall.EOPNOTSUPP {
 		t.Fatalf("Fchmodat: unexpected error: %v, expected EOPNOTSUPP", err)
 	}
 }
--- a/ilot/listmonk/APKBUILD
+++ b/ilot/listmonk/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=listmonk
-pkgver=5.0.0
+pkgver=4.1.0
 pkgrel=0
 pkgdesc='Self-hosted newsletter and mailing list manager with a modern dashboard'
 arch="all"
@ -67,7 +67,7 @@ package() {
 	ln -s /etc/listmonk/config.toml "$pkgdir"/usr/share/webapps/listmonk/config.toml
 }
 sha512sums="
-b0875124106ac737550eb340c209f079698c0b9e1f1e55c70eca113720dbc9dcfaac63aa65722299a1448a582cedf0f9ee20b24ea0625d4e780d83e0d6bab198  listmonk-5.0.0.tar.gz
+936b33d6de1d69ee4e7f768810116ac997c516754aace0371089bc8106bebee944197864afc11b7bc5725afa9a4f195d6629957bfcdd37c847e3780aa34558ec  listmonk-4.1.0.tar.gz
 939450af4b23708e3d23a5a88fad4c24b957090bdd21351a6dd520959e52e45e5fcac117a3eafa280d9506616dae39ad3943589571f008cac5abe1ffd8062424  listmonk.sh
 8e9c0b1f335c295fb741418246eb17c7566e5e4200a284c6483433e8ddbf5250aa692435211cf062ad1dfcdce3fae9148def28f03f2492d33fe5e66cbeebd4bd  listmonk.openrc
 "
--- a/ilot/mastodon/APKBUILD
+++ b/ilot/mastodon/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=mastodon
 _pkgname=$pkgname
-pkgver=4.2.20
+pkgver=4.2.19
 _gittag=v$pkgver
 pkgrel=0
 pkgdesc="Self-hosted social media and network server based on ActivityPub and OStatus"
@ -192,7 +192,7 @@ assets() {
 }
 sha512sums="
-132df11b54bf0f900e2ee6e149ddb730706a67fc6130ead63b327028fa590944f21a19bcba07d859885717208b6abc005d0aee7675fd8e0fb09ad8d6f8f631b7  mastodon-v4.2.20.tar.gz
+cb57227876fbf8ca358104970de6d0c3c9b5913246df4a0d0cfa35b79fa3961d98c309d77222bf596941842062d099065d4502fc1f3dd4531394350e10a9860c  mastodon-v4.2.19.tar.gz
 d49fea9451c97ccefe5e35b68e4274aeb427f9d1e910b89c1f6c810489c3bec1ccff72952fdaef95abf944b8aff0da84a52347540d36ff1fba5ccc19e1d935c6  mastodon.initd
 eefe12a31268245f802222c0001dac884e03adb0d301e53a1512a3cd204836ca03ad083908cd14d146cf0dce99e3a4366570efd0e40a9a490ccd381d4c63c32f  mastodon.web.initd
 8fc9249c01693bb02b8d1a6177288d5d3549addde8c03eb35cc7a32dde669171872ebc2b5deb8019dc7a12970098f1af707171fa41129be31b04e1dc1651a777  mastodon.sidekiq.initd
--- a/ilot/nextcloud30/APKBUILD
+++ b/ilot/nextcloud30/APKBUILD
@ -2,7 +2,7 @@
 # Contributor: jahway603 <jahway603@protonmail.com>
 # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
 _pkgname=nextcloud
-pkgver=30.0.10
+pkgver=30.0.8
 pkgrel=0
 is_latest=true
 _pkgvermaj=${pkgver%%.*}
@ -310,7 +310,7 @@ _package_app() {
 }
 sha512sums="
-c8c9800fff46c5634576b9e0696afd4083e34d24000762ebf3a66192d1dea3f664d1c1d42e6ae262535757991d0a60ee7ee1e1d24757677be56bb8ea7d4d3fd5  nextcloud-30.0.10.tar.bz2
+0bca2f42ccfb7db4befdd2aeeb1df72d2f9acad88907706f8524ced55bd0213b30b687a5e4c623615e59f22246562e195fd74bbb409c4f60b713482e1237d755  nextcloud-30.0.8.tar.bz2
 daeabeaa315bb908cc1e49612cce4b2debd71d17acb84b5d14e15fe124c907884b72d54e9aa669ec209eee1b1934d0bc242d72a28d8db7339cfb08383f66fd5c  nextcloud-dont-chmod.patch
 12f4a39aef0f81a0115c81bf2b345cc194537a7e8300748b800b0e35bc07928091296074b23c2019c17aced69854a11d1ed7225f67eefd27cf00c3969a75c5b0  dont-update-htaccess.patch
 cb04252d01407c7030e87dd54616c621ea0f85ef0212674b1161288182538cae0fb31c67e7cc07c66f9607075774c64e386009cc66365b1f1b155f6ad4f83ac0  disable-integrity-check-as-default.patch