Diffstat (limited to 'sys-apps/systemd')
-rw-r--r-- | sys-apps/systemd/Manifest | 5 | ||||
-rw-r--r-- | sys-apps/systemd/files/255-dnssec-2.patch | 48 | ||||
-rw-r--r-- | sys-apps/systemd/files/255-dnssec-3.patch | 32 | ||||
-rw-r--r-- | sys-apps/systemd/files/255-dnssec.patch | 8 | ||||
-rw-r--r-- | sys-apps/systemd/systemd-255.5-r2.ebuild | 532 |
5 files changed, 621 insertions, 4 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index 90a728185911..3f3c7a4b45b2 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -1,5 +1,7 @@ AUX 254-PrivateDevices-userdbd.patch 9905 BLAKE2B ecc0cac69ddb680f57b537ac239c2b561b41635e1a6208dd72b7ae85b437f8ddfc0a026fe3530df7777b6c35f2e79edf73ab26e8ea590dd15865836e55eff3c0 SHA512 ce2b9e10854d87a6f179ed9b3ef85b5caf7b51ecd65584d70a90a3151b113158fd5565dbf9806e177f801a555161bf783e77230f9c6c67904484d04de3aac497 -AUX 255-dnssec.patch 1270 BLAKE2B c2d3f2ad5accf0d6a15735d1b77d70bf90933516cb48f8581809f1b710624e7016b9f43c4ea373dbdc80b3e02e24253616c5c17d40bd56b5c2a420616a7fdad4 SHA512 1f8a7fbfb68cadac22226f8373e7e30f210ba801ee9e4932dcb52c1f6965ca7730635c1cf3893408d1be00d291006c0787575e0b4fcfe541fea4bce113861c11 +AUX 255-dnssec-2.patch 2475 BLAKE2B 75378a8567786a880dae58d726e0c5dad946a58b3cb816b257b5894e87358726f80709bdd9dc08b991a05e9f980a27cd54ec4ef0fa7c479ecd5c217ce609f0ae SHA512 99cd7dd7c4139069c506dad31e3abef3b2aba849a96709ac3ea1e0d3c517d754ae3d488cf646189ebeb1830698f78df542b49c81194a47fbf50359214f0bc938 +AUX 255-dnssec-3.patch 1656 BLAKE2B 8a3556ee8338d8b3bfea178d56c843f65af8a8a92892f13d2aa7c6228cdc128a29d706cfcb2e91eb8e4be0d198a65bfcf1071c35a8c3883b68045a14d2be2101 SHA512 e6217a94e8f18b765d7088cbb570cb59c904aaf65f278e0d3dc4d0a2d8186d0b3b91f3d961e97fd84921490b2b2ae8f0afff62605e550e053b4d5606b0813aa1 +AUX 255-dnssec.patch 1476 BLAKE2B cb4406c3b19aca762557827e64e78a83bee709c596453275060d6a69b044014f92a5ccc54ea8da8a65fa1e745c3f9fe5a06d0d0519730b21deda28c6237c2239 SHA512 cfe01b27df92ad06847fd01fdbafc151a0dd39d865c95b72ce001dc130ee3bdf95f13b84cf318f0c37628477b829a406ba8c5f999a619d109f5474fad477a87f AUX 255-install-format-overflow.patch 2190 BLAKE2B 8e0660f4b84174b0946f5f069e0d4bcf55d0c4b5964a978648364a84a3d3f04b21a8434794c58c035eac76b4114f32372ed8017de0cd77cbddcf934e60d9202b SHA512 dab24bd709c41723ddbd43cde51f525b8b959fe55ebd343e3f04d4977430d9eca5cc7c06bbc9c4ef3444747e9780621b648247cd946d3baa28820b03011e72ad AUX gentoo-generator-path-r2.patch 994 BLAKE2B 
2bfb42623221291030fa9f7310e9bf747351a26f6ffd842628298787b74d4ec562bacaa9fc5365f7e854f695dab5f74bc06883fefc1f210dce4fd415926817ac SHA512 98054222ea232e120625573b6a532c312eccc02fe657152610b7d056b964bb2165fffae9d17fd986cf547af885d44c26b117fe68df5b24e2607d37f3729d0ada AUX gentoo-journald-audit-r1.patch 1941 BLAKE2B 93f1a0ba8dd575359e5ab4bd04f99ed3172dbe1ba14d8cade6fc08b0158e66847900d8531898ee9ec3855ac3857cf07a3e10804a3cb67719f0e9378437eba836 SHA512 affbe58aa65ebca7c1c6d790f9f68ffc44bda70a08165f5298ee4a84ab1c16cf534950ac50ffdb61b647e5eb068f51c333a76e39d8336e21e5d1b0199192139c 
@@ -23,6 +25,7 @@ EBUILD systemd-254.9-r1.ebuild 15526 BLAKE2B 8dcef82b133f49b1916c107575b64e695f0 EBUILD systemd-255.3-r1.ebuild 14914 BLAKE2B 1166b26b9b4f9149007879f9502f6923459a4eb2faa8474fc23ef66e76b81a6d8541069e3382f26b3fb75043c0cac828223632181f3007f6637ffc41a27cc37b SHA512 61b4888e9d4f208bcbd32da4c6da7b101d5b757518ff22b8013bdfcac055a70b20e43ff5cf6bd2debc14b73e97cebd1e0cc48f17b40639fefe56e4e30154fab5 EBUILD systemd-255.4.ebuild 14942 BLAKE2B 6023a35d0614ba98ca0fe00ebce0621933d62c7d350acd992c8287e471836b61acd2a46cfd07ab918823bb16f6c18542e1e5fdfe6c1d560dc44847bb50969d36 SHA512 3a2075dfba437da5de587afe478570afc6b309d300a931c82ac3645b13d0fd08f1a56fbc49703032906aaf667b090b2aacf8f44e0849ac4015ad4ba1d5435377 EBUILD systemd-255.5-r1.ebuild 14932 BLAKE2B 9ad711f9156e83f500d789ff07bf7bdfb573da079c7462f4fb1bab2f54a95809dc5cad2a458a112a8363053ce91762ae90589fb9ec81beb5078a85f6e5fdae77 SHA512 660de7bf8aeb0d7797ef1f27b8abe16dfac51d0d403dc1ff3e73392c4c9ecd98eec7f59d79493a0d0f14e314342a4171cf14d383bca6e5f9f175841017377c64 +EBUILD systemd-255.5-r2.ebuild 15002 BLAKE2B 9cb0ece809e4bbe8d76e3798546331e6c28fea70def1da6a030fbb3197d7cbf002565ef78f8f94b2776eca34df6e10dcc26ab6632af0398e7ed3d8633f51496c SHA512 a1cb198768f8e29972e580447938b5a2068e790069107d4e1e9e6bf5ac663291abc07ae8fcb6b08cecec302c9ca5faaeaddc13cb8082c9424876dd7d9851a0fc EBUILD systemd-255.5.ebuild 14899 BLAKE2B 821ecbb2502896c89a293c75047b79695281127336c8fde824834ffd6390187ebb9c3563e55ae66868fc9591bb41857c9db0f54db2d086a60ef1c1f9c831de7a SHA512 faa9ea73c23062b2cd3e6ce973495364d9d410de95b2847364009fe441adff098c79cac13abd34bc52aea06a962c72ced44000e40e930470950ecc317beb154c EBUILD systemd-9999.ebuild 14899 BLAKE2B 821ecbb2502896c89a293c75047b79695281127336c8fde824834ffd6390187ebb9c3563e55ae66868fc9591bb41857c9db0f54db2d086a60ef1c1f9c831de7a SHA512 faa9ea73c23062b2cd3e6ce973495364d9d410de95b2847364009fe441adff098c79cac13abd34bc52aea06a962c72ced44000e40e930470950ecc317beb154c MISC metadata.xml 2609 BLAKE2B 
8947f3b696fbba7b90e838a54fbb4fd933c71907c8011652fc2b7d68d4ce5f78a19f350a309e4c0f66ef0159376c9064ba9c15941ecf1748c359c4ae3b072102 SHA512 dfeea24b7a93f5d4af4ac47b87ba08092d069fb1a4749c0c1f36a669be6115eaea8f67e6183b6a4f155ef90d7714f74299109420d569c2b0545d80584ed0e97e diff --git a/sys-apps/systemd/files/255-dnssec-2.patch b/sys-apps/systemd/files/255-dnssec-2.patch new file mode 100644 index 000000000000..e8eaf9782b3e --- /dev/null +++ b/sys-apps/systemd/files/255-dnssec-2.patch 
@@ -0,0 +1,48 @@ +https://github.com/systemd/systemd/pull/32598 +https://github.com/systemd/systemd-stable/commit/ee15f5efaf2f6cdbb867fca601e92761276e2b1e + +From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001 +From: Ronan Pigott <ronan@rjp.ie> +Date: Tue, 30 Apr 2024 22:15:18 -0700 +Subject: [PATCH] resolved: probe for dnssec support in allow-downgrade mode + +Previously, sd-resolved unnecessarily requested SOA records for each dns +label in the query, even though they are not needed for the chain of +trust. Since 47690634f157, only the necessary records are queried when +validating. + +This is actually a problem in allow-downgrade mode, since we will no +longer attempt a query for a record that we know is signed a priori, and +will therefore never update our belief about the state of dnssec support +in the recursive resolver. + +Rectify this by reintroducing a query for the root zone SOA in the +allow-downgrade case, specifically to test that the resolver attaches +the RRSIGs which we know must exist. + +Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc) +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r < 0) + return r; + ++ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) { ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; ++ /* We made it all the way to the root zone. If we are in allow-downgrade ++ * mode, we need to make at least one request that we can be certain should ++ * have been signed, to test for servers that are not dnssec aware. 
*/ ++ soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); ++ if (!soa) ++ return -ENOMEM; ++ ++ log_debug("Requesting root zone SOA to probe dnssec support."); ++ r = dns_transaction_request_dnssec_rr(t, soa); ++ if (r < 0) ++ return r; ++ } ++ + break; + } + diff --git a/sys-apps/systemd/files/255-dnssec-3.patch b/sys-apps/systemd/files/255-dnssec-3.patch new file mode 100644 index 000000000000..4fd231d6d157 --- /dev/null +++ b/sys-apps/systemd/files/255-dnssec-3.patch @@ -0,0 +1,32 @@ +https://github.com/systemd/systemd/pull/32593 +https://github.com/systemd/systemd-stable/commit/a1580223a5dd67ab61c5f888b114de43b65fffbf + +From a1580223a5dd67ab61c5f888b114de43b65fffbf Mon Sep 17 00:00:00 2001 +From: Ronan Pigott <ronan@rjp.ie> +Date: Tue, 30 Apr 2024 13:19:14 -0700 +Subject: [PATCH] resolved: validate authentic insecure delegation to CNAME + +If the parent zone uses a non-opt-out method that provides authenticated +negative DS replies, we still can't expect signatures from the child +zone. sd-resolved was using the authenticated status of the DS reply to +require signatures for CNAMEs, even though it had already proved that no +signature exists. + +Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit 414a9b8e5e1e772261b0ffaedc853f5c0aba5719) +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2863,7 +2863,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + if (r == 0) + continue; + +- return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) ++ return false; ++ ++ /* We expect this to be signed when the DS record exists, and don't expect it to be ++ * signed when the DS record is proven not to exist. */ ++ return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); + } + + return true; 
diff --git a/sys-apps/systemd/files/255-dnssec.patch b/sys-apps/systemd/files/255-dnssec.patch index 5c720c58ce4a..978c26ff15f4 100644 --- a/sys-apps/systemd/files/255-dnssec.patch +++ b/sys-apps/systemd/files/255-dnssec.patch @@ -1,6 +1,8 @@ +https://github.com/systemd/systemd/issues/32531 https://github.com/systemd/systemd/commit/d840783db5208219c78d73b9b46ef5daae9fea0a +https://github.com/systemd/systemd-stable/commit/52c17febf14c866d9808d1804f13ac98d76e665b -From d840783db5208219c78d73b9b46ef5daae9fea0a Mon Sep 17 00:00:00 2001 +From 52c17febf14c866d9808d1804f13ac98d76e665b Mon Sep 17 00:00:00 2001 From: Ronan Pigott <ronan@rjp.ie> Date: Mon, 29 Apr 2024 02:17:23 -0700 Subject: [PATCH] resolved: always progress DS queries @@ -11,9 +13,10 @@ might not make any progress toward finding the DS we need. Let's ensure that we at least always check the parent in this case. Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit d840783db5208219c78d73b9b46ef5daae9fea0a) --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c -@@ -2618,6 +2618,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { +@@ -2545,6 +2545,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { return r; if (r == 0) continue; @@ -24,4 +27,3 @@ Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") } r = dnssec_has_rrsig(t->answer, rr->key); - diff --git a/sys-apps/systemd/systemd-255.5-r2.ebuild b/sys-apps/systemd/systemd-255.5-r2.ebuild new file mode 100644 index 000000000000..533779767069 --- /dev/null +++ b/sys-apps/systemd/systemd-255.5-r2.ebuild 
@@ -0,0 +1,532 @@ +# Copyright 2011-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{10..12} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 +UDEV_OPTIONAL=1 + +QA_PKGCONFIG_VERSION=$(ver_cut 1) + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + if [[ ${PV} == *.* ]]; then + MY_PN=systemd-stable + else + MY_PN=systemd + fi + MY_PV=${PV/_/-} + MY_P=${MY_PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" + + if [[ ${PV} != *rc* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + fi +fi + +inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +inherit secureboot systemd toolchain-funcs udev + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="http://systemd.io/" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE=" + acl apparmor audit boot cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod + +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd +" +REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} + dns-over-tls? ( || ( gnutls openssl ) ) + fido2? ( cryptsetup openssl ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma || ( gcrypt openssl ) ) + pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) +" +RESTRICT="!test? ( test )" + +MINKV="4.15" + +COMMON_DEPEND=" + >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + virtual/libcrypt:=[${MULTILIB_USEDEP}] + acl? ( sys-apps/acl:0= ) + apparmor? ( >=sys-libs/libapparmor-2.13:0= ) + audit? ( >=sys-process/audit-2:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) + curl? 
( >=net-misc/curl-7.32.0:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( dev-libs/libfido2:0= ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) + idn? ( net-dns/libidn2:= ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + iptables? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) + pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) + pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) + pcre? ( dev-libs/libpcre2 ) + pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) + qrcode? ( >=media-gfx/qrencode-3:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( >=sys-libs/libselinux-2.1.9:0= ) + tpm? ( app-crypt/tpm2-tss:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} +" + +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=acct-group/adm-0-r1 + >=acct-group/wheel-0-r1 + >=acct-group/kmem-0-r1 + >=acct-group/tty-0-r1 + >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 + >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 + acct-group/sgx + >=acct-group/tape-0-r1 + acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 + >=acct-user/root-0-r1 + acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 + >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 + acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 + >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + 
ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) + selinux? ( + sec-policy/selinux-base-policy[systemd] + sec-policy/selinux-ntp + ) + sysv-utils? ( + !sys-apps/openrc[sysv-utils(-)] + !sys-apps/sysvinit + ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] + !sys-auth/nss-myhostname + !sys-fs/eudev + !sys-fs/udev +" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-build/meson-0.46 + >=sys-apps/coreutils-8.16 + sys-devel/gettext + virtual/pkgconfig + test? ( + app-text/tree + dev-lang/perl + sys-apps/dbus + ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] ) + ukify? ( test? ( ${PEFILE_DEPEND} ) ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +pkg_pretend() { + if use split-usr; then + eerror "Please complete the migration to merged-usr." 
+ eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + "${FILESDIR}/systemd-test-process-util.patch" + "${FILESDIR}/255-dnssec.patch" + "${FILESDIR}/255-dnssec-2.patch" + "${FILESDIR}/255-dnssec-3.patch" + ) + + if ! 
use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-generator-path-r2.patch" + "${FILESDIR}/gentoo-journald-audit-r1.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + # default is developer, bug 918671 + -Dmode=release + -Dsupport-url="https://gentoo.org/support/" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + -Dsplit-bin=false + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # Avoid infinite exec recursion, bug 642724 + -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps + -Dima=true + -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified) + # Match /etc/shells, bug 919749 + -Ddebug-shell="${EPREFIX}/bin/sh" + -Ddefault-user-shell="${EPREFIX}/bin/bash" + # Optional components/dependencies + $(meson_native_use_bool acl) + $(meson_native_use_bool apparmor) + $(meson_native_use_bool audit) + $(meson_native_use_bool boot bootloader) + $(meson_native_use_bool cryptsetup libcryptsetup) + $(meson_native_use_bool curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_bool elfutils) + $(meson_native_use_bool fido2 libfido2) + $(meson_use gcrypt) + $(meson_native_use_bool gnutls) + $(meson_native_use_bool homed) + $(meson_native_use_bool http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_bool importd) + $(meson_native_use_bool importd bzip2) + $(meson_native_use_bool importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_bool kmod) + $(meson_use lz4) + $(meson_use lzma xz) + $(meson_use test tests) + $(meson_use zstd) + $(meson_native_use_bool iptables libiptc) + $(meson_native_use_bool openssl) + $(meson_use pam) + $(meson_native_use_bool pkcs11 p11kit) + 
$(meson_native_use_bool pcre pcre2) + $(meson_native_use_bool policykit polkit) + $(meson_native_use_bool pwquality) + $(meson_native_use_bool qrcode qrencode) + $(meson_native_use_bool seccomp) + $(meson_native_use_bool selinux) + $(meson_native_use_bool tpm tpm2) + $(meson_native_use_bool test dbus) + $(meson_native_use_bool ukify) + $(meson_native_use_bool xkb xkbcommon) + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_true man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + $(meson_native_enabled vmspawn) + ) + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + ( + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + export COLUMNS=80 + addpredict /dev + addpredict /proc + addpredict /run + addpredict /sys/fs/cgroup + meson_src_test + ) || die +} + +multilib_src_install_all() { + # meson doesn't know about docdir + mv "${ED}"/usr/share/doc/{systemd,${PF}} || die + + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}"/usr/bin/resolvconf || die + fi + + if ! 
use sysv-utils; then + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + if use pam; then + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die + fi + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... 
+ if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? || FAIL=1 + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. 
You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi + + if use boot; then + optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ + "sys-kernel/installkernel[systemd-boot]" + fi + if use ukify; then + optfeature "generating unified kernel image on each kernel installation" \ + "sys-kernel/installkernel[ukify]" + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} |
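Review bot: In pkg_postinst of the new ebuild, `rm "${EROOT}/var/lib/systemd/timesync"` is the only step in that function whose failure is not recorded, so an unremovable stale symlink is silently ignored while the neighbouring udev_reload, systemctl enable and daemon-reexec steps all set FAIL; `rm "${EROOT}/var/lib/systemd/timesync" || FAIL=1` would keep the function consistent with its own error reporting. Relatedly, in multilib_src_install_all the `rm -f "${ED}"/usr/bin/resolvconf || die` guard is rarely reachable, since rm -f succeeds on a missing path and only fails on permission-type errors, whereas the sysv-utils branch just below uses a plain `rm ... || die`; either form is fine but the two should match. Since this file appears to be the r1 ebuild plus the two extra dnssec patches, the same two points presumably apply to the existing systemd-255.5-r1.ebuild as well, though that file is outside this diff.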