singularity-3.8.5-bp153.2.10.1

- updated to release version 3.8.5 which fixes CVE-2021-41190 (boo#1193273)
  * Building Singularity from source requires go >=1.16. We now aim
    to support the two most recent stable versions of Go. This
    corresponds to the Go Release Maintenance Policy
- Bug fixes
  * Sourcing a script based on PATH is now permitted, fixing a
    regression introduced in 3.6.0.
  * Environment variables in container definition files are
    properly scoped, fixing a regression introduced in 3.8.0.

- updated to bug fix release 3.8.4 with following fix:
  * Fix the oras contexts to avoid hangs upon failed pushes to
    Harbor registry.

- build requires libseccomp-devel (boo#1191697)
- fix sysuser file name

-  added example definitions for SLE12-SP5 and SLE15-SP3
  * added files:
    SLE-12SP5.def
    SLE-15SP3.def

- Utilize sysuser infrastructure to set group singularity.

- Updated to version 3.8.3 which fixes regression introduced in 3.8.1 that
  caused bind mounts without a destination to be added twice.

- update to version 3.8.2
- New features:
  * A new overlay command allows creation and addition of writable overlays.
  * Administrators can allow named users/groups to use specific CNI network
    configurations. Managed by directives in singularity.conf.
  * The build command now honors --nv, --rocm, and --bind flags, permitting
    builds that require GPU access or files bound in from the host.
  * A library service hostname can be specified as the first component of a
    library:// URL.
-  Bug fixes:
  * Respect http proxy server environment variables in key operations.
  * When pushing SIF images to oras:// endpoints, work around Harbor & GitLab
    failure to accept the SifConfigMediaType.
  * Avoid a setfsuid compilation warning on some gcc versions.
  * Fix a crash when silent/quiet log levels used on pulls from shub:// and
    http(s):// URIs.
  * Wait for dm device to appear when mounting an encrypted container rootfs.
  * Accommodate ppc64le pageSize in TestCgroups and disable -race.
  * Allow escaped \$ in a SINGULARITYENV_ var to set a literal $ in a container
    env var. Also allow escaped commas and colons in the source bind path.
  * Handle absolute symlinks correctly in multi-stage build %copy from blocks.
  * Fix incorrect reference in sandbox restrictive permissions warning.
  * Prevent garbage collection from closing the container image file descriptor.
  * Update to Arch Linux pacman.conf URL and remove file size verification.
  * Avoid panic when mountinfo line has a blank field.
  * Fix regression when files sourced from %environment contain \ escaped shell
    builtins (fixes issue with source of conda profile.d script).
  * singularity delete will use the correct library service when the hostname
    is specified in the library:// URI.
  * singularity build will use the correct library service when the hostname is
    specified in the library:// URI / definition file.
  * When destination is ommitted in %files entry in definition file, ensure
    globbed files are copied to correct resolved path.
  * Return an error if --tokenfile used for remote login to an OCI registry, as
    this is not supported.
  * Ensure repeated remote login to same URI does not create duplicate entries
    in ~/.singularity/remote.yaml.
  * Properly escape single quotes in Docker CMD / ENTRYPOINT translation.
  * Updated the modified golang-x-crypto module with the latest upstream version.

- Update to version 3.7.4  (boo#1186619)
  Fix for CVE-2021-32635:
  Due to incorrect use of a default URL, singularity action commands
  (run/shell/exec) specifying a container using a library:// URI will always
  attempt to retrieve the container from the default remote endpoint
  (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may
  be able to push a malicious container to the default remote endpoint with a
  URI that is identical to the URI used by a victim with a non-default remote
  endpoint, thus executing the malicious container.
- Disabled ppc64le builds as these are non pie builds and so not
  suiteable for the distribution in SLE and ppc64le is not relevant
  for openSUSE

- Update to version 3.7.3
  Fix for CVE-2021-29136:
  A dependency used to extract docker/OCI image layers can be
  tricked into modifying host files by creating a malicious layer
  that has a symlink with the name "." (or "/"), when running as root.

- New version 3.7.2
  - Bug Fixes
  - Fix progress bar display when source image size is unknown.
  - Fix a memory usage / leak issue when building from an existing
    image file.
  - Fix to allow use of ``--library`` flag to point push/pull at
    default cloud library when another remote is in use.
  - Address false positive loop test errors, and an e2e test registry
    setup issue.

- New version 3.7.1
  - Bug Fixes
  - Accommodate /sys/fs/selinux mount changes on kernel 5.9+.
  - Fix loop devices file descriptor leak when shared loop devices
    is enabled.
  - Use MaxLoopDevices variable from config file in all appropriate
    locations.
  - Use -buildmode=default (non pie) on ppc64le to prevent crashes
    when using plugins.
  - Remove spurious warning in parseTokenSection()
  - e2e test fixes for new kernels, new unsquashfs version.
  - Show correct web URI for detached builds against alternate remotes.

- New version 3.7.0
  - New features / functionalities
  - Allow configuration of global custom keyservers, separate from
    remote endpoints.
  - Add a new global keyring, for public keys only (used for ECL).
  - The `remote login` commmand now suports authentication to Docker/OCI
    registries and custom keyservers.
  - New `--exclusive` option for `remote use` allows admin to lock usage
    to a specific remote.
  - A new `Fingerprints:` header in definition files will check that
    a SIF source image can be verified, and is signed with keys
    matching all specified fingerprints.
  - Labels can be set dynamically from a build's `%post` section by
    setting them in the `SINGULARITY_LABELS` environment variable.
  - New `build-arch` label is automatically set to the architecure of
    the host during a container build.
  - New `-D/--description` flag for `singularity push` sets
    description for a library container image.
  - `singularity remote status` shows validity of authentication token if
    set.
  - `singularity push` reports quota usage and URL on successful push
    to a library server that supports this.
  - A new `--no-mount` flag for actions allows a user to disable
    proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are
    enabled in `singularity.conf`.
  - Changed defaults / behaviours
  - When actions (run/shell/exec...) are used without `--fakeroot` the
    umask from the calling environment will be propagated into the
    container, so that files are created with expected permissions.
    Use the new `--no-umask` flag to return to the previous behaviour
    of setting a default 0022 umask.
  - Container metadata, environment, scripts are recorded in a
    descriptor in builds to SIF files, and `inspect` will use this if
    present.
  - The `--nv` flag for NVIDIA GPU support will not resolve libraries
    reported by `nvidia-container-cli` via the ld cache. Will instead
    respect absolute paths to libraries reported by the tool, and bind
    all versioned symlinks to them.
  - General re-work of the `remote login` flow, adds prompts and token
    verification before replacing an existing authentication token.
  - The Execution Control List (ECL) now verifies container
    fingerprints using the new global keyring. Previously all users
    would need relevant keys in their own keyring.
  - The SIF layer mediatype for ORAS has been changed to
    `application/vnd.sylabs.sif.layer.v1.sif` reflecting the published
    [opencontainers/artifacts](https://github.com/opencontainers/artifacts/blob/master/artifact-authors.md#defining-layermediatypes)
    value.
  - `SINGULARITY_BIND` has been restored as an environment variable
    set within a running container. It now reflects all user binds
    requested by the `-B/--bind` flag, as well as via
    `SINGULARITY_BIND[PATHS]`.
  - `singularity search` now correctly searches for container images
    matching the host architecture by default. A new `--arch` flag
    allows searching for other architectures. A new results format
    gives more detail about container image results, while users and
    collections are no longer returned.
  - Bug Fixes
  - Support larger definition files, environments etc. by passing
    engine configuration in the environment vs. via socket buffer.
  - Ensure `docker-daemon:` and other source operations respect
    `SINGULARITY_TMPDIR` for all temporary files.
  - Support double quoted filenames in the `%files` section of build
    definitions.
  - Correct `cache list` sizes to show KiB with powers of 1024,
    matching `du` etc.
  - Don't fail on `enable fusemount=no` when no fuse mounts are
    needed.
  - Pull OCI images to the correct requested location when the cache
    is disabled.
  - Ensure `Singularity>` prompt is set when container has no
    environment script, or singularity is called through a wrapper
    script.
  - Avoid build failures in `yum/dnf` operations against the 'setup'
    package on `RHEL/CentOS/Fedora` by ensuring staged `/etc/` files
    do not match distro default content.
  - Failed binds to `/etc/hosts` and `/etc/localtime` in a container
    run with `--contain` are no longer fatal errors.
  - Don't initialize the cache for actions where it is not required.
  - Increase embedded shell interpreter timeout, to allow slow-running
    environment scripts to complete.
  - Correct buffer handling for key import to allow import from STDIN.
  - Reset environment to avoid `LD_LIBRARY_PATH` issues when resolving
    dependencies for the `unsquashfs` sandbox.
  - Fall back to `/sbin/ldconfig` if `ldconfig` on `PATH` fails while
    resolving GPU libraries. Fixes problems on systems using Nix /
    Guix.
  - Address issues caused by error code changes in `unsquashfs`
    version 4.4.
  - Ensure `/dev/kfd` is bound into container for ROCm when `--rocm`
    is used with `--contain`.
  - Tolerate comments on `%files` sections in build definition files.
  - Fix a loop device file descriptor leak.

- New version 3.6.4 addresses a security issue:
  - CVE-2020-15229, bsc#1177901
  Due to insecure handling of path traversal and the lack of path
  sanitization within unsquashfs, it is possible to overwrite/create
  files on the host filesystem during the extraction of a crafted
  squashfs filesystem. Affects unprivileged execution of SIF/SquashFS
  images, and image builds from SIF/SquashFS images.

- New version 3.6.3, addresses the following security issues:
  - CVE-2020-25039, bsc#1176705
  When a Singularity action command (run, shell, exec) is run with
  the fakeroot or user namespace option, Singularity will extract
  a container image to a temporary sandbox directory.
  Due to insecure permissions on the temporary directory it is possible
  for any user with access to the system to read the contents of the image.
  Additionally, if the image contains a world-writable file or directory,
  it is possible for a user to inject arbitrary content into the running
  container.
  - CVE-2020-25040, bsc#1176707
  When a Singularity command that results in a container
  build operation is executed, it is possible for a user with access
  to the system to read the contents of the image during the build.
  Additionally, if the image contains a world-writable file or directory,
  it is possible for a user to inject arbitrary content into the running
  build, which in certain circumstances may enable arbitrary code execution
  during the build and/or when the built container is run.

- New version 3.6.2, new features / functionalities:
  - Add --force option to singularity delete for non-interactive
  workflows.
  - Support compilation with FORTIFY_SOURCE=2 and build in pie mode
  with fstack-protector enabled
  - Changed defaults / behaviours
  - Default to current architecture for singularity delete.
  - Bug Fixes
  - Respect current remote for singularity delete command.
  - Allow rw as a (noop) bind option.
  - Fix capability handling regression in overlay mount.
  - Fix LD_LIBRARY_PATH environment override regression with --nv/--rocm.
  - Fix environment variable duplication within singularity engine.
  - Use -user-xattrs for unsquashfs to avoid error with rootless
    extraction using unsquashfs 3.4
  - Correct --no-home message for 3.6 CWD behavior.
  - Don't fail if parent of cache dir not accessible.
  - Fix tests for Go 1.15 Ctty handling.
  - Fix additional issues with test images on ARM64.
  - Fix FUSE e2e tests to use container ssh_config.
  - Provide advisory message r.e. need for upper and work to exist
    in overlay images.
  - Use squashfs mem and processor limits in squashfs gzip check.
  - Ensure build destination path is not an empty string - do not
    overwrite CWD.
  - Don't unset PATH when interpreting legacy /environment files.
- Remove patch, this change is now in upstream:
  * build-position-independent-binaries.patch

- New version 3.6.0. This version introduces a new signature format
  for SIF images, and changes to the signing / verification code to address
  the following security problems:
  - CVE-2020-13845, bsc#1174150
  In Singularity 3.x versions below 3.6.0, issues allow the ECL to
  be bypassed by a malicious user.
  - CVE-2020-13846, bsc#1174148
  In Singularity 3.5 the --all / -a option to singularity verify
  returns success even when some objects in a SIF container are not signed,
  or cannot be verified.
  - CVE-2020-13847, bsc#1174152
  In Singularity 3.x versions below 3.6.0, Singularity's sign and verify
  commands do not sign metadata found in the global header or data object
  descriptors of a SIF file, allowing an attacker to cause unexpected
  behavior. A signed container may verify successfully, even when it has
  been modified in ways that could be exploited to cause malicious behavior.
- New features / functionalities
  - A new '--legacy-insecure' flag to verify allows verification of SIF
  signatures in the old, insecure format.
  - A new '-l / --logs' flag for instance list that shows the paths
  to instance STDERR / STDOUT log files.
  - The --json output of instance list now include paths to
  STDERR / STDOUT log files.
- Changed defaults / behaviours
  - New signature format (see security fixes above).
  - Fixed spacing of singularity instance list to be dynamically changing
  based off of input lengths instead of fixed number of spaces to account
  for long instance names.
- Deprecate -a / --all option to sign/verify as new signature behavior
  makes this the default.
- For more information about upstream changes, please check:
  https://github.com/hpcng/singularity/blob/master/CHANGELOG.md

- New pre-version 3.6.0 rc5 with many changes:
- New features / functionalities
  - Singularity now supports the execution of minimal Docker/OCI
  containers that do not contain /bin/sh, e.g. docker://hello-world.
  - A new cache structure is used that is concurrency safe on a filesystem that
  supports atomic rename. If you downgrade to Singularity 3.5 or older after
  using 3.6 you will need to run singularity cache clean.
  - A plugin system rework adds new hook points that will allow the
  development of plugins that modify behavior of the runtime. An image driver
  concept is introduced for plugins to support new ways of handling image and
  overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.
  - The --bind flag can now bind directories from a SIF or ext3 image into a
  container.
  - The --fusemount feature to mount filesystems to a container via FUSE
  drivers is now a supported feature (previously an experimental hidden flag).
  - This permits users to mount e.g. sshfs and cvmfs filesystems to the
  container at runtime.
  - A new -c/--config flag allows an alternative singularity.conf to be
  specified by the root user, or all users in an unprivileged installation.
  - A new --env flag allows container environment variables to be set via the
  Singularity command line.
  - A new --env-file flag allows container environment variables to be set from
  a specified file.
  - A new --days flag for cache clean allows removal of items older than a
  specified number of days. Replaces the --name flag which is not generally
  useful as the cache entries are stored by hash, not a friendly name.
- Changed defaults / behaviours
  - Environment variables prefixed with SINGULARITYENV_ always take
  precedence over variables without SINGULARITYENV_ prefix.
  - The %post build section inherits environment variables from the base image.
  - %files from ... will now follow symlinks for sources that are directly
  specified, or directly resolved from a glob pattern. It will not follow
  symlinks found through directory traversal. This mirrors Docker multi-stage
  COPY behaviour.
  - Restored the CWD mount behaviour of v2, implying that CWD path is not recreated
  inside container and any symlinks in the CWD path are not resolved anymore to
  determine the destination path inside container.
  - The %test build section is executed the same manner as singularity test image.
  - -fusemount with the container: default directive will foreground the FUSE
  process. Use container-daemon: for previous behavior.
- Removed --name flag for cache clean; replaced with --days.
- And many bug fixes.
- Update URL, github repository has moved.
- Update patch:
  * build-position-independent-binaries.patch

- New version 3.5.3. Main changes:
  * Container action scripts are no longer bound in from `etc/actions.d` on the
    host. They are created dynamically and inserted at container startup.
  * `%files from ...` will no longer follow symlinks when copying between
    stages in a multi stage build, as symlinks should be copied so that they
    resolve identically in later stages. Copying `%files` from the host will
    still maintain previous behavior of following links.
  * Many bug fixes, please read CHANGELOG.md

- New version 3.5.2. Main change is a fix for a security issue related
  to incorrect file permissions (CVE-2019-19724) on user configuration
  and cache directories. (boo#1159550)
  For other minor bug fixes please read CHANGELOG.md

- Update wording in SUSE.README
- New patch, to get a more clear error message when user doesn't
  belong to the singularity group
  * useful_error_message.patch

- New version 3.5.1. Many changes since 3.4.2, for the full changelog
  please read CHANGELOG.md. Changes relevant to the package:
  * New support for AMD GPUs via --rocm, install new configuration file
    rocmliblist.conf
  * Requires Go 1.13
- Update Source to download the release tarball that includes
  the vendored modules.
- Update patch:
  * build-position-independent-binaries.patch

- New version 3.4.2, this release addresses the following issues:
  - Sets workable permissions on OCI -> sandbox rootless builds
  - Fallback correctly to user namespace for non setuid installation
  - Correctly handle the starter-suid binary for non-root installs
  - Creates CACHEDIR if it doesn't exist
  - Set apex loglevel for umoci to match singularity loglevel

- New version 3.4.1
  - This point release addresses the following issues:
  - Fixes an issue where a PID namespace was always being used
  - Fixes compilation on non 64-bit architectures
  - Allows fakeroot builds for zypper, pacstrap, and debootstrap
  - Correctly detects seccomp on OpenSUSE
  - Honors GO_MODFLAGS properly in the mconfig generated makefile
  - Passes the Mac hostname to the VM in MacOS Singularity builds
  - Handles temporary EAGAIN failures when setting up loop devices on
    recent kernels.
  * Removed obsoleted patches:
  - fix_build_in_32_bits.patch
  - fix_flags_order.patch

- Fix build failure in i586. The patch is taken from upstream and should
  be removed with the next release update.
  * fix_build_in_32_bits.patch

- New version 3.4.0. Many changes since 3.2.1, for the full changelog
  please read CHANGELOG.md
- Add new BuildRequires on cryptsetup.
- Patches refreshed:
  * build-position-independent-binaries.patch
- Patches removed, merged upstream:
  * zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch
  * Handle-zypper-error-code-correctly.patch
  * Support-multi-line-bootdef-settings.patch
  * Add-support-for-numbered-variables.patch
  * Improve-zypper-integration.patch
  * Add-unit-tests-for-zypper-installation-on-SLE.patch
  * Fix-pgp-key-version-strings-and-paths.patch
- Patches added, fix an issue with the flags order provided by the Makefile
  * fix_flags_order.patch

- Fix-pgp-key-version-strings-and-paths.patch
  Fixing pgp key, version strings and paths.

- Update to version 3.2.1:
  This point release fixes the following bugs:
  * Allows users to join instances with non-suid workflow
  * Removes false warning when seccomp is disabled on the host
  * Fixes an issue in the terminal when piping output to commands
  * Binds NVIDIA persistenced socket when `--nv` is invoked

- Improve integration with SUSE Products: add support to create
  Singularity images with SLE.
  * build-position-independent-binaries.patch:
    Make sure, the built binaries adhere to the packaging guidelines.
  * zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch:
    Newer SUSE versions use a different path for the RPM database.
  * Handle-zypper-error-code-correctly.patch:
    When the installation succeeds by an installation scriptlet fails
    zypper returns error code 107. Don't treat this as an error.
  * Support-multi-line-bootdef-settings.patch:
    In order to specify a repository GPG key, add support for
    multi line variables.
  * Add-support-for-numbered-variables.patch:
    In order to specify a list of additional repos, add support
    to 'indexed' variables.
  * Improve-zypper-integration.patch:
    Improve handling of SUSE repositires:
  - For SLE, use SUSEConnect to get all product repos.
  - Allow to specify a repository GPG key.
  - Allow to specify additional installation repositories.
  * Add-unit-tests-for-zypper-installation-on-SLE.patch
    Add unit tests.

- Add group 'singularity', fix ownerships.

- Updated to singularity v3.2.0
  * [Security related fix](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11328)
    Instance files are now stored in user's home directory for privacy and
    many checks have been added to ensure that a user can't manipulate files
    to change `starter-suid` behavior when instances are joined (many thanks
    to Matthias Gerstner from the SUSE security team for finding and securely
    reporting this vulnerability)
    (CVE-2019-11328, bsc#1128598)
  * New features / functionalities
  - Introduced a new basic framework for creating and managing plugins
  - Added the ability to create containers through multi-stage builds
  - Created the concept of a Sylabs Cloud "remote" endpoint and added the
    ability for users and admins to set them through CLI and conf files
  - Added caching for images from Singularity Hub
  - Made it possible to compile Singularity outside of `$GOPATH`
  - Added a json partition to SIF files for OCI configuration when building
    from an OCI source
  - Full integration with Singularity desktop for MacOS code base
  * New Commands
  - Introduced the `plugin` command group for creating and managing plugins.
  * Introduced the `remote` command group to support management of Singularity
    endpoints.
  * Added to the `key` command group to improve PGP key management.
  * Added the `Stage: <name>` keyword to the definition file header and the
    `from <stage name>` option/argument pair to the `%files` section to
    support multistage builds
  * Deprecated / removed commands
  - The `--token/-t` option has been deprecated in favor of the `singularity
    remote` command group
  * Changed defaults / behaviors
  - Ask to confirm password on a newly generated PGP key
  - Prompt to push a key to the KeyStore when generated
  - Refuse to push an unsigned container unless overridden with
    `--allow-unauthenticated/-U` option
  - Warn and prompt when pulling an unsigned container without the
    `--allow-unauthenticated/-U` option
  For more information check:
    https://github.com/sylabs/singularity/blob/release-3.2/CHANGELOG.md
- Updated build-position-independent-binaries.patch

- building now non stripped version

- updated to singularity v3.1.1
  * New Commands
  - New hidden `buildcfg` command to display compile-time parameters
  - Added support for `LDFLAGS`, `CFLAGS`, `CGO_` variables in build system
  - Added `--nocolor` flag to Singularity client to disable color in logging
  * Removed Commands
    `singularity capability <add/drop> --desc` has been removed
    `singularity capability list <--all/--group/--user>` flags have all
    been removed
  * New features / functionalities
  - The `--builder` flag to the `build` command implicitly sets `--remote`
  - Repeated binds no longer cause Singularity to exit and fail, just warn
    instead
  - Corrected typos and improved docstrings throughout
  - Removed warning when CWD does not exist on the host system
  - Added support to spec file for RPM building on SLES 11

- update to singularity 3.1.0 what is reimplementaion in go
  so this is a complete new build and just reusing the changelog
  entries, following build differences were made to the upstream
  spec file
  * build position independent executable
  * build stripped executable
  * added following files:
  * build_flags.patch what adds the right build flags
  * singularity-rpmlintrc which supresses warning of file duplicate
    badness dues to different setuid bit

- On Leap 42 or SLE 12 / PackageHub12 do not check the
  permissions version: unfortunately the version number
  has no relation to the patch set applied (bsc#1125369).

- On Leap 42 or SLE 12 / PackageHub12 do not check the
  permissions version: unfortunately the version number
  has no relation to the patch set applied (bsc#1125369).

- Change from /var/singularity to /var/lib/singularity
- zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch:
  Fix the RPM db path for later versions of SUSE.
- Fix warning on bash-completion file about non-executible script.

- Updated to 2.6.1 to fix CVE-2018-19295 (bsc#1111411).
  * mount points are not mounted with shared mount propagation by
    default anymore, as this may result in privilege escalation.

- Also package the directory tree rooted at /var/singularity/.
  Otherwise running a container fails with:
  'Failed to resolve path to /var/singularity/mnt/container: No such file or directory'

- Add bash completions directory to file list for suse_version < 1500
  to keep the build checker happy.

- Update to version 2.6.0
  * Allow admin to specify a non-standard location for mksquashfs binary at
    build time with '--with-mksquashfs' option #1662
  * '--nv' option will use
    [nvidia-container-cli](https://github.com/NVIDIA/libnvidia-container) if
    installed #1681
  * [nvliblist.conf]
    (https://github.com/singularityware/singularity/blob/master/etc/nvliblist.conf)
    now has a section for binaries #1681
  * '--nv' can be made default with all action commands in singularity.conf
    [#1681]
  * '--nv' can be controlled by env vars '$SINGULARITY_NV' and
    '$SINGULARITY_NV_OFF' #1681
  * Refactored travis build and packaging tests #1601
  * Added build and packaging tests for Debian 8/9 and openSUSE 42.3/15.0 #1713
  * Restore shim init process for proper signal handling and child reaping when
    container is initiated in its own PID namespace #1221
  * Add '-i' option to image.create to specify the inode ratio. #1759
  * Bind '/dev/nvidia*' into the container when the '--nv' flag is used in
    conjuction with the '--contain' flag #1358
  * Add '--no-home' option to not mount user $HOME if it is not the $CWD and
    'mount home = yes' is set. #1761
  * Added support for OAUTH2 Docker registries like Azure Container Registry
    [#1622]
  [#]## Bug fixes
  * Fix 404 when using Arch Linux bootstrap #1731
  * Fix environment variables clearing while starting instances #1766

- Use %license instead of %doc for license files on newer products.
- Fix bash completion path.

- Updated from 2.3.2 to 2.5.2
- Fix security issues for incorrect access control on systems
  supporting overlay file system descirbed in CVE-2018-12021 and
  bsc#1100333
  Highlights of 2.5.2
  * a new `build` command was added to replace `create` +
    `bootstrap`
  * default image format is squashfs, eliminating the need to
    specify a size
  * a `localimage` can be used as a build base, including ext3,
    sandbox, and other squashfs images
  * singularity hub can now be used as a base with the uri
  * Restore docker-extract aufs whiteout handling that implements
    correct extraction of docker container layers.
  * several bug fixes, see CHANGELOG.md for details
- Removed: singularity-2.3.2.tar.gz
- Added: singularity-2.5.2.tar.gz
- Removed 'notyet' if conditions in specfile to allow files
  introduced in v2.5.2
- Fixed access control on systems supporting overlay file system
  (CVE-2018-12021, boo#1100333).

- Restrict permissions file version to a version which has
  the required singularity entries.

- Update to 2.3.2:
  * Fix for a change that Docker implemented to their registry
    RESTful API which broke compatibility with Singularity.
  * Several other low minor fixes.

- Fix a race condition that might allow a malicious user to
  bypass directory image restrictions, like mounting the host
  root filesystem as a container image.
  This is a backport of the upstream commit 6641c446105
  (bsc#1100333, CVE-2018-12021).

- Removed:
  Do-chdir-before-duing-chroot.patch:
  After checking with the security team that there are no concerns
  about doing the chdir() after the chroot(), remove this patch and
  add a filter to keep rpmlint from complaining (bsc#1028304).

- set permissions for SUID binaries to 4750.
- fix library packaging for i586.
- add a README.SUSE
- temporarily filter filter for non-standard-gid from rpmlint
  until group 'singularity' is available as known group.

- Update to version 2.3.1:
  This release includes a fix for a High Severity security issue on older
  hosts, and other improvements and fixes to previous versions of Singularity.
  Version 2.3:
  There are a massive number of fixes, updates, optimizations and awesomeness
  contained within this release, but here is a brief overview of the major
  changes you can expect to find in this release:
    Lots of backend library changes to accommodate a more flexible API
    Restructured Python backend
    Updated bootstrap backend to make it much more reliable
    Direct support for the awesome, the fantastic, Singularity-Hub!
    Ability to run additional commands without root privileges (e.g. create,
    import, copy, export, etc..).
    Added ability to pull images from Singularity Hub and Docker
    Containers now have labels, and are inspect'able
- Do-chdir-before-duing-chroot.patch:
  Add a chdir() before chroot() just to keep rpmlint from complaining
  even more. There is a chdir("/") right after the chroot() call.
- Created group 'singularity' and make suid-root binaries only executable
  by this group.

- Initial import of singuarity 2.2.1.