Daan De Meyer [Fri, 6 Mar 2026 14:58:06 +0000 (15:58 +0100)]
ci: privilege-separate Claude review workflow
The workflow is split into two jobs for least-privilege:
1. 'review' job — runs Claude with read-only permissions (contents: read,
id-token: write for AWS OIDC, actions: read). Claude produces a structured
JSON review via --json-schema with a 'comments' array and a 'summary'
string. Its tools are restricted to read-only operations (Read, LS, Grep,
Glob, Task, and various Bash prefixes for common read-only commands).
Claude also has access to CI MCP tools to analyze failed workflow runs.
2. 'post' job — only has pull-requests: write. Reads the structured JSON
output from the review job and posts inline comments individually (so
re-runs only add new comments). Maintains a tracking comment with a
<!-- claude-pr-review --> marker that is created on first run and updated
in-place on subsequent runs, preserving existing item order, wording,
and checkbox state. Posts a notification comment when the tracking
comment is updated or left unchanged.
Comment deduplication is handled by Claude in the prompt rather than in
the posting script, allowing for better semantic understanding of whether
two comments address the same issue.
The PR number is resolved via github.event.pull_request.number with a
fallback to github.event.issue.number for issue_comment events where
github.event.pull_request is not populated. The concurrency group uses
the same fallback.
Luca Boccassi [Sat, 7 Mar 2026 10:55:42 +0000 (10:55 +0000)]
Translations update from Fedora Weblate (#40984)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
A S Alam [Sat, 7 Mar 2026 01:58:35 +0000 (01:58 +0000)]
po: Translated using Weblate (Punjabi)
Currently translated at 34.5% (92 of 266 strings)
Co-authored-by: A S Alam <aalam@users.noreply.translate.fedoraproject.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pa/
Translation: systemd/main
Add a simple fuzzer that verifies our machinery for parsing user records
from JSON works as intended.
The initial corpus was created with the help of Claude, so we have a
bunch of valid user records with as much fields as possible for the
initial corpus.
The fido2_hmac_salt/fido2_hmac_credential/recovery_key fields kept
leaking memory as the array itself wasn't deallocated after deallocating
each of its elements data:
Direct leak of 112 byte(s) in 1 object(s) allocated from:
#0 0x7f56f00e5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 25975f766867e9e604dc5a71a8befeaed3301942)
#1 0x7f56ed869e42 in greedy_realloc ../src/basic/alloc-util.c:65
#2 0x7f56ed7ff5e9 in dispatch_fido2_hmac_salt ../src/shared/user-record.c:836
#3 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#4 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#5 0x7f56ed80100b in dispatch_privileged ../src/shared/user-record.c:998
#6 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#7 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#8 0x7f56ed80622c in user_record_load ../src/shared/user-record.c:1697
#9 0x000000408c15 in display_user ../src/userdb/userdbctl.c:447
#10 0x7f56ed83cc9a in dispatch_verb ../src/shared/verbs.c:137
#11 0x00000041df2b in run ../src/userdb/userdbctl.c:1908
#12 0x00000041dfbe in main ../src/userdb/userdbctl.c:1911
#13 0x7f56ec8105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#14 0x7f56ec810667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#15 0x000000404a44 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/userdbctl+0x404a44) (BuildId: 19e8b7e7b7038d2cea20bc18a55bea2a9e4406d5)
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f56f00e5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 25975f766867e9e604dc5a71a8befeaed3301942)
#1 0x7f56ed869e42 in greedy_realloc ../src/basic/alloc-util.c:65
#2 0x7f56ed7fe779 in dispatch_fido2_hmac_credential_array ../src/shared/user-record.c:775
#3 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#4 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#5 0x7f56ed80622c in user_record_load ../src/shared/user-record.c:1697
#6 0x000000408c15 in display_user ../src/userdb/userdbctl.c:447
#7 0x7f56ed83cc9a in dispatch_verb ../src/shared/verbs.c:137
#8 0x00000041df2b in run ../src/userdb/userdbctl.c:1908
#9 0x00000041dfbe in main ../src/userdb/userdbctl.c:1911
#10 0x7f56ec8105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#11 0x7f56ec810667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#12 0x000000404a44 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/userdbctl+0x404a44) (BuildId: 19e8b7e7b7038d2cea20bc18a55bea2a9e4406d5)
SUMMARY: AddressSanitizer: 176 byte(s) leaked in 2 allocation(s).
shared/format-table: fix potential memleaks of d->formatted
We don't always return d->formatted, even if it is available. And
depending on the cell type, we'd either overwrite it directly or free
first. Let's always free it upfront and then set unconditionally.
(In this case, we don't need to spend effort on preserving the
existing value. It's just a cache.) Setting the variable directly
allows many temporary variables to be eliminated.
Also use asprintf_safe() to simplify the allocation of the buffer.
This is probably a tiny bit slower than the direct allocation, but
table formatting shouldn't be a hot path.
asprintf is nice to use, but the _documented_ error return convention is
unclear:
> If memory allocation wasn't possible, or some other error occurs,
> these functions will return -1, and the contents of strp are undefined.
What exactly "undefined" means is up for debate: if it was really
undefined, the caller wouldn't be able to meaningfully clean up, because
they wouldn't know if strp is a valid pointer. So far we interpreted
"undefined" — in some parts of the code base — as "either NULL or a
valid pointer that needs to be freed", and — in other parts of the
codebase — as "always NULL". I checked glibc and musl, and they both
uncoditionally set the output pointer to NULL on failure.
There is also no information _why_ asprintf failed. It could be an
allocation error or format string error. But we just don't have this
information.
Let's add a wrapper that either returns a good string or a NULL pointer.
Since there's just one failure result, we don't need a separate return
value and an output argument and can simplify callers.
It's actually only used in one place in libsystemd and moving it even makes
libsystemd smaller (in a non-optimized build):
$ ls -l build/libsystemd.so.0.43.0*
-rwxr-xr-x 1 zbyszek zbyszek 5763336 Mar 3 09:54 build/libsystemd.so.0.43.0-old
-rwxr-xr-x 1 zbyszek zbyszek 5763216 Mar 3 09:54 build/libsystemd.so.0.43.0
Also, move the definitions in the .h file so that similar functions are
grouped together and then move the definitions around in the .c file so
that they are in the same order as in the header.
Daan De Meyer [Fri, 6 Mar 2026 14:06:36 +0000 (15:06 +0100)]
ci: Make claude action review PRs only and fix the instructions
Turns out the claude code action has issues reviewing PRs from forks
(https://github.com/anthropics/claude-code-action/issues/939). Let's
reuse the approach from https://github.com/pzmarzly/demo--claude-bot-reviews
instead (which I've explicitly asked permission for to reuse).
Unlike the linked demo, we still insist on a comment by a maintainer
before claude reviews the PR.
sd-varlink: pin error message while we invoke a reply callback
Let's make sure the parameters/error pointers into the message remain
valid as long as the reply callback is running, even if the reply
otherwise resets the pending message.
Daan De Meyer [Fri, 6 Mar 2026 09:17:01 +0000 (10:17 +0100)]
agent: Minimize the amount of instructions in AGENTS.md
Let's only keep instructions for stuff that we've seen the AI
mess up in practice rather than having a bunch of AI generated
text that it can figure out for itself these days (given it was
trained on systemd's source code in the first place).
Also add a rule to use git worktrees and check out PRs locally when
reviewing them, since I've seen it mess that up in practice.
This will allow maintainers to mention claude in comments on issues and
prs to do stuff like review something or try to reproduce a bug or other
stuff. Let's give it a try and see whether we like it or not.
Daan De Meyer [Fri, 6 Mar 2026 07:54:33 +0000 (08:54 +0100)]
Move AI instructions to AGENTS.md
This seems to be what all the tools are standardizing on, except
claude (https://github.com/anthropics/claude-code/issues/6235) so
add a symlink from CLAUDE.md to AGENTS.md for now until they support
it as well.
Luca Boccassi [Fri, 6 Mar 2026 00:29:03 +0000 (00:29 +0000)]
Translations update from Fedora Weblate (#40968)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Ronan Pigott [Thu, 5 Mar 2026 22:42:30 +0000 (15:42 -0700)]
zsh: fixup some recent zsh completers
These two completers are written in a stacked _arguments style, and some
generic options are valid before or after the verb. If the toplevel
_arguments is permitted to match options after the verb, it will halt
completion prematurely, so stop toplevel matching after the verb.
This corrects the following error:
$ userdbctl --output=class user <TAB> # completes users
$ userdbctl user --output=class <TAB> # completes nothing
Daan De Meyer [Thu, 5 Mar 2026 20:39:14 +0000 (21:39 +0100)]
ci: Add claude code github action
This will allow maintainers to mention claude in comments on issues
and prs to do stuff like review something or try to reproduce a bug
or other stuff. Let's give it a try and see whether we like it or
not.
Suppress warnings like the following from clang tidy:
```
../src/boot/addon.c:11:19: error: function 'efi_main' can be made static to enforce internal linkage [misc-use-internal-linkage,-warnings-as-errors]
11 | EFIAPI EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *system_table);
| ^
```
Some warnings are suppressed simply by setting comments to ignore the warning,
some are by making global variables static, or include a suitable header.
Luca Boccassi [Thu, 5 Mar 2026 17:19:19 +0000 (17:19 +0000)]
libcrypt: also try to dlopen libcrypt.so.1.1
On top of libcrypt.so.2 and libcrypt.so.1, also try libcrypt.so.1.1
as a third fallback. This is used on debian alpha, and it was
reported that it is intended to ship like that, with a different
SONAME than other architectures:
Fergus Dall [Sun, 30 Nov 2025 05:38:49 +0000 (16:08 +1030)]
pcrlock: Record predictions at start of component range
Currently pcrlock won't predict PCR values that would be present at the start
of the requested location range (unless there are no events for that PCR in the
location range). This means predictions for the default range 760:940, which is
intended to start just after entering the initrd, are not actually possible to
fulfill until after the initrd is exited (or possibly even later, depending on
what other events are recorded).
Fix this by recording predictions immediately prior to processing components
after the start point.
Hans de Goede [Thu, 5 Mar 2026 13:20:06 +0000 (14:20 +0100)]
boot: Make missing CHID DTB match a debug message instead of an error
With distributions like Ubuntu and Fedora using systemd-stub to auto load
DTB's on Windows on ARM laptops, the CHID DTB match failing is expected
when that same UKI is instead booted on an ARM SystemReady system where
no DTB is necessary.
In the ARM SystemReady case showing a big red error message is undesirable
and leads to confused users and bug-reports. Lower the message to debug
level when the status is EFI_NOT_FOUND to avoid these false positive error
messages.
Michal Sekletar [Wed, 25 Feb 2026 18:45:55 +0000 (19:45 +0100)]
core: cleanup unit's dropin directories from global cache
When user creates dropin files via API (e.g. systemctl set-property ...)
we put the dropin directory path into unit_path_cache. Drop those
directories from the cache in unit_free() and prevent memory leak.
Currently, parsing zlib.h on Fedora (and possibly others) causes spatch
to fail with an assertion. Let's work around that by defining two extra
macros in our Coccinelle parsing hacks.
Luca Boccassi [Wed, 4 Mar 2026 20:11:59 +0000 (20:11 +0000)]
Translations update from Fedora Weblate (#40952)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
test: don't register short-living containers with machined, again
Otherwise we might try to register the same scope again before the
previous instance gets a chance to be cleaned up:
[ 54.378392] systemd-nspawn[2554]: ░ Spawning container TEST-13-NSPAWN.defaultinaccessiblepaths.nxs on /var/lib/machines/TEST-13-NSPAWN.default_inaccessible_paths.nxs.
[ 54.382202] systemd-nspawn[2554]: Failed to allocate scope: Unit TEST-13-NSPAWN.defaultinaccessiblepaths.nxs.scope was already loaded or has a fragment file.
[ 54.411211] systemd[1]: TEST-13-NSPAWN.service: Main process exited, code=exited, status=1/FAILURE
[ 54.411413] systemd[1]: TEST-13-NSPAWN.service: Failed with result 'exit-code'.
[ 54.411885] systemd[1]: Failed to start TEST-13-NSPAWN.service - TEST-13-NSPAWN.
projects / thirdparty / systemd.git / log
