sys-libs/pam: add 1.7.0_p20241230

* Switch to Meson
* Wire up elogind+logind support (bug #931115) as it's now available
  upstream
* Docs are hard-disabled for now, but that's sort of fine (enough) for now
  given that we had bug #913087 for the previous ebuild
* Using a snapshot as there's a few build system patches post-tag and
  some other generally noteworthy patches we'd have to pull in manually
  otherwise
* Wire up verify-sig for the next release (but not used for this ebuild
  as took a snapshot)

Bug: https://bugs.gentoo.org/913087
Bug: https://bugs.gentoo.org/942075
Closes: https://bugs.gentoo.org/929970
Closes: https://bugs.gentoo.org/925334
Closes: https://bugs.gentoo.org/931115
Signed-off-by: Sam James <sam@gentoo.org>

2 files changed, 166 insertions, 0 deletions

diff --git a/sys-libs/pam/Manifest b/sys-libs/pam/Manifest
index 626b3811412f..8cf339814c65 100644
--- a/sys-libs/pam/Manifest
+++ b/sys-libs/pam/Manifest
@@ -2,3 +2,4 @@ DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb8
 DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
 DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855
 DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea
+DIST pam-1.7.0_p20241230.gh.tar.gz 719108 BLAKE2B c37daabae380ce75c630a0af1b9960676bc973c773025bc7f65ae87aebff4ca3b667e16ec9635c7677e8a00e6b26eb590f84b798529c3340cdc2c262e7e5649e SHA512 d9d53ddd420fe754c76303b99c37e5cc2eca3d4af9f64043f3f9e69c3abfc3c05d5a1efdbbdfb39ad46a301a0df7a18425d0e8c110c1d76bad3e62dfa97b61ef
diff --git a/sys-libs/pam/pam-1.7.0_p20241230.ebuild b/sys-libs/pam/pam-1.7.0_p20241230.ebuild
new file mode 100644
index 000000000000..8d572ed2af7f
--- /dev/null
+++ b/sys-libs/pam/pam-1.7.0_p20241230.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="Linux-${PN^^}-${PV}"
+
+# Avoid QA warnings
+# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
+TMPFILES_OPTIONAL=1
+
+inherit db-use fcaps flag-o-matic meson-multilib
+
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+HOMEPAGE="https://github.com/linux-pam/linux-pam"
+
+if [[ ${PV} == *_p* ]] ; then
+	PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
+	"
+	S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
+	inherit verify-sig
+
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
+		verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
+	"
+	S="${WORKDIR}/${MY_P}"
+
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
+fi
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
+REQUIRED_USE="?? ( elogind systemd )"
+
+# meson.build specifically checks for bison and then byacc
+BDEPEND+="
+	|| ( sys-devel/bison dev-util/byacc )
+	sys-devel/flex
+	virtual/pkgconfig
+	nls? ( sys-devel/gettext )
+"
+DEPEND="
+	virtual/libcrypt:=[${MULTILIB_USEDEP}]
+	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
+	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
+	!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
+	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd:=[${MULTILIB_USEDEP}] )
+	nis? (
+		net-libs/libnsl:=[${MULTILIB_USEDEP}]
+		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
+	)
+"
+RDEPEND="${DEPEND}"
+PDEPEND=">=sys-auth/pambase-20200616"
+
+src_configure() {
+	# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
+	#  cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+	# Do not let user's BROWSER setting mess us up, bug #549684
+	unset BROWSER
+
+	meson-multilib_src_configure
+}
+
+multilib_src_configure() {
+	local emesonargs=(
+		$(meson_feature audit)
+		$(meson_native_use_bool examples)
+		$(meson_use debug pam-debug)
+		$(meson_feature nis)
+		$(meson_feature nls i18n)
+		$(meson_feature selinux)
+
+		-Disadir='.'
+		-Dxml-catalog="${BROOT}"/etc/xml/catalog
+		-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
+
+		-Ddb=$(usex berkdb 'db' 'gdbm')
+		-Ddb-uniquename=$(db_findver sys-libs/db)
+
+		# TODO: Docs are currently disabled as would need to either
+		# add the deps (some appear unpackaged too?) and possibly
+		# generate a tarball for them, but not so critical of an issue
+		# to handle with the Meson migration given this was disabled
+		# before too (see bug #913087).
+		#$(meson_native_enabled docs)
+		-Ddocs=disabled
+
+		-Dpam_unix=enabled
+
+		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
+		-Deconf=disabled
+
+		# TODO: lastlog is enabled again for now by us as elogind support
+		# wasn't available at first. Even then, disabling lastlog will
+		# probably need a news item.
+		$(meson_feature systemd logind)
+		$(meson_feature elogind)
+		-Dpam_lastlog=enabled
+	)
+
+	# This whole weird has_version libxcrypt block can go once
+	# musl systems have libxcrypt[system] if we ever make
+	# that mandatory. See bug #867991.
+	#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
+	#	# Avoid picking up symbol-versioned compat symbol on musl systems
+	#	export ac_cv_search_crypt_gensalt_rn=no
+	#
+	#	# Need to avoid picking up the libxcrypt headers which define
+	#	# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
+	#	cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
+	#	append-cppflags -I"${T}"
+	#fi
+
+	meson_src_configure
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# tmpfiles.eclass is impossible to use because
+	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
+	dodir /usr/lib/tmpfiles.d
+
+	cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
+		d /run/faillock 0755 root root
+	_EOF_
+	use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
+		d /run/sepermit 0755 root root
+	_EOF_
+
+	# TODO: See bug #913087
+	#local page
+	#for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
+	#	doman ${page}
+	#done
+}
+
+pkg_postinst() {
+	ewarn "Some software with pre-loaded PAM libraries might experience"
+	ewarn "warnings or failures related to missing symbols and/or versions"
+	ewarn "after any update. While unfortunate this is a limit of the"
+	ewarn "implementation of PAM and the software, and it requires you to"
+	ewarn "restart the software manually after the update."
+	ewarn ""
+	ewarn "You can get a list of such software running a command like"
+	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
+	ewarn ""
+	ewarn "Alternatively, simply reboot your system."
+
+	# The pam_unix module needs to check the password of the user which requires
+	# read access to /etc/shadow only.
+	fcaps cap_dac_override sbin/unix_chkpwd
+}