- Added support for AD site links replication scheduling (thx Vladimir Rubanov):
  + implemented site-link and connection management commands
  + added schedule control with nTDSConnection creation per [MS-ADTS] 6.2.2.3.4.5
  + added schedule presets and fixed offset handling
  + updated documentation for site-link and connection commands
  + added schedule interval tests

- Initial build for Sisyphus

- Update editions:
  + add ldap-auth-client-sssd to the main section of the server edition
  + add components to the base section of the server and domain editions:
    nfs-utils, cifs-utils, screen, arj, network-configuration, network-utils,
    ntfs-3g, btrfs-progs, jfsutils
  + move documentation components from the base to the main section in server
    and domain editions
  + add a features section to server and domain editions
  + update Kubernetes to 1.35 in the server edition
- Update components:
  + add new components: ldap-auth-client-sssd, alt-domain-ad-client-support,
    alt-server-gnome-environment, alt-server-temporary-for-installer (hidden),
    alt-server-virt-env, kubernetes1_34, kubernetes1_35, network-configuration,
    network-utils, f2fs-tools, ntfs-3g, cifs-utils and nfs-utils.
  + add iputils, traceroute, bind-utils and netlist packages to
    network-diag-tools component
  + add lftp package to network-utils component
  + add pam-limits-desktop package to alt-server-defaults component
  + add color-prompt-and-man package to base-special component
  + add gpart, ncdu and parted, hdparm, sdparm and nvme packages to storage-base
    component
  + add hwclock and eject packages to hardware-tools component
  + add su package to base-utils component
  + add os-prober package to boot-utils component
  + add dhcpcd package to etcnet component
  + add ntpdate package to ntp-utils component
  + add alterator-gpupdate legacy package to samba-ad-client-support component
  + add product-features and alt-server-features categories
  + update descriptions for etcnet, qemu-guest-agent, jfsutils and btrfs-progs
    components

- Add a validation hint in components (thx Andrey Alekseev).
- Add internal lists of components or packages for editions.
- Introduce hidden flag in editions.
- Rename metadata section to features in metadata2directory.
- Add internal components support in base2list.
- Add explicitly mark available actions in services (thx Andrey Alekseev).

- Fix typo in system-auth-use_first_pass-sss PAM stack rules.

- Update to latest 2.9 LTM release.
- Enable build with subid ranges support.
- Major fixes from upstream (GitHub#8209, GitHub#8184, GitHub#8253, GitHub#8257,
                             GitHub#8260, GitHub#8273, GitHub#8311, GitHub#8302,
                             GitHub#8327, GitHub#8347, GitHub#8380, GitHub#8249,
                             GitHub#8229, GitHub#8317, GitHub#8274, GitHub#8276)
  + Improved DN filtering in IPA during ipa_add_trusted_memberships_send().
  + Fixed non-posix groups incorrectly storing gid=0 in cache.
  + Added SUBID support to the LDAP provider.
  + Fixed handling of empty trusts in ipa_get_trust_type().
  + Disabled 'session_provider' by default in configuration.
  + Removed deprecated 'ipa_enable_dns_sites' option (IPA).
  + Restricted root from accessing arbitrary KCM caches (security fix).
  + Fixed SSSD on IPA when using short user names.
  + Fixed pac_check=no_check behavior in PAC module.
  + IPA S2N no longer updates user-private-groups.
  + Increased SBUS_MESSAGE_TIMEOUT to 5 minutes for better robustness.
  + Filtered invalid IPv6 addresses for DNS updates.
  + krb5_child now uses ERR_CHECK_NEXT_AUTH_TYPE instead of EAGAIN.
  + Clarified sssd-idp package description.
  + Fixed IPA trust handling with unknown trust type errors.
  + Included local fixes and improvements for Passkey authentication.

- build compatibility library libfuse3_3 with libfuse3.so.3 and
  libfuse3.so.3.16.2 files only according to Shared Libs Policy

- update to latest release 3.18.1
- build with libuirng (fuse-over-io-uring communication)
- rename libfuse3 to libfuse3_4 according to Shared Libs Policy
- add libfuse3 provide to fuse3 to preserve compatibility with legacy
  circular dependency

- Replaced key: sin@ (A921DACA -> 430ED6B0).

- new version (4.7.1) with rpmgs script
- rebuild with libmariadb instead of libmysqlclient

- new version 0.9.11

- system-check-localuser.control: local user detection method.
- system-auth-chooser (closes: #53858):
  + update system UID validation range (from UID < 500 to UID < 1000)
  + extract local user check into separate module system-check-localuser
  + add systemd dynamic user support
  + add detailed in-file documentation

- Move system-auth-sss local user check to system-check-localuser (hybrid
  authentication with conditional branching of determines the authentication
  path for local or non-local users with UID meeting a specific threshold).

- Update UID check for systemd dynamic users in system-auth-sss.
  Users with UID < 65536 are now treated as local.

- Disable Kerberos localauth an2ln plugin for AD/IPA (fixes: CVE-2025-11561).

- Add initial Markdown files for component descriptions.
- Fix editions:
  + update release notes for ALT Server 11.1 and ALT Domain 11.1
  + remove and replace base-browser to chromium at server and domain editions
  + add bind component to server editions
  + remove other network components in domain edition
  + remove domain network components in server edition
  + update kubernetes to 1.33 in server and domain editions
  + update final-notes for domain add caption Documentation
    to QR codes add variable to indicate the current year in the
    copyright for the Russian-language installation fix the location
    of the elements in the final-notes file (thx Maria Fokanova)
- Fix components:
  + add kubernetes1_32 and kubernetes1_33
  + add samba-extension-laps-v2-schema package to samba-dc component
  + add bind component

- Add support of intersite scheduled replication (thx Vladimir Rubanov):
  + python.netcmd: implement commands to list connections and control schedule
  + s4,dsdb: cancel current pending operation if running it ahead of schedule
  + s4,kcc: fix replication schedule unpacking for site-links
  + s4,dsdb: add function drepl_is_time_scheduled
  + s4,dsdb: remove element from repsTo list if it has
    WERR_DS_DRA_NO_REPLICA status
  + s4,dsdb: return WERR_DS_DRA_NO_REPLICA when
    DRSUAPI_DRS_NEVER_NOTIFY flag present

- components: change zabbix-server (thx Elena Mishina and Dmitriy Terekhin)
- editions: fix the location of the elements in the final-notes
  file closes #19 (thx Maria Fokanova)
- editions: update final-notes for server add caption 'Documentation'
  to QR codes add variable to indicate the current year in the
  copyright for the Russian-language installation (thx Maria Fokanova)

- Fix required backend versions compatible with 'exit_status' feature.

- editions: replace freeipa-server to main section from base (conflicts with
  samba-dc) in edition_domain.
- components: add dialog to base-utils component.
- fix(check): verify category names are unique (thx Maria Alexeeva)

- Fix apt-gpgkeys utility (closes: 57005).
- Fix filetrigger execution access (closes: 57006).

- Update to security release of Samba 4.21
- Security fixes (Fixes: CVE-2025-9640, CVE-2025-10230):
  + CVE-2025-9640:  Uninitialized memory disclosure via vfs_streams_xattr.
                    https://www.samba.org/samba/security/CVE-2025-9640.html
  + CVE-2025-10230: Command injection via WINS server hook script.
                    https://www.samba.org/samba/security/CVE-2025-10230.html

Fix edition_domain: add alterator-service-samba-ad component
Fix components (thx Maria Alexeeva):
  + new alterator-service-samba-ad component
  + add the alt-services package to the alterator-explorer component
  + update packages names in alterator-explorer component
Fix docs: change .section to .edition (thx Maria Alexeeva)

- Prepare licenses for new product releases.
- Fix typos in licenses (thx Alexey Ossotoff):
  + ALT_Domain_License
  + ALT_Product_License
  + ALT_Regular_License
  + ALT_Container_OS_License
  + ALT_Orchestra_License english
  + ALT_SP_License
  + ALT_Server_License
  + ALT_Product_License english
  + ALT_SP_Container_License
  + ALT_Container_License
- Add open license (thx Alexey Ossotoff):
  + ALT_Community_License
  + ALT_Orchestra_License
  + ALT_Simply_License
  + ALT_Product_License

- smbclient, dns: fix new options default values.

- Initial APT PKI for external GnuPG keys.

- editions: add edition_education for ALT Education product

- Add common and static licenses for ALT Education 11.0 and 11.1.

- Added new features:
  + smbclient: support domain-based dfs (thx Petr Usoltsev)
  + dns: resolve srv records as in windows (thx Petr Usoltsev)
- New options:
  + 'client resolve dfs names' - If yes (by default) client library tries to
                                 resolve dfs name to hostname.
  + 'dns resolve srv records' -  If yes (by default) internal dns server fill
                                 in the srv entries with ip addresses in the
                                 additional section.

- spec: exclude warnings SC2329 as error

- Added support for the Group Key Distribution Protocol (GKDI) to enable
  Group-Based Resource Encryption as part of LAPSv2 (Local Administrator
  Password Solution) (thx Vladimir Rubanov):
  + Implemented a new DCE/RPC endpoint server (s4:rpc_server/gkdi) for
    processing GetKey requests.
  + Introduced time-based group key computation and root key selection logic,
    with full support for both writable DCs and RODCs.
  + Key derivation adheres to [MS-GKDI], including Diffie-Hellman (DH) and
    elliptic-curve (ECDH) algorithms.

- Update to maintenance release of Samba 4.21
- Major fixes from upstream (Samba#14981, Samba#15844, Samba#15876, Samba#15891,
                             Samba#15900, Samba#15663, Samba#15877, Samba#15880):
  + netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
  + getpwuid does not shift to new DC when current DC is down.
  + Windows security hardening locks out schannel'ed netlogon dc calls like
    netr_DsRGetDCName (complete backport).
  + Figuring out the DC name from IP address fails and breaks fork_domain_child().
  + 'net ads group' failed to list domain groups.
  + Apparently there is a conflict between shadow_copy2 module and
    virusfilter (action quarantine).
  + Fix handling of empty GPO link.
  + SMB ACL inheritance doesn't work for files created.

- Updated to new version 1.3.2 (released 2025-07-24)
- Fixes from upstream:
  + Fixed binding the getresgid glibc symbol

- Updates to new version 1.5.0 (released 2025-05-06)
- Fixes from upstream:
  + Added support for quic_ko_wrapper
  + Fixed pcap frames generation for recv(m)msg and recvfrom
  + Fixed setsockopt(SO_REUSEPORT) with glibc 2.40 (from version 1.4.4)

- Fixed dependency on supported version of alt-components-base.

- feat: update editions validation with vendors components not included
- components: replace vendors to separate packages
- components: add pptpd component (thx Andrey Limachko)
- editions: remove alterator-legacy-kiosk from server
- editions: add pptpd to main section (thx Andrey Limachko)

- Convert HOST SPN prefix during syncing of machine password to keytab to
  lowercase for client compatibility.
- Major backport fixes from upstream (Samba#15891):
 + Resolve dc name using CLDAP also for ROLE_IPA_DC.

- feat: add support editions to validation script
- add conntrack-tools, haproxy and keepalived to main section in
  edition_server (closes: 55510)
- Fix components:
  + add x2goserver component
  + add conntrack-tools component
  + add keepalived component
  + add haproxy component
  + revert glibc meta package in glibc component (closes: 55498)

- Fix keytab sync regression for domain controllers (closes: 55111)
- Backport fixes from upstream (Samba#15863, Samba#15840):
 + rpc registry: add ProductType for AD DC
 + s3-net: fix "net ads kerberos" krb5ccname handling

- Fixed machine account credentials initialization (closes: 55324)

- Add short_display_name for components and categories (thx Michael Chernigin)

- Add support for reading key names for tables in get_field()

- Fix broken option "use-kerberos=desired" (Samba#15789) (closes: 55238).

- Add dependency to libldb-modules-dc for sssd-ad (closes: 54957).

- Update to maintenance release of Samba 4.21
- Major fixes from upstream (Samba#15876, Samba#15680):
   + Windows security hardening locks out schannel'ed netlogon dc
     calls like netr_DsRGetDCName.
   + Trust domains are not created.
- winbind: Fix running in interactive mode (thx Samuel Cabrero)

- Fix target directory of module /usr/lib64/samba/ldb/memberof.so installed into
  symlinked alternative directory /usr/lib64/samba/ldb.mit from
  libldb-modules-ldap (closes: 54914).

- Add static license of 11.1 products (thx trefas@yandex.ru):
  + ALT_Server_License
  + ALT_Domain_License
- Update product licenses templates for 11.1 releases (thx trefas@yandex.ru):
  + ALT_Simply_License
  + ALT_Regular_License
  + ALT_Product_License
  + ALT_Container_OS_License
- Add loongarch64 to list of target architectures
- Remove templates of ALT_Server_License

- Update to latest stable bugfix and security release
  (upstream fix of CVE-2025-32462, CVE-2025-32463 applied in 1.9.16p2-alt3):
 + Fixed a crash in sudo which could occur if there was a fatal error after the
   user was validated but before the command was actually run.
 + Fixed a problem with the pwfeedback option where an initial backspace would
   reduce the maximum length allowed for the password (GitHub#439).
 + Fixed a bug where a user could avoid entering a password for sudo -l command
   if they specified their own user or group name via the -u or -g options.
 + Avoid potential password guessing based on timing attacks on the strcmp()
   function on systems without PAM or a crypt() function where plaintext
   passwords are stored in the shadow password file.
 + Fixed a potential information leak where sudo -l command could be used to
   determine whether an executable exists in a directory that they do not have
   search access to.
 + Fixed a problem running sudo from a serial console on Linux when the command
   is run in a pseudo-terminal (the default).
 + Fixed a bug where the ALL command in a sudoers rule would override a previous
   NOSETENV tag. Command tags are inherited from previous Cmnds in a
   Cmnd_Spec_List. There is a special case for the SETENV tag with the ALL
   command, where SETENV is implied if no explicit SETENV or NOSETENV tag is
   specified. This special case did not take into account that a NOSETENV tag
   that was inherited should override this behavior.
- Fixes in behavior:
 + The ignore_dot sudoers setting is now on by default.
 + If sudo is run via ssh without a terminal and a password is required, it now
   suggest using ssh's -t option.
 + Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. A long
   time ago sudo changed from using TCSAFLUSH to TCSADRAIN due to some systems
   having bugs related to TCSAFLUSH. That should no longer be a concern. Using
   TCSAFLUSH ensures that password input that has been received by the kernel,
   but not yet read by sudo, will be discarded and not echoed.
 + Added the SUDO_TTY environment variable if the user has a terminal. This can
   be used to find the user's original tty device when sudo runs the command in
   its own pseudo-terminal (GitHub#447).

- Security release (fixes: CVE-2025-32462, CVE-2025-32463) (closes: 55007):
 + Sudo's -h (--host) option could be specified when running a command or
   editing a file. This could enable a local privilege escalation attack if the
   sudoers file allows the user to run commands on a different host.
   For more information, see Local Privilege Escalation via host option:
   https://www.sudo.ws/security/advisories/host_any/
 + An attacker can leverage sudo's -R (--chroot) option to run arbitrary
   commands as root, even if they are not listed in the sudoers file. The chroot
   support has been deprecated an will be removed entirely in a future release.
   For more information, see Local Privilege Escalation via chroot option:
   https://www.sudo.ws/security/advisories/chroot_bug/

- Add libldb-abi provide with version for newest samba 4.21 releases

- Compatibility prepare for libldb-abi provide from newest samba 4.21 releases.
- Update to latest 2.9 LTM release:
  + smartcard login fails when network disconnected (GitHub#6601)
  + LDAP auth happens after search failure (GitHub#6665): 'ldap_read_rootdse'
    option allows to specify how SSSD will read RootDSE from the LDAP server.
    Allowed values are "anonymous", "authenticated" and "never".
  + SSSD dyndns_ifname with wildcard (GitHub#6910)
  + krb5_child: ignore Smartcard identifiers with a ':' - fix it couldn't
    parse pkcs11 objects if token label contains semicolon (GitHub#7746)
  + Disk cache failure with large db sizes (GitHub#7793)
  + Group enumeration does not work if group name contains '#' (GitHub#7876)
  + LDAPU1 Local auth mapping rule error (GitHub#7931)

- Add license ALT_Orchestra_License