Packages changed:
  installation-images-MicroOS (16.27 -> 16.28)
  krb5 (1.18.2 -> 1.18.3)
  openssl-1_1
  python-dbus-python
  python-importlib-metadata (2.0.0 -> 3.1.1)
  python-notify2
  python-pyOpenSSL (19.1.0 -> 20.0.0)
  python-setuptools
  python-urllib3 (1.25.10 -> 1.26.2)
  system-users
  systemd
  sysuser-tools

=== Details ===

==== installation-images-MicroOS ====
Version update (16.27 -> 16.28)

- merge gh#openSUSE/installation-images#440
- add system-group-kvm explicitly
- 16.28

==== krb5 ====
Version update (1.18.2 -> 1.18.3)

- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.

==== openssl-1_1 ====
Subpackages: libopenssl1_1

- Use the centralized crypto policy profile (jsc#SLE-15832)
  * add openssl-1.1.1-system-cipherlist.patch from Fedora

==== python-dbus-python ====

- Support builds with more than one python3 flavor
  gh#openSUSE/python-rpm-macros#66
- Remove shebang from examples (rpmlint warning, is in common doc)
- Clean duplicate python flavor variables for configure
- Update the provides/obsoletes tags for old-style dbus-1-$python

==== python-importlib-metadata ====
Version update (2.0.0 -> 3.1.1)

- Update to 3.1.1
  * no changelog, probably just the merge of 2.1.1
- Update in v2.1.1
  * #261: Restored compatibility for package discovery for metadata
    without version in the name and for legacy eggs.
- Update in v3.1.0
  * Merge with 2.1.0.
- Update in v2.1.0
  * #253: When querying for package metadata, the lookup now honors
    package normalization rules.
- Update in v3.0.0
  * Require Python 3.6 or later.
- Upstream switched to pytest, so do we
- Revert last change: The condition for **BuildRequires** does not
  make any sense, as that would also prevent the install of
  python36-importlib_resources into the build environment.
- Make requirement of importlib_resources only for particular
  versions of Python (< 3.9).

==== python-notify2 ====

- Fix Requires of dbus-python so that the macros can work out the
  correct flavor for multiple python3 flavors
  gh#openSUSE/python-rpm-macros#66

==== python-pyOpenSSL ====
Version update (19.1.0 -> 20.0.0)

- According to gh#pyca/pyopenssl#684 tests must run with TZ=UTC, also
  skip test_verify_with_time on %ix86.
- Update to v20.0.0
  - Backward-incompatible changes:
  - The minimum cryptography version is now 3.2.
  - Remove deprecated OpenSSL.tsafe module.
  - Removed deprecated
    OpenSSL.SSL.Context.set_npn_advertise_callback,
    OpenSSL.SSL.Context.set_npn_select_callback, and
    OpenSSL.SSL.Connection.get_next_proto_negotiated.
  - Drop support for Python 3.4
  - Drop support for OpenSSL 1.0.1 and 1.0.2
  - Deprecations:
  - Deprecated OpenSSL.crypto.loads_pkcs7 and
    OpenSSL.crypto.loads_pkcs12.
  - Changes:
  - Added a new optional chain parameter to
    OpenSSL.crypto.X509StoreContext() where additional untrusted
    certificates can be specified to help chain building. #948
  - Added OpenSSL.crypto.X509Store.load_locations to set trusted
    certificate file bundles and/or directories for verification.
    [#943]
  - Added Context.set_keylog_callback to log key material. #910
  - Added OpenSSL.SSL.Connection.get_verified_chain to retrieve
    the verified certificate chain of the peer. #894.
  - Make verification callback optional in Context.set_verify. If
    omitted, OpenSSL?s default verification is used. #933
  - Fixed a bug that could truncate or cause a zero-length key
    error due to a null byte in private key passphrase in
    OpenSSL.crypto.load_privatekey and
    OpenSSL.crypto.dump_privatekey. #947
- drop patch fix-compilation-2020.patch: no longer needed
- refreshed patch skip-networked-test.patch

==== python-setuptools ====

- Add remove_mock.patch to remove dependency on the external mock
  package.

==== python-urllib3 ====
Version update (1.25.10 -> 1.26.2)

- If you skip_python2 you don't need mock.
- We don't need to break Python 2.7
- Add remove_mock.patch to remove dependency on the external mock
  package (gh#urllib3/urllib3#2108).
- Fixed the testsuite and updated dependencies
- update to 1.26.2:
  * Fixed an issue where ``wrap_socket`` and ``CERT_REQUIRED`` wouldn't
    be imported properly on Python 2.7.8 and earlier (Pull #2052)
  * Fixed an issue where two ``User-Agent`` headers would be sent if a
    ``User-Agent`` header key is passed as ``bytes`` (Pull #2047)
  * Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)
  * Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that
    still wish to use TLS earlier than 1.2 without a deprecation warning
    should opt-in explicitly by setting ``ssl_version=ssl.PROTOCOL_TLSv1_1`` (Pull #2002)
  * *Starting in urllib3 v2.0: Connections that receive a ``DeprecationWarning`` will fail**
  * Deprecated ``Retry`` options ``Retry.DEFAULT_METHOD_WHITELIST``, ``Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST``
    and ``Retry(method_whitelist=...)`` in favor of ``Retry.DEFAULT_ALLOWED_METHODS``,
    ``Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT``, and ``Retry(allowed_methods=...)``
    (Pull #2000) **Starting in urllib3 v2.0: Deprecated options will be removed**
  * Added default ``User-Agent`` header to every request (Pull #1750)
  * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``,
    and ``Host`` headers from being automatically emitted with requests (Pull #2018)
  * Collapse ``transfer-encoding: chunked`` request data and framing into
    the same ``socket.send()`` call (Pull #1906)
  * Send ``http/1.1`` ALPN identifier with every TLS handshake by default (Pull #1894)
  * Properly terminate SecureTransport connections when CA verification fails (Pull #1977)
  * Don't emit an ``SNIMissingWarning`` when passing ``server_hostname=None``
    to SecureTransport (Pull #1903)
  * Disabled requesting TLSv1.2 session tickets as they weren't being used by urllib3 (Pull #1970)
  * Suppress ``BrokenPipeError`` when writing request body after the server
    has closed the socket (Pull #1524)
  * Wrap ``ssl.SSLError`` that can be raised from reading a socket (e.g. "bad MAC")
    into an ``urllib3.exceptions.SSLError`` (Pull #1939)
  * Fix retry backoff time parsed from ``Retry-After`` header when given
    in the HTTP date format. The HTTP date was parsed as the local timezone
    rather than accounting for the timezone in the HTTP date (typically
    UTC) (Pull #1932, Pull #1935, Pull #1938, Pull #1949)

==== system-users ====
Subpackages: system-group-hardware system-user-lp system-user-nobody

- Remove kvm group from hardware subpackage, since kvm is in its
  own subpackage (jsc#SLE-11629).

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev

- Explicitly require group(kvm) by udev: the group used to be
  created by system-users-hardware, but has been split/moved to
  qemu/kvm, where it is more logical. The file
  /usr/lib/udev/rules.d/50-udev-default.rules references this
  group, thus we should make sure the group exists. Otherwise there
  are errors in the journal in the form of:
  /usr/lib/udev/rules.d/50-udev-default.rules:86 Unknown group 'kvm', ignoring

==== sysuser-tools ====

- useradd_or_adduser_dep must be PreReq so ordering makes sure it gets
  installed before.
- suggest shadow where useradd_or_adduser_dep is actually required