build(rpm): add conditional openSUSE Leap/Tumbleweed python paths and update Tumbleweed CUDA

[gummiangler]

Description

This PR introduces conditional Python interpreter paths and updated versions/dependencies for openSUSE Leap and Tumbleweed within the RPM spec file.

openSUSE Leap: Explicitly uses python311 and points CMake to /usr/bin/python3.11.
openSUSE Tumbleweed: Switches to the generic python3 stack, updates GCC to version 15, and bumps the target CUDA version to 13.2.0 (Build 595.45.04).

Note regarding CUDA: These changes were successfully tested and compiled on a local openSUSE Tumbleweed system using the pre-installed system CUDA 13.2.0. The build configuration is identical to the one intended for the download script, except that the local build skipped the install_cuda function and its patching logic. If any unexpected build errors occur on COPR for Tumbleweed, it is highly recommended to check whether the cuda-13-math_functions.patch conflicts with the CUDA 13.2.0 headers.

Screenshot

Issues Fixed or Closed

• Resolves https://github.com/orgs/LizardByte/discussions/1025

Roadmap Issues

Type of Change

• feat: New feature (non-breaking change which adds functionality)
• fix: Bug fix (non-breaking change which fixes an issue)
• docs: Documentation only changes
• style: Changes that do not affect the meaning of the code (white-space, formatting, missing semicolons, etc.)
• refactor: Code change that neither fixes a bug nor adds a feature
• perf: Code change that improves performance
• test: Adding missing tests or correcting existing tests
• build: Changes that affect the build system or external dependencies
• ci: Changes to CI configuration files and scripts
• chore: Other changes that don't modify src or test files
• revert: Reverts a previous commit
• BREAKING CHANGE: Introduces a breaking change (can be combined with any type above)

Checklist

• Code follows the style guidelines of this project
• Code has been self-reviewed
• Code has been commented, particularly in hard-to-understand areas
• Code docstring/documentation-blocks for new or existing methods/components have been added or updated
• Unit tests have been added or updated for any new or modified functionality

AI Usage

• None: No AI tools were used in creating this PR
• Light: AI provided minor assistance (formatting, simple suggestions)
• Moderate: AI helped with code generation or debugging specific parts
• Heavy: AI generated most or all of the code changes

[codecov]

Bundle Report

Bundle size has no change ✅

[ReenigneArcher]

Looks like it failed -> https://copr.fedorainfracloud.org/coprs/lizardbyte/pulls/build/10657213/

Also, I think Tumebleweed could use uv, which is the preferred option going forward for Python tooling.

https://software.opensuse.org/package/python-uv ... doesn't seem available in Leap though.

[gummiangler]

@ReenigneArcher
The build environment's dnf5 package manager is strictly enforcing GPG signature checks on the repositories, but it's hitting two major problems:

1. Copr Repositories (404): It attempts to fetch repomd.xml.asc for the internal Copr targets (copr_base and copr_coprdir), which return an HTTP 404. dnf5 treats this as a fatal metadata failure.

2. openSUSE OSS Repo: It throws a Bad GPG signature error for the main openSUSE Tumbleweed OSS repository, likely because the default bootstrap image lacks the updated openSUSE signing keys.

This is an environmental and repository configuration issue inherent to the Copr project settings rather than the Sunshine.spec file or source code.

To fix this, someone needs to adjust the project's Copr settings for the opensuse-tumbleweed-x86_64 chroot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.53%. Comparing base (7ecd028) to head (faf1a1c).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5353      +/-   ##
==========================================
- Coverage   27.53%   27.53%   -0.01%     
==========================================
  Files         113      113              
  Lines       25593    25593              
  Branches    11237    11237              
==========================================
- Hits         7048     7047       -1     
+ Misses      17021    16451     -570     
- Partials     1524     2095     +571     

Flag	Coverage Δ
Archlinux	0.00% <ø> (ø)
FreeBSD-amd64	13.31% <ø> (+<0.01%)	⬆️
Homebrew-macos-14	21.01% <ø> (ø)
Homebrew-macos-15	21.18% <ø> (-0.01%)	⬇️
Homebrew-macos-26	21.30% <ø> (-0.02%)	⬇️
Homebrew-ubuntu-24.04	13.06% <ø> (ø)
Linux-AppImage	12.39% <ø> (ø)
Windows-AMD64	15.26% <ø> (ø)
Windows-ARM64	13.28% <ø> (-0.01%)	⬇️
macOS-arm64	19.25% <ø> (ø)
macOS-x86_64	18.72% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 43 files with indirect coverage changes

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7ecd028...faf1a1c. Read the comment docs.

[ReenigneArcher]

I can adjust it, but I'll need to know specifically what to change.

In the past I've only had to enable the chroots and never had to customize them. Even previously when I tried tumbleweed I got much further than this error.

[gummiangler]

Fedora infrastructure migrated its backends to use dnf5 by default for specific chroots. Older versions of dnf would simply warn and skip missing .asc metadata files for local build directories. This could be the problem

Until the Fedora Copr team updates their Tumbleweed bootstrap logic, i guess turning off gpgcheck and repo_gpgcheck for the chroot initialization is the best workaround.

I don't know much about COPR, but as far as I can tell, under the Chroots configuration for opensuse-tumbleweed-x86_64, Copr provides a text area to inject custom raw Mock options.

config_opts['dnf5_command_options'] = ['--setopt=gpgcheck=0', '--setopt=repo_gpgcheck=0']

Maybe there is a checkbox or something like this there too.

[ReenigneArcher]

@gummiangler these are the options I see when I try to edit a chroot.

[gummiangler]

Based on those options, the easiest and best fix is to change Mock bootstrap from "Use project settings" to Disable.

Right now, Copr is pulling a pre-configured openSUSE container image to act as a bootstrap manager. That image has outdated GPG keys and uses dnf5, which panics over the lack of metadata signatures (repomd.xml.asc) for some reason. But as far as i know Fedora’s Copr build hosts are fully updated and perfectly capable of handling Tumbleweed directly without needing a bootstrap wrapper.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gummiangler]

Again the build failed and again its a problem with Copr. When you turned off Mock's bootstrap setting, the host's native dnf5 took over the installation task. However, because the host is running a different operating system, it doesn't have openSUSE's official repository signing keys trusted inside its local security configuration. When dnf5 went to unpack the very first core package (openSUSE-release), it couldn't verify that the package's digital signature was authentic and untampered with.

To get around this, we need to tell the host's package manager to skip the signature validation check specifically for this initialization phase. But i dont know where we can set gpgcheck=0.

Transaction failed: Signature verification failed.
OpenPGP check for package "openSUSE-release-20260625-4174.1.x86_64"

[gummiangler]

I finally found the exact upstream issue, and it turns out we actually can't fix it from our side at all. Someone just opened a pull request to fix this on the backend fedora-copr/copr#4359.

The real problem is that openSUSE Tumbleweed's new dnf5 defaults strictly to repo_gpgcheck=1, but Copr doesn't sign its own repository metadata yet. It has nothing to do with our config or our keys. The fix they are merging right now will explicitly inject repo_gpgcheck=0 into the backend templates for Copr repos to bypass this exact bootstrap crash. We just have to wait for them to deploy the fix.

You can revert the changes to the chroot.

[ReenigneArcher]

@gummiangler thanks for looking into it!