
[autobackport: sssd-2-11] Use macro rather than shell expansion for string processing in spec file#8523

Open
sssd-bot wants to merge 2 commits into SSSD:sssd-2-11 from sssd-bot:SSSD-sssd-backport-pr8511-to-sssd-2-11

Conversation

@sssd-bot
Contributor

This is an automatic backport of PR #8511 "Use macro rather than shell expansion for string processing in spec file" to branch sssd-2-11, created by @nforro.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8511-to-sssd-2-11
git checkout SSSD-sssd-backport-pr8511-to-sssd-2-11
git push sssd-bot SSSD-sssd-backport-pr8511-to-sssd-2-11 --force

Original commits

  • f9697d4 - Use macro rather than shell expansion for string processing in spec file
  • caa0ec2 - Add a default for %samba_package_version

Backported commits

  • 27d8481 - Use macro rather than shell expansion for string processing in spec file
  • 9097497 - Add a default for %samba_package_version

Original Pull Request Body

We've hardened security in Packit Service and shell expansions in spec files are now rejected as they can be used to execute arbitrary code. There is no need to use shell expansion for string processing, there is an existing macro for this very purpose.

nforro added 2 commits March 16, 2026 10:21
Signed-off-by: Nikola Forró <nforro@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit f9697d4)
Signed-off-by: Nikola Forró <nforro@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit caa0ec2)

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request improves security by replacing a shell expansion used for string processing in the spec file with a safer RPM macro. It also adds a default value for the Samba package version, making the build more robust.

However, the PR's stated goal of rejecting shell expansions is not fully met, as other instances of shell execution remain in the spec file (e.g., for determining samba_package_version and ldb_modulesdir). My review includes a comment with a suggestion to remove the remaining shell expansion for samba_package_version by determining the version during the configure step, which would fully align with the security hardening objective.
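As an added example, not code from the SSSD project, from Packit, or from this pull request: a small POSIX shell check that flags `%(...)` shell expansions in an RPM spec file. This is the construct the PR body says Packit now rejects (rpm evaluates `%(...)` by running the text through /bin/sh while expanding macros, so a spec file can execute arbitrary commands), and the construct the review comment above says still remains for samba_package_version and ldb_modulesdir. The spec fragment is constructed for illustration and is not SSSD's spec; the `%{gsub:...}` line is an assumed illustration of a string-processing macro that rpm handles itself without a shell (a built-in of rpm 4.17 and later, syntax assumed here), not necessarily the macro the PR actually uses. The check serves both passages: it is the kind of gate a build service applies before expanding a spec, and it is the grep a reviewer runs to find remaining instances.

```shell
#!/bin/sh
# Added example (not SSSD's spec or Packit's code): flag %(...) shell
# expansions in an RPM spec file. Everything below is constructed.

# Constructed spec fragment. Lines 3 and 4 use %(...), which rpm hands to
# /bin/sh during macro expansion; line 5 uses a macro (assumed %{gsub:...}
# syntax, rpm >= 4.17) that rpm processes itself, with no shell involved.
# Line 6 shows that "%%" is a literal percent sign, not an expansion.
SAMPLE_SPEC='Name:    example
Version: 1.2.3
%global samba_package_version %(rpm -q --qf "%%{version}" samba-devel 2>/dev/null)
%global short_version %(echo %{version} | cut -d. -f1-2)
%global underscore_version %{gsub:%{version} %. _}
%global literal_pct 100%%(not an expansion)'

# Print each line that contains a %(...) expansion, prefixed with its line
# number. "%%" is a literal percent in a spec, so it is stripped first so
# that "%%(" is not reported.
list_shell_expansions() {
    sed 's/%%//g' "$1" | grep -n '%(' || true
}

# Return the number of lines that contain a %(...) expansion.
count_shell_expansions() {
    list_shell_expansions "$1" | wc -l | tr -d ' '
}

# Return 1 (and list the offending lines on stderr) if the spec file
# contains any shell expansion; usable as a CI gate before rpmbuild runs.
check_spec() {
    n=$(count_shell_expansions "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n line(s) use %(...) shell expansion:" >&2
        list_shell_expansions "$1" >&2
        return 1
    fi
    return 0
}

# Run the check against the constructed fragment; it is expected to fail,
# reporting lines 3 and 4.
SPEC_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SPEC" > "$SPEC_FILE"
check_spec "$SPEC_FILE" || echo "sample spec rejected, as expected"
```

The check is deliberately textual: it does not run rpm, so it is safe to apply to an untrusted spec file, which is the whole point of rejecting `%(...)` before any macro expansion happens. It does not try to parse `%if` blocks or conditional macros, so a `%(...)` inside a branch that is never taken is still reported, which is the conservative choice for a gate.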
