7389 commits

Author SHA1 Message Date
Allan McRae
1327ce7bd8 makepkg: remove md5sums from generated mtree file
md5sums are cryptographically broken and we supply sha256sums to verify
files on a user's system have not been modified from the packaged version.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-12-04 20:15:33 +10:00
Allan McRae
310bf878fc repo-add: do not add md5sums to the repo dbs
Keeping md5sums in the repo databases no longer serves a real purpose.
md5sums are no longer considered secure, and we already have sha256sums
in the repos (along with PGP verification).

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-12-04 20:15:33 +10:00
Allan McRae
4f43ce3e4a repo-add: use parseopts from libmakepkg
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-12-04 20:14:32 +10:00
Allan McRae
e7806a43e0 pacman.conf.in: adjust example custom repo path for consistency
The example makepkg.conf.in suggests using "PKGDEST=/home/packages". It makes
sense to use the same path for the custom repo example in pacman.conf.in.

Fixes FS#48497.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-12-04 20:11:43 +10:00
Allan McRae
23aa82812e Fix typo in comment
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-11-08 14:20:36 +10:00
Allan McRae
05e52ef796 Document alpm_pkg_xdata_t type and accessor
Also move definitions to more relevant areas in alpm.h.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-11-08 14:19:35 +10:00
Allan McRae
83e5326ac9 Remove obsolete Doxyfile declarations
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-11-08 11:49:31 +10:00
Allan McRae
b2c9543ea9 Use modern openssl interfaces for calculating MD5 and SHA256 checksum
The currently used openssl interfaces for calculating checksums have been
deprecated in openssl-3.0.  Move to the modern interfaces to avoid build
warnings.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-11-07 16:58:29 +10:00
Morten Linderud
3ed08f97ec executable/meson.build: include debugedit.sh.in
Signed-off-by: Morten Linderud <morten@linderud.pw>
2022-11-07 01:02:12 +01:00
Andrew Gregory
da68447ec6 set bash env variables before running scripts
Bash sources user configuration files under a number of conditions that
can cause issues with scripts when bash is used as the scriptlet shell.

Bash assumes it's being run under rsh/ssh if stdin is connected to a
socket and sources the user bashrc unless the environment variable
$SHLVL is >= 2.  Commit 6a4c6a02de
switched from pipes to sockets when communicating with child processes
to work around SIGPIPE issues.  Normally $SHLVL would be inherited from
the shell running pacman, but operations involving scriptlets are
generally run with sudo which does not let the $SHLVL variable through
unless specifically configured to.

Similarly $BASH_ENV can cause bash to source user-specified configuration
files if set.

https://lists.gnu.org/archive/html/help-bash/2022-02/msg00082.html

Note: the list discussion and bash source all reference SHLVL >= 2, this
is the SHLVL value *after* bash has incremented it on startup.  Setting
it to 1 in pacman is sufficient to disable the unwanted behavior.

Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2022-10-15 10:40:59 -07:00
Allan McRae
86981383a2 Fix missing if
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-10-09 13:43:31 +10:00
Frederik Schwan
de11824527 strip: Include .o files in strip operation
`.o` objects used to be omitted by strip.sh due to a missing match in
the `Relocatable file` section. This patch fixes the issue by handling
`.o` objects similar to kernel modules.

fixes FS#74941

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-10-09 11:01:12 +10:00
Morten Linderud
478af273df strip: fix unique source paths
`${pkgbase}` was added to the wrong invocation. This ensures we are
producing correct debug packages.

Example from the package:

    /usr/src/debug/pacman/pacman-6.0.2/src/pacman/callback.c
    /usr/src/debug/pacman/pacman-6.0.2/src/pacman/callback.h
    /usr/src/debug/pacman/pacman-6.0.2/src/pacman/check.c
    /usr/src/debug/pacman/pacman-6.0.2/src/pacman/check.h

Fixes: 776b7c1e75 ("debugflags: Ensure we have unique source paths")
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-10-09 10:57:26 +10:00
Allan McRae
efd0c24c07 Always create directories outputted from debugedit in debug packages
The debugedit call to list all source files may include things like
build/<...>.  We have been filtering out these <> files, but they can
point to the build directory which is important to be available for
relative source paths stored in the .debug files.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-10-08 21:07:45 +10:00
Allan McRae
a6b06a5b17 libmakepkg: fix compatibility with bash-5.2 globskipdots
Bash 5.2 has a new globskipdots option, which is enabled by default. The
check_dotfiles lint fails with globskipdots due to the assumption that
at least the "." and ".." paths will match. Disabling globskipdots would
be the usual solution, but that fails on bash<5.2.  Instead, enable
nullglob for this check.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-10-02 11:40:52 +10:00
Allan McRae
546433b4fd Update Transifex client usage instructions
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-09-26 21:10:54 +10:00
Allan McRae
e10751a1e0 Update Transifex config
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-09-26 20:53:48 +10:00
Kristian Klausen
673ce1ab10 pacman-key: Don't check gpg's trustdb after each key revocation
The trustdb is marked as dirty when a key is revoked[1] and GPG will
recheck it the next time. Checking the trustdb can take 300-500ms which
with 52 revoked keys (and counting) adds up.

This is very noticeable when initializing and populating pacman's
keyring like archiso is doing[2]. It is also unnecessary as the trustdb
is always checked as the last step when populating the keyring.

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=g10/keyedit.c;h=1cb62de8a87a823e06b2ed74efdc9e7a4cd99e2b;hb=refs/heads/STABLE-BRANCH-2-2#l6509
[2] https://gitlab.archlinux.org/archlinux/archiso/-/issues/191
2022-09-26 20:22:11 +10:00
Allan McRae
53dd3e844a makepkg.8: add missing fullstop
Fixes FS#75838

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-09-07 23:14:12 +10:00
Ben Westover
656abdb256 doc: Create documentation for pacman-db-upgrade and testpkg
There are two "binaries" that are currently missing documentation,
pacman-db-upgrade and testpkg. This patch adds that documentation.

Signed-off-by: Ben Westover <kwestover.kw@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-08-04 22:29:27 +10:00
Ben Westover
064e556c4e doc: Fix grammar in pacman.8.asciidoc
Signed-off-by: Ben Westover <kwestover.kw@gmail.com>
2022-08-02 23:04:22 +10:00
soloturn
184f593168 libmakepkg: Fix git clone command
Commit e017a5975c introduced the GITFLAGS
environmental variable. While ensuring the default of "--mirror" was
kept, there was a capitalisation mistake made. Handle the default for
GITFLAGS directly in the git clone command.
2022-08-02 13:07:09 +10:00
soloturn
e017a5975c makepkg: Add GITFLAGS environmental variable to customise checkout
The default flag used to clone a git repository when using makepkg
is "--mirror". However, when working with huge repositories, the use
of different flags during cloning can allow an faster checkout. For
example, using "--filter=blob:none" allows for small checkouts, at
the expense of requiring downloads during the build stage if anything
but the HEAD commit is used for the build. In addition, this example
would serve as a replacement for the often requested (but broken)
addition of --depth=1.

Add support for the environment variable GITFLAGS to pass flags for
the git clone command. Note that this overrides the default rather
than adding to it in order to prevent incompatibilities.
2022-07-29 11:00:01 +10:00
Daan De Meyer
79bd512181 Add --keyringdir meson option to configure the keyring directory
On Debian, keyrings are stored in /usr/share/keyrings. To support
this, let's add a new --keyringdir option that allows configuring
the directory under datarootdir where the keyrings should be
imported from. We default to 'pacman/keyrings' for backwards
compatibility.
2022-07-29 10:17:52 +10:00
Alexander F. Rødseth
51b2e1c973 pacman: let the progress bar "C"/"c" move up and down at a more regular rate
For some terminal widths, the "C"/"c" character does not alternate at
regular intervals, but may look like it is stuck at either lowercase or
uppercase.

The previous behavior toggled based on the character position, while this
new behavior toggles the chomp alternation based on the progress percentage value.

This leads to slightly improved chomping.

Signed-off-by: Alexander F. Rødseth <xyproto@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-29 09:44:04 +10:00
Alexander F. Rødseth
5abe1455f2 pacman: remove redundant argument
The fill_progress function is called from two locations,
and both locations pass in the same percentage value twice.

This patch modifies the function signature to receive the
percentage value just once.

Signed-off-by: Alexander F. Rødseth <xyproto@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-29 09:42:38 +10:00
Joe Baldino
daa2db6a23 meson: replace deprecated get_pkgconfig_variable()
Apparently that function was deprecated in 0.56, so use the generic
getter introduced in 0.51 instead. This squashes a warning.

Signed-off-by: Joe Baldino <pedanticdm@gmx.us>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-29 09:41:47 +10:00
Chris Down
ff7c6c8e57 util: Flush cursor state to stdout before removing signal handler
It's possible that the cursor does not reappear after pressing ^C during
shutdown. In my case, I noticed this when pressing ^C after getting
results from `pacman -F` -- this can reasonably reliably be triggered by
issuing a file query and pressing ^C shortly after results are shown.

There are two reasons for this issue:

1. The graceful SIGINT handler is removed at the start of cleanup(), but
   the window from entering cleanup() to reaching exit() is non-trivial.
   The main offender is FREELIST(pm_targets), which on my T14s takes
   >0.1s to execute. This means that if you are unlucky enough to press
   ^C while there, the cursor isn't coming back, because we haven't
   issued any command to show the cursor again yet, and the userspace
   signal handler is already blown away.
2. Moving console_cursor_show() to earlier in cleanup() only half solves
   the issue. While it's fine not to flush after _hiding_ the cursor,
   since it will at least make itself apparent before any other text
   reaches the screen, _showing_ the cursor must be followed by flushing
   stdout, because once the graceful SIGINT handler is gone, if you
   press ^C, no flush will be triggered (and thus there will be no
   cursor).

This fixes the issue by always starting out by showing the cursor again
at cleanup() time. This means that no matter where we get caught at ^C,
we will not end up leaving the terminal without its beloved ensign.

Signed-off-by: Chris Down <chris@chrisdown.name>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-22 10:20:55 +10:00
Chris Down
015eb31c3a dload: Remove unused ABORT_SIGINT
The last user of ABORT_SIGINT was removed in commit 84723cab5d
("Cleanup the old sequential download code"), and this isn't exported as
part of the public API.

Signed-off-by: Chris Down <chris@chrisdown.name>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-21 20:00:44 +10:00
Jelle van der Waa
cb9776a07b util.c: extend --print-format with %C, %D, %M
Extend print-format with checkdepends, depends and makedepends.

Signed-off-by: Jelle van der Waa <jelle@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-21 19:58:20 +10:00
Jelle van der Waa
00bc386d5a util.c: extend --print-format with %b for builddate
Signed-off-by: Jelle van der Waa <jelle@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-21 19:56:18 +10:00
Allan McRae
7bcc2d9b23 Correctly handle failure in getting build or install dates
alpm_pkg_get_builddate() and alpm_pkg_get_installdate() both return -1 on
error. Correctly handle the error condition in pacman.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-21 19:50:10 +10:00
Jelle van der Waa
819a0c2986 util.c: extend --print-format with expac options
Extend --print-format with all expac format strings which can be easily
added without conversions and through a simple C macro.

Signed-off-by: Jelle van der Waa <jelle@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-07-21 19:09:59 +10:00
Andrew Gregory
6dcd4b5383 makepkg: store pkgtype in xdata
Package type is not relevant to alpm or even exposed to front-ends in
any way.

Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2022-07-21 19:01:45 +10:00
Andrew Gregory
fe028c7f6a query: print extended data when extra info is requested
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2022-07-21 19:01:38 +10:00
Andrew Gregory
3405709b46 add extended data field for arbitrary package data
This adds a mechanism for package builders to add arbitrary data to
packages that is not necessarily relevant enough to the package
installation process to gain first-class support in alpm.  Currently
these fields have to be added to parsers with a "not actually used"
comment and can't be retrieved through the API.

Extended data is stored in "name=value" format in the xdata field
(%XDATA% in desc files):

xdata = pkgtype=debug

or

%XDATA%
pkgtype=debug

Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2022-07-21 19:01:27 +10:00
Allan McRae
2bf67416c1 Fix remaining email list address
One instance was missed in b0a2fd75b2.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-06-25 22:59:20 +10:00
Jean Raby
6daeb37fe8 pacman: silence "info" msg when using --print
This allows for parsing the output of:
    pacman --upgrade --print-format '<format>' pkg.zst

without having to remove info messages from it.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-06-25 22:45:00 +10:00
Morten Linderud
776b7c1e75 debugflags: Ensure we have unique source paths
In some cases packages are built outside of a directory which contains
pkgname-pkgver, this results in source listing in debug packages having
a conflicting path like `/usr/src/debug/build/` which is not ideal.

This patch ensures we always include the pkgbase to ensure the paths are
unique.

Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-06-25 10:45:04 +10:00
Levente Polyak
0031cd1e46 doc/BUILDINFO.5: document buildtool and buildtoolver properties
The feature has been introduced in commit a33cdac10b
The buildinfo version has been bumped in commit 0428f6213b

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2022-06-25 10:25:36 +10:00
Allan McRae
d1e95c4e54 Gitlab CI: Install glibc-debug valgrind test
Currently our gitlab CI is failing due to valgrind breakage. With
Arch stripping glibc, valgrind now requires debuginfod to be active.
However the gitlab CI system combined without our testsuite does not
retrieve these symbols, even when the appropriate environmental
variable is set.

Work around this by installing the glibc-debug package directly
using a slight kludge...  All blame for this approach is assigned
to foutrelis!

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-06-16 09:00:18 +10:00
Allan McRae
84dc662d65 makepkg: add source signing PGP keys to source package if available
Arch Linux is adding source signing PGP keys to their package source
tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
PGP keyserver infrastructure is a mess, this helps other people validate
sources in a PKGBUILD.

Add the keys to source packages if found alongside the PKGBUILD.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-05-31 20:13:14 +10:00
Allan McRae
fdf04cdac5 doc/PKGBUILD: remove Arch Linux specific advice
The documentation for the license array was specific to Arch Linux.
Remove it and some minor other Arch Linux specific references.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-05-18 22:06:07 +10:00
Allan McRae
18152a211a libmakepkg: Do not "strip" files when the format is not recognised
We use a multi step process during stripping to ensure permissions do
not get changed.  However, if the initial objcopy fails, the subsequent cat
results in a blank file.  Abandon early if objcopy fails.

Fixes FS#74486

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-05-12 09:45:12 +10:00
Jonas Witschel
f5f9e0f4ea makepkg: use bsdtar --no-read-sparse for archive creation if available
bsdtar uses the "pax" TAR archive format by default, which has support for
storing sparse file information in the archive. Unfortunately this is a source
of unreproducibility because the sparse encoding is taken from the file system
and different file systems handle sparse files differently: some file systems
have no support for sparsely encoded files at all, and even file systems with
sparse file support can report different file information for identical files
due to differing implementations.

As a real world example where this happens, consider the Arch Linux package
"brotli-testdata 1.0.9-7", which contains a sparsely encoded all-zeros file
"usr/share/brotli/testdata/zeros". Building this package on a btrfs file system
yields a different package than building it on tmpfs or ext4 solely due to
different sparse file information that gets recorded in the package tarball.

To improve the reproducibility of archives containing sparsely encoded files,
libarchive version 3.6.0 introduces a new --no-read-sparse option. This skips
reading sparse file information from disk entirely and therefore stores files
"expanded" in the archive, which is the only way to make them reliably
reproducible across file systems.

makepkg will use this option if libarchive is recent enough to support it,
which is detected at build time.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-03-11 09:43:59 +10:00
morganamilo
bddfcc3f40 libalpm: add getter for handle on db and pkg
db and pkg store a pointer to the handle for internal use but don't
actually provide a way for a user to get it.

Making this accessible is more convenient for front ends and FFI
wrappers.

For example, in other languages it's common to return the error value
directly. To achieve this the python and rust wrappers also store their
own pointer to the handle inside their own pkg/db wrappers.

Exposing this would allow the wrappers to forgo the extra pointer and
just return `pkg.get_handle().last_error()`.
2022-03-08 09:56:53 +10:00
Andrew Gregory
221905b5ae query: allow querying extra info for package files
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-03-07 20:37:45 +10:00
Andrew Gregory
293762ea8b query: only strip leading local/ for db packages
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
2022-03-07 20:37:01 +10:00
Allan McRae
40583ebe89 Avoid information leakage with badly formed download header
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:

Content-Disposition="";

will result in a strnduppayload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.

Prevent this by only copying the value if it exists.

Fixes FS#73704.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-03-06 21:49:56 +10:00
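
The rule stated in the commit above ("only copying the value if it exists"), as an added example that is not pacman's code: a stand-alone parser that refuses empty or unbalanced `filename=` values before any length reaches the copy. The function name `disposition_filename` and the sample headers are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not pacman's function): return a newly allocated copy
 * of the filename= value found in a Content-Disposition header line, or NULL
 * when the parameter is absent, empty or malformed. */
char *disposition_filename(const char *header)
{
	static const char key[] = "filename=";
	const char *start, *end;
	size_t len;
	char *out;

	if(header == NULL || (start = strstr(header, key)) == NULL) {
		return NULL;
	}
	start += sizeof(key) - 1;
	/* the value runs up to ';', CR, LF or the end of the string;
	 * end points one past its last character */
	end = start + strcspn(start, ";\r\n");

	if(end - start >= 2 && start[0] == '"' && end[-1] == '"') {
		/* a balanced pair of two distinct quote characters: strip it */
		start++;
		end--;
	} else if(start < end && (start[0] == '"' || end[-1] == '"')) {
		return NULL; /* lone or unbalanced quote */
	}
	if(end <= start) {
		return NULL; /* no value: never hand a zero or negative length on */
	}
	len = (size_t)(end - start);
	if((out = malloc(len + 1)) == NULL) {
		return NULL;
	}
	memcpy(out, start, len);
	out[len] = '\0';
	return out;
}

int main(void)
{
	/* constructed sample headers; the second is the one quoted in the commit */
	const char *samples[] = {
		"Content-Disposition: attachment; filename=\"pkg.tar.zst\"\r\n",
		"Content-Disposition=\"\";",
		"Content-Disposition: attachment; filename=\";",
	};
	for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		char *name = disposition_filename(samples[i]);
		printf("%zu: %s\n", i, name ? name : "(rejected)");
		free(name);
	}
	return 0;
}
```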
Allan McRae
632eb9739d Do not use WKD to import keys for package installs from a file
In order to use WKD in pacman -U/--upgrade operations, we need to
get the packager information from the .PKGINFO within the package.
That has obvious security implications. e.g. something like this
could convince a user to download a different key to what they
expect:

packager = foo bar <>^[[2K^[[0G:: Import PGP key DEADBEEF, "foo <bar>

While downloading an untrusted key has little impact due to the
web-of-trust model used by pacman, this could be bad in combination
with an exploit that allowed trust of keys in the keyring to be
altered.

To be safe, do not use WKD when installing using -U.

Fixes FS#73703.

Signed-off-by: Allan McRae <allan@archlinux.org>
2022-03-06 21:25:30 +10:00
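
The commit above fixes the issue by not using WKD for -U. A separate display-side hardening, shown here as an added example that is not pacman's code, is to make control bytes in untrusted metadata visible before printing it. The function name `terminal_safe` is hypothetical, and the sample string is constructed from the packager line quoted in the commit, with `^[` written as the ESC byte.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a malloc'd copy of an untrusted metadata string
 * that is safe to print to a terminal. C0 controls, DEL and UTF-8 encoded C1
 * controls (U+0080..U+009F, which include the 8-bit CSI) become visible \xNN
 * text; all other bytes, including UTF-8 names, pass through unchanged. */
char *terminal_safe(const char *s)
{
	size_t n = strlen(s), o = 0;
	char *out = malloc(n * 4 + 1); /* worst case: every byte becomes \xNN */

	if(out == NULL) {
		return NULL;
	}
	for(size_t i = 0; i < n; i++) {
		unsigned char c = (unsigned char)s[i];
		unsigned char next = (unsigned char)s[i + 1]; /* s[n] is the NUL */

		if(c == 0xC2 && next >= 0x80 && next <= 0x9F) {
			/* two-byte UTF-8 form of a C1 control character */
			o += (size_t)sprintf(out + o, "\\xC2\\x%02X", next);
			i++;
		} else if(c < 0x20 || c == 0x7F) {
			o += (size_t)sprintf(out + o, "\\x%02X", c);
		} else {
			out[o++] = (char)c;
		}
	}
	out[o] = '\0';
	return out;
}

int main(void)
{
	/* constructed sample: the packager value from the commit message */
	const char *packager =
		"foo bar <>\x1b[2K\x1b[0G:: Import PGP key DEADBEEF, \"foo <bar>";
	char *shown = terminal_safe(packager);

	if(shown != NULL) {
		printf("packager = %s\n", shown);
	}
	free(shown);
	return 0;
}
```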