We use NPROC for managing the number of parallel jobs to run, so it is
essentially that this is a valid number. Add a lint pass, and move the
setting of the default value to this location.
Signed-off-by: Allan McRae <allan@archlinux.org>
Parallel processing of file stripping is causing a TOC/TOU race when copying
source files into the debug location resulting in error messages from cp.
While hiding this error is not the ideal solution, it is currently the only
one we have. Given this is a error of our own making, and we understand the
cause and have determined there is zero actual downside to ignoring the
error, we will accept this approach until something better is found.
Signed-off-by: Allan McRae <allan@archlinux.org>
Perform file stripping in parallel where possible. Hardlinks remain
processed one at a time due to reproducibility issues.
Signed-off-by: Allan McRae <allan@archlinux.org>
Handle singly and muptiply hard-linked files separately. Also collect
information on hard linked files to avoid searching the entire package
to check for hard links.
Signed-off-by: Allan McRae <allan@archlinux.org>
Add a "safe_" prefix to strip_file() and strip_lto() to indicate that
these functions are taking extra steps to ensure permissions remain
unchanged.
Signed-off-by: Allan McRae <allan@archlinux.org>
Only a subset of checks were being performed on the overridden arch
arrays in package functions. Refactor checking such that all checks
are perform on all arch arrays.
Signed-off-by: Allan McRae <allan@archlinux.org>
The decision to set the PYTHONHASHSEED variable and its value is outside
the domain of makepkg and should be handled by a distribution. Move this
file to the libalpm-dropins project.
Signed-off-by: Allan McRae <allan@archlinux.org>
When the import key message was pushed to the pacman frontend, we no longer
displayed the length or algorithm used for the key, sticking to just the
user ID and the key ID.
Remove this code given this field is no longer used, and the code requires
updating for any now algorithm added.
Note: removal of the field from the alpm_pgpkey_t will happen in a separate
commit so that this commit can be readily backported.
Signed-off-by: Allan McRae <allan@archlinux.org>
Debug symbols should only be split from finally linked ELFs, not bare
object files. We're already excluding static libraries from splitting
for a similar reason.
The `.gnu_debuglink` sections are also mishandled by LLVM's LLD, which
copies them to its output. For example, this affects Arch Linux's
`/usr/lib/Scrt1.o`.
While we're here (and it changes the code less), also strip GNU LTO data
from bare objects, again for the same reason we're removing it from
static libraries, and apply static library stripping instead of shared
library stripping.
See: https://bugs.gentoo.org/787623
When objcopy encounters an already-present section, adding the new
debuglink will fail with a warning. Remove any existing `.gnu_debuglink`
section to work around this problem.
Arch Linux's `rust` package is affected by this. Apparently when LLVM's
LLD links in `/usr/lib/Scrt1.o` it will also copy the `.gnu_debuglink`
section.
See: https://bugs.gentoo.org/787623
Using objcopy can result in file permission changes. We work around this
by using "cat" to copy the temporary output file into the target. Extract
this code into a utility function.
Signed-off-by: Allan McRae <allan@archlinux.org>
For example, with landlock ABI < 3, LANDLOCK_ACCESS_FS_TRUNCATE is not
set in ruleset_attr.handled_access_fs, so it should not be set in
path_beneath.allowed_access either. Otherwise, landlock_add_rule fails
with -EINVAL, and pacman complains:
> error: restricting filesystem access failed because the landlock rule for the temporary download directory could not be added!
The change is tested on Debian Bookworm kernel
linux-image-6.1.0-25-cloud-amd64 6.1.106-3.
Some libaplm utilities sync databases as a non-root user for use in
actvities other than system updates. The ability to download as a
non-root user was broken as part of the download sandboxing.
Applying a minimial fix by preventing the chown of the downloaded file
if the user is non-root. A larger change increasing the robustness
and error checking of this path is warranted in the future.
Signed-off-by: Allan McRae <allan@archlinux.org>
Sorting modifies the list in place, causing any existing pointers to the
list to point to a random element.
Fixes#165
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Git commands can fail in bare repositories when global git config contains safe.bareRepository=explicit.
Some users set this option for increased security.
To be compatible with this configuration, explicitly set safe.bareRepository=all when invoking git in a bare repository.
In f91fa546 (repo-add: do not recreate the database if nothing was changed),
repo-add was made to skip database write-out if there were no changes to
the database. However, this breaks the usage of repo-add to create a new
empty database: `repo-add /path/to/mydb/mydb.db.tar.xz`.
Bring back support for this use-case by always writing the database if
it is missing.
Original-patch-by: Ivan Shapovalov <intelfx@intelfx.name>
Signed-off-by: Allan McRae <allan@archlinux.org>
The Arch sharutils package was spewing messages about "Permission denied" when
copying source files into the debug package. This is due to the source files
having 444 permissions and being used in multiple binaries. Only copy each
source file into the debug package onces to avoid this error.
Signed-off-by: Allan McRae <allan@archlinux.org>
If a package was already downloaded but its signature file was not,
pacman would download the signature then error out despite all files
being present.
Also fixes a similar error when some, but not all, package databases
were updated with -Sy.
Fixes#156
Signed-off-by: Allan McRae <allan@archlinux.org>
The calculation used the size of the package rather than the amount
remaining to download for partially downloaded packages.
Signed-off-by: Allan McRae <allan@archlinux.org>
