Test for downloads that redirect to some sort of cdn where the
redirected url does not relate to the original filename.
Signed-off-by: Allan McRae <allan@archlinux.org>
Github and other sites redirect their downloads to a cdn. So the
download http://foo.org/myrepo.db may redirect to something like
https://cdn.foo.org/83749327439.
This then causes pacman to try and download the sig as
https://cdn.foo.org/83749327439.sig which is incorrect. In this case
pacman should append .sig to the original url.
However urls like https://archlinux.org/packages/community/x86_64/0ad/download/
Redirect to the mirror, so .sig has to appended after the redirects and
not before.
So we decide if we should append .sig on the original or effective url
based on if the effective url (minus the query part) has .db or .pkg in it.
Fixes FS#71148
---
v2: move variable decleration to start of block
v3: use dbext instead of db
archweb's download links all ended in /download. This cause all the temp
files to be named download.part. With parallel downloads this results in
multiple downloads to go to the same temp file and breaks the transaction.
Assign random temporary filenames to downloads from URLs that are either
missing a filename, or if the filename does not contain at least three
hyphens (as a well formed package filename does).
While this approach to determining when to use a temporary filename is
not 100% foolproof, it does keep nice looking download progress bar names
when a proper package filename is given. The only downside of not using
temporary files when provided with a filename with three or more hyphens
is URLs created specifically to bypass temporary filename usage can not
be downloaded in parallel. We probably do not want to download packages
from such URLs anyway.
Fixes FS#71464
Modified-by: Allan McRae (do not use temporary files for realish URLs)
Signed-off-by: Allan McRae <allan@archlinux.org>
Arch Linux has been setting PYTHONHASHSEED=0 to create deterministic
.pyc files. After a thorough review by the Arch Security Team, setting
this variable was determined not to generated vulnerable .pyc files, as
when the loader loads the .pyc file and unmarshalls it, the internal
runtime will just populate the unordered data structures and use a new
runtime hash for them.
Signed-off-by: Allan McRae <allan@archlinux.org>
We usually set this up to default to the build time configured install
location, but a couple of files crept in without this.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Binutils commit 93df3340fd5ad32f784214fc125de71811da72ff enabled readelf
to report "Position-Independent Executable" files. Fix stripping to
account for this change.
Signed-off-by: Allan McRae <allan@archlinux.org>
pacman_date is set to the current date during build without respecting
SOURCE_DATE_EPOCH. As a result, a build cannot be fully reproduced on a later
date because the date embedded into the man pages does not match.
In contrast, the built-in asciidoc attribute "localdate" respects
SOURCE_DATE_EPOCH and has the desired ISO 8601 format, so simply use that
instead of the custom "pacman_date" attribute.
Fixes: FS#71154
Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
If the original download redirects to to a different url then alpm would
try to name the sig file after the url instead of <original_file>.sig.
Instead force this naming scheme regardless of url.
Fixes FS#71274
Signed-off-by: Allan McRae <allan@archlinux.org>
Since commit 08f4ae70, makepkg supports downloading from fossil.
However, the PKGBUILD man page was only partially updated to reflect
this change.
Signed-off-by: Allan McRae <allan@archlinux.org>
Comit 5151de30 tried to fix leaking memory when importing a key. However
key_search_keyserver() writes to the key passed in, making the original
uid and fingerprint unreachable, causing the new uid and fingerprint to
double free.
Fixes FS#71107
Signed-off-by: Allan McRae <allan@archlinux.org>
Around the same time retry events were added, there was a patch to pass
sig download events to the frontend. The retry code was not updated to
account for this.
Signed-off-by: morganamilo <morganamilo@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Some servers respond with error pages (e.g. 404.html) when a package is
not present. These were getting written to packages before moving onto
the next server. Reset the download progress on 400+ error conditions
to avoid this.
Signed-off-by: Allan McRae <allan@archlinux.org>
This can not be specified on its own but requires a value.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
readelf --debug-dump sometimes reports inscrutable warnings which don't
actually affect our extraction of source filenames. For example:
readelf: Warning: There is a hole [0xd3d - 0xd89] in .debug_loc section.
Now gcc 11 seems to have dramatically increased the number of warnings:
readelf: Warning: Corrupt offset (0x0000008e) in range entry 9
[...]
readelf: Warning: Corrupt offset (0x000010f0) in range entry 250
The resulting debuginfo created by the very same toolchain works fine,
as does the list of source filenames. But the warnings are quite
noisy... send them to /dev/null since they are not actionable in the
context of getting source files
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
This partially fixes FS#67850
It fixes the case for -S'ing packages but not -U'ing urls.
pacman -S a/a b/b
resolving dependencies...
error: packages a and b have the same filename: a-1-1-any.pkg.tar.zst
error: failed to prepare transaction (duplicate filename)
Signed-off-by: Allan McRae <allan@archlinux.org>
When a download fails on one mirror a new download is started on the
next mirror. This causes the ammount downloaded to reset, confusing the
rate math and making it display a negative rate.
This is further complicated by the fact that a download may be resumed
from where it is or started over.
To account for this we alert the frontend that the download was
restarted. Pacman then starts the progress bar over.
Signed-off-by: Allan McRae <allan@archlinux.org>
Every alpm_option_set function clones the input so lets be more
consistent. Also this fixes servers not being sanatized.
Signed-off-by: Allan McRae <allan@archlinux.org>
When initially downloading a package, pacman will display a message
like:
wine-6.6-1-x86_64.pkg.tar.zst downloading...
Then when the download progresses the message will change to:
wine-6.6-1-x86_64.pkg.tar.zst
So instead lets match the progress message so there's no sudden change.
Signed-off-by: Allan McRae <allan@archlinux.org>
With a repo using "SigLevel = Optional" and a package already downloaded
into the cache, download_files() returns 1 (via _alpm_download) to indicate
no files were downloaded. This causes installation of the package to
fail.
Explicitly check that download_files() returns -1 (error) rather than
non-zero.
Signed-off-by: Allan McRae <allan@archlinux.org>
Restore the prior indicator whether or not databases were up to date.
0 is used to indicate if *any* db was actually updated as callers are
more likely to care about that than if *all* dbs were updated.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
An extra break causes _alpm_download to break out of the payload loop as
soon as it sees a successful url download with XferCommand.
Fixes: FS#70608 - -U fails to download all files with XferCommand
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Our callbacks require front-ends to maintain state in order to provide
reasonable output. The new download callback in particular requires
much more complex state information to be saved. Without the ability to
provide context, state must be saved globally, which may not be possible
for all front-ends. Scripting language bindings in particular have no
way to register per-handle callbacks without some form of context.
Implements: FS#12721
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
These were added without documentation in commit
a33cdac10b
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
We do not need the --relative case as it is dead code (we only ever link
a filename without directory components).
For the rest, GNU-specific ln -T does two things:
- if the link name is an existing directory, ln fails instead of
creating a surprising link inside the directory
- if the link name is a symlink to a directory, ln treats it as a file,
and due to -f, unlinks it
The second case can be portably solved by ln -n, and both cases can be
solved by doing what the original autotools Makefile did: rm -f && ln -s
If the file exists, it will be removed. If it cannot be removed, it must
be an ordinary directory, and the script aborts with an error.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Previously TotalDownload would switch the % download from per package to
overall. Meaning you had a choice of which information to dispplay.
Now with parallel downloads TotalDownload adds an extra progress bar.
There's no reason to have this an off by default feature. Let's just
make it always on.
Signed-off-by: Allan McRae <allan@archlinux.org>
If a makepkg consumer uses a build wrapper to override compiler
flags this may lead to unreproducible packages as there is no way to
know which exact files were used for tooling that tries to reproduce
said package.
Instead of vendoring the whole used makepkg.conf file into buildinfo,
this patch adds two new properties to the .BUILDINFO file named
BUILDTOOL and BUILDTOOLVER which by default are simply makepkg's own
values. Downstream consumers may override those values: For example in
Arch Linux the devtools package can set those values and allow
reproducible builds tooling to fetch the appropriate makepkg.conf.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
This allows architecture to be multivalued. On x86-64 machines, this
could be something like:
Architecture = x86-64-v3 x86-64
We use the first specified Architecture value in mirrorlist $arch
variable replacement, as this is backwards-compatible and sane.
Original-patch-by: Dan McGee <dan@archlinux.org>
Patch-updated-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
When the download estimate is over an hour the format displayed changes
from mm:ss to hh:mm:ss. This causes everything to be out of alignment
due to the extra characters.
So instead lets just go back to --:-- when the download => 100 minutes.
Signed-off-by: Allan McRae <allan@archlinux.org>
This pkg-config file is automatically created in the meson-uninstalled/
directory of the build tree, and points to the built artifacts there. If
this directory is added to PKG_CONFIG_PATH, it will be preferred over an
installed copy.
Making this work properly means it becomes trivially possible to build a
private copy of libalpm, and then compile other projects using it rather
than the system copy.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
