pacman/lib/libalpm
Allan McRae b187daefdf Do not use WKD to import keys for package installs from a file
In order to use WKD in pacman -U/--upgrade operations, we need to
get the packager information from the .PKGINFO within the package.
That has obvious security implications. E.g. something like this
could convince a user to download a different key to what they
expect:

packager = foo bar <>^[[2K^[[0G:: Import PGP key DEADBEEF, "foo <bar>

While downloading an untrusted key has little impact due to the
web-of-trust model used by pacman, this could be bad in combination
with an exploit that allowed trust of keys in the keyring to be
altered.

To be safe, do not use WKD when installing using -U.

Fixes FS#73703.

Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit 632eb9739d)
2022-10-02 11:23:51 +10:00
po Final update of 6.0.x translations from Transifex 2022-09-26 21:09:49 +10:00
.gitignore libalpm: add pkg-config file 2012-04-25 20:02:36 -04:00
add.c Update copyright year 2021-03-01 12:22:20 +10:00
add.h Update copyright year 2021-03-01 12:22:20 +10:00
alpm.c skip servers with too many errors 2021-04-07 22:33:52 +10:00
alpm.h libalpm: remove unused error value 2021-05-20 11:34:00 +10:00
alpm_list.c Update copyright year 2021-03-01 12:22:20 +10:00
alpm_list.h Update copyright year 2021-03-01 12:22:20 +10:00
backup.c Update copyright year 2021-03-01 12:22:20 +10:00
backup.h Update copyright year 2021-03-01 12:22:20 +10:00
base64.c base64.c: comment out unused variable 2014-01-15 15:54:56 +10:00
base64.h Do not #define _RESERVED_IDENTIFIERS 2016-09-25 18:04:57 +10:00
be_local.c Update copyright year 2021-03-01 12:22:20 +10:00
be_package.c Do not use WKD to import keys for package installs from a file 2022-10-02 11:23:51 +10:00
be_sync.c Update copyright year 2021-03-01 12:22:20 +10:00
conflict.c Update copyright year 2021-03-01 12:22:20 +10:00
conflict.h Update copyright year 2021-03-01 12:22:20 +10:00
db.c libalpm: clone data on alpm_db_set_servers 2021-05-09 22:54:20 +10:00
db.h Update copyright year 2021-03-01 12:22:20 +10:00
deps.c Update copyright year 2021-03-01 12:22:20 +10:00
deps.h Update copyright year 2021-03-01 12:22:20 +10:00
diskspace.c Update copyright year 2021-03-01 12:22:20 +10:00
diskspace.h Update copyright year 2021-03-01 12:22:20 +10:00
dload.c Order downloads by descending max_size 2021-09-04 10:34:00 +10:00
dload.h libalpm: Give -U downloads a random .part name if needed 2021-09-04 10:33:51 +10:00
error.c libalpm: remove unused error value 2021-05-20 11:34:00 +10:00
filelist.c Update copyright year 2021-03-01 12:22:20 +10:00
filelist.h Update copyright year 2021-03-01 12:22:20 +10:00
graph.c Update copyright year 2021-03-01 12:22:20 +10:00
graph.h Update copyright year 2021-03-01 12:22:20 +10:00
group.c Update copyright year 2021-03-01 12:22:20 +10:00
group.h Update copyright year 2021-03-01 12:22:20 +10:00
handle.c add front-end provided context to callbacks 2021-05-01 12:08:14 +10:00
handle.h add front-end provided context to callbacks 2021-05-01 12:08:14 +10:00
hook.c Update copyright year 2021-03-01 12:22:20 +10:00
hook.h Update copyright year 2021-03-01 12:22:20 +10:00
libalpm.pc.in Update urls to not use www. for archlinux.org 2021-04-08 10:14:33 +10:00
libarchive-compat.h Update copyright year 2021-03-01 12:22:20 +10:00
log.c add front-end provided context to callbacks 2021-05-01 12:08:14 +10:00
log.h Update copyright year 2021-03-01 12:22:20 +10:00
meson.build Remove support for deltas from libalpm 2019-03-07 11:12:12 +10:00
package.c Update copyright year 2021-03-01 12:22:20 +10:00
package.h Update copyright year 2021-03-01 12:22:20 +10:00
pkghash.c Update copyright year 2021-03-01 12:22:20 +10:00
pkghash.h Update copyright year 2021-03-01 12:22:20 +10:00
rawstr.c Remove all modelines from the project 2018-05-14 09:59:15 +10:00
remove.c alpm: fix wrong access() being used 2022-10-02 11:14:59 +10:00
remove.h Update copyright year 2021-03-01 12:22:20 +10:00
signing.c Fix segfault when failing to import keys 2022-10-02 11:23:51 +10:00
signing.h Update copyright year 2021-03-01 12:22:20 +10:00
sync.c alpm: return -1 for error in find_dl_candidates 2022-10-02 11:16:22 +10:00
sync.h Update copyright year 2021-03-01 12:22:20 +10:00
trans.c fix formatting mistake 2021-05-10 07:58:25 +10:00
trans.h Update copyright year 2021-03-01 12:22:20 +10:00
util.c Fix build error when SIGPOLL is not available 2021-04-19 17:29:24 +10:00
util.h Update copyright year 2021-03-01 12:22:20 +10:00
version.c Update copyright year 2021-03-01 12:22:20 +10:00