From: Christian Hesse If download server is dynamic mirror chances are that db file download and db file signature download are redirected to different mirrors, resulting in invalid signature. This uses effective URL for db file signature download and makes the files always match. Signed-off-by: Christian Hesse --- lib/libalpm/be_sync.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index b03d273..653cb0e 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -209,6 +209,7 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) } for(i = db->servers; i; i = i->next) { + char *final_db_url = NULL; const char *server = i->data; struct dload_payload payload; size_t len; @@ -228,7 +229,7 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) payload.force = force; payload.unlink_on_fail = 1; - ret = _alpm_download(&payload, syncpath, NULL, NULL); + ret = _alpm_download(&payload, syncpath, NULL, &final_db_url); _alpm_dload_payload_reset(&payload); if(ret == 0 && (level & ALPM_SIG_DATABASE)) { @@ -242,11 +243,11 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) free(sigpath); /* if we downloaded a DB, we want the .sig from the same server */ - /* print server + filename into a buffer (leave space for .sig) */ - len = strlen(server) + strlen(db->treename) + 9; + /* print final_db_url into a buffer (leave space for .sig) */ + len = strlen(final_db_url) + 5; /* TODO fix leak syncpath and umask unset */ MALLOC(payload.fileurl, len, RET_ERR(handle, ALPM_ERR_MEMORY, -1)); - snprintf(payload.fileurl, len, "%s/%s.db.sig", server, db->treename); + snprintf(payload.fileurl, len, "%s.sig", final_db_url); payload.handle = handle; payload.force = 1; payload.errors_ok = (level & ALPM_SIG_DATABASE_OPTIONAL); @@ -260,6 +261,8 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) _alpm_dload_payload_reset(&payload); } + free(final_db_url); + if(ret != -1 && sig_ret != -1) { break; } -- 2.1.2

On Thu, Oct 16, 2014 at 02:18:49PM +0200, Christian Hesse wrote:

Christian Hesse on Thu, 2014/10/16 13:54:

...

ALPM_SIG_DATABASE_OPTIONAL); @@ -260,6 +261,8 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) _alpm_dload_payload_reset(&payload); }

+ free(final_db_url); + if(ret != -1 && sig_ret != -1) { break; }

But it starts crashing now... In curl_download_internal() we do:

*final_url = effective_url;

So no allocation. Either free() is wrong or we have to use strdup() here. No?

Well strdup would be silly since we're just trying to make sure that it has an owner to deallocate it. Yeah, this is just a const char* handed to us from curl... I suppose your original patch is correct, then.