[pacman-dev] [GIT] The official pacman repository branch, master, updated. v5.1.1-207-g48752f1b
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".

The branch, master has been updated
       via  48752f1b4b16cd1dad56649cd36b253494aa9ff1 (commit)
       via  80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638 (commit)
       via  0c4a8ae24b8395b0dd4f8046615336e394a8e3f8 (commit)
       via  5dd2b3776dedd85c196be737ea9c177216448756 (commit)
       via  fd70c1c7bb0cb0681ab8a46d5f0494e0f9d992c6 (commit)
       via  6f3810793f4b1fc82094ccb1847ed82b85a203e6 (commit)
       via  bcb44891ef8aa6feee3090cc0fd87b60e73aed5d (commit)
      from  024fde9748692c71f0d9e6c667439c912a78b6df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 48752f1b4b16cd1dad56649cd36b253494aa9ff1
Author: Jonas Witschel <diabonas@archlinux.org>
Date:   Wed Oct 2 16:40:55 2019 +0200

    signing: add ability to import keys using a WKD

    Currently pacman relies on the SKS keyserver network to fetch unknown
    PGP keys. These keyservers are vulnerable to signature spamming
    attacks, potentially making it impossible to import the required keys.

    An alternative to keyservers is a so-called Web Key Directory (WKD),
    a well-known, trusted location on a server from where the keys can be
    fetched. This commit adds the ability to retrieve keys from a WKD.
    Due to the mentioned vulnerabilities, the WKD is tried first, falling
    back to the keyservers only if no appropriate key is found there.

    In contrast to keyservers, keys in a WKD are not looked up using their
    fingerprint, but by email address. Since the email address of the
    signing key is usually not included in the signature, we will use the
    packager email address to perform the lookup.

    Also see FS#63171.
    Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638
Author: Jonas Witschel <diabonas@archlinux.org>
Date:   Wed Oct 2 16:40:54 2019 +0200

    signing: move key import confirmation before key_search

    Ask the user whether they want to import a missing key before even
    doing a search on the keyserver. This will be useful for getting Web
    Key Directory support in place: for a WKD, looking up and importing a
    key are a single action, so the current key_search -> QUESTION ->
    key_import workflow does not apply.

    Since only the ID of the package signing key is available before
    key_search, we display the packager variable in addition to the key ID
    for user convenience.

    Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 0c4a8ae24b8395b0dd4f8046615336e394a8e3f8
Author: Dave Reisner <dreisner@archlinux.org>
Date:   Sun Oct 6 20:06:43 2019 -0400

    dload: never return NULL from get_filename

    Downloads with a Content-Disposition header will typically not include
    slashes. When they do, we should most certainly only take the basename,
    but when they don't, we should treat the header value as the filename.

    Crash introduced in d197d8ab82cf when we started using get_filename in
    order to rightfully avoid an arbitrary file overwrite vulnerability.
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 5dd2b3776dedd85c196be737ea9c177216448756
Author: Allan McRae <allan@archlinux.org>
Date:   Fri Oct 4 11:53:04 2019 +1000

    makepkg.conf.5: Document PACKAGER format requirements

    Signed-off-by: Allan McRae <allan@archlinux.org>

commit fd70c1c7bb0cb0681ab8a46d5f0494e0f9d992c6
Author: Jonas Witschel <diabonas@archlinux.org>
Date:   Wed Oct 2 16:40:56 2019 +0200

    libmakepkg: check if PACKAGER has the expected format for WKD lookup

    pacman should be able to extract an email address from PACKAGER for
    WKD lookup, so issue a warning if it is not of the form
    "Example Name <email@address.invalid>". Neither the name nor the email
    address must contain additional angle brackets.

    Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 6f3810793f4b1fc82094ccb1847ed82b85a203e6
Author: morganamilo <morganamilo@gmail.com>
Date:   Mon Sep 9 19:39:09 2019 +0100

    libmakepkg: fix typo

    Signed-off-by: Allan McRae <allan@archlinux.org>

commit bcb44891ef8aa6feee3090cc0fd87b60e73aed5d
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Thu Aug 15 19:55:45 2019 -0400

    autotools: distribute meson files

    If we use make dist to create the official, signed release tarballs,
    those will not have meson build files by default since autotools
    doesn't know what they are.

    Also distribute all src/common/ files. We never strictly needed any of
    them to be distributed with autotools, because the dist tarball
    dereferences the symlinks (???), but only some of them were being
    distributed, and meson needs them to be in the right location as we
    only build libcommon from the primary files.
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

-----------------------------------------------------------------------

Summary of changes:
 Makefile.am                                   |   9 +-
 doc/Makefile.am                               |   1 +
 doc/makepkg.conf.5.asciidoc                   |   1 +
 lib/libalpm/Makefile.am                       |   2 +
 lib/libalpm/be_package.c                      |  12 ++-
 lib/libalpm/dload.c                           |   6 +-
 lib/libalpm/signing.c                         | 121 +++++++++++++++++++++-----
 lib/libalpm/signing.h                         |   2 +-
 lib/libalpm/sync.c                            |  22 ++++-
 scripts/Makefile.am                           |   2 +
 scripts/libmakepkg/buildenv.sh.in             |   2 +-
 scripts/libmakepkg/lint_config/variable.sh.in |   6 ++
 src/common/Makefile.am                        |   3 +-
 src/pacman/Makefile.am                        |   2 +
 src/pacman/callback.c                         |  13 +--
 src/util/Makefile.am                          |   2 +
 test/pacman/Makefile.am                       |   1 +
 test/scripts/Makefile.am                      |   1 +
 test/util/Makefile.am                         |   1 +
 19 files changed, 165 insertions(+), 44 deletions(-)


hooks/post-receive
--
The official pacman repository
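The PACKAGER format check described in commit fd70c1c7 and the e-mail extraction that the WKD lookup in commit 48752f1b relies on, written out as an added C illustration that is not pacman's or libmakepkg's own code. packager_email is an assumed name, and its exact rejection rules (one bracket pair, no extra angle brackets on either side, nothing after the closing bracket, an '@' in the address) are my reading of the format the commits describe.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration (not pacman's code): pull the e-mail address out of a
 * PACKAGER value of the form "Example Name <email@address.invalid>", the
 * shape the lint in commit fd70c1c7 warns about, so it can be used for a
 * WKD lookup as in commit 48752f1b. Returns the length of the address
 * copied to out, or 0 when the value is not in that shape: no bracket pair,
 * an extra '<' or '>' in the name or the address, text after the closing
 * bracket, an empty address, an address without '@', or out too small.
 * The exact set of rejections is an assumption made for this example. */
size_t packager_email(const char *packager, char *out, size_t outlen)
{
	const char *open, *close;
	size_t len;

	if (packager == NULL || (open = strchr(packager, '<')) == NULL) {
		return 0;
	}
	/* the name before '<' must not hold a stray '>' */
	if (memchr(packager, '>', (size_t)(open - packager)) != NULL) {
		return 0;
	}
	/* exactly one closing bracket, and it ends the string */
	if ((close = strchr(open + 1, '>')) == NULL || close[1] != '\0') {
		return 0;
	}
	len = (size_t)(close - open - 1);
	/* the address must be non-empty, hold no second '<', and look like
	 * an address at all */
	if (len == 0 || memchr(open + 1, '<', len) != NULL ||
	    memchr(open + 1, '@', len) == NULL || len + 1 > outlen) {
		return 0;
	}
	memcpy(out, open + 1, len);
	out[len] = '\0';
	return len;
}
```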
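The basename rule from commit 0c4a8ae2 (take only the basename when the Content-Disposition value contains a slash, use the whole value when it does not, never return NULL), as an added C illustration rather than pacman's dload.c. disposition_filename is an assumed name, and parsing a quoted or bare filename= parameter plus rejecting empty, "." and ".." names are my additions beyond what the commit states.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not pacman's dload.c: choose the local file name from
 * a Content-Disposition header value such as
 *   attachment; filename="sub/dir/foo-1.0-1-x86_64.pkg.tar.xz"
 * Only the basename of the filename parameter is kept, so a server cannot
 * steer the download outside the directory it is written to, and a value
 * without any slash is used whole (the case whose NULL return crashed
 * before commit 0c4a8ae2). Parsing a quoted or bare filename= parameter and
 * rejecting empty, "." and ".." names are assumptions made for this example.
 * Returns the number of bytes copied to out, 0 if there is no usable name
 * or out is too small. */
size_t disposition_filename(const char *header, char *out, size_t outlen)
{
	const char *p, *q, *end, *base;
	size_t len;

	if (header == NULL || (p = strstr(header, "filename=")) == NULL) {
		return 0;
	}
	p += strlen("filename=");
	if (*p == '"') {
		/* quoted value: runs up to the closing quote */
		p++;
		if ((end = strchr(p, '"')) == NULL) {
			return 0;
		}
	} else {
		/* bare value: runs up to the next parameter or whitespace */
		end = p + strcspn(p, "; \t\r\n");
	}
	/* keep only what follows the last '/' inside [p, end) */
	base = p;
	for (q = p; q < end; q++) {
		if (*q == '/') {
			base = q + 1;
		}
	}
	len = (size_t)(end - base);
	/* an empty name, "." or ".." would not name a file to write */
	if (len == 0 || (len <= 2 && strncmp(base, "..", len) == 0) ||
	    len + 1 > outlen) {
		return 0;
	}
	memcpy(out, base, len);
	out[len] = '\0';
	return len;
}
```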