This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official pacman repository". The branch, master has been updated via b01bcc7d3d680856bd60c4ae03e4ba3f6d889cb2 (commit) via f3dfba73d22b7eca3810a8114f2aab63da488b4c (commit) via 78d6dcec6c49bd2fa830237a46fd14337bc9fd4c (commit) via 34ba8d984d89393ab85ca67724b87af67ff004c3 (commit) via f078c2d3bcb72bafda0dce5fe2c9418ca462bb1a (commit) from 6b9c1b4d54225b4c2808b5fadc2b6e779ae1916a (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit b01bcc7d3d680856bd60c4ae03e4ba3f6d889cb2 Author: Anatol Pomozov <anatol.pomozov@gmail.com> Date: Tue May 26 19:12:08 2020 -0700 Fallback to detached signatures during keyring check Pacman has a 'key in keyring' verification step that makes sure the signatures have a valid keyid. Currently pacman parses embedded package signatures only. Add a fallback to detached signatures. If embedded signature is missing then it tries to read corresponding *.sig file and get keyid from there. Verification: debug: found cached pkg: /var/cache/pacman/pkg/glib-networking-2.64.3-1-x86_64.pkg.tar.zst debug: found detached signature /var/cache/pacman/pkg/glib-networking-2.64.3-1-x86_64.pkg.tar.zst.sig with size 310 debug: found signature key: A5E9288C4FA415FA debug: looking up key A5E9288C4FA415FA locally debug: key lookup success, key exists Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> commit f3dfba73d22b7eca3810a8114f2aab63da488b4c Author: Anatol Pomozov <anatol.pomozov@gmail.com> Date: Mon May 18 14:30:04 2020 -0700 FS#33992: force download *.sig file if it does not exist in the cache In case if *.pkg exists but *.sig file does not we still have to pass the pkg to multi_download API. To avoid redownloading *.pkg file we use CURLOPT_TIMECONDITION curl option. Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> commit 78d6dcec6c49bd2fa830237a46fd14337bc9fd4c Author: Anatol Pomozov <anatol.pomozov@gmail.com> Date: Thu Apr 23 17:28:43 2020 -0700 Add a utility function to check whether a file exists in the cache It is similar to _alpm_filecache_find() but does not return a dynamically allocated memory to user. Thus the user does not need to free this resource. Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> commit 34ba8d984d89393ab85ca67724b87af67ff004c3 Author: Anatol Pomozov <anatol.pomozov@gmail.com> Date: Mon May 18 14:13:11 2020 -0700 Do not use counter for error tracking Current code uses an incrementing counter to check whether a function returned error: errors += some_function(); if(errors) { goto finish } Replace with a more standard variable errors = some_function(); if(errors) { goto finish } Rename 'errors' variable to a more typical 'ret'. Avoid reporting both ALPM_EVENT_PKG_RETRIEVE_FAILED and ALPM_EVENT_PKG_RETRIEVE_DONE in the error path. Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> commit f078c2d3bcb72bafda0dce5fe2c9418ca462bb1a Author: Anatol Pomozov <anatol.pomozov@gmail.com> Date: Tue May 12 15:26:38 2020 -0700 Move signature payload creation to download engine Until now callee of ALPM download functionality has been in charge of payload creation both for the main file (e.g. *.pkg) and for the accompanied *.sig file. One advantage of such solution is that all payloads are independent and can be fetched in parallel thus exploiting the maximum level of download parallelism. To build *.sig file url we've been using a simple string concatenation: $requested_url + ".sig". Unfortunately there are cases when it does not work. For example an archlinux.org "Download From Mirror" link looks like this https://www.archlinux.org/packages/core/x86_64/bash/download/ and it gets redirected to some mirror. But if we append ".sig" to the end of the link url and try to download it then archlinux.org returns 404 error. To overcome this issue we need to follow redirects for the main payload first, find the final url and only then append '.sig' suffix. This implies 2 things: - the signature payload initialization need to be moved to dload.c as it is the place where we have access to the resolved url - *.sig is downloaded serially with the main payload and this reduces level of parallelism Move *.sig payload creation to dload.c. Once the main payload is fetched successfully we check if the callee asked to download the accompanied signature. If yes - create a new payload and add it to mcurl. *.sig payload does not use server list of the main payload and thus does not support mirror failover. *.sig file comes from the same server as the main payload. Refactor event loop in curl_multi_download_internal() a bit. Instead of relying on curl_multi_check_finished_download() to return number of new payloads we simply rerun the loop iteration one more time to check if there are any active downloads left. Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> ----------------------------------------------------------------------- Summary of changes: lib/libalpm/alpm.h | 11 ++++++ lib/libalpm/be_sync.c | 34 ++++-------------- lib/libalpm/dload.c | 95 ++++++++++++++++++++++++++++++++------------------- lib/libalpm/dload.h | 4 ++- lib/libalpm/package.c | 40 ++++++++++++++++++++++ lib/libalpm/sync.c | 67 ++++++++++++++++++++++-------------- lib/libalpm/util.c | 51 +++++++++++++++++++++++++++ lib/libalpm/util.h | 3 ++ 8 files changed, 215 insertions(+), 90 deletions(-) hooks/post-receive -- The official pacman repository