[pacman-dev] [GIT] The official pacman repository branch, master, updated. v5.0.1-208-g3a9a510c
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".

The branch, master has been updated
       via  3a9a510ca873df123a117133c7cb3ebaa711159c (commit)
       via  8bf972824a331ebcb30de01103b26b92b6792d59 (commit)
       via  eba623b44377682534763b4222a660d3e6d60932 (commit)
       via  59bb21fce369e6453e00791cbb788e502e4039e9 (commit)
       via  d0981d4c5b59d724d9b7989b1083c2c0e9f839b2 (commit)
       via  3d4e95e5262a8886a5e775c999fa48ed6a78e179 (commit)
       via  135f4397c2473844bc060e967dbe1b248b444301 (commit)
       via  8bec63bf92d8dd028aa88dbd5109c314cdb9ebea (commit)
       via  259d521e37c4cbcdbdc074e6cf832d233f2a9528 (commit)
       via  1825bd6716c2a51c92642e8b96beac0101e83805 (commit)
       via  2fb8081d059cae1f6d22a0b63c3714b51c1c1093 (commit)
       via  c50ce453dc4adc1339577e3f0f1010590be3724f (commit)
       via  ad0517d3711b6826cd7a95b99beb36ccd072c2e0 (commit)
       via  44f3a157983e903f926b4f11ddb3f57d111e60f9 (commit)
       via  ab2be5794de8a57426ec3fc0f631cc766a0b8227 (commit)
       via  67ce123457cf9c0ee9d4298776ae563202214c69 (commit)
      from  e4f13e62cf74393e811dd247a28b887935ce6a56 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3a9a510ca873df123a117133c7cb3ebaa711159c
Author: Andrew Gregory <andrew.gregory.8@gmail.com>
Date:   Wed Dec 20 23:22:36 2017 -0500

    do not rely on name hashes for matching

    6cfc4757b98e813428d261dbc185e20618ca83a6 was overzealous in
    attempting to optimize away a call to strcmp based on a comparison
    of hashes. The call can be skipped if the hashes are different, but
    different strings could have the same hash.

    Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 8bf972824a331ebcb30de01103b26b92b6792d59
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Sun Dec 17 14:28:24 2017 -0500

    vercmp: fix incorrect info in the manpage

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit eba623b44377682534763b4222a660d3e6d60932
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Sun Dec 17 14:28:23 2017 -0500

    vercmp: remove --usage variant of the -help option

    I think two ways to ask for this are enough for everyone, and we
    have never documented this anyway.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 59bb21fce369e6453e00791cbb788e502e4039e9
Author: Andrew Gregory <andrew.gregory.8@gmail.com>
Date:   Sat Dec 16 12:41:11 2017 -0500

    dload: ensure callback is always initialized once

    Frontends rely on an initialization call for setup between
    downloads. Checking for initialization after checking for a
    completed download can skip initialization in cases where files are
    small enough to be downloaded all at once (FS#56408). Relying on
    previous download size can result in multiple initializations if
    there are multiple non-transfer events prior to the download
    starting (FS#56468).

    Introduce a new cb_initialized variable to the payload struct and
    use it to ensure that the callback is initialized exactly once
    prior to any actual events.

    Fixes FS#56408, FS#56468

    Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit d0981d4c5b59d724d9b7989b1083c2c0e9f839b2
Author: Andrew Gregory <andrew.gregory.8@gmail.com>
Date:   Sat Dec 16 12:41:10 2017 -0500

    avoid printing NULL string

    Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 3d4e95e5262a8886a5e775c999fa48ed6a78e179
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Tue Nov 21 23:34:47 2017 -0500

    libmakepkg/integrity: fix git signatures not seen with multiple files

    In eaa82b4d0775252856a4e54a6f2a9ea191cf0b8f source_has_signature()
    was modified to check if git repositories are marked as signed.
    However, due to a typo the unused variable $netfile was checked.
    This worked as long as the last source element was marked as
    signed, due to $netfile being mistakenly set as a global in
    check_vcs_software(), but usually failed with multiple sources.

    Break this more consistently by properly declaring $netfile as a
    local variable in check_vcs_software() which it should be
    regardless.

    Fix it again by completely moving over to $netfile in
    source_has_signature() as netfile is more descriptive of the
    current state.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 135f4397c2473844bc060e967dbe1b248b444301
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Tue Nov 21 23:34:46 2017 -0500

    libmakepkg/integrity: fix regression that broke invalid file sigs

    In 42e7020281d3ae260e1e9693495f527b7f476625 creating the gpg
    statusfile for a source file was split into a separate function,
    which used the return code to indicate unsigned files and
    proto-specific errors. However, the fallback return code was set by
    the final gpg invocation, which would be 1 if the signature was
    somehow broken (for example, the key was not available in the gpg
    keyring).

    As a result makepkg thought that file did not have a signature and
    skipped over it rather than erroring out.

    Fix this by explicitly setting the return code for all
    verify_*_signature() functions.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 8bec63bf92d8dd028aa88dbd5109c314cdb9ebea
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Mon Oct 30 14:35:23 2017 -0400

    makepkg: tell the compiler to record debugging info for debug packages

    In commit 8b0d59b83a60eb504567590346119fe4cd891cad support was
    added for storing the source files of binaries in debug packages.
    This made use of the debugedit program which is part of the RPM
    package manager, which is not very standalone. The same effect can
    be achieved using -fdebug-prefix-map, an option accepted by both
    the gcc and clang compilers which modifies how the compiler itself
    stores the references to the source files rather than requiring us
    to later edit the produced binaries. This also removes the
    dependency on external programs like debugedit.

    As a result of this change, source files will only be effectively
    added for programs which actually use the exported CFLAGS. This is
    a reasonable tradeoff as we expect our CFLAGS to be used rather
    than ignored. Upstream software which do not produce useful debug
    packages are expected to fix their build systems to respect the
    environment CFLAGS.

    As a result of this change, the routine for extracting source
    filenames from binaries had to be modified to derive the source
    file from the final debug location, rather than the other way
    around.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 259d521e37c4cbcdbdc074e6cf832d233f2a9528
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Mon Oct 30 14:35:22 2017 -0400

    makepkg: Add a config option to specify the location of debug sources

    In commit 8b0d59b83a60eb504567590346119fe4cd891cad support was
    added for storing the source files of binaries in debug packages.
    Allow the user to specify where those source files should be stored
    via makepkg.conf

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 1825bd6716c2a51c92642e8b96beac0101e83805
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Sun Aug 27 21:37:20 2017 -0400

    makepkg: refactor archive compression for reusability

    This allows for more easily extending the list of allowed
    compression methods, as it has to be modified in only one place.

    Also allow the user to specify their own preferred command +
    options for source packages in addition to compiled packages.
    Currently, makepkg.conf(5) erroneously claims this is already
    possible.

commit 2fb8081d059cae1f6d22a0b63c3714b51c1c1093
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Mon Oct 30 14:15:16 2017 -0400

    libmakepkg: fix .gitignore to simply ignore all generated .sh files

    Prior to commit aca153bfa6b1bcd828f0b35db453bb9fea6a08bf some .sh
    files were not generated and simply included directly, and it was
    necessary to explicitly iterate all ignored files to prevent git
    from ignoring the directly-included files. However, now all .sh
    files are in fact generated so it makes no sense to list each one
    separately in the .gitignore file.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit c50ce453dc4adc1339577e3f0f1010590be3724f
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Mon Oct 30 14:03:28 2017 -0400

    makepkg: reorganize the restoration of settings by precedence

    The extra variables on the commandline were inconsistently applied.
    They should override anything else, instead, most were overridden
    by environment variables with the exception of BUILDDIR (and this
    was not sanity-checked to see if it had write permissions).

    e.g. given the commandline:
    `PKGDEST="$(pwd)" BUILDDIR="$(pwd)" makepkg PKGDEST=/doesnt/exist BUILDDIR=/doesnt/exist`

    We would incorrectly use the current working directory for PKGDEST.
    Meanwhile, we checked the wrong directory for BUILDDIR, and later
    errored when we tried to create $srcdir inside the non-writable
    directory "/doesnt/exist".

    In order to fix this, use the preferred bash builtin for saving
    variable definitions, similar to how we restore traps etc. rather
    than tediously redefining each one by hand, and restore this
    immediately after makepkg.conf is sourced. Finally, the `make`-style
    commandline overrides are applied.

    Also canonicalize_path is applied only on the final paths we try to
    use. While it is unlikely the value in makepkg.conf will be a
    relative path, since we now properly respect commandline overrides,
    they should be canonicalized as well.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit ad0517d3711b6826cd7a95b99beb36ccd072c2e0
Author: Nils Freydank <holgersson@posteo.de>
Date:   Fri Oct 20 22:42:32 2017 +0200

    Fix CVE-2016-5434 (DoS/loop and out of boundary read)

    This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1]
    using functions instead of macros. (Thanks to Tobias for
    explanations of his patch.) A short question on Freenode IRC showed
    that macros are generally discouraged and functions should be used.

    The patch introduces a static size_t length_check() in
    libalpm/signing.c.

    [1] Original patch:
    https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html
    CVE request (and assignment):
    http://seclists.org/oss-sec/2016/q2/526

    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 44f3a157983e903f926b4f11ddb3f57d111e60f9
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Tue Sep 26 12:16:39 2017 -0400

    makepkg.conf: correct the documentation on the default options

    The documentation for OPTIONS and BUILDENV listed some incorrect
    defaults for undefined options. The defaults are
    implementation-defined in the source code for makepkg itself (e.g.
    it depends whether we use `check_option "opt" "y"` or
    `check_option "opt" "n"`) but were erroneously declared to be
    "whatever we *define* in the default makepkg.conf".

    Fixes FS#55754

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit ab2be5794de8a57426ec3fc0f631cc766a0b8227
Author: Ivy Foster <ivy.foster@gmail.com>
Date:   Fri Sep 22 13:01:09 2017 -0500

    makepkg: implement error codes

    For your convenience, makepkg now has 16 distinct ways to fail.

    Also closes FS#54204.

    Signed-off-by: Ivy Foster <iff@escondida.tk>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 67ce123457cf9c0ee9d4298776ae563202214c69
Author: Ivy Foster <ivy.foster@gmail.com>
Date:   Fri Sep 22 12:25:06 2017 -0500

    makepkg: clarify error when user passes -F

    Signed-off-by: Allan McRae <allan@archlinux.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/makepkg.8.txt                                  |  57 ++++++
 doc/makepkg.conf.5.txt                             |  10 +-
 doc/vercmp.8.txt                                   |  12 +-
 etc/makepkg.conf.in                                |   6 +-
 lib/libalpm/be_sync.c                              |   2 +-
 lib/libalpm/deps.c                                 |   6 +-
 lib/libalpm/dload.c                                |   9 +-
 lib/libalpm/dload.h                                |   1 +
 lib/libalpm/signing.c                              |  48 ++++-
 scripts/Makefile.am                                |   2 +
 scripts/libmakepkg/.gitignore                      |  18 +-
 .../libmakepkg/integrity/verify_signature.sh.in    |  10 +-
 scripts/libmakepkg/tidy/strip.sh.in                |   9 +-
 scripts/libmakepkg/util/compress.sh.in             |  47 +++++
 .../{lint_pkgbuild.sh.in => util/error.sh.in}      |  51 +++--
 scripts/makepkg.sh.in                              | 215 +++++++++------------
 src/util/vercmp.c                                  |   3 +-
 17 files changed, 299 insertions(+), 207 deletions(-)
 create mode 100644 scripts/libmakepkg/util/compress.sh.in
 copy scripts/libmakepkg/{lint_pkgbuild.sh.in => util/error.sh.in} (53%)

hooks/post-receive
--
The official pacman repository
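The failure mode described in commit 135f4397c2473844bc060e967dbe1b248b444301 above (a broken signature being read as "file has no signature" because the verifier's exit code became the function's return code), shown as an added example that is not makepkg's code. All function and file names are hypothetical, and a stub stands in for gpg so the script runs offline.

```bash
#!/bin/sh
# Added illustration, not makepkg code: all names below are hypothetical.

# Stand-in for the gpg call (constructed behaviour): prints a status keyword,
# exits 0 for a good signature and 1 for one that cannot be verified.
fake_gpg_status() {
	case "$1" in
		good.tar.gz) echo "GOODSIG"; return 0 ;;
		*)           echo "ERRSIG";  return 1 ;;
	esac
}

# Constructed rule for the demo: only unsigned.tar.gz has no signature.
has_signature() { [ "$1" != "unsigned.tar.gz" ]; }

# Contract for both variants: non-zero return means "nothing to verify".
# BEFORE: no explicit return, so the verifier's exit code leaks out and a
# broken signature (1) is indistinguishable from an unsigned file (1).
create_status_buggy() {
	has_signature "$1" || return 1
	sig_status=$(fake_gpg_status "$1")
}

# AFTER: explicit return code; the verdict travels only in sig_status.
create_status_fixed() {
	has_signature "$1" || return 1
	sig_status=$(fake_gpg_status "$1")
	return 0
}

# Caller: skips sources reported as unsigned and rejects every status other
# than GOODSIG. Prints the space-separated list of rejected files.
verify_sources() {
	create_status=$1; shift
	rejected=""
	for file in "$@"; do
		sig_status=""
		"$create_status" "$file" || continue
		case "$sig_status" in
			GOODSIG*) ;;
			*) rejected="${rejected:+$rejected }$file" ;;
		esac
	done
	echo "$rejected"
}

echo "buggy rejects: [$(verify_sources create_status_buggy good.tar.gz tampered.tar.gz unsigned.tar.gz)]"
echo "fixed rejects: [$(verify_sources create_status_fixed good.tar.gz tampered.tar.gz unsigned.tar.gz)]"
```

With the buggy variant the tampered source is silently skipped; a check that can only say "unsigned" or "verified" through one exit code fails open whenever the verifier itself fails.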