[arch-commits] Commit in pacman/repos (12 files)
Allan McRae
allan at archlinux.org
Wed Aug 12 07:11:00 UTC 2015
Date: Wednesday, August 12, 2015 @ 09:11:00
Author: allan
Revision: 243201
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
pacman/repos/testing-i686/
pacman/repos/testing-i686/PKGBUILD
(from rev 243200, pacman/trunk/PKGBUILD)
pacman/repos/testing-i686/ensure-matching-database-and-package-version.patch
(from rev 243200, pacman/trunk/ensure-matching-database-and-package-version.patch)
pacman/repos/testing-i686/makepkg.conf
(from rev 243200, pacman/trunk/makepkg.conf)
pacman/repos/testing-i686/pacman.conf.i686
(from rev 243200, pacman/trunk/pacman.conf.i686)
pacman/repos/testing-i686/pacman.conf.x86_64
(from rev 243200, pacman/trunk/pacman.conf.x86_64)
pacman/repos/testing-x86_64/
pacman/repos/testing-x86_64/PKGBUILD
(from rev 243200, pacman/trunk/PKGBUILD)
pacman/repos/testing-x86_64/ensure-matching-database-and-package-version.patch
(from rev 243200, pacman/trunk/ensure-matching-database-and-package-version.patch)
pacman/repos/testing-x86_64/makepkg.conf
(from rev 243200, pacman/trunk/makepkg.conf)
pacman/repos/testing-x86_64/pacman.conf.i686
(from rev 243200, pacman/trunk/pacman.conf.i686)
pacman/repos/testing-x86_64/pacman.conf.x86_64
(from rev 243200, pacman/trunk/pacman.conf.x86_64)
-------------------------------------------------------------------+
testing-i686/PKGBUILD | 98 ++++++
testing-i686/ensure-matching-database-and-package-version.patch | 60 ++++
testing-i686/makepkg.conf | 146 ++++++++++
testing-i686/pacman.conf.i686 | 90 ++++++
testing-i686/pacman.conf.x86_64 | 99 ++++++
testing-x86_64/PKGBUILD | 98 ++++++
testing-x86_64/ensure-matching-database-and-package-version.patch | 60 ++++
testing-x86_64/makepkg.conf | 146 ++++++++++
testing-x86_64/pacman.conf.i686 | 90 ++++++
testing-x86_64/pacman.conf.x86_64 | 99 ++++++
10 files changed, 986 insertions(+)
Copied: pacman/repos/testing-i686/PKGBUILD (from rev 243200, pacman/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,98 @@
+# vim: set ts=2 sw=2 et:
+# $Id$
+# Maintainer: Dan McGee <dan at archlinux.org>
+# Maintainer: Dave Reisner <dreisner at archlinux.org>
+
+pkgname=pacman
+pkgver=4.2.1
+pkgrel=3
+pkgdesc="A library-based package manager with dependency support"
+arch=('i686' 'x86_64')
+url="http://www.archlinux.org/pacman/"
+license=('GPL')
+groups=('base' 'base-devel')
+depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
+ 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
+makedepends=('asciidoc') # roundup patch alters docs
+checkdepends=('python2' 'fakechroot')
+provides=('pacman-contrib')
+conflicts=('pacman-contrib')
+replaces=('pacman-contrib')
+backup=(etc/pacman.conf etc/makepkg.conf)
+options=('strip' 'debug')
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+ ensure-matching-database-and-package-version.patch
+ pacman.conf.i686
+ pacman.conf.x86_64
+ makepkg.conf)
+md5sums=('2a596fc8f723e99660c0869a74afcf47'
+ 'SKIP'
+ 'e8f72afe6f417d11bd36ada042744fe4'
+ '2db6c94709bb30cc614a176ecf8badb1'
+ 'de74a13618347f08ae4a9637f74471c4'
+ '08beec98ce8c3eca6a980c4a21c0bef0')
+validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <allan at archlinux.org>
+
+
+prepare() {
+ cd "$pkgname-$pkgver"
+
+ patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+}
+
+build() {
+ cd "$pkgname-$pkgver"
+
+ ./configure --prefix=/usr --sysconfdir=/etc \
+ --localstatedir=/var --enable-doc \
+ --with-scriptlet-shell=/usr/bin/bash \
+ --with-ldconfig=/usr/bin/ldconfig
+ make
+ make -C contrib
+}
+
+check() {
+ make -C "$pkgname-$pkgver" check
+}
+
+package() {
+ cd "$pkgname-$pkgver"
+
+ make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -C contrib install
+
+ # install Arch specific stuff
+ install -dm755 "$pkgdir/etc"
+ install -m644 "$srcdir/pacman.conf.$CARCH" "$pkgdir/etc/pacman.conf"
+
+ case $CARCH in
+ i686)
+ mycarch="i686"
+ mychost="i686-pc-linux-gnu"
+ myflags="-march=i686"
+ ;;
+ x86_64)
+ mycarch="x86_64"
+ mychost="x86_64-unknown-linux-gnu"
+ myflags="-march=x86-64"
+ ;;
+ esac
+
+ # set things correctly in the default conf file
+ install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+ sed -i "$pkgdir/etc/makepkg.conf" \
+ -e "s|@CARCH[@]|$mycarch|g" \
+ -e "s|@CHOST[@]|$mychost|g" \
+ -e "s|@CARCHFLAGS[@]|$myflags|g"
+
+ # put bash_completion in the right location
+ install -dm755 "$pkgdir/usr/share/bash-completion/completions"
+ mv "$pkgdir/etc/bash_completion.d/pacman" "$pkgdir/usr/share/bash-completion/completions"
+ rmdir "$pkgdir/etc/bash_completion.d"
+
+ for f in makepkg pacman-key; do
+ ln -s pacman "$pkgdir/usr/share/bash-completion/completions/$f"
+ done
+
+ install -Dm644 contrib/PKGBUILD.vim "$pkgdir/usr/share/vim/vimfiles/syntax/PKGBUILD.vim"
+}
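Review bot: The `md5sums=(` array is the only integrity check on the four local sources, including the security patch applied in `prepare()`; only the upstream tarball is additionally covered by the `.sig` entry and `validpgpkeys`. MD5 is not collision resistant, so I would rename the array to `sha256sums=(` and regenerate its six entries, keeping `'SKIP'` for the signature file. Separately, `$srcdir` is unquoted in `prepare()`, which breaks when the build path contains whitespace; `patch -p1 -i "$srcdir/ensure-matching-database-and-package-version.patch"` matches the quoting already used in `package()`. The same lines appear in the testing-x86_64/PKGBUILD hunk.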
Copied: pacman/repos/testing-i686/ensure-matching-database-and-package-version.patch (from rev 243200, pacman/trunk/ensure-matching-database-and-package-version.patch)
===================================================================
--- testing-i686/ensure-matching-database-and-package-version.patch (rev 0)
+++ testing-i686/ensure-matching-database-and-package-version.patch 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx at archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
+Signed-off-by: Allan McRae <allan at archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++ error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
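Review bot: Both mismatch branches added to `load_packages` report through `_alpm_log(handle, ALPM_LOG_DEBUG, ...)`, so on a normal run the package simply fails to load and the user never learns that its embedded name or version disagreed with the sync database. That is the condition the commit message describes as a forced downgrade, so I would log these two cases at `ALPM_LOG_ERROR` to make the event visible without debug output. Also, when `pkgfile` loaded successfully but failed a comparison, no visible line releases it before the error path runs. The rest of that branch lies outside the hunk; unless it already frees the package, a `_alpm_pkg_free(pkgfile);` is needed there. The identical patch is added under testing-x86_64.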
Copied: pacman/repos/testing-i686/makepkg.conf (from rev 243200, pacman/trunk/makepkg.conf)
===================================================================
--- testing-i686/makepkg.conf (rev 0)
+++ testing-i686/makepkg.conf 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,146 @@
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+# Format: 'protocol::agent'
+DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+ 'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'rsync::/usr/bin/rsync --no-motd -z %u %o'
+ 'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+# Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+ 'git::git'
+ 'hg::mercurial'
+ 'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="@CARCH@"
+CHOST="@CHOST@"
+
+#-- Compiler and Linker Flags
+# -march (or -mcpu) builds exclusively for an architecture
+# -mtune optimizes for an architecture, but builds for whole processor family
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check"
+CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
+# A negated environment option will do the opposite of the comments below.
+#
+#-- distcc: Use the Distributed C/C++/ObjC compiler
+#-- color: Colorize output messages
+#-- ccache: Use ccache to cache compilation
+#-- check: Run the check() function if present in the PKGBUILD
+#-- sign: Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+# These are default values for the options=() settings
+#########################################################################
+#
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+# A negated option will do the opposite of the comments below.
+#
+#-- strip: Strip symbols from binaries/libraries
+#-- docs: Save doc directories specified by DOC_DIRS
+#-- libtool: Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs: Leave empty directories in packages
+#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge: Remove files specified by PURGE_TARGETS
+#-- upx: Compress binary executable files using UPX
+#-- debug: Add debugging flags as specified in DEBUG_* variables
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
+INTEGRITY_CHECK=(md5)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <john at doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+# WARNING: Do NOT modify these variables unless you know what you are
+# doing.
+#
+PKGEXT='.pkg.tar.xz'
+SRCEXT='.src.tar.gz'
+
+# vim: set ft=sh ts=2 sw=2 et:
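Review bot: `INTEGRITY_CHECK=(md5)` makes MD5 the digest makepkg uses when generating checksums under this default configuration. The `DLAGENTS` list still fetches over plain `ftp` and `http`, where the checksum is the only protection for sources that carry no PGP signature. The file's own comment lists `sha256` as a valid value, so I would ship `INTEGRITY_CHECK=(sha256)` instead. In the same spirit, `LDFLAGS` enables `-z,relro` but not `-z,now`, so binaries built with these defaults get only partial RELRO; that deserves a comment if it is deliberate. The testing-x86_64/makepkg.conf hunk is identical.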
Copied: pacman/repos/testing-i686/pacman.conf.i686 (from rev 243200, pacman/trunk/pacman.conf.i686)
===================================================================
--- testing-i686/pacman.conf.i686 (rev 0)
+++ testing-i686/pacman.conf.i686 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,90 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
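Review bot: The comment above `SigLevel` says pacman accepts unsigned packages, but the value that follows is `Required DatabaseOptional`, which requires package signatures and makes only sync database signatures optional. I would reword it along the lines of `# By default, pacman requires packages to be signed by a key its local keyring trusts; sync databases may be unsigned (DatabaseOptional).` so readers do not take the stale comment as the effective policy. It is also worth stating there that with `DatabaseOptional` an unsigned database is accepted, which is the database-tampering scenario the accompanying libalpm patch guards against. The same comment and setting are in the pacman.conf.x86_64 hunk and in the testing-x86_64 copies listed in the diffstat.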
Copied: pacman/repos/testing-i686/pacman.conf.x86_64 (from rev 243200, pacman/trunk/pacman.conf.x86_64)
===================================================================
--- testing-i686/pacman.conf.x86_64 (rev 0)
+++ testing-i686/pacman.conf.x86_64 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,99 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
Copied: pacman/repos/testing-x86_64/PKGBUILD (from rev 243200, pacman/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,98 @@
+# vim: set ts=2 sw=2 et:
+# $Id$
+# Maintainer: Dan McGee <dan at archlinux.org>
+# Maintainer: Dave Reisner <dreisner at archlinux.org>
+
+pkgname=pacman
+pkgver=4.2.1
+pkgrel=3
+pkgdesc="A library-based package manager with dependency support"
+arch=('i686' 'x86_64')
+url="http://www.archlinux.org/pacman/"
+license=('GPL')
+groups=('base' 'base-devel')
+depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
+ 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
+makedepends=('asciidoc') # roundup patch alters docs
+checkdepends=('python2' 'fakechroot')
+provides=('pacman-contrib')
+conflicts=('pacman-contrib')
+replaces=('pacman-contrib')
+backup=(etc/pacman.conf etc/makepkg.conf)
+options=('strip' 'debug')
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+ ensure-matching-database-and-package-version.patch
+ pacman.conf.i686
+ pacman.conf.x86_64
+ makepkg.conf)
+md5sums=('2a596fc8f723e99660c0869a74afcf47'
+ 'SKIP'
+ 'e8f72afe6f417d11bd36ada042744fe4'
+ '2db6c94709bb30cc614a176ecf8badb1'
+ 'de74a13618347f08ae4a9637f74471c4'
+ '08beec98ce8c3eca6a980c4a21c0bef0')
+validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <allan at archlinux.org>
+
+
+prepare() {
+ cd "$pkgname-$pkgver"
+
+ patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+}
+
+build() {
+ cd "$pkgname-$pkgver"
+
+ ./configure --prefix=/usr --sysconfdir=/etc \
+ --localstatedir=/var --enable-doc \
+ --with-scriptlet-shell=/usr/bin/bash \
+ --with-ldconfig=/usr/bin/ldconfig
+ make
+ make -C contrib
+}
+
+check() {
+ make -C "$pkgname-$pkgver" check
+}
+
+package() {
+ cd "$pkgname-$pkgver"
+
+ make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -C contrib install
+
+ # install Arch specific stuff
+ install -dm755 "$pkgdir/etc"
+ install -m644 "$srcdir/pacman.conf.$CARCH" "$pkgdir/etc/pacman.conf"
+
+ case $CARCH in
+ i686)
+ mycarch="i686"
+ mychost="i686-pc-linux-gnu"
+ myflags="-march=i686"
+ ;;
+ x86_64)
+ mycarch="x86_64"
+ mychost="x86_64-unknown-linux-gnu"
+ myflags="-march=x86-64"
+ ;;
+ esac
+
+ # set things correctly in the default conf file
+ install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+ sed -i "$pkgdir/etc/makepkg.conf" \
+ -e "s|@CARCH[@]|$mycarch|g" \
+ -e "s|@CHOST[@]|$mychost|g" \
+ -e "s|@CARCHFLAGS[@]|$myflags|g"
+
+ # put bash_completion in the right location
+ install -dm755 "$pkgdir/usr/share/bash-completion/completions"
+ mv "$pkgdir/etc/bash_completion.d/pacman" "$pkgdir/usr/share/bash-completion/completions"
+ rmdir "$pkgdir/etc/bash_completion.d"
+
+ for f in makepkg pacman-key; do
+ ln -s pacman "$pkgdir/usr/share/bash-completion/completions/$f"
+ done
+
+ install -Dm644 contrib/PKGBUILD.vim "$pkgdir/usr/share/vim/vimfiles/syntax/PKGBUILD.vim"
+}
Copied: pacman/repos/testing-x86_64/ensure-matching-database-and-package-version.patch (from rev 243200, pacman/trunk/ensure-matching-database-and-package-version.patch)
===================================================================
--- testing-x86_64/ensure-matching-database-and-package-version.patch (rev 0)
+++ testing-x86_64/ensure-matching-database-and-package-version.patch 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx at archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
+Signed-off-by: Allan McRae <allan at archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++ error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
Copied: pacman/repos/testing-x86_64/makepkg.conf (from rev 243200, pacman/trunk/makepkg.conf)
===================================================================
--- testing-x86_64/makepkg.conf (rev 0)
+++ testing-x86_64/makepkg.conf 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,146 @@
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+# Format: 'protocol::agent'
+DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+ 'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'rsync::/usr/bin/rsync --no-motd -z %u %o'
+ 'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+# Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+ 'git::git'
+ 'hg::mercurial'
+ 'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="@CARCH@"
+CHOST="@CHOST@"
+
+#-- Compiler and Linker Flags
+# -march (or -mcpu) builds exclusively for an architecture
+# -mtune optimizes for an architecture, but builds for whole processor family
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check"
+CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
+# A negated environment option will do the opposite of the comments below.
+#
+#-- distcc: Use the Distributed C/C++/ObjC compiler
+#-- color: Colorize output messages
+#-- ccache: Use ccache to cache compilation
+#-- check: Run the check() function if present in the PKGBUILD
+#-- sign: Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+# These are default values for the options=() settings
+#########################################################################
+#
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+# A negated option will do the opposite of the comments below.
+#
+#-- strip: Strip symbols from binaries/libraries
+#-- docs: Save doc directories specified by DOC_DIRS
+#-- libtool: Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs: Leave empty directories in packages
+#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge: Remove files specified by PURGE_TARGETS
+#-- upx: Compress binary executable files using UPX
+#-- debug: Add debugging flags as specified in DEBUG_* variables
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
+INTEGRITY_CHECK=(md5)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <john at doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+# WARNING: Do NOT modify these variables unless you know what you are
+# doing.
+#
+PKGEXT='.pkg.tar.xz'
+SRCEXT='.src.tar.gz'
+
+# vim: set ft=sh ts=2 sw=2 et:
Copied: pacman/repos/testing-x86_64/pacman.conf.i686 (from rev 243200, pacman/trunk/pacman.conf.i686)
===================================================================
--- testing-x86_64/pacman.conf.i686 (rev 0)
+++ testing-x86_64/pacman.conf.i686 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,90 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
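Review bot: The comment above `SigLevel` says pacman also accepts unsigned packages, but the value set right below it, `Required DatabaseOptional`, makes a signature mandatory for repository packages and optional only for sync databases. Unsigned files are accepted only for local installs, through `LocalFileSigLevel = Optional`. The same stale comment is in the testing-x86_64/pacman.conf.x86_64 hunk. I would reword it to `# Repository packages must be signed by a key the local keyring trusts (see pacman-key(8)); sync databases and local package files may be unsigned.` so that the shipped policy is not read as weaker than it is and the unauthenticated database case is stated explicitly.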
Copied: pacman/repos/testing-x86_64/pacman.conf.x86_64 (from rev 243200, pacman/trunk/pacman.conf.x86_64)
===================================================================
--- testing-x86_64/pacman.conf.x86_64 (rev 0)
+++ testing-x86_64/pacman.conf.x86_64 2015-08-12 07:11:00 UTC (rev 243201)
@@ -0,0 +1,99 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
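Review bot: The commented `[custom]` example at the end of the file carries `SigLevel = Optional TrustAll`, and nothing next to it says what that costs. Once uncommented, packages from that repository install without a signature, and a signature that is present is accepted from any keyring key regardless of its trust level. A one-line comment above it would do, for example `# Optional TrustAll skips mandatory signature checks for this repo only; drop the line to inherit the [options] SigLevel.` The same example closes the testing-x86_64/pacman.conf.i686 hunk.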