[arch-commits] Commit in pacman/repos (12 files)

Allan McRae allan at archlinux.org
Fri Jul 24 01:56:49 UTC 2015


    Date: Friday, July 24, 2015 @ 03:56:49
  Author: allan
Revision: 242469

archrelease: copy trunk to testing-i686, testing-x86_64

Added:
  pacman/repos/testing-i686/
  pacman/repos/testing-i686/PKGBUILD
    (from rev 242468, pacman/trunk/PKGBUILD)
  pacman/repos/testing-i686/ensure-matching-database-and-package-version.patch
    (from rev 242468, pacman/trunk/ensure-matching-database-and-package-version.patch)
  pacman/repos/testing-i686/makepkg.conf
    (from rev 242468, pacman/trunk/makepkg.conf)
  pacman/repos/testing-i686/pacman.conf.i686
    (from rev 242468, pacman/trunk/pacman.conf.i686)
  pacman/repos/testing-i686/pacman.conf.x86_64
    (from rev 242468, pacman/trunk/pacman.conf.x86_64)
  pacman/repos/testing-x86_64/
  pacman/repos/testing-x86_64/PKGBUILD
    (from rev 242468, pacman/trunk/PKGBUILD)
  pacman/repos/testing-x86_64/ensure-matching-database-and-package-version.patch
    (from rev 242468, pacman/trunk/ensure-matching-database-and-package-version.patch)
  pacman/repos/testing-x86_64/makepkg.conf
    (from rev 242468, pacman/trunk/makepkg.conf)
  pacman/repos/testing-x86_64/pacman.conf.i686
    (from rev 242468, pacman/trunk/pacman.conf.i686)
  pacman/repos/testing-x86_64/pacman.conf.x86_64
    (from rev 242468, pacman/trunk/pacman.conf.x86_64)

-------------------------------------------------------------------+
 testing-i686/PKGBUILD                                             |   98 ++++++
 testing-i686/ensure-matching-database-and-package-version.patch   |   60 ++++
 testing-i686/makepkg.conf                                         |  146 ++++++++++
 testing-i686/pacman.conf.i686                                     |   90 ++++++
 testing-i686/pacman.conf.x86_64                                   |   99 ++++++
 testing-x86_64/PKGBUILD                                           |   98 ++++++
 testing-x86_64/ensure-matching-database-and-package-version.patch |   60 ++++
 testing-x86_64/makepkg.conf                                       |  146 ++++++++++
 testing-x86_64/pacman.conf.i686                                   |   90 ++++++
 testing-x86_64/pacman.conf.x86_64                                 |   99 ++++++
 10 files changed, 986 insertions(+)

Copied: pacman/repos/testing-i686/PKGBUILD (from rev 242468, pacman/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD	                        (rev 0)
+++ testing-i686/PKGBUILD	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,98 @@
+# vim: set ts=2 sw=2 et:
+# $Id$
+# Maintainer: Dan McGee <dan at archlinux.org>
+# Maintainer: Dave Reisner <dreisner at archlinux.org>
+
+pkgname=pacman
+pkgver=4.2.1
+pkgrel=2
+pkgdesc="A library-based package manager with dependency support"
+arch=('i686' 'x86_64')
+url="http://www.archlinux.org/pacman/"
+license=('GPL')
+groups=('base' 'base-devel')
+depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
+         'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
+makedepends=('asciidoc')   # roundup patch alters docs
+checkdepends=('python2' 'fakechroot')
+provides=('pacman-contrib')
+conflicts=('pacman-contrib')
+replaces=('pacman-contrib')
+backup=(etc/pacman.conf etc/makepkg.conf)
+options=('strip' 'debug')
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+	ensure-matching-database-and-package-version.patch
+        pacman.conf.i686
+        pacman.conf.x86_64
+        makepkg.conf)
+md5sums=('2a596fc8f723e99660c0869a74afcf47'
+         'SKIP'
+         'e8f72afe6f417d11bd36ada042744fe4'
+         '2db6c94709bb30cc614a176ecf8badb1'
+         'de74a13618347f08ae4a9637f74471c4'
+         '03d578816b56852d803cbafac85b9f09')
+validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD')  # Allan McRae <allan at archlinux.org>
+
+
+prepare() {
+  cd "$pkgname-$pkgver"
+
+  patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+}
+
+build() {
+  cd "$pkgname-$pkgver"
+
+  ./configure --prefix=/usr --sysconfdir=/etc \
+    --localstatedir=/var --enable-doc \
+    --with-scriptlet-shell=/usr/bin/bash \
+    --with-ldconfig=/usr/bin/ldconfig
+  make
+  make -C contrib
+}
+
+check() {
+  make -C "$pkgname-$pkgver" check
+}
+
+package() {
+  cd "$pkgname-$pkgver"
+
+  make DESTDIR="$pkgdir" install
+  make DESTDIR="$pkgdir" -C contrib install
+
+  # install Arch specific stuff
+  install -dm755 "$pkgdir/etc"
+  install -m644 "$srcdir/pacman.conf.$CARCH" "$pkgdir/etc/pacman.conf"
+
+  case $CARCH in
+    i686)
+      mycarch="i686"
+      mychost="i686-pc-linux-gnu"
+      myflags="-march=i686"
+      ;;
+    x86_64)
+      mycarch="x86_64"
+      mychost="x86_64-unknown-linux-gnu"
+      myflags="-march=x86-64"
+      ;;
+  esac
+
+  # set things correctly in the default conf file
+  install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+  sed -i "$pkgdir/etc/makepkg.conf" \
+    -e "s|@CARCH[@]|$mycarch|g" \
+    -e "s|@CHOST[@]|$mychost|g" \
+    -e "s|@CARCHFLAGS[@]|$myflags|g"
+
+  # put bash_completion in the right location
+  install -dm755 "$pkgdir/usr/share/bash-completion/completions"
+  mv "$pkgdir/etc/bash_completion.d/pacman" "$pkgdir/usr/share/bash-completion/completions"
+  rmdir "$pkgdir/etc/bash_completion.d"
+
+  for f in makepkg pacman-key; do
+    ln -s pacman "$pkgdir/usr/share/bash-completion/completions/$f"
+  done
+
+  install -Dm644 contrib/PKGBUILD.vim "$pkgdir/usr/share/vim/vimfiles/syntax/PKGBUILD.vim"
+}
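Review bot: The `md5sums` array is the only integrity check on the four local sources, including the patch that carries the security fix; only the tarball is additionally covered by the `.sig` entry and `validpgpkeys`. MD5 is not collision-resistant, so I would switch the array to `sha256sums=(...)`, keep `'SKIP'` for the signature entry, and regenerate the values with `makepkg -g` rather than editing them by hand. Separately, `prepare()` holds the one unquoted path expansion in the file; `patch -p1 -i "$srcdir/ensure-matching-database-and-package-version.patch"` would match the quoting already used in `package()`. Both points apply to the identical testing-x86_64/PKGBUILD section as well.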

Copied: pacman/repos/testing-i686/ensure-matching-database-and-package-version.patch (from rev 242468, pacman/trunk/ensure-matching-database-and-package-version.patch)
===================================================================
--- testing-i686/ensure-matching-database-and-package-version.patch	                        (rev 0)
+++ testing-i686/ensure-matching-database-and-package-version.patch	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx at archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be  exploited by a
+man-in-the-middle attack through specially crafted  database tarball
+containing a higher version, yet actually delivering an  older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
+Signed-off-by: Allan McRae <allan at archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 	EVENT(handle, &event);
+ 
+ 	for(i = handle->trans->add; i; i = i->next, current++) {
++		int error = 0;
+ 		alpm_pkg_t *spkg = i->data;
+ 		char *filepath;
+ 		int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 				spkg->name);
+ 		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ 		if(!pkgfile) {
++			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++			error = 1;
++		} else {
++			if(strcmp(spkg->name, pkgfile->name) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package name mismatch, expected: '%s', actual: '%s'\n",
++						spkg->name, pkgfile->name);
++				error = 1;
++			}
++			if(strcmp(spkg->version, pkgfile->version) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package version mismatch, expected: '%s', actual: '%s'\n",
++						spkg->version, pkgfile->version);
++				error = 1;
++			}
++		}
++		if(error != 0) {
+ 			errors++;
+ 			*data = alpm_list_add(*data, strdup(spkg->filename));
+ 			free(filepath);
+-- 
+2.4.6
+
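Review bot: Both mismatch branches added to `load_packages` log at `ALPM_LOG_DEBUG`, so a user whose downloaded package disagrees with the sync database on name or version sees only a generic load failure unless debug output is enabled. The patch description treats that mismatch as the sign of a crafted database delivering an older package, so I would raise the two messages to `ALPM_LOG_ERROR` to get them into the default log. In the lines visible here `pkgfile` is also non-NULL on the mismatch path and nothing releases it before `free(filepath)`. The rest of the error path lies outside the hunk, so confirm the package is freed there or add `_alpm_pkg_free(pkgfile);`. The same patch file is copied unchanged into testing-x86_64.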

Copied: pacman/repos/testing-i686/makepkg.conf (from rev 242468, pacman/trunk/makepkg.conf)
===================================================================
--- testing-i686/makepkg.conf	                        (rev 0)
+++ testing-i686/makepkg.conf	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,146 @@
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+#  Format: 'protocol::agent'
+DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+          'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'rsync::/usr/bin/rsync --no-motd -z %u %o'
+          'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="@CARCH@"
+CHOST="@CHOST@"
+
+#-- Compiler and Linker Flags
+# -march (or -mcpu) builds exclusively for an architecture
+# -mtune optimizes for an architecture, but builds for whole processor family
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
+#  A negated environment option will do the opposite of the comments below.
+#
+#-- distcc:   Use the Distributed C/C++/ObjC compiler
+#-- color:    Colorize output messages
+#-- ccache:   Use ccache to cache compilation
+#-- check:    Run the check() function if present in the PKGBUILD
+#-- sign:     Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+#   These are default values for the options=() settings
+#########################################################################
+#
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+#  A negated option will do the opposite of the comments below.
+#
+#-- strip:      Strip symbols from binaries/libraries
+#-- docs:       Save doc directories specified by DOC_DIRS
+#-- libtool:    Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs:  Leave empty directories in packages
+#-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge:      Remove files specified by PURGE_TARGETS
+#-- upx:        Compress binary executable files using UPX
+#-- debug:      Add debugging flags as specified in DEBUG_* variables
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
+INTEGRITY_CHECK=(md5)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <john at doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+# WARNING: Do NOT modify these variables unless you know what you are
+#          doing.
+#
+PKGEXT='.pkg.tar.xz'
+SRCEXT='.src.tar.gz'
+
+# vim: set ft=sh ts=2 sw=2 et:
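Review bot: `INTEGRITY_CHECK=(md5)` makes MD5 the default checksum type for packagers using this file, even though the comment directly above lists sha256, sha384 and sha512 as valid. I would ship `INTEGRITY_CHECK=(sha256)` so newly generated checksum arrays stop depending on a hash without collision resistance. In the same file `LDFLAGS` passes `-z,relro` without `-z,now`, which yields only partial RELRO. Appending `,-z,now` would make the GOT read-only after startup, at some start-up cost for large binaries. Both points apply equally to the testing-x86_64/makepkg.conf copy.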

Copied: pacman/repos/testing-i686/pacman.conf.i686 (from rev 242468, pacman/trunk/pacman.conf.i686)
===================================================================
--- testing-i686/pacman.conf.i686	                        (rev 0)
+++ testing-i686/pacman.conf.i686	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,90 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta    = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
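Review bot: The comment above `SigLevel` says pacman accepts unsigned packages, but the value set is `Required DatabaseOptional`, which requires package signatures and leaves only database signatures optional. I would reword it to `# By default, pacman requires packages to be signed by a key its local keyring trusts; database signatures are verified only when present.` so the default is not read as weaker than it is. That wording also makes the remaining gap visible: unsigned sync databases are still accepted, which is the input the libalpm patch bundled in this commit has to defend against. The same comment appears in pacman.conf.x86_64 and in both testing-x86_64 copies.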

Copied: pacman/repos/testing-i686/pacman.conf.x86_64 (from rev 242468, pacman/trunk/pacman.conf.x86_64)
===================================================================
--- testing-i686/pacman.conf.x86_64	                        (rev 0)
+++ testing-i686/pacman.conf.x86_64	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,99 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta    = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs

Copied: pacman/repos/testing-x86_64/PKGBUILD (from rev 242468, pacman/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,98 @@
+# vim: set ts=2 sw=2 et:
+# $Id$
+# Maintainer: Dan McGee <dan at archlinux.org>
+# Maintainer: Dave Reisner <dreisner at archlinux.org>
+
+pkgname=pacman
+pkgver=4.2.1
+pkgrel=2
+pkgdesc="A library-based package manager with dependency support"
+arch=('i686' 'x86_64')
+url="http://www.archlinux.org/pacman/"
+license=('GPL')
+groups=('base' 'base-devel')
+depends=('bash' 'glibc' 'libarchive>=3.1.2' 'curl>=7.39.0'
+         'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
+makedepends=('asciidoc')   # roundup patch alters docs
+checkdepends=('python2' 'fakechroot')
+provides=('pacman-contrib')
+conflicts=('pacman-contrib')
+replaces=('pacman-contrib')
+backup=(etc/pacman.conf etc/makepkg.conf)
+options=('strip' 'debug')
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+	ensure-matching-database-and-package-version.patch
+        pacman.conf.i686
+        pacman.conf.x86_64
+        makepkg.conf)
+md5sums=('2a596fc8f723e99660c0869a74afcf47'
+         'SKIP'
+         'e8f72afe6f417d11bd36ada042744fe4'
+         '2db6c94709bb30cc614a176ecf8badb1'
+         'de74a13618347f08ae4a9637f74471c4'
+         '03d578816b56852d803cbafac85b9f09')
+validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD')  # Allan McRae <allan at archlinux.org>
+
+
+prepare() {
+  cd "$pkgname-$pkgver"
+
+  patch -p1 -i $srcdir/ensure-matching-database-and-package-version.patch
+}
+
+build() {
+  cd "$pkgname-$pkgver"
+
+  ./configure --prefix=/usr --sysconfdir=/etc \
+    --localstatedir=/var --enable-doc \
+    --with-scriptlet-shell=/usr/bin/bash \
+    --with-ldconfig=/usr/bin/ldconfig
+  make
+  make -C contrib
+}
+
+check() {
+  make -C "$pkgname-$pkgver" check
+}
+
+package() {
+  cd "$pkgname-$pkgver"
+
+  make DESTDIR="$pkgdir" install
+  make DESTDIR="$pkgdir" -C contrib install
+
+  # install Arch specific stuff
+  install -dm755 "$pkgdir/etc"
+  install -m644 "$srcdir/pacman.conf.$CARCH" "$pkgdir/etc/pacman.conf"
+
+  case $CARCH in
+    i686)
+      mycarch="i686"
+      mychost="i686-pc-linux-gnu"
+      myflags="-march=i686"
+      ;;
+    x86_64)
+      mycarch="x86_64"
+      mychost="x86_64-unknown-linux-gnu"
+      myflags="-march=x86-64"
+      ;;
+  esac
+
+  # set things correctly in the default conf file
+  install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+  sed -i "$pkgdir/etc/makepkg.conf" \
+    -e "s|@CARCH[@]|$mycarch|g" \
+    -e "s|@CHOST[@]|$mychost|g" \
+    -e "s|@CARCHFLAGS[@]|$myflags|g"
+
+  # put bash_completion in the right location
+  install -dm755 "$pkgdir/usr/share/bash-completion/completions"
+  mv "$pkgdir/etc/bash_completion.d/pacman" "$pkgdir/usr/share/bash-completion/completions"
+  rmdir "$pkgdir/etc/bash_completion.d"
+
+  for f in makepkg pacman-key; do
+    ln -s pacman "$pkgdir/usr/share/bash-completion/completions/$f"
+  done
+
+  install -Dm644 contrib/PKGBUILD.vim "$pkgdir/usr/share/vim/vimfiles/syntax/PKGBUILD.vim"
+}

Copied: pacman/repos/testing-x86_64/ensure-matching-database-and-package-version.patch (from rev 242468, pacman/trunk/ensure-matching-database-and-package-version.patch)
===================================================================
--- testing-x86_64/ensure-matching-database-and-package-version.patch	                        (rev 0)
+++ testing-x86_64/ensure-matching-database-and-package-version.patch	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthraxx at archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be  exploited by a
+man-in-the-middle attack through specially crafted  database tarball
+containing a higher version, yet actually delivering an  older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthraxx at archlinux.org>
+Signed-off-by: Remi Gacogne <rgacogne at archlinux.org>
+Signed-off-by: Allan McRae <allan at archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 	EVENT(handle, &event);
+ 
+ 	for(i = handle->trans->add; i; i = i->next, current++) {
++		int error = 0;
+ 		alpm_pkg_t *spkg = i->data;
+ 		char *filepath;
+ 		int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ 				spkg->name);
+ 		alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ 		if(!pkgfile) {
++			_alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++			error = 1;
++		} else {
++			if(strcmp(spkg->name, pkgfile->name) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package name mismatch, expected: '%s', actual: '%s'\n",
++						spkg->name, pkgfile->name);
++				error = 1;
++			}
++			if(strcmp(spkg->version, pkgfile->version) != 0) {
++				_alpm_log(handle, ALPM_LOG_DEBUG,
++						"internal package version mismatch, expected: '%s', actual: '%s'\n",
++						spkg->version, pkgfile->version);
++				error = 1;
++			}
++		}
++		if(error != 0) {
+ 			errors++;
+ 			*data = alpm_list_add(*data, strdup(spkg->filename));
+ 			free(filepath);
+-- 
+2.4.6
+

Copied: pacman/repos/testing-x86_64/makepkg.conf (from rev 242468, pacman/trunk/makepkg.conf)
===================================================================
--- testing-x86_64/makepkg.conf	                        (rev 0)
+++ testing-x86_64/makepkg.conf	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,146 @@
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+#  Format: 'protocol::agent'
+DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+          'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'rsync::/usr/bin/rsync --no-motd -z %u %o'
+          'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="@CARCH@"
+CHOST="@CHOST@"
+
+#-- Compiler and Linker Flags
+# -march (or -mcpu) builds exclusively for an architecture
+# -mtune optimizes for an architecture, but builds for whole processor family
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
+#  A negated environment option will do the opposite of the comments below.
+#
+#-- distcc:   Use the Distributed C/C++/ObjC compiler
+#-- color:    Colorize output messages
+#-- ccache:   Use ccache to cache compilation
+#-- check:    Run the check() function if present in the PKGBUILD
+#-- sign:     Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+#   These are default values for the options=() settings
+#########################################################################
+#
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+#  A negated option will do the opposite of the comments below.
+#
+#-- strip:      Strip symbols from binaries/libraries
+#-- docs:       Save doc directories specified by DOC_DIRS
+#-- libtool:    Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs:  Leave empty directories in packages
+#-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge:      Remove files specified by PURGE_TARGETS
+#-- upx:        Compress binary executable files using UPX
+#-- debug:      Add debugging flags as specified in DEBUG_* variables
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
+INTEGRITY_CHECK=(md5)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <john at doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+# WARNING: Do NOT modify these variables unless you know what you are
+#          doing.
+#
+PKGEXT='.pkg.tar.xz'
+SRCEXT='.src.tar.gz'
+
+# vim: set ft=sh ts=2 sw=2 et:

Copied: pacman/repos/testing-x86_64/pacman.conf.i686 (from rev 242468, pacman/trunk/pacman.conf.i686)
===================================================================
--- testing-x86_64/pacman.conf.i686	                        (rev 0)
+++ testing-x86_64/pacman.conf.i686	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,90 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta    = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
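Review bot: The comment above `SigLevel` in `[options]` says pacman accepts unsigned packages, but the line it introduces, `SigLevel = Required DatabaseOptional`, makes package signatures mandatory and leaves only database signatures optional. A reader auditing the file gets the wrong picture of what is enforced. I would reword it to `# Packages must carry a valid signature from a key in the local keyring;` / `# database signatures are verified only when present (DatabaseOptional).` The commented `[custom]` example at the end uses `SigLevel = Optional TrustAll`, which, once uncommented, accepts unsigned packages from that repo. It deserves a one-line caveat such as `# Optional TrustAll turns off signature enforcement for this repo; use it only for packages you built yourself.` The same two spots appear in the pacman.conf.x86_64 hunk that follows.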

Copied: pacman/repos/testing-x86_64/pacman.conf.x86_64 (from rev 242468, pacman/trunk/pacman.conf.x86_64)
===================================================================
--- testing-x86_64/pacman.conf.x86_64	                        (rev 0)
+++ testing-x86_64/pacman.conf.x86_64	2015-07-24 01:56:49 UTC (rev 242469)
@@ -0,0 +1,99 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta    = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs


