[pacman-dev] [GIT] The official pacman repository branch, master, updated. v5.1.1-207-g48752f1b
Allan McRae
allan at archlinux.org
Mon Oct 7 01:27:52 UTC 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".
The branch, master has been updated
via 48752f1b4b16cd1dad56649cd36b253494aa9ff1 (commit)
via 80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638 (commit)
via 0c4a8ae24b8395b0dd4f8046615336e394a8e3f8 (commit)
via 5dd2b3776dedd85c196be737ea9c177216448756 (commit)
via fd70c1c7bb0cb0681ab8a46d5f0494e0f9d992c6 (commit)
via 6f3810793f4b1fc82094ccb1847ed82b85a203e6 (commit)
via bcb44891ef8aa6feee3090cc0fd87b60e73aed5d (commit)
from 024fde9748692c71f0d9e6c667439c912a78b6df (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 48752f1b4b16cd1dad56649cd36b253494aa9ff1
Author: Jonas Witschel <diabonas at archlinux.org>
Date: Wed Oct 2 16:40:55 2019 +0200
signing: add ability to import keys using a WKD
Currently pacman relies on the SKS keyserver network to fetch unknown
PGP keys. These keyservers are vulnerable to signature spamming attacks,
potentially making it impossible to import the required keys. An
alternative to keyservers is a so-called Web Key Directory (WKD), a
well-known, trusted location on a server from where the keys can be
fetched.
This commit adds the ability to retrieve keys from a WKD. Due to the
mentioned vulnerabilities, the WKD is tried first, falling back to the
keyservers only if no appropriate key is found there.
In contrast to keyservers, keys in a WKD are not looked up using their
fingerprint, but by email address. Since the email address of the
signing key is usually not included in the signature, we will use the
packager email address to perform the lookup.
Also see FS#63171.
Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
Signed-off-by: Allan McRae <allan at archlinux.org>
commit 80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638
Author: Jonas Witschel <diabonas at archlinux.org>
Date: Wed Oct 2 16:40:54 2019 +0200
signing: move key import confirmation before key_search
Ask the user whether they want to import a missing key before even doing
a search on the keyserver. This will be useful for getting Web Key
Directory support in place: for a WKD, looking up and importing a key
are a single action, so the current key_search -> QUESTION -> key_import
workflow does not apply.
Since only the ID of the package signing key is available before
key_search, we display the packager variable in addition to the key ID
for user convenience.
Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
Signed-off-by: Allan McRae <allan at archlinux.org>
commit 0c4a8ae24b8395b0dd4f8046615336e394a8e3f8
Author: Dave Reisner <dreisner at archlinux.org>
Date: Sun Oct 6 20:06:43 2019 -0400
dload: never return NULL from get_filename
Downloads with a Content-Disposition header will typically not include
slashes. When they do, we should most certainly only take the basename,
but when they don't, we should treat the header value as the filename.
Crash introduced in d197d8ab82cf when we started using get_filename
in order to rightfully avoid an arbitrary file overwrite vulnerability.
Signed-off-by: Allan McRae <allan at archlinux.org>
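The behaviour the commit above describes (treat the Content-Disposition value as the filename, keep only its last path component when it contains slashes, and never hand back an empty result), as an added illustration in Python rather than pacman's C code; the header values and URL below are constructed samples:

```python
import posixpath
import re
from typing import Optional

# Our own regex for the plain filename parameter of a Content-Disposition
# header (RFC 5987 "filename*=" extended values are not handled here).
FILENAME_RE = re.compile(r'filename="?([^";]+)"?', re.IGNORECASE)


def filename_from_disposition(header: str) -> Optional[str]:
    """Return the basename named by a Content-Disposition header.

    None means the header carries no usable filename. A value that contains
    slashes is reduced to its last component, so a server cannot steer the
    download outside the cache directory; a value without slashes is used
    as-is, which is the case the original crash was in.
    """
    m = FILENAME_RE.search(header or "")
    if not m:
        return None
    name = posixpath.basename(m.group(1).strip())
    return name or None  # "dir/" -> "" -> None, never an empty filename


def choose_filename(url: str, disposition: Optional[str]) -> str:
    """Prefer the header's name, otherwise fall back to the URL's last segment."""
    name = filename_from_disposition(disposition) if disposition else None
    if name is None:
        name = posixpath.basename(url.split("?", 1)[0])
    return name


if __name__ == "__main__":
    # Constructed inputs: a normal package name, a traversal attempt, no header.
    print(choose_filename("https://mirror.invalid/x.pkg.tar.xz",
                          'attachment; filename="pkg-1.0-1-x86_64.pkg.tar.xz"'))
    print(choose_filename("https://mirror.invalid/x.pkg.tar.xz",
                          'attachment; filename="../../../etc/passwd"'))
    print(choose_filename("https://mirror.invalid/x.pkg.tar.xz", None))
```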
commit 5dd2b3776dedd85c196be737ea9c177216448756
Author: Allan McRae <allan at archlinux.org>
Date: Fri Oct 4 11:53:04 2019 +1000
makepkg.conf.5: Document PACKAGER format requirements
Signed-off-by: Allan McRae <allan at archlinux.org>
commit fd70c1c7bb0cb0681ab8a46d5f0494e0f9d992c6
Author: Jonas Witschel <diabonas at archlinux.org>
Date: Wed Oct 2 16:40:56 2019 +0200
libmakepkg: check if PACKAGER has the expected format for WKD lookup
pacman should be able to extract an email address from PACKAGER for WKD
lookup, so issue a warning if it is not of the form
"Example Name <email at address.invalid>". Neither the name nor the email
address must contain additional angle brackets.
Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
Signed-off-by: Allan McRae <allan at archlinux.org>
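An added Python illustration (not pacman's or libmakepkg's own code) tying together the two commits above: the PACKAGER format lint, email extraction, and how a Web Key Directory derives its lookup URLs from that address, with keyservers left as the fallback when PACKAGER cannot be parsed. The regex is ours; the list archive renders `@` as ` at `, the code uses the real `@`. The URL scheme and the z-base-32 hashing of the lowercased local part follow the WKD specification; sample packagers are constructed.

```python
import hashlib
import re
from typing import Optional, Tuple
from urllib.parse import quote

# Required shape: "Example Name <local@domain>", no further angle brackets in
# either the name or the address (our regex, not libmakepkg's lint rule).
PACKAGER_RE = re.compile(r"^[^<>]+ <([^<>@\s]+)@([^<>@\s]+)>$")

# z-base-32 alphabet used by the WKD specification for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def packager_email(packager: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) when PACKAGER has the expected form, else None."""
    m = PACKAGER_RE.match(packager)
    return (m.group(1), m.group(2)) if m else None


def zbase32(data: bytes) -> str:
    """z-base-32 encode, most significant bits first, no padding (20 bytes -> 32 chars)."""
    nchars = (len(data) * 8 + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32_ALPHABET[(value >> (5 * (nchars - i - 1))) & 31]
                   for i in range(nchars))


def wkd_urls(local: str, domain: str) -> Tuple[str, str]:
    """Advanced and direct WKD URLs: SHA-1 of the lowercased local part, z-base-32
    encoded, under /.well-known/openpgpkey; the domain is case-insensitive."""
    hu = zbase32(hashlib.sha1(local.lower().encode()).digest())
    dom = domain.lower()
    advanced = f"https://openpgpkey.{dom}/.well-known/openpgpkey/{dom}/hu/{hu}?l={quote(local)}"
    direct = f"https://{dom}/.well-known/openpgpkey/hu/{hu}?l={quote(local)}"
    return advanced, direct


def lookup_plan(packager: str) -> Optional[Tuple[str, str]]:
    """WKD URLs to try first for this PACKAGER; None means fall back to keyservers."""
    parsed = packager_email(packager)
    return wkd_urls(*parsed) if parsed else None


if __name__ == "__main__":
    # Constructed PACKAGER values: one valid, two that the lint would warn about.
    for p in ("Jane Doe <jane@example.org>",
              "Jane <Doe> <jane@example.org>",
              "jane@example.org"):
        print(repr(p), "->", lookup_plan(p))
```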
commit 6f3810793f4b1fc82094ccb1847ed82b85a203e6
Author: morganamilo <morganamilo at gmail.com>
Date: Mon Sep 9 19:39:09 2019 +0100
libmakepkg: fix typo
Signed-off-by: Allan McRae <allan at archlinux.org>
commit bcb44891ef8aa6feee3090cc0fd87b60e73aed5d
Author: Eli Schwartz <eschwartz at archlinux.org>
Date: Thu Aug 15 19:55:45 2019 -0400
autotools: distribute meson files
If we use make dist to create the official, signed release tarballs,
those will not have meson build files by default since autotools doesn't
know what they are.
Also distribute all src/common/ files. We never strictly needed any of
them to be distributed with autotools, because the dist tarball
dereferences the symlinks (???), but only some of them were being
distributed, and meson needs them to be in the right location as we only
build libcommon from the primary files.
Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
Signed-off-by: Allan McRae <allan at archlinux.org>
-----------------------------------------------------------------------
Summary of changes:
Makefile.am | 9 +-
doc/Makefile.am | 1 +
doc/makepkg.conf.5.asciidoc | 1 +
lib/libalpm/Makefile.am | 2 +
lib/libalpm/be_package.c | 12 ++-
lib/libalpm/dload.c | 6 +-
lib/libalpm/signing.c | 121 +++++++++++++++++++++-----
lib/libalpm/signing.h | 2 +-
lib/libalpm/sync.c | 22 ++++-
scripts/Makefile.am | 2 +
scripts/libmakepkg/buildenv.sh.in | 2 +-
scripts/libmakepkg/lint_config/variable.sh.in | 6 ++
src/common/Makefile.am | 3 +-
src/pacman/Makefile.am | 2 +
src/pacman/callback.c | 13 +--
src/util/Makefile.am | 2 +
test/pacman/Makefile.am | 1 +
test/scripts/Makefile.am | 1 +
test/util/Makefile.am | 1 +
19 files changed, 165 insertions(+), 44 deletions(-)
hooks/post-receive
--
The official pacman repository