[pacman-dev] [GIT] The official pacman repository branch, master, updated. v5.1.1-207-g48752f1b

Allan McRae allan at archlinux.org
Mon Oct 7 01:27:52 UTC 2019

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".

The branch, master has been updated
       via  48752f1b4b16cd1dad56649cd36b253494aa9ff1 (commit)
       via  80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638 (commit)
       via  0c4a8ae24b8395b0dd4f8046615336e394a8e3f8 (commit)
       via  5dd2b3776dedd85c196be737ea9c177216448756 (commit)
       via  fd70c1c7bb0cb0681ab8a46d5f0494e0f9d992c6 (commit)
       via  6f3810793f4b1fc82094ccb1847ed82b85a203e6 (commit)
       via  bcb44891ef8aa6feee3090cc0fd87b60e73aed5d (commit)
      from  024fde9748692c71f0d9e6c667439c912a78b6df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 48752f1b4b16cd1dad56649cd36b253494aa9ff1
Author: Jonas Witschel <diabonas at archlinux.org>
Date:   Wed Oct 2 16:40:55 2019 +0200

    signing: add ability to import keys using a WKD
    Currently pacman relies on the SKS keyserver network to fetch unknown
    PGP keys. These keyservers are vulnerable to signature spamming attacks,
    potentionally making it impossible to import the required keys. An
    alternative to keyservers is a so-called Web Key Directory (WKD), a
    well-known, trusted location on a server from where the keys can be
    This commit adds the ability to retrieve keys from a WKD. Due to the
    mentioned vulnerabilities, the WKD is tried first, falling back to the
    keyservers only if no appropriate key is found there.
    In contrast to keyservers, keys in a WKD are not looked up using their
    fingerprint, but by email address. Since the email address of the
    signing key is usually not included in the signature, we will use the
    packager email address to perform the lookup.
    Also see FS#63171.
    Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit 80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638
Author: Jonas Witschel <diabonas at archlinux.org>
Date:   Wed Oct 2 16:40:54 2019 +0200

    signing: move key import confirmation before key_search
    Ask the user whether they want to import a missing key before even doing
    a search on the keyserver. This will be useful for getting Web Key
    Directory support in place: for a WKD, looking up and importing a key
    are a single action, so the current key_search -> QUESTION -> key_import
    workflow does not apply.
    Since only the ID of the package signing key is available before
    key_search, we display the packager variable in addition to the key ID
    for user convenience.
    Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit 0c4a8ae24b8395b0dd4f8046615336e394a8e3f8
Author: Dave Reisner <dreisner at archlinux.org>
Date:   Sun Oct 6 20:06:43 2019 -0400

    dload: never return NULL from get_filename
    Downloads with a Content-Disposition header will typically not include
    slashes. When they do, we should most certainly only take the basename,
    but when they don't, we should treat the header value as the filename.
    Crash introduced in d197d8ab82cf when we started using get_filename
    in order to rightfully avoid an arbitrary file overwrite vulnerability.
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit 5dd2b3776dedd85c196be737ea9c177216448756
Author: Allan McRae <allan at archlinux.org>
Date:   Fri Oct 4 11:53:04 2019 +1000

    makepkg.conf.5: Document PACKAGER format requirements
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit fd70c1c7bb0cb0681ab8a46d5f0494e0f9d992c6
Author: Jonas Witschel <diabonas at archlinux.org>
Date:   Wed Oct 2 16:40:56 2019 +0200

    libmakepkg: check if PACKAGER has the expected format for WKD lookup
    pacman should be able to extract an email address from PACKAGER for WKD
    lookup, so issue a warning if it is not of the form
    "Example Name <email at address.invalid>". Neither the name nor the email
    address must contain additional angle brackets.
    Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit 6f3810793f4b1fc82094ccb1847ed82b85a203e6
Author: morganamilo <morganamilo at gmail.com>
Date:   Mon Sep 9 19:39:09 2019 +0100

    libmakepkg: fix typo
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit bcb44891ef8aa6feee3090cc0fd87b60e73aed5d
Author: Eli Schwartz <eschwartz at archlinux.org>
Date:   Thu Aug 15 19:55:45 2019 -0400

    autotools: distribute meson files
    If we use make dist to create the official, signed release tarballs,
    those will not have meson build files by default since autotools doesn't
    know what they are.
    Also distribute all src/common/ files. We never strictly needed any of
    them to be distributed with autotools, because the dist tarball
    dereferences the symlinks (???), but only some of them were being
    distributed, and meson needs them to be in the right location as we only
    build libcommon from the primary files.
    Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
    Signed-off-by: Allan McRae <allan at archlinux.org>


Summary of changes:
 Makefile.am                                   |   9 +-
 doc/Makefile.am                               |   1 +
 doc/makepkg.conf.5.asciidoc                   |   1 +
 lib/libalpm/Makefile.am                       |   2 +
 lib/libalpm/be_package.c                      |  12 ++-
 lib/libalpm/dload.c                           |   6 +-
 lib/libalpm/signing.c                         | 121 +++++++++++++++++++++-----
 lib/libalpm/signing.h                         |   2 +-
 lib/libalpm/sync.c                            |  22 ++++-
 scripts/Makefile.am                           |   2 +
 scripts/libmakepkg/buildenv.sh.in             |   2 +-
 scripts/libmakepkg/lint_config/variable.sh.in |   6 ++
 src/common/Makefile.am                        |   3 +-
 src/pacman/Makefile.am                        |   2 +
 src/pacman/callback.c                         |  13 +--
 src/util/Makefile.am                          |   2 +
 test/pacman/Makefile.am                       |   1 +
 test/scripts/Makefile.am                      |   1 +
 test/util/Makefile.am                         |   1 +
 19 files changed, 165 insertions(+), 44 deletions(-)

The official pacman repository

More information about the pacman-dev mailing list