[pacman-dev] [GIT] The official pacman repository branch, master, updated. v5.2.1-113-gf53ac85f

Allan McRae allan at archlinux.org
Mon Aug 10 09:26:28 UTC 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".

The branch, master has been updated
       via  f53ac85ff6cd2f74f8157f23a5e21650cd17f372 (commit)
       via  62246b9355867ab83566998303c921af6b1e38ef (commit)
       via  2403fc97325908043917732b32adf87a2eaff603 (commit)
       via  74aacf44958e1343b910b3fbdcf753393857f070 (commit)
      from  2a352dc059f696eeda1e18116e468994c1a38430 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f53ac85ff6cd2f74f8157f23a5e21650cd17f372
Author: Anatol Pomozov <anatol.pomozov at gmail.com>
Date:   Fri Jul 31 09:53:15 2020 -0700

    Enable sha256/md5 hash verification if detached signatures are used
    
    Pacman has multiple ways to verify package content integrity:
     - gpg signature
     - sha256
     - md5
    
    These verification mechanisms overlap each other. gpg signatures already contain
    the hash value of the package content. So if a package signature is present then
    pacman ignored the other 2 hash values. This worked well with signatures
    embedded into pacman database.
    
    Recently pacman got an ability to handle detached signatures (*.sig files
    located next to the package files). If pacman verifies detached signature only
    then one can replace pkg+sig files with some other content and pacman still
    processes it as a valid package. To prevent it we need to verify
    database<->package integrity using hash values stored in the database.
    
    This commit fixes FS#67232
    
    The new debug output is:
      checking package integrity...
      debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
      debug: sha256sum: 77baf61c62c5570b3a37cf0c3b16c5d9a97dde6fedd1a3528bf0cc5f96dd5e52
      debug: checking sha256sum for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
      debug: sig data: <from .sig>
      debug: checking signature for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
      debug: 1 signatures returned
      debug: fingerprint: B5971F2C5C10A9A08C60030F786C63F330D7CB92
    
    Signed-off-by: Anatol Pomozov <anatol.pomozov at gmail.com>
    Signed-off-by: Allan McRae <allan at archlinux.org>
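The verification policy described in the commit above, modelled as an added example (not pacman's code): the gpg check outcome is passed in as a boolean, the package contents and the sync-database entry are constructed stand-ins, and `fixed=False` reproduces the old behaviour in which any valid signature skipped the database hash check.

```python
import hashlib

# Constructed stand-ins for two packages, both validly signed by the repo key.
RUBY_PKG = b"ruby-2.7.1-2-x86_64 contents (constructed)"
OTHER_PKG = b"some-other-1.0-1-x86_64 contents (constructed)"

# Constructed sync-database entry for ruby, as recorded when the repo was built.
# pgpsig is None: the signature exists only as a detached .sig next to the file.
RUBY_DB_ENTRY = {
    "filename": "ruby-2.7.1-2-x86_64.pkg.tar.zst",
    "sha256sum": hashlib.sha256(RUBY_PKG).hexdigest(),
    "md5sum": hashlib.md5(RUBY_PKG).hexdigest(),
    "pgpsig": None,
}


def hash_check_needed(db_entry, fixed=True):
    """Old behaviour (fixed=False): a valid signature always skipped the hashes.
    Fixed behaviour: only a signature embedded in the database may skip them,
    because a detached .sig proves nothing about which file the database expects."""
    if not fixed:
        return False
    return db_entry["pgpsig"] is None


def verify_package(pkg_bytes, db_entry, sig_valid, fixed=True):
    """Return (accepted, checks_run). sig_valid is the result of the gpg
    verification of pkg_bytes against its signature (embedded or detached)."""
    checks = ["signature"]
    if not sig_valid:
        return False, checks
    if hash_check_needed(db_entry, fixed):
        # Prefer sha256 from the database, fall back to md5 if that is all it has.
        if db_entry["sha256sum"] is not None:
            checks.append("sha256")
            if hashlib.sha256(pkg_bytes).hexdigest() != db_entry["sha256sum"]:
                return False, checks
        elif db_entry["md5sum"] is not None:
            checks.append("md5")
            if hashlib.md5(pkg_bytes).hexdigest() != db_entry["md5sum"]:
                return False, checks
    return True, checks
```

With the old policy a pkg+sig pair swapped for another validly signed package is accepted; with the fix the database hash ties the file to the entry and the swap is rejected.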

commit 62246b9355867ab83566998303c921af6b1e38ef
Author: Anatol Pomozov <anatol.pomozov at gmail.com>
Date:   Fri Jul 31 09:54:42 2020 -0700

    Fix error during keyring checking
    
    With current master version the 'keyring checking' step produces an error:
      debug: returning error 6 from alpm_pkg_get_sig (../lib/libalpm/package.c: 274) : wrong or NULL argument passed
    
    The package signature is still checked later at the integrity verification step though.
    
    This commit fixes keyring checking and now the debug log looks like this:
      debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
      debug: found detached signature /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst.sig with size 566
      debug: found signature key: 786C63F330D7CB92
      debug: looking up key 786C63F330D7CB92 locally
      debug: key lookup success, key exists
    
    Signed-off-by: Anatol Pomozov <anatol.pomozov at gmail.com>
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit 2403fc97325908043917732b32adf87a2eaff603
Author: Eli Schwartz <eschwartz at archlinux.org>
Date:   Wed Aug 5 10:02:10 2020 -0400

    repo-add: use more libmakepkg to handle common compression routines
    
    Currently the list of supported formats for an archive is maintained in
    two places. And repo-add does not actually get updated. :(
    
    In the process, remove some of the logical duplication when calling
    bsdtar/compress_as.
    
    Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
    Signed-off-by: Allan McRae <allan at archlinux.org>

commit 74aacf44958e1343b910b3fbdcf753393857f070
Author: Eli Schwartz <eschwartz at archlinux.org>
Date:   Wed Aug 5 10:02:09 2020 -0400

    libmakepkg: extend compress.sh to also permit checking validity
    
    get_compression_command() can now be used to do upfront checks for
    whether a given extension is known to do something successfully. This is
    useful when writing tools in which an unknown compression type is a
    fatal error.
    
    Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
    Signed-off-by: Allan McRae <allan at archlinux.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/libalpm/be_package.c               |  2 +-
 lib/libalpm/package.c                  |  4 +--
 scripts/libmakepkg/util/compress.sh.in | 53 +++++++++++++++++++++++++---------
 scripts/repo-add.sh.in                 | 32 ++++++++------------
 4 files changed, 54 insertions(+), 37 deletions(-)


hooks/post-receive
-- 
The official pacman repository