summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-07-06libmakepkg: fix unsanitized source filenamesEli Schwartz
There were a couple places where filenames beginning with "-" were not properly guarded against by passing them after "--". Some PKGBUILD authors are crazy, but we still take those into account. Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-07-06fix typo in libalpm commentChristian Hesse
contatenate -> concatenate Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16makepkg: introduce SOURCE_DATE_EPOCHAllan McRae
This patch introduces the SOURCE_DATE_EPOCH environmental variable. All files in a package are adjusted to have their modification dates set to the value of SOURCE_DATE_EPOCH, which defaults to "date +%s". Setting this variable allows a package that is built twice in the same environment to be (potentially) reproducible in that the checksum of the generated package file will be the same. Also adjust the compression of the mtree file to avoid gzip embedding a timestamp. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2017-05-16makepkg: remove build date from .PKGINFO headerAllan McRae
This information is duplicated (in less friendly format) in the "builddate" entry and removing it improves reproducible packaging. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2017-05-16remove unused byte from user agent bufferAndrew Gregory
snprintf prints at most n bytes including the terminating '\0'. The extra reserved byte was never being used. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16check for overflow when setting HTTP_USER_AGENTAndrew Gregory
gcc7 issues a warning about a potential overflow if left unchecked. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16query_fileowner: avoid buffer overflowAndrew Gregory
Copying a string into a buffer that has just been determined to not be able to hold it is obviously incorrect. The actual error handling appears to have been unintentionally removed in 47762ab687959e48acc2de8592fcf3ba3cfa502b. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-16alpm_unlock: check handle before dereferencingAndrew Gregory
Prevents SIGSEGV if we catch SIGINT or SIGHUP before initializing alpm. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08pacman.8: fix typo in query optionsMichael Straube
Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08free memory for --overwrite listsAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08add send_fakem to valgrind.suppAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08be_sync: error out if a db cannot be parsedAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-05-08makepkg: create signature files outside of fakerootAllan McRae
With recent version of gpg, signing within fakeroot works on the first invocation, but fails on later runs. Sign all packages outside of fakeroot to avoid this issue. Fixes FS#49946. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-17makepkg: do not create symlinks in build directoryAllan McRae
Setting PKGDEST and friends enables us to keep all built packages in a single location. Symlinking these files into the build directory creates unnecessary clutter and requires clean-up in multiple places when removing old version. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-17makepkg: clean up pkgver and prepare log filesMichael Straube
Delete log files for the pkgver and prepare functions if -c,--clean is passed. Fixes FS#51039 and FS#51075 Includes patch submitted by Christian Braun. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-16run_chroot: label pipe endpoints for readabilityAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16add --sysroot optionAndrew Gregory
--root is not sufficient to properly operate on a mounted guest system. Using --root still uses the host system's configuration and there is no way to correctly use the guest configuration without manually modifying any Include directives. --sysroot provides an easier way to operate on a guest system by chrooting immediately after option parsing before configuration parsing or performing any operations. It is currently limited to the root user, but that's enough for restoring a guest system to a working state, which is the primary intended use case. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16use sockets for scriptlet/hook communicationAndrew Gregory
If a scriptlet/hook dies at the wrong moment it can trigger SIGPIPE, terminating the process. For pipes, there is no way to prevent SIGPIPE other than ignoring it process-wide. This can have unintended consequences in a multi-threaded process. Using send(2) with sockets, however, allows ignoring SIGPIPE on a per-call basis, leaving other threads able to make use of SIGPIPE. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16conflict: include owner for filesystem conflictsAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16unlink_file: strip trailing slashesAndrew Gregory
If the user replaces a directory with a symlink, libalpm would get confused because the trailing slash causes system calls to resolve the symlink. This leads to errors and a misleading message during upgrades. Even though libalpm does not support this, it should not be giving misleading errors. Also adds an overflow check. Fixes FS#51377 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16sortbydeps: rename vptr -> iAndrew Gregory
vptr is a simple list iterator, which are typically named i. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16sortbydeps: rename found -> switched_to_childAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16sortbydeps: factor out dep cycle warningAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16graph.h: rename childptr -> iteratorAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-16graph.h: replace hardcoded values with an enumAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2017-04-12deprecate --force in favor of --overwriteAndrew Gregory
--force is widely misunderstood and the same effect can now be achieved with --overwrite, which is better named and can be used more safely. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-12add --overwrite option to ignore file conflictsAndrew Gregory
Allows for safer, more fine-grained control for overwriting files than --force's all-or-nothing approach. Implements FS#31549. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-12libalpm: Use archive_read_extract2Armin K
archive_read_extract() forces resolution of uid/gid to names when extracting the tarball. This can lead to wrong file ownership when using pacman with -r option and when uid/gid differ in the host and in the chroot. archive_read_extract2() uses uid's and gid's only. See also: https://lists.archlinux.org/pipermail/pacman-dev/2017-March/021912.html Signed-off-by: Armin K <krejzi@email.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-04Replace @SIZECMD@ with POSIX-compatible commandDrew DeVault
Now uses wc -c $file | cut -d' ' -f1, which works using only POSIX commands and removes the need for any platform-specific usages. Signed-off-by: Drew DeVault <sir@cmpwn.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-04parse stdin as newline-separatedAndrew Gregory
Newline-separated input is more reliable because most of the arguments we accept over stdin can validly contain spaces but not newlines. Resolves FS#52992 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-04add alpm_list_append_strdupAndrew Gregory
Makes error detection and handling easier for a common operation. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-04pactest: add --review optionAndrew Gregory
Opens the test file(s), test output, and any log files in the test environment in an editor after the tests run for review. Simplifies debugging tests by avoiding the need to use --keep-root and manually opening the relevant files. The editor used can be set with --editor or $EDITOR, falling back to vim. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-04-04Ignore comments in INSTALL files (FS#51916)Michael Straube
If a comment in an INSTALL file contains the name of a valid INSTALL file function but the function itself is not present, pacman tries to execute that function. That leads to an error. Ignore comments in the grep function in libalpm/trans.c to avoid such errors. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-13Introduce a 'disable-download-timeout' optionChristian Hesse
Add command line option ('--disable-download-timeout') and config file option ('DisableDownloadTimeout') to disable defaults for low speed limit and timeout on downloads. Use this if you have issues downloading files with proxy and/or security gateway. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04alpm_fetch_pkgurl: fix memory leakAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Fix memory leak in alpm_pkg_checkmd5sumAllan McRae
Also remove redundant additional return path. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Suppress valgrind error in fakechrootRikard Falkeborn
This was spotted on Arch Linux, most likely it was introduced when fakechroot was updated to 2.19-1. Valgrind suggests to add the following suppression, which can be tweaked to fit an already existing one. { <insert_a_suppression_name_here> Memcheck:Leak match-leak-kinds: reachable fun:calloc obj:/usr/lib/libdl-2.24.so fun:dlsym obj:/usr/lib/libfakeroot/fakechroot/libfakechroot.so fun:bindtextdomain obj:/usr/lib/libgpg-error.so.0.20.0 fun:call_init.part.0 fun:_dl_init obj:/usr/lib/ld-2.24.so obj:* obj:* obj:* } Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Provide source files for useful debug packagesAllan McRae
Debug packages are fairly useless currently because the soucre files needed for stepping through code etc are not packaged with them. This patch adds the needed source files to the debug package and adjusts the debug info to look at the /usr/src/debug/ directory for them rather than the build location. This requires using the "debugedit" program which is provided as part of the RPM sources. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Document the new query parameter for VCS sourcesEli Schwartz
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04makepkg: Verify git signaturesEli Schwartz
A git repository is marked as signed if it contains the query "signed" as defined by https://tools.ietf.org/html/rfc3986 Adds two utility functions in util/source.sh.in to extract fragments and queries, and modifies source/git.sh.in to use them. Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04libmakepkg/integrity: Verify file signatures in a separate functionEli Schwartz
This makes it easier to add signature verification for new protos. Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Add alpm_pkg_get_makedepends and alpm_pkg_get_checkdependsMark Weiman
makepkg adds makedepends and checkdepends to a package's .PKGINFO file. Add functions that allow use of these from libalpm. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04filelist_sort: check if filelist is presortedAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04add _alpm_filelist_sortAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04repo-add: sort file list entriesAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04makepkg: sort package contentsAndrew Gregory
By passing a NUL-separated filelist, this also fixes a bug where files that look like bsdtar options in the package root could break the package ("-C" was particularly troublesome because bsdtar interprets it as an option anywhere in the file list, even following "--"). Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04find_fileconflicts: rename tmpfiles -> newfilesAndrew Gregory
The files belong to the new version of a package being installed, they are not temporary in any way. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04conflict: skip dir children when replacing a fileAndrew Gregory
When replacing a file with a directory, any files under that directory do not need to be checked for conflicts. This prevents possible false-positive conflicts where the file being replaced is a symlink. We were already skipping the directory children when the file was owned by the previous version of a package being upgraded. This extends that to other packages being removed. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04ini: only recognize comments at beginning of lineAndrew Gregory
Allows the hash sign to be used in values in config files and hooks. Fixes #48702 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04dload: s/CURLOPT_WRITEHEADER/CURLOPT_HEADERDATA/Dave Reisner
The former is really old, and should be avoided. Signed-off-by: Allan McRae <allan@archlinux.org>