7 files changed, 191 insertions, 154 deletions
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index d89fd306..727de258 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -53,21 +53,16 @@ edit = sed \
 	-e 's|@BUILDSCRIPT[@]|$(BUILDSCRIPT)|g' \
 	-e 's|@SIZECMD[@]|$(SIZECMD)|g' \
 	-e 's|@SEDINPLACE[@]|$(SEDINPLACE)|g' \
-	-e 's|@DUPATH[@]|$(DUPATH)|g' \
 	-e 's|@SCRIPTNAME[@]|$@|g' \
 	-e 's|@configure_input[@]|Generated from $@.sh.in; do not edit by hand.|g'
 
 ## All the scripts depend on Makefile so that they are rebuilt when the
 ## prefix etc. changes. Use chmod -w to prevent people from editing the
 ## wrong file by accident.
-# two 'test' lines- make sure we can handle both sh and py type scripts
-# third 'test' line- make sure one of the two checks succeeded
 $(OURSCRIPTS): Makefile
-	@echo '    ' GEN $@;
-	@$(RM) $@
-	@test -f $(srcdir)/$@.sh.in && m4 -P -I $(srcdir) $(srcdir)/$@.sh.in | $(edit) >$@
-	@chmod +x $@
-	@chmod a-w $@
+	$(AM_V_at)$(RM) $@
+	$(AM_V_GEN)test -f $(srcdir)/$@.sh.in && m4 -P -I $(srcdir) $(srcdir)/$@.sh.in | $(edit) >$@
+	$(AM_V_at)chmod +x,a-w $@
 
 makepkg: \
 	$(srcdir)/makepkg.sh.in \
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 2d672a37..eb1329c7 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -39,10 +39,10 @@ export COMMAND_MODE='legacy'
 # Ensure CDPATH doesn't screw with our cd calls
 unset CDPATH
 
-myver='@PACKAGE_VERSION@'
-confdir='@sysconfdir@'
-BUILDSCRIPT='@BUILDSCRIPT@'
-startdir="$PWD"
+declare -r myver='@PACKAGE_VERSION@'
+declare -r confdir='@sysconfdir@'
+declare -r BUILDSCRIPT='@BUILDSCRIPT@'
+declare -r startdir="$PWD"
 
 packaging_options=('strip' 'docs' 'libtool' 'emptydirs' 'zipman' 'purge' 'upx')
 other_options=('ccache' 'distcc' 'buildflags' 'makeflags')
@@ -338,10 +338,10 @@ in_array() {
 	return 1 # Not Found
 }
 
-source_has_signatures(){
+source_has_signatures() {
 	local file
 	for file in "${source[@]}"; do
-		if [[ $file = *.@(sig?(n)|asc) ]]; then
+		if [[ ${file%%::*} = *.@(sig?(n)|asc) ]]; then
 			return 0
 		fi
 	done
@@ -420,18 +420,18 @@ download_file() {
 run_pacman() {
 	local cmd
 	if [[ ! $1 = -@(T|Qq) ]]; then
-		printf -v cmd "%q " "$PACMAN" $PACMAN_OPTS "$@"
+		cmd=("$PACMAN" $PACMAN_OPTS "$@")
 	else
-		printf -v cmd "%q " "$PACMAN" "$@"
+		cmd=("$PACMAN" "$@")
 	fi
 	if (( ! ASROOT )) && [[ ! $1 = -@(T|Qq) ]]; then
 		if type -p sudo >/dev/null; then
-			cmd="sudo $cmd"
+			cmd=(sudo "${cmd[@]}")
 		else
-			cmd="su root -c '$cmd'"
+			cmd=(su root -c "$(printf '%q ' "${cmd[@]}")")
 		fi
 	fi
-	eval "$cmd"
+	"${cmd[@]}"
 }
 
 check_deps() {
@@ -677,14 +677,18 @@ check_checksums() {
 				fi
 
 				if (( $found )) ; then
-					local expectedsum=$(tr '[:upper:]' '[:lower:]' <<< "${integrity_sums[$idx]}")
-					local realsum="$(openssl dgst -${integ} "$file")"
-					realsum="${realsum##* }"
-					if [[ $expectedsum = $realsum ]]; then
-						printf -- "$(gettext "Passed")\n" >&2
+					if [[ ${integrity_sums[$idx]} = 'SKIP' ]]; then
+						echo "$(gettext "Skipped")" >&2
 					else
-						printf -- "$(gettext "FAILED")\n" >&2
-						errors=1
+						local expectedsum=$(tr '[:upper:]' '[:lower:]' <<< "${integrity_sums[$idx]}")
+						local realsum="$(openssl dgst -${integ} "$file")"
+						realsum="${realsum##* }"
+						if [[ $expectedsum = $realsum ]]; then
+							printf -- "$(gettext "Passed")\n" >&2
+						else
+							printf -- "$(gettext "FAILED")\n" >&2
+							errors=1
+						fi
 					fi
 				fi
 
@@ -841,7 +845,7 @@ extract_sources() {
 		if [[ $cmd = bsdtar ]]; then
 			$cmd -xf "$file" || ret=$?
 		else
-			rm -f "${file%.*}"
+			rm -f -- "${file%.*}"
 			$cmd -dcf "$file" > "${file%.*}" || ret=$?
 		fi
 		if (( ret )); then
@@ -970,7 +974,7 @@ tidy_install() {
 
 	if [[ $(check_option docs) = "n" && -n ${DOC_DIRS[*]} ]]; then
 		msg2 "$(gettext "Removing doc files...")"
-		rm -rf ${DOC_DIRS[@]}
+		rm -rf -- ${DOC_DIRS[@]}
 	fi
 
 	if [[ $(check_option purge) = "y" && -n ${PURGE_TARGETS[*]} ]]; then
@@ -997,7 +1001,7 @@ tidy_install() {
 				find ${MAN_DIRS[@]} -lname "$file" 2>/dev/null |
 				while read link ; do
 					rm -f "$link" "${link}.gz"
-					ln -s "${file}.gz" "${link}.gz"
+					ln -s -- "${file}.gz" "${link}.gz"
 				done
 
 				# check file still exists (potentially already compressed due to hardlink)
@@ -1087,30 +1091,62 @@ find_libdepends() {
 }
 
 find_libprovides() {
-	local libprovides
-	find "$pkgdir" -type f -name \*.so\* | while read filename
-	do
-		# check if we really have a shared object
-		if LC_ALL=C readelf -h "$filename" 2>/dev/null | grep -q '.*Type:.*DYN (Shared object file).*'; then
-			# 64
-			soarch=$(LC_ALL=C readelf -h "$filename" | sed -n 's/.*Class.*ELF\(32\|64\)/\1/p')
-			# get the string binaries link to: libfoo.so.1.2 -> libfoo.so.1
-			sofile=$(LC_ALL=C readelf -d "$filename" 2>/dev/null | sed -n 's/.*Library soname: \[\(.*\)\].*/\1/p')
-			[ -z "$sofile" ] && sofile="${filename##*/}"
-
-			# extract the library name: libfoo.so
-			soname="${sofile%%\.so\.*}.so"
-			# extract the major version: 1
-			soversion="${sofile##*\.so\.}"
-			if in_array "${soname}" ${provides[@]}; then
-				if ! in_array "${soname}=${soversion}-${soarch}" ${libprovides[@]}; then
-					# libfoo.so=1-64
-					echo "${soname}=${soversion}-${soarch}"
-					libprovides=(${libprovides[@]} "${soname}=${soversion}-${soarch}")
+	local libprovides missing
+	for p in ${provides[@]}; do
+		missing=0
+		case "$p" in
+			*.so)
+				local filename=$(find "$pkgdir" -type f -name $p\*)
+				if [[ $filename ]]; then
+					# packages may provide multiple versions of the same library
+					for fn in ${filename[@]}; do
+						# check if we really have a shared object
+						if LC_ALL=C readelf -h "$fn" 2>/dev/null | grep -q '.*Type:.*DYN (Shared object file).*'; then
+							# get the string binaries link to (e.g. libfoo.so.1.2 -> libfoo.so.1)
+							local sofile=$(LC_ALL=C readelf -d "$fn" 2>/dev/null | sed -n 's/.*Library soname: \[\(.*\)\].*/\1/p')
+							if [[ -z "$sofile" ]]; then
+								warning "$(gettext "Library listed in %s is not versioned: %s")" "'provides'" "$p"
+								libprovides=(${libprovides[@]} "$p")
+								continue
+							fi
+
+							# get the library architecture (32 or 64 bit)
+							local soarch=$(LC_ALL=C readelf -h "$fn" | sed -n 's/.*Class.*ELF\(32\|64\)/\1/p')
+
+							# extract the library major version
+							local soversion="${sofile##*\.so\.}"
+
+							libprovides=(${libprovides[@]} "${p}=${soversion}-${soarch}")
+						else
+							warning "$(gettext "Library listed in %s is not a shared object: %s")" "'provides'" "$p"
+							libprovides=(${libprovides[@]} "$p")
+						fi
+					done
+				else
+					libprovides=(${libprovides[@]} "$p")
+					missing=1
 				fi
-			fi
-    fi
+				;;
+			*)
+				libprovides=(${libprovides[@]} "$p")
+				;;
+		esac
+
+		if (( missing )); then
+			warning "$(gettext "Can not find library listed in %s: %s")" "'provides'" "$p"
+		fi
 	done
+
+	echo ${libprovides[@]}
+}
+
+check_license() {
+	# TODO maybe remove this at some point
+	# warn if license array is not present or empty
+	if [[ -z $license ]]; then
+		warning "$(gettext "Please add a license line to your %s!")" "$BUILDSCRIPT"
+		plain "$(gettext "Example for GPL\'ed software: %s.")" "license=('GPL')"
+	fi
 }
 
 write_pkginfo() {
@@ -1120,8 +1156,7 @@ write_pkginfo() {
 	else
 		local packager="Unknown Packager"
 	fi
-	local size="$(@DUPATH@ -sk)"
-	size="$(( ${size%%[^0-9]*} * 1024 ))"
+	local size="$(find . -print0 | xargs -0 @SIZECMD@ | awk '{ sum += $1 } END { print sum }')"
 
 	msg2 "$(gettext "Generating %s file...")" ".PKGINFO"
 	echo "# Generated by makepkg $myver"
@@ -1144,13 +1179,15 @@ write_pkginfo() {
 	[[ $groups ]]     && printf "group = %s\n"     "${groups[@]}"
 	[[ $optdepends ]] && printf "optdepend = %s\n" "${optdepends[@]//+([[:space:]])/ }"
 	[[ $conflicts ]]  && printf "conflict = %s\n"  "${conflicts[@]}"
+
+	provides=($(find_libprovides))
+	[[ $provides ]]   && printf "provides = %s\n"  "${provides[@]}"
+
 	[[ $backup ]]     && printf "backup = %s\n"    "${backup[@]}"
 
-	local it
 
-	libprovides=$(find_libprovides)
+	local it
 	libdepends=$(find_libdepends)
-	provides=("${provides[@]}" ${libprovides})
 	depends=("${depends[@]}" ${libdepends})
 
 	for it in "${depends[@]}"; do
@@ -1167,20 +1204,6 @@ write_pkginfo() {
 		fi
 	done
 
-	for it in "${provides[@]}"; do
-		# ignore versionless entires (those come from the PKGBUILD)
-		if [[ $it  = *.so ]]; then
-			# check if the entry has been found by find_libprovides
-			# if not, it's unneeded; tell the user so he can remove it
-			if [[ ! $libprovides =~ (^|\s)${it}=.* ]]; then
-				error "$(gettext "Cannot find library listed in %s: %s")" "'provides'" "$it"
-				return 1
-			fi
-		else
-			echo "provides = $it"
-		fi
-	done
-
 	for it in "${packaging_options[@]}"; do
 		local ret="$(check_option $it)"
 		if [[ $ret != "?" ]]; then
@@ -1192,12 +1215,7 @@ write_pkginfo() {
 		fi
 	done
 
-	# TODO maybe remove this at some point
-	# warn if license array is not present or empty
-	if [[ -z $license ]]; then
-		warning "$(gettext "Please add a license line to your %s!")" "$BUILDSCRIPT"
-		plain "$(gettext "Example for GPL\'ed software: %s.")" "license=('GPL')"
-	fi
+	check_license
 }
 
 check_package() {
@@ -1248,7 +1266,7 @@ create_package() {
 
 	write_pkginfo $nameofpkg > .PKGINFO
 
-	local comp_files=".PKGINFO"
+	local comp_files=('.PKGINFO')
 
 	# check for changelog/install files
 	for i in 'changelog/.CHANGELOG' 'install/.INSTALL'; do
@@ -1258,7 +1276,7 @@ create_package() {
 			msg2 "$(gettext "Adding %s file...")" "$orig"
 			cp "$startdir/${!orig}" "$dest"
 			chmod 644 "$dest"
-			comp_files+=" $dest"
+			comp_files+=("$dest")
 		fi
 	done
 
@@ -1280,12 +1298,12 @@ create_package() {
 	# bsdtar's gzip compression always saves the time stamp, making one
 	# archive created using the same command line distinct from another.
 	# Disable bsdtar compression and use gzip -n for now.
-	bsdtar -cf - $comp_files * |
+	bsdtar -cf - "${comp_files[@]}" * |
 	case "$PKGEXT" in
-		*tar.gz)  gzip -c -f -n ;;
-		*tar.bz2) bzip2 -c -f ;;
-		*tar.xz)  xz -c -z - ;;
-		*tar.Z)   compress -c -f ;;
+		*tar.gz)  ${COMPRESSGZ[@]:-gzip -c -f -n} ;;
+		*tar.bz2) ${COMPRESSBZ2[@]:-bzip2 -c -f} ;;
+		*tar.xz)  ${COMPRESSXZ[@]:-xz -c -z -} ;;
+		*tar.Z)   ${COMPRESSZ[@]:-compress -c -f} ;;
 		*tar)     cat ;;
 		*) warning "$(gettext "'%s' is not a valid archive extension.")" \
 			"$PKGEXT"; cat ;;
@@ -1345,6 +1363,8 @@ create_srcpackage() {
 	local srclinks="$(mktemp -d "$startdir"/srclinks.XXXXXXXXX)"
 	mkdir "${srclinks}"/${pkgbase}
 
+	check_license
+
 	msg2 "$(gettext "Adding %s...")" "$BUILDSCRIPT"
 	ln -s "${BUILDFILE}" "${srclinks}/${pkgbase}/${BUILDSCRIPT}"
 
@@ -1467,8 +1487,8 @@ check_sanity() {
 	awk -F'=' '$1 ~ /^[[:space:]]*pkgrel$/' "$BUILDFILE" | sed "s/[[:space:]]*#.*//" |
 	while IFS='=' read -r _ i; do
 		eval i=\"$(sed 's/^\(['\''"]\)\(.*\)\1$/\2/' <<< "${i%%+([[:space:]])}")\"
-		if [[ $i = *[[:space:]-]* ]]; then
-			error "$(gettext "%s is not allowed to contain hyphens or whitespace.")" "pkgrel"
+		if [[ $i != +([0-9])?(.+([0-9])) ]]; then
+			error "$(gettext "%s must be a decimal.")" "pkgrel"
 			return 1
 		fi
 	done || ret=1
@@ -1983,6 +2003,7 @@ set -E
 [[ -n ${PKGEXT} ]] && _PKGEXT=${PKGEXT}
 [[ -n ${SRCEXT} ]] && _SRCEXT=${SRCEXT}
 [[ -n ${GPGKEY} ]] && _GPGKEY=${GPGKEY}
+[[ -n ${PACKAGER} ]] && _PACKAGER=${PACKAGER}
 
 # default config is makepkg.conf
 MAKEPKG_CONF=${MAKEPKG_CONF:-$confdir/makepkg.conf}
@@ -2031,8 +2052,11 @@ readonly ALL_OFF BOLD BLUE GREEN RED YELLOW
 BUILDDIR=${_BUILDDIR:-$BUILDDIR}
 BUILDDIR=${BUILDDIR:-$startdir} #default to $startdir if undefined
 if [[ ! -d $BUILDDIR ]]; then
-	mkdir -p "$BUILDDIR" ||
-			error "$(gettext "You do not have write permission to create packages in %s.")" "$BUILDDIR"
+	if ! mkdir -p "$BUILDDIR"; then
+		error "$(gettext "You do not have write permission to create packages in %s.")" "$BUILDDIR"
+		plain "$(gettext "Aborting...")"
+		exit 1
+	fi
 	chmod a-s "$BUILDDIR"
 fi
 if [[ ! -w $BUILDDIR ]]; then
@@ -2040,8 +2064,6 @@ if [[ ! -w $BUILDDIR ]]; then
 	plain "$(gettext "Aborting...")"
 	exit 1
 fi
-srcdir="$BUILDDIR/src"
-pkgdir="$BUILDDIR/pkg"
 
 PKGDEST=${_PKGDEST:-$PKGDEST}
 PKGDEST=${PKGDEST:-$startdir} #default to $startdir if undefined
@@ -2070,6 +2092,7 @@ fi
 PKGEXT=${_PKGEXT:-$PKGEXT}
 SRCEXT=${_SRCEXT:-$SRCEXT}
 GPGKEY=${_GPGKEY:-$GPGKEY}
+PACKAGER=${_PACKAGER:-$PACKAGER}
 
 if (( HOLDVER )) && [[ -n $FORCE_VER ]]; then
 	# The '\\0' is here to prevent gettext from thinking --holdver is an option
@@ -2137,6 +2160,14 @@ fi
 pkgbase=${pkgbase:-${pkgname[0]}}
 epoch=${epoch:-0}
 
+if [[ $BUILDDIR = "$startdir" ]]; then
+	srcdir="$BUILDDIR/src"
+	pkgdir="$BUILDDIR/pkg"
+else
+	srcdir="$BUILDDIR/$pkgbase/src"
+	pkgdir="$BUILDDIR/$pkgbase/pkg"
+fi
+
 if (( GENINTEG )); then
 	mkdir -p "$srcdir"
 	chmod a-s "$srcdir"
diff --git a/scripts/pacman-db-upgrade.sh.in b/scripts/pacman-db-upgrade.sh.in
index e0a049c5..894152f6 100644
--- a/scripts/pacman-db-upgrade.sh.in
+++ b/scripts/pacman-db-upgrade.sh.in
@@ -23,7 +23,7 @@
 export TEXTDOMAIN='pacman-scripts'
 export TEXTDOMAINDIR='@localedir@'
 
-myver='@PACKAGE_VERSION@'
+declare -r myver='@PACKAGE_VERSION@'
 
 eval $(awk '/DBPath/ {print $1$2$3}' @sysconfdir@/pacman.conf)
 dbroot="${DBPath:-@localstatedir@/lib/pacman/}"
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 3ea8947f..482b56d7 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -24,7 +24,7 @@
 export TEXTDOMAIN='pacman-scripts'
 export TEXTDOMAINDIR='@localedir@'
 
-myver="@PACKAGE_VERSION@"
+declare -r myver="@PACKAGE_VERSION@"
 
 # Options
 ADD=0
@@ -245,8 +245,7 @@ populate_keyring() {
 	fi
 
 	# Variable used for iterating on keyrings
-	local key
-	local key_id
+	local keys key_id
 
 	# Add keys from requested keyrings
 	for keyring in "${KEYRINGIDS[@]}"; do
@@ -262,14 +261,12 @@ populate_keyring() {
 	local -A trusted_ids
 	for keyring in "${KEYRINGIDS[@]}"; do
 		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
-			while read key; do
-				# skip comments; these are valid in this file
-				[[ $key = \#* ]] && continue
-				key_id="${key%%:*}"
-				if [[ -n ${key_id} ]]; then
-					# Mark this key to be lsigned
-					trusted_ids[$key_id]="${keyring}"
-				fi
+			while IFS=: read key_id _; do
+				# skip blank lines, comments; these are valid in this file
+				[[ -z $key_id || ${key_id:0:1} = \# ]] && continue
+
+				# Mark this key to be lsigned
+				trusted_ids[$key_id]=$keyring
 			done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
 		fi
 	done
@@ -294,13 +291,13 @@ populate_keyring() {
 	local -A revoked_ids
 	for keyring in "${KEYRINGIDS[@]}"; do
 		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
-			while read key; do
-				key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
-				if [[ -n ${key_id} ]]; then
+			IFS=$'\n' read -r -d '' -a keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
+			while IFS=: read _ _ _ _ key_id _; do
+				if [[ -n $key_id ]]; then
 					# Mark this key to be disabled
 					revoked_ids[$key_id]="${keyring}"
 				fi
-			done < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
+			done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null)
 		fi
 	done
 
diff --git a/scripts/pacman-optimize.sh.in b/scripts/pacman-optimize.sh.in
index 8a4e7224..4a84c0bb 100644
--- a/scripts/pacman-optimize.sh.in
+++ b/scripts/pacman-optimize.sh.in
@@ -24,7 +24,7 @@
 export TEXTDOMAIN='pacman-scripts'
 export TEXTDOMAINDIR='@localedir@'
 
-myver='@PACKAGE_VERSION@'
+declare -r myver='@PACKAGE_VERSION@'
 
 eval $(awk '/DBPath/ {print $1$2$3}' @sysconfdir@/pacman.conf)
 dbroot="${DBPath:-@localstatedir@/lib/pacman/}"
@@ -88,9 +88,8 @@ if [[ -n $1 ]]; then
 	dbroot="$1"
 fi
 
-# make sure diff is installed
-if ! type diff >/dev/null 2>&1; then
-	die "$(gettext "diff tool was not found, please install diffutils.")"
+if ! type -p openssl >/dev/null; then
+	die "$(gettext "Cannot find the %s binary required for verifying integrity.")" "openssl"
 fi
 
 if [[ ! -d $dbroot || ! -d $dbroot/local ]]; then
@@ -103,8 +102,8 @@ fi
 
 # strip any trailing slash from our dbroot
 dbroot="${dbroot%/}"
-# form the path to our lockfile location
 lockfile="${dbroot}/db.lck"
+localdb="${dbroot}/local"
 
 # make sure pacman isn't running
 if [[ -f $lockfile ]]; then
@@ -113,42 +112,44 @@ fi
 # do not let pacman run while we do this
 touch "$lockfile"
 
-workdir=$(mktemp -d /tmp/pacman-optimize.XXXXXXXXXX) ||
+workdir=$(mktemp -d "${TMPDIR:-/tmp}/pacman-optimize.XXXXXXXXXX") ||
 	die_r "$(gettext "Can not create temp directory for database building.")\n" >&2
 
 # step 1: sum the old db
 msg "$(gettext "MD5sum'ing the old database...")"
-find "$dbroot" -type f | sort | xargs md5sum > "$workdir/pacsums.old"
+(cd "$localdb" && find . -type f -print0 | \
+	xargs -0 openssl dgst -md5 | sort > "$workdir/pacsums.old")
 
 # step 2: tar it up
-msg "$(gettext "Tar'ing up %s...")" "$dbroot"
-bsdtar -czf "$workdir/pacman-db.tar.gz" -C "$dbroot" ./
+msg "$(gettext "Tar'ing up %s...")" "$localdb"
+bsdtar -czf "$workdir/pacman-db.tar.gz" -C "$localdb" ./
 if (( $? )); then
 	rm -rf "$workdir"
-	die_r "$(gettext "Tar'ing up %s failed.")" "$dbroot"
+	die_r "$(gettext "Tar'ing up %s failed.")" "$localdb"
 fi
 
 # step 3: make and sum the new db side-by-side with the old
 msg "$(gettext "Making and MD5sum'ing the new database...")"
-mkdir "$dbroot.new"
-bsdtar -xpf "$workdir/pacman-db.tar.gz" -C "$dbroot.new"
+mkdir "$localdb.new"
+bsdtar -xpf "$workdir/pacman-db.tar.gz" -C "$localdb.new"
 if (( $? )); then
        rm -rf "$workdir"
-       die_r "$(gettext "Untar'ing %s failed.")" "$dbroot"
+       die_r "$(gettext "Untar'ing %s failed.")" "$localdb"
 fi
 # immediate sync following extraction should get it written continuously on HDD
 msg "$(gettext "Syncing database to disk...")"
 sync
-find "$dbroot.new" -type f | sort | \
-		xargs md5sum | sed 's#.new##' > "$workdir/pacsums.new"
+(cd "$localdb.new" && find . -type f -print0 | \
+	xargs -0 openssl dgst -md5 | sort > "$workdir/pacsums.new")
 
 # step 4: compare the sums
 msg "$(gettext "Checking integrity...")"
-diff "$workdir/pacsums.old" "$workdir/pacsums.new" >/dev/null 2>&1
-if (( $? )); then
+read -ra old_dgst < <(openssl dgst -md5 < "$workdir/pacsums.old")
+read -ra new_dgst < <(openssl dgst -md5 < "$workdir/pacsums.new")
+if [[ ${old_dgst[@]:(-1)} != ${new_dgst[@]:(-1)} ]]; then
 	# failed
 	# leave our pacman-optimize tmpdir for checking to see what doesn't match up
-	rm -rf "$dbroot.new"
+	rm -rf "$localdb.new"
 	die_r "$(gettext "Integrity check FAILED, reverting to old database.")"
 fi
 
@@ -156,15 +157,15 @@ fi
 msg "$(gettext "Rotating database into place...")"
 
 fail=0
-mv "$dbroot" "$dbroot.old" || fail=1
-mv "$dbroot.new" "$dbroot" || fail=1
-chmod --reference="$dbroot.old" "$dbroot" || fail=1
-chown --reference="$dbroot.old" "$dbroot" || fail=1
+mv "$localdb" "$localdb.old" || fail=1
+mv "$localdb.new" "$localdb" || fail=1
+chmod --reference="$localdb.old" "$localdb" || fail=1
+chown --reference="$localdb.old" "$localdb" || fail=1
 if (( fail )); then
 	# failure with our directory shuffle
-	die_r "$(gettext "New database substitution failed. Check for $dbroot,\n$dbroot.old, and $dbroot.new directories.")"
+	die_r "$(gettext "New database substitution failed. Check for %s, %s, and %s directories.")" "$localdb" "$localdb.old" "$localdb.new"
 fi
-rm -rf "$dbroot.old"
+rm -rf "$localdb.old"
 
 # remove the lock file and our working directory with sums and tarfile
 rm -f "$lockfile"
diff --git a/scripts/pkgdelta.sh.in b/scripts/pkgdelta.sh.in
index 35be70ce..5a2e6a37 100644
--- a/scripts/pkgdelta.sh.in
+++ b/scripts/pkgdelta.sh.in
@@ -26,7 +26,7 @@ set -o errexit
 export TEXTDOMAIN='pacman-scripts'
 export TEXTDOMAINDIR='@localedir@'
 
-myver='@PACKAGE_VERSION@'
+declare -r myver='@PACKAGE_VERSION@'
 
 QUIET=0
 
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
index 2bb9c83f..043a0b86 100644
--- a/scripts/repo-add.sh.in
+++ b/scripts/repo-add.sh.in
@@ -25,8 +25,8 @@ shopt -s extglob
 export TEXTDOMAIN='pacman-scripts'
 export TEXTDOMAINDIR='@localedir@'
 
-myver='@PACKAGE_VERSION@'
-confdir='@sysconfdir@'
+declare -r myver='@PACKAGE_VERSION@'
+declare -r confdir='@sysconfdir@'
 
 QUIET=0
 DELTA=0
@@ -203,7 +203,7 @@ create_signature() {
 	gpg --detach-sign --use-agent ${SIGNWITHKEY} "$dbfile" &>/dev/null || ret=$?
 
 	if (( ! ret )); then
-		msg2 "$(gettext "Created signature file %s.")" "${dbfile##*/}.sig"
+		msg2 "$(gettext "Created signature file %s.")" "${dbfile##*/.tmp.}.sig"
 	else
 		warning "$(gettext "Failed to sign package database.")"
 	fi
@@ -424,13 +424,8 @@ elephant() {
 check_repo_db() {
 	local repodir
 
-	# ensure the path to the DB exists
-	if [[ "$LOCKFILE" == /* ]]; then
-		repodir=${LOCKFILE%/*}/
-	else
-		repodir=$PWD/$LOCKFILE
-		repodir=${repodir%/*}/
-	fi
+	# ensure the path to the DB exists; $LOCKFILE is always an absolute path
+	repodir=${LOCKFILE%/*}/
 
 	if [[ ! -d "$repodir" ]]; then
 		error "$(gettext "%s does not exist or is not a directory.")" "$repodir"
@@ -579,7 +574,7 @@ if [[ $cmd != "repo-add" && $cmd != "repo-remove" ]]; then
 	exit 1
 fi
 
-tmpdir=$(mktemp -d /tmp/repo-tools.XXXXXXXXXX) || (\
+tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/repo-tools.XXXXXXXXXX") || (\
 	error "$(gettext "Cannot create temp directory for database building.")"; \
 	exit 1)
 mkdir $tmpdir/tree
@@ -637,7 +632,11 @@ if [[ -z $REPO_DB_FILE ]]; then
 	exit 1
 fi
 
-LOCKFILE=$REPO_DB_FILE.lck
+if [[ $REPO_DB_FILE == /* ]]; then
+	LOCKFILE=$REPO_DB_FILE.lck
+else
+	LOCKFILE=$PWD/$REPO_DB_FILE.lck
+fi
 
 verify_repo_extension "$REPO_DB_FILE" >/dev/null
 check_repo_db
@@ -654,37 +653,51 @@ if (( success )); then
 	msg "$(gettext "Creating updated database file '%s'")" "$REPO_DB_FILE"
 
 	TAR_OPT=$(verify_repo_extension "$REPO_DB_FILE")
+	# $LOCKFILE is already guaranteed to be absolute so this is safe
+	dirname=${LOCKFILE%/*}
 	filename=${REPO_DB_FILE##*/}
+	# this ensures we create it on the same filesystem, making moves atomic
+	tempname="$dirname/.tmp.$filename"
 
 	pushd "$tmpdir/tree" >/dev/null
 	if ( shopt -s nullglob; files=(*); (( ${#files[*]} )) ); then
-		bsdtar -c${TAR_OPT}f "$tmpdir/$filename" *
+		bsdtar -c${TAR_OPT}f "$tempname" *
 	else
 		# we have no packages remaining? zip up some emptyness
 		warning "$(gettext "No packages remain, creating empty database.")"
-		bsdtar -c${TAR_OPT}f "$tmpdir/$filename" -T /dev/null
+		bsdtar -c${TAR_OPT}f "$tempname" -T /dev/null
 	fi
 	popd >/dev/null
 
-	create_signature "$tmpdir/$filename"
+	create_signature "$tempname"
 
-	[[ -f $REPO_DB_FILE ]] && mv -f "$REPO_DB_FILE" "${REPO_DB_FILE}.old"
+	# hardlink or move the previous version of the database and signature to .old
+	# extension as a backup measure
+	if [[ -f $REPO_DB_FILE ]]; then
+		ln -f "$REPO_DB_FILE" "$REPO_DB_FILE.old" 2>/dev/null || \
+			mv -f "$REPO_DB_FILE" "$REPO_DB_FILE.old"
+	fi
 	if [[ -f $REPO_DB_FILE.sig ]]; then
-		mv -f "$REPO_DB_FILE.sig" "$REPO_DB_FILE.old.sig"
+		ln -f "$REPO_DB_FILE.sig" "$REPO_DB_FILE.old.sig" 2>/dev/null || \
+			mv -f "$REPO_DB_FILE.sig" "$REPO_DB_FILE.old.sig"
 	else
 		rm -f "$REPO_DB_FILE.old.sig"
 	fi
-	[[ -f $tmpdir/$filename ]] && mv "$tmpdir/$filename" "$REPO_DB_FILE"
-	[[ -f $tmpdir/$filename.sig ]] && mv "$tmpdir/$filename.sig" "$REPO_DB_FILE.sig"
+
+	# rotate the newly-created database and signature into place
+	mv "$tempname" "$REPO_DB_FILE"
+	if [[ -f $tempname.sig ]]; then
+		mv "$tempname.sig" "$REPO_DB_FILE.sig"
+	fi
+
 	dblink="${REPO_DB_FILE%.tar*}"
-	target=${REPO_DB_FILE##*/}
 	rm -f "$dblink" "$dblink.sig"
-	ln -s "$target" "$dblink" 2>/dev/null || \
-		ln "$target" "$dblink" 2>/dev/null || \
+	ln -s "$filename" "$dblink" 2>/dev/null || \
+		ln "$filename" "$dblink" 2>/dev/null || \
 		cp "$REPO_DB_FILE" "$dblink"
 	if [[ -f "$REPO_DB_FILE.sig" ]]; then
-		ln -s "$target.sig" "$dblink.sig" 2>/dev/null || \
-			ln "$target.sig" "$dblink.sig" 2>/dev/null || \
+		ln -s "$filename.sig" "$dblink.sig" 2>/dev/null || \
+			ln "$filename.sig" "$dblink.sig" 2>/dev/null || \
 			cp "$REPO_DB_FILE.sig" "$dblink.sig"
 	fi
 else