Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
system() runs the provided command via a shell, which is subject to
command injection. Even though pacman already provides a mechanism to
sign and verify the databases containing the urls, certain distributions
have yet to get their act together and start signing databases, leaving
them vulnerable to MITM attacks. Replacing the system call with an
almost equivalent exec call removes the possibility of a shell-injection
attack for those users.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
|
|
Converts an argc/argv pair to a string for presentation to the user.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
|
|
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
|
|
Saving fflages breaks reproducible builds due to encoding information
specific to the filesystem that was used to build the package. This
information is not needed for packaging purposes anyway.
Including fflags also means that attempting to extract a package file as
root (or fakeroot) might result in angry warnings being printed to the
console by bsdtar, followed by a non-zero exit code, unless the user
remembers to use --no-fflags during extraction. This is unpleasant UI, even
if pacman itself won't care about these.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
With unknown uid pacman crashed. Return with error from email_from_uid()
if uid is NULL.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If the key's uid is unknown (for example with db signatures) the
question was:
:: Import PGP key 02FD1C7A934E614545849F19A6234074498E9CEE, "(null)"? [Y/n]
Let's display a modified question for unknown uid.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If an email address is specified, we use --locate-key to look up the key
using WKD and keyserver as a fallback. If the key is specified as a key
ID, this doesn't work, so we use the normal keyserver-based --recv-keys.
Note that --refresh-keys still uses the keyservers exclusively for
refreshing, though the situation might potentially be improved in a new
version of GnuPG:
https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062169.html
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
remove_deps is called once, at the end of clean_up() before makepkg
exit. If remove_deps returns >0 (e.g. when pressing "n" in the resulting
prompt), the error is caught by the ERR signal handler. This in turns
sends SIGUSR1 to the process group, with resulting exit code 138.
In case remove_deps fails, this patch exits makepkg with E_REMOVE_DEPS
if there was no previous error (that is, EXIT_CODE equals E_OK).
Otherwise, makepkg exits with EXIT_CODE.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
When running `makepkg -i` it may be necessary to first remove make- and
checkdepends before installing the built package - for example if they
conflict each other. This is the case for wireguard-arch which
makedepends and conflicts wireguard-dkms.
Signed-off-by: Erich Eckner <git@eckner.net>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Without the -f option to wait, we might move on and try to delete the
logpipe before the process is completed.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The logpipe fifo can remain when exiting on a non-error condition such
as recieving signals INT and USR1. This can be seen by doing either a
manual CTRL-C to interrupt the build or by sending a signal such as:
$ makepkg & sleep 5 ; kill -USR1 $!
Remove the fifo in all cases on script exit if it still exists.
Signed-off-by: Austin Lund <austin.lund@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Try and find an exact match via pkgcache before iterating the entire
localdb.
Gives a noticeable speed up for exact matches e.g. `pacman -T zlib`
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
when a satisfying package is already installed, we always pick it
instead of prompting the user. So we can return that package as soon as
we find it, instead of waiting until we've iterated through all the
databases.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
In addition to the general issue of staticlibs linkage, linking a static
lib to a library() does not seem to generate the needed Libs.private.
Rework how we handle this entirely. Instead of relying on convenience
libraries, we will *sigh* go extract a boatload of .o files again, then
relink those to the installable libalpm, while mentioning our
dependencies again.
We still have our guaranteed static library for linking arbitrary programs
with (e.g. vercmp), and we still only generate one identical copy of the
.o files, but now we potentially `ar` it up twice, which isn't so bad.
And linking still works, and pkg-config files also still work.
One alternative would be to explicitly list our dependencies to
pkgconfig.generate with requires_private, but since gpgme might be an
elevated config-tool dependency, this can fail with:
meson.build:341:10: ERROR: requires argument not a string, library with pkgconfig-generated file or pkgconfig-dependency object, got <GpgmeDependency gpgme: True>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
LIB_VERSION is supposed to be something like 11.0.1, not simply
reiterate the project version. As a result, we ended up with this:
$ pacman -V
[...]
Pacman v5.1.0 - libalpm v5.1.0
[...]
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
libcommon isn't even installed, so that means libalpm.a (if installed)
is fatally broken as it misses objects. The problem is that meson
doesn't handle this case correctly:
https://github.com/mesonbuild/meson/issues/3934
https://github.com/mesonbuild/meson/issues/3937
https://github.com/mesonbuild/meson/pull/3939
Work around this by manually extracting libcommon's .o files into the
list of objects used to create libalpm.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Not all compression types can be detected in the seccomp sandbox, so we
need to disable it. This requires either configuring makepkg to know the
sandbox is available, or checking for file >= 5.38 in which the sandbox
option is a no-op even when seccomp is disabled.
- Requires autoconf-archive for autotools version compare macro.
- meson version comparison could be made a lot simpler using meson-git.
Fixes FS#58626
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
There is no good reason to bloat the keyring by importing tons of
signatures we cannot use; drop any signatures that don't validate
against another available key (probably the master keys).
If any desired signatures get cleaned, the key can be refreshed after
importing the new signing public key.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
By default, the latest versions of GnuPG disable the Web of Trust and
refuse to import signatures from public keyservers. This is to prevent
denial of service attacks, because refusing to import signatures only if
the key size is too big, is apparently too silly to consider.
Either way, pacman needs the WoT. If pacman imports a key at all, it
means everything failed and we are in fallback mode, trying to overcome
a shortcoming in the availability of keys in the keyring package.
(This commonly means the user needs to acquire a new key during the same
transaction that updates archlinux-keyring.)
In order for that new key to be usable, it *must* also import signatures
from the Master Keys.
I don't give credence to this supposed DoS, since the worst case
scenario is nothing happening and needing to CTRL+C in order to exit the
program. In the case of pacman, this is better than being unable to
install anything at all (which is gnupg doing a much more harmful DoS to
pacman), and in the already unusual case where something like
--refresh-keys is being used directly instead of depending on the
keyring package itself, gnupg supports WKD out of the box and will
prefer that for people whose keys are marketed as being non-DOSable.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If an option is a two-part option, we print both (separated by IFS=' '),
but when grepping to see if it already exists, we only checked the first
component. This means that something like keyserver-options could only
check if there were existing keyserver options of any sort, but not
which ones.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Added gettext macro to warnings, helps, and errors for translation.
Signed-off-by: Matthew Sexton <wsdmatty@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Using the macro got in the way of _() macro for translation
All the macro did was make it so the writer didn't have to type
\n", stream); at the end of every line.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If we failed to get the pkg from pkgcache then we know no satisfying
package exists by name. So only compare provides.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The rust language supports $RUSTFLAGS to be used automatically in all
rustc invocations. Allow setting this in makepkg.conf (e.g. for
optimization or debuginfo support), and teach debug+strip to pass the
rustc command line argument necessary to rewrite source file paths in
the debugging symbols.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Currently pacman relies on the SKS keyserver network to fetch unknown
PGP keys. These keyservers are vulnerable to signature spamming attacks,
potentionally making it impossible to import the required keys. An
alternative to keyservers is a so-called Web Key Directory (WKD), a
well-known, trusted location on a server from where the keys can be
fetched.
This commit adds the ability to retrieve keys from a WKD. Due to the
mentioned vulnerabilities, the WKD is tried first, falling back to the
keyservers only if no appropriate key is found there.
In contrast to keyservers, keys in a WKD are not looked up using their
fingerprint, but by email address. Since the email address of the
signing key is usually not included in the signature, we will use the
packager email address to perform the lookup.
Also see FS#63171.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Ask the user whether they want to import a missing key before even doing
a search on the keyserver. This will be useful for getting Web Key
Directory support in place: for a WKD, looking up and importing a key
are a single action, so the current key_search -> QUESTION -> key_import
workflow does not apply.
Since only the ID of the package signing key is available before
key_search, we display the packager variable in addition to the key ID
for user convenience.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Downloads with a Content-Disposition header will typically not include
slashes. When they do, we should most certainly only take the basename,
but when they don't, we should treat the header value as the filename.
Crash introduced in d197d8ab82cf when we started using get_filename
in order to rightfully avoid an arbitrary file overwrite vulnerability.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
pacman should be able to extract an email address from PACKAGER for WKD
lookup, so issue a warning if it is not of the form
"Example Name <email@address.invalid>". Neither the name nor the email
address must contain additional angle brackets.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If we use make dist to create the official, signed release tarballs,
those will not have meson build files by default since autotools doesn't
know what they are.
Also distribute all src/common/ files. We never strictly needed any of
them to be distributed with autotools, because the dist tarball
dereferences the symlinks (???), but only some of them were being
distributed, and meson needs them to be in the right location as we only
build libcommon from the primary files.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Commit 11ab9aa9f5f0f3873df89c73e8715b82f485bd9b replaced a strcpy() call
with memcpy(), without copying the terminating null character.
Since fname is allocated with malloc(), subsequent strstr() calls will
overrun the buffer's boundary.
Signed-off-by: László Várady <laszlo.varady93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This includes a patch from Andrew to fix pactest's TAP output for
subtests. Original TAP support in meson was added in 0.50, but 0.51
contains a bugfix that ensures the test still work with the --verbose
flag passed to meson test, so let's depend on that.
|
|
An artificial symbol can be produced when requesting debugging symbols
and the compiler has inlined a function. These symbols will give
spurious results when listing source files for inclusion in debug
packages. This will ignore these symbols and avoid an error that can be
generated when creating a debug package.
Signed-off-by: Austin Lund <austin.lund@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
.ninja.log is only present after building (successful or otherwise) the
project, but build.ninja is output as soon as the build dir is setup.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
These are defined by a POSIX standard, and we should assert that we have
them, or define sane fallbacks (as per sys_types.h(0P)).
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This was ported over from the AC_CHECK_{FUNCS,HEADERS} lists in
configure.ac, but I never actually checked if the resulting CPP defines
are used. Turns out, lots of symbols, not a lot of define usage.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Overriding the segfault handler prevents the creation of core dumps by
the default handler, which makes debugging segfaults difficult.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If we get SIGSEGV we need to bail out quickly, leaving other signals
unblocked could lead to other signal handlers getting triggered.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Currently when caling alpm_trans_commit, if fetching a package restults
in a 404 (or other non 400 response code), the function returns -1 but
errno is never set.
This patch sets errno to ALPM_ERR_RETRIEVE.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This works everywhere that gpgme >= 1.13.0 because it is a pkg-config
dependency, and meson 0.51 adds a fallback config-tool dependency
provider that detects older versions of gpgme seamlessly via
gpgme-config.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The default state of `dependency()` is `required: true`, which means if
a dependency is not found, meson immediately aborts and does not log our
`error()` messages. meson 0.50 has builtin support for dependencies with
custom error messages.
The alternative would be to specify `required: false` everywhere, and
only then to key off of `dep.found()`.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
We haven't reached our first public release of the meson build backend
yet, so we have lots of flexibility for this... and build dependencies
are easier to upgrade than runtime dependencies anyway.
Updating meson allows us to make use of a bunch of new features that
rewquire the latest version of meson.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
bash uses POSIX extended regular expressions via regex(3), which does
not guarantee support for shorthand character classes. Although glibc
supports it, msys2-runtime does not.
Make sure the completion script works (hopefully) everywhere by being
more portable.
Fixes: https://github.com/msys2/MSYS2-packages/pull/1549
Original-patch-by: plotasse <platos@protonmail.ch>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Fixes FS#63000
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
%X is locale-dependent, making it impossible to reliably parse and
potentially overflowing the buffer. %T is consistent across locales.
Also fixes some adjacent whitespace.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|