virtual "can" be used when served under apache2
https://www.php.net/manual/en/function.virtual.php

dl has been removed since php-fpm 7.0.0
https://www.php.net/manual/en/function.dl.php

Disable popen

Disable escapeshellarg

Disable pclose

Disable symlink

Disable shell_exec

Disable proc_open

Disable proc_get_status

Reorder to less annoy jelle:(

Remove symlink from disable_functions

archwiki/includes/media/SvgHandler.php:281:             $ok = symlink( $srcPath, $lnPath );

Remove shell_exec from disable_functions

archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:173:  * short of shell_exec('env'), but it's usually near-empty anyway. We add
archwiki/maintenance/updateCredits.php:62:$lines = explode( "\n", shell_exec( 'git log --format="%aN"' ) );
archwiki/maintenance/mwdocgen.php:139:          $this->doDot = shell_exec( 'which dot' );
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneEngine.php:85:                        self::$clockTick = intval( shell_exec( 'getconf CLK_TCK' ) );

Remove popen from disable_functions

flyspray/plugins/dokuwiki/inc/io.php:516:  $fh = popen($cmd, "r");
archwiki/vendor/wikimedia/parsoid/bin/parse.php:409:                            $pipe = popen( "$fgPath > $fgOutDir/profile.svg", "w" );
archwiki/vendor/pear/pear-core-minimal/src/OS/Guess.php:254:            $cpp = popen("/usr/bin/cpp $tmpfile", "r");
archwiki/maintenance/populateImageSha1.php:117:                 $pipe = popen( $cmd, 'w' );
archwiki/maintenance/includes/SevenZipStream.php:68:            $this->stream = popen( $command, $mode[0] );
archwiki/includes/libs/filebackend/FSFileBackend.php:781:                       $pipes[$index] = popen( $fileOpHandle->cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2202:     $handle = popen( $cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2219:     $handle = popen( $cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2284:     $h = popen( $cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2288:             throw new Exception( __FUNCTION__ . '(): popen() failed' );
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:196:          $handle = popen( $cmd, 'r' );

Remove pclose from disable_functions

flyspray/plugins/dokuwiki/inc/io.php:522:  pclose($fh);
archwiki/vendor/pear/pear-core-minimal/src/OS/Guess.php:264:            pclose($cpp);
archwiki/vendor/pear/mail/Mail/sendmail.php:184:        $result = pclose($mail);

Remove proc_open from disable_functions

aurweb/web/lib/pkgbasefuncs.inc.php:101:        $p = proc_open($cmd, $descspec, $pipes);
aurweb/web/lib/acctfuncs.inc.php:1334:  $p = proc_open($cmd, $descspec, $pipes);
archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:223:         $proc = proc_open( $cmd, $desc, $pipes,
archwiki/vendor/wikimedia/parsoid/tools/regression-testing.php:86:              $process = proc_open(
archwiki/vendor/monolog/monolog/src/Monolog/Handler/ProcessHandler.php:118:        $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);
archwiki/tests/parser/editTests.php:293:                $proc = proc_open( '/usr/bin/dwdiff -Pc --diff-input',
archwiki/maintenance/storage/recompressTracked.php:253:                 $proc = proc_open( "$cmd --child-id $i", $spec, $pipes );
archwiki/maintenance/mysql.php:169:             $proc = proc_open( Shell::escape( $args ), $desc, $pipes );
archwiki/maintenance/includes/TextPassDumper.php:793:           $this->spawnProc = proc_open( $cmd, $spec, $pipes );
archwiki/includes/resourceloader/ResourceLoaderImage.php:429:                   $process = proc_open(
archwiki/includes/export/DumpPipeOutput.php:74:         $this->procOpenResource = proc_open( $command, $spec, $pipes );
archwiki/includes/exception/ShellDisabledError.php:35:          parent::__construct( 'Unable to run external programs, proc_open() is disabled' );
archwiki/includes/GlobalFunctions.php:2076:             return 'Unable to run external programs, proc_open() is disabled.';
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:147:          $this->proc = proc_open(

Remove proc_get_status from disable_functions

archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:270:                         $status = proc_get_status( $proc );
archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:358:                 $status = proc_get_status( $proc );
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:626:                  $status = proc_get_status( $this->proc );

Remove escapeshellarg from disable_functions

flyspray/includes/class.flyspray.php:1477:               $type = @exec(sprintf('file -bi %s', escapeshellarg($fname)));
aurweb/web/lib/acctfuncs.inc.php:1247:  $cmd = "/usr/bin/ssh-keygen -l -f " . escapeshellarg($tmpfile);
aurweb/web/lib/acctfuncs.inc.php:1326:          $cmd .= ' ' . escapeshellarg($param);
archwiki/vendor/wikimedia/shellbox/src/Shellbox.php:148:                                $retVal .= escapeshellarg( $arg );
archwiki/vendor/wikimedia/shellbox/src/Command/BashWrapper.php:32:                      $cmd = '/bin/bash ' . escapeshellarg( __DIR__ . '/limit.sh' ) . ' ' .
archwiki/vendor/wikimedia/shellbox/src/Command/BashWrapper.php:37:                                      'SB_CGROUP=' . escapeshellarg( $this->cgroup ) . '; ' .
archwiki/vendor/pear/pear-core-minimal/src/System.php:81:                $escape = escapeshellarg($b);
archwiki/vendor/pear/mail/Mail/sendmail.php:172:        $from = escapeshellarg($from); // Security bug #16200
archwiki/includes/libs/filebackend/FSFileBackend.php:825:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsSrcPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:826:               $encStage = escapeshellarg( $this->cleanPathSlashes( $fsStagePath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:827:               $encDst = escapeshellarg( $this->cleanPathSlashes( $fsDstPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:857:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsSrcPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:858:               $encDst = escapeshellarg( $this->cleanPathSlashes( $fsDstPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:878:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsPath ) );

Address jelle's comments

Add GPG master and signing key for Renovate and arch-boxes

See merge request !579

The key is used for signing the releases, so the users can be sure the
images on the mirrors haven't been modified. arch-boxes has been tweaked
to use the key in this MR[1].

[1] arch-boxes!176

Renovate is a tool for: "Automated dependency updates. Multi-platform
and multi-language."[1].

We require all commits pushed directly to official projects to be
signed, so a master key and signing key have been generated for
Renovate. Both keys are stored in renovate.asc and Renovate only has
access to the signing key.

[1] https://github.com/renovatebot/renovate

syncriscv: add role for mirroring the RISC-V port

See merge request !625

Going to be served by all our Geo boxes under riscv.mirror.pkgbuild.com.

Fixes: 578b7819 ("Capitalize the handler name in handler invocations")
Fixes: 26f289b7 ("Capitalize the first letter of all task names")

All lists have been migrated to mailman3[1] and mailman3 is what users
should use, so show its interface by default and not the mailman2
interface.

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")

Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")

arch-general
aur-general
aur-requests

It has been decided not to migrate the following unlisted and unused
lists:
arch-magazine
arch-notifications
arch-test
mailman

Fixes: 92586d5b ("change(aurweb): rework ansible config for 6.0.0")

aurweb: bump to v6.1.4

See merge request !626

Required for poetry 1.2 until #1917 is fixed

https://github.com/python-poetry/poetry/issues/1917



Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

The default (40KB) isn't enough for all patches.

Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")

gitlab_runner: try to protect the VM runner kernel from the root user

See merge request archlinux/infrastructure!617

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel.
See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7

This could prevent a scenario where a malicious kernel module or access to some interface that kernel lockdown prevents, would allow or assist in escaping the KVM.
It is not very likely as there needs to be an exploitable vulnerability in the hypervisor.
To make it more secure, the host too would need to enable kernel lockdown.

In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.

arch-commits
arch-security
aur-dev
pacman-contrib
pacman-dev

mailman3: IaC list configurations

Closes #254

See merge request archlinux/infrastructure!610

It is cumbersome to manage the list configurations from the web ui and
easy for them to diverge, so let's instead manage them with Ansible.

Fix #254

The default of 0.5 has proven insufficient on at least 3 boxes so far.

They should never have been in two files.

Fixes: 98704c48 ("root_ssh: Add additional SSH key for klausenbusk")

Ref #469

We moved away from raid6 a while back; update the host var to reflect
the current configuration.

aurweb: bump to 6.1.2 version

See merge request archlinux/infrastructure!624

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

The WKD logic has been moved to the archlinux-keyring project[1][2].

[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/166
[2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/169

This box is very sussy and really likes to fill up its zram swap:

  [root@reproducible ~]# zramctl
  NAME       ALGORITHM DISKSIZE  DATA  COMPR TOTAL STREAMS MOUNTPOINT
  /dev/zram0 lzo-rle       1.9G  1.5G 183.4M  196M       1 [SWAP]

  [root@reproducible ~]# free -m
                 total        used        free      shared  buff/cache   available
  Mem:            1928         529          73           5        1325        1236
  Swap:           1927        1543         384

Fixes: 4a5748ea ("Bump zram-fraction to 1.0 for reproducible.archlinux.org")

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

Otherwise it can't open our letsencrypt certs. It will setuid to
`turnserver` itself.

We get a lot of unauthorized STUN requests in the logs.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

archusers: Make kgizdov dev

See merge request archlinux/infrastructure!622

See archlinux/infrastructure#468