23 Sep, 2020 (3 commits)
  • makepkg: libprovides: don't provide both versioned and unversioned sonames · 406a3720
    Eli Schwartz authored and Allan McRae committed

      If multiple files match the pattern libfoo.so*, we want to check each of
      them and see if they are shared libraries, and if so, if they have
      versions attached.
      
      But some packages can have both shared libraries and random files which
      match the filename pattern. This is true at least for files in
      /usr/share/gdb/auto-load/, which must match the filename they are paired
      with, followed by "-gdb.py" (or some other gdb scripting ext), but
      definitely don't contain a shared library. In this case, we don't want
      to double-report the library in the generated provides.
      
      It's also possible (probably) for a package to provide a versioned as
      well as an unversioned shared library, but in such cases a single
      provides entry is sufficient to cover both cases (and the libdepends
      for the depending package would contain an unversioned dependency).
      
      Solve this by keeping track of whether we have added a versioned soname
      provides already, and then only adding a maximum of one unversioned
      provides *iff* there isn't a versioned one yet.
      
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • util.c: table_print_line: properly align texts involving CJK · 4533c6a8
    Chih-Hsuan Yen authored and Allan McRae committed

      For printf in C, width is counted as bytes rather than Unicode width. [1]
      
      > If the precision is specified, no more than that many bytes are written.
      
      [1] Section 7.21.6, N2176, final draft for ISO/IEC 9899:2017 (C18)
      
      Thanks Andrew Gregory for suggesting a simpler approach.
      
      Fixes FS#59229
      
    Signed-off-by: Chih-Hsuan Yen <yan12125@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • FS#66472: Remove *.sig file if package corrupted · ff7ff3c5
    Anatol Pomozov authored and Allan McRae committed

    In case a package is corrupted (e.g. signature or hash is invalid)
    pacman tries to remove the package file to redownload it anew the next time.
    Remove the *.sig file as well to make sure no data is left for the invalid
    package.
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
10 Aug, 2020 (2 commits)
  • Enable sha256/md5 hash verification if detached signatures are used · f53ac85f
    Anatol Pomozov authored and Allan McRae committed

      Pacman has multiple ways to verify package content integrity:
       - gpg signature
       - sha256
       - md5
      
    These verification mechanisms overlap each other. gpg signatures already contain
    the hash value of the package content. So if a package signature is present then
    pacman ignored the other 2 hash values. This worked well with signatures
    embedded into the pacman database.
      
      Recently pacman got an ability to handle detached signatures (*.sig files
      located next to the package files). If pacman verifies detached signature only
      then one can replace pkg+sig files with some other content and pacman still
      processes it as a valid package. To prevent it we need to verify
      database<->package integrity using hash values stored in the database.
      
      This commit fixes FS#67232
      
      The new debug output is:
        checking package integrity...
        debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
        debug: sha256sum: 77baf61c62c5570b3a37cf0c3b16c5d9a97dde6fedd1a3528bf0cc5f96dd5e52
        debug: checking sha256sum for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
        debug: sig data: <from .sig>
        debug: checking signature for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
        debug: 1 signatures returned
        debug: fingerprint: B5971F2C5C10A9A08C60030F786C63F330D7CB92
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
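The verification gap this commit describes, as an added example that is not pacman's own code: an HMAC tag stands in for the detached OpenPGP *.sig file, and `sign_detached`, `verify_sig_only`, `verify_sig_and_hash` and the sample package bytes are constructed for the illustration. It shows that a different but genuinely signed pkg+sig pair passes a signature-only check, and is rejected only once the sha256sum recorded in the sync database is compared as well.

```python
import hashlib
import hmac

# Constructed stand-ins: PACKAGER_KEY plays the role of the trusted packager
# key, and an HMAC-SHA256 tag plays the role of the detached OpenPGP signature.
PACKAGER_KEY = b"constructed-packager-key"


def sign_detached(pkg: bytes) -> bytes:
    """Stand-in for the packager producing foo.pkg.tar.zst.sig (constructed)."""
    return hmac.new(PACKAGER_KEY, pkg, hashlib.sha256).digest()


def sig_valid(pkg: bytes, sig: bytes) -> bool:
    """Does the detached signature verify against the package bytes?"""
    return hmac.compare_digest(sign_detached(pkg), sig)


def verify_sig_only(pkg: bytes, sig: bytes, db_entry: dict) -> bool:
    """Old behaviour: a present signature made pacman skip the hash checks."""
    return sig_valid(pkg, sig)


def verify_sig_and_hash(pkg: bytes, sig: bytes, db_entry: dict) -> bool:
    """Behaviour after this commit: the detached signature must verify AND the
    package digest must equal the sha256sum stored in the sync database entry."""
    if not sig_valid(pkg, sig):
        return False
    actual = hashlib.sha256(pkg).hexdigest()
    return hmac.compare_digest(actual, db_entry["sha256sum"])


# Constructed scenario: the sync database describes one package version ...
expected_pkg = b"ruby-2.7.1-2 package contents (constructed)"
db_entry = {"name": "ruby", "sha256sum": hashlib.sha256(expected_pkg).hexdigest()}
expected_sig = sign_detached(expected_pkg)

# ... but the mirror hands back a different pkg+sig pair that was also signed
# by the trusted key, so the signature alone cannot tell the two apart.
swapped_pkg = b"ruby-2.7.0-1 package contents (constructed)"
swapped_sig = sign_detached(swapped_pkg)


def demo() -> dict:
    """Outcome of both policies for the genuine and the swapped pair."""
    return {
        "genuine_sig_only": verify_sig_only(expected_pkg, expected_sig, db_entry),
        "genuine_sig_and_hash": verify_sig_and_hash(expected_pkg, expected_sig, db_entry),
        "swapped_sig_only": verify_sig_only(swapped_pkg, swapped_sig, db_entry),
        "swapped_sig_and_hash": verify_sig_and_hash(swapped_pkg, swapped_sig, db_entry),
    }
```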
  • Fix error during keyring checking · 62246b93
    Anatol Pomozov authored and Allan McRae committed

      With current master version the 'keyring checking' step produces an error:
        debug: returning error 6 from alpm_pkg_get_sig (../lib/libalpm/package.c: 274) : wrong or NULL argument passed
      
      The package signature is still checked later at the integrity verification step though.
      
      This commit fixes keyring checking and now the debug log looks like this:
        debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
        debug: found detached signature /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst.sig with size 566
        debug: found signature key: 786C63F330D7CB92
        debug: looking up key 786C63F330D7CB92 locally
        debug: key lookup success, key exists
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
07 Jul, 2020 (5 commits)
  • Fallback to detached signatures during keyring check · b01bcc7d
    Anatol Pomozov authored and Allan McRae committed

      Pacman has a 'key in keyring' verification step that makes sure the signatures
      have a valid keyid. Currently pacman parses embedded package signatures only.
      
    Add a fallback to detached signatures. If the embedded signature is missing then it
    tries to read the corresponding *.sig file and get the keyid from there.
      
      Verification:
        debug: found cached pkg: /var/cache/pacman/pkg/glib-networking-2.64.3-1-x86_64.pkg.tar.zst
        debug: found detached signature /var/cache/pacman/pkg/glib-networking-2.64.3-1-x86_64.pkg.tar.zst.sig with size 310
        debug: found signature key: A5E9288C4FA415FA
        debug: looking up key A5E9288C4FA415FA locally
        debug: key lookup success, key exists
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • FS#33992: force download *.sig file if it does not exist in the cache · f3dfba73
    Anatol Pomozov authored and Allan McRae committed

    In case *.pkg exists but the *.sig file does not, we still have to pass
    the pkg to the multi_download API.
      
      To avoid redownloading *.pkg file we use CURLOPT_TIMECONDITION curl option.
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • Add a utility function to check whether a file exists in the cache · 78d6dcec
    Anatol Pomozov authored and Allan McRae committed

    It is similar to _alpm_filecache_find() but does not return
    dynamically allocated memory to the user. Thus the user does not need to
    free this resource.
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • Do not use counter for error tracking · 34ba8d98
    Anatol Pomozov authored and Allan McRae committed

    Current code uses an incrementing counter to check whether a function
    returned an error:
      
        errors += some_function();
        if(errors) { goto finish }
      
      Replace with a more standard variable
        errors = some_function();
        if(errors) { goto finish }
      
      Rename 'errors' variable to a more typical 'ret'.
      
      Avoid reporting both ALPM_EVENT_PKG_RETRIEVE_FAILED and
      ALPM_EVENT_PKG_RETRIEVE_DONE in the error path.
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • Move signature payload creation to download engine · f078c2d3
    Anatol Pomozov authored and Allan McRae committed

      Until now callee of ALPM download functionality has been in charge of
      payload creation both for the main file (e.g. *.pkg) and for the accompanied
      *.sig file. One advantage of such solution is that all payloads are
      independent and can be fetched in parallel thus exploiting the maximum
      level of download parallelism.
      
    To build the *.sig file url we've been using a simple string concatenation:
    $requested_url + ".sig". Unfortunately there are cases when it does not
    work. For example an archlinux.org "Download From Mirror" link looks like
    this https://www.archlinux.org/packages/core/x86_64/bash/download/ and
    it gets redirected to some mirror. But if we append ".sig" to the end of
    the link url and try to download it then archlinux.org returns a 404 error.
      
      To overcome this issue we need to follow redirects for the main payload
      first, find the final url and only then append '.sig' suffix.
    This implies 2 things:
     - the signature payload initialization needs to be moved to dload.c
     as it is the place where we have access to the resolved url
     - *.sig is downloaded serially with the main payload and this reduces
     the level of parallelism
      
      Move *.sig payload creation to dload.c. Once the main payload is fetched
      successfully we check if the callee asked to download the accompanied
      signature. If yes - create a new payload and add it to mcurl.
      
      *.sig payload does not use server list of the main payload and thus does
      not support mirror failover. *.sig file comes from the same server as
      the main payload.
      
      Refactor event loop in curl_multi_download_internal() a bit. Instead of
      relying on curl_multi_check_finished_download() to return number of new
      payloads we simply rerun the loop iteration one more time to check if
      there are any active downloads left.
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
26 Jun, 2020 (3 commits)
  • srcinfo.sh: remove trailing newline · 6b9c1b4d
    Denton Liu authored and Allan McRae committed

      When a .SRCINFO file is generated via `makepkg --printsrcinfo`, each
      section is concluded with an empty line. This means that at the end of
      the file, an empty line remains. This is considered a trailing
      whitespace error. In fact, `git diff --check` will warn about this,
      saying "new blank line at EOF."
      
      Instead of closing each section off with an empty line, use the empty
      line to separate sections, omitting the empty line at the end of the
      file.
      
    Signed-off-by: Denton Liu <liu.denton@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>
  • Cleanup the old sequential download code · 84723cab
    Anatol Pomozov authored and Allan McRae committed

      All users of _alpm_download() have been refactored to the new API.
      It is time to remove the old _alpm_download() functionality now.
      
      This change also removes obsolete SIGPIPE signal handler functionality
      (this is a leftover from libfetch days).
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
  • Convert '-U pkg1 pkg2' codepath to parallel download · 16d98d65
    Anatol Pomozov authored and Allan McRae committed

    Installing remote packages using their URLs is an interesting case for the ALPM
    API. Unlike package sync ('pacman -S pkg1 pkg2'), '-U' does not deal with the
    server mirror list. Thus _alpm_multi_download() should be able to
    handle file download for payloads that have either the 'fileurl' field
    or the pair of fields ('servers' and 'filepath') set.
      
      Signature for alpm_fetch_pkgurl() has changed and it accepts an
      output list that is populated with filepaths to fetched packages.
      
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>