We should only disable this specific keyid. This change enforces that the
contents of the -revoked keyring file are full fingerprints which can uniquely
identify a key.
Partially addresses FS#35478. This does nothing to confirm whether or not the
key was successfully disabled -- a ridiculously simple request which appears to
be far too difficult for gpg to manage.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Simon Gomizelj [Wed, 22 May 2013 04:43:11 +0000 (00:43 -0400)]
validate %FILEPATH% when parsing repo dbs
Currently we make no effort to validate the %FILENAME% field in the
repo db. This allows for relative paths to be considered valid.
A carefully crafted db entry with a malicious relative path,
(e.g. `../../../../etc/passwd`) will cause pacman to
overwrite _any_ file on the target's machine.
Add the following validation:
- doesn't start with '.'
- doesn't contain a '/'
- won't overflow PATH_MAX
Signed-off-by: Simon Gomizelj <simongmzlj@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
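The three rules from the commit above, as an added example that is not pacman's own code: a checker for a `%FILENAME%` value read from a sync db, plus a join helper that refuses to build a cache path for any entry the checker rejects. The names `filename_is_valid` and `join_cache_path`, the cache directory, and the sample entries are all constructed for this illustration.

```c
/* Added example (not pacman's code): validation of a %FILENAME% value read
 * from a sync db, following the three rules in the commit message. The
 * function names and sample values are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Accept only a bare file name: non-empty, no leading '.', no '/',
 * and short enough that it cannot reach PATH_MAX on its own. */
bool filename_is_valid(const char *filename)
{
    if (filename == NULL || filename[0] == '\0') {
        return false;
    }
    if (filename[0] == '.') {            /* rejects ".", ".." and dotfiles */
        return false;
    }
    if (strchr(filename, '/') != NULL) { /* rejects any path separator, so no traversal */
        return false;
    }
    if (strlen(filename) >= PATH_MAX) {  /* leaves room for the NUL terminator */
        return false;
    }
    return true;
}

/* Join cachedir and filename into a static buffer, but only after validation;
 * returns NULL when the entry is rejected or the joined path would not fit. */
const char *join_cache_path(const char *cachedir, const char *filename)
{
    static char path[PATH_MAX];
    if (!filename_is_valid(filename)) {
        return NULL;
    }
    int n = snprintf(path, sizeof(path), "%s/%s", cachedir, filename);
    if (n < 0 || (size_t)n >= sizeof(path)) {
        return NULL;                     /* full path would overflow PATH_MAX */
    }
    return path;
}

int main(void)
{
    /* Constructed sample %FILENAME% values; the traversal one mirrors the commit message. */
    const char *samples[] = {
        "pacman-4.1.0-1-x86_64.pkg.tar.xz",
        "../../../../etc/passwd",
        ".hidden.pkg.tar.xz",
        "sub/dir.pkg.tar.xz",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *p = join_cache_path("/var/cache/pacman/pkg", samples[i]);
        printf("%-36s -> %s\n", samples[i], p ? p : "REJECTED");
    }
    return 0;
}
```

Rejecting any `/` rather than only a leading `../` is the important design choice: it makes the field a file name by construction, so the later join cannot escape the cache directory whatever the db contains.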
Allan McRae [Tue, 4 Jun 2013 03:38:48 +0000 (13:38 +1000)]
Restrict pkgname from starting with a dot.
Adding this restriction means we can filter any FILENAME entry from
starting with a "/" or a ".". Use the term "dot" as it is more
computing relevant compared to "full stop" or "period" which vary
depending on English locale.
Dave Reisner [Wed, 15 May 2013 13:58:43 +0000 (09:58 -0400)]
Revert "paccache: avoid subshell in calling runcmd"
su is terribad. In addition to reverting, this also removes support for
privilege escalation via su. If you want to use paccache as root and
fail to comprehend how much better sudo is than su, then run paccache
directly via su.
Dave Reisner [Wed, 15 May 2013 13:58:42 +0000 (09:58 -0400)]
makepkg: fixup broken revision and repo references
bzr support "worked", but didn't handle any of the actual features we
wanted with makepkg. This moves the revision specification to the proper
place (extraction, rather than download), and fixes an additional broken
reference to $repo which was never set.
Fixes FS#35281.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Allan McRae [Thu, 11 Apr 2013 01:56:06 +0000 (11:56 +1000)]
Do not use checkout directory for SVN config
Using the checkout directory for the SVN config can result in clashes
between config files and files from the SVN checkout. Instead, use
a ".makepkg" directory within the checkout.
Maxime Gauduin [Wed, 10 Apr 2013 16:54:02 +0000 (18:54 +0200)]
Add support for all bzr URLs in the PKGBUILD source array
Add support for all bzr URLs, including "lp:" URLs, in the source array.
This, however, requires an internet connection and will fall back to the
current behavior for offline builds. In that case, only the URL reported
by 'bzr config parent_location' run inside the local repo can be used,
and is output.
William Giokas [Fri, 15 Mar 2013 17:11:11 +0000 (12:11 -0500)]
makepkg: don't run remove_deps twice when unneeded
remove_deps already has a check and won't run unless -r is specified, so
if this was meant to remove dependencies of a failure no matter what,
then it's not doing it, and with -r it is run twice on a failure for no
real reason.
Signed-off-by: William Giokas <1007380@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Daniel Wallace [Fri, 5 Apr 2013 23:31:57 +0000 (19:31 -0400)]
zsh completion: make sure -Ss works
if you put a type in pacman -Ss <regex> it doesn't work because it never
passes through the pointer ->sync_search to set $state. All of the
other iterations like this have a case, add one for -S*s*
popd doesn't run in the for loop in download_sources() if the continue
in download_files is executed. Causing the extract_files to extract
everything into $SRCDEST instead of $srcdir
Andrew Gregory [Sat, 30 Mar 2013 01:52:55 +0000 (21:52 -0400)]
makepkg: unset GREP_OPTIONS
grep allows options to be set from the environment with GREP_OPTIONS.
Many of these options will alter grep's output, breaking makepkg.
GREP_OPTIONS=--line-number breaks installed dependency removal, for
instance.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Allan McRae [Wed, 27 Mar 2013 10:11:21 +0000 (20:11 +1000)]
Ensure we are always in $SRCDEST before downloading
When VCS sources were updated, we changed into their root directory.
Any following source was then downloaded to an incorrect place causing
a failure in makepkg. Ensure we are always in the $SRCDEST directory
before starting any download.
Daniel Wallace [Mon, 18 Mar 2013 05:46:55 +0000 (01:46 -0400)]
zsh completion: make $tmp local
The tmp variable is conflicting with the $tmp variable in
${^fpath}/_main_complete(N), which is used to complete all the
functions, causing an error: command not found: for whatever was in
$tmp (which in this case is the last value in $words[@]).
Making it local fixes this.
Signed-off-by: Daniel Wallace <danielwallace@gtmanfred.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Allan McRae [Fri, 15 Mar 2013 02:17:16 +0000 (12:17 +1000)]
Remove Indonesian translation
I imported this translation from transifex without realising that there
were no strings translated despite being "active" on transifex for quite
some time. Remove it until translation begins...
Jason St. John [Thu, 14 Mar 2013 02:18:59 +0000 (22:18 -0400)]
Update documentation to use https links for sites that support it
The Arch web site now redirects to https links for all subdomains, so it
makes sense to use these links in the docs for pacman. Links were
changed to use https for a couple other sites that support it as well,
such as gnu.org and kernel.org.
Signed-off-by: Jason St. John <jstjohn@purdue.edu>
Signed-off-by: Allan McRae <allan@archlinux.org>
It is much better to download the submodules using separate source entries
and adjust the submodule configs to point at these versions in the
prepare() function.
See https://mailman.archlinux.org/pipermail/pacman-dev/2013-March/016771.html
for an example.
Dan McGee [Mon, 11 Mar 2013 04:01:55 +0000 (23:01 -0500)]
Save and restore old locale when manipulating via setlocale
We shouldn't assume a frontend program didn't explicitly set the LC_TIME
setting to a value not in the environment, which is what we previously
assumed. Save the old locale before forcing the 'C' locale and restore
it when we are done.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Dan McGee [Mon, 11 Mar 2013 03:51:11 +0000 (22:51 -0500)]
Use C locale when parsing UseDelta floating point values
We should save the current locale, use the 'C' locale during parsing,
then restore the original locale. Config files should always parse
regardless of the current user's locale setting. Fixes FS#34253.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
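The pattern described by the two commits above (save the caller's locale, force "C" while parsing a decimal value, then restore it), as an added example that is not pacman's or libalpm's code. `parse_usedelta` and `locale_is_preserved` are hypothetical names, the -1.0 error sentinel is this example's own convention, and the `de_DE.UTF-8` locale used in `main` is a constructed demonstration value that may not be installed.

```c
/* Added example (not pacman's code): parse a UseDelta-style decimal ratio
 * under the "C" locale while saving and restoring whatever LC_NUMERIC the
 * calling program had set. Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <locale.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the parsed value, or -1.0 if the string is not a complete number.
 * The -1.0 sentinel is a convention of this example, not of pacman. */
double parse_usedelta(const char *value)
{
    /* setlocale(..., NULL) returns a pointer to static storage that the next
     * setlocale call may overwrite, so the old name must be copied first. */
    const char *current = setlocale(LC_NUMERIC, NULL);
    char *saved = current ? strdup(current) : NULL;

    setlocale(LC_NUMERIC, "C");          /* '.' is guaranteed to be the radix here */
    char *end = NULL;
    double ratio = strtod(value, &end);
    bool ok = (end != value && *end == '\0');

    if (saved) {                         /* restore exactly what the caller had */
        setlocale(LC_NUMERIC, saved);
        free(saved);
    }
    return ok ? ratio : -1.0;
}

/* True if LC_NUMERIC reads the same before and after a parse under locale_name. */
bool locale_is_preserved(const char *locale_name)
{
    if (setlocale(LC_NUMERIC, locale_name) == NULL) {
        return false;                    /* locale not installed on this system */
    }
    char *before = strdup(setlocale(LC_NUMERIC, NULL));
    parse_usedelta("0.7");
    const char *after = setlocale(LC_NUMERIC, NULL);
    bool same = before && after && strcmp(before, after) == 0;
    free(before);
    setlocale(LC_NUMERIC, "C");          /* leave the process in a known state */
    return same;
}

int main(void)
{
    printf("parsed under C locale: %g\n", parse_usedelta("0.7"));
    /* In a comma-radix locale, plain strtod stops at the '.' and returns 0,
     * while parse_usedelta still yields 0.7. Constructed locale name. */
    if (setlocale(LC_NUMERIC, "de_DE.UTF-8") != NULL) {
        printf("plain strtod in de_DE: %g\n", strtod("0.7", NULL));
        printf("parse_usedelta in de_DE: %g\n", parse_usedelta("0.7"));
        printf("locale preserved: %s\n", locale_is_preserved("de_DE.UTF-8") ? "yes" : "no");
    }
    return 0;
}
```

The `strdup` is the caveat a practitioner wants: restoring from the pointer `setlocale` handed back, without copying, is not guaranteed to work once `setlocale(LC_NUMERIC, "C")` has run.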
Daniel Wallace [Wed, 6 Mar 2013 20:41:29 +0000 (15:41 -0500)]
zsh completion: fix stacked completion
Before this, if you do pacman -Sy<tab> it completes to -y. Now, with -S
and the other operations in the actual option _arguments, it won't
remove the operations.
Signed-off-by: Daniel Wallace <danielwallace@gtmanfred.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Andrew Gregory [Sat, 9 Mar 2013 16:59:33 +0000 (11:59 -0500)]
testdb: quote output substitutions
Quoting output substitutions makes whitespace errors such as FS#30101
much more obvious:
old:
missing perl-test-pod dependency for perl-test-output
new:
missing 'perl-test-pod ' dependency for 'perl-test-output'
Several of the quoted substitutions should not be capable of containing
whitespace in theory, but this errs on the side of caution as the point
of the tool is to find error conditions.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Andrew Gregory [Sat, 9 Mar 2013 16:59:32 +0000 (11:59 -0500)]
testdb: pass empty local pkglist to alpm_checkdeps
Passing the local package list to alpm_checkdeps as both the local
packages and packages to be upgraded did nothing but cause extra
overhead as the packages were all removed from the installed package
list because they were being upgraded.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Andrew Gregory [Sat, 9 Mar 2013 16:49:27 +0000 (11:49 -0500)]
pmpkg: add missing directories to test packages
Several tests require complete file lists in order to provide accurate
results. These can be non-obvious. Adding missing parent directories
helps ensure the integrity of tests against human error. Filling in
parent directories also allows us to check that file lists are actually
valid.
There didn't seem to be a good place to do this that was always
guaranteed to be run, so this adds a finalize() function to packages
that will always be run before the package is actually used to allow for
this type of tidying.
Fixes FS#30723
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Olivier Brunel [Sat, 23 Feb 2013 12:08:44 +0000 (13:08 +0100)]
makepkg: Add --verifysource to only download/verify source files
Because --noextract also implies not downloading/verifying source files, it wasn't
possible to simply do that without either extracting and/or building.
(Note: --verifysource takes precedence over --noextract)
Signed-off-by: Olivier Brunel <i.am.jack.mail@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Neer Sighted [Sat, 9 Mar 2013 16:50:58 +0000 (08:50 -0800)]
makepkg: Make VCS download functions use get_filename
Make all VCS download functions use get_filename to get the repo name.
In addition, creating a working directory from a Bazaar repository now shows
the short-name of the repository, not the full path on disk.
I'm not sure if the name of the variable that holds the basename of the local
clone should still be `repo`, but I have left the variable name for simplicity.
Signed-off-by: Neer Sighted <neersighted@myopera.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
William Giokas [Sat, 9 Mar 2013 20:36:55 +0000 (14:36 -0600)]
makepkg: Separate vcs download and extract
Previously makepkg would clone vcs sources in the download function,
regardless of the noextract settings. Now the download_* functions only
download or update the vcs sources, and the new extract_* functions just
create working copies using the specified protocols. The extract_sources
function will call the needed extract function for the protocol
specified. The tarball extraction has also been moved into its own
extract_file function to keep things consistent.
Signed-off-by: William Giokas <1007380@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Simon Gomizelj [Thu, 7 Mar 2013 06:32:41 +0000 (01:32 -0500)]
make status/log messages reflect version change
Currently pacman either prints 'adding' or 'upgrading' when installing
a package. This makes pacman print and log the other possible actions:
'downgrade' and 'reinstall'
Signed-off-by: Simon Gomizelj <simongmzlj@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>