While loading each package ensure that the internal version matches the
expected database version to avoid the possibility to circumvent the
version check.
This issue can be used by an attacker to trick the software into
installing an older version. The behavior can be exploited by a
man-in-the-middle attack through specially crafted database tarball
containing a higher version, yet actually delivering an older and
vulnerable version, which was previously shipped.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
f170a94c13 potentially causes $pkgdirbase/$pkg to be undeleteable
with -R or -C if a previous build was interrupted. We simply can't
traverse to this directory, and rm blows up.
Signed-off-by: Allan McRae <allan@archlinux.org>
Passing "-Fl pkg" will print the filelist for the first occurance of "pkg"
in the sync repos. Other version of the package can be printed using
"-Fl repo/pkg".
Signed-off-by: Allan McRae <allan@archlinux.org>
Add the -F/--files operations, -s/--sync support and nd provide dummy
functions for -s/--search, -l/-list and -o/--owns.
Signed-off-by: Allan McRae <allan@archlinux.org>
If a sync database contains a "files" file, the file list will be read.
Currently, there is no known demand for the file list to be lazy loaded by
any libalpm frontend, so these files are read whenever present. Lazy loading
can be implemented when a demand exists.
Signed-off-by: Allan McRae <allan@archlinux.org>
This allows frontends to select between the .db and .files databases
currently supplied by repo-add or any other compatible database.
Signed-off-by: Allan McRae <allan@archlinux.org>
1) Remove checks for removing pre-tardb files
2) Remove the long redundant keep_used parameter
3) Fix pacman error due to removing .sig file along with database
Signed-off-by: Allan McRae <allan@archlinux.org>
If a transaction is removing a package while ignoring all dependencies, there
should not be any warning about other packages optionally requiring it.
Signed-off-by: Allan McRae <allan@archlinux.org>
Fix new warnings generated by gcc-5 about potential overflows.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Use alpm_find_satisfier() instead of alpm_db_get_pkg() when retrieving
the install status of a package to make sure we spot providers as well.
Fixes FS#36412
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Pacman cannot handle armored signatures, so make repo-add error out if
one is detected.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
This commit adds a makepkg option to generate and print the SRCINFO file
for a PKGBUILD, required by the new AUR, to stdout.
AUR 4.0 will use Git instead of source tarballs for uploading packages,
so making makepkg capable of printing the SRCINFO would simplify package
management, instead of having to extract it from a source tarball.
It is also useful for scripting other things, so that instead of having
to parse PKGBUILDs, one can make makepkg generate the SRCINFO and then
you can parse that instead, which is much simpler and less error-prone.
Signed-off-by: Allan McRae <allan@archlinux.org>
Pacman cannot handle armored signatures, so use gpg's --no-armor flag to
force an unarmored signature.
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit 7b8f8753 removed the title parameter but forgot to remove it
from the docstring.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
The old text could be interpreted such that makepkg-template compares
the version numbers of the templates to find the most recent
one. Rephrase this to make it explicit that "$template_name.template" is
used.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
The check that pkgver is non-empty done in check_pkgver should also be
performed after running the pkgver() function. Merge validate_pkgver
into check_pkgver and run check_pkgver after updating pkgver.
Signed-off-by: Allan McRae <allan@archlinux.org>
The change in commit 9d96bed9d6 causes download errors for the .db.sig file
in case the final URL for the .db file contains query strings or other
unexpected stuff. This commit isn't intended to be a total solution, but it
should eliminate the problem in the most obvious cases.
Signed-off-by: Allan McRae <allan@archlinux.org>
"return 0 on success, -1 on error (pm_errno is set accordingly)"
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Even if opening the log file fails, if a user has enabled syslog we may
still be able to log to that. Set the error return value and continue
instead of bailing out.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
valgrind does not like calling open(NULL, ...). This also makes the
return value 0 if logfile has not been set.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently makepkg clears the whole $pkgbasedir which is needless. Moreover,
in the obscure case of multiple makepkg runs (with different $pkgname) that
share a $pkgdirbase, only $pkgdir's from the last run will remain. Since
I consider the contents of $pkgdir an important artifact, this commit restricts
the deletion to individual $pkgdir's.
When CLEANUP is set, the behavior is unchanged.
Discussed in:
https://lists.archlinux.org/pipermail/pacman-dev/2015-February/019939.html
Signed-off-by: Allan McRae <allan@archlinux.org>
With commit 097d5a478b, including alpm.h also drags in archive.h.
Ensure the tools we build that depend on ALPM also include the necessary
flags to find libarchive headers if they are not installed in a standard
location.
[Dan: Add commit message]
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Especially when maintaining local templates in addition to the ones
stored in /usr/share/makepkg-template, it can be useful to include
templates stored in multiple different locations into one PKGBUILD. This
patch makes this possible by allowing --template-dir to be specified
multiple times.
This also introduces a dedicated error message when a template cannot be
found, in contrast to the already existing "Couldn't detect version for
template '%s'".
If a template of the same name is present in more than one of the given
directories, the last one always takes precedence.
Neither the default behaviour without the option given, nor the handling
of a single template dir is changed.
Signed-off-by: Dominik Fischer <d.f.fischer@web.de>
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Allan McRae <allan@archlinux.org>
clang is wrong - dbfile is always used initialized in that function.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
