From f50626583c7053650815ec0abb69fd92c3871fd8 Mon Sep 17 00:00:00 2001
From: joborun
Date: Fri, 1 Mar 2024 22:02:29 +0200
Subject: [PATCH] upg pacman
---
 pacman/PKGBUILD | 40 ++++-
 pacman/PKGBUILD-arch | 30 +++-
 pacman/deps | 1 +
 pacman/makepkg.conf | 22 ++-
 pacman/makepkg.conf-arch | 19 ++-
 pacman/makepkg.conf-arch-old | 159 ++++++++++++++++++
 pacman/note | 1 +
 ...-default-checksum-from-md5-to-sha256.patch | 59 +++++++
 pacman/pacman-check-pipes-gnupg.patch | 50 ++++++
 pacman/pacman-early-err-git.patch | 54 ++++++
 pacman/pacman-fix-gnupg-binary-data.patch | 106 ++++++++++++
 pacman/pacman-fix-gnupg-newsig-check.patch | 48 ++++++
 pacman/pacman-ignore-a-files.patch | 52 ++++++
 pacman/pacman-sort-debuginfod-repro.patch | 26 +++
 pacman/pacman-split-off-strip-debug.patch | 50 ++++++
 pacman/pacman.conf | 28 +--
 pacman/patch.list | 8 +
 17 files changed, 703 insertions(+), 50 deletions(-)
 create mode 100644 pacman/makepkg.conf-arch-old
 create mode 100644 pacman/pacman-change-default-checksum-from-md5-to-sha256.patch
 create mode 100644 pacman/pacman-check-pipes-gnupg.patch
 create mode 100644 pacman/pacman-early-err-git.patch
 create mode 100644 pacman/pacman-fix-gnupg-binary-data.patch
 create mode 100644 pacman/pacman-fix-gnupg-newsig-check.patch
 create mode 100644 pacman/pacman-ignore-a-files.patch
 create mode 100644 pacman/pacman-sort-debuginfod-repro.patch
 create mode 100644 pacman/pacman-split-off-strip-debug.patch
 create mode 100644 pacman/patch.list
diff --git a/pacman/PKGBUILD b/pacman/PKGBUILD
index 9d14cdd..7968297 100644
--- a/pacman/PKGBUILD
+++ b/pacman/PKGBUILD
@@ -7,12 +7,12 @@
 pkgname=pacman
 pkgver=6.0.2
-pkgrel=015
+pkgrel=016
 pkgdesc="A library-based package manager with dependency support modified for joborun from arch"
 url="https://www.archlinux.org/pacman/"
 groups=(base jobbot)
-depends=('bash' 'glibc' 'libarchive' 'curl' 'gpgme' 'pacman-mirrorlist' 'jobo-mirror'
- 'gawk' 'coreutils' 'gnupg' 'grep' 'archlinux-keyring'
+depends=('bash' 'glibc' 'libarchive' 'curl' 'gpgme' 'pacman-mirrorlist'
+ 'jobo-mirror' 'gawk' 'coreutils' 'gnupg' 'grep' 'archlinux-keyring'
 'obarun-keyring' 'joborun-keyring' 'lzip')
 # NOTE: Joborun linux is switching default pkg compression to lzip at level -5
@@ -35,6 +35,14 @@ source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.xz{,.sig
 pacman-strip-include-o-files-similar-to-kernel-modules.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/de11824527ec4e2561e161ac40a5714ec943543c.patch
 pacman-fix-compatibility-with-bash-5.2-patsub_replacement.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/0e938f188692c710be36f9dd9ea7b94381aed1b4.patch
 pacman-fix-order-of-fakechroot-fakeroot-nesting.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/05f283b5ad8f5b8f995076e93a27c8772076f872.patch
+ pacman-change-default-checksum-from-md5-to-sha256.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/aa3a1bc3b50d797fb75278f79a83cd7dde50c66e.patch
+ pacman-sort-debuginfod-repro.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/843bf21e794c79c5b3bcf8a57e45ef9c62312fee.patch
+ pacman-split-off-strip-debug.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/7a4fff3310ba2eadd3d5428cbb92e58eb2ee853b.patch
+ pacman-ignore-a-files.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/00d2b1f90261bf77eaaf262d2504af016562f2ac.patch
+ pacman-early-err-git.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/3aa096a74f717d31650e0eb3cf34e9a5ebadc313.patch
+ pacman-fix-gnupg-binary-data.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/86ec26b2d33372a4b3bda48f22c4a9f226c3ccce.patch
+ pacman-fix-gnupg-newsig-check.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/16a064701a30d7e1175e1185cc6da44238302fab.patch
+ pacman-check-pipes-gnupg.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/f8c2e59ec57c86827b1f1b1c2f6760dc3e59fe40.patch
 pacman.conf
 makepkg.conf)
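Review bot: The eight backports added to `source=()` here ship without a passing test run: the `note` file changed later in this commit records that two python checks fail and that the build is finished with checks skipped. Three of the new entries (`pacman-fix-gnupg-binary-data.patch`, `pacman-fix-gnupg-newsig-check.patch`, `pacman-check-pipes-gnupg.patch`) change signature verification in makepkg and pacman-key, so it matters whether the failures come from them or only from the systemd-related tests the note guesses at. I would name the two failing tests in `note` and, if they turn out to be unrelated, skip only those rather than the whole suite. prepare() is outside the hunks shown, so how the new entries are applied cannot be confirmed from here.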
@@ -82,13 +90,23 @@ package() {
 install -m644 "$srcdir/pacman.conf" "$pkgdir/etc"
 install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
 # rm -rf $pkgdir/usr/share/libalpm/hooks
+
+#
+# local wantsdir="$pkgdir/usr/lib/systemd/system/sockets.target.wants"
+# install -dm755 "$wantsdir"
+#
+# local unit
+# for unit in dirmngr gpg-agent gpg-agent-{browser,extra,ssh} keyboxd; do
+# ln -s "../${unit}@.socket" "$wantsdir/${unit}@etc-pacman.d-gnupg.socket"
+# done
+
 }
 #---- arch license gpg-key & sha256sums ----
 arch=(x86_64)
-license=('GPL')
+license=('GPL-2.0-or-later')
 validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD' # Allan McRae
 'B8151B117037781095514CA7BBDFFC92306B1121') # Andrew Gregory (pacman)
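Review bot: The block added to package() is a commented-out copy of the `sockets.target.wants` loop that PKGBUILD-arch gains in this same commit, and nothing says why it is disabled here. If the socket links are deliberately not shipped, one line such as `# joborun: upstream's gpg-agent/dirmngr/keyboxd socket links are intentionally not installed` records the decision without leaving dead code to keep in sync with upstream. package() begins outside the hunk.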
@@ -101,8 +119,14 @@ sha256sums=(7d8e3e8c5121aec0965df71f59bedf46052c6cf14f96365c4411ec3de0a4c1a5 #
 d87d0c9957c613fda272553bee58140349d151ae399f346ddaf6d75ee5916312 # pacman-strip-include-o-files-similar-to-kernel-modules.patch
 8641d514ef4cae9e4d1867aadf4b9c850a9e8dc9792c6c559f9d2a0e1713a5a1 # pacman-fix-compatibility-with-bash-5.2-patsub_replacement.patch
 b11f62d4bd9557e9d3e7456bc95f63e9eabab5ecee1368f4a14a84bc94b1c8d1 # pacman-fix-order-of-fakechroot-fakeroot-nesting.patch
- 6436e418557989586221d4d5c527666f18d98c6332126dbb6276581b9dce4f6d # pacman.conf
- b7b3302848e12438b4767eafcc76e121b0f24717c37572e252ffcf4f36a5c4d9) # makepkg.conf
-
-## 3e50b6c757dae445d65793aa2fb47f34102737613d5e67a7e12ba90f6e903b1f pacman-6.0.2-015-x86_64.pkg.tar.lz
+ cf749ad981e8f3dedd89c05a5e69a9c91d1e58ef9407e8f8e04ba9c183939623 # pacman-change-default-checksum-from-md5-to-sha256.patch
+ 17e7af22533984924aaf1cf36c74aa26b46b04ad140cd76b65521be906bd3ff7 # pacman-sort-debuginfod-repro.patch
+ 94d1f3575d0c3faf8bf11fee8e5ef36c8b339ebfd24868931903ba179ffecf4e # pacman-split-off-strip-debug.patch
+ 468837eed9a4ffd3778f159a7e62f89a38a4244f822a3a5b014daa69e3c65d28 # pacman-ignore-a-files.patch
+ 0ac6a34e6fc126a243a642e509f459f6cde20af213ab949791a5cc325cf031f9 # pacman-early-err-git.patch
+ d08d4a56dc3a977fdfd4591c30733fa28976710ffba53786541d98717892dc24 # pacman-fix-gnupg-binary-data.patch
+ 4a3cdfba490121a20f3648791cd47ba323f3d3d56bf7ced21b9badb1f22d6abc # pacman-fix-gnupg-newsig-check.patch
+ 94c273f07e4e28125b6002567c62e1f6c65f543597de6a8bd79e8c5bf6e4a125 # pacman-check-pipes-gnupg.patch
+ 488ae68d6c75c81a829dbb1e75ba7349cf341bea5da07c2896e529cdb09f612e # pacman.conf
+ e3eca3bbddf18a3d3278b876a40bc37b58175fd410cfa7fd328d48e8fdb1e17f) # makepkg.conf
diff --git a/pacman/PKGBUILD-arch b/pacman/PKGBUILD-arch
index 86dc2de..d0a8261 100644
--- a/pacman/PKGBUILD-arch
+++ b/pacman/PKGBUILD-arch
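Review bot: Three of the new `sha256sums` entries disagree with the values PKGBUILD-arch gets in this same commit, although both files fetch the same commit URLs: `pacman-ignore-a-files.patch` (468837ee… here, 96efb79a… in the fourth new slot there), `pacman-fix-gnupg-binary-data.patch` (d08d4a56… vs 6e81b34e…) and `pacman-fix-gnupg-newsig-check.patch` (4a3cdfba… vs 250598a2…), assuming the arch list follows source order. Forge-generated `.patch` downloads are presumably not byte-stable, but a checksum that cannot be reproduced from the pinned URL no longer tells a rebuilder which content was reviewed. Since the commit also adds these patches to the repository, a comment above the array such as `# patch checksums are taken from the copies committed in pacman/, not from a fresh download` would make the trust anchor explicit. The hunk also drops the `## … pacman-6.0.2-015-x86_64.pkg.tar.lz` line without recording the value for 016.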
@@ -3,11 +3,11 @@
 pkgname=pacman
 pkgver=6.0.2
-pkgrel=8
+pkgrel=9
 pkgdesc="A library-based package manager with dependency support"
 arch=('x86_64')
 url="https://www.archlinux.org/pacman/"
-license=('GPL')
+license=('GPL-2.0-or-later')
 depends=('bash' 'glibc' 'libarchive' 'curl' 'gpgme' 'pacman-mirrorlist'
 'gettext' 'gawk' 'coreutils' 'gnupg' 'grep')
 makedepends=('meson' 'asciidoc' 'doxygen')
@@ -26,6 +26,14 @@ source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.xz{,.sig
 pacman-strip-include-o-files-similar-to-kernel-modules.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/de11824527ec4e2561e161ac40a5714ec943543c.patch
 pacman-fix-compatibility-with-bash-5.2-patsub_replacement.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/0e938f188692c710be36f9dd9ea7b94381aed1b4.patch
 pacman-fix-order-of-fakechroot-fakeroot-nesting.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/05f283b5ad8f5b8f995076e93a27c8772076f872.patch
+ pacman-change-default-checksum-from-md5-to-sha256.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/aa3a1bc3b50d797fb75278f79a83cd7dde50c66e.patch
+ pacman-sort-debuginfod-repro.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/843bf21e794c79c5b3bcf8a57e45ef9c62312fee.patch
+ pacman-split-off-strip-debug.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/7a4fff3310ba2eadd3d5428cbb92e58eb2ee853b.patch
+ pacman-ignore-a-files.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/00d2b1f90261bf77eaaf262d2504af016562f2ac.patch
+ pacman-early-err-git.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/3aa096a74f717d31650e0eb3cf34e9a5ebadc313.patch
+ pacman-fix-gnupg-binary-data.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/86ec26b2d33372a4b3bda48f22c4a9f226c3ccce.patch
+ pacman-fix-gnupg-newsig-check.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/16a064701a30d7e1175e1185cc6da44238302fab.patch
+ pacman-check-pipes-gnupg.patch::https://gitlab.archlinux.org/pacman/pacman/-/commit/f8c2e59ec57c86827b1f1b1c2f6760dc3e59fe40.patch
 pacman.conf
 makepkg.conf)
 sha256sums=('7d8e3e8c5121aec0965df71f59bedf46052c6cf14f96365c4411ec3de0a4c1a5'
@@ -36,8 +44,16 @@ sha256sums=('7d8e3e8c5121aec0965df71f59bedf46052c6cf14f96365c4411ec3de0a4c1a5'
 'd87d0c9957c613fda272553bee58140349d151ae399f346ddaf6d75ee5916312'
 '8641d514ef4cae9e4d1867aadf4b9c850a9e8dc9792c6c559f9d2a0e1713a5a1'
 'b11f62d4bd9557e9d3e7456bc95f63e9eabab5ecee1368f4a14a84bc94b1c8d1'
+ 'cf749ad981e8f3dedd89c05a5e69a9c91d1e58ef9407e8f8e04ba9c183939623'
+ '17e7af22533984924aaf1cf36c74aa26b46b04ad140cd76b65521be906bd3ff7'
+ '94d1f3575d0c3faf8bf11fee8e5ef36c8b339ebfd24868931903ba179ffecf4e'
+ '96efb79a96abf8cdcecb9f8dc461552549cf46159f44bb4160eb073e1ea5000a'
+ '0ac6a34e6fc126a243a642e509f459f6cde20af213ab949791a5cc325cf031f9'
+ '6e81b34e6a5f312d48ce3aaca0f02ddd10b7a43325cb32acf7666b6b7ac41552'
+ '250598a27a3077ec1dfe97a30af8bb0daf449d3ab456ed6a0c7a5bea0eb58f51'
+ '94c273f07e4e28125b6002567c62e1f6c65f543597de6a8bd79e8c5bf6e4a125'
 '656c4d4cb8cb12adbf178fc8cb2fd25f8c285d6572bbdbb24d865d00e0d5a85a'
- 'b46bca4d3f8b41138923b7a1d7ada272b56ad8b89d0d6ce09145638bdf15185d')
+ 'f2791b51588104ec6dbaafa389451056f3c61fa6c19510dcce3a9a6cc19cba29')
 prepare() {
 cd "${pkgname}-${pkgver}"
@@ -82,6 +98,14 @@ package() {
 install -dm755 "$pkgdir/etc"
 install -m644 "$srcdir/pacman.conf" "$pkgdir/etc"
 install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+
+ local wantsdir="$pkgdir/usr/lib/systemd/system/sockets.target.wants"
+ install -dm755 "$wantsdir"
+
+ local unit
+ for unit in dirmngr gpg-agent gpg-agent-{browser,extra,ssh} keyboxd; do
+ ln -s "../${unit}@.socket" "$wantsdir/${unit}@etc-pacman.d-gnupg.socket"
+ done
 }
 # vim: set ts=2 sw=2 et:
diff --git a/pacman/deps b/pacman/deps
index bd3e04f..3c24236 100644
--- a/pacman/deps
+++ b/pacman/deps
@@ -5,5 +5,6 @@ python
 fakechroot
 cmake
 bash-completion
+gettext
diff --git a/pacman/makepkg.conf b/pacman/makepkg.conf
index 457779a..a8847ce 100644
--- a/pacman/makepkg.conf
+++ b/pacman/makepkg.conf
@@ -1,4 +1,6 @@
 #!/hint/bash
+# shellcheck disable=2034
+
 #
 # /etc/makepkg.conf
 #
@@ -39,18 +41,20 @@ CHOST="x86_64-pc-linux-gnu" #-- Compiler and Linker Flags #CPPFLAGS="" CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \ - -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \ - -fstack-clash-protection -fcf-protection" + -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \ + -fstack-clash-protection -fcf-protection \ + -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer" CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS" -LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" +LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \ + -Wl,-z,pack-relative-relocs" LTOFLAGS="-flto=auto" -#RUSTFLAGS="-C opt-level=2" +RUSTFLAGS="-Cforce-frame-pointers=yes" #-- Make Flags: change this for DistCC/SMP systems #MAKEFLAGS="-j2" #-- Debugging flags DEBUG_CFLAGS="-g" DEBUG_CXXFLAGS="$DEBUG_CFLAGS" -#DEBUG_RUSTFLAGS="-C debuginfo=2" +DEBUG_RUSTFLAGS="-C debuginfo=2" ######################################################################### # BUILD ENVIRONMENT @@ -92,7 +96,7 @@ BUILDENV=(!distcc color !ccache check !sign) #-- debug: Add debugging flags as specified in DEBUG_* variables #-- lto: Add compile flags for building with link time optimization # -OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto) +OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug lto) #-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 INTEGRITY_CHECK=(sha256) @@ -109,7 +113,7 @@ DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc}) #-- Files to be removed from all packages (if purge is specified) PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod) #-- Directory to store source code in for debug packages -DBGSRCDIR="/usr/src/debug" +#DBGSRCDIR="/usr/src/debug" ######################################################################### # PACKAGE OUTPUT 
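Review bot: `-Wl,-z,pack-relative-relocs` in the new LDFLAGS ties every package built with this file to a linker and a runtime glibc that support DT_RELR (binutils 2.38 and glibc 2.36, as far as I know), and nothing in the file says so; the same line is added to makepkg.conf-arch further down. A binary linked this way will not load on an older glibc, which matters for anyone carrying packages into an older install or chroot. I would add a comment above LDFLAGS such as `# -z pack-relative-relocs: needs DT_RELR support in ld and in the target's glibc`. The same hunk raises `_FORTIFY_SOURCE` from 2 to 3, which likewise assumes a recent compiler and libc.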
@@ -122,7 +126,7 @@ DBGSRCDIR="/usr/src/debug" #-- Source cache: specify a fixed directory where source files will be cached #SRCDEST=/home/sources #-- Source packages: specify a fixed directory where all src packages will be placed -SRCPKGDEST=/src/pkg/ +#SRCPKGDEST=/src/pkg/ #-- Log files: specify a fixed directory where all log files will be placed #LOGDEST=/home/makepkglogs #-- Packager: name/email of the person or organization building packages @@ -145,7 +149,7 @@ COMPRESSLRZ=(lrzip -q) COMPRESSLZO=(lzop -q) COMPRESSZ=(compress -c -f) COMPRESSLZ4=(lz4 -q) -COMPRESSLZ=(lzip -6 -c -f) +COMPRESSLZ=(lzip -6 -c -f -vv) ######################################################################### # EXTENSION DEFAULTS diff --git a/pacman/makepkg.conf-arch b/pacman/makepkg.conf-arch index b9e04eb..7f3ba07 100644 --- a/pacman/makepkg.conf-arch +++ b/pacman/makepkg.conf-arch @@ -1,4 +1,6 @@ #!/hint/bash +# shellcheck disable=2034 + # # /etc/makepkg.conf # @@ -39,18 +41,20 @@ CHOST="x86_64-pc-linux-gnu" #-- Compiler and Linker Flags #CPPFLAGS="" CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \ - -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \ - -fstack-clash-protection -fcf-protection" + -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \ + -fstack-clash-protection -fcf-protection \ + -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer" CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS" -LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" +LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \ + -Wl,-z,pack-relative-relocs" LTOFLAGS="-flto=auto" -#RUSTFLAGS="-C opt-level=2" +RUSTFLAGS="-Cforce-frame-pointers=yes" #-- Make Flags: change this for DistCC/SMP systems #MAKEFLAGS="-j2" #-- Debugging flags DEBUG_CFLAGS="-g" DEBUG_CXXFLAGS="$DEBUG_CFLAGS" -#DEBUG_RUSTFLAGS="-C debuginfo=2" +DEBUG_RUSTFLAGS="-C debuginfo=2" ######################################################################### # BUILD ENVIRONMENT 
@@ -92,7 +96,7 @@ BUILDENV=(!distcc color !ccache check !sign) #-- debug: Add debugging flags as specified in DEBUG_* variables #-- lto: Add compile flags for building with link time optimization # -OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto) +OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto) #-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 INTEGRITY_CHECK=(sha256) @@ -137,7 +141,7 @@ DBGSRCDIR="/usr/src/debug" COMPRESSGZ=(gzip -c -f -n) COMPRESSBZ2=(bzip2 -c -f) COMPRESSXZ=(xz -c -z -) -COMPRESSZST=(zstd -c -z -q -) +COMPRESSZST=(zstd -c -T0 --ultra -20 -) COMPRESSLRZ=(lrzip -q) COMPRESSLZO=(lzop -q) COMPRESSZ=(compress -c -f) @@ -157,3 +161,4 @@ SRCEXT='.src.tar.gz' # #-- Command used to run pacman as root, instead of trying sudo and su #PACMAN_AUTH=() +# vim: set ft=sh ts=2 sw=2 et: diff --git a/pacman/makepkg.conf-arch-old b/pacman/makepkg.conf-arch-old new file mode 100644 index 0000000..b9e04eb --- /dev/null +++ b/pacman/makepkg.conf-arch-old 
@@ -0,0 +1,159 @@ +#!/hint/bash +# +# /etc/makepkg.conf +# + +######################################################################### +# SOURCE ACQUISITION +######################################################################### +# +#-- The download utilities that makepkg should use to acquire sources +# Format: 'protocol::agent' +DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u' + 'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u' + 'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u' + 'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u' + 'rsync::/usr/bin/rsync --no-motd -z %u %o' + 'scp::/usr/bin/scp -C %u %o') + +# Other common tools: +# /usr/bin/snarf +# /usr/bin/lftpget -c +# /usr/bin/wget + +#-- The package required by makepkg to download VCS sources +# Format: 'protocol::package' +VCSCLIENTS=('bzr::breezy' + 'fossil::fossil' + 'git::git' + 'hg::mercurial' + 'svn::subversion') + +######################################################################### +# ARCHITECTURE, COMPILE FLAGS +######################################################################### +# +CARCH="x86_64" +CHOST="x86_64-pc-linux-gnu" + +#-- Compiler and Linker Flags +#CPPFLAGS="" +CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \ + -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \ + -fstack-clash-protection -fcf-protection" +CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS" +LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" +LTOFLAGS="-flto=auto" +#RUSTFLAGS="-C opt-level=2" +#-- Make Flags: change this for DistCC/SMP systems +#MAKEFLAGS="-j2" +#-- Debugging flags +DEBUG_CFLAGS="-g" +DEBUG_CXXFLAGS="$DEBUG_CFLAGS" +#DEBUG_RUSTFLAGS="-C debuginfo=2" + +######################################################################### +# BUILD ENVIRONMENT +######################################################################### +# +# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign) +# 
A negated environment option will do the opposite of the comments below. +# +#-- distcc: Use the Distributed C/C++/ObjC compiler +#-- color: Colorize output messages +#-- ccache: Use ccache to cache compilation +#-- check: Run the check() function if present in the PKGBUILD +#-- sign: Generate PGP signature file +# +BUILDENV=(!distcc color !ccache check !sign) +# +#-- If using DistCC, your MAKEFLAGS will also need modification. In addition, +#-- specify a space-delimited list of hosts running in the DistCC cluster. +#DISTCC_HOSTS="" +# +#-- Specify a directory for package building. +#BUILDDIR=/tmp/makepkg + +######################################################################### +# GLOBAL PACKAGE OPTIONS +# These are default values for the options=() settings +######################################################################### +# +# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto) +# A negated option will do the opposite of the comments below. +# +#-- strip: Strip symbols from binaries/libraries +#-- docs: Save doc directories specified by DOC_DIRS +#-- libtool: Leave libtool (.la) files in packages +#-- staticlibs: Leave static library (.a) files in packages +#-- emptydirs: Leave empty directories in packages +#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip +#-- purge: Remove files specified by PURGE_TARGETS +#-- debug: Add debugging flags as specified in DEBUG_* variables +#-- lto: Add compile flags for building with link time optimization +# +OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto) + +#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 +INTEGRITY_CHECK=(sha256) +#-- Options to be used when stripping binaries. See `man strip' for details. +STRIP_BINARIES="--strip-all" +#-- Options to be used when stripping shared libraries. See `man strip' for details. 
+STRIP_SHARED="--strip-unneeded" +#-- Options to be used when stripping static libraries. See `man strip' for details. +STRIP_STATIC="--strip-debug" +#-- Manual (man and info) directories to compress (if zipman is specified) +MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info}) +#-- Doc directories to remove (if !docs is specified) +DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc}) +#-- Files to be removed from all packages (if purge is specified) +PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod) +#-- Directory to store source code in for debug packages +DBGSRCDIR="/usr/src/debug" + +######################################################################### +# PACKAGE OUTPUT +######################################################################### +# +# Default: put built package and cached source in build directory +# +#-- Destination: specify a fixed directory where all packages will be placed +#PKGDEST=/home/packages +#-- Source cache: specify a fixed directory where source files will be cached +#SRCDEST=/home/sources +#-- Source packages: specify a fixed directory where all src packages will be placed +#SRCPKGDEST=/home/srcpackages +#-- Log files: specify a fixed directory where all log files will be placed +#LOGDEST=/home/makepkglogs +#-- Packager: name/email of the person or organization building packages +#PACKAGER="John Doe " +#-- Specify a key to use for package signing +#GPGKEY="" + +######################################################################### +# COMPRESSION DEFAULTS +######################################################################### +# +COMPRESSGZ=(gzip -c -f -n) +COMPRESSBZ2=(bzip2 -c -f) +COMPRESSXZ=(xz -c -z -) +COMPRESSZST=(zstd -c -z -q -) +COMPRESSLRZ=(lrzip -q) +COMPRESSLZO=(lzop -q) +COMPRESSZ=(compress -c -f) +COMPRESSLZ4=(lz4 -q) +COMPRESSLZ=(lzip -c -f) + +######################################################################### +# EXTENSION DEFAULTS 
+######################################################################### +# +PKGEXT='.pkg.tar.zst' +SRCEXT='.src.tar.gz' + +######################################################################### +# OTHER +######################################################################### +# +#-- Command used to run pacman as root, instead of trying sudo and su +#PACMAN_AUTH=() diff --git a/pacman/note b/pacman/note index 3ee4244..a650874 100644 --- a/pacman/note +++ b/pacman/note @@ -3,3 +3,4 @@ absolutely necessary. July 21st 2022 Arch decides to rebuild adding gettext and other build utilities to pacman, unnecesseraly for those who don't build from source within their main installation The contradiction here is that Arch always advises to build pkgs from source in a separate clean minimal chroot or container or docker, meanwhile they keep adding building tools to pacman because of the makepkg inclusion. I believe a split of makepkg as a separate pkg is best, within the pacman pkgbase +edition 6.0.2-016/arch-rel-9 fails 2 python checks so we run with --nochceck over the build to finish it, possibly with all the new systemd functionality tests fail diff --git a/pacman/pacman-change-default-checksum-from-md5-to-sha256.patch b/pacman/pacman-change-default-checksum-from-md5-to-sha256.patch new file mode 100644 index 0000000..24f62e5 --- /dev/null +++ b/pacman/pacman-change-default-checksum-from-md5-to-sha256.patch 
@@ -0,0 +1,59 @@
+From aa3a1bc3b50d797fb75278f79a83cd7dde50c66e Mon Sep 17 00:00:00 2001
+From: Ben Westover
+Date: Fri, 29 Jul 2022 17:04:06 -0400
+Subject: [PATCH] proto: Change the default checksum from md5 to sha256
+
+MD5 isn't a very good checksum, and the PKGBUILD page on the Arch Wiki
+states that it should not be used, instead recommending sha256 or b2.
+This patch changes the default from md5 to sha256 because that seems to
+be the most commonly used checksum today.
+
+Signed-off-by: Ben Westover
+---
+ proto/PKGBUILD-split.proto | 2 +-
+ proto/PKGBUILD-vcs.proto | 2 +-
+ proto/PKGBUILD.proto | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/proto/PKGBUILD-split.proto b/proto/PKGBUILD-split.proto
+index 9898ef81d..eea97e56a 100644
+--- a/proto/PKGBUILD-split.proto
++++ b/proto/PKGBUILD-split.proto
+@@ -28,7 +28,7 @@ changelog=
+ source=("$pkgbase-$pkgver.tar.gz"
+ "$pkgname-$pkgver.patch")
+ noextract=()
+-md5sums=()
++sha256sums=()
+ validpgpkeys=()
+
+ prepare() {
+diff --git a/proto/PKGBUILD-vcs.proto b/proto/PKGBUILD-vcs.proto
+index ae9956a9c..49c6759f4 100644
+--- a/proto/PKGBUILD-vcs.proto
++++ b/proto/PKGBUILD-vcs.proto
+@@ -25,7 +25,7 @@ options=()
+ install=
+ source=('FOLDER::VCS+URL#FRAGMENT')
+ noextract=()
+-md5sums=('SKIP')
++sha256sums=('SKIP')
+
+ # Please refer to the 'USING VCS SOURCES' section of the PKGBUILD man page for
+ # a description of each element in the source array.
+diff --git a/proto/PKGBUILD.proto b/proto/PKGBUILD.proto
+index a2c600d5a..9aff797c8 100644
+--- a/proto/PKGBUILD.proto
++++ b/proto/PKGBUILD.proto
+@@ -27,7 +27,7 @@ changelog=
+ source=("$pkgname-$pkgver.tar.gz"
+ "$pkgname-$pkgver.patch")
+ noextract=()
+-md5sums=()
++sha256sums=()
+ validpgpkeys=()
+
+ prepare() {
+--
+GitLab
+
diff --git a/pacman/pacman-check-pipes-gnupg.patch b/pacman/pacman-check-pipes-gnupg.patch
new file mode 100644
index 0000000..969ceec
--- /dev/null
+++ b/pacman/pacman-check-pipes-gnupg.patch
@@ -0,0 +1,50 @@
+From f8c2e59ec57c86827b1f1b1c2f6760dc3e59fe40 Mon Sep 17 00:00:00 2001
+From: David Runge
+Date: Mon, 22 Jan 2024 14:35:28 +0100
+Subject: [PATCH] pacman-key: Make signature verification more robust by
+ checking pipes
+
+To ensure we are not dropping the return code of the `gpg` call due to
+piping into `grep`, we make use of `PIPESTATUS` to check the return code
+of each command separately.
+
+Additionally, we can now distinguish between two states: The signature
+does not verify (e.g. due to technical reasons) and the signature is
+not trusted.
+
+Signed-off-by: David Runge
+---
+ scripts/pacman-key.sh.in | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
+index 8abd824ec..1c9e06478 100644
+--- a/scripts/pacman-key.sh.in
++++ b/scripts/pacman-key.sh.in
+@@ -591,10 +591,21 @@ verify_sig() {
+ error "$(gettext "Cannot use armored signatures for packages: %s")" "$sig"
+ exit 1
+ fi
+- if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "${files[@]}" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then
+- error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
++
++ "${GPG_PACMAN[@]}" --status-fd 1 --verify "${files[@]}" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'
++
++ # return error if GnuPG fails to verify the signature
++ if [[ "${PIPESTATUS[0]}" -ne 0 ]]; then
++ error "$(gettext "The signature verification for %s failed.")" "$sig"
++ ret=1
++ fi
++
++ # return error if the signature is not trusted fully or ultimately
++ if [[ "${PIPESTATUS[1]}" -ne 0 ]]; then
++ error "$(gettext "The signature %s is not trusted.")" "$sig"
+ ret=1
+ fi
++
+ exit $ret
+ }
+
+--
+GitLab
+
diff --git a/pacman/pacman-early-err-git.patch b/pacman/pacman-early-err-git.patch
new file mode 100644
index 0000000..89a598f
--- /dev/null
+++ b/pacman/pacman-early-err-git.patch
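Review bot: The second test in the new verify_sig() code, `[[ "${PIPESTATUS[1]}" -ne 0 ]]`, cannot see grep's exit status, so a signature that gpg accepts but that is not fully or ultimately trusted no longer sets `ret=1`. Bash replaces PIPESTATUS after every command, including the `[[ … ]]` of the first `if`, so by the second `if` the array holds one element and index 1 expands to empty, which compares equal to 0. Copy the array straight after the pipeline, `local -a pstat=("${PIPESTATUS[@]}")`, and test `"${pstat[0]}"` and `"${pstat[1]}"` instead. verify_sig() starts before this hunk, and the file is a copy of an upstream commit, so the fix belongs upstream as well as in this package.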
@@ -0,0 +1,54 @@ +From 3aa096a74f717d31650e0eb3cf34e9a5ebadc313 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 22 Jan 2024 13:48:15 +0100 +Subject: [PATCH] makepkg: Emit early error if signature verification fails + +Emit an early error message if tag or commit verification with git or +detached signature verification with gpg fails. +Make `verify_file_signature()` and `verify_git_signature()` return +non-zero in this case and set errors to `1`, so that later checks +in `check_pgpsigs()`, although still run, can not lead to a positive +result. + +Signed-off-by: David Runge +--- + .../libmakepkg/integrity/verify_signature.sh.in | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in +index 0c1547ee3..ca1d5a868 100644 +--- a/scripts/libmakepkg/integrity/verify_signature.sh.in ++++ b/scripts/libmakepkg/integrity/verify_signature.sh.in +@@ -157,7 +157,13 @@ verify_file_signature() { + "") decompress="cat" ;; + esac + +- $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null ++ # verify the signature and write metadata to a status file ++ if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then ++ printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "gpg" >&2 ++ errors=1 ++ return 1 ++ fi ++ + return 0 + } + +@@ -189,7 +195,13 @@ verify_git_signature() { + + printf " %s git repo ... " "${dir##*/}" >&2 + +- git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1 ++ # verify the signature and write metadata to a status file ++ if ! git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1; then ++ printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "git" >&2 ++ errors=1 ++ return 1 ++ fi ++ + if ! 
grep -qs NEWSIG "$statusfile"; then + printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2 + errors=1 +-- +GitLab + diff --git a/pacman/pacman-fix-gnupg-binary-data.patch b/pacman/pacman-fix-gnupg-binary-data.patch new file mode 100644 index 0000000..e3eeb32 --- /dev/null +++ b/pacman/pacman-fix-gnupg-binary-data.patch 
@@ -0,0 +1,106 @@ +From 86ec26b2d33372a4b3bda48f22c4a9f226c3ccce Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Sun, 21 Jan 2024 12:33:04 +0100 +Subject: [PATCH] makepkg: Improve robustness of signature verification by + limiting terms + +The output of +`gpg --quiet --batch --status-fd /dev/stdout --verify 2> /dev/null` +or +`git verify-commit --raw 2>&1` +may contain binary data, if the signature has been created with an +OpenPGP implementation, that e.g. makes use of notations. +If the notation string (see `NOTATION_DATA` in /usr/share/doc/gnupg/ +DETAILS) contains a trailing binary char, this will break signature +verification, as any following entry (e.g. `VALIDSIG`) will be offset. + +As we are only making use of a narrow set of terms from the statusfile +(namely `NEWSIG`, `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`, +`BADSIG`, `ERRSIG`, `VALIDSIG`, `TRUST_UNDEFINED`, `TRUST_NEVER`, +`TRUST_MARGINAL`, `TRUST_FULLY`, `TRUST_ULTIMATE`), we are applying a +filter, so that only understood terms are written to the file. + +Signed-off-by: David Runge +--- + .../integrity/verify_signature.sh.in | 27 ++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in +index ca1d5a868..d786a2c39 100644 +--- a/scripts/libmakepkg/integrity/verify_signature.sh.in ++++ b/scripts/libmakepkg/integrity/verify_signature.sh.in +@@ -26,6 +26,12 @@ MAKEPKG_LIBRARY=${MAKEPKG_LIBRARY:-'@libmakepkgdir@'} + source "$MAKEPKG_LIBRARY/util/message.sh" + source "$MAKEPKG_LIBRARY/util/pkgbuild.sh" + ++# Filter the contents of a GnuPG statusfile to only contain understood terms to narrow the file's scope and circumvent ++# the use of terms (e.g. NOTATION_DATA) that may contain unescaped binary data ++filter_gnupg_statusfile() { ++ grep -E "(.*SIG| TRUST_.*)" ++} ++ + check_pgpsigs() { + (( SKIPPGPCHECK )) && return 0 + ! 
source_has_signatures && return 0 +@@ -35,6 +41,7 @@ check_pgpsigs() { + local netfile proto pubkey success status fingerprint trusted + local warnings=0 + local errors=0 ++ local statusfile_raw="$(mktemp)" + local statusfile=$(mktemp) + local all_sources + +@@ -103,7 +110,7 @@ check_pgpsigs() { + printf '\n' >&2 + done + +- rm -f "$statusfile" ++ rm -f "$statusfile" "$statusfile_raw" + + if (( errors )); then + error "$(gettext "One or more PGP signatures could not be verified!")" +@@ -158,12 +165,19 @@ verify_file_signature() { + esac + + # verify the signature and write metadata to a status file +- if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then ++ if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile_raw" --verify "$file" - 2> /dev/null; then + printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "gpg" >&2 + errors=1 + return 1 + fi + ++ # create a statusfile that contains only understood terms ++ if ! filter_gnupg_statusfile > "$statusfile" < "$statusfile_raw"; then ++ printf '%s\n' "$(gettext "unable to extract signature metadata.")" >&2 ++ errors=1 ++ return 1 ++ fi ++ + return 0 + } + +@@ -196,12 +210,19 @@ verify_git_signature() { + printf " %s git repo ... " "${dir##*/}" >&2 + + # verify the signature and write metadata to a status file +- if ! git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1; then ++ if ! git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile_raw" 2>&1; then + printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "git" >&2 + errors=1 + return 1 + fi + ++ # create a statusfile that contains only understood terms ++ if ! filter_gnupg_statusfile > "$statusfile" < "$statusfile_raw"; then ++ printf '%s\n' "$(gettext "unable to extract signature metadata.")" >&2 ++ errors=1 ++ return 1 ++ fi ++ + if ! 
grep -qs NEWSIG "$statusfile"; then + printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2 + errors=1 +-- +GitLab + diff --git a/pacman/pacman-fix-gnupg-newsig-check.patch b/pacman/pacman-fix-gnupg-newsig-check.patch new file mode 100644 index 0000000..c50d87d --- /dev/null +++ b/pacman/pacman-fix-gnupg-newsig-check.patch @@ -0,0 +1,48 @@ +From 16a064701a30d7e1175e1185cc6da44238302fab Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 22 Jan 2024 14:04:28 +0100 +Subject: [PATCH] makepkg: Move check for signature metadata to central + location + +Move the check for the `NEWSIG` metadata keyword contained in the +GnuPG based statusfile to `parse_gpg_statusfile()` so that it is also +run when creating the statusfile in `verify_file_signature()` and not +only when running `verify_git_signature()`. + +Signed-off-by: David Runge +--- + scripts/libmakepkg/integrity/verify_signature.sh.in | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in +index d786a2c39..8a35fe16e 100644 +--- a/scripts/libmakepkg/integrity/verify_signature.sh.in ++++ b/scripts/libmakepkg/integrity/verify_signature.sh.in +@@ -223,17 +223,19 @@ verify_git_signature() { + return 1 + fi + +- if ! grep -qs NEWSIG "$statusfile"; then +- printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2 +- errors=1 +- return 1 +- fi + return 0 + } + + parse_gpg_statusfile() { + local type arg1 arg6 arg10 + ++ # ensure the NEWSIG keyword is part of the metadata ++ if ! grep -qs NEWSIG "$statusfile"; then ++ printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2 ++ errors=1 ++ return 1 ++ fi ++ + while read -r _ type arg1 _ _ _ _ arg6 _ _ _ arg10 _; do + case "$type" in + GOODSIG) +-- +GitLab + diff --git a/pacman/pacman-ignore-a-files.patch b/pacman/pacman-ignore-a-files.patch new file mode 100644 index 0000000..77ddd20 --- /dev/null +++ b/pacman/pacman-ignore-a-files.patch 
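Review bot: `filter_gnupg_statusfile()` in pacman-fix-gnupg-binary-data.patch uses `grep -E "(.*SIG| TRUST_.*)"`, which is unanchored: any status line that contains `SIG` anywhere passes, not only the keywords the commit message lists. If the aim is to keep lines such as NOTATION_DATA away from parse_gpg_statusfile(), matching the keyword in its own field is tighter, e.g. `grep -E '^\[GNUPG:\] ([A-Z]*SIG|TRUST_[A-Z]+)( |$)'`. GNU grep may also classify input with binary bytes as a binary file and suppress the matching lines unless `-a` is given, which is worth checking against the very case the patch targets. The file is a copy of an upstream commit, so any change would need to go upstream too.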
@@ -0,0 +1,52 @@
+From 00d2b1f90261bf77eaaf262d2504af016562f2ac Mon Sep 17 00:00:00 2001
+From: Morten Linderud
+Date: Sun, 17 Dec 2023 16:03:36 +0100
+Subject: [PATCH] strip: don't create debug packages from .a files
+
+.a files are not valid ELF files so we can't run objcopy nor debugedit
+on them.
+
+Rename STRIPLTO to STATICLIB to be more descriptive.
+
+Signed-off-by: Morten Linderud
+---
+ scripts/libmakepkg/tidy/strip.sh.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/scripts/libmakepkg/tidy/strip.sh.in b/scripts/libmakepkg/tidy/strip.sh.in
+index 6c435058a..e0a303532 100644
+--- a/scripts/libmakepkg/tidy/strip.sh.in
++++ b/scripts/libmakepkg/tidy/strip.sh.in
+@@ -156,7 +156,7 @@ tidy_strip() {
+
+ local binary strip_flags
+ find . -type f -perm -u+w -print0 2>/dev/null | LC_ALL=C sort -z | while IFS= read -rd '' binary ; do
+- local STRIPLTO=0
++ local STATICLIB=0
+ case "$(LC_ALL=C readelf -h "$binary" 2>/dev/null)" in
+ *Type:*'DYN (Shared object file)'*) # Libraries (.so) or Relocatable binaries
+ strip_flags="$STRIP_SHARED";;
+@@ -167,7 +167,7 @@ tidy_strip() {
+ *Type:*'REL (Relocatable file)'*) # Libraries (.a) or objects
+ if ar t "$binary" &>/dev/null; then # Libraries (.a)
+ strip_flags="$STRIP_STATIC"
+- STRIPLTO=1
++ STATICLIB=1
+ elif [[ $binary = *'.ko' || $binary = *'.o' ]]; then # Kernel module or object file
+ strip_flags="$STRIP_SHARED"
+ else
+@@ -177,9 +177,9 @@ tidy_strip() {
+ *)
+ continue ;;
+ esac
+- collect_debug_symbols "$binary"
++ (( ! STATICLIB )) && collect_debug_symbols "$binary"
+ strip_file "$binary" ${strip_flags}
+- (( STRIPLTO )) && strip_lto "$binary"
++ (( STATICLIB )) && strip_lto "$binary"
+ done
+
+ elif check_option "debug" "y"; then
+--
+GitLab
+
diff --git a/pacman/pacman-sort-debuginfod-repro.patch b/pacman/pacman-sort-debuginfod-repro.patch
new file mode 100644
index 0000000..bd877a8
--- /dev/null
+++ b/pacman/pacman-sort-debuginfod-repro.patch
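Review bot: Nothing at the call site `(( ! STATICLIB )) && collect_debug_symbols "$binary"` says why static archives skip debug-symbol collection; the reason is given only in the patch's commit message. A one-line comment above it, such as `# .a archives are not ELF files; objcopy and debugedit cannot process them`, would keep that reasoning with the code. tidy_strip's body starts and ends outside the hunks shown.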
@@ -0,0 +1,26 @@
+From 843bf21e794c79c5b3bcf8a57e45ef9c62312fee Mon Sep 17 00:00:00 2001
+From: kpcyrd
+Date: Sun, 27 Aug 2023 13:03:40 +0200
+Subject: [PATCH] libmakepkg: Fix non-reproducible binaries by processing
+ debuginfo in order
+
+---
+ scripts/libmakepkg/tidy/strip.sh.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/libmakepkg/tidy/strip.sh.in b/scripts/libmakepkg/tidy/strip.sh.in
+index 035a2142e..a53bd451b 100644
+--- a/scripts/libmakepkg/tidy/strip.sh.in
++++ b/scripts/libmakepkg/tidy/strip.sh.in
+@@ -152,7 +152,7 @@ tidy_strip() {
+ fi
+
+ local binary strip_flags
+- find . -type f -perm -u+w -print0 2>/dev/null | while IFS= read -rd '' binary ; do
++ find . -type f -perm -u+w -print0 2>/dev/null | LC_ALL=C sort -z | while IFS= read -rd '' binary ; do
+ local STRIPLTO=0
+ case "$(LC_ALL=C readelf -h "$binary" 2>/dev/null)" in
+ *Type:*'DYN (Shared object file)'*) # Libraries (.so) or Relocatable binaries
+--
+GitLab
+
diff --git a/pacman/pacman-split-off-strip-debug.patch b/pacman/pacman-split-off-strip-debug.patch
new file mode 100644
index 0000000..f7910dc
--- /dev/null
+++ b/pacman/pacman-split-off-strip-debug.patch
@@ -0,0 +1,50 @@
+From 7a4fff3310ba2eadd3d5428cbb92e58eb2ee853b Mon Sep 17 00:00:00 2001
+From: Morten Linderud
+Date: Wed, 21 Dec 2022 17:52:57 +0100
+Subject: [PATCH] strip: split off file stripping and debug package creation
+
+Some projects might duplicate the file in multiple locations for one
+reason or another. When debug packages are enabled, `makepkg` will only
+strip the first occurrence of the binary and abort early on all the
+other binaries.
+
+Signed-off-by: Morten Linderud
+---
+ scripts/libmakepkg/tidy/strip.sh.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/libmakepkg/tidy/strip.sh.in b/scripts/libmakepkg/tidy/strip.sh.in
+index e904080c9..6c435058a 100644
+--- a/scripts/libmakepkg/tidy/strip.sh.in
++++ b/scripts/libmakepkg/tidy/strip.sh.in
+@@ -66,7 +66,7 @@ package_source_files() {
+ done < <(source_files "$binary")
+ }
+
+-strip_file() {
++collect_debug_symbols() {
+ local binary=$1; shift
+
+ if check_option "debug" "y"; then
+@@ -118,7 +118,10 @@ strip_file() {
+ ln -s "$target" "$dbgdir/.build-id/${bid:0:2}/${bid:2}.debug"
+ fi
+ fi
++}
+
++strip_file(){
++ local binary=$1; shift
+ local tempfile=$(mktemp "$binary.XXXXXX")
+ if strip "$@" "$binary" -o "$tempfile"; then
+ cat "$tempfile" > "$binary"
+@@ -174,6 +177,7 @@ tidy_strip() {
+ *)
+ continue ;;
+ esac
++ collect_debug_symbols "$binary"
+ strip_file "$binary" ${strip_flags}
+ (( STRIPLTO )) && strip_lto "$binary"
+ done
+--
+GitLab
+
diff --git a/pacman/pacman.conf b/pacman/pacman.conf
index a1f1a1c..35bbd2a 100644
--- a/pacman/pacman.conf
+++ b/pacman/pacman.conf
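Review bot: In the new `strip_file()` the line `local tempfile=$(mktemp "$binary.XXXXXX")` hides a failed mktemp, because `local` returns success regardless of the command substitution's exit status. Declaring and assigning separately, `local tempfile` followed by `tempfile=$(mktemp "$binary.XXXXXX") || return 1`, makes the failure visible before strip is asked to write to an empty path. `local statusfile_raw="$(mktemp)"` in check_pgpsigs (pacman-fix-gnupg-binary-data.patch) follows the same pattern. The opening `strip_file(){` also lacks the space used by `collect_debug_symbols() {`. strip_file's body continues outside the hunk, so the appropriate failure path may differ from `return 1`.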
@@ -84,20 +84,14 @@ SigLevel = Never [jobcore] #Server = file:///var/cache/jobcore/ Include = /etc/pacman.d/mirrorlist-jobo -#Server = https://ftp.iij.ad.jp/pub/osdn.jp/storage/g/j/jo/joborun/jobcore/ -#Server = https://osdn.net/projects/joborun/storage/jobcore/ [jobextra] #Server = file:///var/cache/jobextra/ Include = /etc/pacman.d/mirrorlist-jobo -#Server = https://ftp.iij.ad.jp/pub/osdn.jp/storage/g/j/jo/joborun/jobextra/ -#Server = https://osdn.net/projects/joborun/storage/jobextra/ [jobcomm] #Server = file:///var/cache/jobcomm/ Include = /etc/pacman.d/mirrorlist-jobo -#Server = https://ftp.iij.ad.jp/pub/osdn.jp/storage/g/j/jo/joborun/jobcomm/ -#Server = https://osdn.net/projects/joborun/storage/jobcomm/ #[jobmine] # ## make your own repository and add what you build from OUR or AUR @@ -108,13 +102,14 @@ Include = /etc/pacman.d/mirrorlist-jobo #### gpgme drops the effort after a few seconds and replies with #### failure. Obarun should first make strict rules on building #### before implementing strict rules on downloading pkgs! +#### Nothing useful can come out of obcore anymore unless you are curious -#[obcore-testing] +##[obcore-testing] +##Server = https://cloud.server.obarun.org/$repo/os/$arch/ + +#[obcore] #Server = https://cloud.server.obarun.org/$repo/os/$arch/ -[obcore] -Server = https://cloud.server.obarun.org/$repo/os/$arch/ - #[obextra-testing] #Server = https://cloud.server.obarun.org/$repo/os/$arch/ @@ -183,17 +178,14 @@ Include = /etc/pacman.d/mirrorlist #### Spark-Linux begins here ####### #[spark-testing] -#SigLevel = Never ##Include = /etc/pacman.d/mirrorlist-spark #Server = https://mirror.fleshless.org/spark/$repo #[spark] -#SigLevel = Never ##Include = /etc/pacman.d/mirrorlist-spark #Server = https://mirror.fleshless.org/spark/$repo #[spark-extra] -#SigLevel = Never ##Include = /etc/pacman.d/mirrorlist-spark #Server = https://mirror.fleshless.org/spark/$repo 
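Review bot: The hunk header `@@ -84,20 +84,14 @@` carries `SigLevel = Never` as its context line, which suggests an uncommented `SigLevel = Never` is still in effect somewhere above `[jobcore]`, while the `[jobcore]`, `[jobextra]` and `[jobcomm]` sections shown here set no SigLevel of their own. This commit drops the commented `#SigLevel = Never` lines from the optional repositories further down, but that live setting is not touched. Which section it belongs to is outside the hunks; if it is the default that these three repositories inherit, their packages are installed without signature verification. In that case a setting such as `SigLevel = Required DatabaseOptional` for those repositories would be the thing to confirm before release.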
@@ -204,31 +196,26 @@ Include = /etc/pacman.d/mirrorlist #### Artix is designed to use exclusively ONE init and service manager, not two! #[gremlins] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch #[system] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch #[world] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch #[galaxy-gremlins] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch #[galaxy] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch @@ -237,13 +224,11 @@ Include = /etc/pacman.d/mirrorlist # enable the multilib repositories as required here. #[lib32-gremlins] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch #[lib32] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/mirrorlist-artix #Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch 
@@ -251,19 +236,16 @@ Include = /etc/pacman.d/mirrorlist #### Archstrike and Blackarch begin here ####### #[archstrike-testing] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/archstrike-mirrorlist #Server = https://mirror.archstrike.org/$arch/$repo #[archstrike] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/archstrike-mirrorlist #Server = https://mirror.archstrike.org/$arch/$repo #[blackarch] -#SigLevel = Never ##SigLevel = DatabaseOptional ##Include = /etc/pacman.d/blackarch-mirrorlist #Server = https://blackarch.org/blackarch/$repo/os/$arch diff --git a/pacman/patch.list b/pacman/patch.list new file mode 100644 index 0000000..a11e2af --- /dev/null +++ b/pacman/patch.list @@ -0,0 +1,8 @@ +pacman-change-default-checksum-from-md5-to-sha256.patch +pacman-sort-debuginfod-repro.patch +pacman-split-off-strip-debug.patch +pacman-ignore-a-files.patch +pacman-early-err-git.patch +pacman-fix-gnupg-binary-data.patch +pacman-fix-gnupg-newsig-check.patch +pacman-check-pipes-gnupg.patch