jobcore/xz/PKGBUILD


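# Safety notice, printed as soon as this file is sourced or executed.
#
# The longer notice was a double-quoted string that was never closed, so the
# shell kept reading the package metadata below as part of the string. A
# quoted here-document keeps the wording byte-for-byte and ends where the
# notice ends.
echo "DO NOT USE THIS"
cat <<'XZ_NOTICE'
Read comments first, use arch: core/xz 5.6.1-2
Due to the uncovered back door 3/29/24
and according to Arch building from git was safer than from tar ball, but
they also
Both tar ball and git source at github is removed
We have copies of both but we will not use either
till this clears up.
As far as we can research ONLY when sshd was run by systemd would this
backdoor be effective, so we have nothing to worry about even if the
code is in our copies of xz
XZ_NOTICE
# NOTE(review): the sshd/systemd statement above is the maintainer's reading
# at the time of writing. The publicly described trigger was an sshd that
# loads liblzma through a libsystemd link, so the absence of systemd narrows
# that one path but is not evidence that the release is otherwise
# trustworthy. Treat every retained copy of the 5.6.1 sources as untrusted
# until it has been re-verified.
#
# Fail closed: a printed warning alone would let the build below carry on
# with the release the warning is about. `return` covers the case where a
# build tool sources this file; `exit` covers direct execution.
return 1 2>/dev/null || exit 1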
#!/usr/bin/bash
# JOBoRun : Jwm OpenBox Obarun RUNit
# Maintainer : Joe Bo Run <joborun@disroot.org>
# PkgSource : url="https://gittea.disroot.org/joborun-pkg/jobcore/$pkgname"
# Website : https://pozol.eu
#-----------------------------------------| DESCRIPTION |---------------------------------------
# Package identity. pkgver 5.6.1 is the upstream release that the notice at
# the top of this file warns about.
pkgname="xz"
pkgver="5.6.1"
pkgrel="02"
pkgdesc="Library and command line tools for XZ and LZMA compressed files"
#makedepends=('git' 'po4a' 'doxygen') # useless doxygen branding and some icons with the trade name
depends=(sh)
provides=(liblzma.so)
#options=('debug') ##### uncomment this to produce the debug pkg
url="https://xz.tukaani.org/xz-utils/"
# Release tarball followed by its detached signature. The order matters: the
# checksum array further down lists its entries in the same order.
source=(
  "https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"
  "https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz.sig"
)
#source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
# previous sources
# source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig})
# temporary use of unsigned mirror at SF since zoner.fi is down
# Sums same with arch
#source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz")
## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig})
#prepare() {
## cd ${pkgname}
# cd "${srcdir}/${pkgname}-${pkgver}"
# ./autogen.sh
#}
#prepare() {
# cd "${srcdir}/${pkgname}-${pkgver}"
#
# patch -p1 -i "${srcdir}/xzgrep-ZDI-CAN-16587.patch"
#}
# Configure and compile the unpacked release tree.
# Globals:   srcdir, pkgname, pkgver (read)
# Outputs:   whatever ./configure and make print
# Returns:   the exit status of make
build() {
  # Switches handed to ./configure, in the order they are passed.
  local -a configure_flags=(
    --prefix=/usr
    --disable-rpath
    --enable-werror
  )

  cd "${srcdir}/${pkgname}-${pkgver}"
  # cd ${pkgname}
  ./configure "${configure_flags[@]}"
  make
}
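## Some of the reading on this indicates the code is injected from
## binary blobs shipped with the following tests.
## NOTE(review): public write-ups describe the injection as happening in the
## release tarball's configure/make steps rather than in `make check`, so
## leaving check() disabled is not by itself a mitigation -- confirm before
## relying on it.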
#check() {
# cd "${srcdir}/${pkgname}-${pkgver}"
## cd ${pkgname}
# make check
#}
# Install the built tree into ${pkgdir} and add the licence symlinks.
# Globals:   srcdir, pkgdir, pkgname, pkgver (read)
# Returns:   the exit status of the final ln
package() {
  local license_dir="${pkgdir}/usr/share/licenses/xz/"
  local gpl2_link="${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"

  cd "${srcdir}/${pkgname}-${pkgver}"
  # cd ${pkgname}
  make DESTDIR="${pkgdir}" install

  install -d -m755 "${license_dir}"
  # Both link targets are absolute paths without the ${pkgdir} prefix, so they
  # resolve on the installed system, not inside the staging directory.
  ln -sf /usr/share/doc/xz/COPYING "${license_dir}"
  ln -sf /usr/share/licenses/common/GPL2/license.txt "${gpl2_link}"
}
#---- arch license gpg-key & sha256sums ----
arch=('x86_64')
license=(GPL LGPL custom)
# The single signing-key fingerprint accepted for the source signature.
validpgpkeys=(
  '3690C240CE51B4670D30AD1C38EE757D69184620' # Lasse Collin <lasse.collin@tukaani.org>
)
## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
# tarball sums
# NOTE(review): a matching checksum or signature only shows that the download
# equals what was recorded here. Per the notice in this file the 5.6.1 release
# itself carried the back door, so neither check vouches for its contents.
sha256sums=(
  '2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8' # xz-5.6.1.tar.gz
  '2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac' # xz-5.6.1.tar.gz.sig
)
# git sums
#sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
#sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz
## Removed --- Use arch core/xz instead for now
## 8466a47ac4224181b2f56bbf17ef7afea38849abd1d1ffa2da3b5ae8b1e7f941 xz-5.6.1-02-x86_64.pkg.tar.lz
##