Changes:
- Only fallback to YAML if UCL parsing fails
- pkg2ng: Hide warnings about @mtree, @stopdaemon, @comment
@display and @conflicts
- Fix escaping issues with COMMENT
- pkg add: Fix -A to properly mark package as automatic
- pkg2ng: Fix over NFS
- pkg2ng: Show message while analyzing shared libraries
This update includes a security update for possible arbitrary code
execution from package manifest parsing. All users are advised to
upgrade ASAP. The base pkg(7) was never affected by this. [1]
Changes:
* Fix libyaml head-based buffer overflow [1]
* Fix pkg info -E support for ports, which namely affected
net/openldap* usage. [2]
* Fix packages registering themselves as dependencies [3]
* Bash autocompletion fixes [4]
* autoremove: Don't try to remove locked packages
* Support 'pkg bootstrap -f', which will force a reinstall of pkg
on FreeBSD 10.0+
* Fix %t timestamp formatter with %{...%} modifiers [5]
* pkg info: Show date installed
* Add $daily_status_security_pkgaudit_quiet to control 410.pkg-audit.in
output verbosity level
* Add an error when trying to update repository and none are defined [6]
* Fix typos in manpages [7]
Security: CVE-2013-6393 [1]
Reported by: secteam (delphij) [1]
PR: ports/184797 [2]
Reported by: Pavel Timofeev <timp87@gmail.com> [2], many
Submitted by: smh@ [3]
Submitted by: brd@ [4]
Submitted by: Jamie Landeg Jones [5]
Submitted by: Rodrigo Osorio [6]
Submitted by: Michael Gehring, wblock [7]
With hat: portmgr
MFH: 2014Q1
- Manpage improvements
- fix $auditfile in pkg audit periodic script
- Fix repo-*.sqlite being corrupted when pkg update is interrupted by the user
- pkg add now tells the version of the package missing
- Strop decoding/encoding all fields, only scripts and description are now encoded/decoded
It only happens if one has list or key/value list in pkg.conf
a workaround to update is to comment it out the time to upgrade
Reported by: many
Pointyhat to: bapt (again)
Changes:
- Fix segfault in pkg audit -F [1]
- Fix multiple segfault when using eventpipe [2]
- Fix REPOS_DIR being appended instead of overwritten when modified from pkg.conf
Reported by: many [1]
Reported by: kmoore [2]
Changes:
- Workaround a bug in bsd.*.mk on FreeBSD 8.x
- Fix a pkg repo segfault
- Document aliases in pkg.conf(5)
- Be more verbose when refusing a repository configuration file
- Sync libucl with upstream (bug fixes)
- Fix a fd leak in pkg repo
- Fix memory leaks due bad usage of libarchive
Changelog:
- Fix pkg which returns bogus non-zero exit status on success
- Better check libucl returns
- Fix bad build system resulting in broken binaries on arm and ia64
- Update pkg.conf documentation
- Add manpage for pkg config
- OOTB support for dragonfly
- Lots of fixes in libucl
- Fix pkg register complaining about shared libraries not found
- Do not resume a jailed or chrooted pkg(8) upgrade
- Document the plist format (in pkg-create(8))
- Pet mandoc -Tlint
- Add manpage for pkg_repos(3)
- Fix dependencies losing portepoch information
- pkg-[r]query: Add %q to display architecture
- Fix pkg add allowing to install package with missing dependencies
- Fix description being stored escaped
Special thanks to mat@ (for bug busting) and cognet@ (tracking down 2 issues
on arm and as a side effect fixing on ia64
With the PKG_PORTSDIR make argument set, Release 1.2.2 will properly build
pkg when PORTSDIR doesn't equal the default /usr/ports, as is the standard
case with DragonFly.
Additionally, pkg(8) and pkg-static(8) man pages are conditionally edited
to remove references to the -j option when libjail isn't found on the
system. This extra-patch should never be used on FreeBSD.
Changes:
- Fix pkg rquery always printing index like lines
- Fix pkg -vv suggestion so it print something actually usable
- Fix shlib's -P and -R options were swapped round.
- Replace broken pkg_repos_count() by pkg_repos_total_count() and pkg_repos_activated_count()
- Fix parsing of options (in manifest)
- pkg add http:// now fetch to a temporary location and cleanup after itself
- Fix generation of the manifest digest
- Properly calculate how many packages where removed
- Fix support for dependencies with the same name (grrrr Fix you port if they have package name collision !!!!)
- Fix pkg info -R in case multiple dependencies has the same name
Changelog:
- Improved build system
- Allow to hook plugins, before closing the local db if it was opened in RW mode
- Allow ARCH to be printed by pkg info
- New pkg bootstrap subcommand that is the counter part of the pkg(7) bootstrap subcommand
- Use port specified in the SRV entries to connect to a given mirror
- Properly support srv priority/weigh when ordering mirrors
- Lots of spelling/grammar fixes
- Broken incremental pkg repo support was removed.
- ABI is now checked again using globs:
* a 'noarch' package should just specify: ARCH: 'freebsd:*'
* a package working on both i386 and amd64: ARCH: 'freebsd:9:x86:*'
- new pkg config subcommand to allow direct query of options
- options can now have a description
- pkg repo can now take new arguments:
pkg repo [path] [rsa_key|'signing_command: <command>']
This allow calling external command to perform the signing and
pass the checksum to be signed in the command stdin.
- in case pkg info is querying a file or is a single direct match
query then default on -f
- pkg info -q is now equivalent of pkg info -qa
- expat is now always bundled (for vuxml)
- vuxml is now the default source for pkg audit
- Accept empty/comment only configuration files
- Print a pkg name only once - even if multiple vulns were found - when using -q
in pkg audit
- pkg info now default on glob matching
- Support for pkg+foo url scheme where foo can be (http, https, ftp).
- pkg add is now able to read the packages from a pipe or a non-regular
file '-' is an alias for stdin, this also works from pipes, fifos,
unix domain sockets etc.
- New 'fingerprint' kind of signature:
if a repository is declared using the fingerprint type of
signature, a fingerprint directory should also be provided.
Inside that fingerprint directory should be 2 directories:
trusted and revoked. Those directories will contains files (in
yaml/ucl format) containing the fingerprint of the trusted
certificated and the revoked ones:
--- begins --
function: sha256
fingerprint: an_hex_representation_of_the_fingerprint
--- ends ---
All unknown attribute will be silently ignored to allow extending
in the future.
It also support multiple signatures inside the catalog. the
catalog should provide the signature in the following form:
name.sig
name.cert
- packagesite in pkg.conf is deprecated in favour using dedicated
repository configuration files
- REPO_DIR is now a list instead of a simple string
- New git like aliases to allow creating custom commands
- Allow using '?' operator in pkg query expressions
- Fix ssh:// support
- New PKG_SSH_ARGS to allow passing custom arguments to ssh command
used for the ssh:// protocol
- Do not generate catalogs in pkg 1.0 format anymore.
- YAML is replaced by UCL format:
Both formats are really simular. pkg(8) will falls back on parsing YAML
when the UCL parser fail. And will emit a warning to the
user showing a syntax that is compatible with both YAML and UCL.
More informations on UCL: https://github.com/vstakhov/libucl
- Dependencies on library is now automatic via pkg register and pkg
create
- Auto upgrade of pkg(8) now restart the upgrade process automatically
- Lots of bug fixes discovered by Coverity Scan
- New debug level traces
- Bug fixes in zsh completion
- rquery can now take a -I argument to output index like lines (needed for
bsdconfig)
- Skip self upgrade with -F is passed
- Autodetect if libelf should be used bundled
- Lots of bug fixes
Thanks a lot to all people allowed this release to happen, may that be from providing
code, ideas, submitting bugs, documenting or just supporting.
Changes:
* When using SRV mirrors, order the mirrors by the advertised
priority and weight. This should fix 'pkg update' using mirror
A while 'pkg upgrade' and 'pkg fetch' end up using mirrors
A, B and C, resulting in checksum errors due to not all mirrors
being updated at the same time.
* Add support for 'pkg+http://' URL scheme and deprecate
'http://' when using SRV mirroring. This is only a cosmetic change
that encourages users to not try loading the PACKAGESITE into
a browser to view it.
Discussed with: bapt
With hat: portmgr
Obtained from: upstream git
Changes:
* Fix crash when opening repository in some cases
* Fix build with -Werror
* Fix 'pkg install [-f] pkg' not finding results
* Fix 'pkg upgrade -f' always wanting to upgrade pkg first
* Fix 'pkg install -R' always wanting to install pkg first
* Fix backwards compatibility for 1.0-built packages for
tracking shlibs. This may cause some packages to be
reinstalled after the repository is updated.
* Fix pkg (upgrade|fetch|install) -r <repo> crash
* Fix crash when specifying invalid repo with -r
Changes:
- Fix repository signing verification with new format during update
- Disable terminal title setting
- Fix %a/%k returning true/false instead of 0/1
- Various memory/fd leaks have been fixed
- Fixed pkg self-upgrade detection
- ZSH completion fixes
- Several crashes fixed
With hat: portmgr
This was showing as a warning in portmaster/portupgrade and could
have caused packages to be registered incorrectly automatic/non-automatic
on upgrade.
Reported by: many
Obtained from: upstream git
Changes:
- Fix install|upgrade -f not executing post-install scripts [1]
- Fix bad size calculation on i386 for pkg delete (always say 4G will be freed)
- Fix pkg query '%sh' now properly converting to human number on i386
- Fix zsh completion missing ']' [2]
- Fix pkg stats in case no remote repositories are configured [3]
Reported by: ohauer [1], Kimmo Paasiala via github issue #520 [2], rene [3]
Changes since 1.0.X:
- new simpler and more reliable solver
- shared libraries are now always tracked
- ssh:// is supported as a protocol to distribute packages (needs pkg 1.1+ on
the server hosting the packages)
- multirepository is no longer considered experimental and works by default.
- incremental update of the catalog (only if the repository was created by pkg
1.1+)
- simplification of the public API
- stabilisation of the public API (we will now try to keep it stable and if
change are needed there will be deprecation time before removal of some old
functions)
- new experimental pkg convert (can convert from and to legacy pkg database)
pkg2ng now uses pkg convert (still recommanded to use pkg2ng)
- new pkg lock/unlock to prevent any manipulation of a given package (no
upgrade,delete,etc)
- improved UI (now you can see the progress of an upgrade what is left to be
done)
- new pkg annotation to allow one to add annotations (free form key/value) to a
package)
- pkg audit is now able to directly parse the vuxml native format and not only
the compact version
- pkg -vv now shows all available options and their current settings
- pkg -vvv now shows a description of all the available options
- pkg info now automatically considers the query as globbing if * is in the
requested pattern
- new hook plugin interface (allows users to create hooks that get called at
anytime during and upgrade/installation/deletion of a package)
- new cmd plugin interface (allows users to create new sub command available for
pkg)
- pkg register can now register a port installation in the legacy database
format
- repository can be defined in simple yaml files
- Explain why a package is being reinstalled
- A package can now be marked to only be upgraded from a given repository via
annotations
- install and upgrade will show from which repository packages are taken from
- old/unused 'informations' field has been removed in favor of using
annotations
- pkg repo produce a repo.txz in pkg 1.0 (legacy) fromat
Internal:
- massive usage of hash tables (uthash), which simplifies a lot of the code,
and improves performances
- lots of optimisation in plist and manifest parsing
- lots of optimisation in loading packages (mmap used when possible)
- lots of cleanup in memory usage
- regression test framework is now ready (using atf) regression test are slowly
being added and populated.
Prevent 'pkg update' will always think that the repo is up to date if no mtime header is sent by the http server [2]
Bump port revision
Reported by: adrian[1], hrs [1]
Tested by: hrs [1]
Submitted by: cperciva [2]
Changes:
- Add pkg -N to detect if pkgng is installed and activated.
See pkg(8) for usage as this is not completely safe for 9.1's
bootstrapper.
- Update manpages with examples
- Fix crash in shlib handling (was already in port)
- Fix shlibs scanning over NFS
- Update to new repository/upstream URL at
http://github.com/freebsd/pkg
With hat: portmgr
pkg.
Here is the list of new features that happened in pkg 1.1:
- new simpler and more reliable solver
- shared libraries are now always tracked
- ssh:// is supported as a protocol to distribute packages (needs pkg 1.1+ on
the server hosting the packages)
- multirepository is no longer considered experimental and works by default.
- incremental update of the catalog (only if the repository was created by pkg
1.1+)
- simplification of the public API
- stabilisation of the public API (we will now try to keep it stable and if
change are needed there will be deprecation time before removal of some old
functions)
- new experimental pkg convert (can convert from and to legacy pkg database)
pkg2ng now uses pkg convert (still recommanded to use pkg2ng)
- new pkg lock/unlock to prevent any manipulation of a given package (no
upgrade,delete,etc)
- improved UI (now you can see the progress of an upgrade what is left to be
done)
- new pkg annotation to allow one to add annotations (free form key/value) to a
package)
- pkg audit is now able to directly parse the vuxml native format and not only
the compact version
- pkg -vv now shows all available options and their current settings
- pkg -vvv now shows a description of all the available options
- pkg info now automatically considers the query as globbing if * is in the
requested pattern
- new hook plugin interface (allows users to create hooks that get called at
anytime during and upgrade/installation/deletion of a package)
- new cmd plugin interface (allows users to create new sub command available for
pkg)
- pkg register can now register a port installation in the legacy database
format
- repository can be defined in simple yaml files
Internal:
- massive usage of hash tables (uthash), which simplifies a lot of the code,
and improves performances
- lots of optimisation in plist and manifest parsing
- lots of optimisation in loading packages (mmap used when possible)
- lots of cleanup in memory usage
- regression test framework is now ready (using atf) regression test are slowly
being added and populated.
To use this new version:
Ports users (or in building factories: poudriere/tinderbox):
Add WITH_PKGNG=devel to your make.conf
pkg set -o ports-mgmt/pkg:ports-mgmt/pkg-devel
Binary package users, if the remote repository is providing pkg 1.1:
pkg set -o ports-mgmt/pkg:ports-mgmt/pkg-devel
pkg upgrade
Note that pkg 1.1 can use a repository created for pkg 1.0 and vis versa.
Huge thanks to all the people that have contributed to the pkg developement:
- may that be by code
- documentation
- bug report
- feedback
- ideas
List of people who contributed code:
Baptiste Daroussin, Matthew Seaman, Bryan Drewery, Vsevolod Stakhov,
Marin Atanasov Nikolov, Alexandre Perrin, Romain Tartière, Julien Laffaye,
Glen Barber, John Marino, Alex Kozlov, Roman Naumann, Sofian Brabez,
Alberto Villa, Will Andrews, Eitan Adler, Dan McGregor, namor, niamtokik,
Arthur Gautier, Garrett Cooper, Andrew Turner, Jeremy Chadwick,
Hajimu UMEMOTO, Mark Lokowich, Eygene Ryabinkin, Pietro Cerutti,
Rolf Grossmann, Ed Schouten, Dimitry Andric, David Forsythe, Stefan Grundmann,
Craig Rodrigues, Antoine Brodin, Andrey Zonov, Joel Dahl
Stats between 1.0 and 1.1:
287 files changed, 63418 insertions(+), 18763 deletions(-)
1198 commits
