Date: Saturday, January 30, 2016 @ 01:41:44 Author: allan Revision: 258692
archrelease: copy trunk to testing-i686, testing-x86_64 Added: pacman/repos/testing-i686/ pacman/repos/testing-i686/PKGBUILD (from rev 258691, pacman/trunk/PKGBUILD) pacman/repos/testing-i686/ensure-matching-database-and-package-version.patch (from rev 258691, pacman/trunk/ensure-matching-database-and-package-version.patch) pacman/repos/testing-i686/makepkg.conf (from rev 258691, pacman/trunk/makepkg.conf) pacman/repos/testing-i686/pacman.conf.i686 (from rev 258691, pacman/trunk/pacman.conf.i686) pacman/repos/testing-i686/pacman.conf.x86_64 (from rev 258691, pacman/trunk/pacman.conf.x86_64) pacman/repos/testing-x86_64/ pacman/repos/testing-x86_64/PKGBUILD (from rev 258691, pacman/trunk/PKGBUILD) pacman/repos/testing-x86_64/ensure-matching-database-and-package-version.patch (from rev 258691, pacman/trunk/ensure-matching-database-and-package-version.patch) pacman/repos/testing-x86_64/makepkg.conf (from rev 258691, pacman/trunk/makepkg.conf) pacman/repos/testing-x86_64/pacman.conf.i686 (from rev 258691, pacman/trunk/pacman.conf.i686) pacman/repos/testing-x86_64/pacman.conf.x86_64 (from rev 258691, pacman/trunk/pacman.conf.x86_64) -------------------------------------------------------------------+ testing-i686/PKGBUILD | 90 ++++++ testing-i686/ensure-matching-database-and-package-version.patch | 60 ++++ testing-i686/makepkg.conf | 147 ++++++++++ testing-i686/pacman.conf.i686 | 91 ++++++ testing-i686/pacman.conf.x86_64 | 100 ++++++ testing-x86_64/PKGBUILD | 90 ++++++ testing-x86_64/ensure-matching-database-and-package-version.patch | 60 ++++ testing-x86_64/makepkg.conf | 147 ++++++++++ testing-x86_64/pacman.conf.i686 | 91 ++++++ testing-x86_64/pacman.conf.x86_64 | 100 ++++++ 10 files changed, 976 insertions(+) Copied: pacman/repos/testing-i686/PKGBUILD (from rev 258691, pacman/trunk/PKGBUILD) =================================================================== --- testing-i686/PKGBUILD (rev 0) +++ testing-i686/PKGBUILD 2016-01-30 00:41:44 UTC (rev 258692) 
@@ -0,0 +1,90 @@
+# vim: set ts=2 sw=2 et:
+# $Id$
+# Maintainer: Dan McGee <d...@archlinux.org>
+# Maintainer: Dave Reisner <dreis...@archlinux.org>
+
+pkgname=pacman
+pkgver=5.0.0
+pkgrel=1
+pkgdesc="A library-based package manager with dependency support"
+arch=('i686' 'x86_64')
+url="http://www.archlinux.org/pacman/"
+license=('GPL')
+groups=('base' 'base-devel')
+depends=('bash' 'glibc' 'libarchive' 'curl'
+ 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
+makedepends=('asciidoc') # roundup patch alters docs
+checkdepends=('python2' 'fakechroot')
+provides=('pacman-contrib')
+conflicts=('pacman-contrib')
+replaces=('pacman-contrib')
+backup=(etc/pacman.conf etc/makepkg.conf)
+options=('strip' 'debug')
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+ pacman.conf.i686
+ pacman.conf.x86_64
+ makepkg.conf)
+md5sums=('9ecf8a5b659c0e02232c945ab198e6e1'
+ 'SKIP'
+ 'bdb40c76225c2fd8874bd34b6a3f6ad7'
+ 'c511ee4c7a86a37e8841440ede89300d'
+ 'f5b59fe5f016eebd9590318530bbd996')
+validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <al...@archlinux.org>
+
+
+build() {
+ cd "$pkgname-$pkgver"
+
+ ./configure --prefix=/usr --sysconfdir=/etc \
+ --localstatedir=/var --enable-doc \
+ --with-scriptlet-shell=/usr/bin/bash \
+ --with-ldconfig=/usr/bin/ldconfig
+ make V=1
+ make -C contrib
+}
+
+check() {
+ make -C "$pkgname-$pkgver" check
+}
+
+package() {
+ cd "$pkgname-$pkgver"
+
+ make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -C contrib install
+
+ # install Arch specific stuff
+ install -dm755 "$pkgdir/etc"
+ install -m644 "$srcdir/pacman.conf.$CARCH" "$pkgdir/etc/pacman.conf"
+
+ case $CARCH in
+ i686)
+ mycarch="i686"
+ mychost="i686-pc-linux-gnu"
+ myflags="-march=i686"
+ ;;
+ x86_64)
+ mycarch="x86_64"
+ mychost="x86_64-unknown-linux-gnu"
+ myflags="-march=x86-64"
+ ;;
+ esac
+
+ # set things correctly in the default conf file
+ install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+ sed -i
"$pkgdir/etc/makepkg.conf" \
+ -e "s|@CARCH[@]|$mycarch|g" \
+ -e "s|@CHOST[@]|$mychost|g" \
+ -e "s|@CARCHFLAGS[@]|$myflags|g"
+
+ # put bash_completion in the right location
+ install -dm755 "$pkgdir/usr/share/bash-completion/completions"
+ mv "$pkgdir/etc/bash_completion.d/pacman" "$pkgdir/usr/share/bash-completion/completions"
+ rmdir "$pkgdir/etc/bash_completion.d"
+
+ for f in makepkg pacman-key; do
+ ln -s pacman "$pkgdir/usr/share/bash-completion/completions/$f"
+ done
+
+ install -Dm644 contrib/PKGBUILD.vim "$pkgdir/usr/share/vim/vimfiles/syntax/PKGBUILD.vim"
+}
Copied: pacman/repos/testing-i686/ensure-matching-database-and-package-version.patch (from rev 258691, pacman/trunk/ensure-matching-database-and-package-version.patch)
===================================================================
--- testing-i686/ensure-matching-database-and-package-version.patch (rev 0)
+++ testing-i686/ensure-matching-database-and-package-version.patch 2016-01-30 00:41:44 UTC (rev 258692)
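Review bot: In testing-i686/PKGBUILD the `source=()` array lists only the tarball, its signature and the three config files, and there is no `prepare()` step, so the `ensure-matching-database-and-package-version.patch` copied in by this same commit is never applied. If pacman 5.0.0 already carries that downgrade-protection fix (not verifiable from this page), the patch file is dead and should be removed from the directory; if it does not, the patch needs a `source` entry and a `patch -p1 -i` call before `./configure`. The three local config files are pinned only through `md5sums` and have no PGP signature, so switching the array to `sha256sums=(...)` would give them a collision-resistant pin. The same applies to testing-x86_64/PKGBUILD.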
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthr...@archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthr...@archlinux.org>
+Signed-off-by: Remi Gacogne <rgaco...@archlinux.org>
+Signed-off-by: Allan McRae <al...@archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle,
ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++ error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
Copied: pacman/repos/testing-i686/makepkg.conf (from rev 258691, pacman/trunk/makepkg.conf)
===================================================================
--- testing-i686/makepkg.conf (rev 0)
+++ testing-i686/makepkg.conf 2016-01-30 00:41:44 UTC (rev 258692)
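Review bot: In the block this patch adds to `load_packages`, the name mismatch, the version mismatch and the load failure are all reported at `ALPM_LOG_DEBUG`, so at default verbosity the downgrade case described in the commit message leaves no record of which version was expected and which one arrived. Raising the two mismatch messages to `ALPM_LOG_ERROR` would make the event visible to the user and to anything that watches the log. Separately, when `pkgfile` loaded successfully but failed a comparison, the shared `if(error != 0)` branch frees only `filepath`; the rest of that branch lies outside the hunk, but unless `pkgfile` is released there the loaded package object leaks on every mismatch. The identical patch under testing-x86_64 has the same two points.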
@@ -0,0 +1,147 @@
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+# Format: 'protocol::agent'
+DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+ 'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'rsync::/usr/bin/rsync --no-motd -z %u %o'
+ 'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+# Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+ 'git::git'
+ 'hg::mercurial'
+ 'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="@CARCH@"
+CHOST="@CHOST@"
+
+#-- Compiler and Linker Flags
+# -march (or -mcpu) builds exclusively for an architecture
+# -mtune optimizes for an architecture, but builds for whole processor family
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong"
+CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
+# A negated environment option will do the opposite of the comments below.
+#
+#-- distcc: Use the Distributed C/C++/ObjC compiler
+#-- color: Colorize output messages
+#-- ccache: Use ccache to cache compilation
+#-- check: Run the check() function if present in the PKGBUILD
+#-- sign: Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+# These are default values for the options=() settings
+#########################################################################
+#
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
+# A negated option will do the opposite of the comments below.
+#
+#-- strip: Strip symbols from binaries/libraries
+#-- docs: Save doc directories specified by DOC_DIRS
+#-- libtool: Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs: Leave empty directories in packages
+#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge: Remove files specified by PURGE_TARGETS
+#-- upx: Compress binary executable files using UPX
+#-- optipng: Optimize PNG images with optipng
+#-- debug: Add debugging flags as specified in DEBUG_* variables
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
+INTEGRITY_CHECK=(md5)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries.
See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <j...@doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+# WARNING: Do NOT modify these variables unless you know what you are
+# doing.
+#
+PKGEXT='.pkg.tar.xz'
+SRCEXT='.src.tar.gz'
+
+# vim: set ft=sh ts=2 sw=2 et:
Copied: pacman/repos/testing-i686/pacman.conf.i686 (from rev 258691, pacman/trunk/pacman.conf.i686)
===================================================================
--- testing-i686/pacman.conf.i686 (rev 0)
+++ testing-i686/pacman.conf.i686 2016-01-30 00:41:44 UTC (rev 258692)
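Review bot: `INTEGRITY_CHECK=(md5)` in testing-i686/makepkg.conf makes MD5 the digest makepkg generates by default, although the comment directly above it lists sha256 as a valid value; `INTEGRITY_CHECK=(sha256)` is the safer default for sources that carry no PGP signature. `LDFLAGS` also passes `-z,relro` without `-z,now`, which leaves binaries built with these defaults at partial RELRO; appending `,-z,now` is worth considering if the start-up cost is acceptable. testing-x86_64/makepkg.conf is an identical copy and has the same two settings.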
@@ -0,0 +1,91 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
Copied: pacman/repos/testing-i686/pacman.conf.x86_64 (from rev 258691, pacman/trunk/pacman.conf.x86_64)
===================================================================
--- testing-i686/pacman.conf.x86_64 (rev 0)
+++ testing-i686/pacman.conf.x86_64 2016-01-30 00:41:44 UTC (rev 258692)
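Review bot: The comment above `SigLevel = Required DatabaseOptional` in testing-i686/pacman.conf.i686 says pacman accepts unsigned packages, which contradicts `Required`; it should read along the lines of `# By default, pacman requires packages to be signed by a key its local keyring trusts; sync databases may be unsigned.` `DatabaseOptional` means a sync database without a signature is still accepted, which appears to be the precondition for the crafted-database scenario described in the patch file shipped with this commit, so the reason for keeping that default deserves a comment line of its own. The same stale comment is in pacman.conf.x86_64 and in both testing-x86_64 copies.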
@@ -0,0 +1,100 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
Copied: pacman/repos/testing-x86_64/PKGBUILD (from rev 258691, pacman/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2016-01-30 00:41:44 UTC (rev 258692)
@@ -0,0 +1,90 @@
+# vim: set ts=2 sw=2 et:
+# $Id$
+# Maintainer: Dan McGee <d...@archlinux.org>
+# Maintainer: Dave Reisner <dreis...@archlinux.org>
+
+pkgname=pacman
+pkgver=5.0.0
+pkgrel=1
+pkgdesc="A library-based package manager with dependency support"
+arch=('i686' 'x86_64')
+url="http://www.archlinux.org/pacman/"
+license=('GPL')
+groups=('base' 'base-devel')
+depends=('bash' 'glibc' 'libarchive' 'curl'
+ 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
+makedepends=('asciidoc') # roundup patch alters docs
+checkdepends=('python2' 'fakechroot')
+provides=('pacman-contrib')
+conflicts=('pacman-contrib')
+replaces=('pacman-contrib')
+backup=(etc/pacman.conf etc/makepkg.conf)
+options=('strip' 'debug')
+source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig}
+ pacman.conf.i686
+ pacman.conf.x86_64
+ makepkg.conf)
+md5sums=('9ecf8a5b659c0e02232c945ab198e6e1'
+ 'SKIP'
+ 'bdb40c76225c2fd8874bd34b6a3f6ad7'
+ 'c511ee4c7a86a37e8841440ede89300d'
+ 'f5b59fe5f016eebd9590318530bbd996')
+validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD') # Allan McRae <al...@archlinux.org>
+
+
+build() {
+ cd "$pkgname-$pkgver"
+
+ ./configure --prefix=/usr --sysconfdir=/etc \
+ --localstatedir=/var --enable-doc \
+ --with-scriptlet-shell=/usr/bin/bash \
+ --with-ldconfig=/usr/bin/ldconfig
+ make V=1
+ make -C contrib
+}
+
+check() {
+ make -C "$pkgname-$pkgver" check
+}
+
+package() {
+ cd "$pkgname-$pkgver"
+
+ make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -C contrib install
+
+ # install Arch specific stuff
+ install -dm755 "$pkgdir/etc"
+ install -m644 "$srcdir/pacman.conf.$CARCH" "$pkgdir/etc/pacman.conf"
+
+ case $CARCH in
+ i686)
+ mycarch="i686"
+ mychost="i686-pc-linux-gnu"
+ myflags="-march=i686"
+ ;;
+ x86_64)
+ mycarch="x86_64"
+ mychost="x86_64-unknown-linux-gnu"
+ myflags="-march=x86-64"
+ ;;
+ esac
+
+ # set things correctly in the default conf file
+ install -m644 "$srcdir/makepkg.conf" "$pkgdir/etc"
+ sed -i
"$pkgdir/etc/makepkg.conf" \
+ -e "s|@CARCH[@]|$mycarch|g" \
+ -e "s|@CHOST[@]|$mychost|g" \
+ -e "s|@CARCHFLAGS[@]|$myflags|g"
+
+ # put bash_completion in the right location
+ install -dm755 "$pkgdir/usr/share/bash-completion/completions"
+ mv "$pkgdir/etc/bash_completion.d/pacman" "$pkgdir/usr/share/bash-completion/completions"
+ rmdir "$pkgdir/etc/bash_completion.d"
+
+ for f in makepkg pacman-key; do
+ ln -s pacman "$pkgdir/usr/share/bash-completion/completions/$f"
+ done
+
+ install -Dm644 contrib/PKGBUILD.vim "$pkgdir/usr/share/vim/vimfiles/syntax/PKGBUILD.vim"
+}
Copied: pacman/repos/testing-x86_64/ensure-matching-database-and-package-version.patch (from rev 258691, pacman/trunk/ensure-matching-database-and-package-version.patch)
===================================================================
--- testing-x86_64/ensure-matching-database-and-package-version.patch (rev 0)
+++ testing-x86_64/ensure-matching-database-and-package-version.patch 2016-01-30 00:41:44 UTC (rev 258692)
@@ -0,0 +1,60 @@
+From deac9731884a83ad91eab9f27b288f406f56c87b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <anthr...@archlinux.org>
+Date: Sat, 18 Jul 2015 17:58:23 +0200
+Subject: [PATCH] ensure matching database and package version
+
+While loading each package ensure that the internal version matches the
+expected database version to avoid the possibility to circumvent the
+version check.
+This issue can be used by an attacker to trick the software into
+installing an older version. The behavior can be exploited by a
+man-in-the-middle attack through specially crafted database tarball
+containing a higher version, yet actually delivering an older and
+vulnerable version, which was previously shipped.
+
+Signed-off-by: Levente Polyak <anthr...@archlinux.org>
+Signed-off-by: Remi Gacogne <rgaco...@archlinux.org>
+Signed-off-by: Allan McRae <al...@archlinux.org>
+---
+ lib/libalpm/sync.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
+index 888ae15..e843b07 100644
+--- a/lib/libalpm/sync.c
++++ b/lib/libalpm/sync.c
+@@ -1212,6 +1212,7 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ EVENT(handle, &event);
+
+ for(i = handle->trans->add; i; i = i->next, current++) {
++ int error = 0;
+ alpm_pkg_t *spkg = i->data;
+ char *filepath;
+ int percent = (int)(((double)current_bytes / total_bytes) * 100);
+@@ -1232,6 +1233,23 @@ static int load_packages(alpm_handle_t *handle, alpm_list_t **data,
+ spkg->name);
+ alpm_pkg_t *pkgfile =_alpm_pkg_load_internal(handle, filepath, 1);
+ if(!pkgfile) {
++ _alpm_log(handle, ALPM_LOG_DEBUG, "failed to load pkgfile internal\n");
++ error = 1;
++ } else {
++ if(strcmp(spkg->name, pkgfile->name) != 0) {
++ _alpm_log(handle, ALPM_LOG_DEBUG,
++ "internal package name mismatch, expected: '%s', actual: '%s'\n",
++ spkg->name, pkgfile->name);
++ error = 1;
++ }
++ if(strcmp(spkg->version, pkgfile->version) != 0) {
++ _alpm_log(handle,
ALPM_LOG_DEBUG,
++ "internal package version mismatch, expected: '%s', actual: '%s'\n",
++ spkg->version, pkgfile->version);
++ error = 1;
++ }
++ }
++ if(error != 0) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(spkg->filename));
+ free(filepath);
+--
+2.4.6
+
Copied: pacman/repos/testing-x86_64/makepkg.conf (from rev 258691, pacman/trunk/makepkg.conf)
===================================================================
--- testing-x86_64/makepkg.conf (rev 0)
+++ testing-x86_64/makepkg.conf 2016-01-30 00:41:44 UTC (rev 258692)
@@ -0,0 +1,147 @@
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+# Format: 'protocol::agent'
+DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+ 'http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'https::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'rsync::/usr/bin/rsync --no-motd -z %u %o'
+ 'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+# Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+ 'git::git'
+ 'hg::mercurial'
+ 'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="@CARCH@"
+CHOST="@CHOST@"
+
+#-- Compiler and Linker Flags
+# -march (or -mcpu) builds exclusively for an architecture
+# -mtune optimizes for an architecture, but builds for whole processor family
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong"
+CXXFLAGS="@CARCHFLAGS@ -mtune=generic -O2 -pipe -fstack-protector-strong"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
+# A negated environment option will do the opposite of the comments below.
+#
+#-- distcc: Use the Distributed C/C++/ObjC compiler
+#-- color: Colorize output messages
+#-- ccache: Use ccache to cache compilation
+#-- check: Run the check() function if present in the PKGBUILD
+#-- sign: Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+# These are default values for the options=() settings
+#########################################################################
+#
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
+# A negated option will do the opposite of the comments below.
+#
+#-- strip: Strip symbols from binaries/libraries
+#-- docs: Save doc directories specified by DOC_DIRS
+#-- libtool: Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs: Leave empty directories in packages
+#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge: Remove files specified by PURGE_TARGETS
+#-- upx: Compress binary executable files using UPX
+#-- optipng: Optimize PNG images with optipng
+#-- debug: Add debugging flags as specified in DEBUG_* variables
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
+INTEGRITY_CHECK=(md5)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries.
See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <j...@doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+# WARNING: Do NOT modify these variables unless you know what you are
+# doing.
+#
+PKGEXT='.pkg.tar.xz'
+SRCEXT='.src.tar.gz'
+
+# vim: set ft=sh ts=2 sw=2 et:
Copied: pacman/repos/testing-x86_64/pacman.conf.i686 (from rev 258691, pacman/trunk/pacman.conf.i686)
===================================================================
--- testing-x86_64/pacman.conf.i686 (rev 0)
+++ testing-x86_64/pacman.conf.i686 2016-01-30 00:41:44 UTC (rev 258692)
@@ -0,0 +1,91 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
Copied: pacman/repos/testing-x86_64/pacman.conf.x86_64 (from rev 258691, pacman/trunk/pacman.conf.x86_64)
===================================================================
--- testing-x86_64/pacman.conf.x86_64 (rev 0)
+++ testing-x86_64/pacman.conf.x86_64 2016-01-30 00:41:44 UTC (rev 258692)
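Review bot: The comment above `SigLevel` in `[options]` says pacman accepts unsigned packages, but the value set right below it, `SigLevel = Required DatabaseOptional`, requires a valid package signature and leaves only the sync database signature optional, so the comment does not describe this file. I would reword it to `# Packages must carry a valid signature from a key the local keyring trusts; database signatures are checked only when present.` The commented `[custom]` example at the end of the hunk uses `SigLevel = Optional TrustAll`, which would accept unsigned packages and any keyring key regardless of trust level for that repository once uncommented; a caveat line such as `# Optional TrustAll relaxes signature checks; use only for repositories you build yourself` would make that explicit. Both points apply unchanged to the pacman.conf.x86_64 hunk that follows.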
@@ -0,0 +1,100 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs