commit:     56f0bb584949a4b8946dd5e79e0398e73aaf06e0
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Mar 29 22:45:41 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Mar 29 22:52:30 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56f0bb58

app-arch/xz-utils: add/restore 5.4.2

This is the last release signed by Lasse Collin, the previous signer of xz-utils
releases.

Downgrade to this out of an abundance of caution. We are not aware of any issues
that *specifically* require this.

Note that the Manifest matches dfcc1f271fa3da8b8710c80737e85a7347f16ba0 from
when 5.4.2 was removed from ::gentoo in the past.

Bug: https://bugs.gentoo.org/928134
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-arch/xz-utils/Manifest              |   2 +
 app-arch/xz-utils/xz-utils-5.4.2.ebuild | 140 ++++++++++++++++++++++++++++++++
 profiles/package.mask                   |  11 ++-
 3 files changed, 152 insertions(+), 1 deletion(-)

diff --git a/app-arch/xz-utils/Manifest b/app-arch/xz-utils/Manifest
index 06fafaca4b3e..1cba80db1e9c 100644
--- a/app-arch/xz-utils/Manifest
+++ b/app-arch/xz-utils/Manifest
@@ -1,3 +1,5 @@
+DIST xz-5.4.2.tar.gz 2799022 BLAKE2B 
3c622b0823f0cbb5fbc5eaa0372fc2f0fefe0950d131417f831bce47b6d9747d145429f0649de106819331f9ae6a289c497182c7b6d1e211513308dd083a9b72
 SHA512 
149f980338bea3d66de1ff5994b2b236ae1773135eda68b62b009df0c9dcdf5467f8cb2c06da95a71b6556d60bd3d21f475feced34d5dfdb80ee95416a2f9737
+DIST xz-5.4.2.tar.gz.sig 566 BLAKE2B 
95c9c70fdd25b92095dd9691e4d9d4306a3f982becfe7bd42ca6132a76f29be2c2bc66f4fc2bda547058c18e227292f4185799eb905084fc3ab415ae867b4b1b
 SHA512 
30e965c228ed3a8ecb804db8eb11703a765b7ee934030ea69bb3940b630811eb71bf74fd20371ef7759761904ece4f0144a0b00be4d843cf98299fd016f161aa
 DIST xz-5.4.6.tar.gz 2889306 BLAKE2B 
f0bbd33ea7cd64d475c3501f6e76080c8c0080e377f23462f5f76459935f4e621538ddaa8452d2feaed278d62a596e38ed2aca18ed9e76512c4ec77fa2f4cc5f
 SHA512 
b08a61d8d478d3b4675cb1ddacdbbd98dc6941a55bcdd81a28679e54e9367d3a595fa123ac97874a17da571c1b712e2a3e901c2737099a9d268616a1ba3de497
 DIST xz-5.4.6.tar.gz.sig 566 BLAKE2B 
808f1b5e2a17729f36a05ba88a9c00210cda2afa02923e6f289d13dc2a48f7674cafec6e25660e142d67f01dd941c7390cee2757b054df3a3193dde0791363a1
 SHA512 
d5e32b944e7492a32c40f675d918796e077f63490a23c6fce5c4d6d1eebc443f129d27a2e888913c5a36c3ffdac75b9c96c1749402283445e0ba9ff72b965741
 DIST xz-5.6.1.tar.gz 3045434 BLAKE2B 
b3fc3140c9655e812a03800a5ed8ac709aaafaee2ce5d3a62defdd085e643fa639de44beb64833160f4eb12829ad25b96d9f50a8c3d56d79cd5bbef71b9009b2
 SHA512 
8af100eb83288f032e4813be2bf8de7d733c8761f77f078776c1391709241ad8fe3192d107664786e2543677915c5eeb3fe7add5c53b48b50c10a9de7c9f4fda

diff --git a/app-arch/xz-utils/xz-utils-5.4.2.ebuild 
b/app-arch/xz-utils/xz-utils-5.4.2.ebuild
new file mode 100644
index 000000000000..982f62b0c16d
--- /dev/null
+++ b/app-arch/xz-utils/xz-utils-5.4.2.ebuild
@@ -0,0 +1,140 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Remember: we cannot leverage autotools in this ebuild in order
+#           to avoid circular deps with autotools
+
+EAPI=8
+
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs 
toolchain-funcs
+
+if [[ ${PV} == 9999 ]] ; then
+       # Per tukaani.org, git.tukaani.org is a mirror of github and
+       # may be behind.
+       EGIT_REPO_URI="
+               https://github.com/tukaani-project/xz
+               https://git.tukaani.org/xz.git
+       "
+       inherit git-r3 autotools
+
+       # bug #272880 and bug #286068
+       BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
+else
+       VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
+       inherit verify-sig
+
+       MY_P="${PN/-utils}-${PV/_}"
+       SRC_URI="
+               
https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
+               mirror://sourceforge/lzmautils/${MY_P}.tar.gz
+               https://tukaani.org/xz/${MY_P}.tar.gz
+               verify-sig? (
+                       
https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
+                       https://tukaani.org/xz/${MY_P}.tar.gz.sig
+               )
+       "
+
+       if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+               KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips 
ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos 
~ppc-macos ~x64-macos ~x64-solaris"
+       fi
+
+       S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Utils for managing LZMA compressed files"
+HOMEPAGE="https://tukaani.org/xz/";
+
+# See top-level COPYING file as it outlines the various pieces and their 
licenses.
+LICENSE="public-domain LGPL-2.1+ GPL-2+"
+SLOT="0"
+IUSE="doc +extra-filters pgo nls static-libs"
+
+if [[ ${PV} != 9999 ]] ; then
+       BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
+fi
+
+src_prepare() {
+       default
+
+       if [[ ${PV} == 9999 ]] ; then
+               eautopoint
+               eautoreconf
+       else
+               # Allow building shared libs on Solaris/x64
+               elibtoolize
+       fi
+}
+
+multilib_src_configure() {
+       local myconf=(
+               --enable-threads
+               $(multilib_native_use_enable doc)
+               $(use_enable nls)
+               $(use_enable static-libs static)
+       )
+
+       if ! multilib_is_native_abi ; then
+               myconf+=(
+                       --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+               )
+       fi
+
+       if ! use extra-filters ; then
+               myconf+=(
+                       # LZMA1 + LZMA2 for standard .lzma & .xz files
+                       --enable-encoders=lzma1,lzma2
+                       --enable-decoders=lzma1,lzma2
+
+                       # those are used by default, depending on preset
+                       --enable-match-finders=hc3,hc4,bt4
+
+                       # CRC64 is used by default, though some (old?) files 
use CRC32
+                       --enable-checks=crc32,crc64
+               )
+       fi
+
+       if [[ ${CHOST} == *-solaris* ]] ; then
+               export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+               # Undo Solaris-based defaults pointing to /usr/xpg5/bin
+               myconf+=( --disable-path-for-script )
+       fi
+
+       ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+       # -fprofile-partial-training because upstream note the test suite isn't 
super comprehensive
+       # See 
https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
+       local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic 
-fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo 
$(test-flags-CC -fprofile-partial-training)")
+       local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo 
-fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+
+       emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+       if use pgo ; then
+               emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+               if tc-is-clang; then
+                       llvm-profdata merge "${T}"/${ABI}-pgo 
--output="${T}"/${ABI}-pgo/default.profdata || die
+               fi
+
+               emake clean
+               emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+       fi
+}
+
+multilib_src_install_all() {
+       find "${ED}" -type f -name '*.la' -delete || die
+
+       if use doc ; then
+               rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
+       fi
+}
+
+pkg_preinst() {
+       preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
+
+pkg_postinst() {
+       preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
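Review bot: Signature checking in the non-live branch is conditional on the `verify-sig` USE flag (`verify-sig? ( ... )` in both SRC_URI and BDEPEND), so with the flag off the only integrity anchor for this tarball is the Manifest hash. Since the commit's rationale is who signed 5.4.2, a comment above `VERIFY_SIG_OPENPGP_KEY_PATH` would record that for later maintainers, e.g. `# 5.4.2: last release signed by Lasse Collin (bug #928134); keep this key path and re-check the Manifest if SRC_URI changes.` The header comment says autotools cannot be run here, so the build uses the tarball's pre-generated build system. A valid signature therefore vouches for the signer, not for the tarball matching the git tree.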

diff --git a/profiles/package.mask b/profiles/package.mask
index 7abcf6cc3031..6c0d5f5a7b23 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -33,11 +33,20 @@
 
 #--- END OF EXAMPLES ---
 
+# Sam James <[email protected]> (2024-03-28)
+# Newer releases were signed by a potentially compromised upstream maintainer.
+# There is no evidence that these releases contain malicious code, but masked
+# out of an abundance of caution. See bug #928134.
+>=app-arch/xz-utils-5.4.3
+
 # Sam James <[email protected]> (2024-03-28)
 # Backdoor discovered in release tarballs. DOWNGRADE NOW.
 # https://www.openwall.com/lists/oss-security/2024/03/29/4
 # https://bugs.gentoo.org/928134
->=app-arch/xz-utils-5.6.0
+~app-arch/xz-utils-5.5.1_alpha
+~app-arch/xz-utils-5.5.2_beta
+~app-arch/xz-utils-5.6.0
+~app-arch/xz-utils-5.6.1
 
 # Michał Górny <[email protected]> (2024-03-26)
 # Last release in 2012.  No reverse dependencies.
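Review bot: The new `>=app-arch/xz-utils-5.4.3` entry also matches every version listed in the backdoor block below it, so 5.6.0 and 5.6.1 now fall under two masks with different severity wording ("no evidence" versus "DOWNGRADE NOW"). Which reason a user sees for those versions presumably depends on how the package manager reports overlapping masks, so that is worth confirming. Neither comment names the version to downgrade to, so consider adding `# Downgrade to 5.4.2, the last release signed by the previous signer.` to the first block. The broad atom would also cover any live or future version, which looks intended but could be said in the comment.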
