Re: [PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify
Brian Inglis via Cygwin-apps writes:
> Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
> single operation gpg verification helper designed for use in scripts
> instead of gpg2 --verify: see 'info gpg2 helper gpgv'

NAK. This tool doesn't check for expired keys and also searches for keys in different places, so you'd have to change your setup. More specifically you'd either have to explicitly trust all keys you want to check (not going to happen) or use a "--keyring" argument to force it to use the pubring.

(I've used an old key file for Cygwin in the following for demonstration, the current key is not expired obviously.)

--8<---cut here---start->8---
~> gpg2 --verify cygwin/setup64.zst{.sig,}
gpg: Signature made So 07 Apr 2024 16:30:47 CEST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300
~> gpgv2 cygwin/setup64.zst{.sig,}
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/gratz/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made So 07 Apr 2024 16:30:47 CEST
gpgv:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpgv: Can't check signature: No public key
~> gpgv2 --keyring .gnupg/pubring.gpg cygwin/setup64.zst{.sig,}
gpgv: Signature made So 07 Apr 2024 16:30:47 CEST
gpgv:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpgv: Good signature from "Cygwin "
--8<---cut here---end--->8---

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
Re: [PATCH] cygport/lib/src_prep.cygpart: use checksum files with packages
Brian Inglis via Cygwin-apps writes:
> Some package upstreams offer only checksums, for example .sha512sum, .sha256sum,
> for verification rather than gpg signatures, for example .asc, .sig, .sign, etc;
> use these checksum files when provided in a similar manner to gpg signatures;
> these files are often provided with fixed names which may be renamed on download
> to unique values using cygport URI fragment support like #/$NAME-VERSION.sha...sum;
> use coreutils cksum as it supports all modern and legacy checksums and formats.

https://repo.or.cz/cygport/rpm-style.git/commitdiff/c956092ce8d90230b812fb05ad2b4da13df1e36d

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
[PATCH] cygport/lib/src_prep.cygpart: use checksum files with packages
From: "Brian Inglis" Some package upstreams offer only checksums, for example .sha512sum, .sha256sum, for verification rather than gpg signatures, for example .asc, .sig, .sign, etc; use these checksum files when provided in a similar manner to gpg signatures; these files are often provided with fixed names which may be renamed on download to unique values using cygport URI fragment support like #/$NAME-VERSION.sha...sum; use coreutils cksum as it supports all modern and legacy checksums and formats. define __sum_verify() after __gpg_verify(); add to readonly function definition list unpack(): skip files matching *.*sum __src_prep(): define file types or prefixes in variable sum_exts; in src files loop after __gpg_verify(): match file checksum type and call __sum_verify() Signed-off-by: Brian Inglis --- lib/src_prep.cygpart | 56 ++- 1 file changed, 55 insertions(+), 1 deletion(-) --- lib/src_prep.cygpart2024-01-15 05:09:23.0 -0700 +++ lib/src_prep.cygpart2024-04-30 11:41:01.218878400 -0600 @@ -88,6 +88,7 @@ unpack() { # determine correct source decompression command case ${unpack_file_path} in *.asc|*.md5|*.sig|*.sign) continue ;; + *.*sum)continue ;; *.tar.lrz) check_prog_req lrzuntar lrzip unpack_cmd="lrzuntar" 
@@ -200,6 +201,43 @@ __gpg_verify() { fi } +__sum_verify() { + local _file=${1#${DISTDIR}/}; + local _filedesc=${2}; + local _filetype=${3}; + local _sum=${3%sum}; + + if ! check_prog cksum + then + # display notice only once + if ! defined _cksum_not_found_ + then + inform "cksum must be installed in order to check checksums."; + _cksum_not_found_=1 + fi + + return 0; + fi + + # {b2,b2b}{,sum} -> blake2b; ck{,sum} -> crc; {,sum} -> bsd + [ -z "${_sum}" ]&& _sum=${_sum:-bsd} + [ "b2" = "${_sum}" ]&& _sum=blake2b + [ "b2b" = "${_sum}" ] && _sum=blake2b + [ "ck" = "${_sum}" ]&& _sum=crc + + if defined DISTDIR && [ -d ${DISTDIR} ] && [ -f ${DISTDIR}/${_file} ] + then + cd ${DISTDIR} + inform "${_filedesc} ${_filetype} checksum verification follows:"; + if [ "${_sum}" = "crc" ] || [ "${_sum}" = "bsd" ] || [ "${_sum}" = "sysv" ] + then + cksum -a ${_sum} ${_file%.${_filetype}} || true; + else + cksum -a ${_sum} -c ${_file} || true; + fi + fi +} + __mkdirs() { cd ${top}; mkdir -p ${srcdir} ${origsrcdir} ${B} ${D} ${T} ${configdir} ${logdir} ${distdir} ${patchdir} ${spkgdir}; @@ -298,6 +336,10 @@ __src_prep() { local src_pkg; local tar_patch; local n=1; + local sum_exts="sha512 sha384 sha256 sha224 b2 b2b blake2b sm3 sha1 md5 ck crc bsd sysv"; + # prefer newer stronger keys for faster lookup + # blake2b bsd crc md5 sha1 sha224 sha256 sha384 sha512 sm3 sysv + # {b2,b2b}{,sum} -> blake2b; ck{,sum} -> crc; {,sum} -> bsd cd ${top}; @@ -328,6 +370,18 @@ __src_prep() { __gpg_verify ${src_pkg} "SOURCE $((n++))" ${sigext}; fi done + for sigext in ${sum_exts} ''# final entry is BSD .sum -> '' + do + if [ "${src_pkg}" != "${src_pkg%.${sigext}sum}" ] + then + __sum_verify ${src_pkg} "SOURCE $((n++))" "${sigext}sum"; + break; + elif [ "${src_pkg}" != "${src_pkg%.${sigext}}" ] # fail if '' unless *. + then + __sum_verify ${src_pkg} "SOURCE $((n++))" "${sigext}"; + break; + fi + done done for src_patch in ${_src_orig_patches} 
@@ -510,4 +564,4 @@ __src_prep() { } readonly -f __cpio_gz_extract __gem_extract __srpm_extract unpack \ -__gpg_verify __mkdirs cygpatch __src_prep +__gpg_verify __sum_verify __mkdirs cygpatch __src_prep
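Review bot: the `*.*sum)continue ;;` case added to unpack() skips only checksum files whose suffix ends in "sum", yet the loop added to __src_prep() also accepts the bare suffixes from sum_exts (`.sha512`, `.sha256`, `.b2`, `.blake2b`, `.sm3`, `.crc`, `.bsd`, `.sysv`, ...) through its `elif ... %.${sigext}` branch, so a `foo.tar.xz.sha256` download is handed to __sum_verify() and then still reaches unpack()'s archive cases. Derive the skip pattern from the same list, e.g. `*.sha*|*.b2*|*.blake2b|*.sm3|*.crc|*.bsd|*.sysv|*.*sum) continue ;;`, or test ${unpack_file_path} against sum_exts in a helper so the two lists cannot drift apart.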
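Review bot: in __sum_verify(), the crc/bsd/sysv branch `cksum -a ${_sum} ${_file%.${_filetype}} || true` only prints a checksum of the payload and never compares it with the value stored in ${_file}, so the "checksum verification follows:" notice is misleading for those formats; either parse the expected value out of ${_file} and compare, or label that output as informational. Two smaller points: `[ -z "${_sum}" ] && _sum=${_sum:-bsd}` is just `[ -z "${_sum}" ] && _sum=bsd`, and `check_prog cksum` proves only that a cksum binary exists, not that it is a coreutils version accepting `-a`/`-c`, so on an older coreutils the failure mode is a usage error that `|| true` then hides. As with __gpg_verify(), a mismatch from `cksum -c` is printed and the build continues; that deserves a sentence in the commit message, as does the fact that a checksum fetched from the same location as the tarball proves the download was intact, not who published it.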
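Review bot: the comment above sum_exts should say "algorithms", not "keys", and "faster lookup" is only a micro-optimisation; the ordering does not prefer a strong digest when a package ships several checksum files, because each file is matched on its own suffix. Since md5, sha1, crc, bsd and sysv are accepted, consider having __sum_verify() warn when one of those legacy algorithms is the only verification a package has, so the maintainer notices.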
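Review bot: the trailing `''` entry in `for sigext in ${sum_exts} ''` turns the second test into `[ "${src_pkg}" != "${src_pkg%.}" ]`, which is true for any source name ending in a bare "." and then calls __sum_verify() with an empty type; the comment "fail if '' unless *." documents the quirk rather than avoiding it. Guard the elif with `[ -n "${sigext}" ] &&` so the empty entry serves only the `.sum` case in the first test. Note also that `$((n++))` here shares the SOURCE counter with the signature branch above, so the checksum file itself consumes a SOURCE number in the notices.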
[PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify
From: "Brian Inglis" Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly, single operation gpg verification helper designed for use in scripts instead of gpg2 --verify: see 'info gpg2 helper gpgv' __gpg_verify(): use gpgv2 not gpg2 --verify Signed-off-by: Brian Inglis --- lib/src_prep.cygpart |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/lib/src_prep.cygpart 2024-01-15 05:09:23.0 -0700 +++ b/lib/src_prep.cygpart 2024-04-30 01:49:54.294030400 -0600 @@ -181,7 +181,7 @@ __gpg_verify() { local _filetype=${2}; local _sigext=${3:-sig}; - if ! check_prog gpg2 + if ! check_prog gpgv2 then # display notice only once if ! defined _gpg_not_found_ @@ -196,7 +196,7 @@ __gpg_verify() { if [ -f ${_file}.${_sigext} ] then inform "${_filetype} signature follows:"; - gpg2 --verify ${_file}.${_sigext} ${_file} || true; + gpgv2 ${_file}.${_sigext} ${_file} || true; fi }
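Review bot: the prerequisite check now looks for gpgv2, but the once-only guard `_gpg_not_found_` still carries the gpg name; rename it (and make sure the notice it guards names the tool actually required) so a maintainer who sees the message installs the right package.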
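Review bot: `gpgv2 ${_file}.${_sigext} ${_file} || true` changes both where keys are looked up and what a "Good signature" means: gpgv reads ~/.gnupg/trustedkeys.kbx by default rather than the pubring that `gpg2 --verify` uses, so on a maintainer's existing setup this ends in "Can't check signature: No public key" (Achim's reply shows the transcript), and gpgv reports a signature from an expired key as good where gpg2 prints the expiry note. Because of the `|| true`, both outcomes leave the build running with nothing but a log line. If gpgv is kept, pass `--keyring` explicitly and document that maintainers must populate it; otherwise stay with `gpg2 --verify`.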
Re: [PATCH cygport] Increase _FORTIFY_SOURCE level from 2 to 3 in CFLAGS
On 28/04/2024 13:21, Christian Franke via Cygwin-apps wrote:
> ASSI via Cygwin-apps wrote:
>> Christian Franke via Cygwin-apps writes:
>>> _FORTIFY_SOURCE=3 is supported by Cygwin 3.5.0 headers and Cygwin gcc 13.2.1 test release. Silently falls back to level 2 if level 3 is unsupported (older headers or gcc) or to level 0 if unsupported at all (C++, clang).
>>
>> Well, if only that was the case…
>>
>> --8<---cut here---start->8---
>> from /usr/include/w32api/windows.h:9,
>> from /mnt/share/cygpkgs/libarchive/libarchive.x86_64/src/libarchive-3.7.4/test_utils/test_common.h:88,
>> from /mnt/share/cygpkgs/libarchive/libarchive.x86_64/src/libarchive-3.7.4/tar/test/test.h:38,
>> from /mnt/share/cygpkgs/libarchive/libarchive.x86_64/src/libarchive-3.7.4/tar/test/test_extract_tar_lrz.c:25:
>> /usr/include/w32api/_mingw_mac.h:319:8: warning: #warning Using _FORTIFY_SOURCE=2 (level 3 requires __builtin_dynamic_object_size support) [-Wcpp]
>>   319 | # warning Using _FORTIFY_SOURCE=2 (level 3 requires __builtin_dynamic_object_size support)
>> --8<---cut here---end--->8---
>>
>> Can't we conditionalize this to depend on the actual compiler support?
>
> This is a bogus warning. Sorry, my bad. In my contribution of _FORTIFY_SOURCE support to MinGW-w64 from 2019, I didn't realize that these warnings also appear if only Win32 API includes (windows.h, ...) are used. The related internal macros have only an effect if MinGW-w64 runtime includes (stdio.h, string.h, ...) are used.
>
> Meantime this has been fixed upstream: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/f8e088e

I guess that means we need an updated w32api-header package, with this patch added, if it's not yet in a release...
Re: [PATCH cygport] Add check of SPDX expression provided by LICENSE variable
On 2024-04-30 15:07, Christian Franke via Cygwin-apps wrote:
> Brian Inglis via Cygwin-apps wrote:
>> On 2024-04-30 11:45, Christian Franke via Cygwin-apps wrote:
>>> The new script uses the SPDX webpages to create the license file. I didn't find a usable single license list at https://github.com/spdx

As usual, it is easier if you clearly state the purpose of the file you want, and its desired properties, like data content, format, etc.

>> What about: https://spdx.github.io/license-list-data/
>
> This is apparently a draft version of https://spdx.org/licenses/index.html which is used by the script to generate the local license file.

Strip out the table entries and create what you want with a command or script.

>> and everything under: https://github.com/spdx/license-list-data
>
> I didn't find a single file which lists the licenses there.

GH does not always make access easy, with its limited online displays and fixed display orders, and searches return a lot of junk, without easy access to better searching in context, but try:

https://github.com/spdx/license-list-data/blob/main/licenses.md

which also has xrefs to the text files; also there are:

https://github.com/spdx/license-list-data/blob/main/json/licenses.json
https://github.com/spdx/license-list-data/blob/main/json/exceptions.json

which can be easily processed using `jq`.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry
Re: [PATCH cygport] Add check of SPDX expression provided by LICENSE variable
Brian Inglis via Cygwin-apps wrote:
> On 2024-04-30 11:45, Christian Franke via Cygwin-apps wrote:
>> ...
>> Attached. The new script uses the SPDX webpages to create the license file. I didn't find a usable single license list at https://github.com/spdx
>
> What about: https://spdx.github.io/license-list-data/

This is apparently a draft version of https://spdx.org/licenses/index.html which is used by the script to generate the local license file.

> and everything under: https://github.com/spdx/license-list-data

I didn't find a single file which lists the licenses there.
Re: [PATCH cygport] Add check of SPDX expression provided by LICENSE variable
On 2024-04-30 11:45, Christian Franke via Cygwin-apps wrote:
> Jon Turney via Cygwin-apps wrote:
>>> PS: I have a local script which checks SPDX Identifiers and expressions. Any interest to add this to cygport and then check LICENSE settings?
>>
>> Oh, yes please. That sounds like a good idea.
>
> Attached. The new script uses the SPDX webpages to create the license file. I didn't find a usable single license list at https://github.com/spdx

What about: https://spdx.github.io/license-list-data/
and everything under: https://github.com/spdx/license-list-data

> The data/spdx-licenses file is not included in the patch. It could be generated from the source dir with:
>
> $ tools/spdx-check -f data/spdx-licenses -m
> ...
> data/spdx-licenses: created
> $ sha1sum data/spdx-licenses
> 80a19d6891d08bf34113464464ee12308374c792 *data/spdx-licenses
>
> The changes to the meson files are guessed. I didn't test the meson build yet.
Costing and Designing Solutions
Hello,

I'm hoping you receive this email. Our staff specializes in precise and effective estimate takeoffs for building firms such as yours. Our group is prepared to make your estimating problems easier. Think for a moment about how much time and accuracy our services could save you on your projects. We can't wait to help you succeed.

With regards,
Arnold Robert
Estimating Dept.
Classic Estimation LLC

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
[PATCH cygport] Add check of SPDX expression provided by LICENSE variable
Jon Turney via Cygwin-apps wrote (thread "[PATCH cygport] Add repro-finish command"): ... PS: I have a local script which checks SPDX Identifiers and expressions. Any interest to add this to cygport and then check LICENSE settings? Oh, yes please. That sounds like a good idea. Attached. The new script uses the SPDX webpages to create the license file. I didn't find a usable single license list at https://github.com/spdx The data/spdx-licenses file is not included in the patch. It could be generated from the source dir with: $ tools/spdx-check -f data/spdx-licenses -m ... data/spdx-licenses: created $ sha1sum data/spdx-licenses 80a19d6891d08bf34113464464ee12308374c792 *data/spdx-licenses The changes to the meson files are guessed. I didn't test the meson build yet. -- Regards, Christian From 61f75757fa8e9118207cc09cf4a621aac8a4da78 Mon Sep 17 00:00:00 2001 From: Christian Franke Date: Tue, 30 Apr 2024 19:28:01 +0200 Subject: [PATCH] Add check of SPDX expression provided by LICENSE variable The new script 'tools/spdx-checks' checks a SPDX license expression. License identifiers are provided by the new file 'spdx-licenses' which could be created by the script from the related SPDX webpages. --- bin/cygport.in| 17 data/meson.build | 1 + tools/meson.build | 1 + tools/spdx-check | 198 ++ 4 files changed, 217 insertions(+) create mode 100644 tools/spdx-check diff --git a/bin/cygport.in b/bin/cygport.in index 15bd559e..3166beba 100755 --- a/bin/cygport.in +++ b/bin/cygport.in @@ -41,6 +41,7 @@ declare -r _cygport_version=@VERSION@; declare -r _privdatadir=@pkgdatadir@; declare -r _privclassdir=@cygclassdir@; declare -r _privlibdir=@cygpartdir@; +declare -r _privtoolsdir=@pkgdatadir@/tools; declare -r _privgnuconfigdir=@gnuconfigdir@; declare -r _privsysconfdir=@sysconfdir@; 
@@ -489,6 +490,22 @@ do fi done +if [ "${LICENSE+y}" = "y" ] +then + if ! _out=$(${_privtoolsdir}/spdx-check -f ${_privdatadir}/spdx-licenses "${LICENSE}" 2>&1) + then + warning "LICENSE='${LICENSE}' is invalid:" + echo "${_out}" + elif [ "${_out:+y}" = "y" ] + then + warning "LICENSE='${LICENSE}' has warnings:" + echo "${_out}" + else + inform "LICENSE='${LICENSE}' is valid" + fi + unset _out +fi + for restrict in ${RESTRICT//,/ } do declare _CYGPORT_RESTRICT_${restrict//-/_}_=1 diff --git a/data/meson.build b/data/meson.build index 51c6a5fd..e83a90fe 100644 --- a/data/meson.build +++ b/data/meson.build @@ -2,6 +2,7 @@ datadocs = files('cygport.conf', 'mirrors') install_data('mirrors', 'sample.cygport', + 'spdx-licenses', install_dir: pkgdatadir) install_data('gnuconfig/config.guess', diff --git a/tools/meson.build b/tools/meson.build index acd83926..96d8d19e 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -1,6 +1,7 @@ tools = files( 'deb2targz', 'pkgrip', +'spdx-check', 'sysrootize' ) diff --git a/tools/spdx-check b/tools/spdx-check new file mode 100644 index ..bffcaae0 --- /dev/null +++ b/tools/spdx-check 
@@ -0,0 +1,198 @@ +#! /bin/bash +### +# +# spdx-check - check SPDX license expression +# +# Copyright (C) 2024 Christian Franke +# +# SPDX-License-Identifier: BSD-3-Clause +# + + +set -e -o pipefail +myname=$0 + +# SPDX license list web pages +spdx_url_lic="https://spdx.org/licenses/index.html; +spdx_url_exc="https://spdx.org/licenses/exceptions-index.html; + +# Default license file +def_spdx_file="$(dirname "$myname")/spdx-licenses" + +usage() +{ + cat <&2 + exit 1 +} + +warning() +{ + echo "Warning:" "$@" >&2 +} + +check_spdx_id() +{ + local id=$1 + local m m_id + + if ! [ -f "$spdx_file" ]; then +warning "Missing '$spdx_file' - SPDX identifier '$1' not checked" +return 0 + fi + + # SPDX identifiers are case insensitive but the correct case is recommended + m=$(grep -Ei -m 1 "^!?&?${id//+/\\+}\$" "$spdx_file" 2>/dev/null) \ +|| error "Unknown SPDX identifier '$id'" + + # TODO: Distinguish licenses and exceptions + m_id=${m#!}; m_id=${m_id#&} + + [ "$m_id" = "$id" ] || warning "It is recommended to use '$m_id' instead of '$id'" + [ "$m" = "${m#!}" ] || warning "SPDX identifier '$m_id' is deprecated" +} + +check_spdx_expr() +{ + local x=$1 + local f s t + + # Insert spaces around tokens to simplify parsing + x=" $x "; x=${x//(/ ( }; x=${x//)/ ) } + + # Check tokens + f=false + for t in $x; do +f=true +case $t in + AND|OR|WITH|[\(\)]) +;; + [Aa][Nn][Dd]|[Oo][Rr]|[Ww][Ii][Tt][Hh]) +error "Invalid token '$t' - use '${t@U}' instead" ;; + [0-9A-Za-z]*) +s=${t%+}; s=${s//[-.0-9A-Za-z]/} +[ -z
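Review bot: the new check in bin/cygport.in merges stderr into _out (`2>&1`), while check_spdx_id() in tools/spdx-check prints "Missing '$spdx_file' ... not checked" and returns 0 when the license file is absent, so a missing data/spdx-licenses is reported as "LICENSE='...' has warnings" instead of as a skipped check; have the script exit with a distinct status (or print nothing) in that case and branch on it here. The chosen behaviour (warning only, never an error, so a package with an invalid LICENSE still builds) is reasonable but is documented nowhere in this patch; the cygport manual entry for LICENSE should state it.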
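Review bot: `install_data(... 'spdx-licenses' ...)` in data/meson.build refers to a file that is not in the patch (the cover mail says it has to be generated with `tools/spdx-check -f data/spdx-licenses -m`), so meson fails on a fresh checkout; either commit the generated file, or add a custom_target that produces it at build time, and record in the script that the generated list reflects the spdx.org pages as of generation time.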
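Review bot: check_spdx_id() interpolates the identifier into an extended regex but escapes only '+', so the '.' in identifiers such as GPL-2.0 stays a wildcard and, combined with `-i` and `-m 1`, the lookup can return a line that differs from $id by one character before the exact-case comparison runs; escape '.' as well, or compare the id literally against each line after stripping the `!`/`&` prefixes. `${t@U}` in the AND/OR/WITH token check needs bash 5.1 or newer, which is worth a comment since the rest of the script is plain bash. The closing quotes of spdx_url_lic/spdx_url_exc and the usage heredoc (`cat <&2`) appear mangled in this archive copy, and the hunk is cut off after `[ -z`, so the remaining token check and the `-m` download code could not be reviewed here.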
Re: Cygwin - rsync / new release 3.2.7 => 3.3.0
On 29/04/2024 15:10, Jari Aalto wrote:
> On 2024-04-28 21:41, Chad Dougherty wrote:
>> Hello Jari,
>>
>> On 4/27/24 05:12, Jari Aalto wrote:
>>> Hi Chad, you seemed to take care of rsync while I was unavailable. If you still want to maintain rsync, would you update it to latest version. I checked and it compiles ok.
>>> ... but you might want to also apply the Debian patches to the latest version
>>
>> It's good to hear from you. I'd be happy for you to resume maintainership of this package if you're willing. I no longer actively use Cygwin so it would make more sense for someone else to do it.

Chad, I guess that means that your other packages are orphaned?

$ grep 'Chad Dougherty' cygwin-pkg-maint
lz4                  Chad Dougherty
mingw64-i686-lz4     Chad Dougherty
mingw64-x86_64-lz4   Chad Dougherty
minisign             Chad Dougherty
passwdqc             Chad Dougherty

Thanks for your work on these as a maintainer.

> Thanks Chad, I have the latest ready, so I can continue maintaining.
>
> Jon, would someone update the Cygwin Porters file in order to proceed with the upload.

Jari,

Done. I set your rsync-3.3.0-1 upload to be retried, which seems to have succeeded.
Re: [PATCH cygport] Add customization support for announce command
Jon Turney wrote: On 10/03/2024 16:33, Christian Franke via Cygwin-apps wrote: Jon Turney wrote: On 23/02/2024 11:23, Christian Franke via Cygwin-apps wrote: Christian Franke wrote: The email generated by the cygport announce command is useful, but actual use cases are somewhat limited due to the hard-coded email submission. The attached patch adds more flexibility. The patch is on top of the "Use correct wording if only one package is announced" patch. Slightly changed patch attached. Also adjusted to new version of "Use correct wording if only one package is announced" patch. [...] Thanks for this. Possible (better?) alternative names for the new settings: ANNOUNCEMENT_EDITOR ANNOUNCEMENT_MAILER Hmmm... I think "ANNOUNCE_EDITOR" and "ANNOUNCE_MAILER" would be the best for clarity and conciseness. New patch attached. Is still on top of "Use correct wording ..." patch. I also added HOMEPAGE to the propagated variables as this should be included in an announcement. Thanks. + /bin/bash -c "cd ${top} || exit 1 +${HOMEPAGE+HOMEPAGE=${HOMEPAGE@Q}} +P=${P@Q}; PF=${PF@Q}; PN=${PN@Q}; PR=${PR@Q}; PV=(${PV[*]@Q}) +${SMTP_SENDER+SMTP_SENDER=${SMTP_SENDER@Q}} +${SMTP_SERVER+SMTP_SERVER=${SMTP_SERVER@Q}} +${SMTP_SERVER_PORT+SMTP_SERVER_PORT=${SMTP_SERVER_PORT@Q}} +${SMTP_ENCRYPTION+SMTP_ENCRYPTION=${SMTP_ENCRYPTION@Q}} +${SMTP_USER+SMTP_USER=${SMTP_USER@Q}} +${SMTP_PASS+SMTP_PASS=${SMTP_PASS@Q}} +${cmd} +" $0 ${msg} || error "Command '\${${cmdvar}} ${msg}' (cwd=${top}) failed" +} Sorry I didn't notice this before, and I am terrible at writing shell, but perhaps you could share the reasoning behind writing this as above, and not as, e.g. (cd ${top} && env BLAH ${cmd}) avoiding all the verbiage in the description of ANNOUNCE_EDITOR about it being fed into 'bash -c' (and hence getting evaluated twice??) rather than just run? None of the mentioned variables are exported to the environment by cygport. I wanted to keep this fact in the subshell. 
Therefore the assignments are added to the script instead of passing via env(ironment). The latter won't even work with the PV variable because arrays could not be exported.

Variables would not be evaluated twice. For example in the rare case that someone uses something like

  SMTP_SERVER="smtp.$(hostname -d)"

in cygport.conf, this would immediately expand to SMTP_SERVER="smtp.some.domain". The above

  ${SMTP_SERVER+SMTP_SERVER=${SMTP_SERVER@Q}}

would expand to SMTP_SERVER=${SMTP_SERVER@Q} and then to SMTP_SERVER='smtp.some.domain' (The @Q bash extension ensures proper quoting).
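Review bot: in the quoted `/bin/bash -c "..."` block, `${SMTP_PASS+SMTP_PASS=${SMTP_PASS@Q}}` places the mail password in the argument string of the inner bash, so for as long as the announce command runs it is visible to every local user through `ps` or /proc/<pid>/cmdline; feed the script to the inner shell on stdin (`/bin/bash -s`) or hand SMTP_PASS to it through the environment (it is a scalar, so the array objection to env does not apply to it), and keep the other assignments in the script text as they are. The unquoted `$0 ${msg}` at the end should also be `"$0" "${msg}"`.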
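As an added illustration of the quoting argument in this thread (example code of mine, not from the cygport patch): the first function builds the inner script the way the patch does, with `${VAR+VAR=${VAR@Q}}`, the second splices the value in unquoted. A value containing a literal `$(...)` survives the first unchanged and is evaluated a second time by the second, which is the double evaluation Jon asked about.

```shell
# Added example, not from the cygport patch: why the inner script is built
# with ${VAR+VAR=${VAR@Q}} before being handed to "bash -c".
# The outer functions can run under any POSIX shell; everything that needs
# bash (the @Q transformation) happens inside an explicit bash invocation.

# Build the inner script as the patch does and run it; prints what the inner
# bash ends up seeing as SMTP_SERVER. $1 plays the role of the value that
# cygport.conf already assigned (command substitutions there have run).
quoted_embed() {
    bash -c '
        SMTP_SERVER=$1
        # @Q yields a single-quoted literal, so the inner bash re-reads it
        # as plain text: no word splitting, no second command substitution.
        script="${SMTP_SERVER+SMTP_SERVER=${SMTP_SERVER@Q}}
printf %s \"\$SMTP_SERVER\""
        bash -c "$script"
    ' _ "$1"
}

# The naive alternative: the expanded value is pasted into the script text
# without quoting, so the inner bash parses it a second time.
naive_embed() {
    bash -c '
        SMTP_SERVER=$1
        script="SMTP_SERVER=$SMTP_SERVER
printf %s \"\$SMTP_SERVER\""
        bash -c "$script"
    ' _ "$1"
}
```

Run `quoted_embed 'smtp.$(hostname -d)'` and `naive_embed 'smtp.$(echo injected)'` to see the literal value come back from the first and `smtp.injected` from the second.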