| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
remove also redundant pkg_selectable check in repair mode.
|
|
|
|
|
|
Move addition of virtual package after the dependencies have been parsed
as then the reverse dependency structers can be populated correctly.
|
|
|
|
this would happen if same package matched multiple times due to
multiple provided names.
|
|
|
|
The hash type was accidentally changed in previous commit. Currently
csum->data cannot hold longer hash, so fix the hash.
|
|
|
|
merge_options() will write one more entry to the options table
which is the end-of-table indicator. Allocate memory for it too.
valgrind did not pick it up due to being in stack; changing alloca
to malloc would make valgrind notice the issue too.
Reported-by: Mobile Stream <info@mobile-stream.com>
|
|
|
|
there are several applets that support simulation but are not
committing changes to database
|
|
|
|
|
|
A crafted .apk file could to trick apk writing unverified data to
an unexpected file during temporary file creation due to bugs in handling
long link target name and the way a regular file is extracted.
Several hardening steps are implemented to avoid this:
- the temporary file is now always first unlinked (apk thus reserved
all filenames .apk.* to be it's working files)
- the temporary file is after that created with O_EXCL to avoid races
- the temporary file is no longer directly the archive entry name
and thus directly controlled by potentially untrusted data
- long file names and link target names are now rejected
- hard link targets are now more rigorously checked
- various additional checks added for the extraction process to
error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
|
|
Consolidate author information, so that tools like 'git shortlog' show
a single entry for each author.
|
|
This is unwanted information disclosure.
Reported-by: Max Justicz <max@justi.cz>
|
|
Most applets return whatever apk_solver_commit() returns. It is the
number of errors found (or negative for hard error). Sanitize the
error value to not give false success exit code in the unlikely case
of errors % 256 == 0.
Reported-by: Max Justicz <max@justi.cz>
|
|
We should not update repository index when --no-network is specified.
ref #9126
|
|
|
|
ref #9063
|
|
It's common for a pre-install script to do something like
addgroup -S group 2>/dev/null
When apk installs files after this, it sets the owner/group based on id cache
but currently the id cache is stale and doesn't contain the new group at that
point: instead the file will be installed with gid that the build host
happened to have for that group -- on target this might mean a non-existing
group or a completely different group.
We can't know if the script really did modify id cache contents so make sure
to reset the id cache on every script execution.
|
|
Virtual packages have the origin pointer set to NULL. Trying to print it
using the BLOB_PRINTF macros causes a segmentation fault.
Inspired by the `print_origin_name` function from `src/search.c` this
commit attempts to fix it by checking whether `pkg->origin` is NULL
before attempting to print it. If it is NULL the pkg name is printed
instead.
Since printing the pkg name requires a different format string this
commit splits the printf call for printing the package line into
multiple ones. The output format shouldn't have changed at all though.
|
|
|
|
|
|
|
|
Run apk_solver_solve once with all args as dependencies instead of
running apk_solver_solve for each arg. This is neccesary so the
install_if calculation is done correctly.
|
|
|
|
During netboot on systems without RTC, time() will be near zero,
and the index fill not exist. Thus the plain test of st.st_mtime
against system time failed. Verify that fstatat() succeeds.
|
|
priority
|
|
|
|
|
|
tests)
|
|
|
|
TLS_client_method is a LibreSSL extension.
SSLv23_client_method is generic, and doesn't mean SSL v2/v3 only.
|
|
enabling virtuals by default
|
|
list does everything search does and more
|
|
|
|
|
|
|
|
|
|
The list applet provides a convenient way of inspecting both the available
and installed package databases by listing their contents. In some ways,
it is similar to `apk search` but is considered to be a superset of
`apk search` functionality.
A few `apk list` criterion are not yet ready though, such as `apk list --depends`
which searches by runtime dependency (replacing `apk info --rdepends`).
|
|
|
|
|
|
|
|
|
|
Internally the value is in seconds, but on command line it's in
minutes.
|
|
|
|
|
