Diffstat (limited to 'system')
-rw-r--r-- | system/apk-tools/APKBUILD | 2 | ||||
-rw-r--r-- | system/apk-tools/deep.patch | 106 | ||||
-rw-r--r-- | system/bubblewrap/APKBUILD | 36 | ||||
-rw-r--r-- | system/bubblewrap/tests.patch | 23 |
4 files changed, 87 insertions, 80 deletions
diff --git a/system/apk-tools/APKBUILD b/system/apk-tools/APKBUILD index d9e29a241..78478e51e 100644 --- a/system/apk-tools/APKBUILD +++ b/system/apk-tools/APKBUILD @@ -70,6 +70,6 @@ static() { } sha512sums="1b190cfd04c69369bd4f2b708d4df0f8cf2937e1580c95138fd2c2257e7604d015deaca10a9fe0da6742981caadb6b067c15e417a1951866f781b8a5c71c98ee apk-tools-2.10.3.tar.xz -a89007da158cbca67d5c18df2f117958604d69bf49251ccd11052457d5926eebe3d6573dfca238bd246e64661a7e373b1853fd226e4cca34c148195e688ae846 deep.patch +059f0368b096c53357db567bf720f049cf19a88dbf10dc2496a739dfe332a6487b87f07056d7cf6f0c8a385782821547d4aba8c393591c4070838f1c98819dda deep.patch 53d446734d32341cbd9ca00aedcd65d4d99220da354a9339837a6c79609a321f61ae917fb3cd9d4bffebcfc171d06c0f0d315e29a2d16285545c4fa085a75639 list.patch 746d00ce2af554a25db7ecea2b0a4d8f7399d2560efb6bf59ea144012d0163d3e0bad84c799bd706e8be6c0a543d4e35728d6beb269fddbbea626384009129cb pmmx.patch" diff --git a/system/apk-tools/deep.patch b/system/apk-tools/deep.patch index f315339cc..b9e361717 100644 --- a/system/apk-tools/deep.patch +++ b/system/apk-tools/deep.patch 
@@ -1,84 +1,50 @@ -From e61635ada7901763919caeaa01fa62ead3f6e97f Mon Sep 17 00:00:00 2001 -From: "A. Wilcox" <AWilcox@Wilcox-Tech.com> -Date: Fri, 31 May 2019 21:32:02 -0500 -Subject: [PATCH 1/1] upgrade: add --deep option to upgrade everything +From b0be9f610c02bb2d5e681a3904940d311e9de298 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> +Date: Mon, 3 Jun 2019 14:53:46 +0300 +Subject: solver: fix common dependency merging to inherit pinning and flags +Notably this fixes occasional issues when doing upgrade with multiple +versions of same packages. Without this the upgrade flag is not always +propagated properly down the dependency chain. --- - src/apk_solver.h | 1 + - src/solver.c | 10 ++++++++++ - src/upgrade.c | 5 +++++ - 3 files changed, 16 insertions(+) + src/solver.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) -diff --git a/src/apk_solver.h b/src/apk_solver.h -index b8b072d..908b3fd 100644 ---- a/src/apk_solver.h -+++ b/src/apk_solver.h -@@ -35,6 +35,7 @@ struct apk_changeset { - #define APK_SOLVERF_REINSTALL 0x0004 - #define APK_SOLVERF_LATEST 0x0008 - #define APK_SOLVERF_IGNORE_CONFLICT 0x0010 -+#define APK_SOLVERF_DEEP 0x0020 - - void apk_solver_set_name_flags(struct apk_name *name, - unsigned short solver_flags, diff --git a/src/solver.c b/src/solver.c -index e10cf8b..8437d61 100644 +index e10cf8b..2121dd9 100644 --- a/src/solver.c 
+++ b/src/solver.c -@@ -40,6 +40,7 @@ struct apk_solver_state { - unsigned int pinning_inherit; - unsigned int default_repos; - unsigned ignore_conflict : 1; -+ unsigned deep_upgrade : 1; - }; - - static struct apk_provider provider_none = { -@@ -510,6 +511,14 @@ static int compare_providers(struct apk_solver_state *ss, +@@ -462,6 +462,8 @@ static void reconsider_name(struct apk_solver_state *ss, struct apk_name *name) + name->name, name0->name); + name0->ss.requirers++; + name_requirers_changed(ss, name0); ++ foreach_array_item(p, name0->providers) ++ inherit_pinning_and_flags(ss, p->pkg, pkg); + } + } + } +@@ -510,7 +512,6 @@ static int compare_providers(struct apk_solver_state *ss, unsigned int solver_flags; int r; -+ /* In deep upgrades, always return the greater version */ -+ if (ss->deep_upgrade) -+ switch (apk_version_compare_blob(*pA->version, *pB->version)) { -+ case APK_VERSION_LESS: -+ return -1; -+ case APK_VERSION_GREATER: -+ return 1; -+ } - +- /* Prefer existing package */ if (pkgA == NULL || pkgB == NULL) -@@ -1006,6 +1015,7 @@ restart: - ss->changeset = changeset; - ss->default_repos = apk_db_get_pinning_mask_repos(db, APK_DEFAULT_PINNING_MASK); - ss->ignore_conflict = !!(solver_flags & APK_SOLVERF_IGNORE_CONFLICT); -+ ss->deep_upgrade = !!(solver_flags & APK_SOLVERF_DEEP); - list_init(&ss->dirty_head); - list_init(&ss->unresolved_head); - -diff --git a/src/upgrade.c b/src/upgrade.c -index 14457b5..e48d8e3 100644 ---- a/src/upgrade.c -+++ b/src/upgrade.c -@@ -38,6 +38,9 @@ static int option_parse_applet(void *ctx, struct apk_db_options *dbopts, int opt - case 'a': - uctx->solver_flags |= APK_SOLVERF_AVAILABLE; - break; -+ case 'd': -+ uctx->solver_flags |= APK_SOLVERF_DEEP; -+ break; - case 'l': - uctx->solver_flags |= APK_SOLVERF_LATEST; - break; -@@ -59,6 +62,8 @@ static const struct apk_option options_applet[] = { - { 0x10000, "no-self-upgrade", - "Do not do early upgrade of 'apk-tools' package" }, - { 0x10001, "self-upgrade-only", "Only do 
self-upgrade" }, -+ { 'd', "deep", -+ "Include dependencies when upgrading world" }, - }; + return (pkgA != NULL) - (pkgB != NULL); +@@ -675,8 +676,11 @@ static void select_package(struct apk_solver_state *ss, struct apk_name *name) - static const struct apk_option_group optgroup_applet = { + if (name->ss.requirers || name->ss.has_iif) { + foreach_array_item(p, name->providers) { +- dbg_printf(" consider "PKG_VER_FMT" iif_triggered=%d, tag_ok=%d, selectable=%d, provider_priority=%d, installed=%d\n", +- PKG_VER_PRINTF(p->pkg), p->pkg->ss.iif_triggered, p->pkg->ss.tag_ok, p->pkg->ss.pkg_selectable, ++ dbg_printf(" consider "PKG_VER_FMT" iif_triggered=%d, tag_ok=%d, selectable=%d, available=%d, flags=0x%x, provider_priority=%d, installed=%d\n", ++ PKG_VER_PRINTF(p->pkg), ++ p->pkg->ss.iif_triggered, p->pkg->ss.tag_ok, ++ p->pkg->ss.pkg_selectable, p->pkg->ss.pkg_available, ++ p->pkg->ss.solver_flags, + p->pkg->provider_priority, p->pkg->ipkg != NULL); + /* Ensure valid pinning and install-if trigger */ + if (name->ss.requirers == 0 && -- -2.21.0 +cgit v1.2.1 diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD index 0147c92c6..1589504a6 100644 --- a/system/bubblewrap/APKBUILD +++ b/system/bubblewrap/APKBUILD 
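Review bot: The file is still named `deep.patch`, but its new side no longer adds `--deep`; it now carries the upstream commit "solver: fix common dependency merging to inherit pinning and flags", and `APK_SOLVERF_DEEP` and the `'d'` option in `src/upgrade.c` are gone. For a patch applied to the package manager itself, a name that matches the content and a provenance line in the APKBUILD make later audits easier, for example `# solver fix: upstream commit b0be9f610c02 (replaces the local --deep option)` next to the source entry. The apk-tools APKBUILD hunk in this commit changes only the checksum, so unless `pkgrel` is bumped elsewhere, installed systems will presumably not pick up the changed solver. Anything that still passes `--deep` to `apk upgrade` will also need adjusting.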
@@ -1,26 +1,32 @@ # Contributor: Timo Teräs <timo.teras@iki.fi> -# Maintainer: +# Maintainer: Max Rees <maxcrees@me.com> pkgname=bubblewrap -pkgver=0.3.1 +pkgver=0.3.3 pkgrel=0 pkgdesc="Unprivileged sandboxing tool" url="https://github.com/projectatomic/bubblewrap" arch="all" -options="!check suid" # ? +options="!check suid" # requires suid to already be set in order to check license="LGPL-2.0+" makedepends="autoconf automake libcap-dev docbook-xsl" +checkdepends="sudo" subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch" source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz - realpath-workaround.patch musl-fixes.patch" + realpath-workaround.patch + musl-fixes.patch + tests.patch" + +# secfixes: +# 0.3.3-r0: +# - CVE-2019-12439 prepare() { cd "$builddir" - NOCONFIGURE=1 ./autogen.sh + srcdir= NOCONFIGURE=1 ./autogen.sh default_prepare } build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -32,8 +38,19 @@ build() { make } +check() { + # Uses sudo to chown root and setuid $builddir/test-bwrap + # + # As of 0.3.3-r0, all tests pass on ppc64 except those relating + # to bind mounts over symlinks. Those tests fail because musl's + # realpath depends on the availability of /proc, which is not + # available in the middle of the setup procedure since pivot_root + # has been performed at least once. They have been patched to be + # skipped. + make check +} + package() { - cd "$builddir" make install DESTDIR="$pkgdir" } 
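Review bot: `check()` appears to leave a root-owned setuid binary behind: by its own comment the test run uses sudo to chown and setuid `$builddir/test-bwrap`, and nothing after `make check` in this hunk clears that. Since this is a freshly built sandbox helper, the comment should say the function is meant for a disposable build root only, and the bit should be dropped when the tests finish, e.g. `sudo chmod u-s "$builddir"/test-bwrap` after `make check` (it would need to run on the failure path too). `options` still carries `!check`, so the suite runs only when someone enables it by hand; the comment could state that, and the sudo rights the builder needs, explicitly.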
@@ -46,6 +63,7 @@ bashcomp() { mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/ } -sha512sums="fbc44976f53fdf8913b94c57d1f26a3b87c773e86a289e58fd3d7b1c4ea7f33c862f1a38a4f791315358990928768a68334f0a171302c18a16c7e2e9f1a146dd bubblewrap-0.3.1.tar.gz +sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz 400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch -f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch" +f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch +d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch" diff --git a/system/bubblewrap/tests.patch b/system/bubblewrap/tests.patch new file mode 100644 index 000000000..651d6269a --- /dev/null +++ b/system/bubblewrap/tests.patch 
@@ -0,0 +1,23 @@ +--- bubblewrap-0.3.3/tests/test-run.sh 2019-05-01 04:51:47.000000000 -0400 ++++ bubblewrap-0.3.3/tests/test-run.sh 2019-06-03 14:43:33.881226220 -0400 +@@ -127,8 +127,9 @@ + fi + + # bind dest in symlink (https://github.com/projectatomic/bubblewrap/pull/119) +- $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true +- echo "ok - can bind a destination over a symlink" ++ #$RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true ++ #echo "ok - can bind a destination over a symlink" ++ echo "ok # SKIP musl realpath depends on /proc" + done + + # Test devices +@@ -215,7 +216,7 @@ + # Test --die-with-parent + + cat >lockf-n.py <<EOF +-#!/usr/bin/env python ++#!/usr/bin/env python3 + import struct,fcntl,sys + path = sys.argv[1] + if sys.argv[2] == 'wait': |
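Review bot: The bind-over-symlink test at `@@ -127,8 +127,9 @@` is switched off unconditionally, so this package will no longer notice a regression in how bwrap handles a bind destination that is a symlink, which is path handling a setuid sandbox tool needs covered. The two original lines are left as commented-out code with no condition for bringing them back; a header comment at the top of tests.patch would serve better, for example `# Skip bind-over-symlink test: musl realpath needs /proc, which is unavailable after pivot_root; re-enable once that no longer holds`. The second hunk changes the helper script to `#!/usr/bin/env python3`, but `checkdepends` in the APKBUILD lists only `sudo`; if the test does not skip itself when the interpreter is missing, python3 should be added there.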