summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/apk-tools/APKBUILD2
-rw-r--r--system/apk-tools/deep.patch106
-rw-r--r--system/bubblewrap/APKBUILD36
-rw-r--r--system/bubblewrap/tests.patch23
4 files changed, 87 insertions, 80 deletions
diff --git a/system/apk-tools/APKBUILD b/system/apk-tools/APKBUILD
index d9e29a241..78478e51e 100644
--- a/system/apk-tools/APKBUILD
+++ b/system/apk-tools/APKBUILD
@@ -70,6 +70,6 @@ static() {
}
sha512sums="1b190cfd04c69369bd4f2b708d4df0f8cf2937e1580c95138fd2c2257e7604d015deaca10a9fe0da6742981caadb6b067c15e417a1951866f781b8a5c71c98ee apk-tools-2.10.3.tar.xz
-a89007da158cbca67d5c18df2f117958604d69bf49251ccd11052457d5926eebe3d6573dfca238bd246e64661a7e373b1853fd226e4cca34c148195e688ae846 deep.patch
+059f0368b096c53357db567bf720f049cf19a88dbf10dc2496a739dfe332a6487b87f07056d7cf6f0c8a385782821547d4aba8c393591c4070838f1c98819dda deep.patch
53d446734d32341cbd9ca00aedcd65d4d99220da354a9339837a6c79609a321f61ae917fb3cd9d4bffebcfc171d06c0f0d315e29a2d16285545c4fa085a75639 list.patch
746d00ce2af554a25db7ecea2b0a4d8f7399d2560efb6bf59ea144012d0163d3e0bad84c799bd706e8be6c0a543d4e35728d6beb269fddbbea626384009129cb pmmx.patch"
diff --git a/system/apk-tools/deep.patch b/system/apk-tools/deep.patch
index f315339cc..b9e361717 100644
--- a/system/apk-tools/deep.patch
+++ b/system/apk-tools/deep.patch
@@ -1,84 +1,50 @@
-From e61635ada7901763919caeaa01fa62ead3f6e97f Mon Sep 17 00:00:00 2001
-From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
-Date: Fri, 31 May 2019 21:32:02 -0500
-Subject: [PATCH 1/1] upgrade: add --deep option to upgrade everything
+From b0be9f610c02bb2d5e681a3904940d311e9de298 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 3 Jun 2019 14:53:46 +0300
+Subject: solver: fix common dependency merging to inherit pinning and flags
+Notably this fixes occasional issues when doing upgrade with multiple
+versions of same packages. Without this the upgrade flag is not always
+propagated properly down the dependency chain.
---
- src/apk_solver.h | 1 +
- src/solver.c | 10 ++++++++++
- src/upgrade.c | 5 +++++
- 3 files changed, 16 insertions(+)
+ src/solver.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
-diff --git a/src/apk_solver.h b/src/apk_solver.h
-index b8b072d..908b3fd 100644
---- a/src/apk_solver.h
-+++ b/src/apk_solver.h
-@@ -35,6 +35,7 @@ struct apk_changeset {
- #define APK_SOLVERF_REINSTALL 0x0004
- #define APK_SOLVERF_LATEST 0x0008
- #define APK_SOLVERF_IGNORE_CONFLICT 0x0010
-+#define APK_SOLVERF_DEEP 0x0020
-
- void apk_solver_set_name_flags(struct apk_name *name,
- unsigned short solver_flags,
diff --git a/src/solver.c b/src/solver.c
-index e10cf8b..8437d61 100644
+index e10cf8b..2121dd9 100644
--- a/src/solver.c
+++ b/src/solver.c
-@@ -40,6 +40,7 @@ struct apk_solver_state {
- unsigned int pinning_inherit;
- unsigned int default_repos;
- unsigned ignore_conflict : 1;
-+ unsigned deep_upgrade : 1;
- };
-
- static struct apk_provider provider_none = {
-@@ -510,6 +511,14 @@ static int compare_providers(struct apk_solver_state *ss,
+@@ -462,6 +462,8 @@ static void reconsider_name(struct apk_solver_state *ss, struct apk_name *name)
+ name->name, name0->name);
+ name0->ss.requirers++;
+ name_requirers_changed(ss, name0);
++ foreach_array_item(p, name0->providers)
++ inherit_pinning_and_flags(ss, p->pkg, pkg);
+ }
+ }
+ }
+@@ -510,7 +512,6 @@ static int compare_providers(struct apk_solver_state *ss,
unsigned int solver_flags;
int r;
-+ /* In deep upgrades, always return the greater version */
-+ if (ss->deep_upgrade)
-+ switch (apk_version_compare_blob(*pA->version, *pB->version)) {
-+ case APK_VERSION_LESS:
-+ return -1;
-+ case APK_VERSION_GREATER:
-+ return 1;
-+ }
-
+-
/* Prefer existing package */
if (pkgA == NULL || pkgB == NULL)
-@@ -1006,6 +1015,7 @@ restart:
- ss->changeset = changeset;
- ss->default_repos = apk_db_get_pinning_mask_repos(db, APK_DEFAULT_PINNING_MASK);
- ss->ignore_conflict = !!(solver_flags & APK_SOLVERF_IGNORE_CONFLICT);
-+ ss->deep_upgrade = !!(solver_flags & APK_SOLVERF_DEEP);
- list_init(&ss->dirty_head);
- list_init(&ss->unresolved_head);
-
-diff --git a/src/upgrade.c b/src/upgrade.c
-index 14457b5..e48d8e3 100644
---- a/src/upgrade.c
-+++ b/src/upgrade.c
-@@ -38,6 +38,9 @@ static int option_parse_applet(void *ctx, struct apk_db_options *dbopts, int opt
- case 'a':
- uctx->solver_flags |= APK_SOLVERF_AVAILABLE;
- break;
-+ case 'd':
-+ uctx->solver_flags |= APK_SOLVERF_DEEP;
-+ break;
- case 'l':
- uctx->solver_flags |= APK_SOLVERF_LATEST;
- break;
-@@ -59,6 +62,8 @@ static const struct apk_option options_applet[] = {
- { 0x10000, "no-self-upgrade",
- "Do not do early upgrade of 'apk-tools' package" },
- { 0x10001, "self-upgrade-only", "Only do self-upgrade" },
-+ { 'd', "deep",
-+ "Include dependencies when upgrading world" },
- };
+ return (pkgA != NULL) - (pkgB != NULL);
+@@ -675,8 +676,11 @@ static void select_package(struct apk_solver_state *ss, struct apk_name *name)
- static const struct apk_option_group optgroup_applet = {
+ if (name->ss.requirers || name->ss.has_iif) {
+ foreach_array_item(p, name->providers) {
+- dbg_printf(" consider "PKG_VER_FMT" iif_triggered=%d, tag_ok=%d, selectable=%d, provider_priority=%d, installed=%d\n",
+- PKG_VER_PRINTF(p->pkg), p->pkg->ss.iif_triggered, p->pkg->ss.tag_ok, p->pkg->ss.pkg_selectable,
++ dbg_printf(" consider "PKG_VER_FMT" iif_triggered=%d, tag_ok=%d, selectable=%d, available=%d, flags=0x%x, provider_priority=%d, installed=%d\n",
++ PKG_VER_PRINTF(p->pkg),
++ p->pkg->ss.iif_triggered, p->pkg->ss.tag_ok,
++ p->pkg->ss.pkg_selectable, p->pkg->ss.pkg_available,
++ p->pkg->ss.solver_flags,
+ p->pkg->provider_priority, p->pkg->ipkg != NULL);
+ /* Ensure valid pinning and install-if trigger */
+ if (name->ss.requirers == 0 &&
--
-2.21.0
+cgit v1.2.1
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index 0147c92c6..1589504a6 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,26 +1,32 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
-# Maintainer:
+# Maintainer: Max Rees <maxcrees@me.com>
pkgname=bubblewrap
-pkgver=0.3.1
+pkgver=0.3.3
pkgrel=0
pkgdesc="Unprivileged sandboxing tool"
url="https://github.com/projectatomic/bubblewrap"
arch="all"
-options="!check suid" # ?
+options="!check suid" # requires suid to already be set in order to check
license="LGPL-2.0+"
makedepends="autoconf automake libcap-dev docbook-xsl"
+checkdepends="sudo"
subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
- realpath-workaround.patch musl-fixes.patch"
+ realpath-workaround.patch
+ musl-fixes.patch
+ tests.patch"
+
+# secfixes:
+# 0.3.3-r0:
+# - CVE-2019-12439
prepare() {
cd "$builddir"
- NOCONFIGURE=1 ./autogen.sh
+ srcdir= NOCONFIGURE=1 ./autogen.sh
default_prepare
}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -32,8 +38,19 @@ build() {
make
}
+check() {
+ # Uses sudo to chown root and setuid $builddir/test-bwrap
+ #
+ # As of 0.3.3-r0, all tests pass on ppc64 except those relating
+ # to bind mounts over symlinks. Those tests fail because musl's
+ # realpath depends on the availability of /proc, which is not
+ # available in the middle of the setup procedure since pivot_root
+ # has been performed at least once. They have been patched to be
+ # skipped.
+ make check
+}
+
package() {
- cd "$builddir"
make install DESTDIR="$pkgdir"
}
@@ -46,6 +63,7 @@ bashcomp() {
mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
}
-sha512sums="fbc44976f53fdf8913b94c57d1f26a3b87c773e86a289e58fd3d7b1c4ea7f33c862f1a38a4f791315358990928768a68334f0a171302c18a16c7e2e9f1a146dd bubblewrap-0.3.1.tar.gz
+sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch"
+f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
+d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
diff --git a/system/bubblewrap/tests.patch b/system/bubblewrap/tests.patch
new file mode 100644
index 000000000..651d6269a
--- /dev/null
+++ b/system/bubblewrap/tests.patch
@@ -0,0 +1,23 @@
+--- bubblewrap-0.3.3/tests/test-run.sh 2019-05-01 04:51:47.000000000 -0400
++++ bubblewrap-0.3.3/tests/test-run.sh 2019-06-03 14:43:33.881226220 -0400
+@@ -127,8 +127,9 @@
+ fi
+
+ # bind dest in symlink (https://github.com/projectatomic/bubblewrap/pull/119)
+- $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
+- echo "ok - can bind a destination over a symlink"
++ #$RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
++ #echo "ok - can bind a destination over a symlink"
++ echo "ok # SKIP musl realpath depends on /proc"
+ done
+
+ # Test devices
+@@ -215,7 +216,7 @@
+ # Test --die-with-parent
+
+ cat >lockf-n.py <<EOF
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ import struct,fcntl,sys
+ path = sys.argv[1]
+ if sys.argv[2] == 'wait':