The 'Compressing data' step takes a significant amount of time when
packaging software with huge binaries, like Kubernetes. This can
certainly be shortened using multithreaded compression, like 'pigz'.

Symbolic links might point to files outside of the chroot and
thus might delete files outside the chroot. This allows deletion
of arbitrary directories on the host from a malicious APKBUILD.
Following hard links shouldn't be a problem since hard links (usually)
cannot refer to directories and since remove(3) removes the link, not
the file it points to, it shouldn't cause a problem.
I noticed this because alpine-baselayout creates /var/run as a symlink
to /run, therefore causing /run to be deleted on the host when using
abuild-rmtemp, which in turn causes a bunch of software to no longer
function properly (including OpenRC).
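
The hazard described in this commit message, reproduced in a scratch directory under /tmp as an added example (not abuild's own code): a recursive delete that classifies entries with lstat(2) removes the `var/run` link itself, while one that uses stat(2) walks through the link into the directory outside the tree. The function names and the directory layout are constructed for the illustration.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursively delete `path`. follow=0 classifies with lstat(2): a symlink is
 * unlinked, never entered. follow=1 models the bug: stat(2) resolves it. */
int remove_tree(const char *path, int follow)
{
	struct stat st;
	struct dirent *e;
	char child[4096];
	DIR *d;
	if ((follow ? stat(path, &st) : lstat(path, &st)) != 0)
		return -1;
	if (S_ISDIR(st.st_mode) && (d = opendir(path)) != NULL) {
		while ((e = readdir(d)) != NULL) {
			if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
				continue;
			snprintf(child, sizeof child, "%s/%s", path, e->d_name);
			remove_tree(child, follow);
		}
		closedir(d);
	}
	return remove(path); /* remove(3) deletes the link, not its target */
}

/* Constructed layout: <tmp>/chroot/var/run -> <tmp>/run (like /var/run -> /run).
 * Returns 1 if <tmp>/run/openrc survives removing <tmp>/chroot, 0 if not. */
int outside_survives(int follow)
{
	char base[] = "/tmp/rmtemp-demo-XXXXXX";
	if (!mkdtemp(base) || chdir(base) != 0 || mkdir("chroot", 0700) ||
	    mkdir("chroot/var", 0700) || mkdir("run", 0700) ||
	    mkdir("run/openrc", 0700) || symlink("../../run", "chroot/var/run"))
		return -1;
	remove_tree("chroot", follow);
	int survived = access("run/openrc", F_OK) == 0;
	remove_tree("run", 0); /* clean up the scratch directory */
	return chdir("/") == 0 && rmdir(base) == 0 ? survived : -1;
}

int main(void)
{
	printf("outside data kept: lstat walk=%d, stat walk=%d\n",
	       outside_survives(0), outside_survives(1));
}
```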

Only run check in fakeroot if options="checkroot" is set. This makes
options="!checkroot" the default.
I expect most checks work as non-root, and if a testsuite requires root,
it will likely fail in fakeroot too. Fakeroot has also shown lower
performance for parallel builds.

Fix case where 1) checksum is a single line and 2) there is a variable
under the checksum that should be kept. For example:
```
sha512sum="...."
keepthis="..."
```
Previously the `keepthis` variable would have been removed.
ref https://github.com/alpinelinux/abuild/pull/41

Abuild-fetch uses curl (fallback to wget) to download files. They are
saved with a ".part" extension first, so they can be resumed if
necessary. When the download is through, the ".part" extension gets
removed. However, when the server does not support resume of downloads
(e.g. GitHub's on the fly generated tarballs), then the ".part"
extension got removed anyway. Abuild aborts in that case. But when
running a third time, the distfile exists and it is assumed that this
is the full download.

Changes:
* abuild-fetch:
  * Only remove the ".part" extension, when curl/wget exit with 0
  * Pass the exit code from curl/wget as exit code of abuild-fetch
  * Wherever abuild-fetch would return an exit code on its own, the
    codes have been changed to be > 200 (so they don't collide with
    curl's as of now 92 exit codes)
  * Remove undocumented feature of downloading multiple source URLs at
    a time. This doesn't match with the usage description, was not used
    in abuild at all and it would have made it impossible to pass the
    exit code.
* abuild:
  * After downloading, when curl is installed and abuild-fetch has
    33 as exit code (curl's HTTP range error), then delete the partfile
    and try the download again.

Changes:
* argument sanity checks:
  * `PKGNAME[-PKGVER] | SRCURL`
    * check if missing
    * check if specified more than once (see below)
  * specifying more than one buildtype flag
  * `-n` (set pkgname) without using SRCURL as last argument
  * `-s` (sourceforge source) without using PKGNAME as last argument
* Typo fix: exist -> exists
* `usage()`:
  * always print PKGNAME and PKGDESC (instead of NAME and DESC,
    NAME was used in one place and PKGNAME in another)
  * link to <https://spdx.org/licenses/>
  * `-m` (meson) flag was missing in short usage line at the top
  * indicate that the buildtypes are exclusive
  * `-c` flag: remove "to new directory" wording to make the
    message shorter (this should be obvious)
  * remove empty line at the end

NOTE: Before this commit, the `PKGNAME[-PKGVER] | SRCURL` was allowed
to be specified more than once, and the code looped over the arguments.
But this was not documented in `usage()` and had unexpected results:
```
$ newapkbuild first second third
$ tree
.
└── first
    ├── APKBUILD
    ├── first
    │   ├── APKBUILD
    │   ├── first
    │   │   ├── APKBUILD
    │   │   └── src
    │   └── src
    └── src
```

scanelf may pick up tempfiles created by strip or setfattr since it runs
in a separate process and pipes the output to a subshell. This causes a race
and may lead to the while loop attempting to strip something that no longer
exists.
We fix that by testing if the file exists before trying to manipulate it. We could
have written the file list to a temp file first, but this way we benefit
from multiple cores working in parallel.

unpack will no longer unpack without a checksum, even with -f. This
means that newapkbuild will not be able to deduce what kind of build
system is contained within, so the templates for CMake, Perl, etc are
never used.
This patch ensures checksumming is done right after fetch, so that
unpack works properly.

`git describe` by default looks for tags, but `git clone` does not clone
tags by default which causes failures on travis currently.
Also redirect `git describe` errors to /dev/null while being here.

I forgot to add a patch file to the source variable in an APKBUILD,
although I did add it to the sums variable.
The error message made it seem that I'd forgotten to add the file to the
source directory, which led me to check if my build system was missing
the files for some reason.
Only after reading the `abuild.in` file did I understand what happened.
Hopefully this change makes the message clearer and more helpful.

Licenses will be checked against the license.lst file provided by
the spdx-licenses-list package when installed except when explicitly
disabled by the !spdx options flag.

abuild, as packaged in Alpine Linux, does not depend on git. But when
you use it without git, it will print out errors like the following:
```
/usr/bin/abuild: line 2554: git: not found
```
With this commit, it saves the git_path in the beginning (just like
abuild_path). Later in the code it does not try to run git if that
variable is empty.
Notably `abuild rootbld` is already checking whether `abuild-rootbld`
is installed, and that subpackage of `abuild` does already depend on
`git`. So no additional check was added before using `git` inside
`rootbld`.
Fixes #32

The force flag used to skip the following functions, without any
documentation in the help (-h) output:
* verify (checksum verification)
* initdcheck (check if the init scripts are openrc scripts)
* check_arch (check if the target architecture is in "arch=")
* check_libc (check if the target libc is masked in the options)
This was counter-intuitive and could even be dangerous (when one relies
on the checksum verification to prevent man-in-the-middle attacks, but
always uses the -f flag).
With this commit, it only skips check_arch and check_libc besides the
package up to date check, and the help output mentions this.