Age | Commit message (Collapse) | Author |
|
It's important to ensure the guest has up to date data because updating
a chroot after quite some time can potentially rely on updated
archlinux-keyring, something which the host machine either kept up to
date on or manually fixed, but it kills automation to mess around with
chroot configs like that. Alternatively, signed packages added with -I
need to work, and we assume the host is configured to accept these.
That is *not* a good reason to completely nuke whatever is in the guest,
though. A guest might have been manually configured to accept keys which
aren't accepted by the host; one example of this happening in practice,
is archlinux32 when building 32-bit packages from an archlinux host.
A simple solution is to use pacman-key's native facility to dump the
known keys and trust status from one gpg configuration, and import it
into another. Use this to append to, rather than overwrite, the chrooted
guest's pacman keyring.
While we are at it, fix a bug where we didn't respect the host's
pacman.conf settings for the GpgDir. While it isn't wildly likely a user
will choose to customize this, it is a valid and supported use case and
we must think about this ourselves.
|
|
|
|
--verifysource"
|
|
Previously, arch-nspawn was using the hosts' pacman cache in
the chroot even when the chroot was set up with a different
cache by mkarchroot, unless specified with the -c flag.
Problem is that makechrootpkg passes no -C, -M nor -c flags
to arch-nspawn, so all values must be obtained from the
working directory.
This change take the cache directories from the pacman.conf
specified with the -C option unless the -c option was given
(as is the case when the chroot is set up with mkarchroot),
and, when neither -C nor -c is given (as is the case when
invoked by makechrootpkg), the cache directory is taken
from the pacman.conf in the working directory.
This wasn't such an issue when i686 was mainline, however,
which building packages in a chroot against archlinux32 on
an x86_64 platform, the cache of the host should _never_ be
used.
|
|
non-x86_64-build, so we do not use any-packages from x86_64 mirrors, and cross-mount inside to /var/cache/pacman/pkg
|
|
pacman-staging-with-build-support-i686.conf: reorder repositories and add repo build-support for i686
|
|
|
|
|
|
This reverts commit 7259e7def07a5f6ee04a34db61a87361ad0b5ac7, except for commitpkg.in
|
|
|
|
|
|
|
|
|
|
Even if continue would work, it does exactly the same as a return
in the way this function is being used.
|
|
makechrootpkg's download_sources() leaves a stray directory if
"makepkg --verifysource" failed. We use "setup_workdir" instead
of "mktemp -d", because this ensures the correct garbage collection.
Signed-off-by: Erich Eckner <git@eckner.net>
|
|
Les us source makepkg.conf settings from the environemnt. This also includes
`GNUPGHOME` which is present in `makechrootpkg`, but not included in archbuild.
Signed-off-by: Morten Linderud <foxboron@archlinux.org>
|
|
|
|
|
|
|
|
|
|
makepkg 5.1 implements error codes, and 14 means that installing the
packages after they were built has failed. We don't care about this
error and would like makechrootpkg to succeed regardless, e.g. for split
packages that are mutually exclusive.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
chown support "$user:$group" but also "$user:" which infers $group
rather than leaving it as root. This looks up the group name in cases
where the default group is e.g. "users" and users do not get their own
unique groups.
|
|
It is much nicer to use a proper configuration parser to retrieve the
primary mirror, rather than clever hacks using undocumented APIs,
especially when their behavior as used then breaks in later releases.
Fortunately, pacutils exists now and pacconf handles this quite
elegantly. It has since been moved to pacman-git proper.
Check if pacman-conf from a new enough version of pacman exists and
fallback on pacconf from pacutils.
|
|
cache"
This reverts commit eb6b0e3f11279b6512b1469ff042d2982eaaeef4.
This never worked, as pacman-git returns file urls from the cache anyway
and pacman stable doesn't have any problem at all. Having useless code
which makes people think the issue is solved when it really isn't, is
bloat, so remove it.
|
|
Since commit 75fdff1811a0487f82c75b2e260da905102b4eea we no longer run
integrity checks inside the chroot anyway, so this is no longer needed
and will never be used.
|
|
Without it, sudo 1.8.23 will return an error:
sudo: PAM account management error: Authentication
service cannot retrieve authentication info
|
|
In pacman-git commit d8717a6a9666ec80c8645d190d6f9c7ab73084ac makepkg
started checking that the setuid/setgid bit could be removed on the
$BUILDDIR in order to prevent this propagating to the packages
themselves. Unfortunately, this requires the temporary builddir used
during the --verifysource stage of makepkg, to be owned by $makepkg_user
which was not the case as it is created as root using mktemp (and given
world rwx in addition to the restricted deletion bit.)
Obviously makepkg cannot chmod a directory that it does not own. Fix
this by making $makepkg_user the owner of that directory, as should have
been the case all along.
(Giving world rwx is illogical on general principle. The fact that this
is a workaround for makepkg demanding these directories be writable even
when they are not going to be used for the makepkg options in question,
is not justification for being careless.)
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
|
|
Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user
uses a custom GPG home directory, the siganture checking would fail.
Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.
Signed-off-by: Emiel Wiedijk <me@aimileus.nl>
|
|
While still possible with 'commitpkg core', there is a chance it will
prevent accidental pushes straight to [core].
|
|
|
|
This worked properly until eab5aba.
|
|
Support for working with `set -u` was broken by 94160d6. Egg on my
face; I'm the one who wants `set -u` support, and I'm the author of
that commit!
libmakepkg does not work with `set -u`; but mostly because of the include
guards! So we just need to temporarily disable `set -u` (nounset) while
loading libmakepkg. Instead of introducing a new variable, just store the
initial nounset status in _INCLUDE_COMMON_SH; rather than a useless
fixed-string "true".
While we're at it, disable POSIX-mode (just in case we're running as "sh"
instead of "bash"), since libmakepkg uses bash-isms that won't parse in
POSIX mode.
|
|
|
|
https://lists.parabola.nu/pipermail/dev/2017-June/005576.html
|
|
Don't use error-prone logic e.g.
foo=true; if $foo ...
This completely fails to act as expected when the variable is unset
because of unrelated bugs.
While this merely causes the default behavior to be "false" rather than
"true" in such cases, it is better to fail to enable explicitly
requested behavior (which will be noticed by the user) than to simply
upgrade to this behavior for free (which may not seem to have any
obvious cause).
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
|
|
Fixes regression in 2fd5931a8c67289a8a4acd327b3ce99a5d64c8c7
$run_namcap will always be set to ""
`if $not_a_var; then ...; fi` is always truthful when $not_a_var is
unset or equal to "" and the `then` clause will always be run.
I'm not sure why global state variables need to be cloned locally for
their sole explicit purpose.
But for now this patch implements the minimum necessary work to properly
pass the "do I want namcap" variable into prepare_chroot() according to
the current logic flow.
Note that I have still not thorougly tested makechrootpkg.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
|
|
This reverts commit ddd508efc083fc9beb6f2c96e2537521b31c1e6f.
The underlying bug (FS#56529) was fixed in glibc 2.26-9.
|
|
Recent development versions of makepkg support reproducible builds
through the environment variable SOURCE_DATE_EPOCH. Pass this variable
through makechrootpkg to makepkg when available.
Also initialize SOURCE_DATE_EPOCH whenever running archbuild to enforce
reproducible builds for repository packages.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
|
|
|
|
|
|
This mirrors dbscripts commit
625fa02 by Pierre Schmitz <pierre@archlinux.de> at 2017-04-18 14:20:49
|
|
A couple of the comments noting which globals are used by functions are
outdated/wrong.
- download_sources() : Remove USER from the list. It was always wrong.
Originally, it should have been SUDO_USER (not USER), but I should have
removed it entirely in 4f23609.
- move_products() : Add SRCPKGDEST to the list. Though the commit adding
the comment was only recently upstreamed (as 2fd5931), it originated in
2013 in a commit that has since been rebased many times. Anyway, in
this rebasing, it missed move_products() starting to pay attention to
SRCPKGDEST in fd1be1b (since nothing made git think there was a
"conflict").
|
|
The reason it wasn't moved before was just to keep the diffs
(with --ignore-all-space) smaller, to make merging and rebasing work
easier. Moving code around in a file tends to make that difficult.
But, readability wise, it belongs in main().
|
|
nspawn does not give us a controlling terminal, hence we ignore
interrupts. Apparently this was lost in systemd at some point.
Hack around this by reopening the console to make it the controlling
terminal.
|
|
Coredumps from build chroots are not generally useful. Prevent
them from being generated.
Avoids a lot of annoyance from the GCC testsuite spawning lots of
systemd-coredump processes.
Just set the soft limit so the user can still raise it in the PKGBUILD
if they insist.
|
|
Whoops, this will of course mess with nspawn arguments passed to
arch-nspawn.
|
|
This was lost at some point.
|
|
As not all commands we run are capable of reaping processes correctly.
For example, pacman is not.
|
|
|