In the %apply_patches that inspired %autopatch, patch application
respects the fuzz settings that are used for %patch. %autopatch
and %autosetup weren't using this, which led to an inconsistent
patch application behavior.
Invoking '%__scm_setup_$__scm' without looking at option '-S' in the
specfile, permits dynamic selection of the SCM on the commandline
rpmbuild --define="__scm SCM"
Tested with rpmbuild 4.13, git, svn, ... on Linux Mint 17.2.
Firstly %autosetup showed an error during its expansion if some patch
wasn't available, that is an error was showed during parsing of a spec
file. This caused showing an error during execution of rpmspec
tool (rhbz:1293687).
Now %autosetup doesn't cause an error during parsing of a spec file but
it causes an error during building of specfile if some patch is not
available. Also old macro %patch behaves similarly.
In order to preserve our sanity when reading logs of
%make_build output, adding "-O" to %make_build keeps the output
of each thread contiguous, making the resultant build log
readable and useful. See GNU Make manual for details on the switch.
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
unlike Mageia's %apply_patches which inspired it, %autopatch continues
when it fails to apply a patch because it doesn't exists. Eg:
+ /usr/bin/cat /home/tv/rpmbuild/SOURCES/test.patch2
+ /usr/bin/patch -p1 -s
/usr/bin/cat: /home/tv/rpmbuild/SOURCES/test.patch2: No such file or directory
+ /usr/bin/cat /home/tv/rpmbuild/SOURCES/test.patch
+ /usr/bin/patch -p1 -s
Let's catch that error
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
This plugin extracts file signatures from rpmfiles and writes them to
security.ima xattr. Only non-config file signatures are installed.
Changelog:
- use rpmfi instead of rpmfiles
- use rpmfiFN instead of fsmFsPath
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
Remove rpm asking for passphrase and then passing this passphrase
to gpg via file descriptor (--passphrase-fd) but provide gpg with
access to unredirected stdin to get passphrase directly from user.
Remove also macro %__gpg_check_password_cmd because in this new signing
scheme has no sense. rpm doesn't handle passphrase in any way,
everything is done in gpg including checking of passphrase.
We did this modification because of changes in gpg behavior. Since
gpg-2.1 option "--passphrase-fd" doesn't work by default, only when
it is explicitly allowed in gpg.conf. (rhbz:#1228234)
If it is defined then it is used for queries when "-p" is not set on
commandline. If it is not defined then macro _vsflags_query is used.
For queries with "-p" on commadline macro _vsflags_query is always used.
Macro _vsflags_query_rpmdb is set to 0xf0f00 (no checking) by default.
(rhbz:#438625)
- This adds brutally simple utf-8 validation to spec parse & package
construction: all string-class tags in headers are checked regardless
of other tag semantics.
- Parse-time validation is optional via RPMSPEC_NOUTF8
flag, but package construction time is required as we want to
stomp RPMTAG_ENCODING to all packages that pass. What is always
optional is whether non-valid utf-8 strings fail the build, defaulting
to off (but distros probably want to enable it)
- Note we dont give a damn about the spec itself, only what ends up in
packages: strings can come from numerous other sources than spec
directly, and OTOH who cares if eg spec comments are non-utf?
Read presence of relevant extensions from hwcap. Loosely based on what's
currently in use for Fedora (armv7hl) and Pidora (armv6hl).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- The basic concept is not without merit but what was implemented here
has been stuck in experimental state in middle of two sorta conflicting
goals for four years now, and world has moved onward in the meanwhile.
The sepolicy part is better handled in the new selinux plugin, and other
action business belongs to packages (in the form of some trigger-like
scripts or such) rather than rpm plugins.
- Deleted here, but the sepolicy plugin functionality still needs
merging into the new selinux plugin...
- RPMTAG_COLLECTIONS left in place but tagged unimplemented as per policy
to never actually remove tags
- During building of a package a dummy tag is added to the signature
header. This tag reserves some space for gpg signatures. So during
signing of the package the gpg signatures can be put in this reserved
space and it is not necessary to rewrite the whole package to make some
space for gpg signatures.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- Work around scoping "fun" wrt nested parametrized macro invocations
combined with macro manipulation from %{lua:...}
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- Similar to "%autosetup -S git", but assumes git-formatted patch files
and hence preserves authorship information and commit messages.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- urlGetFile() can only handle one file at a time, so globbing does
not make sense and only confuses us. Besides, useful things like
'rpm -Uvh http://somewhere.org/foo-1.2-1.{i386,x86_64}.rpm'
work just as well without curl-level globbing.
- Incidentally this is also the documented workaround for using
IPv6 numerical addresses with curl (RhBug:1076277)
- Without --index in apply, any file additions will not be committed and
in case the patch contains *only* file addition the macro can fail
completely (empty commit). With --index there's no need for -a in
commit either.
- This allows simplifying the make invokations from specs. In particular
the parallel build options no longer need to be messed with from specs,
and %__make can be overridden to force a different make implementation
to be used throughout the spec.
- While a lot of software builds correctly in parallel, there are always
exceptions... together with _smp_ncpus_max macro this can now be
expressed with a separate "%global _smp_ncpus_max 1" (or any other
arbitrary value beyond which parallel build is buggy) line which
is easy to grep for and experiment with.
- Should've really been in commit cf07feda05
- This kinda points out stupid these manually maintained %fooarch
macros are, nobody remembers to update them.
- Log transaction start + finish, package install/erase and scriptlet
failures. In case of failures, log a failure summary at transaction
end.
- Plenty of room for improvement here, such making the logging and
package identifiers configurable + emitting different messages
for install/upgrade/erase/cleanup. Its a starting point, nothing
more...
- pkg-config isn't multilib-aware by itself so things fail when
building packages for secondary archs (RhBug:212522)
- A variant of this patch has been in Fedora and RHEL for quite some
time, but they used to just brutally override whatever might
have been in PKG_CONFIG_PATH, which can break things in a custom
setup (RhBug:569773). Append instead of full override.
- Bzr defaults to global value on "bzr whoami", so we would mess
up user identity on "%autosetup -S bzr". Oops. Move identity setting
after repo initialization and set the identity per-branch, not global.
The notion of "per-branch identity" seems odd, but then bzr is...
I guess this would be bzr-speak for "per-directory identity"
- For some reason on my own account git keeps functioning even if
I remove its configuration, but on a newly created account git commit
bails out with "Please tell me who you are" unless we set the
(per-repo) configuration here.
- This is highly systemd-specific functionality so it makes sense to
name the plugin in a way that makes it (more) obvious. No other
changes besides renaming.
- We wouldn't want anybody to shutdown (or reboot) the system while a
transaction is in progress, it's just that there hasn't been a whole lot
that could've been done about it. Recent systemd versions provide an API to
prevent shutdowns however:
http://www.freedesktop.org/wiki/Software/systemd/inhibit
- Add a simple plugin which, if enabled, tries to acquire a shutdown
inhibitor lock from systemd for the duration of transactionsd. This
could use better error handling and all... but its a start at least.
- Note that D-BUS is required, but only for the plugin, not (lib)rpm.
- Practically everybody renames the debug information sub-packages
from -debug to -debuginfo, might as well do so upstream already.
Intended to do this like five years ago but kept forgetting...
- Unfortunately patch'es idea of "interesting" output is not ideal for
our purposes: "patching foo.c" is of little value, but hunks with
offsets and fuzz can be important and there's no switch to patch
to get exactly what we want. So let it be chatty... build logs are,
anyway.
- Defaults should be for the common case with disablers for those who want
to do something special, and typically if you have patches you also
want to apply them. Change it while we still can: eliminate -A option to
%autosetup and apply all patches unless -N option is used.
- These are both "appears to have roughly the intended effect" level
tested, but I'm not really familiar with either bzr or quilt so
any further refinements need to come from people actually familiar
with these tools.
- This adds two main macros (+ bunch of helpers) to automate the
common case tasks in %prep:
1) %autopatch which automatically applies all patches from a spec
2) %autosetup which (optionally) takes care of it all, and (also
optionally) sets up a git/hg repository of the unpacked source +
applied patches as it goes.
- This should be considered a starting point only, there are various
things to improve. Eg we'd like to be able to make backups
with plain patch (based on patch number maybe) and at least with git,
we'd like to be able be (optionally) use 'git am' patching style
to preserve original authors + commit messages etc.
- A noteworthy point here is that as these are fully implemented as
macros, they are compatible with several older rpm versions as well.
- Now that this is relatively sanely doable... make %license with
non-absolute paths behave similarly to %doc, only installing to a
different directory (%_licensedir) and with different flags:
licenses are not generic documentation and should not be skipped
on installation even if --nodocs is used. The common practise of
stuffing licenses into %doc actually violates various licenses
which require the license text to always accompany the software.
- While ticket #116 suggests various schemes to reduce disk usage,
adding some very special logic to installation code just to deal
with these doesn't seem justifiable, given how small the licenses
generally are. However with licenses now in their own directory
structure (/usr/share/licenses by default), running hardlink on
them is trivial for cases where disk space is tight
(live images, embedded systems etc)
Teach %prep and %uncompress how to handle 7zip tarballs, with
the mingw toolchain landing in fedora, this may be useful when
crossbuilding Windows sources compressed using 7zip (CxImage is
one such project).
autotools dependency tracking isn't generally useful in rpm builds;
disabling it results in cleaner build logs and possibly slight build
speedups.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- We need to grow some digest (and why not external signature as well)
validation mechanism before we can let rpmbuild download + execute
arbitrary content from the internet, at least by default.
- A larger cache is beneficial in various scenarios, but triggers
horrible worst-case performance under memory pressure (or so my
current theory goes, there might be other factors too). The
worst-case degration is orders of magnitude bigger than the best-case
improvements from the larger cache and for many use-cases doesn't
make a whole lot difference. We could/should tune the cache with
priorizing indexes and all, and perhaps dynamically select the
cache size but for now, the 1Mb cache size is known to "just work".
- While it would be perfectly reasonable to perform signature
checking during db rebuild, this is problematic as long as our
keys live in the same database we're rebuilding: the environment
might be paniced, the indexes required for key lookups might be
corrupt or non-existent etc - one would assume there's a reason for
the db is getting rebuilt in the first place. When signature checking
is enabled, we're forced to generate missing indexes on the potentially
borked database we're just about to rebuild, which might not go very
well, and since they keyring loading has no clue its getting called
from middle of db rebuild it'll try to use a shared environment
which might be broken ... etc.
Neal Gompa (ニール・ゴンパ)