Packages need to be able to differentiate between install and upgrade
scenarios, seems commit ab069ec876 with
half the lights out...
As %posttrans happens after all the excitement, with the erasure elements
already executed, so the installed package count cannot be used to
differentiate between install and upgrade. So we need to find it out the
hard way: see if there's an erasure element that depends on this
package.
For the very unlikely case when openat() succeeded but fstatat()
doesn't, the directory descriptor may be left open. Rearrange
the code a bit to ensure it'll always get closed when appropriate.
Suggested-by: Pavel Kopylov <pkopylov@cloudlinux.com>
Suggested-by: Dmitry Antipov <dantipov@cloudlinux.com>
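
The cleanup pattern the commit message above describes, as an added example that is not rpm's own code: `open_checked_dir` and `count_open_fds` are hypothetical names, and the directory/identity check between fstatat() and fstat() is an assumed reason for the stat calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count descriptors currently open in this process, to make leaks visible. */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Hypothetical helper, not rpm's function: open `name` under `dirfd` and
 * return the descriptor only if it is a directory and is the same object
 * that fstatat() sees at that name. Returns -1 on any failure. */
int open_checked_dir(int dirfd, const char *name)
{
    struct stat lsb, sb;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return -1;
    /* Success is the only early return; every failure falls through. */
    if (fstatat(dirfd, name, &lsb, AT_SYMLINK_NOFOLLOW) == 0 &&
        fstat(fd, &sb) == 0 &&
        S_ISDIR(sb.st_mode) &&
        lsb.st_dev == sb.st_dev && lsb.st_ino == sb.st_ino)
        return fd;
    /* openat() succeeded but a later check did not: close before failing. */
    close(fd);
    return -1;
}

int main(void)
{
    int before = count_open_fds();
    int fd = open_checked_dir(AT_FDCWD, ".");
    printf("fd=%d open before=%d now=%d\n", fd, before, count_open_fds());
    if (fd >= 0)
        close(fd);
    return count_open_fds() == before ? 0 : 1;
}
```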
Hack to allow suppressing key import lint warning messages. Emitting
warning messages depending on verbosity level is ugly but for the case
at hand (different output between PGP backends on CI) it's probably the
lesser evil here.
Initial patch by Neal H. Walfield.
Instead of constructing a new list from scratch and returning that, just
extend the passed list. This makes it easier to use this function
incrementally when expanding multiple patterns in a loop, such as during
package manifest parsing which we adapt here right away.
Preserve the ability to pass NULL as argvPtr and still get a match count
via argcPtr, by keeping the local argv around for that case.
No functional change.
This is an incomplete release-early version, NOT intended or
suitable for production use. It is intended to replace the autotools
based buildsystem in rpm 4.20, until then it'll be developed alongside
it. This causes some extra complications of course, but then we avoid
a huge flag-day, and that matters more.
To those wondering why cmake and not ${myfavorite}: the community around
us effectively made that choice for us. We've made a lot of noise about
bootstrap dependencies. When libsolv, dnf and all the related stack is
powered by cmake build, it'd be just foolish to go with anything else.
This way people working on the rpm stack have only one build system to
learn, there's peer support available nearby and bootstrap dependencies
are reduced, not increased. It also doesn't hurt that cmake is actually
and actively maintained.
We currently accept a space-separated list of patterns here so any
backslash, whether it belongs to a space char or not, gets consumed by
poptParseArgvString() before the string is passed to glob(3), requiring
callers to double-escape anything they wish to keep literal.
Fix that by only accepting one pattern. Adapt the one caller which
relies on this actually being a list, in rpmReadPackageManifest(), and
those callers where we preserve spaces by escaping them which is no
longer needed.
Replace our own heuristic emulating GLOB_NOMAGIC with the actual flag to
glob(3) so that literal (double) backslashes are also handled properly.
Keep the indentation of the original for loop to make the diff easier to
read, next commit will fix that.
No immediate effect within RPM since we currently avoid passing escaped
patterns to rpmGlob(), this is just a prerequisite for the following
commits. External users of rpmGlob(), as unlikely as they are, might,
in theory, notice this subtle change but we'll be bumping the soname in
4.19 so that's covered.
cap_compare() is in libcap since 2008 or so, we really don't need to
bother with versions older than that. Another redundant configure check
and a piece of moldy code bites the dust.
Commit d703160334 introduced a new step
to key import which can fail before keyring is initialized.
Always initialize your variables, never need "fixes" like this.
Sqlite WAL threshold of 1000 pages is way too low for rpmdb as a single
header often exceeds that, but disabling the checkpointing entirely can
cause the WAL to grow to multiple gigabytes during large distro update
transactions, which isn't healthy either. Bump the threshold to 10000
pages which caps the WAL size to tens of megabytes, which hopefully
is a reasonable balance between performance on rotational disks (anybody
remember those?) and disk space consumption.
Also drop no longer meaningful link to %_flush_io configuration.
When importing an OpenPGP certificate, lint the certificate to show
the user possible issues. Fail if the certificate is completely
unusable. Using the Sequoia backend, this yields, for instance:
    $ ./rpmkeys --import tests/data/keys/alice-revoked-subkey.asc
    Certificate B3A771BFEB04E625:
      Subkey 1F71177215217EE0 was revoked: Key material has been compromised, it was the maid
      Certificate does not have any usable signing keys
Fixes #1974.
The subsequent code relied on buffer length being explicit PATH_MAX
which certainly was no longer the case. Clearly, our test-suite does
not exercise this code...
Should've been in commit b1bc46e56a
Since we're requiring POSIX.1-2008 now, we can rely on realpath()
being sane as well. Turns out we've been relying on that in the
debuginfo build-id code since 2016 already (commit
bbfe1f86b2), oops. But then, nobody
has complained...
No functional changes.
rpmio/digest.h contains definitions that are only used by the internal
OpenPGP parser, and are not required by the future Sequoia backend.
Move those definitions into rpmio/rpmpgp_internal.h.
Fixes #2006.
- Add accessor functions pgpDigParamsSignID, pgpDigParamsUserID,
pgpDigParamsVersion, and pgpDigParamsTime.
- Move the definition of `pgpDigParams_s` from `rpmio/digest.h` to
`rpmio/rpmpgp.c`.
- Change code to use the accessor functions.
- Fixes #1979.
The fs keyring doesn't of course need the header to be created, but
going through the same motions ensures consistent results, ie the
key goes through the same validation steps and we also get a
"descriptive" file name for free (descriptive in that it matches the
rpmdb NVR)
The keyring a transaction uses shouldn't change by somebody defining
macro in the meanwhile. Add an enum for known types and a helper to
lazily determine it on the first keyring load.
Commit 2d52726bd5 was not SUPPOSED to
change any behavior, but it did: "shared" colored files (ie one being
wrong color and the other one actually installed) removed in the
same transaction would not get removed at all. Fix the embarrassment
that happens when you don't have systematic tests.
Fixes: #1800
Commit f311fb65ee added a step to reset
calculated states between rpmtsRun() calls to allow for %pretrans
hacks, but this causes actions set for --excludepath to get lost.
While those do get recalculated at the time of actual install and
correctly skipped, this causes them to be considered for file
disposition which they should not.
Files that are not installed cannot conflict with anything, any more
than skipped files can. The latter we handled, the former not. Strange
what "obvious" cases can go on unnoticed forever, when lacking systematic
tests.
fsmClose() does all the necessary checks and resets the fd to -1 after
close, why duplicate these all over the code when we already have a
function...
There's no difference wrt file descriptors getting closed here, but
there is a side-effect to this: if %_flush_io is enabled, they now
get fsync() on the associated directories too, which I think is a good
thing for those who care about it.
Commit 0e3024ca3e introduced a leak on
directory file descriptors from hardlinked sets, preventing some large
packages with many hardlinks from installing at all.
fsmMkfile() needs to close the firstdir fd when done with it because
that's the only place that knows when it's safe to do so. However, there
could be non-hardlink entries left in the same directory, so we must not
close *that* descriptor. Dup the firstdir descriptor so we're free to
close it without worrying about the other state.
Fixes: #1947
This is insecure in so many ways I'm not going to bother trying to list
them all. It's an undocumented "feature" left over from more innocent
times, time to give it the axe.
Introduced back in 2007 in 5831404601 the
point was to fake up a sane public header structure with minimal
internal disruption, TEMPORARILY. I think 15 years is temporary enough.
The machinery has worked rather well for what it is, but having the
headers appear in multiple locations is weird and confusing to people,
plus this "physical" separation makes it far clearer what is
a public header and what isn't.
Stop including rpmtag.h from rpmtypes.h, fix callers instead.
This fixes the long-standing issue that rpmtypes.h is not the
free-standing header it's supposed to be and that its sole purpose
is, ie safe to include from anywhere.