- Use a self-pipe to handle signal race on select(). pselect() would work
too but this is more portable and avoids other signal hassles.
- Use non-blocking IO for communicating with the child to avoid spin-happy
timeouts, just check all fd's properly before trying to use them
- Avoid leaking memory from readBuff on errors
- if fonts are detected in the package being built but fc-query isn't
present, the script exited without consuming stdin which can break
getOutputFrom()
Deciding whether it is necessary to remove the SUID bit based on
the current link count creates an opportunity for a race condition.
A hardlink could be created just between lstat() and chmod().
This reverts commit 89be57ad92.
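An added example (not rpm's code) of the race described in the commit message above: a link-count check placed beside an unconditional strip, with the competing hardlink replayed deterministically in a scratch directory. The function names `strip_if_linked`, `strip_always` and `suid_survives`, and the `/tmp` scratch path, are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the commit message warns about: the decision to strip the
 * setuid bit depends on the link count seen by an earlier lstat(). */
static int strip_if_linked(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISREG(st.st_mode) && st.st_nlink > 1 && (st.st_mode & S_ISUID))
        return chmod(path, st.st_mode & 07777 & ~(mode_t)S_ISUID);
    return 0;
}

/* Link-count-independent variant: strip whenever the bit is set. */
static int strip_always(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID))
        return chmod(path, st.st_mode & 07777 & ~(mode_t)S_ISUID);
    return 0;
}

/* Constructed scenario: a setuid file is about to be removed; a second name
 * appears only after the strip routine has looked at the link count.
 * Returns 1 if the surviving name is still setuid, 0 if not, -1 on error. */
static int suid_survives(int (*strip)(const char *))
{
    char dir[] = "/tmp/suidraceXXXXXX", a[64], b[64];
    struct stat st;
    int fd, rc = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/old", dir);
    snprintf(b, sizeof b, "%s/kept", dir);
    fd = open(a, O_CREAT | O_WRONLY | O_EXCL, 0700);
    if (fd >= 0 && fchmod(fd, 04755) == 0 && strip(a) == 0 &&
        link(a, b) == 0 && unlink(a) == 0 && stat(b, &st) == 0)
        rc = (st.st_mode & S_ISUID) != 0;
    if (fd >= 0) close(fd);
    unlink(a); unlink(b); rmdir(dir);
    return rc;
}

int main(void) { printf("%d %d\n", suid_survives(strip_if_linked), suid_survives(strip_always)); return 0; }
```

Because `chmod()` acts on the inode, the unconditional variant clears the bit for every name, including one created after the `lstat()`.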
This patch allows short-circuiting of building binary packages. To
prevent accidental use of short-circuited rpms, they are marked with
an unsatisfiable dependency "rpmlib(ShortCircuited)". A developer using
this feature for local development and testing will use "--nodeps".
Should such an rpm leak into the world, users will quickly notice
it does not install by default.
(v3: avoids API change, suggested by Panu Matilainen.
v2: added poisoning with unsatisfiable dependency.)
Michal
- the exec plugin was using a private copy of rpmchroot.c to avoid
RPM_GNUC_INTERNAL on the API, better let the plugins use librpm
state instead
- the chroot API really belongs to librpmio but for now...
- file dependencies aren't necessarily on real files, they can be
virtual provides too, e.g. when alternatives is used
- rc was being accessed uninitialized
- oh well, at least I said "supposedly"...
This patch adds a generic plugin, exec.so, that should be sufficient for the
majority of Collection actions. After all packages in a Collection have been
installed/removed, this plugin executes the arguments by calling system(3),
allowing for a very generic and powerful method to perform many actions.
This also adds two sample macros as examples of the format, using the exec.so
plugin.
There are three times during a transaction when Collection actions can be
performed:
1) After the last time a member of a collection is either installed or removed
2) After the last time a member of a collection is installed only
3) Before the first time a member of a collection is removed only
This patch adds three lists to the rpmte structure to mark which transaction
elements fall into each of these groups, and the collections that caused that.
A new function is added to the TSM to scan through all the transaction elements
and update these lists. When a collection is added to one of these lists, it
signifies that when that transaction element is installed, the appropriate
action should be performed for that collection.
This patch adds a simple plugin system that makes simple problems easy to
solve, and difficult problems, such as SELinux, possible.
When the transaction gets to the point where a collection action should occur,
it expands a macro of the form %__collection_<collection name> to get the path
to a plugin and any additional options. The plugin is dlopen'ed, and the
appropriate function is called in the plugin, with the additional arguments
passed in.
This also adds a --nocollections option to disable performing Collection
actions.
This patch adds the install-time feature that if a package requires a package
in a collection, then it also requires all other packages in that collection.
This has the effect that collections will be roughly grouped together during a
transaction.
Although this is not absolutely necessary for the majority of collections, it
is required for the SELinux collection. This is because all SELinux policies
must be installed before the applications they secure to ensure correct labels.
This means we must ensure packages in the selinux collection are ordered
earlier in the transaction than all applications they protect. Adding this
implicit runtime requirement achieves this in a general manner, without major
modifications to dependency ordering.
To accomplish this, this patch splits the addRelation function into two parts:
one that determines which relations to add, and one that actually adds them.
After the usual relation is added between two packages, it then determines if
the required package contains any collections. If so, it finds all other
packages that are in the same collections and creates additional relations.
- We were adding a trailing newline to urlhelper command line passed
to execvp(), with the newline ending up in the URL passed to curl.
Many servers don't seem to mind the extra newline, but some do. Oh well...
- Just like suid/sgid bits, hardlinks to executables with capabilities
set can "leak" permissions to old, potentially vulnerable versions
of binaries. Related to RhBug:598775.