-rw-r--r-- | libre/blender/PKGBUILD | 2 | ||||
-rw-r--r-- | libre/systemd/PKGBUILD | 13 | ||||
-rw-r--r-- | libre/systemd/systemd-hwdb.hook (renamed from libre/systemd/udev-hwdb.hook) | 4 | ||||
-rw-r--r-- | libre/systemd/systemd-update.hook | 11 | ||||
-rw-r--r-- | libre/systemd/systemd.install | 10 | ||||
-rw-r--r-- | nonprism/darktable/PKGBUILD | 6 | ||||
-rw-r--r-- | pcr/systemd-knock/PKGBUILD | 94 | ||||
-rw-r--r-- | pcr/systemd-knock/systemd-hwdb.hook (renamed from pcr/systemd-knock/udev-hwdb.hook) | 4 | ||||
-rw-r--r-- | pcr/systemd-knock/systemd-update.hook | 11 | ||||
-rw-r--r-- | pcr/systemd-knock/systemd.install | 10 |
10 files changed, 112 insertions, 53 deletions
diff --git a/libre/blender/PKGBUILD b/libre/blender/PKGBUILD index d868e35ca..a59cd7aa7 100644 --- a/libre/blender/PKGBUILD +++ b/libre/blender/PKGBUILD @@ -46,7 +46,7 @@ elif [[ "${_git}" = 'no' ]]; then pkgver="${_gittagver}.${_gittagrev}" # Revision fi -pkgrel='6.parabola1' +pkgrel='7.parabola1' epoch='17' pkgdesc='A fully integrated 3D graphics creation suite, without nonfree CUDA support' arch=('i686' 'x86_64' 'armv7h') diff --git a/libre/systemd/PKGBUILD b/libre/systemd/PKGBUILD index e939c59a5..b2d3aa997 100644 --- a/libre/systemd/PKGBUILD +++ b/libre/systemd/PKGBUILD @@ -7,12 +7,12 @@ pkgbase=systemd pkgname=('systemd' 'libsystemd' 'systemd-sysvcompat' 'libsystemd-standalone' 'libudev' 'nss-myhostname' 'nss-mymachines' 'nss-resolve') pkgver=232 -pkgrel=7.parabola1 +pkgrel=8.parabola1 arch=('i686' 'x86_64' 'armv7h') url="https://www.github.com/systemd/systemd" makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf' 'intltool' 'iptables' 'kmod' 'libcap' 'libidn' 'libgcrypt' - 'libmicrohttpd' 'libxslt' 'util-linux' 'linux-api-headers' + 'libmicrohttpd' 'libxslt' 'util-linux' 'linux-libre-api-headers' 'python-lxml' 'quota-tools' 'shadow' 'git') makedepends_i686=('gnu-efi-libs') makedepends_x86_64=('gnu-efi-libs') @@ -24,9 +24,10 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver" 'parabola.conf' 'loader.conf' 'systemd-user.pam' + 'systemd-hwdb.hook' 'systemd-sysusers.hook' 'systemd-tmpfiles.hook' - 'udev-hwdb.hook' + 'systemd-update.hook' '0001-disable-RestrictAddressFamilies-on-i686.patch' '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch' '0001-nspawn-don-t-hide-bind-tmp-mounts.patch' 
@@ -44,9 +45,10 @@ sha512sums=('SKIP'
 '70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8'
 '6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9'
 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19'
+ '2c1f765e7cefc50f07ad994634ea25d9396e6b9c0de46e58f18377e642a471517a0dbf5eb547070a38c6ecf84ec8e030f650a6cee010871cd7a466a32534adda'
 '9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22'
 '0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067'
- '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862'
+ '10190fba9f39a8f4b620a0829e0ba8ed63bb4dbeca712966011ee7807880d01ab2abff1a80baafeb6674db70526a473fe585db8190e864f318fc4d6068552618'
 '89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f'
 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219'
 '68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35'
@@ -268,9 +270,10 @@ package_systemd() { install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf install -Dm644 "$srcdir/splash-parabola.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-parabola.bmp + install -Dm644 "$srcdir/systemd-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-hwdb.hook" install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook" install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook" - install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook" + install -Dm644 "$srcdir/systemd-update.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-update.hook" # overwrite the systemd-user PAM configuration with our own install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user" diff --git a/libre/systemd/udev-hwdb.hook b/libre/systemd/systemd-hwdb.hook index 7bc055b4e..d7c987724 100644 --- a/libre/systemd/udev-hwdb.hook +++ b/libre/systemd/systemd-hwdb.hook @@ -6,6 +6,6 @@ Operation = Remove Target = usr/lib/udev/hwdb.d/* [Action] -Description = Updating udev Hardware Database... +Description = Updating udev hardware database... When = PostTransaction -Exec = /usr/bin/udevadm hwdb --update +Exec = /usr/bin/systemd-hwdb --usr update diff --git a/libre/systemd/systemd-update.hook b/libre/systemd/systemd-update.hook new file mode 100644 index 000000000..3697fbd70 --- /dev/null +++ b/libre/systemd/systemd-update.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/ + +[Action] +Description = Arming ConditionNeedsUpdate... +When = PostTransaction +Exec = /usr/bin/touch -c /usr diff --git a/libre/systemd/systemd.install b/libre/systemd/systemd.install index b59de2008..f799c882d 100644 --- a/libre/systemd/systemd.install +++ b/libre/systemd/systemd.install 
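Review bot: The new systemd-update.hook carries no comment explaining why a pacman transaction touches /usr, and the description `Arming ConditionNeedsUpdate...` only makes sense to a reader who already knows the mechanism. A leading comment such as `# Bump the mtime of /usr so units with ConditionNeedsUpdate= run on the next boot` would document the intent, together with a remark that `-c` keeps touch from creating the path if it is missing. The same file is added unchanged under pcr/systemd-knock.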
@@ -36,6 +36,15 @@ _230_1_changes() { echo ':: systemd-bootchart is no longer included with systemd' } +_232_8_changes() { + # paper over possible effects of CVE-2016-10156 + local stamps=(/var/lib/systemd/timers/*.timer) + + if [[ -f ${stamps[0]} ]]; then + chmod 0644 "${stamps[@]}" + fi +} + post_install() { systemd-machine-id-setup @@ -68,6 +77,7 @@ post_upgrade() { 219-2 219-4 230-1 + 232-8 ) for v in "${upgrades[@]}"; do diff --git a/nonprism/darktable/PKGBUILD b/nonprism/darktable/PKGBUILD index 31189bd9c..a7eb29c3d 100644 --- a/nonprism/darktable/PKGBUILD +++ b/nonprism/darktable/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 204142 2017-01-01 22:06:34Z spupykin $ +# $Id: PKGBUILD 209497 2017-01-30 13:15:21Z spupykin $ # Maintainer (Arch): Sergej Pupykin <pupykin.s+arch@gmail.com> # Contributor (Arch): Christian Himpel <chressie at gmail dot com> # Contributor (Arch): Johannes Hanika <hanatos at gmail dot com> @@ -6,7 +6,7 @@ pkgname=darktable epoch=2 -pkgver=2.2.1 +pkgver=2.2.2 pkgrel=1.nonprism1 pkgdesc="Utility to organize and develop raw images, without flickcurl support" arch=('i686' 'x86_64' 'armv7h') @@ -23,7 +23,7 @@ optdepends=('librsvg' 'osm-gps-map' 'libcups') validpgpkeys=('C4CBC150699956E2A3268EF5BB5CC8295B1779C9') # even releases are stable, do not change source url! source=("https://github.com/darktable-org/darktable/releases/download/release-${pkgver}/darktable-${pkgver/rc/.rc}.tar.xz"{,.asc}) -sha256sums=('da843190f08e02df19ccbc02b9d1bef6bd242b81499494c7da2cccdc520e24fc' +sha256sums=('766d7d734e7bd5a33f6a6932a43b15cc88435c64ad9a0b20410ba5b4706941c2' 'SKIP') build() { diff --git a/pcr/systemd-knock/PKGBUILD b/pcr/systemd-knock/PKGBUILD index 590ff3bfb..46c3364ca 100644 --- a/pcr/systemd-knock/PKGBUILD +++ b/pcr/systemd-knock/PKGBUILD 
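Review bot: `_232_8_changes` tests only `${stamps[0]}` with `-f` and then hands every glob match to `chmod`; both follow symlinks, so a first entry that is not a regular file skips the whole repair, while later entries are changed without any check. Handling each entry on its own is more robust: `for f in "${stamps[@]}"; do [[ -f $f && ! -L $f ]] && chmod 0644 "$f"; done`. The comment could also state what is being repaired (as far as I know, CVE-2016-10156 is systemd creating world-writable setuid files when timers were used) and that resetting the mode says nothing about whether a stamp file was modified while it was writable. The identical function is added to pcr/systemd-knock/systemd.install.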
@@ -9,7 +9,7 @@ pkgbase=systemd-knock pkgname=('systemd-knock' 'libsystemd-knock' 'systemd-knock-sysvcompat' 'libsystemd-knock-standalone' 'libudev-knock' 'nss-knock-myhostname' 'nss-knock-mymachines' 'nss-knock-resolve') pkgver=232 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64' 'armv7h') url="https://www.github.com/systemd/systemd" makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf' @@ -29,9 +29,10 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver" 'parabola.conf' 'loader.conf' 'systemd-user.pam' + 'systemd-hwdb.hook' 'systemd-sysusers.hook' 'systemd-tmpfiles.hook' - 'udev-hwdb.hook' + 'systemd-update.hook' '0001-disable-RestrictAddressFamilies-on-i686.patch' '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch' '0001-nspawn-don-t-hide-bind-tmp-mounts.patch' 
@@ -53,9 +54,10 @@ sha512sums=('SKIP'
 '70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8'
 '6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9'
 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19'
+ '2c1f765e7cefc50f07ad994634ea25d9396e6b9c0de46e58f18377e642a471517a0dbf5eb547070a38c6ecf84ec8e030f650a6cee010871cd7a466a32534adda'
 '9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22'
 '0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067'
- '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862'
+ '10190fba9f39a8f4b620a0829e0ba8ed63bb4dbeca712966011ee7807880d01ab2abff1a80baafeb6674db70526a473fe585db8190e864f318fc4d6068552618'
 '89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f'
 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219'
 '68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35'
@@ -83,45 +85,60 @@ _backports=( '3d4cf7de48a74726694abbaa09f9804b845ff3ba' # build-sys: check for lz4 in the old and new numbering scheme (#4717) ) -#_validate_tag() { -# local success fingerprint trusted status tag=v$pkgver -# -# parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) -# -# if (( ! success )); then -# error 'failed to validate tag %s\n' "$tag" -# return 1 -# fi -# -# if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then -# error 'unknown or untrusted public key: %s\n' "$fingerprint" -# return 1 -# fi -# -# case $status in -# 'expired') -# warning 'the signature has expired' -# ;; -# 'expiredkey') -# warning 'the key has expired' -# ;; -# esac -# -# return 0 -#} +_validate_tag() { + local success fingerprint trusted status tag=v$pkgver + + parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) + + if (( ! success )); then + error 'failed to validate tag %s\n' "$tag" + return 1 + fi + + if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then + error 'unknown or untrusted public key: %s\n' "$fingerprint" + return 1 + fi + + case $status in + 'expired') + warning 'the signature has expired' + ;; + 'expiredkey') + warning 'the key has expired' + ;; + esac + + return 0 +} prepare() { cd "$_pkgbase" -# _validate_tag || return + _validate_tag || return if (( ${#_backports[*]} > 0 )); then git cherry-pick -n "${_backports[@]}" fi - # apply FSDG, Knock and another patches + # https://github.com/systemd/systemd/issues/4789 + patch -Np1 <../0001-nspawn-don-t-hide-bind-tmp-mounts.patch + + # these patches aren't upstream, but they make v232 more useable. 
+ + # https://github.com/systemd/systemd/issues/4575 + patch -Np1 <../0001-disable-RestrictAddressFamilies-on-i686.patch + + # https://github.com/systemd/systemd/issues/4595 + # https://github.com/systemd/systemd/issues/3826 + patch -Np1 <../0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch + + # apply Knock patch + patch -Np1 -i "$srcdir"/0001-adds-TCP-Stealth-support-to-systemd-231.patch + + # apply FSDG patches local patchfile - for patchfile in "$srcdir"/*.patch; do + for patchfile in "$srcdir"/????-FSDG-*.patch; do patch -Np1 -i "$patchfile" done @@ -142,21 +159,14 @@ build() { CXXFLAGS+=" -fno-lto" fi - local enable_gnuefi='' - if [ "$CARCH" != "armv7h" ]; then - enable_gnuefi='--enable-gnuefi' - fi - local configure_options=( --libexecdir=/usr/lib --localstatedir=/var --sysconfdir=/etc --enable-lz4 - $enable_gnuefi --disable-audit --disable-ima - --enable-tcp-stealth --with-sysvinit-path= --with-sysvrcnd-path= @@ -165,6 +175,9 @@ build() { --with-dbuspolicydir=/usr/share/dbus-1/system.d --without-kill-user-processes ) + if [ "$CARCH" != "armv7h" ]; then + configure_options+=(--enable-gnuefi) + fi ./configure "${configure_options[@]}" 
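Review bot: The re-enabled `_validate_tag` rejects a signing key only when it is both absent from `validpgpkeys` and not trusted, so any key that the build user's keyring marks as trusted passes even though the PKGBUILD does not pin it. The source is fetched over `git://` with a `SKIP` checksum (visible in the earlier hunks), which makes this tag check the only integrity control, so the pin should be unconditional: `if ! in_array "$fingerprint" "${validpgpkeys[@]}"; then`. The `validpgpkeys` array is not visible in this diff, so confirm it is defined and non-empty. `parse_gpg_statusfile` and `in_array` appear to be makepkg-internal helpers, and a comment saying so would help when makepkg changes. prepare() continues past the end of the hunk.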
@@ -270,9 +283,10 @@ package_systemd-knock() { install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf install -Dm644 "$srcdir/splash-parabola.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-parabola.bmp + install -Dm644 "$srcdir/systemd-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-hwdb.hook" install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook" install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook" - install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook" + install -Dm644 "$srcdir/systemd-update.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-update.hook" # overwrite the systemd-user PAM configuration with our own install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user" diff --git a/pcr/systemd-knock/udev-hwdb.hook b/pcr/systemd-knock/systemd-hwdb.hook index 7bc055b4e..d7c987724 100644 --- a/pcr/systemd-knock/udev-hwdb.hook +++ b/pcr/systemd-knock/systemd-hwdb.hook @@ -6,6 +6,6 @@ Operation = Remove Target = usr/lib/udev/hwdb.d/* [Action] -Description = Updating udev Hardware Database... +Description = Updating udev hardware database... When = PostTransaction -Exec = /usr/bin/udevadm hwdb --update +Exec = /usr/bin/systemd-hwdb --usr update diff --git a/pcr/systemd-knock/systemd-update.hook b/pcr/systemd-knock/systemd-update.hook new file mode 100644 index 000000000..3697fbd70 --- /dev/null +++ b/pcr/systemd-knock/systemd-update.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/ + +[Action] +Description = Arming ConditionNeedsUpdate... +When = PostTransaction +Exec = /usr/bin/touch -c /usr diff --git a/pcr/systemd-knock/systemd.install b/pcr/systemd-knock/systemd.install index b59de2008..f799c882d 100644 --- a/pcr/systemd-knock/systemd.install +++ b/pcr/systemd-knock/systemd.install 
@@ -36,6 +36,15 @@ _230_1_changes() { echo ':: systemd-bootchart is no longer included with systemd' } +_232_8_changes() { + # paper over possible effects of CVE-2016-10156 + local stamps=(/var/lib/systemd/timers/*.timer) + + if [[ -f ${stamps[0]} ]]; then + chmod 0644 "${stamps[@]}" + fi +} + post_install() { systemd-machine-id-setup @@ -68,6 +77,7 @@ post_upgrade() { 219-2 219-4 230-1 + 232-8 ) for v in "${upgrades[@]}"; do |