abuild issueshttps://gitlab.alpinelinux.org/alpine/abuild/-/issues2020-07-08T10:52:06Zhttps://gitlab.alpinelinux.org/alpine/abuild/-/issues/9061Checksum in middle of APKBUILD causes issues2020-07-08T10:52:06ZStelios KantosChecksum in middle of APKBUILD causes issuesAs mentioned in this issue:
https://github.com/alpinelinux/abuild/commit/75b8cacaf0468470c502314560a436b80b7fe9af
newapkbuild is putting checksums in the middle of APKBUILD files. I just
noticed a strange issue, after generating a packa...As mentioned in this issue:
https://github.com/alpinelinux/abuild/commit/75b8cacaf0468470c502314560a436b80b7fe9af
newapkbuild is putting checksums in the middle of APKBUILD files. I just
noticed a strange issue, after generating a package with newapkbuild
(and it inserting the checksums in the middle of the file), adding a
patch, and then running “abuild checksum”, multiple lines got deleted
from the middle of my APKBUILD. This included the entire prepare()
section, up to the first line of the build() section.
Maybe the proper solution in the above commit was to move the “unpack”
down to the “checksum” line? Regardless, there’s some strange issues
inside of abuild that caused this to happen in the first place, and it
should probably be investigated further.
*(from redmine: issue id 9061, created on 2018-07-06)*Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/abuild/-/issues/9016Support GnuPG public keys as an alternative to checksums2024-03-24T16:17:48ZalgitbotSupport GnuPG public keys as an alternative to checksumsSigned packages provide more security than checksums, e.g. in the case
of corrupt mirrors or download sites.
The private key is only owned by the devs or release managers. All users
can use the well known public key to verify their dow...Signed packages provide more security than checksums, e.g. in the case
of corrupt mirrors or download sites.
The private key is only owned by the devs or release managers. All users
can use the well known public key to verify their downloads. As an
additional feature, the key can be fetched from keyservers, so
corrupt/revoked keys will throw an error.
e.g. in the case of nginx:
Fetch B0F4253373F8F6F510D42178520A9993A1C052F8 in the APKBUILD and fetch
the \*.asc together with the tarball/signed git tag.
*(from redmine: issue id 9016, created on 2018-06-16)*https://gitlab.alpinelinux.org/alpine/abuild/-/issues/4727abuild sometimes counts package size wrong2019-07-14T07:25:45ZSören Tempelabuild sometimes counts package size wrongI managed to create a package which contains a file in usr/bin. The fact
that this file exists can be confirmed using tar -tvf <path to package>
the output of this command is the following:
-rw-r--r-- root/root 256 2015-10-03 ...I managed to create a package which contains a file in usr/bin. The fact
that this file exists can be confirmed using tar -tvf <path to package>
the output of this command is the following:
-rw-r--r-- root/root 256 2015-10-03 03:28 .SIGN.RSA.soeren+alpine@soeren-tempel.net-55e4833d.rsa.pub
-rw-r--r-- root/root 1060 2015-10-03 03:28 .PKGINFO
drwxr-xr-x root/root 0 2015-10-03 03:28 usr/
drwxr-xr-x root/root 0 2015-10-03 03:28 usr/bin/
-rwxr-xr-x root/root 1309096 2015-10-03 03:28 usr/bin/ncmpcpp
When trying to install the package using \`apk add\` no error is
encountered, however, the output of \`apk info -L ncmpcpp\` claims that
the package doesn’t contain any files:
# apk add packages/testing/x86_64/ncmpcpp-0.6.7-r0.apk
(1/9) Installing boost-system (1.58.0-r1)
(2/9) Installing boost-filesystem (1.58.0-r1)
(3/9) Installing boost-date_time (1.58.0-r1)
(4/9) Installing boost-regex (1.58.0-r1)
(5/9) Installing boost-thread (1.58.0-r1)
(6/9) Installing boost (1.58.0-r1)
(7/9) Installing boost-program_options (1.58.0-r1)
(8/9) Installing taglib (1.9.1-r1)
(9/9) Installing ncmpcpp (0.6.7-r0)
Executing busybox-1.23.2-r9.trigger
OK: 2562 MiB in 476 packages
# apk info -L ncmpcpp
ncmpcpp-0.6.7-r0 contains:
#
I am using apk-tools 2.6.4, compiled for x86\_64. The package which has
this issue is attached below, I also encountered this error with a
different package a few days ago. With the attached package I was able
to reproduce this error on two different machines, both running edge.
*(from redmine: issue id 4727, created on 2015-10-03, closed on 2017-05-29)*
* Uploads:
* [ncmpcpp-0.6.7-r0.apk](/uploads/87201049d2666799240ca094bc4d0fff/ncmpcpp-0.6.7-r0.apk)
* [APKBUILD](/uploads/e8c4925b32e56c3aafc9ef7955f19e48/APKBUILD) ncmpcpp APKBUILD
* [log.sync](/uploads/edd0e1f054adc6f47dc8ef8156a4f55f/log.sync) abuild output with sync invocation
* [log](/uploads/56b46ce5862cd3a4e82248853aff4300/log) vanilla abuild outputNatanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/abuild/-/issues/77have abuild to sign the index and packages2019-07-14T07:17:06ZNatanael Copahave abuild to sign the index and packagesapk-tools supports package signing. We need to modify abuild to use the
new index format and sign index and packages.
*(from redmine: issue id 77, created on 2009-07-23, closed on 2009-08-04)*apk-tools supports package signing. We need to modify abuild to use the
new index format and sign index and packages.
*(from redmine: issue id 77, created on 2009-07-23, closed on 2009-08-04)*Natanael CopaNatanael Copa