1. 02 Nov, 2018 4 commits
  2. 30 Oct, 2018 1 commit
    • Timo Teräs's avatar
      fix xattr hash to be sha1 · f38d1f74
      Timo Teräs authored
      The hash type was accidentally changed in previous commit. Currently
      csum->data cannot hold longer hash, so fix the hash.
  3. 26 Oct, 2018 1 commit
  4. 05 Oct, 2018 1 commit
  5. 25 Sep, 2018 2 commits
  6. 11 Sep, 2018 1 commit
  7. 10 Sep, 2018 3 commits
    • Timo Teräs's avatar
      apk-tools-2.10.1 · 11bd821c
      Timo Teräs authored
    • Timo Teräs's avatar
      rework unpacking of packages and harden package file format requirements · 6484ed98
      Timo Teräs authored
      A crafted .apk file could to trick apk writing unverified data to
      an unexpected file during temporary file creation due to bugs in handling
      long link target name and the way a regular file is extracted.
      Several hardening steps are implemented to avoid this:
       - the temporary file is now always first unlinked (apk thus reserved
         all filenames .apk.* to be it's working files)
       - the temporary file is after that created with O_EXCL to avoid races
       - the temporary file is no longer directly the archive entry name
         and thus directly controlled by potentially untrusted data
       - long file names and link target names are now rejected
       - hard link targets are now more rigorously checked
       - various additional checks added for the extraction process to
         error out early in case of malformed (or old legacy) file
      Reported-by: default avatarMax Justicz <max@justi.cz>
    • Robert Hencke's avatar
      add .mailmap to consolidate git shortlog · b11f9aa9
      Robert Hencke authored
      Consolidate author information, so that tools like 'git shortlog' show
      a single entry for each author.
  8. 05 Sep, 2018 2 commits
  9. 21 Aug, 2018 1 commit
  10. 14 Aug, 2018 1 commit
  11. 18 Jul, 2018 1 commit
  12. 02 Jul, 2018 2 commits
    • Jussi Kukkonen's avatar
      Invalidate id cache after script execution · d609ef3c
      Jussi Kukkonen authored
      It's common for a pre-install script to do something like
          addgroup -S group 2>/dev/null
      When apk installs files after this, it sets the owner/group based on id cache
      but currently the id cache is stale and doesn't contain the new group at that
      point: instead the file will be installed with gid that the build host
      happened to have for that group -- on target this might mean a non-existing
      group or a completely different group.
      We can't know if the script really did modify id cache contents so make sure
      to reset the id cache on every script execution.
    • Sören Tempel's avatar
      list: fix segmentation fault with virtual packages · 5c4b90df
      Sören Tempel authored
      Virtual packages have the origin pointer set to NULL. Trying to print it
      using the BLOB_PRINTF macros causes a segmentation fault.
      Inspired by the `print_origin_name` function from `src/search.c` this
      commit attempts to fix it by checking whether `pkg->origin` is NULL
      before attempting to print it. If it is NULL the pkg name is printed
      Since printing the pkg name requires a different format string this
      commit splits the printf call for printing the package line into
      multiple ones. The output format shouldn't have changed at all though.
  13. 24 Jun, 2018 1 commit
  14. 14 Jun, 2018 3 commits
  15. 08 May, 2018 1 commit
  16. 05 Apr, 2018 1 commit
    • Timo Teräs's avatar
      db: fix refreshing index if time is zero · 258519b1
      Timo Teräs authored
      During netboot on systems without RTC, time() will be near zero,
      and the index fill not exist. Thus the plain test of st.st_mtime
      against system time failed. Verify that fstatat() succeeds.
  17. 21 Feb, 2018 1 commit
  18. 20 Feb, 2018 3 commits
  19. 09 Feb, 2018 1 commit
  20. 31 Jan, 2018 1 commit
    • A. Wilcox's avatar
      libfetch: support OpenSSL · 36f5cf8e
      A. Wilcox authored
      TLS_client_method is a LibreSSL extension.
      SSLv23_client_method is generic, and doesn't mean SSL v2/v3 only.
  21. 29 Jan, 2018 6 commits
  22. 28 Jan, 2018 1 commit
    • Ariadne Conill's avatar
      list: new applet · fff8bfa5
      Ariadne Conill authored
      The list applet provides a convenient way of inspecting both the available
      and installed package databases by listing their contents.  In some ways,
      it is similar to `apk search` but is considered to be a superset of
      `apk search` functionality.
      A few `apk list` criterion are not yet ready though, such as `apk list --depends`
      which searches by runtime dependency (replacing `apk info --rdepends`).
  23. 09 Jan, 2018 1 commit