GitLab

(cherry picked from commit ca368916)

Detect properly if the file stream gets an error during these
read operations.

Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit cd531aef3033475c26f29a1f650a3bf392cc2daa)

The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.

Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock

(cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)

It is unreasonable to assume that all package writers would except
to reset umask themselves. It's done currently in most packages,
but we had first issue of this kind recently, so better just reset
umask.

trigger it only if apk-tools can be upgrade, add test cases

print license with the --license option.

Make it possible to individually override openssl, zlib and libfetch
cflags and linker flags. This makes it possible to build apk-tools
without having pkg-config installed.

fixes #5656

it's only used to speed up things, and having it non-existant
is not a fatal error - all included things in index will be
passed in command line anyway

which will delete any .apk package on output directory that were
not downloaded by fetch

this allows apk fetch to incrementally build repositories for
binary images

don't overwrite the link_target if it was found from pax header.
ref #5076

- self-conflicts when the exact same version of a name is provided
  twice is now properly detected and diagnozed
- don't print redundant satisfies diagnostic

Implement --no-cache. The index is read directly from network and not
cached. This is useful for docker, where you install a set of packages
and directly after purge the cache. (see
https://github.com/gliderlabs/docker-alpine/blob/1fc9e59d1689fc4eaf930ec66389fe58062fccec/builder/scripts/apk-install)

fixes #4905

preserve [am]time for all packages and indexes. this fixes the caching
error that 'apk update' is after new index is generated, but before
the used mirror is synchronized. this caused local apkindex timestamp
to be newer than file in mirror, when in fact it was outdated index.

this also fixes fetched files to have build timestamp so that files
going to .iso or custom images have proper timestamps (rsync with
appropriate --modify-window now works)

fixes #4770

apk_name_foreach_matching() can matches each package via it's
main name and all it's provides. Print matched packages only once.

We need fall back to a splice buffer if posix_fallocate call fails due
to file being a device (eg tty) or a pipe. This fixes apk fetch --stdout.

ftruncate does not allocate it, and subsequent access to mmaped
file will result in SIGBUS. this fixes to properly report disk
full errors.

the problem is that var/lock is on root installs symlink to /run/lock
(on tmpfs) and does not exist if doing chroot() to that root. fixes
apk to work when chrooted to existing rootfs install.

fixes #4261