.editorconfig

+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = tab
+indent_size = 8
+
+[.gitlab-ci.yml]
+indent_style = space
+indent_size = 2

.gitignore

-build/
 src/apk
-src/apk-test
 src/apk.static
 src/help.h
-test/*.got
-test/repos.out
-test/repos.stamp
-test/test*.out
-test/test*.ok
 libfetch/*err.h
 *.a
 *.o

.gitlab-ci.yml

 stages:
-    - test
-    - build
-    - upload
-    - release
+  - test
+  - build
+  - upload
+  - release
 
 variables:
   PACKAGE_ENDPOINT: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/"
+  ALPINE_DEPS: "make gcc git scdoc musl-dev linux-headers openssl-dev zlib-dev lua5.3-dev lua5.3-lzlib cmocka-dev python3-dev"
+  ALPINE_STATIC_DEPS: "zlib-static openssl-libs-static"
 
-test-legacy:alpine:
-    image: alpine
-    stage: test
-    script:
-        - apk update
-        - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev lua5.3-dev lua5.3-lzlib zstd-dev
-        - make -j$(nproc) check
-    tags:
-        - docker-alpine
-        - x86_64
+.test:alpine:
+  stage: test
+  image:
+    name: alpine
+  script:
+    - apk add -u meson $ALPINE_DEPS $ALPINE_JOB_DEPS $ALPINE_STATIC_DEPS zstd-dev zstd-static
+    - meson setup --auto-features=enabled build
+    - ninja -C build
+    - meson setup build-static -Dc_link_args=-static -Ddefault_library=static -Dprefer_static=true
+    - ninja -C build-static src/apk
+    - meson test -C build
+  artifacts:
+    reports:
+      junit: build/**/*.junit.xml
 
-test:alpine:
-    image: alpine
-    stage: test
-    script:
-        - apk update
-        - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib meson zlib-static zstd-static openssl-libs-static
-        - meson setup build
-        - ninja -C build
-        - meson setup build-static -Dc_link_args=-static -Ddefault_library=static -Dprefer_static=true
-        - ninja -C build-static
-    tags:
-        - docker-alpine
-        - x86_64
+test:alpine:x86_64:
+  extends: .test:alpine
+  variables:
+    ALPINE_JOB_DEPS: "shellcheck"
+  tags:
+    - docker-alpine
+    - x86_64
+
+test:alpine:x86:
+  extends: .test:alpine
+  image:
+    entrypoint: ["linux32", "sh", "-c"]
+    docker:
+      platform: linux/i386
+  tags:
+    - docker-alpine
+    - x86
 
 test:alpine-alt-config:
-    image: alpine
-    stage: test
-    script:
-        - apk update
-        - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev lua5.3-dev lua5.3-lzlib meson
-        - meson setup build -Durl_backend=wget -Dzstd=false
-        - ninja -C build
-    tags:
-        - docker-alpine
-        - x86_64
+  image: alpine
+  stage: test
+  script:
+    - apk add -u meson $ALPINE_DEPS
+    - meson setup build -Durl_backend=wget -Dzstd=false
+    - ninja -C build
+  tags:
+    - docker-alpine
+    - x86_64
 
 test:alpine-muon:
-    image: alpine:edge
-    stage: test
-    script:
-        - echo https://dl-cdn.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories
-        - apk update
-        - apk add gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib muon zlib-static zstd-static openssl-libs-static
-        - muon setup build
-        - ninja -C build
-        - muon setup -Dc_link_args="-static" -Dprefer_static=true -Ddefault_library=static build-static
-        - ninja -C build-static
-    tags:
-        - docker-alpine
-        - x86_64
+  image: alpine:edge
+  stage: test
+  script:
+    - echo https://dl-cdn.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories
+    - apk add -u muon $ALPINE_DEPS $ALPINE_STATIC_DEPS zstd-dev zstd-static
+    - muon setup build
+    - ninja -C build
+    - muon setup -Dc_link_args="-static" -Dprefer_static=true -Ddefault_library=static build-static
+    - ninja -C build-static src/apk
+  tags:
+    - docker-alpine
+    - x86_64
+
+test:alpine-legacy:
+  stage: test
+  image:
+    name: alpine
+  script:
+    - apk add -u $ALPINE_DEPS zstd-dev
+    - make -j$(nproc) check
+  tags:
+    - docker-alpine
+    - x86_64
 
 test:debian:
-    image: debian
-    stage: test
-    script:
-        - apt-get update
-        - apt-get install -y make gcc git libssl-dev zlib1g-dev libzstd-dev lua5.3-dev lua5.2 lua-zlib-dev sudo meson
-        - unlink /bin/sh
-        - ln -s /bin/bash /bin/sh
-        - meson setup build
-        - ninja -C build
-    tags:
-        - docker-alpine
-        - x86_64
+  image: debian
+  stage: test
+  script:
+    - apt-get update
+    - apt-get install -y make gcc git libssl-dev zlib1g-dev libzstd-dev lua5.3-dev lua5.2 lua-zlib-dev sudo meson
+    - unlink /bin/sh
+    - ln -s /bin/bash /bin/sh
+    - meson setup build
+    - ninja -C build
+  tags:
+    - docker-alpine
+    - x86_64
 
 build-static:
-    stage: build
-    image: alpinelinux/build-base:latest-$ARCH
-    script:
-        - abuild-apk add -u make gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib zlib-static zstd-static openssl-libs-static
-        - make -j$(nproc) static
-        - install -s -m0755 src/apk.static src/apk.static-$ARCH
-    parallel:
-      matrix:
-        - ARCH:
-            - x86_64
-            - x86
-            - armv7
-            - armhf
-            - aarch64
-            - s390x
-            - ppc64le
-            - riscv64
-    artifacts:
-      paths:
-        - src/apk.static-*
-    tags:
-      - docker-alpine
-      - $ARCH
+  stage: build
+  image: alpinelinux/build-base:latest-$ARCH
+  script:
+    - abuild-apk add -u $ALPINE_DEPS $ALPINE_STATIC_DEPS zstd-dev zstd-static
+    - make -j$(nproc) static
+    - install -s -m0755 src/apk.static src/apk.static-$ARCH
+  parallel:
+    matrix:
+      - ARCH:
+        - x86_64
+        - x86
+        - armv7
+        - armhf
+        - aarch64
+        - s390x
+        - ppc64le
+        - riscv64
+  artifacts:
+    paths:
+      - src/apk.static-*
+  tags:
+    - docker-alpine
+    - $ARCH
 
 make-release:
-    stage: release
-    image: registry.gitlab.com/gitlab-org/release-cli:latest
-    script:
-        - |-
-          apk add curl
-          for artifact in src/apk.static-*; do
-            ! [ -f "$artifact" ] && { echo "No artifacts found"; exit 1; }
-            ARCH=${artifact#*-}
-            echo "Uploading binary for $ARCH"
-            curl --fail -H "JOB-TOKEN: $CI_JOB_TOKEN" -T "$artifact" -o /dev/null ${PACKAGE_ENDPOINT}/$CI_COMMIT_TAG/$ARCH/apk.static
-          done
-        - echo "Making a release"
-    release:
-      name: $CI_COMMIT_TAG
-      description: "Release $CI_COMMIT_TAG"
-      tag_name: $CI_COMMIT_TAG
-      ref: $CI_COMMIT_TAG
-      assets:
-        links:
-          - name: apk.static (x86_64)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/x86_64/apk.static
-          - name: apk.static (x86)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/x86/apk.static
-          - name: apk.static (armv7)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/armv7/apk.static
-          - name: apk.static (armhf)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/armhf/apk.static
-          - name: apk.static (aarch64)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/aarch64/apk.static
-          - name: apk.static (s390x)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/s390x/apk.static
-          - name: apk.static (ppc64le)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/ppc64le/apk.static
-          - name: apk.static (riscv64)
-            url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/riscv64/apk.static
-    rules:
-        - if: $CI_COMMIT_TAG
-    tags:
-      - docker-alpine
-      - x86_64
+  stage: release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  script:
+    - |-
+      apk add curl
+      for artifact in src/apk.static-*; do
+        ! [ -f "$artifact" ] && { echo "No artifacts found"; exit 1; }
+        ARCH=${artifact#*-}
+        echo "Uploading binary for $ARCH"
+        curl --fail -H "JOB-TOKEN: $CI_JOB_TOKEN" -T "$artifact" -o /dev/null ${PACKAGE_ENDPOINT}/$CI_COMMIT_TAG/$ARCH/apk.static
+        done
+    - echo "Making a release"
+  release:
+    name: $CI_COMMIT_TAG
+    description: "Release $CI_COMMIT_TAG"
+    tag_name: $CI_COMMIT_TAG
+    ref: $CI_COMMIT_TAG
+    assets:
+      links:
+        - name: apk.static (x86_64)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/x86_64/apk.static
+        - name: apk.static (x86)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/x86/apk.static
+        - name: apk.static (armv7)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/armv7/apk.static
+        - name: apk.static (armhf)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/armhf/apk.static
+        - name: apk.static (aarch64)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/aarch64/apk.static
+        - name: apk.static (s390x)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/s390x/apk.static
+        - name: apk.static (ppc64le)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/ppc64le/apk.static
+        - name: apk.static (riscv64)
+          url: $PACKAGE_ENDPOINT/$CI_COMMIT_TAG/riscv64/apk.static
+  rules:
+    - if: $CI_COMMIT_TAG
+  tags:
+    - docker-alpine
+    - x86_64

Make.rules

@@ -35,7 +35,7 @@ else
   Q = @
 endif
 
-ifneq ($(findstring s,$(MAKEFLAGS)),)
+ifneq ($(findstring -s,$(MAKEFLAGS)),)
   quiet=silent_
 endif
 
@@ -60,6 +60,7 @@ export FULL_VERSION RCS_FIND_IGNORE
 ##
 # Utilities and default flags for them.
 
+PKG_CONFIG	:= pkg-config
 CROSS_COMPILE	?=
 CC		:= $(CROSS_COMPILE)gcc
 AR		:= $(CROSS_COMPILE)ar
@@ -69,6 +70,7 @@ SCDOC		:= scdoc
 SED		:= sed
 INSTALL		:= install
 INSTALLDIR	:= $(INSTALL) -d
+LUA		:= $(firstword $(wildcard /usr/bin/lua5.3 /usr/bin/lua5.2))
 
 CFLAGS		?= -g -O2
 CFLAGS_ALL	:= -Wall -Wstrict-prototypes -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -std=gnu11 -fPIC
@@ -77,7 +79,7 @@ CFLAGS_ALL	+= $(CFLAGS)
 LDFLAGS		?= -g
 LDFLAGS_ALL	+= $(LDFLAGS)
 
-export CC AR LD LN SCDOC SED INSTALL INSTALLDIR CFLAGS_ALL LDFLAGS_ALL
+export PKG_CONFIG CC AR LD LN SCDOC SED INSTALL INSTALLDIR LUA CFLAGS_ALL LDFLAGS_ALL
 
 build		:=
 

Makefile

@@ -5,8 +5,9 @@
 
 PACKAGE := apk-tools
 VERSION := $(shell ./get-version.sh "$(FULL_VERSION)" "$(VERSION)")
+SO_VERSION := $(shell cat VERSION | cut -d' ' -f1)
 
-export PACKAGE VERSION
+export PACKAGE VERSION SO_VERSION
 
 ##
 # Default directories
@@ -25,13 +26,22 @@ export DESTDIR SBINDIR LIBDIR CONFDIR MANDIR DOCDIR INCLUDEDIR PKGCONFIGDIR
 ##
 # Top-level subdirs
 
-subdirs		:= libfetch/ src/ doc/
+subdirs		:= libfetch/ src/ doc/ lua/
 
 ##
 # Include all rules and stuff
 
 include Make.rules
 
+##
+# Globals
+
+URL_BACKEND	?= libfetch
+CRYPTO		?= openssl
+export URL_BACKEND CRYPTO
+
+CFLAGS_ALL	+= -DCRYPTO_USE_$(shell echo $(CRYPTO) | tr '[:lower:]' '[:upper:]')
+
 ##
 # Top-level targets
 
@@ -39,8 +49,8 @@ install:
 	$(INSTALLDIR) $(DESTDIR)$(DOCDIR)
 	$(INSTALL) README.md $(DESTDIR)$(DOCDIR)
 
-check test: FORCE src/
-	$(Q)$(MAKE) TEST=y
+check test: FORCE
+	$(Q)$(MAKE) compile
 	$(Q)$(MAKE) -C test
 
 static:
@@ -52,3 +62,5 @@ tag: check
 	git tag -s v$${TAG_VERSION} -m "apk-tools-$${TAG_VERSION}"
 
 src/: libfetch/
+
+lua/: src/

VERSION

-3.0.0_pre2
+3.0.0_rc4

doc/Makefile

@@ -27,6 +27,8 @@ scdocs-y += \
 	apk-mkndx.8 \
 	apk-mkpkg.8 \
 	apk-policy.8 \
+	apk-protected_paths.5 \
+	apk-query.8 \
 	apk-stats.8 \
 	apk-update.8 \
 	apk-upgrade.8 \

doc/apk-adbdump.8.scd

@@ -6,25 +6,25 @@ apk adbdump - dump v3 files in textual representation
 
 # SYNOPSIS
 
-*apk adbdump* _files_...
+*apk adbdump* [<_options_>...] _files_...
 
 # DESCRIPTION
 
 *apk adbdump* will dump the metadata portion of given _files_ (packages,
 indexes, installeddb) to its textual representation.
 
-The output is YAML "like" (see BUGS) output which can be used to inspect
-the metadata. *apk adbgen*(8) can convert the textual representation back
-to the binary format.
+The output can be:
+	- yaml with annotations as comment
+	- json data blob
 
-# OPTIONS
-
-*apk adbdump* does not support any specific options. See *apk*(8) for global
-options.
+*apk-adbgen*(8) can convert the YAML textual representation back to
+the binary format with certain limitations (nested ADB and DATA blocks
+are not supported).
 
-# BUGS
+# OPTIONS
 
-YAML compliant quoting is not impemented correctly at this time.
+*--format* _FORMAT_
+	Specify the output format (options: *json*, *yaml*)
 
 # SEE ALSO
 

doc/apk-adbgen.8.scd

@@ -10,7 +10,7 @@ apk adbgen - generate v3 files from text representation
 
 # DESCRIPTION
 
-*apk adbgen* takes in *apk adbdump*(8) output and convert it back to the
+*apk adbgen* takes in *apk-adbdump*(8) output and convert it back to the
 corresponding binary format.
 
 # SEE ALSO

doc/apk-audit.8.scd

@@ -87,3 +87,7 @@ then the affected path or details. The changes detected are:
 
 *-r, --recursive*
 	Descend into directories and audit them as well.
+
+# SEE ALSO
+
+*apk-protected_paths*(5)

doc/apk-extract.8.scd

@@ -6,7 +6,7 @@ apk extract - Extract package file contents
 
 # SYNOPSIS
 
-*apk extract* [<_options_>...] _packages_...
+*apk extract* [<_options_>...] _files_...
 
 # DESCRIPTION
 

doc/apk-fetch.8.scd

@@ -27,6 +27,11 @@ specified.
 *-o, --output* _DIR_
 	Write the downloaded file(s) to _DIR_.
 
+*--pkgname-spec* _PKGNAME_SPEC_
+	Generate downloaded package names with _PKGNAME_SPEC_ specification.
+	Does not work with *--prune* unless the specification starts with
+	*${name}[-\_.]*.
+
 *-R, --recursive*
 	Fetch packages and all of their dependencies.
 

doc/apk-index.8.scd

@@ -11,7 +11,7 @@ apk index - create repository index file from packages
 # DESCRIPTION
 
 *apk index* creates a repository index from a list of package files. See
-*apk-repositories*(8) for more information on repository indicies.
+*apk-repositories*(5) for more information on repository indicies.
 
 Generally, the resulting index must be cryptographically signed before *apk*
 will accept it. See *abuild-sign*(1) for details.

doc/apk-info.8.scd

@@ -30,10 +30,12 @@ display the appropriate information, then an empty line terminates that field.
 *-d, --description*
 	Print the package description.
 
-*-e, --installed*
+*-e, --exists, --installed*
 	Check package installed status. For each installed package, print it's
 	name. The exit status is the number of given packages not installed.
 	Thus, zero (or success) is returned if all named packages are installed.
+	NOTE: *--installed* is deprecated and will be removed to allow
+	the same option in *query* group to function.
 
 *-L, --contents*
 	List files included in the package.

doc/apk-keys.5.scd

@@ -6,8 +6,16 @@ apk-keys(5)
 
 # DESCRIPTION
 
-The */etc/apk/keys* directory stores RSA public keys which are trusted by apk
-to verify cryptographic signatures for packages. To trust a new key, simply add
-the armored public key to this directory. See *abuild-keygen*(1) for
-information on generating new keys, *abuild-sign*(1) for using these keys to
-sign files, and *apk-verify*(8) for verifying keys against the apk trust store.
+The */etc/apk/keys* directory stores the public keys which are trusted by apk
+to verify cryptographic signatures for packages.
+
+To trust a new key, simply add the armored public key to this directory. The
+keys can be generated with *openssl*.
+
+The APKv2 packages require the filename of public key to match the signing
+key name in the package. APKv3 files are matched using the public key identity
+and filename is not signifcant.
+
+# SEE ALSO
+
+*abuild-keygen*(1), *abuild-sign*(1), *apk-adbsign*(8), *apk-verify*(8)

doc/apk-mkndx.8.scd

@@ -11,7 +11,7 @@ apk mkndx - create apkv3 repository index file from packages
 # DESCRIPTION
 
 *apk mkndx* creates a repository index from a list of package files. See
-*apk-repositories*(8) for more information on repository indicies.
+*apk-repositories*(5) for more information on repository indicies.
 
 # OPTIONS
 
@@ -20,6 +20,11 @@ apk mkndx - create apkv3 repository index file from packages
 	information based on the git commit SHA of aports HEAD at the time of
 	index generation.
 
+*--filter-spec* _PKGNAME_SPEC_
+	Filter previous index only. Each argument should be _PKGNAME_SPEC_ formatted
+	name of a package to include from the index. This can be used to create
+	a subset of existing index.
+
 *--hash* _HASH_
 	Use _HASH_ as the algorithm for apk v3 integrity. Currently supported:
 	- sha256 (default)
@@ -35,5 +40,30 @@ apk mkndx - create apkv3 repository index file from packages
 	Read an existing index from _INDEX_ to speed up the creation of the new
 	index by reusing data when possible.
 
-*--rewrite-arch* _ARCH_
-	Set all package's architecture to _ARCH_.
+*--pkgname-spec* _PKGNAME_SPEC_
+	Specify package name specification for downloading the packages.
+	APK will construct the download URL relative to index file by expanding
+	this specification with package specific values.
+
+	If the specification contains :// it is considered an absolute URL instead
+	of relative. This is not recommended for public repositories as using
+	absolute package name specification would prevent mirroring. However, this
+	is useful in build environment to create a subset of an index and have it
+	refer to packages in another repository.
+
+	If not specified, the default will be determined by *apk* at runtime based
+	on how the repository is referenced:
+	- ${arch}/${name}-${version}.apk if referenced by repository base path URL
+	- ${name}-${version}.apk if referenced by repository index file URL
+
+	Currently supported substitution variables are:
+	- name
+	- version
+	- arch
+	- hash
+
+	Additionally a prefix of the variable can used with syntax: *${name:4}*. This
+	truncates the substition to maximum of 4 characters.
+
+	The specification writer should ensure that the repository does not contain
+	multiple packages that would expand to same package filename.

doc/apk-package.5.scd

@@ -87,6 +87,9 @@ Unfortunately it is not possible to deduce if a given string is of format
 	uses the following default architectures:
 	- noarch
 	- aarch64
+	- arc700
+	- archs
+	- armeb
 	- armel
 	- armhf
 	- armv7
@@ -100,18 +103,19 @@ Unfortunately it is not possible to deduce if a given string is of format
 	- riscv32
 	- riscv64
 	- s390x
+	- sh2eb
+	- sh3
+	- sh4
 	- loongarchx32
 	- loongarch64
 	- x86
 	- x86_64
 
-	APK currently uses the architecture to construct the package download
-	URL from a repository base path.
+	The arch field can be part of the repository download URL. See
+	*apk-mkndx*(8) *--pkgname-spec* for additional details.
 
-	The APK does not currently validate package architecture against the
-	running system or the database's architecture. However, this will be
-	soon changed that APK will consider only compatible packages for
-	installation.
+	Package is not eligible for installation unless the arch matches
+	one of the values in *etc/apk/arch*.
 
 *license* (*license*, *L*)
 	Package license. This is informative field for the user and APK does
@@ -267,6 +271,13 @@ Unfortunately it is not possible to deduce if a given string is of format
 	removal) has modified content of that directory. When package is
 	being fixed or installed it will get list of all matching directories.
 
+	Trigger globs may start with *+*, which means that the path should
+	only be passed to the trigger script when the directory was modified
+	during the transaction. It does not affect whether the trigger is
+	invoked or not. Without the prefix, the path will also be passed
+	when present in the system and the package providing the trigger
+	script is updated or reinstalled.
+
 *replaces-priority*
 	If two packages both contain the same file, and they both have replaces
 	directive allow them to overwrite packages. This priority determines
@@ -274,4 +285,4 @@ Unfortunately it is not possible to deduce if a given string is of format
 
 # SEE ALSO
 
-*abuild*(1), *apk*(1), *apk-v2*(5), *apk-v3*(5)
+*abuild*(1), *apk*(8), *apk-v2*(5), *apk-v3*(5)

doc/apk-protected_paths.5.scd

+apk-protected_paths(5)
+
+# NAME
+
+*/etc/apk/protected_paths.d/\*.list* - paths with special treatement by apk
+
+# DESCRIPTION
+
+Files in _/etc/apk/protected_paths.d/\*.list_ enumerate files are protected and
+are not overwritten by *apk*(8). Generally, these are configuration files that
+are expected to be modified by the system administrator. These files also
+receive special treatment by *apk-audit*(8).
+
+If *apk*(8) would install a file into a protected path which has been modified,
+it shall intend write the file into a file with the _.apk-new_ suffix.
+
+For example, once the file _/etc/passwd_ is modified by the local administrator,
+*apk*(8) should not overwrite it when upgrading or fixing packages. Likewise,
+protected files modified by any automation (including post-install scripts) are
+not overwritten.
+
+*apk-audit(8)* shall report protected paths by default. When using
+*apk audit --system* or *apk audit --full*, protected files shall be omitted
+from the output. When  using *apk audit --backup*, matching files are always
+reported. This is in turn used by *lbu commit*.
+
+# FILE FORMAT
+
+Each line is a single rule composed of one symbol followed with a glob
+expression, which shall be evaluated relative to the root directory.
+
+The initial symbol must be one of:
+
+*+*
+	Protect matching paths only if the file's checksum does not match the
+	one in the apk database.
+
+*-*
+	Do not protect matching paths, even if it matched a previous rule.
+
+*@*
+	Protect matching paths only if they are symlinks which have been
+	modified.
+
+*!*
+	Protect matching path unconditionally.
+
+Lines starting with *#* and empty lines are ignored.
+
+# EXAMPLES
+
+```
+# This line is ignored; it is a comment.
++etc/
+@etc/init.d
+!etc/apk
+\-etc/ssl/certs/ca-cert-\*.pem
+```
+
+# CAVEATS
+
+If a file is modified, and its contents eventually become the same as what was
+originally installed by apk, the file is considered to have been unmodified.
+
+Wildcard patterns are not taken into account by *apk*(8) when creating
+*.apk-new* files instead of overwriting files.
+
+# SEE ALSO
+
+*apk*(8), *apk-audit*(8)

doc/apk-query.8.scd

+apk-query(8)
+
+# NAME
+
+apk query - query information about packages by various criteria
+
+# SYNOPSIS
+
+*apk query* [<_options_>...] _query_...
+
+*apk query* [<_options_>...] *--recursive* _constraints_...
+
+# DESCRIPTION
+
+*apk query* searches for matching packages from selected sources.
+
+In the default mode, _query_ specifiers are interpreted as follows:
+	*name{[<>~=]version}*
+		Select packages by *name* and optional *version* match.
+	*text*
+		Select packages by selected fields matching *text*.
+
+In the *--recursive* mode, the _constraints_ specify a lsit of dependencies
+to satisfy and the solver algorithm is used to determine a list of packages
+that fullfil these constraints.
+
+The query executes in the following steps:
+. Each _query_ string is executed independently to select candidate packages
+. If *--all-matches* is not specified, the best candidate for given term
+  is added to the list of result packages
+. The resulting package list is sorted
+
+# QUERY OPTIONS
+
+The applets supporting query specifiers recognize the following options:
+
+*--all-matches*
+	Select all matched packages. By default only best match for each query
+	element is selected.
+
+*--available*
+	Filter selection to available packages.
+
+*--fields* _FIELDS_
+	A comma separated list of fields to include in the output.
+
+*--format* _FORMATSPEC_
+	Specify output format from *default*, *yaml* or *json*. The *default*
+	format is human readable text output.
+
+*--from* _FROMSPEC_
+	Search packages from: *system* (all system sources), *repositories*
+	(exclude installed database), *installed* (exclude normal repositories)
+	or *none* (commandline repositories only).
+
+*--installed*
+	Filter selection to installed packages.
+
+*--match* _FIELDS_
+	A comma separated list of fields to match the query against.
+
+*--recursive*
+	Run solver algorithm with given _constraints_ to select packages.
+
+*--ugpradable*
+	Filter selection to upgradable packages.
+
+*--world*
+	Include *apk-world*(5) dependencies in constraints. Implies *--recursive*.
+
+*--oprhaned*
+	Filter selection to orphaned packages.
+
+# FIELDS
+
+The field names are all small letters for *--match* and *--fields* options
+and for the machine parseable output (json and yaml). For the human readable
+default format the fields are capilaized.
+
+The following package metadata fields are available:
+*name*, *version*, *description*, *arch*, *license*, *origin*, *maintainer*,
+*url*, *commit*, *build-time*, *installed-size*, *file-size*, *provider-priority*,
+*depends*, *provides*, *replaces*, *install-if*, *layer*, *triggers*, *scripts*,
+and *replaces-priority*.
+See *apk-package*(8) *package info metadata* and *package metadata* sections
+for the description of these fields.
+
+Additionally the following fields are available:
+
+*contents*
+	File names contained in a package.
+
+*download-url*
+	Full URL to download the package from.
+
+*owner*
+	Lookup owner package for given path name. (*--match* only)
+
+*package*
+	The package identifier in format *name*-*version* (e.g.
+	package-1.0-r0).
+
+*repositories*
+	List of repositories the package is available from.
+
+*status*
+	Status of an installed package. List of one or more of following
+	keywords:
+	- *installed*
+	- *broken-files*
+	- *broken-scripts*
+	- *broken-xattr*
+
+# EXAMPLES
+
+\# search all packages starting with apk++
+apk query "apk\*"
+
+\# show owner package of sensors executable in json++
+apk query --format json --match owner /usr/bin/sensors
+
+\# show apk-tools and its dependencies in yaml++
+apk query --format yaml --recursive apk-tools
+
+\# print source packages for all packages providing cmd:apk++
+apk query --match name,provides cmd:apk --fields origin
+
+\# print source packages with specific dependency name++
+apk query --match dependency so:libapk.so.2.14.9 --fields origin

doc/apk-repositories.5.scd

@@ -2,35 +2,111 @@ apk-repositories(5)
 
 # NAME
 
-*/etc/apk/repositories*, */etc/apk/repositories.d/\*.list* - list of package
-repositories
+*/etc/apk/repositories*++
+*/etc/apk/repositories.d/\*.list*++
+*/lib/apk/repositories.d/\*.list*++
+	list of package repositories
 
 # DESCRIPTION
 
-/etc/apk/repositories is the list of package repositories *apk*(8) uses to
-retrieve package files for installation. Each line of this file specifies the
-location of a package repository, and optionally a tag.
+*apk*(8) loads repository definitions from the above mentioned files.
 
-The location may be an _http://_, _https://_, or the path to a directory on
-the local filesystem. A tagged repository is prefixed with the *@tag* specifier,
-followed by a space and the repository location. For more information about
-repository tags, see *apk-world*(5).
+The *repositories* file is first loaded. The *repositories.d* paths are
+then processed if *--repositories-file* option was not used. The directories
+are enumerated in the above mentioned order. Once a *.list* file of given
+name is seen, any file of the same name in subsequent directories is ignored.
+
+# FILE FORMAT
+
+Each line follows one of the following syntax:
+
+*\# comment*
+	A comment line which is ignored.
+
+*set \[-default\] key=value*
+	Set the variable named *key* to given *value*.
+
+	The *key* is limited to letters, numbers and the underscore (\_) character,
+	and must start with a letter. The *APK_* prefixed variable names are
+	reserved for built-in variables and cannot be defined by the user.
+
+	A variable expansion is perfomered on the *value* before assignment.
+
+	If the option *-default* is specified, the *key* value is not changed
+	if it already exists.
+
+	Currently the following variables are defined:
+		- *APK_ARCH*, the primary architecture of the database
+
+*ndx \[@tag\] url*++
+*\[v2|v3\] \[@tag\] url \[component...\]*
+	If a repository declaration omits the type field it defaults to the type
+	defined in latest *default* command, or if absent, to *v2* (or *ndx* if *url*
+	ends with *.adb* or *.tar.gz*). If the format is *v3* or the *ndx* filename
+	ends with *.adb* a v3 format index file required.
+
+	The optional *@tag* can be present to indicate that the repository should
+	not be used by default. Refer to *apk-world*(5) on how to enable installation
+	of packages from tagged repositories.
+
+	A variable expansion is performed on the *url* and *component* portions
+	individually at the time of parsing the line.
+
+	The *url* refers to an index file or a repository path. Currently supported
+	schemes are:
+		- _http://_
+		- _https://_
+		- _file://_
+		- absolute filesystem path (must start with `/`)
+
+	The *component* list specifies a list of repository components. If specifies,
+	the line is expanded to multiple URLs: one for each component, and the *component*
+	is appended to the *url*. Specifying *component* with *ndx* type is not valid.
+
+# EXAMPLES
+
+To define a distribution provided repository list, the distribution can
+ship e.g */lib/apk/repositories.d/distribution.list* with the contents:
+
+	set -default distro_mirror=https://example.com/distro++
+v3 ${distro_mirror} main community
+
+In */etc/apk/repositories.d/00-vars.list* the mirror can be overridden with:
+
+	set distro_mirror=https://mirror.example.com/distro
 
 # REPOSITORY LAYOUT
 
-Each repository must store an index at *$repository/$arch/APKINDEX.tar.gz*. See
-*apk-index*(8) for information about generating this file. The packages
-themselves are stored at *$repository/$arch/$pkgname-$pkgver-r$pkgrel.apk*.
+If the *type* is *ndx*, the layout and path resolution is as follows:
+	- *url* is a URL to the index file
+	- *base_url* is *url* with last component stripped off
+	- default package path: *$base_url/$name-$version.apk*
+
+Otherwise the *type* is one of the repository types, and the path resolution
+works as follows:
+	- *url* is the *base_url* to the repository
+	- index (*v3*) is at *$base_url/$arch/Packages.adb*
+	- index (*v2*) is at *$base_url/$arch/APKINDEX.tar.gz*
+	- default package path: *$base_url/$arch/$name-$version.apk*
+
+If the index file has a *pkgname-spec* set, it is used to construct the package path.
+Otherwise the default package path based on above rules is used.
+
+# CREATING INDEXES AND REPOSITORIES
+
+See *apk-mkndx*(8) on how to create index files and *apk-adbsign*(8) on modifying
+signatures.
+
+For the legacy index format refer to *apk-index*(8) for index files, *abuild-keygen*(1)
+for information about generating keys, *abuild-sign*(1) for information about using
+these keys to sign files.
+
+*apk-verify*(8) can verify both new and old style index and package files.
 
-*apk*(8) verifies that each of these files has a valid cryptographic signature
-unless explicitly told not to via the *--allow-untrusted* flag. See
-*abuild-keygen*(1) for information about generating keys, *apk-keys*(5) to add
-keys to the list of trusted keys, *abuild-sign*(1) for information about using
-these keys to sign files, and *apk-verify*(8) for information about verifying
-those signatures.
+# CLIENT INDEX UPDATING
 
-# UPDATING INDICIES
+*apk*(8) fetches and stores the index for each repository at a local cache
+in */etc/apk/cache* or */var/cache/apk*. Refer to *apk-cache*(5) for more details.
 
-*apk*(8) fetches and stores the index for each package repository at
-*/var/cache/apk*. To fetch fresh indicies for all configured repositories, use
-*apk-update*(8).
+Refer to *apk-keys*(5) on how the client needs to be configured for verifying
+the index signatures.