.drone.yml

+---
+kind: pipeline
+name: v3.9-x86
+
+clone:
+  depth: 50
+
+platform:
+  os: linux
+  arch: amd64
+
+workspace:
+  base: /home/buildozer/drone
+  path: aports
+
+steps:
+  - name: build
+    image: alpinelinux/alpine-drone-ci:v3.9-x86
+    commands:
+      - linux32 build.sh
+    environment:
+      GH_TOKEN:
+        from_secret: github_token
+    pull: always
+
+trigger:
+  event:
+    - pull_request
+
+---
+kind: pipeline
+name: v3.9-x86_64
+
+clone:
+  depth: 50
+
+platform:
+  os: linux
+  arch: amd64
+
+workspace:
+  base: /home/buildozer/drone
+  path: aports
+
+steps:
+  - name: build
+    image: alpinelinux/alpine-drone-ci:v3.9-x86_64
+    commands:
+      - build.sh
+    environment:
+      GH_TOKEN:
+        from_secret: github_token
+    pull: always
+
+trigger:
+  event:
+    - pull_request
+
+---
+kind: pipeline
+name: v3.9-aarch64
+
+clone:
+  depth: 50
+
+platform:
+  os: linux
+  arch: arm64
+
+workspace:
+  base: /home/buildozer/drone
+  path: aports
+
+steps:
+  - name: build
+    image: alpinelinux/alpine-drone-ci:v3.9-aarch64
+    commands:
+      - build.sh
+    environment:
+      GH_TOKEN:
+        from_secret: github_token
+    pull: always
+
+trigger:
+  event:
+    - pull_request
+
+---
+kind: pipeline
+name: v3.9-armhf
+
+clone:
+  depth: 50
+
+platform:
+  os: linux
+  arch: arm
+
+workspace:
+  base: /home/buildozer/drone
+  path: aports
+
+steps:
+  - name: build
+    image: alpinelinux/alpine-drone-ci:v3.9-armhf
+    commands:
+      - build.sh
+    environment:
+      GH_TOKEN:
+        from_secret: github_token
+    pull: always
+
+trigger:
+  event:
+    - pull_request
+
+---
+kind: pipeline
+name: v3.9-armv7
+
+clone:
+  depth: 50
+
+platform:
+  os: linux
+  arch: arm
+
+workspace:
+  base: /home/buildozer/drone
+  path: aports
+
+steps:
+  - name: build
+    image: alpinelinux/alpine-drone-ci:v3.9-armv7
+    commands:
+      - build.sh
+    environment:
+      GH_TOKEN:
+        from_secret: github_token
+    pull: always
+
+trigger:
+  event:
+    - pull_request
+

community/alpine-make-rootfs/APKBUILD

 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 pkgname=alpine-make-rootfs
-pkgver=0.2.0
+pkgver=0.3.1
 pkgrel=0
 pkgdesc="Make customized Alpine Linux rootfs (base image) for containers"
 url="https://github.com/alpinelinux/alpine-make-rootfs"
@@ -17,4 +17,4 @@ package() {
 	make install DESTDIR="$pkgdir" PREFIX=/usr
 }
 
-sha512sums="8f500e11708eae1a856f77efcf6b183d7760576130082f1f2500d670f6ecdbac101b06a538d580a34890fb7c2a0d502b803796ca1a8eaf82ddfadfb43781618b  alpine-make-rootfs-0.2.0.tar.gz"
+sha512sums="7971ac0275e4d2e9bdc3ea29197b40a66e493bf9977249922418f06e1bd9434a62a4ffa0cc637839ae1837f2f8916535977e695cb959288213ce1fee90cc3b44  alpine-make-rootfs-0.3.1.tar.gz"

community/bareos/APKBUILD

@@ -3,7 +3,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=bareos
 pkgver=17.2.7
-pkgrel=0
+pkgrel=1
 pkgdesc="Bareos - Backup Archiving REcovery Open Sourced"
 url="http://www.bareos.org"
 arch="all"
@@ -22,6 +22,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/Re
 	$pkgname-sd.initd
 	$pkgname-fd.initd
 	path-mounted.patch
+	fix-bsmtp-segfault.patch
+	pthread-double-detach.patch
 	"
 builddir="$srcdir"/${pkgname}-Release-${pkgver}
 
@@ -127,4 +129,6 @@ sha512sums="254eddacb067ef7e82b7a54bdfcbffd5cfa033fa045f697c7e5b5c28dd064b5e1ce9
 eb1e7072b579bf9ae21f2e351d6900abb277db64e373f4760bac8188b82929376e4a196d2c935cefe1ae4cc2c396f2fcba1a25642b26e2f92a0d008fbdc4b5f2  bareos-dir.initd
 c770b1d041fafef93d4eb0269ba8d9733e85ef465657fe8dd5d5c68a27ec773cec9c5c582d4a16596d95bbf6dbd3f7194dc9c0d8ed73138e9fb438fba9aa9445  bareos-sd.initd
 c6347079dbcef5f4a69ec0c4ecc31803520d715d599d89c6bbfbb3741a86c50d7295c30432889b13ee9c16f2feaa84b1c6ae992cfee6505d569c6493d7e85a5b  bareos-fd.initd
-eac4614c1b29ff0f12061837e425ae495890076021b6d1b0f1beb93501cfb905170342dac5dab69b09f825d5b9416eea25fa02e2174b5a704315c7feb08ff3d3  path-mounted.patch"
+eac4614c1b29ff0f12061837e425ae495890076021b6d1b0f1beb93501cfb905170342dac5dab69b09f825d5b9416eea25fa02e2174b5a704315c7feb08ff3d3  path-mounted.patch
+0974ce1ad1a7acd834d75253fe1decdcf40fb1fc0a9248f848514fb201d8482af5319a91b3d0032ee91f6e034225a46ddd9c8058d7f86a514a261408c84f31d1  fix-bsmtp-segfault.patch
+1487e1294ade656e63877994d33621c8cc22258c8db7e95c2e1fdc16a0c5cf6ce77d6a232f46642fe5b3672c404a6f3a79628a983aa01dc4192882bda0e8c51e  pthread-double-detach.patch"

community/bareos/fix-bsmtp-segfault.patch

+Patch from Michael Cassaniti, posted here:
+https://bugs.alpinelinux.org/issues/10156#note-5
+Until this issue is fixed upstream this patch is needed.
+
+diff --git a/src/lib/jcr.c b/src/lib/jcr.c
+index 00bfe8c87..338f90e59 100644
+--- a/src/lib/jcr.c
++++ b/src/lib/jcr.c
+@@ -77,6 +77,7 @@ static pthread_mutex_t jcr_lock = PTHREAD_MUTEX_INITIALIZER;
+ static pthread_mutex_t job_start_mutex = PTHREAD_MUTEX_INITIALIZER;
+ static pthread_mutex_t last_jobs_mutex = PTHREAD_MUTEX_INITIALIZER;
+
++static bool jcr_initialized = false;
+ #ifdef HAVE_WIN32
+ static bool tsd_initialized = false;
+ static pthread_key_t jcr_key;         /* Pointer to jcr for each thread */
+@@ -351,6 +352,8 @@ static void create_jcr_key()
+       berrno be;
+       Jmsg1(NULL, M_ABORT, 0, _("pthread key create failed: ERR=%s\n"),
+             be.bstrerror(status));
++   } else {
++     jcr_initialized = true;
+    }
+ }
+
+@@ -719,7 +722,10 @@ void set_jcr_in_tsd(JCR *jcr)
+  */
+ JCR *get_jcr_from_tsd()
+ {
+-   JCR *jcr = (JCR *)pthread_getspecific(jcr_key);
++   JCR *jcr = (JCR *)INVALID_JCR;
++   if (jcr_initialized){
++     jcr = (JCR *)pthread_getspecific(jcr_key);
++   }
+
+    /*
+     * Set any INVALID_JCR to NULL which the rest of BAREOS understands
+@@ -736,7 +742,7 @@ JCR *get_jcr_from_tsd()
+  */
+ uint32_t get_jobid_from_tsd()
+ {
+-   JCR *jcr = (JCR *)pthread_getspecific(jcr_key);
++   JCR *jcr = get_jcr_from_tsd();
+    uint32_t JobId = 0;
+
+    if (jcr && jcr != INVALID_JCR) {

community/bareos/pthread-double-detach.patch

+This patch fixes a double pthread_detach(), which is undefined behaviour
+and leads to a segfault when running with musl libc.
+Until this issue is fixed upstream this patch is needed.
+
+--- a/src/dird/ua_server.c
++++ b/src/dird/ua_server.c
+@@ -73,7 +73,15 @@
+    UAContext *ua;
+    JCR *jcr;
+ 
+-   pthread_detach(pthread_self());
++   /* only detach if not yet detached */
++   int _detachstate;
++   pthread_attr_t _gattr;
++   pthread_getattr_np(pthread_self(), &_gattr);
++   pthread_attr_getdetachstate(&_gattr, &_detachstate);
++   pthread_attr_destroy(&_gattr);
++   if(_detachstate != PTHREAD_CREATE_DETACHED) {
++      pthread_detach(pthread_self());
++   }
+ 
+    jcr = new_control_jcr("-Console-", JT_CONSOLE);
+ 
+--- a/src/dird/job.c
++++ b/src/dird/job.c
+@@ -420,7 +420,16 @@
+ {
+    JCR *jcr = (JCR *)arg;
+ 
+-   pthread_detach(pthread_self());
++   /* only detach if not yet detached */
++   int _detachstate;
++   pthread_attr_t _gattr;
++   pthread_getattr_np(pthread_self(), &_gattr);
++   pthread_attr_getdetachstate(&_gattr, &_detachstate);
++   pthread_attr_destroy(&_gattr);
++   if(_detachstate != PTHREAD_CREATE_DETACHED) {
++      pthread_detach(pthread_self());
++   }
++
+    Dsm_check(100);
+ 
+    Dmsg0(200, "=====Start Job=========\n");

community/borgbackup/APKBUILD

@@ -2,7 +2,7 @@
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 pkgname=borgbackup
 pkgver=1.1.7
-pkgrel=1
+pkgrel=2
 pkgdesc="Deduplicating backup program"
 url="https://borgbackup.readthedocs.io/"
 arch="all"
@@ -10,7 +10,8 @@ license="BSD-3-Clause"
 depends="python3 py3-msgpack py3-zmq"
 makedepends="python3-dev lz4-dev acl-dev attr-dev openssl-dev linux-headers
 	py3-setuptools"
-source="https://github.com/$pkgname/borg/releases/download/$pkgver/$pkgname-$pkgver.tar.gz"
+source="https://github.com/$pkgname/borg/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
+        msgpack-fix.patch"
 
 build() {
 	cd "$builddir"
@@ -26,4 +27,5 @@ package() {
 	find . -name '*.h' -delete -o -name '*.c' -delete -o -name '*.pyx' -delete
 }
 
-sha512sums="586420b9cad7e731f2f1b8b05f3cd3dc606691c5a5ec307e887035d941ac5ac6d4c988783660969960a1221e4d9f2b865ee5558d4007ea7524632d0a50a8a402  borgbackup-1.1.7.tar.gz"
+sha512sums="586420b9cad7e731f2f1b8b05f3cd3dc606691c5a5ec307e887035d941ac5ac6d4c988783660969960a1221e4d9f2b865ee5558d4007ea7524632d0a50a8a402  borgbackup-1.1.7.tar.gz
+0b30850df11124c7d699867a88852dc2c49c7e3b4025f1d75a3b4404ca5801d73ab21260f86a7725bb3b19650c8c0ddea05569f5696cb68b3e45c8faf54a97b6  msgpack-fix.patch"

community/borgbackup/msgpack-fix.patch

+--- borgbackup-1.1.7/setup.py.original
++++ borgbackup-1.1.7/setup.py
+@@ -39,7 +39,9 @@
+     # we are rather picky about msgpack versions, because a good working msgpack is
+     # very important for borg, see https://github.com/borgbackup/borg/issues/3753
+     # best versions seem to be 0.4.6, 0.4.7, 0.4.8 and 0.5.6:
+-    'msgpack-python >=0.4.6, <=0.5.6, !=0.5.0, !=0.5.1, !=0.5.2, !=0.5.3, !=0.5.4, !=0.5.5',
++    'msgpack-python >=0.4.6, <=0.5.6, !=0.5.0, !=0.5.1, !=0.5.2, !=0.5.3, !=0.5.4, !=0.5.5;python_version <"3.4"',
++    'msgpack-python >=0.4.6, <0.5;python_version=="3.4"',
++    'msgpack >=0.5.6;python_version >="3.5"',
+     # if you can't satisfy the above requirement, these are versions that might
+     # also work ok, IF you make sure to use the COMPILED version of msgpack-python,
+     # NOT the PURE PYTHON fallback implementation: ==0.5.1, ==0.5.4

community/chromium/APKBUILD

 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=chromium
-pkgver=71.0.3578.98
-pkgrel=2
+pkgver=72.0.3626.121
+pkgrel=0
 pkgdesc="chromium web browser"
 url="http://www.chromium.org/"
-arch="x86_64" # aarch64 armhf armv7 temp disable because we need clang for arm
+arch="x86_64 armv7" # aarch64 temp disable due to build failure
 license="BSD"
 depends="xdg-utils"
 depends_dev=""
@@ -17,8 +17,6 @@ makedepends="$depends_dev
 	bsd-compat-headers
 	bzip2-dev
 	cairo-dev
-	clang
-	clang-dev
 	cups-dev
 	dbus-glib-dev
 	eudev-dev
@@ -89,7 +87,6 @@ source="https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn
 	google-api.keys
 
 	default-pthread-stacksize.patch
-	gn-bootstrap-remove-sysroot-related-options.patch
 	musl-fixes.patch
 	musl-fixes-breakpad.patch
 	musl-hacks.patch
@@ -103,18 +100,22 @@ source="https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn
 
 	chromium-use-alpine-target.patch
 	chromium-gcc-r1.patch
-	chromium-skia-harmony.patch
 	media-base.patch
 	musl-crashpad.patch
-	chromium-71-gcc-0.patch
+	musl-v8-fix-deadlock.patch
+	musl-v8-monotonic-pthread-cont_timedwait.patch
 	gcc8-alignof.patch
-	chromium-fix_harfbuzz_2.patch
-	chromium-enable-vaapi.patch
-	chromium-i686-vaapi-fpermissive.patch
+	gcc-fno-delete-null-pointer-checks.patch
+	gcc-arm.patch
+	musl-arm-limits.patch
 	"
 
 builddir="$srcdir"/$pkgname-$pkgver
 
+# secfixes:
+#   72.0.3626.121-r0:
+#     - CVE-2019-5786
+
 if [ -n "$DEBUG" ]; then
 	_buildtype=Debug
 	_is_debug=true
@@ -148,6 +149,7 @@ prepare() {
 		ffmpeg
 		flac
 		fontconfig
+		freetype
 		harfbuzz-ng
 		libdrm
 		libevent
@@ -173,6 +175,11 @@ prepare() {
 			-delete
 	done
 
+	# workaround missing files for arm
+	for i in safe_conversions_arm_impl.h safe_math_arm_impl.h; do
+		ln -s ../../../../base/numerics/$i tools/gn/base/numerics/$i
+	done
+
 	msg "Replacing gyp files"
 	python build/linux/unbundle/replace_gn_files.py --system-libraries \
 		${use_system}
@@ -193,8 +200,6 @@ build() {
 	##############################################################
 	eval "$(base64 -d < $srcdir/google-api.keys)"
 
-	local _ca=""
-
 	msg "Bootstrapping GN"
 	local _c=$(_gn_flags is_clang=false \
 		use_sysroot=false \
@@ -208,11 +213,12 @@ build() {
 	)
 
 	AR="ar" CC="${CC:-gcc}" CXX="${CXX:-g++}" LD="${CXX:-g++}" \
-		python tools/gn/bootstrap/bootstrap.py -s -v --gn-gen-args "$_c $_ca"
+		python tools/gn/bootstrap/bootstrap.py -s -v --gn-gen-args "$_c"
 
 	msg "Configuring build"
 	_c=$(_gn_flags \
 		clang_use_chrome_plugins=false \
+		closure_compile=false \
 		custom_toolchain=\"//build/toolchain/linux/unbundle:default\" \
 		enable_hangout_services_extension=true \
 		enable_nacl=false \
@@ -228,6 +234,7 @@ build() {
 		host_toolchain=\"//build/toolchain/linux/unbundle:default\" \
 		icu_use_data_file=true \
 		is_clang=false \
+		is_component_build=false \
 		is_debug=$_is_debug \
 		is_desktop_linux=true \
 		linux_use_bundled_binutils=false \
@@ -245,7 +252,6 @@ build() {
 		use_pulseaudio=false \
 		use_sysroot=false \
 		use_system_harfbuzz=true \
-		use_vaapi=true \
 	)
 
 	AR="ar" CC="${CC:-gcc}" CXX="${CXX:-g++}" LD="${CXX:-g++}" NM=/usr/bin/nm \
@@ -325,14 +331,13 @@ chromedriver() {
 	mv "$pkgdir"/usr/bin/chromedriver "$subpkgdir"/usr/bin
 }
 
-sha512sums="dbeb90e16c6c05422c1f43e8fe747d60dab49c1fffdd0f33824ca24429f3871bda649eb1e6402470d3d9bb701e47d55d2fff4f46530e3f43e72f516d1837aad6  chromium-71.0.3578.98.tar.xz
+sha512sums="0bbeba7fa662d92ad60fdb56b3a73b79fc40ecb1499bb3b9a50b78ab7900b7a4de83f271c1c299e386dc9f72bfb2cbf71f83a388c6e14e288ab42b2b673fce96  chromium-72.0.3626.121.tar.xz
 a3bb959c65944ae2fb765725cedcffd743a58bc0c2cd1f1999d15fe79801d00f3474b08b4ed7b48859ed921eb57093d0ad09d90f201d729ed9b8a419a591ed29  pstables-2.8.h
 b9a810416dd7a8ffc3a5ced85ad9acebda1665bd08a57eec7b189698cc5f74d2c3fd69044e20fcb83297a43214b2772a1312b2c6122ea0eb716abacf39524d60  chromium-launcher.sh
 f6d962b9e4c22dd42183df3db5d3202dab33eccecafb1bf63ca678147289581262db1e5e64cbe8f9c212beefb0a6717bb8d311e497f56b55fe95b8bab2db493f  chromium.conf
 e182c998a43d22d1c76a86c561619afd1fca8c2be668265ad5e2f81a3806f7a154272cc027a2f8b370fb69446892c69e5967a4be76082325c14245ee7915234c  chromium.desktop
 2d8237a940ea691bd10b08315429677a587f7ef9692a0cca53bfd066eae82998a6c71f402a8669e9de39f94d7f3280745d1628ea6eac5d76ca7116844d4e0dac  google-api.keys
 230d1819b9d644ebaa6e194e948d662add8d237a99cc3d6b0f8a2fc2b331b43a3cd0766746f1c76c1a114f1730b40504c532d0c40aafa8cbc45022663cbcc245  default-pthread-stacksize.patch
-1c7398a68ee01b9d61c1bb1a3e6dfcc88662da42b9012844040bd86e858228dc480c7f21d2c52829e9959e4a3f6e39b8c5cb22f8f7c8394322c8347d828b6625  gn-bootstrap-remove-sysroot-related-options.patch
 9cd1defffb55cd1290e82b233a623e962775e19f001b26ae8f74330f3467499fd16067d607ca8e2b0b9b8d8988cd7ea2af93df65d7cc3d9299b8bc2b472c712e  musl-fixes.patch
 90efbc89151c77f32434364dcbaabaf9d9a207f4a77f147cd51b3fe100832fbfb3a9fb665303a79a3d788e400f4f41890de202ccbb7bd1fc6252e33c6e74e429  musl-fixes-breakpad.patch
 0aa3176f1021332088740d6e4fe2eadbe375240df0690c8449426a42a674fdf58e8a1fda85ca527dc1b4451e964d54564283fd81e3b7df059f5bcfccb8e07e84  musl-hacks.patch
@@ -345,11 +350,11 @@ db7f676d3476820c29f234b1f8f17a74e82b72d67fc727c715307734fd238e3cb0f99d8b5320d45f
 1b8647ab4081ec27f142eb564841b603dbf4c41118502e43b061d06f8866ebd1418d676457ed9ee0dc0a759e0369a29219bea98e74f687ddcba5d4513ca460ba  secure_getenv.patch
 246c43a0ab557671119ebc4ecb292925ebfee25312fb50e739a179dc085d23b9623bec2d7baecdd37ebd9318f8770664f20c12de6383def74cd89b7845d149ce  chromium-use-alpine-target.patch
 6e2bcbed44786c6c0d3beda935269f30fdcdf07c400defa6bf73f8359a60b1d59cc2f80dbc106be651a535635995641321d9e524b18919d3975bd6008a641d59  chromium-gcc-r1.patch
-cbd99d51178fa5c2c3dee1eb4990240ca2ff829cee9151384e36bc3c634698c0ecaf9b51c99e901f38d0a37eef7187fe5ad39b9b7f528f7a9066a855a0c6e49f  chromium-skia-harmony.patch
 589a7acf149d44db081da2dd24a7769f2b9572a8cc64d2aad78577a64768d3b6fb2bfa02292b5260acd2c4a28c3ae9b82847ff901ce8a21baeca0b46dcda0ca9  media-base.patch
 05c1af43038f76014f5f8b605085310414242f2bfad0e3258ddb29a08e7f4307de31b2d551b0a291986cc7d5a01cf3a003ac864216877195bb4310fd33193f0f  musl-crashpad.patch
-74fcae35afd964e2dc09508325465ee0d2efd13b94941eaf6464da1f4b32a34b326cf2c290fffcfc930acefda51a64dfbc980527900849efb5a94922cc17bc20  chromium-71-gcc-0.patch
+2c22e0d56b2557bafc842043911ecd0f8f70589013aeb7d3e8c7c8a5622bdbfe1f249e7223991ebf6130c7a45c7771a02dcc096dd03c48e2559ea4741147cfce  musl-v8-fix-deadlock.patch
+6953e83d4034f7a016dd055fed152a8a448f741a4c4f7a8f3b03cc7a4589d3d3c03775f844d76d6d4478ac15c655fee0be7355f0d5062ddc7fa9f6ce4b011116  musl-v8-monotonic-pthread-cont_timedwait.patch
 9bfc532fd1e84e30362ac41fcd68253e17ee4cb5e986ceb5bb122e3235e4617e295ce9dddfdfbbd0b9d3e67267096152da2a19e3bb4bb9111c7fdb22fa398872  gcc8-alignof.patch
-4e6bfecdece829306b8c2ea2a4b6d9b0598f97e5b164e0f468e765ffa10cac6b9e57c8814b79eb1244a314d81e8954654111a2e1e056b2c450b369994337cb40  chromium-fix_harfbuzz_2.patch
-b0e61b4710a8e9009bd9c10722d902391b83c0400a48a6a40cc0e117ca4c1895732babe5baa078f5b3096b72d105fa2d1f4196f8d35c1ae94ff4d8d99d2a17f5  chromium-enable-vaapi.patch
-42d64d07215476295a35568e4492297a00b66205b5a41288a98b1663985fe1868e9595e961284dfbbd8b5846cc1b04e365ab89733270ffbc6967e3366571cf47  chromium-i686-vaapi-fpermissive.patch"
+bb0f3dc1ade429a398d487ae190a278948533398c4a1085aeb35ff57fefb90a1e598008ba839423ca0acd30ba4c992950f395dba3b9994d3c7187fe68b9a93d7  gcc-fno-delete-null-pointer-checks.patch
+9f4a555b98ca47063fd5a90d119686de09d5c8ecdec2ef936f42cf45d3ba012e91a6455d3d550b3c90da15ca9b085238afd442a21ce47bea571ff356b74620f8  gcc-arm.patch
+3bcffb36f28a01d8bb91f1c1ee1e327caebb1e139d4e8772ad15460ee69cb5ea3307a235dc83184a9e09b687882d9617f3a3ce1a7b07cbd6e11b0a5d6a6ace81  musl-arm-limits.patch"

community/chromium/chromium-71-gcc-0.patch

-From 65be571f6ac2f7942b4df9e50b24da517f829eec Mon Sep 17 00:00:00 2001
-From: Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
-Date: Mon, 15 Oct 2018 20:26:10 +0000
-Subject: [PATCH] google_util: Explicitly use std::initializer_list with
- base::NoDestructor
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Follow-up to ac53c5c53 ("Remove CR_DEFINE_STATIC_LOCAL from /components").
-Due to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84849, having
-base::NoDestructor<T<U>> and passing an initializer list of Us does not
-work if this is not done explicitly, as GCC incorrectly fails to determine
-which constructor overload to use:
-
-    ../../components/google/core/common/google_util.cc: In function ‘bool google_util::{anonymous}::IsCanonicalHostGoogleHostname(base::StringPiece, google_util::SubdomainPermission)’:
-    ../../components/google/core/common/google_util.cc:120:24: error: call of overloaded ‘NoDestructor(<brace-enclosed initializer list>)’ is ambiguous
-           {GOOGLE_TLD_LIST});
-
-See also: https://chromium-review.googlesource.com/c/chromium/src/+/1170905
-
-Bug: 819294
-Change-Id: Ie1490b6646d7998d636c485769caabf56c1cf44c
-Reviewed-on: https://chromium-review.googlesource.com/c/1275854
-Reviewed-by: Peter Kasting <pkasting@chromium.org>
-Commit-Queue: Raphael Kubo da Costa (CET) <raphael.kubo.da.costa@intel.com>
-Cr-Commit-Position: refs/heads/master@{#599733}
----
- components/google/core/common/google_util.cc | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/components/google/core/common/google_util.cc b/components/google/core/common/google_util.cc
-index a44c84393820..7733848a0443 100644
---- components/google/core/common/google_util.cc
-+++ components/google/core/common/google_util.cc
-@@ -117,7 +117,7 @@ bool IsCanonicalHostGoogleHostname(base::StringPiece canonical_host,
-   StripTrailingDot(&tld);
- 
-   static base::NoDestructor<std::set<std::string>> google_tlds(
--      {GOOGLE_TLD_LIST});
-+      std::initializer_list<std::string>({GOOGLE_TLD_LIST}));
-   return base::ContainsKey(*google_tlds, tld.as_string());
- }
- 
-@@ -132,7 +132,8 @@ bool IsGoogleSearchSubdomainUrl(const GURL& url) {
-   StripTrailingDot(&host);
- 
-   static base::NoDestructor<std::set<std::string>> google_subdomains(
--      {"ipv4.google.com", "ipv6.google.com"});
-+      std::initializer_list<std::string>(
-+          {"ipv4.google.com", "ipv6.google.com"}));
- 
-   return base::ContainsKey(*google_subdomains, host.as_string());
- }
--- 
-2.19.1
-

community/chromium/chromium-fix_harfbuzz_2.patch

-From 7ae38170a117e909bb28e1470842b68de3501197 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert <floppymaster@gmail.com>
-Date: Sun, 21 Oct 2018 10:06:53 -0400
-Subject: [PATCH] blink: add 'const' modifier for harfbuzz hb_codepoint_t
- pointers
-
-This resolves a build failure against harfbuzz 2.0.
-
-Based on a patch by Alexandre Fierreira.
-
-Bug: https://bugs.gentoo.org/669034
----
- .../renderer/platform/fonts/shaping/harfbuzz_face.cc     | 2 +-
- .../renderer/platform/fonts/skia/skia_text_metrics.cc    | 9 +++++++--
- .../renderer/platform/fonts/skia/skia_text_metrics.h     | 2 +-
- 3 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_face.cc b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_face.cc
-index 8e7d91ca371f..e279a5876cb3 100644
---- third_party/blink/renderer/platform/fonts/shaping/harfbuzz_face.cc
-+++ third_party/blink/renderer/platform/fonts/shaping/harfbuzz_face.cc
-@@ -139,7 +139,7 @@ static hb_position_t HarfBuzzGetGlyphHorizontalAdvance(hb_font_t* hb_font,
- static void HarfBuzzGetGlyphHorizontalAdvances(hb_font_t* font,
-                                                void* font_data,
-                                                unsigned count,
--                                               hb_codepoint_t* first_glyph,
-+                                               const hb_codepoint_t* first_glyph,
-                                                unsigned int glyph_stride,
-                                                hb_position_t* first_advance,
-                                                unsigned int advance_stride,
-diff --git a/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc b/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc
-index 77ec6209fab9..9f9070921448 100644
---- third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc
-+++ third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc
-@@ -18,6 +18,11 @@ T* advance_by_byte_size(T* p, unsigned byte_size) {
-   return reinterpret_cast<T*>(reinterpret_cast<uint8_t*>(p) + byte_size);
- }
- 
-+template <class T>
-+T* advance_by_byte_size_const(T* p, unsigned byte_size) {
-+  return reinterpret_cast<T*>(reinterpret_cast<const uint8_t*>(p) + byte_size);
-+}
-+
- }  // namespace
- 
- SkiaTextMetrics::SkiaTextMetrics(const SkPaint* paint) : paint_(paint) {
-@@ -39,7 +44,7 @@ void SkiaTextMetrics::GetGlyphWidthForHarfBuzz(hb_codepoint_t codepoint,
- }
- 
- void SkiaTextMetrics::GetGlyphWidthForHarfBuzz(unsigned count,
--                                               hb_codepoint_t* glyphs,
-+                                               const hb_codepoint_t* glyphs,
-                                                unsigned glyph_stride,
-                                                hb_position_t* advances,
-                                                unsigned advance_stride) {
-@@ -48,7 +53,7 @@ void SkiaTextMetrics::GetGlyphWidthForHarfBuzz(unsigned count,
-   // array that copy them to a regular array.
-   Vector<Glyph, 256> glyph_array(count);
-   for (unsigned i = 0; i < count;
--       i++, glyphs = advance_by_byte_size(glyphs, glyph_stride)) {
-+       i++, glyphs = advance_by_byte_size_const(glyphs, glyph_stride)) {
-     glyph_array[i] = *glyphs;
-   }
-   Vector<SkScalar, 256> sk_width_array(count);
-diff --git a/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.h b/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.h
-index 787d8af0375a..3bc4407c641b 100644
---- third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.h
-+++ third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.h
-@@ -19,7 +19,7 @@ class SkiaTextMetrics final {
- 
-   void GetGlyphWidthForHarfBuzz(hb_codepoint_t, hb_position_t* width);
-   void GetGlyphWidthForHarfBuzz(unsigned count,
--                                hb_codepoint_t* first_glyph,
-+                                const hb_codepoint_t* first_glyph,
-                                 unsigned glyph_stride,
-                                 hb_position_t* first_advance,
-                                 unsigned advance_stride);
--- 
-2.19.1
-

community/chromium/chromium-i686-vaapi-fpermissive.patch

---- media/gpu/vaapi/BUILD.gn.i686permissive	2018-11-29 09:27:02.405909871 -0500
-+++ media/gpu/vaapi/BUILD.gn	2018-11-29 09:29:50.648259696 -0500
-@@ -10,6 +10,11 @@ import("//ui/ozone/ozone.gni")
- 
- assert(use_vaapi)
- 
-+config("vaapi_permissive") {
-+  cflags = [ "-fpermissive" ]
-+}
-+
-+
- action("libva_generate_stubs") {
-   extra_header = "va_stub_header.fragment"
- 
-@@ -98,6 +103,8 @@ source_set("vaapi") {
-     "//third_party/libyuv",
-   ]
- 
-+  configs += [ ":vaapi_permissive" ]
-+
-   if (use_x11) {
-     configs += [ "//build/config/linux:x11" ]
-     deps += [ "//ui/gfx/x" ]

community/chromium/chromium-skia-harmony.patch

---- third_party/skia/src/ports/SkFontHost_FreeType.cpp.orig	2017-10-10 17:42:06.956950985 +0200
-+++ third_party/skia/src/ports/SkFontHost_FreeType.cpp	2017-10-10 17:46:05.824187787 +0200
-@@ -99,8 +99,6 @@
-     FreeTypeLibrary()
-         : fGetVarDesignCoordinates(nullptr)
-         , fLibrary(nullptr)
--        , fIsLCDSupported(false)
--        , fLCDExtra(0)
-     {
-         if (FT_New_Library(&gFTMemory, &fLibrary)) {
-             return;
-@@ -147,12 +145,7 @@
-         }
- #endif
- 
--        // Setup LCD filtering. This reduces color fringes for LCD smoothed glyphs.
--        // The default has changed over time, so this doesn't mean the same thing to all users.
--        if (FT_Library_SetLcdFilter(fLibrary, FT_LCD_FILTER_DEFAULT) == 0) {
--            fIsLCDSupported = true;
--            fLCDExtra = 2; //Using a filter adds one full pixel to each side.
--        }
-+        FT_Library_SetLcdFilter(fLibrary, FT_LCD_FILTER_DEFAULT);
-     }
-     ~FreeTypeLibrary() {
-         if (fLibrary) {
-@@ -161,8 +153,6 @@
-     }
- 
-     FT_Library library() { return fLibrary; }
--    bool isLCDSupported() { return fIsLCDSupported; }
--    int lcdExtra() { return fLCDExtra; }
- 
-     // FT_Get_{MM,Var}_{Blend,Design}_Coordinates were added in FreeType 2.7.1.
-     // Prior to this there was no way to get the coordinates out of the FT_Face.
-@@ -173,8 +163,6 @@
- 
- private:
-     FT_Library fLibrary;
--    bool fIsLCDSupported;
--    int fLCDExtra;
- 
-     // FT_Library_SetLcdFilterWeights was introduced in FreeType 2.4.0.
-     // The following platforms provide FreeType of at least 2.4.0.
-@@ -704,17 +692,6 @@
-         rec->fTextSize = SkIntToScalar(1 << 14);
-     }
- 
--    if (isLCD(*rec)) {
--        // TODO: re-work so that FreeType is set-up and selected by the SkFontMgr.
--        SkAutoMutexAcquire ama(gFTMutex);
--        ref_ft_library();
--        if (!gFTLibrary->isLCDSupported()) {
--            // If the runtime Freetype library doesn't support LCD, disable it here.
--            rec->fMaskFormat = SkMask::kA8_Format;
--        }
--        unref_ft_library();
--    }
--
-     SkPaint::Hinting h = rec->getHinting();
-     if (SkPaint::kFull_Hinting == h && !isLCD(*rec)) {
-         // collapse full->normal hinting if we're not doing LCD
-@@ -1115,11 +1092,11 @@
- void SkScalerContext_FreeType::updateGlyphIfLCD(SkGlyph* glyph) {
-     if (isLCD(fRec)) {
-         if (fLCDIsVert) {
--            glyph->fHeight += gFTLibrary->lcdExtra();
--            glyph->fTop -= gFTLibrary->lcdExtra() >> 1;
-+            glyph->fHeight += 2;
-+            glyph->fTop -= 1;
-         } else {
--            glyph->fWidth += gFTLibrary->lcdExtra();
--            glyph->fLeft -= gFTLibrary->lcdExtra() >> 1;
-+            glyph->fWidth += 2;
-+            glyph->fLeft -= 1;
-         }
-     }
- }

community/chromium/gcc-arm.patch

+diff --git a/third_party/zlib/BUILD.gn b/third_party/zlib/BUILD.gn
+index b44bda6..1d159d8 100644
+--- ./third_party/zlib/BUILD.gn
++++ ./third_party/zlib/BUILD.gn
+@@ -63,7 +63,7 @@ config("zlib_arm_crc32_config") {
+     #  - ChromeOS has wrapper scripts that are borking the compiler flags.
+     #  - Fuchsia just added a syscall for feature detection.
+     # TODO(cavalcantii): crbug.com/810125.
+-    if (!is_ios && !is_chromeos && !is_fuchsia) {
++    if (is_clang && !is_ios && !is_chromeos && !is_fuchsia) {
+       defines = [ "CRC32_ARMV8_CRC32" ]
+       if (is_android) {
+         defines += [ "ARMV8_OS_ANDROID" ]

community/chromium/gcc-fno-delete-null-pointer-checks.patch

+diff --git a/v8/BUILD.gn b/v8/BUILD.gn
+index 3c03942..870b1e6 100644
+--- ./v8/BUILD.gn
++++ ./v8/BUILD.gn
+@@ -577,6 +577,14 @@ config("toolchain") {
+     defines += [ "V8_ANDROID_LOG_STDOUT" ]
+   }
+ 
++  if (!is_win && !is_clang) {
++    # GCC 6+ can optimize away pointer comparisons to null. This is
++    # problematic as V8 encodes Values through tagged pointers and comparisons
++    # with 0 are actually necessary in many cases. As a temporary Workaround
++    # we disable this optimization. See: https://crbug.com/v8/3782
++    cflags += [ "-fno-delete-null-pointer-checks" ]
++  }
++
+   # TODO(jochen): Support v8_enable_prof on Windows.
+   # TODO(jochen): Add support for compiling with simulators.
+ 

community/chromium/gn-bootstrap-remove-sysroot-related-options.patch

-See: https://chromium.googlesource.com/chromium/src/tools/gn/+/6630c2e334d7bc179e95a3d543a8eca3201d6725%5E%21/#F0
-diff --git a/bootstrap/bootstrap.py b/bootstrap/bootstrap.py
-index 261fddd..1945852 100755
---- tools/gn/bootstrap/bootstrap.py
-+++ tools/gn/bootstrap/bootstrap.py
-@@ -46,10 +46,6 @@
-       '--build-path',
-       help='The directory in which to build gn, '
-       'relative to the src directory. (eg. out/Release)')
--  parser.add_option(
--      '--with-sysroot',
--      action='store_true',
--      help='Download and build with the Debian sysroot.')
-   parser.add_option('-v', '--verbose', help='ignored')
-   parser.add_option(
-       '--skip-generate-buildfiles',
-@@ -76,8 +72,6 @@
-       '--no-last-commit-position',
-       '--out-path=' + gn_build_dir,
-   ]
--  if not options.with_sysroot:
--    cmd.append('--no-sysroot')
-   if options.debug:
-     cmd.append('--debug')
-   subprocess.check_call(cmd)

community/chromium/musl-arm-limits.patch

+diff --git a/third_party/crashpad/crashpad/snapshot/linux/cpu_context_linux.cc b/third_party/crashpad/crashpad/snapshot/linux/cpu_context_linux.cc
+index 6ba52a8..0c7a9f9 100644
+--- ./third_party/crashpad/crashpad/snapshot/linux/cpu_context_linux.cc
++++ ./third_party/crashpad/crashpad/snapshot/linux/cpu_context_linux.cc
+@@ -14,6 +14,7 @@
+ 
+ #include "snapshot/linux/cpu_context_linux.h"
+ 
++#include <limits>
+ #include <stddef.h>
+ #include <string.h>
+ 

community/chromium/musl-v8-fix-deadlock.patch

+Release the mutex before mess with the stack guard
+
+Upstream report: https://bugs.chromium.org/p/v8/issues/detail?id=8881
+
+diff --git a/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc b/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
+index 09226e1..29a1871 100644
+--- ./v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
++++ ./v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
+@@ -132,8 +132,10 @@ void OptimizingCompileDispatcher::CompileNext(OptimizedCompilationJob* job) {
+   // The function may have already been optimized by OSR.  Simply continue.
+   // Use a mutex to make sure that functions marked for install
+   // are always also queued.
+-  base::MutexGuard access_output_queue_(&output_queue_mutex_);
+-  output_queue_.push(job);
++  {
++    base::MutexGuard access_output_queue_(&output_queue_mutex_);
++    output_queue_.push(job);
++  }
+   isolate_->stack_guard()->RequestInstallCode();
+ }
+ 

community/chromium/musl-v8-monotonic-pthread-cont_timedwait.patch

+Use monotonic clock for pthread_cond_timedwait with musl too.
+
+diff --git a/v8/src/base/platform/condition-variable.cc b/v8/src/base/platform/condition-variable.cc
+index 5ea7083..c13027e 100644
+--- ./v8/src/base/platform/condition-variable.cc
++++ ./v8/src/base/platform/condition-variable.cc
+@@ -16,7 +16,7 @@ namespace base {
+ 
+ ConditionVariable::ConditionVariable() {
+ #if (V8_OS_FREEBSD || V8_OS_NETBSD || V8_OS_OPENBSD || \
+-     (V8_OS_LINUX && V8_LIBC_GLIBC))
++     V8_OS_LINUX)
+   // On Free/Net/OpenBSD and Linux with glibc we can change the time
+   // source for pthread_cond_timedwait() to use the monotonic clock.
+   pthread_condattr_t attr;
+@@ -92,7 +92,7 @@ bool ConditionVariable::WaitFor(Mutex* mutex, const TimeDelta& rel_time) {
+       &native_handle_, &mutex->native_handle(), &ts);
+ #else
+ #if (V8_OS_FREEBSD || V8_OS_NETBSD || V8_OS_OPENBSD || \
+-     (V8_OS_LINUX && V8_LIBC_GLIBC))
++     V8_OS_LINUX)
+   // On Free/Net/OpenBSD and Linux with glibc we can change the time
+   // source for pthread_cond_timedwait() to use the monotonic clock.
+   result = clock_gettime(CLOCK_MONOTONIC, &ts);

community/containerd/APKBUILD

@@ -4,8 +4,8 @@
 pkgname=containerd
 
 # NOTE: containerd's Makefile tries to get REVISION from git, but we're building from a tarball.
-_commit=9754871865f7fe2f4e74d43e2fc7ccd237edcbce
-pkgver=1.2.2
+_commit=85f6aa58b8a3170aec9824568f7a31832878b603
+pkgver=1.2.7
 pkgrel=0
 pkgdesc="An open and reliable container runtime"
 url="https://containerd.io"
@@ -17,6 +17,10 @@ subpackages="$pkgname-doc"
 source="containerd-$pkgver.tar.gz::https://github.com/containerd/containerd/archive/v$pkgver.tar.gz"
 builddir="$srcdir/src/github.com/containerd/containerd"
 
+# secfixes:
+#   1.2.6:
+#     - CVE-2019-9946
+
 build() {
 	cd "$srcdir"
 	export GOPATH="$PWD"
@@ -42,4 +46,4 @@ package() {
 	install -Dm644 "$builddir"/man/*.5 "$pkgdir"/usr/share/man/man5/
 }
 
-sha512sums="0fdd8799c5afb75074b6f00d5191e983ff570b323242665055c73b2e7a6bdd74a745e287f4f7b675dde26e8bf083c144104151e794ad24d2a8f6f39ae2ee6fff  containerd-1.2.2.tar.gz"
+sha512sums="b96ca236d28933c1bf309fc7204af7d2c356e19af394d5c2274a178c8f15298faf6ca9bb8e7d04acb7c3c9c41035446643a8df0103017f7ed0320bfc37cb8ca9  containerd-1.2.7.tar.gz"

community/docker/APKBUILD

+# Contributor: Eivind Uggedal <eu@eju.no>
 # Contributor: Jake Buchholz <tomalok@gmail.com>
 # Maintainer: Jake Buchholz <tomalok@gmail.com>
-
 pkgname=docker
-pkgver=18.09.1
-_gitcommit=4c52b901c6cb019f7552cd93055f9688c6538be4	# https://github.com/docker/docker-ce/commits/v$pkgver
+pkgver=18.09.8
+_gitcommit=0dd43dd87fd530113bf44c9bba9ad8b20ce4637f	# https://github.com/docker/docker-ce/commits/v$pkgver
 _ver=${pkgver/_/-}-ce
 pkgrel=0
 pkgdesc="Pack, ship and run any application as a lightweight container"
@@ -11,13 +11,20 @@ url="http://www.docker.io/"
 arch="all"
 license="Apache-2.0"
 depends="ca-certificates containerd iptables tini-static"
-makedepends="go go-md2man btrfs-progs-dev bash linux-headers coreutils lvm2-dev libtool"
+makedepends="go go-md2man btrfs-progs-dev bash linux-headers coreutils lvm2-dev libtool
+	libseccomp-dev"
 install="$pkgname.pre-install"
 
-# https://github.com/docker/docker-ce/blob/v$pkgver/components/engine/hack/dockerfile/install/proxy.installer
-_libnetwork_ver=2cfbf9b1f98162a55829a21cc603c76072a75382
+# from https://github.com/docker/docker-ce/blob/v$pkgver/components/engine/vendor.conf
+_libnetwork_ver=e7933d41e7b206756115aa9df5e0599fc5169742
 _cobra_ver="0.0.3"
 
+# secfixes:
+#   18.09.8:
+#     - CVE-2019-13509
+#   18.09.7:
+#     - CVE-2018-15664
+
 subpackages="
 	$pkgname-bash-completion:bashcomp:noarch
 	$pkgname-fish-completion:fishcomp:noarch
@@ -38,7 +45,7 @@ source="
 _dockerdir="$srcdir"/docker-$_ver
 _cli_builddir="$_dockerdir"/components/cli
 _daemon_builddir="$_dockerdir"/components/engine
-_buildtags=""
+_buildtags="seccomp"
 
 _libnetwork_builddir="$srcdir"/libnetwork-$_libnetwork_ver
 
@@ -187,8 +194,8 @@ vim() {
 	done
 }
 
-sha512sums="9813d3bd41eff63a089495a976226b93d5d43544530aea0ebce78b96e6b4b38389fe3ad1117f1ca95c38727047a24211ad2c2b44217935c26ffb5496cf90407e  docker-18.09.1.tar.gz
-9256eedc6ed530506e4e61673a9f45397274093dd61105097d5c650796f0afebc8ad7c550d2dc3cacf94426e3872a2b764906bca46fc907a21b865314c8927d4  libnetwork-2cfbf9b1f98162a55829a21cc603c76072a75382.tar.gz
+sha512sums="34cf91da732ebbde88f0c8cd39664130e6bd344b18d4643715a00e1c4062d0838a37650a8ee68fb371abd8f01910c7bdce1237af74a49cd63b5ed5382eaf00ed  docker-18.09.8.tar.gz
+0a833510df0029999bfc05c23445a58a8b2ff165c0fb2fd5c411498d1e89b5b1990d2778b32346dd2b6d61c166ff707c6277a5d1937db6345c77d3825eb59875  libnetwork-e7933d41e7b206756115aa9df5e0599fc5169742.tar.gz
 c38db9432a168f913b41a1e1b11d84bedfade82ff70791be9d343a6cc86b8a05b18bae344d67ebd8bae4c98662db7ac664a9dc86fa9b9ad4aa5c96cbf0178efb  cobra-0.0.3.tar.gz
 33155a79799cc6c0520a030e1a9bdba60441776d612e5e255574b23bbce1c7a8e5d868284b05a8a92704be6bbb7db905388564e867986a705acbe4884ac58584  docker-openrc-fixes.patch
 9b24dc0c50904c3d12bb04c1a7df169651043ddbc258018647010a5aa01d8a19ad54d10ca79dce6d6283c81f4fa0cc8de417f6180dd824c5a588b22b23546cb5  docker-openrc-busybox-ash.patch"

community/drupal7/APKBUILD

 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Andy Postnikov <apostnikov@gmail.com>
 pkgname=drupal7
-pkgver=7.63
+pkgver=7.67
 pkgrel=0
 pkgdesc="An open source content management platform"
 url="https://www.drupal.org/"
@@ -36,6 +36,9 @@ builddir="$srcdir/drupal-$pkgver"
 options="!check" # This package not have testsuite
 
 # secfixes:
+#   7.67-r0:
+#     - CVE-2019-11831
+#     - CVE-2019-11358
 #   7.62-r0:
 #     - CVE-2018-1000888
 #   7.59-r0:
@@ -78,4 +81,4 @@ package() {
 		"$pkgdir"/var/lib/$pkgname/sites/default/files
 }
 
-sha512sums="e601732590a0b6d63d15d4d73e9531576592092dda986d965ff4d466069f21fc0adcd004798547b14dc528546ddcb5bb089a7cb1919b89f94339888858f12dd1  drupal-7.63.tar.gz"
+sha512sums="0e4f60010b1395183cea19424e8c2849f93fb7285a081bf7d0c774b8e82f403083533059f58c3831950cc06dfa8117d443db52b66a521301ceac10b1b333aa28  drupal-7.67.tar.gz"

community/elasticsearch/APKBUILD

 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 pkgname=elasticsearch
-pkgver=6.4.1
-pkgrel=2
+pkgver=6.4.3
+pkgrel=0
 pkgdesc="Open Source, Distributed, RESTful Search Engine"
 url="https://www.elastic.co/products/elasticsearch"
 arch="x86 x86_64 ppc64le"
@@ -114,7 +114,7 @@ _x_pack() {
 	rm -rf "$subpkgdir"/$_basedir/modules/x-pack-ml
 }
 
-sha512sums="a023a6db5554dee6f10718dfa297aa06a735c7857542c2db80fa5c2b86ff4bf405bb8167578c5b60741ad05ed96a64b54bc71d128a0ff955468b0449588b053c  elasticsearch-6.4.1.tar.gz
+sha512sums="2f48720fd1644b1d0f103ca93bd19632c2a12bd3c94434ddf58bc692cb0b23631222f8d23cc0d0e85e271e11099fe0fc8aedf402906b76845ad680eb592f8987  elasticsearch-6.4.3.tar.gz
 24d17bdfad1d4e53a3568c77e14a712ab0cd17144eb95b2bdf659466dbe5cf48d1ac48285c644c0bf1dc7f309012ccb99956fcd5134e6ac85651c94bee8b5add  elasticsearch.initd
 2ab1baf1b5c8782f3f371ba221aadd3e841abc62175f0b1ddcfc68d711e2370465124e076f8cc2e549c25a1da9db8c90172b2f410bd6bbe4153f0e831620b6ba  elasticsearch.confd
 450879a8ab49c4debac3f8ed484918d48428cabf300b8196db785930a9bc56ce8a153b8d4c91655cfbe9ff50bb978b3c0f87eef99ed36213463f206b68d06590  elasticsearch.logrotated

community/exim/APKBUILD

@@ -5,10 +5,10 @@
 # Contributor: Jesse Young <jlyo@jlyo.org>
 # Maintainer: Jesse Young <jlyo@jlyo.org>
 pkgname=exim
-pkgver=4.91
-pkgrel=3
+pkgver=4.92.2
+pkgrel=0
 pkgdesc="Message Transfer Agent"
-url="https://www.exim.org"
+url="https://www.exim.org/"
 arch="all"
 license="GPL-2.0-or-later"
 options="!check suid"
@@ -30,6 +30,12 @@ source="https://ftp.exim.org/pub/exim/exim4/$pkgname-$pkgver.tar.xz
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   4.92.2-r0:
+#     - CVE-2019-15846
+#   4.92.1-r0:
+#     - CVE-2019-13917
+#   4.92-r0:
+#     - CVE-2019-10149
 #   4.91-r0:
 #     - CVE-2018-6789
 #   4.89-r5:
@@ -115,8 +121,8 @@ cdb() { _mv_ext cdb; }
 dbmdb() { _mv_ext dbmdb; }
 dnsdb() { _mv_ext dnsdb; }
 
-sha512sums="35b34dda8dd0f27c0429e6eb8409756ecd3cf9e535bac421d696b1560db0ff3bf4cd0e4a00bc0b7e32137d31bb5de20776c7c1830ec125aa36b5c4376b0c71a2  exim-4.91.tar.xz
-517447ac989a8de27cca74d544bdbeed6667442d1a229efaaef0a2b2878afb754602ece7c5e9983778224cc052f6d38209a65ef95712a16309d7b72c0e277fa8  bounce-charset.patch
+sha512sums="d27aca4d4e9df267b0afcbe7b3f74c9ca6e96e7e6eb4d2f86ff00b0e2234eaec90271405eb387a36a2e0d4ec5597b2920753f85318a5618ddbc8af475a7d81cd  exim-4.92.2.tar.xz
+691df92954f015711398350963ea321d143127bc731a985bcacc5364c71b6df84b6c21a2e8dc3cc2048fcd3dd02def3dc8015f4d84dd672f23d5a41348e72dc7  bounce-charset.patch
 f764a09ac7b6dfa34a5cd8bf5ad8b5fea355ac3b21a14f7218c84804bce420c6212cbebd2811fa40b0034dba626f0c9b293de77dbd634432edd31b237003515e  exim.Makefile
 bb6f5ead067af19ace661cc92bcd428da97570aedd1f9dc5b61a34e7e3fb3e028be6c96d51df73353bdfcaf69a3ee053fb03d245f868d63ebf518aa96ec82d66  exim.confd
 3769e74a54566362bcdf57c45fbf7d130d7a7529fbc40befce431eef0387df117c71a5b57779c507e30d5b125913b5f26c9d16b17995521a1d94997be6dc3e02  exim.initd

community/exim/bounce-charset.patch

---- a/src/deliver.c	2018-04-15 02:18:10.000000000 +0300
-+++ b/src/deliver.c	2018-06-15 14:01:58.196926447 +0300
-@@ -7291,7 +7291,7 @@
+--- a/src/deliver.c
++++ b/src/deliver.c
+@@ -7373,7 +7373,7 @@
  	"MIME-Version: 1.0\n\n"
  
  	"--%s\n"
@@ -9,16 +9,16 @@
  
  	"This message was created automatically by mail delivery software.\n"
  	" ----- The following addresses had successful delivery notifications -----\n",
-@@ -7560,7 +7560,7 @@
+@@ -7644,7 +7644,7 @@
  
        /* output human readable part as text/plain section */
-       fprintf(f, "--%s\n"
+       fprintf(fp, "--%s\n"
 -	  "Content-type: text/plain; charset=us-ascii\n\n",
 +	  "Content-type: text/plain; charset=utf-8\n\n",
  	bound);
  
        if ((emf_text = next_emf(emf, US"intro")))
-@@ -8163,7 +8163,7 @@
+@@ -8252,7 +8252,7 @@
  
          /* output human readable part as text/plain section */
          fprintf(f, "--%s\n"

community/ffmpeg/APKBUILD

@@ -3,10 +3,10 @@
 # Contributor: Jakub Skrzypnik <j.skrzypnik@openmailbox.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ffmpeg
-pkgver=4.0.2
+pkgver=4.0.4
 pkgrel=0
 pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
-url="http://ffmpeg.org/"
+url="https://ffmpeg.org/"
 arch="all"
 license="GPL"
 options="!check" # tests/data/hls-lists.append.m3u8 fails
@@ -22,6 +22,11 @@ source="https://ffmpeg.org/releases/ffmpeg-$pkgver.tar.xz
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   4.0.4-r0:
+#     - CVE-2018-15822
+#     - CVE-2019-9718
+#     - CVE-2019-9721
+#     - CVE-2019-11339
 #   3.4.4-r0:
 #     - CVE-2018-14395
 #   3.4.3-r0:
@@ -112,5 +117,5 @@ libs() {
 	mv "$pkgdir"/usr/lib "$subpkgdir"/usr
 }
 
-sha512sums="2dc2b8c66d9c31b6d06da5da336ef45415e3c24fac8c9063cd47f7d4cf688ec4846f88cdd9e841b956cea81e56bb3c6b7655aef503400c7367c32910c28990ac  ffmpeg-4.0.2.tar.xz
+sha512sums="b7f66f5b38df4114f96fd85e42c6a42cb9673d4ca042d6775d1b64b7966cc9833e01bfa83e429e2cff8f2ecdd7dea44ede135aca75c31a7ed706e7384657196c  ffmpeg-4.0.4.tar.xz
 32652e18d4eb231a2e32ad1cacffdf33264aac9d459e0e2e6dd91484fced4e1ca5a62886057b1f0b4b1589c014bbe793d17c78adbaffec195f9a75733b5b18cb  0001-libavutil-clean-up-unused-FF_SYMVER-macro.patch"

community/firefox-esr/APKBUILD

+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=firefox-esr
-pkgver=60.4.0
-pkgrel=1
+pkgver=60.9.0
+pkgrel=0
 pkgdesc="Firefox web browser - Extended Support Release"
 url="https://www.mozilla.org/en-US/firefox/organizations/"
 # limited by rust and cargo
@@ -60,7 +61,6 @@ source="https://ftp.mozilla.org/pub/firefox/releases/${pkgver}esr/source/firefox
 	fix-tools.patch
 	mallinfo.patch
 
-	fix-arm-atomics-grsec.patch
 	fix-arm-version-detect.patch
 	mozilla-build-arm.patch
 	disable-moz-stackwalk.patch
@@ -79,6 +79,67 @@ _mozappdir=/usr/lib/firefox
 ldpath="$_mozappdir"
 
 # secfixes:
+#   69.9.0-r0:
+#     - CVE-2019-9812
+#     - CVE-2019-11740
+#     - CVE-2019-11742
+#     - CVE-2019-11743
+#     - CVE-2019-11744
+#     - CVE-2019-11746
+#     - CVE-2019-11752
+#   60.8.0-r0:
+#     - CVE-2019-9811
+#     - CVE-2019-11709
+#     - CVE-2019-11711
+#     - CVE-2019-11712
+#     - CVE-2019-11713
+#     - CVE-2019-11715
+#     - CVE-2019-11717
+#     - CVE-2019-11719
+#     - CVE-2019-11729
+#     - CVE-2019-11730
+#   60.7.2-r0:
+#     - CVE-2019-11708
+#   60.7.1-r0:
+#     - CVE-2019-11707
+#   60.7.0-r0:
+#     - CVE-2019-9815
+#     - CVE-2019-9816
+#     - CVE-2019-9817
+#     - CVE-2019-9818
+#     - CVE-2019-9819
+#     - CVE-2019-9820
+#     - CVE-2019-11691
+#     - CVE-2019-11692
+#     - CVE-2019-11693
+#     - CVE-2019-7317
+#     - CVE-2019-9797
+#     - CVE-2018-18511
+#     - CVE-2019-11694
+#     - CVE-2019-11698
+#     - CVE-2019-5798
+#     - CVE-2019-9800
+#   60.6.1-r0:
+#     - CVE-2019-9810
+#     - CVE-2019-9813
+#     - CVE-2019-9790
+#     - CVE-2019-9791
+#     - CVE-2019-9792
+#     - CVE-2019-9793
+#     - CVE-2019-9794
+#     - CVE-2019-9795
+#     - CVE-2019-9796
+#     - CVE-2019-9801
+#     - CVE-2018-18506
+#     - CVE-2019-9788
+#   60.5.2-r0:
+#     - CVE-2019-5785
+#     - CVE-2018-18335