- Nov 09, 2018
-
-
Timo Teräs authored
-
- Nov 02, 2018
-
-
Timo Teräs authored
-
Timo Teräs authored
Move addition of virtual package after the dependencies have been parsed as then the reverse dependency structures can be populated correctly.
-
Timo Teräs authored
-
Timo Teräs authored
this would happen if same package matched multiple times due to multiple provided names.
-
Timo Teräs authored
-
- Oct 30, 2018
-
-
Timo Teräs authored
The hash type was accidentally changed in previous commit. Currently csum->data cannot hold longer hash, so fix the hash.
-
- Oct 26, 2018
-
-
Timo Teräs authored
-
- Oct 05, 2018
-
-
Timo Teräs authored
merge_options() will write one more entry to the options table which is the end-of-table indicator. Allocate memory for it too. valgrind did not pick it up due to being in stack; changing alloca to malloc would make valgrind notice the issue too. Reported-by: Mobile Stream <info@mobile-stream.com>
-
- Sep 25, 2018
-
-
Timo Teräs authored
-
Timo Teräs authored
there are several applets that support simulation but are not committing changes to database
-
- Sep 11, 2018
-
-
Timo Teräs authored
-
- Sep 10, 2018
-
-
Timo Teräs authored
-
Timo Teräs authored
A crafted .apk file could trick apk into writing unverified data to an unexpected file during temporary file creation due to bugs in handling long link target name and the way a regular file is extracted. Several hardening steps are implemented to avoid this:
  - the temporary file is now always first unlinked (apk thus reserved all filenames .apk.* to be its working files)
  - the temporary file is after that created with O_EXCL to avoid races
  - the temporary file is no longer directly the archive entry name and thus directly controlled by potentially untrusted data
  - long file names and link target names are now rejected
  - hard link targets are now more rigorously checked
  - various additional checks added for the extraction process to error out early in case of malformed (or old legacy) file
Reported-by: Max Justicz <max@justi.cz>
-
Consolidate author information, so that tools like 'git shortlog' show a single entry for each author.
-
- Sep 05, 2018
-
-
Timo Teräs authored
This is unwanted information disclosure. Reported-by: Max Justicz <max@justi.cz>
-
Timo Teräs authored
Most applets return whatever apk_solver_commit() returns. It is the number of errors found (or negative for hard error). Sanitize the error value to not give false success exit code in the unlikely case of errors % 256 == 0. Reported-by: Max Justicz <max@justi.cz>
-
- Aug 21, 2018
-
-
Natanael Copa authored
We should not update repository index when --no-network is specified. ref #9126
-
- Aug 14, 2018
-
-
- Jul 18, 2018
-
-
Timo Teräs authored
ref #9063
-
- Jul 02, 2018
-
-
It's common for a pre-install script to do something like `addgroup -S group 2>/dev/null`. When apk installs files after this, it sets the owner/group based on id cache but currently the id cache is stale and doesn't contain the new group at that point: instead the file will be installed with gid that the build host happened to have for that group -- on target this might mean a non-existing group or a completely different group. We can't know if the script really did modify id cache contents so make sure to reset the id cache on every script execution.
-
Virtual packages have the origin pointer set to NULL. Trying to print it using the BLOB_PRINTF macros causes a segmentation fault. Inspired by the `print_origin_name` function from `src/search.c` this commit attempts to fix it by checking whether `pkg->origin` is NULL before attempting to print it. If it is NULL the pkg name is printed instead. Since printing the pkg name requires a different format string this commit splits the printf call for printing the package line into multiple ones. The output format shouldn't have changed at all though.
-
- Jun 24, 2018
-
-
Natanael Copa authored
-
- Jun 14, 2018
-
-
Timo Teräs authored
-
Timo Teräs authored
-
Run apk_solver_solve once with all args as dependencies instead of running apk_solver_solve for each arg. This is necessary so the install_if calculation is done correctly.
-
- May 08, 2018
-
-
- Apr 05, 2018
-
-
Timo Teräs authored
During netboot on systems without RTC, time() will be near zero, and the index will not exist. Thus the plain test of st.st_mtime against system time failed. Verify that fstatat() succeeds.
-
- Feb 21, 2018
-
-
Ariadne Conill authored
-
- Feb 20, 2018
-
-
Ariadne Conill authored
-
Ariadne Conill authored
-
Ariadne Conill authored
-
- Feb 09, 2018
-
-
Jakub Jirutka authored
-
- Jan 31, 2018
-
-
TLS_client_method is a LibreSSL extension. SSLv23_client_method is generic, and doesn't mean SSL v2/v3 only.
-
- Jan 29, 2018
-
-
Ariadne Conill authored
list: use `apk list --providers` to search virtual providers instead of enabling virtuals by default
-
Ariadne Conill authored
list does everything search does and more
-
Ariadne Conill authored
-
Ariadne Conill authored
-
Ariadne Conill authored
-
Ariadne Conill authored
-