This is a GCC extension, and seems to not work correctly with
cross-compilation. Perhaps the combination of using also designated
array initializer mixed up things.

Just git rid of the flexible member for now.

and additional sanity checks on the extraction state

The _DATA callback needs to be deferred until extracted data is
handled for the state machine to work correctly for identity data
generation.

fixes regresion in "apk index"

fixes 9855169e "io: simplify mpart and error handling"

instead of io error

Otherwise the ops might be retained, and result in false verification
failure.

fixes #10985

fixes #10988

Make the package uninstallable, and report the status correctly
if dependens is incorrect. Treat malformed provides and install_if
better.

fixes #10987

ends up saving a pointer size on the struct as the short
fits in padding gap.

- put generic crypto function to own file
- put openssl specific crypto implementations into its own file
- remove EVP_MD_CTX_FLAG_ONESHOT setting as it was mere optimization
  (only useful for Padlock SHA accelerator IIRC)
- use separate identity generation hash context
- remove usage of gotos
- remove unused and unneeded modes
- harden extract_v2 file parser while at it

Pass data only with the APK_MPART_DATA callback to simplify things.
Handler errors more straight forward.

This was originally used for testing, but is no longer needed.
If uvol configuration is needed, support for a lib/apk/exec/uvol
symlink or similar can be added to take preference of the uvol
binary.

This allows apk to create a db-uvol symlink on any write operation
if uvol is active, and the database does not exist yet. This allows
relocation of the uvol-db to an alternative directory, but still
support generic apk builds to find the uvol database using the
symlink.

fixes #10969

This corresponds with the Make.rules default of -Wall

Calculate and write the xattr hash to installed database. This
will go away once installed database is migrated to new format.

Since the conversion happens on installation of the package,
the issue will get fixed the package is reinstalled (apk fix)
or upgraded to new version with apk including this commit.

fixes #10986

consider package as upgradable only if it is from the same pinned
repository. clean up is_upgradable() while at it.

fixes #10899

The database logic now tracks the state, and calls to update
permissions only if the ACL actually changed. Just update all
at one go if change is needed.

This removes the deferred directory permission changing. Stronger
guarantee of directories having proper permissions are now given
for package post-upgrade scripts. This also reduces one full
walk of all packages during install.

I believe the original reasoning for the deferred mechanism was
the possibility of memory overhead in tracking the packages for
each directory. Massif analysis shows that the directory structure
overhead is small compared to all the other data we read, so
lets do this now.

This fixes the extract applet to also set owner for directories
extracted as root. Also during normal operation, this allows to
get the directory owner right for initial extraction.

Update the documentation to speak of 'world constraints' instead
of package spec. Apk really operations on the dependency and
constraint level and directly stores them to 'world' instead of
specific package names.

Also mention that any constraint change can produce all kind of
package changes: installation, removal, upgrade or downgrade.

Document prefix match better.

fixes #10965

The original logic was somewhat wrong. We should not be trying
to repeatedly decompress the stream with the same input, as there
is no guarantee it will safely advance the input all the way.

Instead, we should call it once and then ask for more input if
it has been advanced to the end. Regardless, we should return
when the output buffer has been filled, and keep trying to get
more input every time; zstd will eventually advance the input
buffer so that we either get satisfactory data, an EOF, or an
error.

While at it, handle another edge case. The extraction generally
works without it but just for robustness and to match what the
documentation is saying; if decompressStream fully fills in an
output buffer, there may be more data internally, so save that
state and next time try getting that data to return it even if
we get an EOF from the stream.

If an output buffer is filled only partially, it means zstd has
processed everything. In this case, this generally means an end
of file, so the input buffer will have been fully advanced and
we get an EOF from the wrapped stream on next iteration; since
we got *some* data, we disregard this EOF and return the data.