systemd/apk-tools: new aport

For systemd (and our own sanity) we need to do the /usr merge. This fork of apk-tools includes the logic to support alpine packages like tar which install the main tar binary to /bin and then a symlink to /usr/bin/... We should find a way to implement this in upstream apk-tools, and continue pushing Alpine to also adopt the merged /usr model. Signed-off-by: Caleb Connolly <caleb@postmarketos.org>

systemd/apk-tools: new aport
3fd68f08 · Caleb Connolly · Clayton Craft · 90811112 · 3fd68f08 · 3fd68f08
Verified Commit 3fd68f08 authored 1 year ago by Caleb Connolly Committed by Clayton Craft 5 months ago
--- a/systemd/apk-tools/APKBUILD
+++ b/systemd/apk-tools/APKBUILD
+# Forked from Alpine INSERT-REASON-HERE (CHANGEME!)
+
+pkgname=apk-tools
+pkgver=9992.14
+_pkgver=2.14.0
+pkgrel=6
+pkgdesc="Alpine Package Keeper - package manager for alpine"
+arch="all"
+url="https://gitlab.alpinelinux.org/alpine/apk-tools"
+license="GPL-2.0-only"
+subpackages="$pkgname-dbg $pkgname-dev $pkgname-static $pkgname-doc $pkgname-zsh-completion"
+# Musl 1.2 introduced new ABI for time64 => upgrading apk-tools
+# while staying on musl <1.2 causes missing symbols
+# starting with musl 1.2.3_git (pre 1.2.3), we added DT_RELR
+# it is possible for old systems to upgrade, and apk-tools would upgrade first,
+# which would upgrade to a binary that cannot run until musl is upgraded.
+# forcing this constraint makes apk upgrade musl as part of the 'critical' transaction,
+# and update musl first.
+depends="musl>=1.2.3_git20230424"
+makedepends_build="openssl>3 lua5.3 lua5.3-lzlib scdoc"
+makedepends_host="zlib-dev openssl-dev zlib-static openssl-libs-static linux-headers"
+makedepends="$makedepends_build $makedepends_host lua-dev"
+_lua="no"
+if [ "$CBUILD" = "$CHOST" ]; then
+	_lua="lua5.3"
+	subpackages="$subpackages $_lua-apk:luaapk"
+	makedepends="$makedepends $_lua-dev"
+
+	# ca-certificates-bundle needed for https certificate validation
+	depends="$depends ca-certificates-bundle"
+fi
+
+_commit="3ffd8c224c5e87328bd237dad6a63bb75fb10255"
+source="https://gitlab.com/calebccff/apk-tools/-/archive/$_commit/apk-tools-$_commit.tar.gz
+	_apk
+	"
+builddir="$srcdir/$pkgname-$_commit"
+
+# secfixes:
+#   2.12.6-r0:
+#     - CVE-2021-36159
+#   2.12.5-r0:
+#     - CVE-2021-30139
+
+prepare() {
+	default_prepare
+	sed -i -e 's:-Werror::' Make.rules
+	echo "FULL_VERSION=$_pkgver-r$pkgrel" > config.mk
+}
+
+build() {
+	make LUA="$_lua"
+	make static LUA="$_lua"
+}
+
+check() {
+	make check LUA="$_lua"
+}
+
+package() {
+	make DESTDIR="$pkgdir" LUA="$_lua" install
+	install -d "$pkgdir"/var/lib/apk \
+		"$pkgdir"/lib/apk/exec \
+		"$pkgdir"/etc/apk/keys \
+		"$pkgdir"/etc/apk/protected_paths.d
+
+	install -Dm644 "$srcdir"/_apk "$pkgdir"/usr/share/zsh/site-functions/_apk
+	rm -r "$pkgdir"/usr/share/doc
+}
+
+static() {
+	pkgdesc="Alpine Package Keeper - static binary"
+	install -Dm755 "$builddir"/src/apk.static \
+		"$subpkgdir"/sbin/apk.static
+
+	# lets sign the static binary so it can be vefified from distros
+	# that does not have apk-tools
+	local abuild_conf=${ABUILD_CONF:-"/etc/abuild.conf"}
+	local abuild_home=${ABUILD_USERDIR:-"$HOME/.abuild"}
+	local abuild_userconf=${ABUILD_USERCONF:-"$abuild_home/abuild.conf"}
+	[ -f "$abuild_userconf" ] && . "$abuild_userconf"
+	local privkey="$PACKAGER_PRIVKEY"
+	local pubkey=${PACKAGER_PUBKEY:-"$privkey.pub"}
+	local keyname=${pubkey##*/}
+	${CROSS_COMPILE}strip "$subpkgdir"/sbin/apk.static
+	openssl dgst -sha1 -sign "$privkey" \
+		-out "$subpkgdir"/sbin/apk.static.SIGN.RSA.$keyname \
+		"$subpkgdir"/sbin/apk.static
+}
+
+luaapk() {
+	pkgdesc="Lua module for apk-tools"
+	mkdir -p "$subpkgdir"/usr/
+	mv "$pkgdir"/usr/lib "$subpkgdir"/usr/lib/
+}
+
+sha512sums="
+5028790865c4a1e8b231bceb2d28e06f870cbdd6e0bb8ef5d203420dfb137142ead08002659af16c103d867f8501eb00624d7860c20df490f95dd2ec24226153  apk-tools-3ffd8c224c5e87328bd237dad6a63bb75fb10255.tar.gz
+7870676720f5007eee9482786e02246f8e3474afb90e76c9c83aebe914747a8e007b5d2eed6441933f4922024b3f0664db270f21981ad6c2db877a110b0cd79e  _apk
+"
--- a/systemd/apk-tools/_apk
+++ b/systemd/apk-tools/_apk
+#compdef apk
+
+function _apk {
+
+	local -a global_opts=(
+		"(-h --help)"{-h,--help}"[Print help information]"
+		"(-i --interactive)"{-i,--interactive}"[Ask confirmation before performing certain operations]"
+		"(-p --root)"{-p,--root}"[Manage file system at ROOT]"
+		"(-q --quiet)"{-q,--quiet}"[Print less information]"
+		"(-U --update-cache)"{-U,--update-cache}"[Alias for '--cache-max-age 1']"
+		"(-v --verbose)"{-v,--verbose}"[Print more information]"
+		"(-V --version)"{-V,--version}"[Print program version and exit]"
+		"(-X --repository)"{-X,--repository}"[Specify additional package repository]:repository:_host"
+		"--allow-untrusted[Install packages with untrusted signature or no signature]"
+		"--arch[Temporarily override architecture]:arch:(armhf mips64 s390x x86_64 x86 aarch64 ppc64le armv7 riscv64)"
+		"--cache-dir[Temporarily override the cache directory]:directory:_dir_list"
+		"--cache-max-age[Maximum age for index in cache before it's refreshed]:minutes"
+		"--force-binary-stdout[Continue even if binary data will be printed to the terminal]"
+		"--force-broken-world[Continue even if world cannot be satisfied]"
+		"--force-non-repository[Continue even if packages may be lost on reboot]"
+		"--force-old-apk[Continue even if packages use unsupported features]"
+		"--force-overwrite[Overwrite files in other packages]"
+		"--force-refresh[Do not use cached files]"
+		"--keys-dir[Override directory of trusted keys]:directory:_dir_list"
+		"--no-cache[Do not use any local cache path]"
+		"--no-network[Do not use the network]"
+		"--no-progress[Disable progress bar even for TTYs]"
+		"--print-arch[Print default arch and exit]"
+		"--progress[Show progress]"
+		"--progress-fd[Write progress to the specified file descriptor]:file descriptor"
+		"--purge[Delete modified configuration files or uninstalled packages from cache]"
+		"--repositories-file[Override system repositories]:repository file:_files"
+		"--wait[Wait to get an exclusive repository lock before failing]:seconds"
+	)
+
+	local -a commit_opts=(
+		"(-s --simulate)"{-s,--simulate}"[Simulate the requested operation without making any changes]"
+		"--clean-protected[Do not create .apk-new files in configuration directories]"
+		"--overlay-from-stdin[Read list of overlay files from stdin]"
+		"--no-scripts[Do not execute any scripts]"
+		"--no-commit-hooks[Skip pre/post hook scripts]"
+		"--initramfs-diskless-boot[Enables selected force options, disables commit hooks and more]"
+	)
+
+	local -a latest_opt=("(-l --latest)"{-l,--latest}"[Always choose the latest package by version]")
+	local -a upgrade_opt=("(-u --upgrade)"{-u,--upgrade}"[Upgrade packages and it's dependencies]")
+
+	local context state state_descr line
+	typeset -A opt_args
+	local curcontext="$curcontext"
+	local ret=1
+
+	function _ccache_apk_world { [[ "$1" -ot /etc/apk/world ]] }
+	function _ccache_apk_avail {
+		for i in /var/cache/apk/APKINDEX.*; do
+			[[ "$1" -ot "$i" ]] && return
+		done
+	}
+
+	function _apk_available_pkgs {
+		local -a _apk_available_packs
+		zstyle ":completion:${curcontext}:" cache-policy _ccache_apk_avail
+		local IFS=$'\n'
+		if _cache_invalid apk_index_packages_available || ! _retrieve_cache apk_index_packages_available; then
+			_apk_available_packs=(${${$(/sbin/apk list -a 2>/dev/null)%% *}%-*-r[[:digit:]]*})
+			_store_cache apk_index_packages_available _apk_available_packs
+		fi
+		_describe 'available packages' _apk_available_packs
+	}
+
+	function _apk_installed_pkgs {
+		local -a _apk_installed_packs
+		zstyle ":completion:${curcontext}:" cache-policy _ccache_apk_world
+		local IFS=$'\n'
+		if _cache_invalid apk_index_packages_installed || ! _retrieve_cache apk_index_packages_installed; then
+			_apk_installed_packs=(${${$(/sbin/apk list -I 2>/dev/null)%% *}%-*-r[[:digit:]]*})
+			_store_cache apk_index_packages_installed _apk_installed_packs
+		fi
+		_describe 'installed packages' _apk_installed_packs
+	}
+
+	function _apk_packages {
+		_alternative 'repo:available packages:_apk_available_pkgs' 'localpkgs:local packages:_files -g "*.apk"'
+	}
+
+	function _apk_cache {
+		local -a cache_subcmds=(
+			"clean:Remove package files which are no longer necessary"
+			"download:Fetch package files from the repositories and store them in the cache"
+			"sync:Clean and Download"
+		)
+		_describe 'subcommand' cache_subcmds
+	}
+
+	function _apk_subcmds {
+		local -a cmds=(
+			"add:Add packages to world and commit changes"
+			"del:Remove packages from world and commit changes"
+			"fix:Fix, reinstall or upgrade packages without modifying world"
+			"update:Update repository indexes"
+			"upgrade:Install upgrades available from repositories"
+			"cache:Manage the local package cache"
+			"info:Give detailed information about packages or repositories"
+			"list:List packages matching a pattern or other criteria"
+			"dot:Render dependencies as graphviz graphs"
+			"policy:Show repository policy for packages"
+			"search:Search for packages by name or description"
+			"index:Create repository index file from packages"
+			"fetch:Download packages from global repositories to a local directory"
+			"manifest:Show checksums of package contents"
+			"verify:Verify package integrity and signature"
+			"audit:Audit system for changes"
+			"stats:Show statistics about repositories and installations"
+			"version:Compare package versions or perform tests on version strings"
+		)
+		_describe 'subcommand' cmds
+	}
+
+	local -a completion_spec=($global_opts ':subcommand:_apk_subcmds')
+
+	case ${${words:#-*}[2]} in
+	(add)
+		completion_spec+=(
+			$commit_opts \
+			$latest_opt \
+			$upgrade_opt \
+			"--initdb[Initialize a new package database]" \
+			"(-t --virtual)"{-t,--virtual}"[Create virtual package with given dependencies]" \
+			"--no-chown[Do not change file owner or group]" \
+			"*:package:_apk_packages"
+		)
+	;;
+	(del)
+		completion_spec+=(
+			$commit_opts \
+			"(-r --rdepends)"{-r,--rdepends}"[Recursively delete all top-level reverse dependencies]" \
+			"*:installed package:_apk_installed_pkgs"
+		)
+	;;
+	(fix)
+		completion_spec+=(
+			$commit_opts \
+			"(-d --depends)"{-d,--depends}"[Fix dependencies of specified packages]" \
+			"(-r --reinstall)"{-r,--reinstall}"[Reinstall packages]" \
+			"(-u --upgrade)"{-u,--upgrade}"[Upgrade if an upgrade is available and does not break dependencies]" \
+			"(-x --xattr)"{-x,--xattr}"[Fix packages with broken xattrs]" \
+			"--directory-permissions[Reset all directory permissions]" \
+			"*:package:_apk_packages"
+		)
+	;;
+	(update) completion_spec+=($commit_opts);;
+	(upgrade)
+		completion_spec+=(
+			$commit_opts \
+			$latest_opt \
+			"(-a --available)"{-a,--available}"[Reset all packages to versions available from current repositories]" \
+			"--ignore[Upgrade all other packages than the ones listed]" \
+			"--no-self-upgrade[Do not do an early upgrade of the 'apk-tools' package]" \
+			"--prune[Remove packages which are no longer available from any configured repository]" \
+			"--self-upgrade-only[Only perform a self-upgrade of the 'apk-tools' package]" \
+			"*:package:_apk_packages"
+		)
+	;;
+	(cache)
+		completion_spec+=(
+			$latest_opt \
+			$upgrade_opt \
+			'2:subcommand:_apk_cache'
+		)
+	;;
+	(info)
+		completion_spec+=(
+			"(-a --all)"{-a,--all}"[List all information known about the package]" \
+			"(-d --description)"{-d,--descripton}"[Print the package description]" \
+			"(-e --installed)"{-e,--installed}"[Check package installed status]" \
+			"(-L --contents)"{-L,--contents}"[List files included in the package]" \
+			"(-P --provides)"{-P,--provides}"[List what the package provides]" \
+			"(-r --rdepends)"{-r,--rdepends}"[List reverse dependencies of the package]" \
+			"(-R --depends)"{-R,--depends}"[List the dependencies of the package]" \
+			"(-s --size)"{-s,--size}"[Print the package's installed size]" \
+			"(-w --webpage)"{-w,--webpage}"[Print the URL for the package's upstream webpage]" \
+			"(-W --who-owns)"{-W,--who-owns}"[Print the package which owns the specified file]:file:_files" \
+			"(-i --install-if)"{-i,--install-if}"[List the package's install_if rule]" \
+			"--license[Print the package SPDX license identifier]" \
+			"--replaces[List the other packages for which this package is marked as a replacement]" \
+			"(-I --rinstall-if)"{-I,--rinstall-if}"[List other packages whose install_if rules refer to this package]" \
+			"--triggers[Print active triggers for the package]" \
+			"*:package:_apk_packages"
+		)
+	;;
+	(list)
+		completion_spec+=(
+			"(-I --installed)"{-I,--installed}"[Consider only installed packages]" \
+			"(-O --orphaned)"{-O,--orphaned}"[Consider only orphaned packages]" \
+			"(-a --available)"{-a,--available}"[Consider only available packages]" \
+			"(-u --upgradable --upgradeable)"{-u,--upgradable,--upgradeable}"[Consider only upgradable packages]" \
+			"(-o --origin)"{-o,--origin}"[List packages by origin]" \
+			"(-d --depends)"{-d,--depends}"[List packages by dependency]" \
+			"(-P --providers)"{-P,--providers}"[List packages by provider]" \
+			"*:pattern"
+		)
+	;;
+	(dot)
+		completion_spec+=(
+			"--errors[Consider only packages with errors]" \
+			"--installed[Consider only installed packages]"
+		)
+	;;
+	(index)
+		completion_spec+=(
+			"(-d --description)"{-d,--description}"[Add a description to the index]:description" \
+			"(-o --output)"{-o,--output}"[Output generated index to file]:output:_files" \
+			"(-x --index)"{-x,--index}"[Read an existing index to speed up the creation of the new index]" \
+			"--no-warnings[Disable warnings about missing dependencies]" \
+			"--rewrite-arch[Set all package's architecture to arch]:arch:(armhf mips64 s390x x86_64 x86 aarch64 ppc64le armv7 riscv64)" \
+			"*:package:_apk_packages"
+		)
+	;;
+	(fetch)
+		completion_spec+=(
+			"(-l --link)"{-l,--link}"[Create hard links if possible]" \
+			"(-o --output)"{-o,--output}"[Where to write the downloaded files]:directory:_dir_list" \
+			"(-r --recursive)"{-r,--recursive}"[Fetch packages and all of their dependencies]" \
+			"(-s --stdout)"{-s,--stdout}"[Dump the .apk file(s) to stdout]" \
+			"--simulate[Simulate the requested operation without making any changes]" \
+			"--url[Print the full URL for downloaded packages]" \
+			"*:package:_apk_packages"
+		)
+	;;
+	(manifest) completion_spec+=("*:package:_apk_packages");;
+	(verify) completion_spec+=("*:package:_apk_packages");;
+	(audit)
+		completion_spec+=(
+			"--backup[Audit configuration files only (default)]" \
+			"--check-permissions[Check file permissions too]" \
+			"--packages[Print only the packages with changed files]" \
+			"--system[Audit all system files]" \
+			"(-r --recursive)"{-r,--recursive}"[Descent into directories and audit them as well]" \
+			"*:files:_files"
+		)
+	;;
+	(version)
+		completion_spec+=(
+			"(-a --all)"{-a,--all}"[Consider packages from all repository tags]" \
+			"(-c --check)"{-c,--check}"[Check versions for validity]:*: " \
+			"(-I --indexes)"{-I,--indexes}"[Print the version and description for each repository's index]:*: " \
+			"(-l --limit)"{-l,--limit}"[Limit to packages with output matching given operand]:operand:('>' '=' '<' '>=' '<=')" \
+			"(-t --test)"{-t,--test}"[Compare two version strings]:*: " \
+			"*:package:_apk_packages"
+		)
+	;;
+	(policy) completion_spec+=("*:package:_apk_packages");;
+	(search)
+		completion_spec+=(
+			"(-a --all)"{-a,--all}"[Print all matching package versions]" \
+			"(-d --description)"{-d,--description}"[Search in description as well]" \
+			"(-e -x --exact)"{-e,-x,--exact}"[Match package names exactly]" \
+			"--has-origin[Match by package origin]" \
+			"(-o --origin)"{-o,--origin}"[Print base package name]" \
+			"(-r --rdepends)"{-r,--rdepends}"[Print reverse dependencies]" \
+			"*:package:_apk_packages"
+		)
+	;;
+	esac
+
+	_arguments -C -s $completion_spec && ret=0
+	return ret
+}