Ecosyste.ms: OpenCollective
An open API service for software projects hosted on Open Collective.
github.com/QubesOS/qubes-rpm-oxide
Rust libraries for processing RPM packages
https://github.com/QubesOS/qubes-rpm-oxide
14424c843fb434856d8739e9c5def74174204115 authored over 1 year ago
This ensures that future changes to the librpm and librpmio ABI do not
silently cause undefined ...
No functional change intended.
9af9d2a69f8bb1cbc258469a763c2b861ecf1424 authored over 1 year ago
RPM assumes that the i18ntable is at least as long as all i18nstring
entries, and many versions ...
5f637c2b0a918d37bf37be036d61b31c7ce91704 authored almost 2 years ago
* origin/pr/25:
Drop R4.0 CI
Migrate to 2018 edition
Stop using ... for inclusive ranges
...
It's EOL already.
4ca10ab771a0ce6326f117ec1b090b87d801a28e authored almost 2 years ago
This will be used by fwupd wrapper to validate if signature is well
formed before allowing full ...
This exists:
google-noto-sans-mono-fonts-20201206^1.git0c78c8329-7.fc37.noarch.rpm
R4.0 is end-of-life.
0a2ad568486eec39f0a402fb1dece4b2af72d5de authored over 2 years ago
Now that R4.0 is end of life, it is possible to use Rust 2018. The
actual migration was mostly ...
It has been deprecated since Rust 1.37, and compilers that lack the
replacement ..= syntax are n...
Bare trait objects have been deprecated since Rust 1.37.
516631c67d63fb9db24de9f952e8ee34fccc1621 authored over 2 years ago
The alloc crate was unstable in such old compilers. Drop workarounds
for this.
Remove the workarounds for try_from being unstable in these versions.
2b0d3f509993717d8ae148d03079c79b5f7ecd6a authored over 2 years ago
Remove the workarounds for const_fn being unstable in these old
compilers.
c206db8044f227a1e030705087d48743d67e038d authored over 2 years ago
* origin/pr/16:
Remove a huge amount of unnecessary locking
* origin/pr/20:
.qubesbuilder: replace 'spec' by 'build'
Add Qubes Builder v2 integration
This fails on legitimate packages:
Error canonicalizing file: Bad length for i18nstring Tag...
bc95e02b0e5bf3cbc28bc65c89c735f3fd5b254e authored over 2 years ago
* origin/pr/21:
Better error messages for corrupt packages
A malicious attacker sending a forged package is the least likely reason
for verification to fai...
73b2fbffc0860238c53e498400de01e21f14708d authored over 2 years ago
7d96f02d89b78d3be966675b33511b6c7eb29673 authored over 2 years ago
RPM assumes that the i18ntable has the same length as all i18nstring
entries, and all released v...
Panu Matilainen (the RPM project lead) suggested loading the RPM keyring
eagerly instead of lazi...
Older versions may not work.
4026fbcce4c6dff94ee80fb5d08d8b2b9e7f53cc authored almost 3 years ago
Old compilers need ugly workarounds.
13d73706801f6aa123842df06b1dca82902b73ce authored almost 3 years ago
It turns out that RPM’s keyring and transaction functions are not
thread-safe. This showed up a...
d19eadd74a63540abb6032a549fb57edb5183998 authored almost 3 years ago
The header-processing code assumes that tags are in order and unique.
This should be enforced by...
6c0ae46a38ff4ccecfb8b1164fb3befd0523c65f authored about 3 years ago
Writing 704MiB to stderr is not a good idea.
c1242a8a8ee8f00cacf36789098111831ae296c1 authored about 3 years ago
32735d1ccf6382632b454f53247a733b1c052ea2 authored about 3 years ago
390d64a5ea5a0376b076aeebf368e5c87b486198 authored about 3 years ago
dc9a7a8684bb161f1f7e70447faf2a2c45f72679 authored about 3 years ago
This is needed for qvm-template to continue working in Debian.
1a5ffb7caccb34e937f48422c5c5a7d85ecc1dc3 authored about 3 years ago
This will be used by qvm-template to display a nice progress bar.
6aab76360088710a8027abd29fb3c0791c1ef699 authored about 3 years ago
qubes-core-admin-client will need it for qvm-template.
b20cfe71bb8d49ddf5a3b7957cfb33220a41b13e authored about 3 years ago
It is a useless no-op.
4b4de7ecaeda1ab1a202a2218230e67231736ea0 authored about 3 years ago
This is a disgusting hack, but the RPM C API isn’t very good either.
5812d4b2128f4e7987822b5b29e5ff3ded92cac9 authored about 3 years ago
String tags may be arrays, which will have NUL bytes.
b924f976ffbd4f2fd8c90992b011d6b8f3886707 authored about 3 years ago
They are a giant footgun in Rust and using them in FFI is not
recommended.
c9e9da7b0b4e3fd96248554705ca4a0f671bd28c authored about 3 years ago
rpm-ostree needs it.
35e21637ba715a57333e29bb4f6329a607c7f462 authored over 3 years ago
* origin/pr/6:
Add tests for old-format packet parsing
Add way more packet serialization and...
This is critical because OpenPGP packets are parsed twice: once by us
and again by RPM. RPM wil...
This covers almost all of the possibilities for serialization. Parsing
is only partially covered.
It failed to build.
af1b2db69f49df13dbdfd1a17c9f2354b55fb666 authored over 3 years ago
They all passed, but are still good to have!
f721b612cbefe0479eede70cef553c89080cda38 authored over 3 years ago
So that people actually know what they mean.
627d98c661c791603b19a63b261aee20397fad45 authored over 3 years ago
This was broken due to a broken port to the 2015 edition.
4a3db532bfee6ff5283441445649f537a8c7e297 authored over 3 years ago
This will be necessary to use rpm-oxide to handle the RPM keyring. Also
add more tests.
From a run of `cargo clippy`: We can just transfer ownership of the `Vec`.
Signed-off-by: Colin...
1972e235ffea0683dc8ddee9ec97c3c7a831c20a authored over 3 years ago
to clean up formatting
dbe191eb7164ed85165516efc47520f6c45df599 authored over 3 years ago
Silly logic error.
dcde3f8d51d4ad7a51ba96d9d80a1ccbf28786ec authored over 3 years ago
even when allow_weak_hashes is enabled.
f53b8efb73555d566ce0dcd99ce089fd460b8bf2 authored over 3 years ago
We allow SHA224, SHA1, and MD5 if allow_weak_hashes is set to
AllowWeakHashes::Yes.
Signature versions other than 3 and 4 should return
UnsupportedSignatureVersion, rather than the...
This found a bug: the empty MPI was not properly rejected.
25b89eb5a325a243629faa0a40b860890524d124 authored over 3 years ago
This is RECOMMENDED by RFC4880 and should be supported by all versions
of RPM, as they use the s...
859ee5228358ede5e9365767a0551268dad82e98 authored over 3 years ago
The format of a parsed packet is neither trusted nor signed and so must
not affect the result of...
e7c67e69c6db9f52577187c7eae5027f51b2abe7 authored almost 4 years ago
9d17d92c3ef69e1a924644bd2811f7d934069d97 authored almost 4 years ago
This reverts commit 5c182f1df8f08ddc7c1a0357b05e5b9abcfe37a2.
Fedora 25’s Cargo cannot handle o...
677b8ef618a0c982b378aaeecf32a3672bcde0fd authored almost 4 years ago
Our primary output is a binary, not a library, so we should have
Cargo.lock under version control.
This cleans up the root directory.
f14384b1de7ba704a90cef9e311a21d5f1a2dd50 authored almost 4 years ago
The /pkgs directory is used by qubes-builder.
b6e983e994e2a3e87f87eb7e783313969559cf3d authored almost 4 years ago
To represent that we are moving towards production.
2fdca3527ed765ba6a13a846c86adbebaca4b771 authored almost 4 years ago
Modern versions of RPM generate both, so this should be the most
compatible option.
No change in behavior
f744f4f97c989e18e5514100e2d5256b3d4daffc authored almost 4 years ago
Old versions of RPM fail to verify the header+payload digest without
this.
This allows us to emit sizes and other integer tags.
e36c12200d7c3e24349acd609e81c6a6b08ed33e authored almost 4 years ago
to match old versions of RPM.
fb549e52121996895d620eea9a2c369ad4bad575 authored almost 4 years ago
It was never implemented.
460fb119d84b08a52462d0e8926c99b4998aa457 authored almost 4 years ago
GPG uses old-style packets for tags less than 16, so do so as well.
2567bab7bbf4febc3baca88d99d1597c6af89ef4 authored almost 4 years ago
/usr/bin doesn’t belong to us 🙂
9d9381f1cb77381cff70d6e5e70380b765d33131 authored almost 4 years ago
This has been working for a while but I forgot to commit it.
9bc49e224f89aa7a8a342f20c3c5ccc969d9a3eb authored almost 4 years ago
So that the generated packages have a changelog entry.
e9a0787f9ea4fafe2892728601d08a27af24dc90 authored almost 4 years ago
Otherwise, when Rust calls ‘exit()’, RPM cleans up some data structures
that are still in use in...
RPM was complaining it could not find Rust’s GDB scripts.
7f5d7b481645cb426a716314d977ee0db8ea40b4 authored almost 4 years ago
Some of the unsafe code was unnecessary and has been replaced by safe
code. The rest has added ...
This code was disabled in the rust to make rpmcanon work on old Rust
versions. Fortunately, re-...
rpm-oxide needs to build on Rust as old as 1.21.0, which is missing many
modern features and had...
This avoids exposing the UTF-8 decoder of an old Rust version to
untrusted inputs.
qubes-builder expects rpm.spec.in to be present, not rpm.spec.
a864fde1adb084e73fb6bca6727c601bdfde1353 authored almost 4 years ago
This required substantial changes so that the code would build on Rust
1.21.
This is an upstream RPM limitation.
67fb900fb3ddce250d3100a3f1c1af9b60c63e6d authored almost 4 years ago
They are found in packages signed by Fedora 32 apparently, and are
harmless.
Apparently the signatures made by Fedora 32’s GPG keys have them.
a1f540f6a86860a9627d1b1905da187257152986 authored almost 4 years ago
OpenPGP signatures have a timestamp and an expiration date. A signature
made in the future is n...
Sadly some old packages require them :(
04f7b93cc12ceefeb900848504854a0a51dd640b authored almost 4 years ago
They won’t be copied into the final package, so they can’t be used to
exploit RPM. Moreover, ba...
This fixes compiler warnings.
f0ed7735bc61f52f3432b7bdd2e9cb884f6c4f92 authored almost 4 years ago
No change in behavior
bc51a5e4ac1db1e197734aa8f7f40b8b5b544783 authored almost 4 years ago
5afa9d07a56f27a5045d4db7ebcf0ff04e164577 authored almost 4 years ago
9b89518bbeed1ec0c127377477a514320f7270c6 authored almost 4 years ago
This is way more future-proof.
3f49c6804a993711b550306e307e498e87e48cca authored almost 4 years ago
This tests various corner cases in verification.
3d059be0ebdab23a21ff9457d1bc845cef757122 authored almost 4 years ago