ilot/forgejo-aneksajo: upgrade to 11.0.0_git0

ilot/forgejo-aneksajo/APKBUILD

@@ -4,7 +4,7 @@
 # Contributor: Patrycja Rosa <alpine@ptrcnull.me>
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=forgejo-aneksajo
-pkgver=10.0.3_git0
+pkgver=11.0.0_git0
 _gittag=v${pkgver/_git/-git-annex}
 pkgrel=0
 pkgdesc="Self-hosted Git service written in Go with git-annex support"
@@ -60,7 +60,7 @@ build() {
 	export CGO_LDFLAGS="$LDFLAGS"
 	unset LDFLAGS
 	## make FHS compliant
-	local setting="code.gitea.io/gitea/modules/setting"
+	local setting="forgejo.org/modules/setting"
 	export LDFLAGS="$LDFLAGS -X $setting.CustomConf=/etc/forgejo/app.ini"
 	export LDFLAGS="$LDFLAGS -X $setting.AppWorkPath=/var/lib/forgejo/"
 
@@ -106,7 +106,7 @@ package() {
 }
 
 sha512sums="
-e32c919228df167374e8f3099e2e59bfab610aac6c87465318efe1cac446d014535e270f57b0bf8b2a7eb3843c5dcb189eac4dad2e230b57acd9096ead647eca  forgejo-aneksajo-v10.0.3-git-annex0.tar.gz
+07f72fcd3bb02a6bbfbcf73f8526c51f1f3fe39d2a504395dfb0997743a190bd210389d58114aaf546fb6d0fabaa80a54240632e11eeba35250b9e6b9b63f438  forgejo-aneksajo-v11.0.0-git-annex0.tar.gz
 497d8575f2eb5ac43baf82452e76007ef85e22cca2cc769f1cf55ffd03d7ce4d50ac4dc2b013e23086b7a5577fc6de5a4c7e5ec7c287f0e3528e908aaa2982aa  forgejo-aneksajo.initd
 b537b41b6b3a945274a6028800f39787b48c318425a37cf5d40ace0d1b305444fd07f17b4acafcd31a629bedd7d008b0bb3e30f82ffeb3d7e7e947bdbe0ff4f3  forgejo-aneksajo.ini
 "

ilot/freescout/APKBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 # Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=freescout
-pkgver=1.8.174
+pkgver=1.8.175
 pkgrel=0
 pkgdesc="Free self-hosted help desk & shared mailbox"
 arch="noarch"
@@ -76,7 +76,7 @@ package() {
 	install -m755 -D "$srcdir"/freescout-manage.sh "$pkgdir"/usr/bin/freescout-manage
 }
 sha512sums="
-c5ec40b3dd7f6f593a950d96632e69d8e0a43e17f566f3d83b52aa44e2aac8ef98c536e9408faa834051d7fb3f07e003642f5e6e2a25a69ea51cf7b96290fb1d  freescout-1.8.174.tar.gz
+aa5f762eddaac34977a42bb59a0c2ec2113b0ad4f04b767465e9c23c4bb5d0dd722432735fb10975c23b0a5ca4a11abcfc52d893a3c6678d4908ceb29cefa736  freescout-1.8.175.tar.gz
 e4af6c85dc12f694bef2a02e4664e31ed50b2c109914d7ffad5001c2bbd764ef25b17ecaa59ff55ef41bccf17169bf910d1a08888364bdedd0ecc54d310e661f  freescout.nginx
 7ce9b3ee3a979db44f5e6d7daa69431e04a5281f364ae7be23e5a0a0547f96abc858d2a8010346be2fb99bd2355fb529e7030ed20d54f310249e61ed5db4d0ba  freescout-manage.sh
 0cba00b7d945ce84f72a2812d40028a073a5278856f610e46dbfe0ac78deff6bf5eba7643635fa4bc64d070c4d49eb47d24ea0a05ba1e6ea76690bfd77906366  rename-client-to-membre-fr-en.patch

ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch

@@ -0,0 +1,45 @@
+From fa8e52baedd21265f69b5f425157e11c8c4ec24a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
+Date: Sat, 25 Mar 2023 09:08:04 +0100
+Subject: [PATCH] cmd/link: prefer musl's over glibc's ld.so during dynamic
+ linking
+
+Without this commit glibc's is preferred over musl by default. This
+causes issues on Alpine when a dynamically linked Go binary is created
+while gcompat is installed, causing the binary to be linked against
+the ld.so provided by the gcompat package.
+
+This commit changes the logic to check for musl's ld.so first, if it
+does not exist we fallback to glibc. This default can be overwritten
+using the `-I` option of cmd/link.
+
+See https://gitlab.alpinelinux.org/alpine/aports/-/issues/14737
+---
+ src/cmd/link/internal/ld/elf.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/cmd/link/internal/ld/elf.go b/src/cmd/link/internal/ld/elf.go
+index 713f7739a5..8cf9377858 100644
+--- a/src/cmd/link/internal/ld/elf.go
++++ b/src/cmd/link/internal/ld/elf.go
+@@ -1886,14 +1886,14 @@ func asmbElf(ctxt *Link) {
+ 						Exitf("ELF interpreter not set")
+ 					}
+ 				} else {
+-					interpreter = thearch.ELF.Linuxdynld
+-					// If interpreter does not exist, try musl instead.
++					interpreter = thearch.ELF.LinuxdynldMusl
++					// If interpreter does not exist, try glibc instead.
+ 					// This lets the same cmd/link binary work on
+-					// both glibc-based and musl-based systems.
++					// both musl-based and glibc-based systems.
+ 					if _, err := os.Stat(interpreter); err != nil {
+-						if musl := thearch.ELF.LinuxdynldMusl; musl != "" {
+-							if _, err := os.Stat(musl); err == nil {
+-								interpreter = musl
++						if glibc := thearch.ELF.Linuxdynld; glibc != "" {
++							if _, err := os.Stat(glibc); err == nil {
++								interpreter = glibc
+ 							}
+ 						}
+ 					}

ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch

@@ -0,0 +1,29 @@
+From 82ac7268f746c31d771e584c1c83f93890b33404 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
+Date: Tue, 11 Jul 2023 05:18:00 +0200
+Subject: [PATCH] go.env: Don't switch Go toolchain version as directed in
+ go.mod
+
+We want users and packages to use the version of Go that is provided
+in our package repository. We don't want to download pre-built
+toolchains from golang.org.
+
+Also note that prior to Go 1.21, pre-built Go binaries are linked
+against glibc and hence do not work on Alpine.
+---
+ go.env | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/go.env b/go.env
+index 6ff2b921d4..a106fb4638 100644
+--- a/go.env
++++ b/go.env
+@@ -7,6 +7,5 @@
+ GOPROXY=https://proxy.golang.org,direct
+ GOSUMDB=sum.golang.org
+ 
+-# Automatically download newer toolchains as directed by go.mod files.
+-# See https://go.dev/doc/toolchain for details.
+-GOTOOLCHAIN=auto
++# Don't attempt to switch to a newer toolchains by default.
++GOTOOLCHAIN=local

ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch

@@ -0,0 +1,245 @@
+From 5c5b24702f5542fba019d6b98eec6121bc21df31 Mon Sep 17 00:00:00 2001
+From: Michael Pratt <mpratt@google.com>
+Date: Thu, 3 Apr 2025 11:15:13 +0000
+Subject: [PATCH] runtime: cleanup M vgetrandom state before dropping P
+
+When an M is destroyed, we put its vgetrandom state back on the shared
+list for another M to reuse. This list is simply a slice, so appending
+to the slice may allocate. Currently this operation is performed in
+mdestroy, after the P is released, meaning allocation is not allowed.
+
+More the cleanup earlier in mdestroy when allocation is still OK.
+
+Also add //go:nowritebarrierrec to mdestroy since it runs without a P,
+which would have caught this bug.
+
+Fixes #73141.
+
+Change-Id: I6a6a636c3fbf5c6eec09d07a260e39dbb4d2db12
+Reviewed-on: https://go-review.googlesource.com/c/go/+/662455
+Reviewed-by: Jason Donenfeld <Jason@zx2c4.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Keith Randall <khr@golang.org>
+Reviewed-by: Keith Randall <khr@google.com>
+---
+ src/runtime/os3_solaris.go            |  5 ++++-
+ src/runtime/os_aix.go                 |  5 ++++-
+ src/runtime/os_darwin.go              |  5 ++++-
+ src/runtime/os_dragonfly.go           |  5 ++++-
+ src/runtime/os_linux.go               |  9 ++++-----
+ src/runtime/os_netbsd.go              |  5 ++++-
+ src/runtime/os_openbsd.go             |  5 ++++-
+ src/runtime/os_plan9.go               |  5 ++++-
+ src/runtime/os_windows.go             |  4 +++-
+ src/runtime/proc.go                   |  3 +++
+ src/runtime/vgetrandom_linux.go       | 11 +++++++++--
+ src/runtime/vgetrandom_unsupported.go |  2 +-
+ 12 files changed, 48 insertions(+), 16 deletions(-)
+
+diff --git a/src/runtime/os3_solaris.go b/src/runtime/os3_solaris.go
+index cf163a6bf4..ded821b2e6 100644
+--- a/src/runtime/os3_solaris.go
++++ b/src/runtime/os3_solaris.go
+@@ -234,8 +234,11 @@ func unminit() {
+ 	getg().m.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_aix.go b/src/runtime/os_aix.go
+index 93464cb997..1b483c2a7e 100644
+--- a/src/runtime/os_aix.go
++++ b/src/runtime/os_aix.go
+@@ -186,8 +186,11 @@ func unminit() {
+ 	getg().m.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_darwin.go b/src/runtime/os_darwin.go
+index 0ecbea7ae4..6eab3b5c3d 100644
+--- a/src/runtime/os_darwin.go
++++ b/src/runtime/os_darwin.go
+@@ -344,8 +344,11 @@ func unminit() {
+ 	getg().m.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_dragonfly.go b/src/runtime/os_dragonfly.go
+index a02696eb4f..9b3235084d 100644
+--- a/src/runtime/os_dragonfly.go
++++ b/src/runtime/os_dragonfly.go
+@@ -216,8 +216,11 @@ func unminit() {
+ 	getg().m.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_linux.go b/src/runtime/os_linux.go
+index 8b3c4d0ecc..fb46b81682 100644
+--- a/src/runtime/os_linux.go
++++ b/src/runtime/os_linux.go
+@@ -412,13 +412,12 @@ func unminit() {
+ 	getg().m.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+-	if mp.vgetrandomState != 0 {
+-		vgetrandomPutState(mp.vgetrandomState)
+-		mp.vgetrandomState = 0
+-	}
+ }
+ 
+ // #ifdef GOARCH_386
+diff --git a/src/runtime/os_netbsd.go b/src/runtime/os_netbsd.go
+index 735ace25ad..a06e5febbd 100644
+--- a/src/runtime/os_netbsd.go
++++ b/src/runtime/os_netbsd.go
+@@ -320,8 +320,11 @@ func unminit() {
+ 	// must continue working after unminit.
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_openbsd.go b/src/runtime/os_openbsd.go
+index 574bfa8b17..4ce4c3c58d 100644
+--- a/src/runtime/os_openbsd.go
++++ b/src/runtime/os_openbsd.go
+@@ -182,8 +182,11 @@ func unminit() {
+ 	getg().m.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_plan9.go b/src/runtime/os_plan9.go
+index 2dbb42ad03..3b5965ab99 100644
+--- a/src/runtime/os_plan9.go
++++ b/src/runtime/os_plan9.go
+@@ -217,8 +217,11 @@ func minit() {
+ func unminit() {
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+ 
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+index 7183e79f7d..54407a320c 100644
+--- a/src/runtime/os_windows.go
++++ b/src/runtime/os_windows.go
+@@ -906,9 +906,11 @@ func unminit() {
+ 	mp.procid = 0
+ }
+ 
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
+ //
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ //go:nosplit
+ func mdestroy(mp *m) {
+ 	if mp.highResTimer != 0 {
+diff --git a/src/runtime/proc.go b/src/runtime/proc.go
+index e9873e54cd..21bee4df71 100644
+--- a/src/runtime/proc.go
++++ b/src/runtime/proc.go
+@@ -1935,6 +1935,9 @@ func mexit(osStack bool) {
+ 		mp.gsignal = nil
+ 	}
+ 
++	// Free vgetrandom state.
++	vgetrandomDestroy(mp)
++
+ 	// Remove m from allm.
+ 	lock(&sched.lock)
+ 	for pprev := &allm; *pprev != nil; pprev = &(*pprev).alllink {
+diff --git a/src/runtime/vgetrandom_linux.go b/src/runtime/vgetrandom_linux.go
+index a6ec4b701c..40be022f24 100644
+--- a/src/runtime/vgetrandom_linux.go
++++ b/src/runtime/vgetrandom_linux.go
+@@ -73,9 +73,16 @@ func vgetrandomGetState() uintptr {
+ 	return state
+ }
+ 
+-func vgetrandomPutState(state uintptr) {
++// Free vgetrandom state from the M (if any) prior to destroying the M.
++//
++// This may allocate, so it must have a P.
++func vgetrandomDestroy(mp *m) {
++	if mp.vgetrandomState == 0 {
++		return
++	}
++
+ 	lock(&vgetrandomAlloc.statesLock)
+-	vgetrandomAlloc.states = append(vgetrandomAlloc.states, state)
++	vgetrandomAlloc.states = append(vgetrandomAlloc.states, mp.vgetrandomState)
+ 	unlock(&vgetrandomAlloc.statesLock)
+ }
+ 
+diff --git a/src/runtime/vgetrandom_unsupported.go b/src/runtime/vgetrandom_unsupported.go
+index 070392cfaa..43c53e1198 100644
+--- a/src/runtime/vgetrandom_unsupported.go
++++ b/src/runtime/vgetrandom_unsupported.go
+@@ -13,6 +13,6 @@ func vgetrandom(p []byte, flags uint32) (ret int, supported bool) {
+ 	return -1, false
+ }
+ 
+-func vgetrandomPutState(state uintptr) {}
++func vgetrandomDestroy(mp *m) {}
+ 
+ func vgetrandomInit() {}

ilot/go/APKBUILD

@@ -0,0 +1,318 @@
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Eivind Uggedal <eu@eju.no>
+# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
+pkgname=go
+# go binaries are statically linked, security updates require rebuilds
+pkgver=1.24.2
+pkgrel=1
+pkgdesc="Go programming language compiler"
+url="https://go.dev/"
+arch="all"
+license="BSD-3-Clause"
+depends="binutils gcc musl-dev"
+makedepends="bash"
+options="!check"
+checkdepends="binutils-gold git git-daemon"
+subpackages="$pkgname-doc"
+source="https://go.dev/dl/go$pkgver.src.tar.gz
+	0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
+	0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
+	0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
+	tests-fchmodat-not-supported.patch
+	"
+case "$CARCH" in
+	arm*|aarch64) depends="$depends binutils-gold";;
+	riscv64|loongarch64)
+		# binutils-gold is not supported on riscv64 and loongarch64.
+		checkdepends="${checkdepends/binutils-gold/}"
+		;;
+esac
+
+# secfixes:
+#   0:
+#     - CVE-2022-41716
+#     - CVE-2022-41720
+#     - CVE-2022-41722
+#     - CVE-2024-24787
+#   1.24.2-r0:
+#     - CVE-2025-22871
+#   1.24.1-r0:
+#     - CVE-2025-22870
+#   1.23.6-r0:
+#     - CVE-2025-22866
+#   1.23.5-r0:
+#     - CVE-2024-45336
+#     - CVE-2024-45341
+#   1.23.1-r0:
+#     - CVE-2024-34155
+#     - CVE-2024-34156
+#     - CVE-2024-34158
+#   1.22.5-r0:
+#     - CVE-2024-24791
+#   1.22.4-r0:
+#     - CVE-2024-24789
+#     - CVE-2024-24790
+#   1.22.3-r0:
+#     - CVE-2024-24788
+#   1.22.2-r0:
+#     - CVE-2023-45288
+#   1.22.1-r0:
+#     - CVE-2024-24783
+#     - CVE-2023-45290
+#     - CVE-2023-45289
+#     - CVE-2024-24785
+#     - CVE-2024-24784
+#   1.21.5-r0:
+#     - CVE-2023-39324
+#     - CVE-2023-39326
+#   1.21.3-r0:
+#     - CVE-2023-39325
+#     - CVE-2023-44487
+#   1.21.2-r0:
+#     - CVE-2023-39323
+#   1.21.1-r0:
+#     - CVE-2023-39318
+#     - CVE-2023-39319
+#     - CVE-2023-39320
+#     - CVE-2023-39321
+#     - CVE-2023-39322
+#   1.20.7-r0:
+#     - CVE-2023-29409
+#   1.20.6-r0:
+#     - CVE-2023-29406
+#   1.20.5-r0:
+#     - CVE-2023-29402
+#     - CVE-2023-29403
+#     - CVE-2023-29404
+#     - CVE-2023-29405
+#   1.20.4-r0:
+#     - CVE-2023-24539
+#     - CVE-2023-24540
+#     - CVE-2023-29400
+#   1.20.3-r0:
+#     - CVE-2023-24537
+#     - CVE-2023-24538
+#     - CVE-2023-24534
+#     - CVE-2023-24536
+#   1.20.2-r0:
+#     - CVE-2023-24532
+#   1.20.1-r0:
+#     - CVE-2022-41725
+#     - CVE-2022-41724
+#     - CVE-2022-41723
+#   1.19.4-r0:
+#     - CVE-2022-41717
+#   1.19.2-r0:
+#     - CVE-2022-2879
+#     - CVE-2022-2880
+#     - CVE-2022-41715
+#   1.19.1-r0:
+#     - CVE-2022-27664
+#     - CVE-2022-32190
+#   1.18.5-r0:
+#     - CVE-2022-32189
+#   1.18.4-r0:
+#     - CVE-2022-1705
+#     - CVE-2022-1962
+#     - CVE-2022-28131
+#     - CVE-2022-30630
+#     - CVE-2022-30631
+#     - CVE-2022-30632
+#     - CVE-2022-30633
+#     - CVE-2022-30635
+#     - CVE-2022-32148
+#   1.18.1-r0:
+#     - CVE-2022-28327
+#     - CVE-2022-27536
+#     - CVE-2022-24675
+#   1.17.8-r0:
+#     - CVE-2022-24921
+#   1.17.7-r0:
+#     - CVE-2022-23772
+#     - CVE-2022-23773
+#     - CVE-2022-23806
+#   1.17.6-r0:
+#     - CVE-2021-44716
+#     - CVE-2021-44717
+#   1.17.3-r0:
+#     - CVE-2021-41772
+#     - CVE-2021-41771
+#   1.17.2-r0:
+#     - CVE-2021-38297
+#   1.17.1-r0:
+#     - CVE-2021-39293
+#   1.17-r0:
+#     - CVE-2020-29509
+#     - CVE-2020-29511
+#     - CVE-2021-29923
+#   1.16.7-r0:
+#     - CVE-2021-36221
+#   1.16.6-r0:
+#     - CVE-2021-34558
+#   1.16.5-r0:
+#     - CVE-2021-33195
+#     - CVE-2021-33196
+#     - CVE-2021-33197
+#     - CVE-2021-33198
+#   1.16.4-r0:
+#     - CVE-2021-31525
+#   1.16.2-r0:
+#     - CVE-2021-27918
+#     - CVE-2021-27919
+#   1.15.7-r0:
+#     - CVE-2021-3114
+#     - CVE-2021-3115
+#   1.15.5-r0:
+#     - CVE-2020-28362
+#     - CVE-2020-28366
+#     - CVE-2020-28367
+#   1.15.2-r0:
+#     - CVE-2020-24553
+#   1.15-r0:
+#     - CVE-2020-16845
+#   1.14.5-r0:
+#     - CVE-2020-15586
+#   1.13.7-r0:
+#     - CVE-2020-7919
+#   1.13.2-r0:
+#     - CVE-2019-17596
+#   1.13.1-r0:
+#     - CVE-2019-16276
+#   1.12.8-r0:
+#     - CVE-2019-9512
+#     - CVE-2019-9514
+#     - CVE-2019-14809
+#   1.11.5-r0:
+#     - CVE-2019-6486
+#   1.9.4-r0:
+#     - CVE-2018-6574
+
+if [ "$CBUILD" = "$CTARGET" ]; then
+	makedepends="go-bootstrap $makedepends"
+	provides="go-bootstrap=$pkgver-r$pkgrel"
+else
+	pkgname="go-bootstrap"
+	makedepends="go $makedepends"
+	# Go expect host linker instead of the cross-compiler
+	export CC_FOR_TARGET="$CC"
+	export CC="${HOSTLD:-gcc}"
+	export CXX="${HOSTLD:-g++}"
+	export LD="${HOSTLD:-ld}"
+fi
+
+case "$CTARGET_ARCH" in
+aarch64) export GOARCH="arm64" ;;
+armel)   export GOARCH="arm" GOARM=5 ;;
+armhf)   export GOARCH="arm" GOARM=6 ;;
+armv7)   export GOARCH="arm" GOARM=7 ;;
+s390x)   export GOARCH="s390x" ;;
+x86)     export GOARCH="386" ;;
+x86_64)  export GOARCH="amd64" ;;
+ppc64)   export GOARCH="ppc64" ;;
+ppc64le) export GOARCH="ppc64le" ;;
+riscv64) export GOARCH="riscv64" ;;
+loongarch64) export GOARCH="loong64" ;;
+*)       export GOARCH="unsupported";;
+esac
+
+# compile go itself as a PIE on supported arches.
+case "$CARCH" in
+x86_64|s390x|aarch64) export GO_LDFLAGS=-buildmode=pie ;;
+esac
+
+prepare() {
+	default_prepare
+
+	# The GitLab CI builds aports in a container. On ppc64le, ASLR
+	# needs to be disabled in order to have the following test case
+	# pass. However, the container doesn't have permissions to
+	# disable ASLR, hence we just disable this test for now.
+	#
+	# See https://github.com/golang/go/issues/49066#issuecomment-1252948861
+	if [ "$CTARGET_ARCH" = "ppc64le" ]; then
+		rm test/fixedbugs/bug513.go
+	fi
+}
+
+builddir="$srcdir"/go
+build() {
+	cd "$builddir/src"
+
+	export GOOS="linux"
+	export GOPATH="$srcdir"
+	export GOROOT="$builddir"
+	export GOBIN="$GOROOT"/bin
+	export GOROOT_FINAL=/usr/lib/go
+
+	local p; for p in /usr/lib/go-bootstrap /usr/lib/go-linux-$GOARCH-bootstrap /usr/lib/go; do
+		if [ -d "$p" ]; then
+			export GOROOT_BOOTSTRAP="$p"
+			break
+		fi
+	done
+
+	./make.bash -v
+
+	# copied from bootstrap.bash to fixup cross-built bootstrap go
+	if [ "$CBUILD" != "$CTARGET" ]; then
+		local gohostos="$(../bin/go env GOHOSTOS)"
+		local gohostarch="$(../bin/go env GOHOSTARCH)"
+		mv ../bin/*_*/* ../bin
+		rmdir ../bin/*_*
+		rm -rf "../pkg/${gohostos}_$gohostarch"* "../pkg/tool/${gohostos}_$gohostarch"*
+		rm -rf ../pkg/bootstrap ../pkg/obj
+	fi
+}
+
+check() {
+	cd "$builddir/src"
+	if [ "$CTARGET_ARCH" = "armhf" ]; then
+		export GO_TEST_TIMEOUT_SCALE=2
+	fi
+
+	# Test suite does not pass with ccache, thus remove it form $PATH.
+	export PATH="$(echo "$PATH" | sed 's|/usr/lib/ccache/bin:||g')"
+
+	PATH="$builddir/bin:$PATH" ./run.bash -no-rebuild
+}
+
+package() {
+	mkdir -p "$pkgdir"/usr/bin "$pkgdir"/usr/lib/go/bin "$pkgdir"/usr/share/doc/go
+
+	for binary in go gofmt; do
+		install -Dm755 bin/"$binary" "$pkgdir"/usr/lib/go/bin/"$binary"
+		ln -s /usr/lib/go/bin/"$binary" "$pkgdir"/usr/bin/
+	done
+
+	cp -a misc pkg src lib "$pkgdir"/usr/lib/go
+	cp -r doc "$pkgdir"/usr/share/doc/go
+	rm -rf "$pkgdir"/usr/lib/go/pkg/obj
+	rm -rf "$pkgdir"/usr/lib/go/pkg/bootstrap
+	rm -f  "$pkgdir"/usr/lib/go/pkg/tool/*/api
+
+	# Install go.env, see https://go.dev/doc/toolchain#GOTOOLCHAIN.
+	install -Dm644 "$builddir"/go.env "$pkgdir"/usr/lib/go/go.env
+	install -Dm644 VERSION "$pkgdir/usr/lib/go/VERSION"
+
+	# Remove tests from /usr/lib/go/src to reduce package size,
+	# these should not be needed at run-time by any program.
+	find "$pkgdir"/usr/lib/go/src \( -type f -a -name "*_test.go" \) \
+		-exec rm -rf \{\} \+
+	find "$pkgdir"/usr/lib/go/src \( -type d -a -name "testdata" \) \
+		-exec rm -rf \{\} \+
+
+	# Remove rc (plan 9) and bat scripts (windows) to reduce package
+	# size further. The bash scripts are actually needed at run-time.
+	#
+	# See: https://gitlab.alpinelinux.org/alpine/aports/issues/11091
+	find "$pkgdir"/usr/lib/go/src -type f -a \( -name "*.rc" -o -name "*.bat" \) \
+		-exec rm -rf \{\} \+
+}
+
+sha512sums="
+6366a32f6678e7908b138f62dafeed96f7144b3b93505e75fba374b33727da8b1d087c1f979f493382b319758ebfcbeb30e9d7dadcb2923b628c8abe7db41c6f  go1.24.2.src.tar.gz
+34dbe032c5f08dd8a7aad36fc4d54e746a876fdadc25466888a2f04f5a9d53103190ebd68d3cf978d3a041976185e30ffb25611fb577d031c159810d2d4c7c41  0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
+8061e4ef9d7dd31804bd8d98c95afa5dd82567940b3436f45f874e0419e324b49713d8a814df04617e575ec3c6155199c4661352ea8aef63ead81ca3020f3dc4  0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
+d56b796ac81f8901cf426711e381b386ec6e039090fd914ebb2246e5b2ccaa6c1dcb40810a886c5e1b0a748c9bcd4cfe9749d85da91e7ce4c11aaf470295e549  0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
+33ecefca77fa0af52a3b2b66a76977af27a88c8dddb89f03e0a5ae6794b9aac53a62d7be33020b49022e9a89d4cdfa383038ee10e160eb94548b2430bf3cfb5e  tests-fchmodat-not-supported.patch
+"

ilot/go/tests-fchmodat-not-supported.patch

@@ -0,0 +1,19 @@
+Without this patch, the TestFchmodat fails on our arm CI with:
+
+	syscall_linux_test.go:139: Fchmodat: unexpected error: operation not permitted, expected EOPNOTSUPP
+
+The "operation not permitted" means that EPERM was returned which
+is likely due to the security policy of our CI container.
+
+diff -upr go.orig/src/syscall/syscall_linux_test.go go/src/syscall/syscall_linux_test.go
+--- go.orig/src/syscall/syscall_linux_test.go	2024-02-07 22:54:39.316022227 +0100
++++ go/src/syscall/syscall_linux_test.go	2024-02-07 22:56:05.104871102 +0100
+@@ -135,7 +135,7 @@ func TestFchmodat(t *testing.T) {
+ 	}
+ 
+ 	err = syscall.Fchmodat(_AT_FDCWD, "symlink1", 0444, _AT_SYMLINK_NOFOLLOW)
+-	if err != syscall.EOPNOTSUPP {
++	if !testenv.SyscallIsNotSupported(err) && err != syscall.EOPNOTSUPP {
+ 		t.Fatalf("Fchmodat: unexpected error: %v, expected EOPNOTSUPP", err)
+ 	}
+ }

ilot/nextcloud30/APKBUILD

@@ -2,7 +2,7 @@
 # Contributor: jahway603 <jahway603@protonmail.com>
 # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
 _pkgname=nextcloud
-pkgver=30.0.8
+pkgver=30.0.10
 pkgrel=0
 is_latest=true
 _pkgvermaj=${pkgver%%.*}
@@ -310,7 +310,7 @@ _package_app() {
 }
 
 sha512sums="
-0bca2f42ccfb7db4befdd2aeeb1df72d2f9acad88907706f8524ced55bd0213b30b687a5e4c623615e59f22246562e195fd74bbb409c4f60b713482e1237d755  nextcloud-30.0.8.tar.bz2
+c8c9800fff46c5634576b9e0696afd4083e34d24000762ebf3a66192d1dea3f664d1c1d42e6ae262535757991d0a60ee7ee1e1d24757677be56bb8ea7d4d3fd5  nextcloud-30.0.10.tar.bz2
 daeabeaa315bb908cc1e49612cce4b2debd71d17acb84b5d14e15fe124c907884b72d54e9aa669ec209eee1b1934d0bc242d72a28d8db7339cfb08383f66fd5c  nextcloud-dont-chmod.patch
 12f4a39aef0f81a0115c81bf2b345cc194537a7e8300748b800b0e35bc07928091296074b23c2019c17aced69854a11d1ed7225f67eefd27cf00c3969a75c5b0  dont-update-htaccess.patch
 cb04252d01407c7030e87dd54616c621ea0f85ef0212674b1161288182538cae0fb31c67e7cc07c66f9607075774c64e386009cc66365b1f1b155f6ad4f83ac0  disable-integrity-check-as-default.patch