From 23161d31ee83f81cee59587bf970e110970d23ae Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 6 May 2025 13:28:31 -0400
Subject: [PATCH 1/4] ilot/freescout: upgrade to 1.8.175
---
 ilot/freescout/APKBUILD | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ilot/freescout/APKBUILD b/ilot/freescout/APKBUILD
index 1dbbedd..5f4eb2d 100644
--- a/ilot/freescout/APKBUILD
+++ b/ilot/freescout/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Antoine Martin (ayakael)
 # Contributor: Antoine Martin (ayakael)
 pkgname=freescout
-pkgver=1.8.174
+pkgver=1.8.175
 pkgrel=0
 pkgdesc="Free self-hosted help desk & shared mailbox"
 arch="noarch"
@@ -76,7 +76,7 @@ package() {
 install -m755 -D "$srcdir"/freescout-manage.sh "$pkgdir"/usr/bin/freescout-manage
 }
 sha512sums="
-c5ec40b3dd7f6f593a950d96632e69d8e0a43e17f566f3d83b52aa44e2aac8ef98c536e9408faa834051d7fb3f07e003642f5e6e2a25a69ea51cf7b96290fb1d freescout-1.8.174.tar.gz
+aa5f762eddaac34977a42bb59a0c2ec2113b0ad4f04b767465e9c23c4bb5d0dd722432735fb10975c23b0a5ca4a11abcfc52d893a3c6678d4908ceb29cefa736 freescout-1.8.175.tar.gz
 e4af6c85dc12f694bef2a02e4664e31ed50b2c109914d7ffad5001c2bbd764ef25b17ecaa59ff55ef41bccf17169bf910d1a08888364bdedd0ecc54d310e661f freescout.nginx
 7ce9b3ee3a979db44f5e6d7daa69431e04a5281f364ae7be23e5a0a0547f96abc858d2a8010346be2fb99bd2355fb529e7030ed20d54f310249e61ed5db4d0ba freescout-manage.sh
 0cba00b7d945ce84f72a2812d40028a073a5278856f610e46dbfe0ac78deff6bf5eba7643635fa4bc64d070c4d49eb47d24ea0a05ba1e6ea76690bfd77906366 rename-client-to-membre-fr-en.patch
From 5944fd27d4f14d5b562ffb58d96a862e1e6ce737 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 6 May 2025 13:19:44 -0400
Subject: [PATCH 2/4] ilot/nextcloud30: upgrade to 30.0.10
---
 ilot/nextcloud30/APKBUILD | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ilot/nextcloud30/APKBUILD b/ilot/nextcloud30/APKBUILD
index 66aca75..161f723 100644
--- a/ilot/nextcloud30/APKBUILD
+++ b/ilot/nextcloud30/APKBUILD
@@ -2,7 +2,7 @@ # Contributor: jahway603 # Maintainer: Leonardo Arena _pkgname=nextcloud -pkgver=30.0.8 +pkgver=30.0.10 pkgrel=0 is_latest=true _pkgvermaj=${pkgver%%.*} @@ -310,7 +310,7 @@ _package_app() { } sha512sums=" -0bca2f42ccfb7db4befdd2aeeb1df72d2f9acad88907706f8524ced55bd0213b30b687a5e4c623615e59f22246562e195fd74bbb409c4f60b713482e1237d755 nextcloud-30.0.8.tar.bz2 +c8c9800fff46c5634576b9e0696afd4083e34d24000762ebf3a66192d1dea3f664d1c1d42e6ae262535757991d0a60ee7ee1e1d24757677be56bb8ea7d4d3fd5 nextcloud-30.0.10.tar.bz2 daeabeaa315bb908cc1e49612cce4b2debd71d17acb84b5d14e15fe124c907884b72d54e9aa669ec209eee1b1934d0bc242d72a28d8db7339cfb08383f66fd5c nextcloud-dont-chmod.patch 12f4a39aef0f81a0115c81bf2b345cc194537a7e8300748b800b0e35bc07928091296074b23c2019c17aced69854a11d1ed7225f67eefd27cf00c3969a75c5b0 dont-update-htaccess.patch cb04252d01407c7030e87dd54616c621ea0f85ef0212674b1161288182538cae0fb31c67e7cc07c66f9607075774c64e386009cc66365b1f1b155f6ad4f83ac0 disable-integrity-check-as-default.patch From d095638cf066fd06c46ef54aecebf9cc150ac580 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Fri, 9 May 2025 13:51:15 -0400 Subject: [PATCH 3/4] ilot/go: new aport --- ...musl-s-over-glibc-s-ld.so-during-dyn.patch | 45 +++ ...tch-Go-toolchain-version-as-directed.patch | 29 ++ ...M-vgetrandom-state-before-dropping-P.patch | 245 ++++++++++++++ ilot/go/APKBUILD | 318 ++++++++++++++++++ ilot/go/tests-fchmodat-not-supported.patch | 19 ++ 5 files changed, 656 insertions(+) create mode 100644 ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch create mode 100644 ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch create mode 100644 ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch create mode 100644 ilot/go/APKBUILD create mode 100644 ilot/go/tests-fchmodat-not-supported.patch 
diff --git a/ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch b/ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
new file mode 100644
index 0000000..2cbbcd9
--- /dev/null
+++ b/ilot/go/0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
@@ -0,0 +1,45 @@
+From fa8e52baedd21265f69b5f425157e11c8c4ec24a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
+Date: Sat, 25 Mar 2023 09:08:04 +0100
+Subject: [PATCH] cmd/link: prefer musl's over glibc's ld.so during dynamic
+ linking
+
+Without this commit glibc's is preferred over musl by default. This
+causes issues on Alpine when a dynamically linked Go binary is created
+while gcompat is installed, causing the binary to be linked against
+the ld.so provided by the gcompat package.
+
+This commit changes the logic to check for musl's ld.so first, if it
+does not exist we fallback to glibc. This default can be overwritten
+using the `-I` option of cmd/link.
+
+See https://gitlab.alpinelinux.org/alpine/aports/-/issues/14737
+---
+ src/cmd/link/internal/ld/elf.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/cmd/link/internal/ld/elf.go b/src/cmd/link/internal/ld/elf.go
+index 713f7739a5..8cf9377858 100644
+--- a/src/cmd/link/internal/ld/elf.go
++++ b/src/cmd/link/internal/ld/elf.go
+@@ -1886,14 +1886,14 @@ func asmbElf(ctxt *Link) {
+ Exitf("ELF interpreter not set")
+ }
+ } else {
+- interpreter = thearch.ELF.Linuxdynld
+- // If interpreter does not exist, try musl instead.
++ interpreter = thearch.ELF.LinuxdynldMusl
++ // If interpreter does not exist, try glibc instead.
+ // This lets the same cmd/link binary work on
+- // both glibc-based and musl-based systems.
++ // both musl-based and glibc-based systems.
+ if _, err := os.Stat(interpreter); err != nil {
+- if musl := thearch.ELF.LinuxdynldMusl; musl != "" {
+- if _, err := os.Stat(musl); err == nil {
+- interpreter = musl
++ if glibc := thearch.ELF.Linuxdynld; glibc != "" {
++ if _, err := os.Stat(glibc); err == nil {
++ interpreter = glibc
+ }
+ }
+ }
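Review bot: In the nested elf.go hunk, `interpreter = thearch.ELF.LinuxdynldMusl` is now the unconditional default, yet the removed code guarded that field with `musl != ""`, which suggests it can be empty on some architectures. If it is empty and the glibc loader is not present on the build host, `interpreter` stays empty with no `Exitf("ELF interpreter not set")` check like the one in the preceding branch, whereas the old code ended with the glibc path. A guard such as `if interpreter == "" { interpreter = thearch.ELF.Linuxdynld }` before the `os.Stat` probe would keep the previous behaviour for that case. The loader is still selected by what exists on the build machine, so recipes that need a fixed interpreter should pass `-I` explicitly; asmbElf starts and ends outside the hunk.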
diff --git a/ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch b/ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
new file mode 100644
index 0000000..db82330
--- /dev/null
+++ b/ilot/go/0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
@@ -0,0 +1,29 @@
+From 82ac7268f746c31d771e584c1c83f93890b33404 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
+Date: Tue, 11 Jul 2023 05:18:00 +0200
+Subject: [PATCH] go.env: Don't switch Go toolchain version as directed in
+ go.mod
+
+We want users and packages to use the version of Go that is provided
+in our package repository. We don't want to download pre-built
+toolchains from golang.org.
+
+Also note that prior to Go 1.21, pre-built Go binaries are linked
+against glibc and hence do not work on Alpine.
+---
+ go.env | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/go.env b/go.env
+index 6ff2b921d4..a106fb4638 100644
+--- a/go.env
++++ b/go.env
+@@ -7,6 +7,5 @@
+ GOPROXY=https://proxy.golang.org,direct
+ GOSUMDB=sum.golang.org
+
+-# Automatically download newer toolchains as directed by go.mod files.
+-# See https://go.dev/doc/toolchain for details.
+-GOTOOLCHAIN=auto
++# Don't attempt to switch to a newer toolchains by default.
++GOTOOLCHAIN=local
diff --git a/ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch b/ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
new file mode 100644
index 0000000..2e02033
--- /dev/null
+++ b/ilot/go/0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
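Review bot: The replacement comment in the nested go.env hunk has a grammar slip ("a newer toolchains") and drops the pointer to the toolchain documentation that the removed comment carried. Suggest `# Don't switch to a newer toolchain by default; use the packaged Go.` followed by `# See https://go.dev/doc/toolchain for details.` go.env only supplies defaults, so a GOTOOLCHAIN value set in the environment or with `go env -w` still takes precedence over this line. Build recipes that must never fetch a prebuilt toolchain should therefore export `GOTOOLCHAIN=local` themselves rather than rely on this file.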
@@ -0,0 +1,245 @@
+From 5c5b24702f5542fba019d6b98eec6121bc21df31 Mon Sep 17 00:00:00 2001
+From: Michael Pratt
+Date: Thu, 3 Apr 2025 11:15:13 +0000
+Subject: [PATCH] runtime: cleanup M vgetrandom state before dropping P
+
+When an M is destroyed, we put its vgetrandom state back on the shared
+list for another M to reuse. This list is simply a slice, so appending
+to the slice may allocate. Currently this operation is performed in
+mdestroy, after the P is released, meaning allocation is not allowed.
+
+More the cleanup earlier in mdestroy when allocation is still OK.
+
+Also add //go:nowritebarrierrec to mdestroy since it runs without a P,
+which would have caught this bug.
+
+Fixes #73141.
+
+Change-Id: I6a6a636c3fbf5c6eec09d07a260e39dbb4d2db12
+Reviewed-on: https://go-review.googlesource.com/c/go/+/662455
+Reviewed-by: Jason Donenfeld
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Keith Randall
+Reviewed-by: Keith Randall
+---
+ src/runtime/os3_solaris.go | 5 ++++-
+ src/runtime/os_aix.go | 5 ++++-
+ src/runtime/os_darwin.go | 5 ++++-
+ src/runtime/os_dragonfly.go | 5 ++++-
+ src/runtime/os_linux.go | 9 ++++-----
+ src/runtime/os_netbsd.go | 5 ++++-
+ src/runtime/os_openbsd.go | 5 ++++-
+ src/runtime/os_plan9.go | 5 ++++-
+ src/runtime/os_windows.go | 4 +++-
+ src/runtime/proc.go | 3 +++
+ src/runtime/vgetrandom_linux.go | 11 +++++++++--
+ src/runtime/vgetrandom_unsupported.go | 2 +-
+ 12 files changed, 48 insertions(+), 16 deletions(-)
+
+diff --git a/src/runtime/os3_solaris.go b/src/runtime/os3_solaris.go
+index cf163a6bf4..ded821b2e6 100644
+--- a/src/runtime/os3_solaris.go
++++ b/src/runtime/os3_solaris.go
+@@ -234,8 +234,11 @@ func unminit() {
+ getg().m.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_aix.go b/src/runtime/os_aix.go
+index 93464cb997..1b483c2a7e 100644
+--- a/src/runtime/os_aix.go
++++ b/src/runtime/os_aix.go
+@@ -186,8 +186,11 @@ func unminit() {
+ getg().m.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_darwin.go b/src/runtime/os_darwin.go
+index 0ecbea7ae4..6eab3b5c3d 100644
+--- a/src/runtime/os_darwin.go
++++ b/src/runtime/os_darwin.go
+@@ -344,8 +344,11 @@ func unminit() {
+ getg().m.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_dragonfly.go b/src/runtime/os_dragonfly.go
+index a02696eb4f..9b3235084d 100644
+--- a/src/runtime/os_dragonfly.go
++++ b/src/runtime/os_dragonfly.go
+@@ -216,8 +216,11 @@ func unminit() {
+ getg().m.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_linux.go b/src/runtime/os_linux.go
+index 8b3c4d0ecc..fb46b81682 100644
+--- a/src/runtime/os_linux.go
++++ b/src/runtime/os_linux.go
+@@ -412,13 +412,12 @@ func unminit() {
+ getg().m.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+- if mp.vgetrandomState != 0 {
+- vgetrandomPutState(mp.vgetrandomState)
+- mp.vgetrandomState = 0
+- }
+ }
+
+ // #ifdef GOARCH_386
+diff --git a/src/runtime/os_netbsd.go b/src/runtime/os_netbsd.go
+index 735ace25ad..a06e5febbd 100644
+--- a/src/runtime/os_netbsd.go
++++ b/src/runtime/os_netbsd.go
+@@ -320,8 +320,11 @@ func unminit() {
+ // must continue working after unminit.
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_openbsd.go b/src/runtime/os_openbsd.go
+index 574bfa8b17..4ce4c3c58d 100644
+--- a/src/runtime/os_openbsd.go
++++ b/src/runtime/os_openbsd.go
+@@ -182,8 +182,11 @@ func unminit() {
+ getg().m.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_plan9.go b/src/runtime/os_plan9.go
+index 2dbb42ad03..3b5965ab99 100644
+--- a/src/runtime/os_plan9.go
++++ b/src/runtime/os_plan9.go
+@@ -217,8 +217,11 @@ func minit() {
+ func unminit() {
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
++//
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ func mdestroy(mp *m) {
+ }
+
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+index 7183e79f7d..54407a320c 100644
+--- a/src/runtime/os_windows.go
++++ b/src/runtime/os_windows.go
+@@ -906,9 +906,11 @@ func unminit() {
+ mp.procid = 0
+ }
+
+-// Called from exitm, but not from drop, to undo the effect of thread-owned
++// Called from mexit, but not from dropm, to undo the effect of thread-owned
+ // resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
+ //
++// This always runs without a P, so //go:nowritebarrierrec is required.
++//go:nowritebarrierrec
+ //go:nosplit
+ func mdestroy(mp *m) {
+ if mp.highResTimer != 0 {
+diff --git a/src/runtime/proc.go b/src/runtime/proc.go
+index e9873e54cd..21bee4df71 100644
+--- a/src/runtime/proc.go
++++ b/src/runtime/proc.go
+@@ -1935,6 +1935,9 @@ func mexit(osStack bool) {
+ mp.gsignal = nil
+ }
+
++ // Free vgetrandom state.
++ vgetrandomDestroy(mp)
++
+ // Remove m from allm.
+ lock(&sched.lock)
+ for pprev := &allm; *pprev != nil; pprev = &(*pprev).alllink {
+diff --git a/src/runtime/vgetrandom_linux.go b/src/runtime/vgetrandom_linux.go
+index a6ec4b701c..40be022f24 100644
+--- a/src/runtime/vgetrandom_linux.go
++++ b/src/runtime/vgetrandom_linux.go
+@@ -73,9 +73,16 @@ func vgetrandomGetState() uintptr {
+ return state
+ }
+
+-func vgetrandomPutState(state uintptr) {
++// Free vgetrandom state from the M (if any) prior to destroying the M.
++//
++// This may allocate, so it must have a P.
++func vgetrandomDestroy(mp *m) {
++ if mp.vgetrandomState == 0 {
++ return
++ }
++
+ lock(&vgetrandomAlloc.statesLock)
+- vgetrandomAlloc.states = append(vgetrandomAlloc.states, state)
++ vgetrandomAlloc.states = append(vgetrandomAlloc.states, mp.vgetrandomState)
+ unlock(&vgetrandomAlloc.statesLock)
+ }
+
+diff --git a/src/runtime/vgetrandom_unsupported.go b/src/runtime/vgetrandom_unsupported.go
+index 070392cfaa..43c53e1198 100644
+--- a/src/runtime/vgetrandom_unsupported.go
++++ b/src/runtime/vgetrandom_unsupported.go
+@@ -13,6 +13,6 @@ func vgetrandom(p []byte, flags uint32) (ret int, supported bool) {
+ return -1, false
+ }
+
+-func vgetrandomPutState(state uintptr) {}
++func vgetrandomDestroy(mp *m) {}
+
+ func vgetrandomInit() {}
diff --git a/ilot/go/APKBUILD b/ilot/go/APKBUILD
new file mode 100644
index 0000000..82a98ba
--- /dev/null
+++ b/ilot/go/APKBUILD
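Review bot: In the vgetrandom_linux.go part of the nested runtime patch, `vgetrandomDestroy` appends `mp.vgetrandomState` to the shared `vgetrandomAlloc.states` list but never clears the field, whereas the removed `mdestroy` body set `mp.vgetrandomState = 0` right after returning the state. The exiting M therefore keeps a handle to state that another M may pick up from the list. Whether anything later in `mexit` can still reach the vgetrandom path is not visible in these hunks, so this may be harmless, but two threads sharing random-generator state is worth ruling out. Adding `mp.vgetrandomState = 0` after the `unlock` call would restore the old invariant.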
@@ -0,0 +1,318 @@
+# Contributor: Sören Tempel
+# Contributor: Eivind Uggedal
+# Maintainer: Sören Tempel
+pkgname=go
+# go binaries are statically linked, security updates require rebuilds
+pkgver=1.24.2
+pkgrel=1
+pkgdesc="Go programming language compiler"
+url="https://go.dev/"
+arch="all"
+license="BSD-3-Clause"
+depends="binutils gcc musl-dev"
+makedepends="bash"
+options="!check"
+checkdepends="binutils-gold git git-daemon"
+subpackages="$pkgname-doc"
+source="https://go.dev/dl/go$pkgver.src.tar.gz
+ 0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
+ 0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
+ 0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
+ tests-fchmodat-not-supported.patch
+ "
+case "$CARCH" in
+ arm*|aarch64) depends="$depends binutils-gold";;
+ riscv64|loongarch64)
+ # binutils-gold is not supported on riscv64 and loongarch64.
+ checkdepends="${checkdepends/binutils-gold/}"
+ ;;
+esac
+
+# secfixes:
+# 0:
+# - CVE-2022-41716
+# - CVE-2022-41720
+# - CVE-2022-41722
+# - CVE-2024-24787
+# 1.24.2-r0:
+# - CVE-2025-22871
+# 1.24.1-r0:
+# - CVE-2025-22870
+# 1.23.6-r0:
+# - CVE-2025-22866
+# 1.23.5-r0:
+# - CVE-2024-45336
+# - CVE-2024-45341
+# 1.23.1-r0:
+# - CVE-2024-34155
+# - CVE-2024-34156
+# - CVE-2024-34158
+# 1.22.5-r0:
+# - CVE-2024-24791
+# 1.22.4-r0:
+# - CVE-2024-24789
+# - CVE-2024-24790
+# 1.22.3-r0:
+# - CVE-2024-24788
+# 1.22.2-r0:
+# - CVE-2023-45288
+# 1.22.1-r0:
+# - CVE-2024-24783
+# - CVE-2023-45290
+# - CVE-2023-45289
+# - CVE-2024-24785
+# - CVE-2024-24784
+# 1.21.5-r0:
+# - CVE-2023-39324
+# - CVE-2023-39326
+# 1.21.3-r0:
+# - CVE-2023-39325
+# - CVE-2023-44487
+# 1.21.2-r0:
+# - CVE-2023-39323
+# 1.21.1-r0:
+# - CVE-2023-39318
+# - CVE-2023-39319
+# - CVE-2023-39320
+# - CVE-2023-39321
+# - CVE-2023-39322
+# 1.20.7-r0:
+# - CVE-2023-29409
+# 1.20.6-r0:
+# - CVE-2023-29406
+# 1.20.5-r0:
+# - CVE-2023-29402
+# - CVE-2023-29403
+# - CVE-2023-29404
+# - CVE-2023-29405
+# 1.20.4-r0:
+# - CVE-2023-24539
+# - CVE-2023-24540
+# - CVE-2023-29400
+# 1.20.3-r0:
+# - CVE-2023-24537
+# - CVE-2023-24538
+# - CVE-2023-24534
+# - CVE-2023-24536
+# 1.20.2-r0:
+# - CVE-2023-24532
+# 1.20.1-r0:
+# - CVE-2022-41725
+# - CVE-2022-41724
+# - CVE-2022-41723
+# 1.19.4-r0:
+# - CVE-2022-41717
+# 1.19.2-r0:
+# - CVE-2022-2879
+# - CVE-2022-2880
+# - CVE-2022-41715
+# 1.19.1-r0:
+# - CVE-2022-27664
+# - CVE-2022-32190
+# 1.18.5-r0:
+# - CVE-2022-32189
+# 1.18.4-r0:
+# - CVE-2022-1705
+# - CVE-2022-1962
+# - CVE-2022-28131
+# - CVE-2022-30630
+# - CVE-2022-30631
+# - CVE-2022-30632
+# - CVE-2022-30633
+# - CVE-2022-30635
+# - CVE-2022-32148
+# 1.18.1-r0:
+# - CVE-2022-28327
+# - CVE-2022-27536
+# - CVE-2022-24675
+# 1.17.8-r0:
+# - CVE-2022-24921
+# 1.17.7-r0:
+# - CVE-2022-23772
+# - CVE-2022-23773
+# - CVE-2022-23806
+# 1.17.6-r0:
+# - CVE-2021-44716
+# - CVE-2021-44717
+# 1.17.3-r0:
+# - CVE-2021-41772
+# - CVE-2021-41771
+# 1.17.2-r0:
+# - CVE-2021-38297
+# 1.17.1-r0:
+# - CVE-2021-39293
+# 1.17-r0:
+# - CVE-2020-29509
+# - CVE-2020-29511
+# - CVE-2021-29923
+# 1.16.7-r0:
+# - CVE-2021-36221
+# 1.16.6-r0:
+# - CVE-2021-34558
+# 1.16.5-r0:
+# - CVE-2021-33195
+# - CVE-2021-33196
+# - CVE-2021-33197
+# - CVE-2021-33198
+# 1.16.4-r0:
+# - CVE-2021-31525
+# 1.16.2-r0:
+# - CVE-2021-27918
+# - CVE-2021-27919
+# 1.15.7-r0:
+# - CVE-2021-3114
+# - CVE-2021-3115
+# 1.15.5-r0:
+# - CVE-2020-28362
+# - CVE-2020-28366
+# - CVE-2020-28367
+# 1.15.2-r0:
+# - CVE-2020-24553
+# 1.15-r0:
+# - CVE-2020-16845
+# 1.14.5-r0:
+# - CVE-2020-15586
+# 1.13.7-r0:
+# - CVE-2020-7919
+# 1.13.2-r0:
+# - CVE-2019-17596
+# 1.13.1-r0:
+# - CVE-2019-16276
+# 1.12.8-r0:
+# - CVE-2019-9512
+# - CVE-2019-9514
+# - CVE-2019-14809
+# 1.11.5-r0:
+# - CVE-2019-6486
+# 1.9.4-r0:
+# - CVE-2018-6574
+
+if [ "$CBUILD" = "$CTARGET" ]; then
+ makedepends="go-bootstrap $makedepends"
+ provides="go-bootstrap=$pkgver-r$pkgrel"
+else
+ pkgname="go-bootstrap"
+ makedepends="go $makedepends"
+ # Go expect host linker instead of the cross-compiler
+ export CC_FOR_TARGET="$CC"
+ export CC="${HOSTLD:-gcc}"
+ export CXX="${HOSTLD:-g++}"
+ export LD="${HOSTLD:-ld}"
+fi
+
+case "$CTARGET_ARCH" in
+aarch64) export GOARCH="arm64" ;;
+armel) export GOARCH="arm" GOARM=5 ;;
+armhf) export GOARCH="arm" GOARM=6 ;;
+armv7) export GOARCH="arm" GOARM=7 ;;
+s390x) export GOARCH="s390x" ;;
+x86) export GOARCH="386" ;;
+x86_64) export GOARCH="amd64" ;;
+ppc64) export GOARCH="ppc64" ;;
+ppc64le) export GOARCH="ppc64le" ;;
+riscv64) export GOARCH="riscv64" ;;
+loongarch64) export GOARCH="loong64" ;;
+*) export GOARCH="unsupported";;
+esac
+
+# compile go itself as a PIE on supported arches.
+case "$CARCH" in
+x86_64|s390x|aarch64) export GO_LDFLAGS=-buildmode=pie ;;
+esac
+
+prepare() {
+ default_prepare
+
+ # The GitLab CI builds aports in a container. On ppc64le, ASLR
+ # needs to be disabled in order to have the following test case
+ # pass. However, the container doesn't have permissions to
+ # disable ASLR, hence we just disable this test for now.
+ #
+ # See https://github.com/golang/go/issues/49066#issuecomment-1252948861
+ if [ "$CTARGET_ARCH" = "ppc64le" ]; then
+ rm test/fixedbugs/bug513.go
+ fi
+}
+
+builddir="$srcdir"/go
+build() {
+ cd "$builddir/src"
+
+ export GOOS="linux"
+ export GOPATH="$srcdir"
+ export GOROOT="$builddir"
+ export GOBIN="$GOROOT"/bin
+ export GOROOT_FINAL=/usr/lib/go
+
+ local p; for p in /usr/lib/go-bootstrap /usr/lib/go-linux-$GOARCH-bootstrap /usr/lib/go; do
+ if [ -d "$p" ]; then
+ export GOROOT_BOOTSTRAP="$p"
+ break
+ fi
+ done
+
+ ./make.bash -v
+
+ # copied from bootstrap.bash to fixup cross-built bootstrap go
+ if [ "$CBUILD" != "$CTARGET" ]; then
+ local gohostos="$(../bin/go env GOHOSTOS)"
+ local gohostarch="$(../bin/go env GOHOSTARCH)"
+ mv ../bin/*_*/* ../bin
+ rmdir ../bin/*_*
+ rm -rf "../pkg/${gohostos}_$gohostarch"* "../pkg/tool/${gohostos}_$gohostarch"*
+ rm -rf ../pkg/bootstrap ../pkg/obj
+ fi
+}
+
+check() {
+ cd "$builddir/src"
+ if [ "$CTARGET_ARCH" = "armhf" ]; then
+ export GO_TEST_TIMEOUT_SCALE=2
+ fi
+
+ # Test suite does not pass with ccache, thus remove it form $PATH.
+ export PATH="$(echo "$PATH" | sed 's|/usr/lib/ccache/bin:||g')"
+
+ PATH="$builddir/bin:$PATH" ./run.bash -no-rebuild
+}
+
+package() {
+ mkdir -p "$pkgdir"/usr/bin "$pkgdir"/usr/lib/go/bin "$pkgdir"/usr/share/doc/go
+
+ for binary in go gofmt; do
+ install -Dm755 bin/"$binary" "$pkgdir"/usr/lib/go/bin/"$binary"
+ ln -s /usr/lib/go/bin/"$binary" "$pkgdir"/usr/bin/
+ done
+
+ cp -a misc pkg src lib "$pkgdir"/usr/lib/go
+ cp -r doc "$pkgdir"/usr/share/doc/go
+ rm -rf "$pkgdir"/usr/lib/go/pkg/obj
+ rm -rf "$pkgdir"/usr/lib/go/pkg/bootstrap
+ rm -f "$pkgdir"/usr/lib/go/pkg/tool/*/api
+
+ # Install go.env, see https://go.dev/doc/toolchain#GOTOOLCHAIN.
+ install -Dm644 "$builddir"/go.env "$pkgdir"/usr/lib/go/go.env
+ install -Dm644 VERSION "$pkgdir/usr/lib/go/VERSION"
+
+ # Remove tests from /usr/lib/go/src to reduce package size,
+ # these should not be needed at run-time by any program.
+ find "$pkgdir"/usr/lib/go/src \( -type f -a -name "*_test.go" \) \
+ -exec rm -rf \{\} \+
+ find "$pkgdir"/usr/lib/go/src \( -type d -a -name "testdata" \) \
+ -exec rm -rf \{\} \+
+
+ # Remove rc (plan 9) and bat scripts (windows) to reduce package
+ # size further. The bash scripts are actually needed at run-time.
+ #
+ # See: https://gitlab.alpinelinux.org/alpine/aports/issues/11091
+ find "$pkgdir"/usr/lib/go/src -type f -a \( -name "*.rc" -o -name "*.bat" \) \
+ -exec rm -rf \{\} \+
+}
+
+sha512sums="
+6366a32f6678e7908b138f62dafeed96f7144b3b93505e75fba374b33727da8b1d087c1f979f493382b319758ebfcbeb30e9d7dadcb2923b628c8abe7db41c6f go1.24.2.src.tar.gz
+34dbe032c5f08dd8a7aad36fc4d54e746a876fdadc25466888a2f04f5a9d53103190ebd68d3cf978d3a041976185e30ffb25611fb577d031c159810d2d4c7c41 0001-cmd-link-prefer-musl-s-over-glibc-s-ld.so-during-dyn.patch
+8061e4ef9d7dd31804bd8d98c95afa5dd82567940b3436f45f874e0419e324b49713d8a814df04617e575ec3c6155199c4661352ea8aef63ead81ca3020f3dc4 0002-go.env-Don-t-switch-Go-toolchain-version-as-directed.patch
+d56b796ac81f8901cf426711e381b386ec6e039090fd914ebb2246e5b2ccaa6c1dcb40810a886c5e1b0a748c9bcd4cfe9749d85da91e7ce4c11aaf470295e549 0003-runtime-cleanup-M-vgetrandom-state-before-dropping-P.patch
+33ecefca77fa0af52a3b2b66a76977af27a88c8dddb89f03e0a5ae6794b9aac53a62d7be33020b49022e9a89d4cdfa383038ee10e160eb94548b2430bf3cfb5e tests-fchmodat-not-supported.patch
+"
diff --git a/ilot/go/tests-fchmodat-not-supported.patch b/ilot/go/tests-fchmodat-not-supported.patch
new file mode 100644
index 0000000..168ca71
--- /dev/null
+++ b/ilot/go/tests-fchmodat-not-supported.patch
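Review bot: `options="!check"` in ilot/go/APKBUILD disables the test suite without any comment, even though the file still defines `check()` and `checkdepends` and the aport carries patches to the linker, go.env and the runtime. The file's own comment notes that Go binaries are statically linked, so a toolchain defect ends up inside every package built with it; an unexplained skipped test run deserves either removal or a stated reason. Suggest dropping `!check`, or recording why next to it, e.g. `options="!check" # <reason the test suite is disabled>`. Separately, the `*) export GOARCH="unsupported";;` fallback lets an unknown CTARGET_ARCH reach `./make.bash` instead of stopping early with a clear message.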
@@ -0,0 +1,19 @@ +Without this patch, the TestFchmodat fails on our arm CI with: + + syscall_linux_test.go:139: Fchmodat: unexpected error: operation not permitted, expected EOPNOTSUPP + +The "operation not permitted" means that EPERM was returned which +is likely due to the security policy of our CI container. + +diff -upr go.orig/src/syscall/syscall_linux_test.go go/src/syscall/syscall_linux_test.go +--- go.orig/src/syscall/syscall_linux_test.go 2024-02-07 22:54:39.316022227 +0100 ++++ go/src/syscall/syscall_linux_test.go 2024-02-07 22:56:05.104871102 +0100 +@@ -135,7 +135,7 @@ func TestFchmodat(t *testing.T) { + } + + err = syscall.Fchmodat(_AT_FDCWD, "symlink1", 0444, _AT_SYMLINK_NOFOLLOW) +- if err != syscall.EOPNOTSUPP { ++ if !testenv.SyscallIsNotSupported(err) && err != syscall.EOPNOTSUPP { + t.Fatalf("Fchmodat: unexpected error: %v, expected EOPNOTSUPP", err) + } + } From 7d89efbe5be910512b023188b838e1475483b829 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Tue, 6 May 2025 13:25:32 -0400 Subject: [PATCH 4/4] ilot/forgejo-aneksajo: upgrade to 11.0.0_git0 --- ilot/forgejo-aneksajo/APKBUILD | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ilot/forgejo-aneksajo/APKBUILD b/ilot/forgejo-aneksajo/APKBUILD index d9e09b9..d3a4462 100644 --- a/ilot/forgejo-aneksajo/APKBUILD +++ b/ilot/forgejo-aneksajo/APKBUILD @@ -4,7 +4,7 @@ # Contributor: Patrycja Rosa # Maintainer: Antoine Martin (ayakael) pkgname=forgejo-aneksajo -pkgver=10.0.3_git0 +pkgver=11.0.0_git0 _gittag=v${pkgver/_git/-git-annex} pkgrel=0 pkgdesc="Self-hosted Git service written in Go with git-annex support" @@ -60,7 +60,7 @@ build() { export CGO_LDFLAGS="$LDFLAGS" unset LDFLAGS ## make FHS compliant - local setting="code.gitea.io/gitea/modules/setting" + local setting="forgejo.org/modules/setting" export LDFLAGS="$LDFLAGS -X $setting.CustomConf=/etc/forgejo/app.ini" export LDFLAGS="$LDFLAGS -X $setting.AppWorkPath=/var/lib/forgejo/" 
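Review bot: The relaxed condition in TestFchmodat, `!testenv.SyscallIsNotSupported(err) && err != syscall.EOPNOTSUPP`, applies on every builder and not only in the arm CI container the patch header describes, so the permission error it is meant to tolerate would presumably now pass everywhere. The failure message still reads "expected EOPNOTSUPP", which no longer matches what is accepted; `t.Fatalf("Fchmodat: unexpected error: %v, expected EOPNOTSUPP or a not-supported error", err)` would be accurate. The hunk adds no import, so confirm that syscall_linux_test.go already imports internal/testenv. With `options="!check"` set in ilot/go/APKBUILD this test is not run at package build time, so the patch currently has no effect there.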
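Review bot: The new `-X` import path `forgejo.org/modules/setting` in build() of ilot/forgejo-aneksajo/APKBUILD is not verified anywhere in the hunk, and the Go linker ignores `-X` for a symbol it cannot find rather than failing the build. If the path does not match this release, `CustomConf` and `AppWorkPath` silently keep their compiled-in defaults and the service would look for its configuration somewhere other than /etc/forgejo/app.ini. A post-build check that the binary reports the expected paths would catch this on future module-path changes. build() starts and ends outside the hunk.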
@@ -106,7 +106,7 @@ package() { } sha512sums=" -e32c919228df167374e8f3099e2e59bfab610aac6c87465318efe1cac446d014535e270f57b0bf8b2a7eb3843c5dcb189eac4dad2e230b57acd9096ead647eca forgejo-aneksajo-v10.0.3-git-annex0.tar.gz +07f72fcd3bb02a6bbfbcf73f8526c51f1f3fe39d2a504395dfb0997743a190bd210389d58114aaf546fb6d0fabaa80a54240632e11eeba35250b9e6b9b63f438 forgejo-aneksajo-v11.0.0-git-annex0.tar.gz 497d8575f2eb5ac43baf82452e76007ef85e22cca2cc769f1cf55ffd03d7ce4d50ac4dc2b013e23086b7a5577fc6de5a4c7e5ec7c287f0e3528e908aaa2982aa forgejo-aneksajo.initd b537b41b6b3a945274a6028800f39787b48c318425a37cf5d40ace0d1b305444fd07f17b4acafcd31a629bedd7d008b0bb3e30f82ffeb3d7e7e947bdbe0ff4f3 forgejo-aneksajo.ini "