2016-06-01 17:23:13 huh 2016-06-01 17:23:19 why did the zfs stuff break? 2016-06-01 18:03:50 ncopa: did you do something with 3.4 by any chance? 2016-06-01 18:10:24 no 2016-06-01 18:10:31 i didnt get to it 2016-06-01 18:10:36 but thanks for the reminder 2016-06-01 18:10:39 i'll check it now 2016-06-01 18:20:10 \o/ 2016-06-01 18:20:21 worked like a charm here 2016-06-01 18:20:25 d 2016-06-01 18:20:32 weird 2016-06-01 18:20:37 yeah 2016-06-01 18:20:39 I guess the answer is 42 2016-06-01 18:20:46 something like that :) 2016-06-01 18:26:14 i'll have to fix that zfs thing 2016-06-01 18:26:21 i think i know what went wrong 2016-06-01 18:26:25 but a bit later 2016-06-03 07:31:00 bah 2016-06-09 12:44:30 ncopa: seems as claws on 3.4 had issues, not sure why though. 2016-06-09 14:50:07 i disabled the continue on errors 2016-06-09 14:50:30 clandmeter: what isses does claws have? 2016-06-09 14:50:34 i use claws all the time 2016-06-09 14:51:23 ncopa: it was linked against older lib 2016-06-09 14:51:31 oh 2016-06-09 14:51:54 and older lib did not change so version? 2016-06-09 14:52:15 ERROR: unsatisfiable constraints: 2016-06-09 14:52:15 so:libetpan.so.17 (missing): 2016-06-09 14:52:15 required by: claws-mail-3.13.2-r1[so:libetpan.so.17] 2016-06-09 14:52:24 current is .20 2016-06-10 12:51:51 algitbot: retry 3.4-stable 2016-06-12 09:44:11 fun 2016-06-12 09:44:26 do I have build env here? 2016-06-12 09:44:27 no 2016-06-12 09:56:32 all current day smartheads are missing now 2016-06-12 09:56:48 nmeum: any idea why I had to do this? http://dup.pw/aports/92726e78 2016-06-12 10:13:46 barthalion: builldir is not set in that APKBUILD 2016-06-12 10:14:37 you still need to explicitly assign a value to it, after doing so you can use the default_prepare function 2016-06-12 10:48:00 nmeum: I thought the default value of $builddir is $srcdir/$pkgname-$pkgver 2016-06-12 10:48:23 and it is wrong only in package() 2016-06-12 10:48:42 works fine in prepare() and build() 2016-06-12 10:51:22 oh, I didn't notice that builldir has a default value now, nice 2016-06-12 10:51:26 good to know 2016-06-12 10:51:34 but no idea why it isn't set in package() 2016-06-14 06:37:43 ah, right, no pkgrel change 2016-06-15 06:33:25 freeswitch sources on buildserver needs to be deleted 2016-06-15 06:36:21 algitbot; retry 3.2-stable 2016-06-15 06:36:35 algitbot:retry 3.2-stable 2016-06-15 06:38:14 algitbot:retry 3.2-stable 2016-06-17 14:26:42 algitbot:retry edge 2016-06-17 14:34:01 algitbot:retry edge 2016-06-17 14:34:04 algitbot:retry master 2016-06-17 20:21:20 nmeum: esptool does not build 2016-06-17 20:21:34 nmeum: you need setuptools in makedeps 2016-06-17 20:21:54 barthalion: I will fix it right away 2016-06-17 20:21:59 thanks for the heads up 2016-06-18 21:36:18 j apo 2016-06-18 21:36:21 oops 2016-06-18 21:36:46 what’s wrong? 2016-06-20 10:56:22 ncopa: ^ is the old xclip tarball from the previous url still cached in /var/cache/distfiles or why does it cause a checksum error? 2016-06-20 11:33:06 nmeum: i dont know 2016-06-20 11:35:05 php pear downloads are broken 2016-06-20 11:35:07 i mean 2016-06-20 11:35:18 i the content change every download 2016-06-20 11:36:24 that explains why I didn't fix it with my commit 2016-06-20 11:36:36 it’s PHP, of course it’s broken :P //trolling 2016-06-20 11:36:44 i think its the gzip'ing that does it 2016-06-20 11:36:59 gzip has a field for timestamp 2016-06-20 11:37:06 which changes every rebuild 2016-06-20 11:37:14 so checksum does not match 2016-06-20 11:37:53 can we remove that field after abuild downloaded the file? 2016-06-20 11:39:32 thats a good question 2016-06-20 11:39:36 i think we can 2016-06-20 11:39:39 but do we want 2016-06-20 11:39:51 it will make the the checksum fail for everythin else 2016-06-20 11:39:56 unless we have an option=... for it 2016-06-20 11:40:20 option="reset-gzip-timestamp" 2016-06-20 11:40:54 ideally, the php site should cache the generated tarballs 2016-06-20 11:41:06 so we get a cached variant 2016-06-20 11:41:09 we have no power there 2016-06-20 11:41:11 i think thats what github does 2016-06-20 11:41:17 this would solve the github download as sell..but i think this would make download less secure 2016-06-20 11:41:17 I doubt we are the first distribution to hit that 2016-06-20 11:41:17 we can report it 2016-06-20 11:41:30 fcolista: it doesn't affect security at all 2016-06-20 11:41:39 debian make a copy of the sources 2016-06-20 11:41:54 maybe we should as wall 2016-06-20 11:41:58 have sourcepackages 2016-06-20 11:42:01 barthalion, yes. If you generate timestamp each download, how can you be sure that the upstream is not modified? 2016-06-20 11:42:31 fcolista: no. timestamp is just a timestamp 2016-06-20 11:42:38 it does not tell me if upstream modified anything 2016-06-20 11:42:54 fcolista: i'd say the oposite 2016-06-20 11:42:55 and if someone did something nasty, it doesn't save me either, this is what signatures are for 2016-06-20 11:42:56 So we jsut reset the timestamp part of the zip, and not the entire checksum of the file? 2016-06-20 11:43:00 exactly 2016-06-20 11:43:05 Ah, ok. 2016-06-20 11:43:18 I thought it would affect the entire checksum. 2016-06-20 11:43:34 since upstream modifies the timestamp, we cannot verify using checksum 2016-06-20 11:43:38 it will, but there is no golden bullet 2016-06-20 11:43:41 then yes, as ncopa said, is the opposite. 2016-06-20 11:43:52 what we are talking about is to reset it to 0 2016-06-20 11:44:07 by removal/reset of timestamp, checksum will stop changing for no reason 2016-06-20 11:44:09 then we cannot verify with against an upstream checksum 2016-06-20 11:44:23 unles something changes ofc 2016-06-20 11:44:23 however, it will differ if the content of tarball has changed 2016-06-20 11:44:27 yes 2016-06-20 11:44:57 there are a few projects that silently change contents of the tarball 2016-06-20 11:45:20 i have seen minor typo fixes in releases notes/docs 2016-06-20 11:45:59 but i think we should report it upstream 2016-06-20 11:46:09 not beeing able to verify checksum is an upstream problem 2016-06-20 11:51:41 ncopa: use composer, stop using pear 2016-06-20 11:51:45 oh well 2016-06-20 11:52:15 i think I'll send an email to security@php.net 2016-06-20 11:52:48 lol, 'use composer' 2016-06-20 11:53:32 it's very reassuring that neither pear or composer verifies checksums 2016-06-20 11:56:58 or we can just remove all Pear packages from repository :P these can be installed using some php tool, same as ruby packages, right? 2016-06-20 12:02:25 we should probably have some sort of sourcepackage archive 2016-06-20 12:02:32 but i dont know how to properly do that 2016-06-20 12:02:51 sourcepage archive? 2016-06-20 12:02:57 we do have distfiles.alpinelinux.org 2016-06-20 12:03:01 eg source tarballs 2016-06-20 12:03:12 cache? 2016-06-20 12:03:14 that we have a common cache for all buildservers 2016-06-20 12:03:17 yes 2016-06-20 12:03:48 maybe we should set up a caching squid proxy for all build servers 2016-06-20 12:03:51 i dunno 2016-06-20 12:04:08 imho upstream tarballs should be always verifiable, without caching them etc. if they are not, remove them as broken 2016-06-20 12:04:23 i wrote to security@php.net 2016-06-20 12:04:55 i dont have high hopes though. i assume they are always busy... 2016-06-20 12:05:02 since php is not compiled, what about downloading tarballs directly from the source repository instead of that pear crap? most of them are on GitHub, aren’t they? 2016-06-20 12:05:56 dunno 2016-06-20 12:06:24 i have to go, see ya 2016-06-20 12:07:25 algitbot: retry master 2016-06-20 12:10:09 it would also be nice if a future abuild version could write the checksum it computed to stdout if it didn't match the expected checksum 2016-06-20 12:10:27 good idea 2016-06-20 12:10:50 we should probaly also stop generate all different 2016-06-20 12:11:08 and only do 1 checksum 2016-06-20 12:11:14 sha512 or sha256 2016-06-20 12:14:00 ncopa: why should we do that? Generating multiple checksum doesn't have a disadvantage imho 2016-06-20 12:14:13 makes git log messy 2016-06-20 12:14:23 and if a flaw is discovered in one of the used checksum algorithms we still have 2 different checksum to rely on 2016-06-20 12:14:42 makes it harder to see the diffs 2016-06-20 12:15:02 yes, thats why i added various 2016-06-20 12:15:13 well…if that's the only problem we could move the checksum to an extra file? APKBUILD.checksum or something like that? 2016-06-20 12:15:29 OpenBSD also does it that way iirc 2016-06-20 12:15:37 would still show up in git log 2016-06-20 12:15:44 unless you log a sepcific file 2016-06-20 12:15:58 also, it would double the number of files in the aports tree 2016-06-20 12:16:09 right 2016-06-20 12:17:25 nmeum: re xclip 2016-06-20 12:17:30 we had a tarball from sourceforge 2016-06-20 12:17:36 i have removed it now 2016-06-20 12:17:44 yeah, upstream seems to have moved to github 2016-06-20 12:17:54 so I thought it would be a good idea to use the tagged release from github 2016-06-20 12:18:01 it is 2016-06-20 12:18:12 the change is good 2016-06-20 12:18:18 but the old tarball is still cached in /var/cache/distfiles? 2016-06-20 12:18:22 yes 2016-06-20 12:18:49 algitbot: retry master 2016-06-20 12:19:03 or it was 2016-06-20 12:19:26 ncopa: thanks 2016-06-20 12:19:53 nmeum: thanks to you too :) 2016-06-20 14:50:00 ncopa: the docker build still seems to fail on arm even though the binary should now be paxmarked 2016-06-20 14:56:06 ugh 2016-06-20 15:31:07 seems like go segfaults directly 2016-06-20 15:31:10 sigh 2016-06-21 09:02:47 umpf 2016-06-21 13:48:04 algitbot: retry master 2016-06-22 19:16:09 algitbot: retry 3.3-stable 2016-06-22 19:16:12 or something 2016-06-22 19:16:14 pretty please 2016-06-24 12:21:40 algitbot: retry master 2016-06-24 12:29:29 algitbot: retry master 2016-06-24 14:15:53 algitbot: retry 3.4-stable 2016-06-28 17:26:16 algitbot: retry 3.4-stable