prepare release

With bash-completion 2.0, the completion must have the same name as the binary.

Signed-off-by: Eric Bélanger <snowmaniscool@gmail.com>
Signed-off-by: Pierre Schmitz <pierre@archlinux.de>

.gitignore

@@ -14,3 +14,4 @@ mkarchroot
 rebuildpkgs
 zsh_completion
 find-libdeps
+crossrepomove

Makefile

@@ -1,4 +1,4 @@
-V=20111220
+V=20120720
 
 PREFIX = /usr/local
 
@@ -12,7 +12,8 @@ BINPROGS = \
 	lddd \
 	finddeps \
 	rebuildpkgs \
-	find-libdeps
+	find-libdeps \
+	crossrepomove
 
 SBINPROGS = \
 	mkarchroot \
@@ -26,6 +27,7 @@ CONFIGFILES = \
 	pacman-staging.conf \
 	pacman-multilib.conf \
 	pacman-multilib-testing.conf \
+	pacman-multilib-staging.conf \
 	pacman-kde-unstable.conf \
 	pacman-gnome-unstable.conf
 
@@ -39,6 +41,7 @@ COMMITPKG_LINKS = \
 	community-stagingpkg \
 	multilibpkg \
 	multilib-testingpkg \
+	multilib-stagingpkg \
 	kde-unstablepkg \
 	gnome-unstablepkg
 
@@ -51,11 +54,20 @@ ARCHBUILD_LINKS = \
 	staging-x86_64-build \
 	multilib-build \
 	multilib-testing-build \
+	multilib-staging-build \
 	kde-unstable-i686-build \
 	kde-unstable-x86_64-build \
 	gnome-unstable-i686-build \
 	gnome-unstable-x86_64-build
 
+CROSSREPOMOVE_LINKS = \
+	extra2community \
+	community2extra
+
+BASHCOMPLETION_LINKS = \
+	archco \
+	communityco
+
 all: $(BINPROGS) $(SBINPROGS) bash_completion zsh_completion
 
 edit = sed -e "s|@pkgdatadir[@]|$(DESTDIR)$(PREFIX)/share/devtools|g"
@@ -79,8 +91,10 @@ install:
 	install -m0644 ${CONFIGFILES} $(DESTDIR)$(PREFIX)/share/devtools
 	for l in ${COMMITPKG_LINKS}; do ln -sf commitpkg $(DESTDIR)$(PREFIX)/bin/$$l; done
 	for l in ${ARCHBUILD_LINKS}; do ln -sf archbuild $(DESTDIR)$(PREFIX)/bin/$$l; done
+	for l in ${CROSSREPOMOVE_LINKS}; do ln -sf crossrepomove $(DESTDIR)$(PREFIX)/bin/$$l; done
 	ln -sf find-libdeps $(DESTDIR)$(PREFIX)/bin/find-libprovides
-	install -Dm0644 bash_completion $(DESTDIR)/etc/bash_completion.d/devtools
+	install -Dm0644 bash_completion $(DESTDIR)/usr/share/bash-completion/completions/devtools
+	for l in ${BASHCOMPLETION_LINKS}; do ln -sf devtools $(DESTDIR)/usr/share/bash-completion/completions/$$l; done
 	install -Dm0644 zsh_completion $(DESTDIR)$(PREFIX)/share/zsh/site-functions/_devtools
 	ln -sf archco $(DESTDIR)$(PREFIX)/bin/communityco
 
@@ -90,7 +104,8 @@ uninstall:
 	for f in ${CONFIGFILES}; do rm -f $(DESTDIR)$(PREFIX)/share/devtools/$$f; done
 	for l in ${COMMITPKG_LINKS}; do rm -f $(DESTDIR)$(PREFIX)/bin/$$l; done
 	for l in ${ARCHBUILD_LINKS}; do rm -f $(DESTDIR)$(PREFIX)/bin/$$l; done
-	rm $(DESTDIR)/etc/bash_completion.d/devtools
+	for l in ${CROSSREPOMOVE_LINKS}; do rm -f $(DESTDIR)$(PREFIX)/bin/$$l; done
+	rm $(DESTDIR)/usr/share/bash-completion/completions/devtools
 	rm $(DESTDIR)$(PREFIX)/share/zsh/site-functions/_devtools
 	rm -f $(DESTDIR)$(PREFIX)/bin/communityco
 	rm -f $(DESTDIR)$(PREFIX)/bin/find-libprovides

archbuild.in

@@ -2,8 +2,7 @@
 
 m4_include(lib/common.sh)
 
-# FIXME: temporary added curl until pacman 4.0 moves to [core]
-base_packages=(base base-devel sudo curl)
+base_packages=(base base-devel sudo)
 
 cmd="${0##*/}"
 if [[ "${cmd%%-*}" == 'multilib' ]]; then
@@ -15,7 +14,7 @@ else
 	repo=${tag%-*}
 	arch=${tag##*-}
 fi
-chroots='/var/tmp/archbuild'
+chroots='/var/lib/archbuild'
 clean_first=false
 
 usage() {
@@ -44,36 +43,25 @@ if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then
 		[[ -d $copy ]] || continue
 		msg2 "Deleting chroot copy '$(basename "${copy}")'..."
 
-		# Lock the copy
-		exec 9>"${copy}.lock"
+		exec 9>"$copydir.lock"
+		if ! flock -n 9; then
+			stat_busy "Locking chroot copy '$copy'"
 			flock 9
+			stat_done
+		fi
 
 		{ type -P btrfs && btrfs subvolume delete "${copy}"; } &>/dev/null
-		rm -rf "${copy}"
+		rm -rf --one-file-system "${copy}"
 	done
 	exec 9>&-
 
-	# FIXME: temporary workaround until pacman 4.0 moves to [core]
-	if pacman -V | grep -q 'v4.' && ( [[ "$repo" == 'extra' || "$repo" == 'multilib' ]] ); then
-		pacman_conf=$(mktemp)
-		cp "@pkgdatadir@/pacman-${repo}.conf" "${pacman_conf}"
-		sed -r 's/^#(SigLevel = Never)/\1/' -i "${pacman_conf}"
-	else
-		pacman_conf="@pkgdatadir@/pacman-${repo}.conf"
-	fi
-
-	rm -rf "${chroots}/${repo}-${arch}"
+	rm -rf --one-file-system "${chroots}/${repo}-${arch}"
 	mkdir -p "${chroots}/${repo}-${arch}"
 	setarch "${arch}" mkarchroot \
-		-C "${pacman_conf}" \
+		-C "@pkgdatadir@/pacman-${repo}.conf" \
 		-M "@pkgdatadir@/makepkg-${arch}.conf" \
 		"${chroots}/${repo}-${arch}/root" \
 		"${base_packages[@]}"
-
-	# FIXME: temporary workaround until pacman 4.0 moves to [core]
-	if pacman -V | grep -q 'v4.' && ( [[ "$repo" == 'extra' || "$repo" == 'multilib' ]] ); then
-		cp "@pkgdatadir@/pacman-${repo}.conf" "${chroots}/${repo}-${arch}/root/etc/pacman.conf"
-	fi
 else
 	setarch ${arch} mkarchroot \
 		-u \

archrelease.in

@@ -1,13 +1,32 @@
 #!/bin/bash
 
 m4_include(lib/common.sh)
+m4_include(lib/valid-tags.sh)
 
-if [[ -z $1 ]]; then
-	echo 'Usage: archrelease <repo>...'
+# parse command line options
+FORCE=
+while getopts ':f' flag; do
+	case $flag in
+		f) FORCE=1 ;;
+		:) die "Option requires an argument -- '$OPTARG'" ;;
+		\?) die "Invalid option -- '$OPTARG'" ;;
+	esac
+done
+shift $(( OPTIND - 1 ))
+
+if ! (( $# )); then
+	echo 'Usage: archrelease [-f] <repo>...'
 	exit 1
 fi
 
-# TODO: validate repo is really repo-arch
+# validate repo is really repo-arch
+if [[ -z $FORCE ]]; then
+	for tag in "$@"; do
+		if ! in_array "$tag" "${_tags[@]}"; then
+			die 'archrelease: Invalid tag: "'$tag'" (use -f to force release)'
+		fi
+	done
+fi
 
 if [[ ! -f PKGBUILD ]]; then
 	die 'archrelease: PKGBUILD not found'
@@ -35,6 +54,9 @@ for file in "${known_files[@]}"; do
 	fi
 done
 
+# gracefully handle files containing an "@" character
+known_files=("${known_files[@]/%/@}")
+
 for tag in "$@"; do
 	stat_busy "Copying ${trunk} to ${tag}"
 

commitpkg.in

@@ -3,13 +3,19 @@
 m4_include(lib/common.sh)
 
 getpkgfile() {
-	if [[ ${#} -ne 1 ]]; then
-		die 'No canonical package found!'
-	elif [[ ! -f $1 ]]; then
-		die "Package ${1} not found!"
-	fi
+	case $# in
+		0)
+			error 'No canonical package found!'
+			return 1
+			;;
+		[!1])
+			error 'Failed to canonicalize package name -- multiple packages found:'
+			msg2 '%s' "$@"
+			return 1
+			;;
+	esac
 
-	echo ${1}
+	echo "$1"
 }
 
 # Source makepkg.conf; fail if it is not found
@@ -36,7 +42,7 @@ pkgbase=${pkgbase:-$pkgname}
 case "$cmd" in
 	commitpkg)
 		if (( $# == 0 )); then
-			die 'usage: commitpkg <reponame> [-l limit] [-a arch] [commit message]'
+			die 'usage: commitpkg <reponame> [-f] [-s server] [-l limit] [-a arch] [commit message]'
 		fi
 		repo="$1"
 		shift
@@ -45,23 +51,13 @@ case "$cmd" in
 		repo="${cmd%pkg}"
 		;;
 	*)
-		die 'usage: commitpkg <reponame> [-l limit] [-a arch] [commit message]'
+		die 'usage: commitpkg <reponame> [-f] [-s server] [-l limit] [-a arch] [commit message]'
 		;;
 esac
 
-case "$repo" in
-	core|extra|testing|staging|kde-unstable|gnome-unstable)
-		server='gerolde.archlinux.org' ;;
-	community*|multilib*)
-		server='aur.archlinux.org' ;;
-	*)
-		server='gerolde.archlinux.org'
-		msg "Non-standard repository $repo in use, defaulting to server $server" ;;
-esac
-
 # check if all local source files are under version control
 for s in "${source[@]}"; do
-	if [[ $s != *://* ]] && ! svn status -v "$s" | grep -q '^[ AMRX~]'; then
+	if [[ $s != *://* ]] && ! svn status -v "$s@" | grep -q '^[ AMRX~]'; then
 		die "$s is not under version control"
 	fi
 done
@@ -77,18 +73,49 @@ for i in 'changelog' 'install'; do
 	done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
 done
 
-# see if any limit options were passed, we'll send them to rsync
 rsyncopts=(-e ssh -p --chmod=ug=rw,o=r -c -h -L --progress --partial -y)
-while getopts ':l:a:' flag; do
+archreleaseopts=()
+while getopts ':l:a:s:f' flag; do
 	case $flag in
-		l) rsyncopts+=("--bwlimit=$2") ;;
-		a) commit_arch=$2 ;;
+		f) archreleaseopts+=('-f') ;;
+		s) server=$OPTARG ;;
+		l) rsyncopts+=("--bwlimit=$OPTARG") ;;
+		a) commit_arch=$OPTARG ;;
 		:) die "Option requires an argument -- '$OPTARG'" ;;
 		\?) die "Invalid option -- '$OPTARG'" ;;
 	esac
 done
 shift $(( OPTIND - 1 ))
 
+# check packages have the packager field set
+for _arch in ${arch[@]}; do
+	if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
+		continue
+	fi
+	for _pkgname in ${pkgname[@]}; do
+		fullver=$(get_full_version $_pkgname)
+
+		if pkgfile=$(shopt -s nullglob;
+				getpkgfile "${PKGDEST+$PKGDEST/}$_pkgname-$fullver-${_arch}".pkg.tar.?z); then
+			if grep -q "packager = Unknown Packager" <(bsdtar -xOqf $pkgfile .PKGINFO); then
+				die "PACKAGER was not set when building package"
+			fi
+		fi
+	done
+done
+
+if [[ -z $server ]]; then
+	case "$repo" in
+		core|extra|testing|staging|kde-unstable|gnome-unstable)
+			server='gerolde.archlinux.org' ;;
+		community*|multilib*)
+			server='aur.archlinux.org' ;;
+		*)
+			server='gerolde.archlinux.org'
+			msg "Non-standard repository $repo in use, defaulting to server $server" ;;
+	esac
+fi
+
 if [[ -n $(svn status -q) ]]; then
 	msgtemplate="upgpkg: $pkgbase $(get_full_version)"$'\n\n'
 	if [[ -n $1 ]]; then
@@ -127,36 +154,27 @@ for _arch in ${arch[@]}; do
 
 	for _pkgname in ${pkgname[@]}; do
 		fullver=$(get_full_version $_pkgname)
-		pkgfile=$(getpkgfile "$_pkgname-$fullver-${_arch}".pkg.tar.?z 2>/dev/null)
-		pkgdestfile=$(getpkgfile "$PKGDEST/$_pkgname-$fullver-${_arch}".pkg.tar.?z 2>/dev/null)
 
-		if [[ -f $pkgfile ]]; then
-			pkgfile="./$pkgfile"
-		elif [[ -f $pkgdestfile ]]; then
-			pkgfile="$pkgdestfile"
-		else
-			warning "Could not find ${pkgfile}. Skipping ${_arch}"
+		if ! pkgfile=$(shopt -s nullglob;
+				getpkgfile "${PKGDEST+$PKGDEST/}$_pkgname-$fullver-${_arch}".pkg.tar.?z); then
+			warning "Skipping $_pkgname-$fullver-$_arch: failed to locate package file"
 			skip_arches+=($_arch)
 			continue 2
 		fi
 		uploads+=("$pkgfile")
 
 		sigfile="${pkgfile}.sig"
-		if [[ $SIGNPKG == 'y' && ! -f $sigfile ]]; then
+		if [[ ! -f $sigfile ]]; then
 			msg "Signing package ${pkgfile}..."
 			if [[ -n $GPGKEY ]]; then
 				SIGNWITHKEY="-u ${GPGKEY}"
 			fi
 			gpg --detach-sign --use-agent ${SIGNWITHKEY} "${pkgfile}" || die
 		fi
-		if [[ -f $sigfile ]]; then
 		if ! gpg --verify "$sigfile" >/dev/null 2>&1; then
 			die "Signature ${pkgfile}.sig is incorrect!"
 		fi
 		uploads+=("$sigfile")
-		else
-			die "Signature ${pkgfile}.sig was not found"
-		fi
 	done
 done
 
@@ -165,9 +183,21 @@ for _arch in ${arch[@]}; do
 		commit_arches+=($_arch)
 	fi
 done
-archrelease "${commit_arches[@]/#/$repo-}" || die
+
+if [[ ${#commit_arches[*]} -gt 0 ]]; then
+	archrelease "${archreleaseopts[@]}" "${commit_arches[@]/#/$repo-}" || die
+fi
 
 if [[ ${#uploads[*]} -gt 0 ]]; then
+	new_uploads=()
+
+	# convert to absolute paths so rsync can work with colons (epoch)
+	while read -r -d '' upload; do
+		new_uploads+=("$upload")
+	done < <(realpath -z "${uploads[@]}")
+
+	uploads=("${new_uploads[@]}")
+	unset new_uploads
 	msg 'Uploading all package and signature files'
 	rsync "${rsyncopts[@]}" "${uploads[@]}" "$server:staging/$repo/" || die
 fi

crossrepomove.in

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+m4_include(lib/common.sh)
+
+scriptname=${0##*/}
+
+if [[ -z $1 ]]; then
+	echo 'Usage: '$scriptname' [pkgbase]'
+	exit 1
+fi
+
+pkgbase="${1}"
+
+packages_svn='svn+ssh://gerolde.archlinux.org/srv/svn-packages'
+packages_server='gerolde.archlinux.org'
+community_svn='svn+ssh://aur.archlinux.org/srv/svn-packages'
+community_server='aur.archlinux.org'
+mirror='http://mirrors.kernel.org/archlinux'
+
+case $scriptname in
+	extra2community)
+		source_svn="${packages_svn}"
+		target_svn="${community_svn}"
+		source_server="${packages_server}"
+		target_server="${community_server}"
+		source_repo='extra'
+		target_repo='community'
+		;;
+	community2extra)
+		source_svn="${community_svn}"
+		target_svn="${packages_svn}"
+		source_server="${community_server}"
+		target_server="${packages_server}"
+		source_repo='community'
+		target_repo='extra'
+		;;
+	*)
+		die "Couldn't find configuration for $scriptname"
+		;;
+esac
+
+setup_workdir
+
+pushd $WORKDIR >/dev/null
+
+msg "Downloading sources for ${pkgbase}"
+svn -q checkout -N "${target_svn}" target_checkout
+mkdir -p "target_checkout/${pkgbase}/repos"
+svn -q export "${source_svn}/${pkgbase}/trunk" "target_checkout/${pkgbase}/trunk" || die
+. "target_checkout/${pkgbase}/trunk/PKGBUILD"
+
+msg "Downloading packages for ${pkgbase}"
+for _arch in ${arch[@]}; do
+	if [[ "${_arch[*]}" == 'any' ]]; then
+		repo_arch='x86_64'
+	else
+		repo_arch=${_arch}
+	fi
+	for _pkgname in ${pkgname[@]}; do
+		fullver=$(get_full_version $_pkgname)
+		# FIXME: this only works with .xz packages
+		ssh "${target_server}" "cd staging/${target_repo}
+			curl -O ${mirror}/${source_repo}/os/${repo_arch}/$_pkgname-$fullver-${_arch}.pkg.tar.xz
+			curl -O ${mirror}/${source_repo}/os/${repo_arch}/$_pkgname-$fullver-${_arch}.pkg.tar.xz.sig" || die
+	done
+done
+
+msg "Adding ${pkgbase} to ${target_repo}"
+svn -q add "target_checkout/${pkgbase}"
+svn -q propset svn:keywords 'Id' "target_checkout/${pkgbase}/trunk/PKGBUILD"
+svn -q commit -m"${scriptname}: Moving ${pkgbase} from ${source_repo} to ${target_repo}" target_checkout
+pushd "target_checkout/${pkgbase}/trunk" >/dev/null
+archrelease "${arch[@]/#/$target_repo-}" || die
+popd >/dev/null
+ssh "${target_server}" '/arch/db-update' || die
+
+msg "Removing ${pkgbase} from ${source_repo}"
+for _arch in ${arch[@]}; do
+	ssh "${source_server}" "/arch/db-remove ${source_repo} ${_arch} ${pkgbase}"
+done
+svn -q checkout -N "${source_svn}" source_checkout
+svn -q up "source_checkout/${pkgbase}"
+svn -q rm "source_checkout/${pkgbase}"
+svn -q commit -m"${scriptname}: Moving ${pkgbase} from ${source_repo} to ${target_repo}" source_checkout
+
+popd >/dev/null

find-libdeps.in

@@ -3,6 +3,7 @@
 m4_include(lib/common.sh)
 
 set -e
+shopt -s extglob
 
 IGNORE_INTERNAL=0
 
@@ -40,7 +41,7 @@ fi
 
 process_sofile() {
 	# extract the library name: libfoo.so
-	soname="${sofile%%\.so\.*}.so"
+	soname="${sofile%.so?(+(.+([0-9])))}".so
 	# extract the major version: 1
 	soversion="${sofile##*\.so\.}"
 	if [[ "$soversion" = "$sofile" ]] && (($IGNORE_INTERNAL)); then
@@ -73,7 +74,7 @@ find . -type f $find_args | while read filename; do
 	if [[ $script_mode = "provides" ]]; then
 		# get the string binaries link to: libfoo.so.1.2 -> libfoo.so.1
 		sofile=$(LC_ALL=C readelf -d "$filename" 2>/dev/null | sed -n 's/.*Library soname: \[\(.*\)\].*/\1/p')
-		[[ -z $sofile" ]] && sofile="${filename##*/}"
+		[[ -z $sofile ]] && sofile="${filename##*/}"
 		process_sofile
 	elif [[ $script_mode = "deps" ]]; then
 		# process all libraries needed by the binary

lib/common.sh

@@ -62,7 +62,7 @@ setup_workdir() {
 }
 
 cleanup() {
-	trap - EXIT INT QUIT TERM
+	trap - EXIT INT QUIT TERM HUP
 
 	[[ -n $WORKDIR ]] && rm -rf "$WORKDIR"
 	[[ $1 ]] && exit $1

lib/valid-tags.sh

@@ -0,0 +1,20 @@
+_arch=(
+	i686
+	x86_64
+	any
+)
+
+_tags=(
+	core-i686 core-x86_64 core-any
+	extra-i686 extra-x86_64 extra-any
+	multilib-x86_64
+	staging-i686 staging-x86_64 staging-any
+	testing-i686 testing-x86_64 testing-any
+	multilib-testing-x86_64
+	multilib-staging-x86_64
+	community-i686 community-x86_64 community-any
+	community-staging-i686 community-staging-x86_64 community-staging-any
+	community-testing-i686 community-testing-x86_64 community-testing-any
+	kde-unstable-i686 kde-unstable-x86_64 kde-unstable-any
+	gnome-unstable-i686 gnome-unstable-x86_64 gnome-unstable-any
+)

makechrootpkg.in

@@ -20,6 +20,7 @@ install_pkg=
 add_to_db=false
 run_namcap=false
 chrootdir=
+passeddir=
 
 default_copy=$USER
 [[ -n $SUDO_USER ]] && default_copy=$SUDO_USER
@@ -52,8 +53,8 @@ usage() {
 	echo '-I <pkg>   Install a package into the working copy of the chroot'
 	echo '-l <copy>  The directory to use as the working copy of the chroot'
 	echo '           Useful for maintaining multiple copies.'
-	echo '-n         Run namcap on the package'
 	echo "           Default: $default_copy"
+	echo '-n         Run namcap on the package'
 	exit 1
 }
 
@@ -63,16 +64,16 @@ while getopts 'hcudr:I:l:n' arg; do
 		c) clean_first=true ;;
 		u) update_first=true ;;
 		d) add_to_db=true ;;
-		r) chrootdir="$OPTARG" ;;
+		r) passeddir="$OPTARG" ;;
 		I) install_pkg="$OPTARG" ;;
 		l) copy="$OPTARG" ;;
-		n) run_namcap=true ;;
+		n) run_namcap=true; makepkg_args="$makepkg_args -i" ;;
 		*) makepkg_args="$makepkg_args -$arg $OPTARG" ;;
 	esac
 done
 
 # Canonicalize chrootdir, getting rid of trailing /
-chrootdir=$(readlink -e "$chrootdir")
+chrootdir=$(readlink -e "$passeddir")
 
 if [[ ${copy:0:1} = / ]]; then
 	copydir=$copy
@@ -101,7 +102,7 @@ if [[ ! -f PKGBUILD && -z $install_pkg ]]; then
 fi
 
 if [[ ! -d $chrootdir ]]; then
-	die "No chroot dir defined, or invalid path '$chrootdir'"
+	die "No chroot dir defined, or invalid path '$passeddir'"
 fi
 
 if [[ ! -d $chrootdir/root ]]; then
@@ -257,15 +258,11 @@ nobody ALL = NOPASSWD: /usr/bin/pacman
 EOF
 chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
 
-# Set this system wide as makepkg will source /etc/profile before calling build()
-echo 'LANG=C' > "$copydir/etc/locale.conf"
-
 # This is a little gross, but this way the script is recreated every time in the
 # working copy
 cat >"$copydir/chrootbuild" <<EOF
 #!/bin/bash
 . /etc/profile
-export LANG=C
 export HOME=/build
 
 cd /build

makepkg-i686.conf

@@ -31,7 +31,7 @@ CHOST="i686-pc-linux-gnu"
 # -mtune optimizes for an architecture, but builds for whole processor family
 CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
 CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
-LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
 

makepkg-x86_64.conf

@@ -31,7 +31,7 @@ CHOST="x86_64-unknown-linux-gnu"
 # -mtune optimizes for an architecture, but builds for whole processor family
 CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
 CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
-LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
 

mkarchroot.in

@@ -10,6 +10,8 @@
 
 m4_include(lib/common.sh)
 
+CHROOT_VERSION='v2'
+
 FORCE='n'
 RUN=''
 NOCOPY='n'
@@ -28,7 +30,7 @@ usage() {
 	echo '    -C <file>     Location of a pacman config file'
 	echo '    -M <file>     Location of a makepkg config file'
 	echo '    -n            Do not copy config files into the chroot'
-	echo '    -c <dir>      Set pacman cache. Default: /var/cache/pacman/pkg'
+	echo '    -c <dir>      Set pacman cache'
 	echo '    -h            This message'
 	exit 1
 }
@@ -65,18 +67,12 @@ shift 1
 [[ -z $working_dir ]] && die 'Please specify a working directory.'
 
 if [[ -z $cache_dir ]]; then
-	cache_conf=${working_dir}/etc/pacman.conf
-	[[ ! -f $cache_conf ]] && cache_conf=${pac_conf:-/etc/pacman.conf}
-	cache_dir=$( (grep -m 1 '^CacheDir' $cache_conf || echo 'CacheDir = /var/cache/pacman/pkg') | sed 's/CacheDir\s*=\s*//')
-	unset cache_conf
+	cache_dirs=($(pacman -v $cache_conf 2>&1 | grep '^Cache Dirs:' | sed 's/Cache Dirs:\s*//g'))
+else
+	cache_dirs=(${cache_dir})
 fi
 
-if [[ -f /etc/pacman.d/mirrorlist ]]; then
 host_mirror=$(pacman -Sddp extra/devtools 2>/dev/null | sed -E 's#(.*/)extra/os/.*#\1$repo/os/$arch#')
-fi
-if [[ -z $host_mirror ]]; then
-	host_mirror='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
-fi
 if echo "${host_mirror}" | grep -q 'file://'; then
 	host_mirror_path=$(echo "${host_mirror}" | sed -E 's#file://(/.*)/\$repo/os/\$arch#\1#g')
 fi
@@ -84,21 +80,26 @@ fi
 # {{{ functions
 chroot_mount() {
 	[[ -e "${working_dir}/sys" ]] || mkdir "${working_dir}/sys"
-	mount -t sysfs sysfs "${working_dir}/sys"
+	mount -o bind /sys "${working_dir}/sys"
+	mount -o remount,ro,bind "${working_dir}/sys"
 
 	[[ -e "${working_dir}/proc" ]] || mkdir "${working_dir}/proc"
-	mount -t proc proc "${working_dir}/proc"
+	mount -t proc proc -o nosuid,noexec,nodev "${working_dir}/proc"
+	mount -o bind /proc/sys "${working_dir}/proc/sys"
+	mount -o remount,ro,bind "${working_dir}/proc/sys"
 
 	[[ -e "${working_dir}/dev" ]] || mkdir "${working_dir}/dev"
-	mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid
+	mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid,strictatime
 	mknod -m 666 "${working_dir}/dev/null" c 1 3
 	mknod -m 666 "${working_dir}/dev/zero" c 1 5
 	mknod -m 600 "${working_dir}/dev/console" c 5 1
 	mknod -m 644 "${working_dir}/dev/random" c 1 8
 	mknod -m 644 "${working_dir}/dev/urandom" c 1 9
 	mknod -m 666 "${working_dir}/dev/tty" c 5 0
+	mknod -m 666 "${working_dir}/dev/ptmx" c 5 2
 	mknod -m 666 "${working_dir}/dev/tty0" c 4 0
 	mknod -m 666 "${working_dir}/dev/full" c 1 7
+	mknod -m 666 "${working_dir}/dev/rtc0" c 254 0
 	ln -s /proc/kcore "${working_dir}/dev/core"
 	ln -s /proc/self/fd "${working_dir}/dev/fd"
 	ln -s /proc/self/fd/0 "${working_dir}/dev/stdin"
@@ -109,24 +110,35 @@ chroot_mount() {
 	mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M
 
 	[[ -e "${working_dir}/dev/pts" ]] || mkdir "${working_dir}/dev/pts"
-	mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666
-	ln -s pts/ptmx "${working_dir}/dev/ptmx"
+	mount -o bind /dev/pts "${working_dir}/dev/pts"
 
-	[[ -e $cache_dir ]] || mkdir -p "${cache_dir}"
-	[[ -e "${working_dir}/${cache_dir}" ]] || mkdir -p "${working_dir}/${cache_dir}"
-	mount -o bind "${cache_dir}" "${working_dir}/${cache_dir}"
+	[[ -e "${working_dir}/run" ]] || mkdir "${working_dir}/run"
+	mount -t tmpfs tmpfs "${working_dir}/run" -o mode=0755,nodev,nosuid,strictatime,size=64M
 
 	if [[ -n $host_mirror_path ]]; then
 		[[ -e "${working_dir}/${host_mirror_path}" ]] || mkdir -p "${working_dir}/${host_mirror_path}"
 		mount -o bind "${host_mirror_path}" "${working_dir}/${host_mirror_path}"
-		mount -o remount,ro,bind "${host_mirror_path}" "${working_dir}/${host_mirror_path}"
+		mount -o remount,ro,bind "${working_dir}/${host_mirror_path}"
 	fi
 
+	local cache_dir_first=true
+	for cache_dir in ${cache_dirs[@]}; do
+		[[ -e $cache_dir ]] || mkdir -p "${cache_dir}"
+		[[ -e "${working_dir}/${cache_dir}" ]] || mkdir -p "${working_dir}/${cache_dir}"
+		mount -o bind "${cache_dir}" "${working_dir}/${cache_dir}"
+		if ! ${cache_dir_first}; then
+			mount -o remount,ro,bind "${working_dir}/${cache_dir}"
+		else
+			cache_dir_first=false
+		fi
+	done
+
 	trap 'chroot_umount' EXIT INT QUIT TERM HUP
 }
 
 copy_hostconf () {
 	cp /etc/resolv.conf "${working_dir}/etc/resolv.conf"
+	cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"
 	echo "Server = ${host_mirror}" > ${working_dir}/etc/pacman.d/mirrorlist
 
 	if [[ -n $pac_conf && $NOCOPY = 'n' ]]; then
@@ -136,15 +148,22 @@ copy_hostconf () {
 	if [[ -n $makepkg_conf && $NOCOPY = 'n' ]]; then
 		cp ${makepkg_conf} ${working_dir}/etc/makepkg.conf
 	fi
+
+	sed -r "s|^#?\\s*CacheDir.+|CacheDir = $(echo -n ${cache_dirs[@]})|g" -i ${working_dir}/etc/pacman.conf
 }
 
 chroot_umount () {
+	trap - EXIT INT QUIT TERM HUP
+	umount "${working_dir}/proc/sys"
 	umount "${working_dir}/proc"
 	umount "${working_dir}/sys"
 	umount "${working_dir}/dev/pts"
 	umount "${working_dir}/dev/shm"
 	umount "${working_dir}/dev"
+	umount "${working_dir}/run"
+	for cache_dir in ${cache_dirs[@]}; do
 		umount "${working_dir}/${cache_dir}"
+	done
 	[[ -n $host_mirror_path ]] && umount "${working_dir}/${host_mirror_path}"
 }
 
@@ -169,13 +188,15 @@ if [[ -n $RUN ]]; then
 	#Sanity check
 	if [[ ! -f "${working_dir}/.arch-chroot" ]]; then
 		die "'${working_dir}' does not appear to be a Arch chroot."
+	elif [[ $(cat "${working_dir}/.arch-chroot") != ${CHROOT_VERSION} ]]; then
+		die "'${working_dir}' is not compatible with ${APPNAME} version ${CHROOT_VERSION}. Please rebuild."
 	fi
 
 	chroot_lock
 	chroot_mount
 	copy_hostconf
 
-	eval chroot "${working_dir}" ${RUN}
+	eval unshare -mui -- chroot "${working_dir}" ${RUN}
 
 	# }}}
 else
@@ -194,7 +215,7 @@ else
 	chroot_lock
 	chroot_mount
 
-	pacargs="--noconfirm --root=${working_dir} --cachedir=${cache_dir}"
+	pacargs="--noconfirm --root=${working_dir} ${cache_dirs[@]/#/--cachedir=}"
 	if [[ -n $pac_conf ]]; then
 		pacargs="$pacargs --config=${pac_conf}"
 	fi
@@ -217,11 +238,12 @@ else
 		sed -i 's@^#\(en_US\|de_DE\)\(\.UTF-8\)@\1\2@' "${working_dir}/etc/locale.gen"
 		chroot "${working_dir}" /usr/sbin/locale-gen
 	fi
+	echo 'UTC' > "${working_dir}/etc/timezone"
+	ln -s /usr/share/zoneinfo/UTC "${working_dir}/etc/localtime"
+	echo 'LANG=C' > "${working_dir}/etc/locale.conf"
 
 	copy_hostconf
 
-	if [[ ! -e "${working_dir}/.arch-chroot" ]]; then
-		date +%s > "${working_dir}/.arch-chroot"
-	fi
+	echo "${CHROOT_VERSION}" > "${working_dir}/.arch-chroot"
 	# }}}
 fi

pacman-extra.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-#SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,18 +69,23 @@ Architecture = auto
 # after the header, and they will be used before the default mirrors.
 
 #[testing]
+#SigLevel = PackageRequired
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 #[community-testing]
+#SigLevel = PackageRequired
 #Include = /etc/pacman.d/mirrorlist
 
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for

pacman-gnome-unstable.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,21 +69,27 @@ SigLevel = Never
 # after the header, and they will be used before the default mirrors.
 
 [gnome-unstable]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community-testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for

pacman-kde-unstable.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,21 +69,27 @@ SigLevel = Never
 # after the header, and they will be used before the default mirrors.
 
 [kde-unstable]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community-testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for

pacman-multilib-staging.conf

@@ -0,0 +1,118 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+# If upgrades are available for these packages they will be asked for first
+SyncFirst   = pacman
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#UseDelta
+#TotalDownload
+# We cannot check disk space from within a chroot environment
+#CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+#SigLevel = Optional TrustedOnly
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+[staging]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[testing]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[core]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[community-staging]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[community-testing]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[community]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+[multilib-staging]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[multilib-testing]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+[multilib]
+SigLevel = PackageRequired
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
+

pacman-multilib-testing.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,31 +69,38 @@ SigLevel = Never
 # after the header, and they will be used before the default mirrors.
 
 [testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community-testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # If you want to run 32 bit applications on your x86_64 system,
-# enable the multilib repository here.
+# enable the multilib repositories as required here.
 [multilib-testing]
-#SigLevel = Optional TrustAll
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [multilib]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
 # tips on creating your own repositories.
 #[custom]
+#SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
 

pacman-multilib.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-#SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,28 +69,39 @@ Architecture = auto
 # after the header, and they will be used before the default mirrors.
 
 #[testing]
+#SigLevel = PackageRequired
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 #[community-testing]
+#SigLevel = PackageRequired
 #Include = /etc/pacman.d/mirrorlist
 
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # If you want to run 32 bit applications on your x86_64 system,
-# enable the multilib repository here.
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#SigLevel = PackageRequired
+#Include = /etc/pacman.d/mirrorlist
+
 [multilib]
-#SigLevel = Optional TrustAll
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
 # tips on creating your own repositories.
 #[custom]
+#SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
 

pacman-staging.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,29 +69,36 @@ SigLevel = Never
 # after the header, and they will be used before the default mirrors.
 
 [staging]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community-staging]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community-testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
-#SigLevel = Optional TrustAll
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
 # tips on creating your own repositories.
 #[custom]
+#SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
 

pacman-testing.conf

@@ -37,18 +37,13 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# Disable signature checks for now
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -74,18 +69,23 @@ SigLevel = Never
 # after the header, and they will be used before the default mirrors.
 
 [testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [core]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community-testing]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [community]
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for

zsh_completion.in

@@ -1,20 +1,6 @@
-#compdef archbuild archco archrelease archrm commitpkg finddeps makechrootpkg mkarchroot rebuildpkgs extrapkg=commitpkg corepkg=commitpkg testingpkg=commitpkg stagingpkg=commitpkg communitypkg=commitpkg community-testingpkg=commitpkg community-stagingpkg=commitpkg multilibpkg=commitpkg multilib-testingpkg=commitpkg extra-i686-build=archbuild extra-x86_64-build=archbuild testing-i686-build=archbuild testing-x86_64-build=archbuild staging-i686-build=archbuild staging-x86_64-build=archbuild multilib-build=archbuild multilib-testing-build=archbuild kde-unstable-i686-build=archbuild kde-unstable-x86_64-build=archbuild gnome-unstable-i686-build=archbuild gnome-unstable-x86_64-build=archbuild communityco=archco
+#compdef archbuild archco archrelease archrm commitpkg finddeps makechrootpkg mkarchroot rebuildpkgs extrapkg=commitpkg corepkg=commitpkg testingpkg=commitpkg stagingpkg=commitpkg communitypkg=commitpkg community-testingpkg=commitpkg community-stagingpkg=commitpkg multilibpkg=commitpkg multilib-testingpkg=commitpkg extra-i686-build=archbuild extra-x86_64-build=archbuild testing-i686-build=archbuild testing-x86_64-build=archbuild staging-i686-build=archbuild staging-x86_64-build=archbuild multilib-build=archbuild multilib-testing-build=archbuild multilib-staging-build=archbuild kde-unstable-i686-build=archbuild kde-unstable-x86_64-build=archbuild gnome-unstable-i686-build=archbuild gnome-unstable-x86_64-build=archbuild communityco=archco
 
-_arch=(i686 x86_64 any)
-
-_tags=(
-	core-i686 core-x86_64 core-any
-	extra-i686 extra-x86_64 extra-any
-	multilib-i686 multilib-x86_64 multilib-any
-	staging-i686 staging-x86_64 staging-any
-	testing-i686 testing-x86_64 testing-any
-	multilib-testing-i686 multilib-testing-x86_64 multilib-testing-any
-	community-i686 community-x86_64 community-any
-	community-staging-i686 community-staging-x86_64 community-staging-any
-	community-testing-i686 community-testing-x86_64 community-testing-any
-	kde-unstable-i686 kde-unstable-x86_64 kde-unstable-any
-	gnome-unstable-i686 gnome-unstable-x86_64 gnome-unstable-any
-)
+m4_include(lib/valid-tags.sh)
 
 _archbuild_args=(
 	'-c[Recreate the chroot before building]'