Prepare release

Chances are that pubring.kbx has been created by gpgsm but pubring.gpg
is still around with valid data. We do not know what file contains what
we need, so just copy both.

Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Pierre Schmitz <pierre@archlinux.de>

Makefile

@@ -1,4 +1,4 @@
-V=20130525
+V=20150514
 
 PREFIX = /usr/local
 
@@ -77,6 +77,7 @@ edit = sed -e "s|@pkgdatadir[@]|$(DESTDIR)$(PREFIX)/share/devtools|g"
 	@m4 -P $@.in | $(edit) >$@
 	@chmod a-w "$@"
 	@chmod +x "$@"
+	@bash -O extglob -n "$@"
 
 clean:
 	rm -f $(BINPROGS) bash_completion zsh_completion

arch-nspawn.in

@@ -26,6 +26,8 @@ usage() {
 	exit 1
 }
 
+orig_argv=("$@")
+
 while getopts 'hC:M:c:' arg; do
 	case "$arg" in
 		C) pac_conf="$OPTARG" ;;
@@ -37,18 +39,18 @@ while getopts 'hC:M:c:' arg; do
 done
 shift $(($OPTIND - 1))
 
-(( $EUID != 0 )) && die 'This script must be run as root.'
 (( $# < 1 )) && die 'You must specify a directory.'
+check_root "$0" "${orig_argv[@]}"
 
-working_dir="$(readlink -f $1)"
+working_dir=$(readlink -f "$1")
 shift 1
 
 [[ -z $working_dir ]] && die 'Please specify a working directory.'
 
 if [[ -z $cache_dir ]]; then
-	cache_dirs=($(pacman -v $cache_conf 2>&1 | grep '^Cache Dirs:' | sed 's/Cache Dirs:\s*//g'))
+	cache_dirs=($(pacman -v 2>&1 | grep '^Cache Dirs:' | sed 's/Cache Dirs:\s*//g'))
 else
-	cache_dirs=(${cache_dir})
+	cache_dirs=("$cache_dir")
 fi
 
 host_mirror=$(pacman -Sddp extra/devtools 2>/dev/null | sed -r 's#(.*/)extra/os/.*#\1$repo/os/$arch#')
@@ -56,31 +58,27 @@ host_mirror=$(pacman -Sddp extra/devtools 2>/dev/null | sed -r 's#(.*/)extra/os/
 
 # {{{ functions
 build_mount_args() {
-	local p
 	declare -g mount_args=()
 
 	if [[ -n $host_mirror_path ]]; then
-		printf -v p '%q' "$host_mirror_path"
-		mount_args+=(--bind-ro="$p")
+		mount_args+=(--bind-ro="$host_mirror_path")
 	fi
 
-	printf -v p '%q' "${cache_dirs[0]}"
-	mount_args+=(--bind="$p")
+	mount_args+=(--bind="${cache_dirs[0]}")
 
 	for cache_dir in ${cache_dirs[@]:1}; do
-		printf -v p '%q' "$cache_dir"
-		mount_args+=(--bind-ro="$p")
+		mount_args+=(--bind-ro="$cache_dir")
 	done
 }
 
 copy_hostconf () {
 	cp -a /etc/pacman.d/gnupg "$working_dir/etc/pacman.d"
-	echo "Server = $host_mirror" > $working_dir/etc/pacman.d/mirrorlist
+	echo "Server = $host_mirror" >"$working_dir/etc/pacman.d/mirrorlist"
 
-	[[ -n $pac_conf ]] && cp $pac_conf $working_dir/etc/pacman.conf
-	[[ -n $makepkg_conf ]] && cp $makepkg_conf $working_dir/etc/makepkg.conf
+	[[ -n $pac_conf ]] && cp $pac_conf "$working_dir/etc/pacman.conf"
+	[[ -n $makepkg_conf ]] && cp $makepkg_conf "$working_dir/etc/makepkg.conf"
 
-	sed -r "s|^#?\\s*CacheDir.+|CacheDir = $(echo -n ${cache_dirs[@]})|g" -i $working_dir/etc/pacman.conf
+	sed -r "s|^#?\\s*CacheDir.+|CacheDir = $(echo -n ${cache_dirs[@]})|g" -i "$working_dir/etc/pacman.conf"
 }
 # }}}
 
@@ -88,9 +86,9 @@ umask 0022
 
 # Sanity check
 if [[ ! -f "$working_dir/.arch-chroot" ]]; then
-	die "'$working_dir' does not appear to be a Arch chroot."
+	die "'%s' does not appear to be an Arch chroot." "$working_dir"
 elif [[ $(cat "$working_dir/.arch-chroot") != $CHROOT_VERSION ]]; then
-	die "chroot '$working_dir' is not at version $CHROOT_VERSION. Please rebuild."
+	die "chroot '%s' is not at version %s. Please rebuild." "$working_dir" "$CHROOT_VERSION"
 fi
 
 build_mount_args
@@ -100,6 +98,6 @@ eval $(grep '^CARCH=' "$working_dir/etc/makepkg.conf")
 
 exec ${CARCH:+setarch "$CARCH"} systemd-nspawn 2>/dev/null \
 	-D "$working_dir" \
-	--machine "${working_dir//\//-}" \
+	--register=no \
 	"${mount_args[@]}" \
 	"$@"

archbuild.in

@@ -29,6 +29,8 @@ usage() {
 	exit 1
 }
 
+orig_argv=("$@")
+
 while getopts 'hcr:' arg; do
 	case "${arg}" in
 		c) clean_first=true ;;
@@ -37,13 +39,11 @@ while getopts 'hcr:' arg; do
 	esac
 done
 
+check_root "$0" "${orig_argv[@]}"
+
 # Pass all arguments after -- right to makepkg
 makechrootpkg_args+=("${@:$OPTIND}")
 
-if (( EUID )); then
-	die 'This script must be run as root.'
-fi
-
 if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then
 	msg "Creating chroot for [${repo}] (${arch})..."
 
@@ -51,7 +51,7 @@ if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then
 		[[ -d $copy ]] || continue
 		msg2 "Deleting chroot copy '$(basename "${copy}")'..."
 
-		lock 9 "$copydir.lock" "Locking chroot copy '$copy'"
+		lock 9 "$copy.lock" "Locking chroot copy '$copy'"
 
 		if [[ "$(stat -f -c %T "${copy}")" == btrfs ]]; then
 			{ type -P btrfs && btrfs subvolume delete "${copy}"; } &>/dev/null

archco.in

@@ -15,7 +15,7 @@ case $scriptname in
 	communityco)
 		SVNURL="svn+ssh://svn-community@nymeria.archlinux.org/srv/repos/svn-community/svn";;
 	*)
-		die "Couldn't find svn url for $scriptname"
+		die "Couldn't find svn url for %s" "$scriptname"
 		;;
 esac
 

archrelease.in

@@ -8,8 +8,8 @@ FORCE=
 while getopts ':f' flag; do
 	case $flag in
 		f) FORCE=1 ;;
-		:) die "Option requires an argument -- '$OPTARG'" ;;
-		\?) die "Invalid option -- '$OPTARG'" ;;
+		:) die "Option requires an argument -- '%s'" "$OPTARG" ;;
+		\?) die "Invalid option -- '%s'" "$OPTARG" ;;
 	esac
 done
 shift $(( OPTIND - 1 ))
@@ -23,7 +23,7 @@ fi
 if [[ -z $FORCE ]]; then
 	for tag in "$@"; do
 		if ! in_array "$tag" "${_tags[@]}"; then
-			die 'archrelease: Invalid tag: "'$tag'" (use -f to force release)'
+			die "archrelease: Invalid tag: '%s' (use -f to force release)" "$tag"
 		fi
 	done
 fi

checkpkg.in

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+shopt -s extglob
+
 m4_include(lib/common.sh)
 
 # Source makepkg.conf; fail if it is not found
@@ -18,63 +20,54 @@ if [[ ! -f PKGBUILD ]]; then
 	die 'This must be run in the directory of a built package.'
 fi
 
-. PKGBUILD
+. ./PKGBUILD
 if [[ $arch == 'any' ]]; then
 	CARCH='any'
 fi
 
 STARTDIR=$(pwd)
 TEMPDIR=$(mktemp -d --tmpdir checkpkg-script.XXXX)
-cd "$TEMPDIR"
 
 for _pkgname in "${pkgname[@]}"; do
-	pkgfile=${_pkgname}-$(get_full_version $_pkgname)-${CARCH}${PKGEXT}
-
-	if [[ -f "$STARTDIR/$pkgfile" ]]; then
-		ln -s "$STARTDIR/$pkgfile" "$pkgfile"
-	elif [[ -f "$PKGDEST/$pkgfile" ]]; then
-		ln -s "$PKGDEST/$pkgfile" "$pkgfile"
-	else
-		die "File \"$pkgfile\" doesn't exist"
+	target_pkgver=$(get_full_version "$_pkgname")
+	if ! pkgfile=$(find_cached_package "$_pkgname" "$target_pkgver" "$CARCH"); then
+		die 'tarball not found for package: %s' "${_pkgname}-$target_pkgver"
 	fi
 
+	ln -s "$pkgfile" "$TEMPDIR"
+
 	pkgurl=$(pacman -Spdd --print-format '%l' --noconfirm "$_pkgname")
 
 	if [[ $? -ne 0 ]]; then
-		die "Couldn't download previous package for $_pkgname."
+		die "Couldn't download previous package for %s." "$_pkgname"
 	fi
 
 	oldpkg=${pkgurl##*://*/}
 
 	if [[ ${oldpkg##*/} = ${pkgfile##*/} ]]; then
-		die "The built package ($_pkgname) is the one in the repo right now!"
+		die "The built package (%s) is the one in the repo right now!" "$_pkgname"
 	fi
 
-	if [[ ! -f $oldpkg ]]; then
-		if [[ $pkgurl = file://* ]]; then
-			ln -s "${pkgurl#file://}" "${pkgurl##file://*/}"
-		elif [[ -f "$PKGDEST/$oldpkg" ]]; then
-			ln -s "$PKGDEST/$oldpkg" "$oldpkg"
-		elif [[ -f "$STARTDIR/$oldpkg" ]]; then
-			ln -s "$STARTDIR/$oldpkg" "$oldpkg"
-		else
-		        curl -fsLC - --retry 3 --retry-delay 3 -o "$oldpkg" "$pkgurl"
-		fi
+	if [[ $pkgurl = file://* ]]; then
+		ln -s "${pkgurl#file://}" "$TEMPDIR/$oldpkg"
+	elif [[ -f "$PKGDEST/$oldpkg" ]]; then
+		ln -s "$PKGDEST/$oldpkg" "$TEMPDIR/$oldpkg"
+	elif [[ -f "$STARTDIR/$oldpkg" ]]; then
+		ln -s "$STARTDIR/$oldpkg" "$TEMPDIR/$oldpkg"
+	else
+		curl -fsLC - --retry 3 --retry-delay 3 -o "$TEMPDIR/$oldpkg" "$pkgurl"
 	fi
 
-	bsdtar tf "$oldpkg" | sort > "filelist-$_pkgname-old"
-	bsdtar tf "$pkgfile" | sort > "filelist-$_pkgname"
+	bsdtar tf "$TEMPDIR/$oldpkg" | sort > "$TEMPDIR/filelist-$_pkgname-old"
+	bsdtar tf "$pkgfile" | sort > "$TEMPDIR/filelist-$_pkgname"
 
-	sdiff -s "filelist-$_pkgname-old" "filelist-$_pkgname"
+	sdiff -s "$TEMPDIR/filelist-$_pkgname-old" "$TEMPDIR/filelist-$_pkgname"
 
-	if diff "filelist-$_pkgname-old" "filelist-$_pkgname" | grep '\.so' > /dev/null 2>&1; then
-		mkdir -p pkg
-		cd pkg
-		bsdtar xf ../"$pkgfile" > /dev/null
-		diff "../filelist-$_pkgname-old" "../filelist-$_pkgname" | awk '/>.*\.so/{$1 = ""; print $0}' | while read i; do
-			echo "${i}: " "$(objdump -p "$i" | grep SONAME)"
-		done
-		cd ..
+	find-libprovides "$TEMPDIR/$oldpkg" 2>/dev/null | sort > "$TEMPDIR/libraries-$_pkgname-old"
+	find-libprovides "$pkgfile" 2>/dev/null | sort > "$TEMPDIR/libraries-$_pkgname"
+	if ! diff_output="$(sdiff -s "$TEMPDIR/libraries-$_pkgname-old" "$TEMPDIR/libraries-$_pkgname")"; then
+		msg "Sonames differ in $_pkgname!"
+		echo "$diff_output"
 	else
 		msg "No soname differences for $_pkgname."
 	fi

commitpkg.in

@@ -2,22 +2,6 @@
 
 m4_include(lib/common.sh)
 
-getpkgfile() {
-	case $# in
-		0)
-			error 'No canonical package found!'
-			return 1
-			;;
-		[!1])
-			error 'Failed to canonicalize package name -- multiple packages found:'
-			msg2 '%s' "$@"
-			return 1
-			;;
-	esac
-
-	echo "$1"
-}
-
 # Source makepkg.conf; fail if it is not found
 if [[ -r '/etc/makepkg.conf' ]]; then
 	source '/etc/makepkg.conf'
@@ -36,7 +20,7 @@ if [[ ! -f PKGBUILD ]]; then
 	die 'No PKGBUILD file'
 fi
 
-. PKGBUILD
+. ./PKGBUILD
 pkgbase=${pkgbase:-$pkgname}
 
 case "$cmd" in
@@ -55,24 +39,28 @@ case "$cmd" in
 		;;
 esac
 
-# check if all local source files are under version control
+# find files which should be under source control
+needsversioning=()
 for s in "${source[@]}"; do
-	if [[ $s != *://* ]] && ! svn status -v "$s@" | grep -q '^[ AMRX~]'; then
-		die "$s is not under version control"
-	fi
+	[[ $s != *://* ]] && needsversioning+=("$s")
 done
-
-# check if changelog and install files are under version control
 for i in 'changelog' 'install'; do
 	while read -r file; do
 		# evaluate any bash variables used
 		eval file=\"$(sed 's/^\(['\''"]\)\(.*\)\1$/\2/' <<< "$file")\"
-		if ! svn status -v "${file}" | grep -q '^[ AMRX~]'; then
-			die "${file} is not under version control"
-		fi
+		needsversioning+=("$file")
 	done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
 done
 
+# assert that they really are controlled by SVN
+if (( ${#needsversioning[*]} )); then
+	# svn status's output is only two columns when the status is unknown
+	while read -r status filename; do
+		[[ $status = '?' ]] && unversioned+=("$filename")
+	done < <(svn status -v "${needsversioning[@]}")
+	(( ${#unversioned[*]} )) && die "%s is not under version control" "${unversioned[@]}"
+fi
+
 rsyncopts=(-e ssh -p --chmod=ug=rw,o=r -c -h -L --progress --partial -y)
 archreleaseopts=()
 while getopts ':l:a:s:f' flag; do
@@ -81,8 +69,8 @@ while getopts ':l:a:s:f' flag; do
 		s) server=$OPTARG ;;
 		l) rsyncopts+=("--bwlimit=$OPTARG") ;;
 		a) commit_arch=$OPTARG ;;
-		:) die "Option requires an argument -- '$OPTARG'" ;;
-		\?) die "Invalid option -- '$OPTARG'" ;;
+		:) die "Option requires an argument -- '%s'" "$OPTARG" ;;
+		\?) die "Invalid option -- '%s'" "$OPTARG" ;;
 	esac
 done
 shift $(( OPTIND - 1 ))
@@ -95,9 +83,8 @@ for _arch in ${arch[@]}; do
 	for _pkgname in ${pkgname[@]}; do
 		fullver=$(get_full_version $_pkgname)
 
-		if pkgfile=$(shopt -s nullglob;
-				getpkgfile "${PKGDEST+$PKGDEST/}$_pkgname-$fullver-${_arch}".pkg.tar.?z); then
-			if grep -q "packager = Unknown Packager" <(bsdtar -xOqf $pkgfile .PKGINFO); then
+		if pkgfile=$(find_cached_package "$_pkgname" "$_arch" "$fullver"); then
+			if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then
 				die "PACKAGER was not set when building package"
 			fi
 		fi
@@ -147,8 +134,7 @@ for _arch in ${arch[@]}; do
 	for _pkgname in ${pkgname[@]}; do
 		fullver=$(get_full_version $_pkgname)
 
-		if ! pkgfile=$(shopt -s nullglob;
-				getpkgfile "${PKGDEST+$PKGDEST/}$_pkgname-$fullver-${_arch}".pkg.tar.?z); then
+		if ! pkgfile=$(find_cached_package "$_pkgname" "$fullver" "${_arch}"); then
 			warning "Skipping $_pkgname-$fullver-$_arch: failed to locate package file"
 			skip_arches+=($_arch)
 			continue 2
@@ -164,7 +150,7 @@ for _arch in ${arch[@]}; do
 			gpg --detach-sign --use-agent ${SIGNWITHKEY} "${pkgfile}" || die
 		fi
 		if ! gpg --verify "$sigfile" >/dev/null 2>&1; then
-			die "Signature ${pkgfile}.sig is incorrect!"
+			die "Signature %s.sig is incorrect!" "$pkgfile"
 		fi
 		uploads+=("$sigfile")
 	done

crossrepomove.in

@@ -25,7 +25,7 @@ case $scriptname in
 		target_repo='extra'
 		;;
 	*)
-		die "Couldn't find configuration for $scriptname"
+		die "Couldn't find configuration for %s" "$scriptname"
 		;;
 esac
 

find-libdeps.in

@@ -16,7 +16,7 @@ script_mode=${0##*/find-lib}
 
 case $script_mode in
 	deps|provides) true;;
-	*) die "Unknown mode $script_mode" ;;
+	*) die "Unknown mode %s" "$script_mode" ;;
 esac
 
 if [[ -z $1 ]]; then
@@ -32,11 +32,11 @@ else
 	setup_workdir
 
 	case ${script_mode} in
-		deps) bsdtar -C $WORKDIR -xf "$1";;
-		provides) bsdtar -C $WORKDIR -xf "$1" --include="*.so*";;
+		deps) bsdtar -C "$WORKDIR" -xf "$1";;
+		provides) bsdtar -C "$WORKDIR" -xf "$1" --include="*.so*";;
 	esac
 
-	pushd $WORKDIR >/dev/null
+	pushd "$WORKDIR" >/dev/null
 fi
 
 process_sofile() {
@@ -50,16 +50,16 @@ process_sofile() {
 	if ! in_array "${soname}=${soversion}-${soarch}" ${soobjects[@]}; then
 		# libfoo.so=1-64
 		echo "${soname}=${soversion}-${soarch}"
-		soobjects=(${soobjects[@]} "${soname}=${soversion}-${soarch}")
+		soobjects+=("${soname}=${soversion}-${soarch}")
 	fi
 }
 
 case $script_mode in
-	deps) find_args="-perm -u+x";;
-	provides) find_args="-name *.so*";;
+	deps) find_args=(-perm -u+x);;
+  provides) find_args=(-name '*.so*');;
 esac
 
-find . -type f $find_args | while read filename; do
+find . -type f "${find_args[@]}" | while read filename; do
 	if [[ $script_mode = "provides" ]]; then
 		# ignore if we don't have a shared object
 		if ! LC_ALL=C readelf -h "$filename" 2>/dev/null | grep -q '.*Type:.*DYN (Shared object file).*'; then

lib/common.sh

@@ -1,6 +1,8 @@
 # Avoid any encoding problems
 export LANG=C
 
+shopt -s extglob
+
 # check if messages are to be printed using color
 unset ALL_OFF BOLD BLUE GREEN RED YELLOW
 if [[ -t 2 ]]; then
@@ -63,12 +65,12 @@ setup_workdir() {
 
 cleanup() {
 	[[ -n $WORKDIR ]] && rm -rf "$WORKDIR"
-	[[ $1 ]] && exit $1
+	exit ${1:-0}
 }
 
 abort() {
-	msg 'Aborting...'
-	cleanup 0
+	error 'Aborting...'
+	cleanup 255
 }
 
 trap_abort() {
@@ -77,13 +79,14 @@ trap_abort() {
 }
 
 trap_exit() {
+	local r=$?
 	trap - EXIT INT QUIT TERM HUP
-	cleanup
+	cleanup $r
 }
 
 die() {
-	error "$*"
-	cleanup 1
+	(( $# )) && error "$@"
+	cleanup 255
 }
 
 trap 'trap_abort' INT QUIT TERM HUP
@@ -112,7 +115,7 @@ get_full_version() {
 	pkgbase=${pkgbase:-${pkgname[0]}}
 	epoch=${epoch:-0}
 	if [[ -z $1 ]]; then
-		if [[ $epoch ]] && (( ! $epoch )); then
+		if (( ! epoch )); then
 			echo $pkgver-$pkgrel
 		else
 			echo $epoch:$pkgver-$pkgrel
@@ -154,3 +157,87 @@ slock() {
 		stat_done
 	fi
 }
+
+##
+# usage: pkgver_equal( $pkgver1, $pkgver2 )
+##
+pkgver_equal() {
+	local left right
+
+	if [[ $1 = *-* && $2 = *-* ]]; then
+		# if both versions have a pkgrel, then they must be an exact match
+		[[ $1 = "$2" ]]
+	else
+		# otherwise, trim any pkgrel and compare the bare version.
+		[[ ${1%%-*} = "${2%%-*}" ]]
+	fi
+}
+
+##
+#  usage: find_cached_package( $pkgname, $pkgver, $arch )
+#
+#    $pkgver can be supplied with or without a pkgrel appended.
+#    If not supplied, any pkgrel will be matched.
+##
+find_cached_package() {
+	local searchdirs=("$PWD" "$PKGDEST") results=()
+	local targetname=$1 targetver=$2 targetarch=$3
+	local dir pkg pkgbasename pkgparts name ver rel arch size r results
+
+	for dir in "${searchdirs[@]}"; do
+		[[ -d $dir ]] || continue
+
+		for pkg in "$dir"/*.pkg.tar?(.?z); do
+			[[ -f $pkg ]] || continue
+
+			# avoid adding duplicates of the same inode
+			for r in "${results[@]}"; do
+				[[ $r -ef $pkg ]] && continue 2
+			done
+
+			# split apart package filename into parts
+			pkgbasename=${pkg##*/}
+			pkgbasename=${pkgbasename%.pkg.tar?(.?z)}
+
+			arch=${pkgbasename##*-}
+			pkgbasename=${pkgbasename%-"$arch"}
+
+			rel=${pkgbasename##*-}
+			pkgbasename=${pkgbasename%-"$rel"}
+
+			ver=${pkgbasename##*-}
+			name=${pkgbasename%-"$ver"}
+
+			if [[ $targetname = "$name" && $targetarch = "$arch" ]] &&
+					pkgver_equal "$targetver" "$ver-$rel"; then
+				results+=("$pkg")
+			fi
+		done
+	done
+
+	case ${#results[*]} in
+		0)
+			return 1
+			;;
+		1)
+			printf '%s\n' "$results"
+			return 0
+			;;
+		*)
+			error 'Multiple packages found:'
+			printf '\t%s\n' "${results[@]}" >&2
+			return 1
+	esac
+}
+
+##
+#  usage : check_root ("$0" "$@")
+##
+check_root() {
+	(( EUID == 0 )) && return
+	if type -P sudo >/dev/null; then
+		exec sudo -- "$@"
+	else
+		exec su root -c "$(printf ' %q' "$@")"
+	fi
+}

makechrootpkg.in

@@ -12,7 +12,7 @@ m4_include(lib/common.sh)
 
 shopt -s nullglob
 
-makepkg_args='-s --noconfirm -L --holdver'
+makepkg_args=(-s --noconfirm -L --holdver)
 repack=false
 update_first=false
 clean_first=false
@@ -24,6 +24,9 @@ passeddir=
 declare -a install_pkgs
 declare -i ret=0
 
+bindmounts_ro=()
+bindmounts_rw=()
+
 copy=$USER
 [[ -n $SUDO_USER ]] && copy=$SUDO_USER
 [[ -z "$copy" || $copy = root ]] && copy=copy
@@ -32,8 +35,8 @@ src_owner=${SUDO_USER:-$USER}
 usage() {
 	echo "Usage: ${0##*/} [options] -r <chrootdir> [--] [makepkg args]"
 	echo ' Run this script in a PKGBUILD dir to build a package inside a'
-	echo ' clean chroot. All unrecognized arguments passed to this script'
-	echo ' will be passed to makepkg.'
+	echo ' clean chroot. Arguments passed to this script after the'
+	echo ' end-of-options marker (--) will be passed to makepkg.'
 	echo ''
 	echo ' The chroot dir consists of the following directories:'
 	echo ' <chrootdir>/{root, copy} but only "root" is required'
@@ -43,11 +46,13 @@ usage() {
 	echo 'command:'
 	echo '    mkarchroot <chrootdir>/root base-devel'
 	echo ''
-	echo "Default makepkg args: $makepkg_args"
+	echo "Default makepkg args: ${makepkg_args[*]}"
 	echo ''
 	echo 'Flags:'
 	echo '-h         This help'
 	echo '-c         Clean the chroot before building'
+	echo '-d <dir>   Bind directory into build chroot as read-write'
+	echo '-D <dir>   Bind directory into build chroot as read-only'
 	echo '-u         Update the working copy of the chroot before building'
 	echo '           This is useful for rebuilds without dirtying the pristine'
 	echo '           chroot'
@@ -61,62 +66,13 @@ usage() {
 	exit 1
 }
 
-while getopts 'hcur:I:l:nT' arg; do
-	case "$arg" in
-		h) usage ;;
-		c) clean_first=true ;;
-		u) update_first=true ;;
-		r) passeddir="$OPTARG" ;;
-		I) install_pkgs+=("$OPTARG") ;;
-		l) copy="$OPTARG" ;;
-		n) run_namcap=true; makepkg_args="$makepkg_args -i" ;;
-		T) temp_chroot=true; copy+="-$$" ;;
-		*) makepkg_args="$makepkg_args -$arg $OPTARG" ;;
-	esac
-done
-
-(( EUID != 0 )) && die 'This script must be run as root.'
-
-[[ ! -f PKGBUILD && -z "${install_pkgs[*]}" ]] && die 'This must be run in a directory containing a PKGBUILD.'
-
-# Canonicalize chrootdir, getting rid of trailing /
-chrootdir=$(readlink -e "$passeddir")
-[[ ! -d $chrootdir ]] && die "No chroot dir defined, or invalid path '$passeddir'"
-[[ ! -d $chrootdir/root ]] && die "Missing chroot dir root directory. Try using: mkarchroot $chrootdir/root base-devel"
-
-# Detect chrootdir filesystem type
-chroottype=$(stat -f -c %T "$chrootdir")
-
-if [[ ${copy:0:1} = / ]]; then
-	copydir=$copy
-else
-	copydir="$chrootdir/$copy"
-fi
-
-# Pass all arguments after -- right to makepkg
-makepkg_args="$makepkg_args ${*:$OPTIND}"
-
-# See if -R was passed to makepkg
-for arg in ${*:$OPTIND}; do
-	if [[ $arg = -R ]]; then
-		repack=true
-		break
-	fi
-done
-
-if [[ -n $SUDO_USER ]]; then
-	USER_HOME=$(eval echo ~$SUDO_USER)
-else
-	USER_HOME=$HOME
-fi
-
 # {{{ functions
 load_vars() {
 	local makepkg_conf="$1" var
 
 	[[ -f $makepkg_conf ]] || return 1
 
-	for var in {SRC,PKG,LOG}DEST MAKEFLAGS PACKAGER; do
+	for var in {SRC,SRCPKG,PKG,LOG}DEST MAKEFLAGS PACKAGER; do
 		[[ -z ${!var} ]] && eval $(grep "^${var}=" "$makepkg_conf")
 	done
 
@@ -133,13 +89,13 @@ create_chroot() {
 		slock 8 "$chrootdir/root.lock" "Locking clean chroot"
 
 		stat_busy "Creating clean working copy [$copy]"
-		if [[ "$chroottype" == btrfs ]]; then
+		if [[ "$chroottype" == btrfs ]] && ! mountpoint -q "$copydir"; then
 			if [[ -d $copydir ]]; then
 				btrfs subvolume delete "$copydir" >/dev/null ||
-					die "Unable to delete subvolume $copydir"
+					die "Unable to delete subvolume %s" "$copydir"
 			fi
 			btrfs subvolume snapshot "$chrootdir/root" "$copydir" >/dev/null ||
-				die "Unable to create subvolume $copydir"
+				die "Unable to create subvolume %s" "$copydir"
 		else
 			mkdir -p "$copydir"
 			rsync -a --delete -q -W -x "$chrootdir/root/" "$copydir"
@@ -149,17 +105,20 @@ create_chroot() {
 		# Drop the read lock again
 		exec 8>&-
 	fi
+
+	# Update mtime
+	touch "$copydir"
 }
 
 clean_temporary() {
 	stat_busy "Removing temporary copy [$copy]"
-	if [[ "$chroottype" == btrfs ]]; then
+	if [[ "$chroottype" == btrfs ]] && ! mountpoint -q "$copydir"; then
 		btrfs subvolume delete "$copydir" >/dev/null ||
-			die "Unable to delete subvolume $copydir"
+			die "Unable to delete subvolume %s" "$copydir"
 	else
 		# avoid change of filesystem in case of an umount failure
 		rm --recursive --force --one-file-system "$copydir" ||
-			die "Unable to delete $copydir"
+			die "Unable to delete %s" "$copydir"
 	fi
 
 	# remove lock file
@@ -174,7 +133,9 @@ install_packages() {
 		pkgname="${install_pkg##*/}"
 		cp "$install_pkg" "$copydir/$pkgname"
 
-		arch-nspawn "$copydir" pacman -U /$pkgname --noconfirm
+		arch-nspawn "$copydir" \
+			"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+			pacman -U /$pkgname --noconfirm
 		(( ret += !! $? ))
 
 		rm "$copydir/$pkgname"
@@ -192,10 +153,12 @@ prepare_chroot() {
 		echo 'BUILDDIR="/build"' >> "$copydir/etc/makepkg.conf"
 	fi
 
-	# Read .makepkg.conf and .gnupg/pubring.gpg even if called via sudo
-	if [[ -r "$USER_HOME/.gnupg/pubring.gpg" ]]; then
-		install -D "$USER_HOME/.gnupg/pubring.gpg" \
-			   "$copydir/build/.gnupg/pubring.gpg"
+	# Read .makepkg.conf and gnupg pubring
+	if [[ -r $USER_HOME/.gnupg/pubring.kbx ]]; then
+		install -D "$USER_HOME/.gnupg/pubring.kbx" "$copydir/build/.gnupg/pubring.kbx"
+	fi
+	if [[ -r $USER_HOME/.gnupg/pubring.gpg ]]; then
+		install -D "$USER_HOME/.gnupg/pubring.gpg" "$copydir/build/.gnupg/pubring.gpg"
 	fi
 
 	mkdir -p "$copydir/pkgdest"
@@ -203,6 +166,11 @@ prepare_chroot() {
 		echo 'PKGDEST="/pkgdest"' >> "$copydir/etc/makepkg.conf"
 	fi
 
+	mkdir -p "$copydir/srcpkgdest"
+	if ! grep -q 'SRCPKGDEST="/srcpkgdest"' "$copydir/etc/makepkg.conf"; then
+		echo 'SRCPKGDEST="/srcpkgdest"' >> "$copydir/etc/makepkg.conf"
+	fi
+
 	mkdir -p "$copydir/logdest"
 	if ! grep -q 'LOGDEST="/logdest"' "$copydir/etc/makepkg.conf"; then
 		echo 'LOGDEST="/logdest"' >> "$copydir/etc/makepkg.conf"
@@ -216,7 +184,13 @@ prepare_chroot() {
 		echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
 	fi
 
-	chown -R nobody "$copydir"/{build,pkgdest,logdest,srcdest,startdir}
+	builduser_uid=${SUDO_UID:-$UID}
+
+	# We can't use useradd without chrooting, otherwise it invokes PAM modules
+	# which we might not be able to load (i.e. when building i686 packages on
+	# an x86_64 host).
+	printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd"
+	chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
 
 	if [[ -n $MAKEFLAGS ]]; then
 		sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
@@ -228,18 +202,33 @@ prepare_chroot() {
 		echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
 	fi
 
-	if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then
-		cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF
+	if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
+		cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
 Defaults env_keep += "HOME"
-nobody ALL = NOPASSWD: /usr/bin/pacman
+builduser ALL = NOPASSWD: /usr/bin/pacman
 EOF
-		chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
+		chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
 	fi
 
 	# This is a little gross, but this way the script is recreated every time in the
 	# working copy
-	printf $'#!/bin/bash\n%s\n_chrootbuild %q %q' "$(declare -f _chrootbuild)" \
-		"$makepkg_args" "$run_namcap" >"$copydir/chrootbuild"
+	{
+		printf '#!/bin/bash\n'
+		declare -f _chrootbuild
+		printf '_chrootbuild'
+		printf ' %q' "${makepkg_args[@]}"
+		printf ' || exit\n'
+
+		if $run_namcap; then
+			cat <<'EOF'
+pacman -S --needed --noconfirm namcap
+for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
+	echo "Checking ${pkgfile##*/}"
+	sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+done
+EOF
+		fi
+	} >"$copydir/chrootbuild"
 	chmod +x "$copydir/chrootbuild"
 }
 
@@ -265,8 +254,6 @@ download_sources() {
 _chrootbuild() {
 	# This function isn't run in makechrootpkg,
 	# so no global variables
-	local makepkg_args="$1"
-	local run_namcap="$2"
 
 	. /etc/profile
 	export HOME=/build
@@ -276,14 +263,16 @@ _chrootbuild() {
 	ln -sft /srcdest /srcdest_host/*
 	ln -sft /startdir /startdir_host/*
 
-	# XXX: Keep svn sources writable
+	# XXX: Keep bzr and svn sources writable
 	# Since makepkg 4.1.1 they get checked out via cp -a, copying the symlink
 	for dir in /srcdest /startdir; do
-		cd $dir
-		for svndir in */.svn; do
-			rm ${svndir%/.svn}
-			cp -a ${dir}_host/${svndir%/.svn} .
-			chown -R nobody ${svndir%/.svn}
+		for vcs in bzr svn; do
+			cd "$dir"
+			for vcsdir in */.$vcs; do
+				rm "${vcsdir%/.$vcs}"
+				cp -a "${dir}_host/${vcsdir%/.$vcs}" .
+				chown -R builduser "${vcsdir%/.$vcs}"
+			done
 		done
 	done
 
@@ -292,7 +281,7 @@ _chrootbuild() {
 	# XXX: Keep PKGBUILD writable for pkgver()
 	rm PKGBUILD*
 	cp /startdir_host/PKGBUILD* .
-	chown nobody PKGBUILD*
+	chown builduser PKGBUILD*
 
 	# Safety check
 	if [[ ! -w PKGBUILD ]]; then
@@ -300,17 +289,7 @@ _chrootbuild() {
 		exit 1
 	fi
 
-	sudo -u nobody makepkg $makepkg_args || exit 1
-
-	if $run_namcap; then
-		pacman -S --needed --noconfirm namcap
-		for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
-			echo "Checking ${pkgfile##*/}"
-			sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
-		done
-	fi
-
-	exit 0
+	sudo -u builduser makepkg "$@"
 }
 
 move_products() {
@@ -320,25 +299,88 @@ move_products() {
 	done
 
 	for l in "$copydir"/logdest/*; do
+		[[ $l == */logpipe.* ]] && continue
 		chown "$src_owner" "$l"
 		mv "$l" "$LOGDEST"
 	done
+
+	for s in "$copydir"/srcpkgdest/*; do
+		chown "$src_owner" "$s"
+		mv "$s" "$SRCPKGDEST"
+	done
 }
 # }}}
 
+orig_argv=("$@")
+
+while getopts 'hcur:I:l:nTD:d:' arg; do
+	case "$arg" in
+		c) clean_first=true ;;
+		D) bindmounts_ro+=(--bind-ro="$OPTARG") ;;
+		d) bindmounts_rw+=(--bind="$OPTARG") ;;
+		u) update_first=true ;;
+		r) passeddir="$OPTARG" ;;
+		I) install_pkgs+=("$OPTARG") ;;
+		l) copy="$OPTARG" ;;
+		n) run_namcap=true; makepkg_args+=(-i) ;;
+		T) temp_chroot=true; copy+="-$$" ;;
+		h|*) usage ;;
+	esac
+done
+
+[[ ! -f PKGBUILD && -z "${install_pkgs[*]}" ]] && die 'This must be run in a directory containing a PKGBUILD.'
+
+check_root "$0" "${orig_argv[@]}"
+
+# Canonicalize chrootdir, getting rid of trailing /
+chrootdir=$(readlink -e "$passeddir")
+[[ ! -d $chrootdir ]] && die "No chroot dir defined, or invalid path '%s'" "$passeddir"
+[[ ! -d $chrootdir/root ]] && die "Missing chroot dir root directory. Try using: mkarchroot %s/root base-devel" "$chrootdir"
+
+# Detect chrootdir filesystem type
+chroottype=$(stat -f -c %T "$chrootdir")
+
+if [[ ${copy:0:1} = / ]]; then
+	copydir=$copy
+else
+	copydir="$chrootdir/$copy"
+fi
+
+# Pass all arguments after -- right to makepkg
+makepkg_args+=("${@:$OPTIND}")
+
+# See if -R was passed to makepkg
+for arg in "${@:OPTIND}"; do
+	case ${arg%%=*} in
+		-*R*|--repackage)
+			repack=true
+			break 2
+			;;
+	esac
+done
+
+if [[ -n $SUDO_USER ]]; then
+	eval "USER_HOME=~$SUDO_USER"
+else
+	USER_HOME=$HOME
+fi
+
 umask 0022
 
 load_vars "$USER_HOME/.makepkg.conf"
 load_vars /etc/makepkg.conf
 
 # Use PKGBUILD directory if these don't exist
-[[ -d $PKGDEST ]] || PKGDEST=$PWD
-[[ -d $SRCDEST ]] || SRCDEST=$PWD
-[[ -d $LOGDEST ]] || LOGDEST=$PWD
+[[ -d $PKGDEST ]]    || PKGDEST=$PWD
+[[ -d $SRCDEST ]]    || SRCDEST=$PWD
+[[ -d $SRCPKGDEST ]] || SRCPKGDEST=$PWD
+[[ -d $LOGDEST ]]    || LOGDEST=$PWD
 
 create_chroot
 
-$update_first && arch-nspawn "$copydir" pacman -Syu --noconfirm
+$update_first && arch-nspawn "$copydir" \
+		"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+		pacman -Syu --noconfirm
 
 [[ -n ${install_pkgs[*]} ]] && install_packages
 
@@ -349,6 +391,7 @@ download_sources
 if arch-nspawn "$copydir" \
 	--bind-ro="$PWD:/startdir_host" \
 	--bind-ro="$SRCDEST:/srcdest_host" \
+	"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
 	/chrootbuild
 then
 	move_products
@@ -362,7 +405,7 @@ if (( ret != 0 )); then
 	if $temp_chroot; then
 		die "Build failed"
 	else
-		die "Build failed, check $copydir/build"
+		die "Build failed, check %s/build" "$copydir"
 	fi
 else
 	true

makepkg-i686.conf

@@ -19,6 +19,13 @@ DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %
 # /usr/bin/lftpget -c
 # /usr/bin/wget
 
+#-- The the package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
 #########################################################################
 # ARCHITECTURE, COMPILE FLAGS
 #########################################################################
@@ -30,8 +37,8 @@ CHOST="i686-pc-linux-gnu"
 # -march (or -mcpu) builds exclusively for an architecture
 # -mtune optimizes for an architecture, but builds for whole processor family
 CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4"
-CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4"
+CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
 LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
@@ -67,7 +74,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #   These are default values for the options=() settings
 #########################################################################
 #
-# Default: OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !upx !debug)
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
 #  A negated option will do the opposite of the comments below.
 #
 #-- strip:      Strip symbols from binaries/libraries
@@ -80,7 +87,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #-- upx:        Compress binary executable files using UPX
 #-- debug:      Add debugging flags as specified in DEBUG_* variables
 #
-OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !upx !debug)
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
 INTEGRITY_CHECK=(md5)
@@ -109,6 +116,8 @@ PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
 #SRCDEST=/home/sources
 #-- Source packages: specify a fixed directory where all src packages will be placed
 #SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
 #-- Packager: name/email of the person or organization building packages
 #PACKAGER="John Doe <john@doe.com>"
 #-- Specify a key to use for package signing

makepkg-x86_64.conf

@@ -19,6 +19,13 @@ DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %
 # /usr/bin/lftpget -c
 # /usr/bin/wget
 
+#-- The the package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
 #########################################################################
 # ARCHITECTURE, COMPILE FLAGS
 #########################################################################
@@ -30,8 +37,8 @@ CHOST="x86_64-unknown-linux-gnu"
 # -march (or -mcpu) builds exclusively for an architecture
 # -mtune optimizes for an architecture, but builds for whole processor family
 CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4"
-CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4"
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
 LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
@@ -67,7 +74,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #   These are default values for the options=() settings
 #########################################################################
 #
-# Default: OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !upx !debug)
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
 #  A negated option will do the opposite of the comments below.
 #
 #-- strip:      Strip symbols from binaries/libraries
@@ -80,7 +87,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #-- upx:        Compress binary executable files using UPX
 #-- debug:      Add debugging flags as specified in DEBUG_* variables
 #
-OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !upx !debug)
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
 INTEGRITY_CHECK=(md5)
@@ -109,6 +116,8 @@ PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
 #SRCDEST=/home/sources
 #-- Source packages: specify a fixed directory where all src packages will be placed
 #SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
 #-- Packager: name/email of the person or organization building packages
 #PACKAGER="John Doe <john@doe.com>"
 #-- Specify a key to use for package signing

mkarchroot.in

@@ -15,7 +15,7 @@ CHROOT_VERSION='v3'
 working_dir=''
 
 usage() {
-	echo "Usage: ${0##*/} [options] working-dir [package-list | app]"
+	echo "Usage: ${0##*/} [options] working-dir package-list..."
 	echo ' options:'
 	echo '    -C <file>     Location of a pacman config file'
 	echo '    -M <file>     Location of a makepkg config file'
@@ -24,6 +24,8 @@ usage() {
 	exit 1
 }
 
+orig_argv=("$@")
+
 while getopts 'hC:M:c:' arg; do
 	case "$arg" in
 		C) pac_conf="$OPTARG" ;;
@@ -35,9 +37,10 @@ while getopts 'hC:M:c:' arg; do
 done
 shift $(($OPTIND - 1))
 
-(( $EUID != 0 )) && die 'This script must be run as root.'
 (( $# < 2 )) && die 'You must specify a directory and one or more packages.'
 
+check_root "$0" "${orig_argv[@]}"
+
 working_dir="$(readlink -f $1)"
 shift 1
 
@@ -51,7 +54,7 @@ fi
 
 umask 0022
 
-[[ -e $working_dir ]] && die "Working directory '$working_dir' already exists"
+[[ -e $working_dir ]] && die "Working directory '%s' already exists" "$working_dir"
 
 mkdir -p "$working_dir"
 
@@ -60,7 +63,7 @@ lock 9 "${working_dir}.lock" "Locking chroot"
 if [[ $(stat -f -c %T "$working_dir") == btrfs ]]; then
 	rmdir "$working_dir"
 	if ! btrfs subvolume create "$working_dir"; then
-		die "Couldn't create subvolume for '$working_dir'"
+		die "Couldn't create subvolume for '%s'" "$working_dir"
 	fi
 	chmod 0755 "$working_dir"
 fi