Version 20170320

The systemd package creates a subvolume at /var/lib/machines (through
tmpfiles), if it can. We need to delete this subvolume before we can
delete the parent subvolume.

Look through the root for inodes with the number 256. These identify
subvolume roots.

Makefile

@@ -1,4 +1,4 @@
-V=20141024
+V=20170320
 
 PREFIX = /usr/local
 
@@ -112,6 +112,7 @@ dist:
 	gpg --detach-sign --use-agent devtools-$(V).tar.gz
 
 upload:
-	scp devtools-$(V).tar.gz devtools-$(V).tar.gz.sig nymeria.archlinux.org:/srv/ftp/other/devtools/
+	scp devtools-$(V).tar.gz devtools-$(V).tar.gz.sig repos.archlinux.org:/srv/ftp/other/devtools/
 
 .PHONY: all clean install uninstall dist upload
+

arch-nspawn.in

@@ -9,8 +9,7 @@
 # GNU General Public License for more details.
 
 m4_include(lib/common.sh)
-
-CHROOT_VERSION='v3'
+m4_include(lib/archroot.sh)
 
 working_dir=''
 
@@ -26,8 +25,6 @@ usage() {
 	exit 1
 }
 
-orig_argv=("$@")
-
 while getopts 'hC:M:c:' arg; do
 	case "$arg" in
 		C) pac_conf="$OPTARG" ;;
@@ -40,7 +37,7 @@ done
 shift $(($OPTIND - 1))
 
 (( $# < 1 )) && die 'You must specify a directory.'
-check_root "$0" "${orig_argv[@]}"
+check_root
 
 working_dir=$(readlink -f "$1")
 shift 1
@@ -53,7 +50,7 @@ else
 	cache_dirs=("$cache_dir")
 fi
 
-host_mirror=$(pacman -Sddp extra/devtools 2>/dev/null | sed -r 's#(.*/)extra/os/.*#\1$repo/os/$arch#')
+host_mirror=$(pacman --cachedir /doesnt/exist -Sddp extra/devtools 2>/dev/null | sed -r 's#(.*/)extra/os/.*#\1$repo/os/$arch#')
 [[ $host_mirror == *file://* ]] && host_mirror_path=$(echo "$host_mirror" | sed -r 's#file://(/.*)/\$repo/os/\$arch#\1#g')
 
 # {{{ functions
@@ -96,7 +93,7 @@ copy_hostconf
 
 eval $(grep '^CARCH=' "$working_dir/etc/makepkg.conf")
 
-exec ${CARCH:+setarch "$CARCH"} systemd-nspawn 2>/dev/null \
+exec ${CARCH:+setarch "$CARCH"} systemd-nspawn -q \
 	-D "$working_dir" \
 	--register=no \
 	"${mount_args[@]}" \

archbuild.in

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 m4_include(lib/common.sh)
+m4_include(lib/archroot.sh)
 
 base_packages=(base-devel)
 makechrootpkg_args=(-c -n)
@@ -29,8 +30,6 @@ usage() {
 	exit 1
 }
 
-orig_argv=("$@")
-
 while getopts 'hcr:' arg; do
 	case "${arg}" in
 		c) clean_first=true ;;
@@ -39,7 +38,7 @@ while getopts 'hcr:' arg; do
 	esac
 done
 
-check_root "$0" "${orig_argv[@]}"
+check_root
 
 # Pass all arguments after -- right to makepkg
 makechrootpkg_args+=("${@:$OPTIND}")
@@ -53,9 +52,7 @@ if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then
 
 		lock 9 "$copy.lock" "Locking chroot copy '$copy'"
 
-		if [[ "$(stat -f -c %T "${copy}")" == btrfs ]]; then
-			{ type -P btrfs && btrfs subvolume delete "${copy}"; } &>/dev/null
-		fi
+		subvolume_delete_recursive "${copy}"
 		rm -rf --one-file-system "${copy}"
 	done
 	exec 9>&-

archco.in

@@ -11,9 +11,9 @@ fi
 
 case $scriptname in
 	archco)
-		SVNURL="svn+ssh://svn-packages@nymeria.archlinux.org/srv/repos/svn-packages/svn";;
+		SVNURL="svn+ssh://svn-packages@repos.archlinux.org/srv/repos/svn-packages/svn";;
 	communityco)
-		SVNURL="svn+ssh://svn-community@nymeria.archlinux.org/srv/repos/svn-community/svn";;
+		SVNURL="svn+ssh://svn-community@repos.archlinux.org/srv/repos/svn-community/svn";;
 	*)
 		die "Couldn't find svn url for %s" "$scriptname"
 		;;

checkpkg.in

@@ -63,8 +63,8 @@ for _pkgname in "${pkgname[@]}"; do
 
 	sdiff -s "$TEMPDIR/filelist-$_pkgname-old" "$TEMPDIR/filelist-$_pkgname"
 
-	find-libprovides "$TEMPDIR/$oldpkg" | sort > "$TEMPDIR/libraries-$_pkgname-old"
-	find-libprovides "$pkgfile" | sort > "$TEMPDIR/libraries-$_pkgname"
+	find-libprovides "$TEMPDIR/$oldpkg" 2>/dev/null | sort > "$TEMPDIR/libraries-$_pkgname-old"
+	find-libprovides "$pkgfile" 2>/dev/null | sort > "$TEMPDIR/libraries-$_pkgname"
 	if ! diff_output="$(sdiff -s "$TEMPDIR/libraries-$_pkgname-old" "$TEMPDIR/libraries-$_pkgname")"; then
 		msg "Sonames differ in $_pkgname!"
 		echo "$diff_output"

commitpkg.in

@@ -92,7 +92,7 @@ for _arch in ${arch[@]}; do
 done
 
 if [[ -z $server ]]; then
-	server='nymeria.archlinux.org'
+	server='repos.archlinux.org'
 fi
 
 if [[ -n $(svn status -q) ]]; then
@@ -147,7 +147,7 @@ for _arch in ${arch[@]}; do
 			if [[ -n $GPGKEY ]]; then
 				SIGNWITHKEY="-u ${GPGKEY}"
 			fi
-			gpg --detach-sign --use-agent ${SIGNWITHKEY} "${pkgfile}" || die
+			gpg --detach-sign --use-agent --no-armor ${SIGNWITHKEY} "${pkgfile}" || die
 		fi
 		if ! gpg --verify "$sigfile" >/dev/null 2>&1; then
 			die "Signature %s.sig is incorrect!" "$pkgfile"

crossrepomove.in

@@ -29,7 +29,7 @@ case $scriptname in
 		;;
 esac
 
-server='nymeria.archlinux.org'
+server='repos.archlinux.org'
 source_svn="svn+ssh://svn-${source_name}@${server}/srv/repos/svn-${source_name}/svn"
 target_svn="svn+ssh://svn-${target_name}@${server}/srv/repos/svn-${target_name}/svn"
 source_dbscripts="/srv/repos/svn-${source_name}/dbscripts"

find-libdeps.in

@@ -32,11 +32,11 @@ else
 	setup_workdir
 
 	case ${script_mode} in
-		deps) bsdtar -C $WORKDIR -xf "$1";;
-		provides) bsdtar -C $WORKDIR -xf "$1" --include="*.so*";;
+		deps) bsdtar -C "$WORKDIR" -xf "$1";;
+		provides) bsdtar -C "$WORKDIR" -xf "$1" --include="*.so*";;
 	esac
 
-	pushd $WORKDIR >/dev/null
+	pushd "$WORKDIR" >/dev/null
 fi
 
 process_sofile() {
@@ -50,16 +50,16 @@ process_sofile() {
 	if ! in_array "${soname}=${soversion}-${soarch}" ${soobjects[@]}; then
 		# libfoo.so=1-64
 		echo "${soname}=${soversion}-${soarch}"
-		soobjects=(${soobjects[@]} "${soname}=${soversion}-${soarch}")
+		soobjects+=("${soname}=${soversion}-${soarch}")
 	fi
 }
 
 case $script_mode in
-	deps) find_args="-perm -u+x";;
-	provides) find_args="-name *.so*";;
+	deps) find_args=(-perm -u+x);;
+  provides) find_args=(-name '*.so*');;
 esac
 
-find . -type f $find_args | while read filename; do
+find . -type f "${find_args[@]}" | while read filename; do
 	if [[ $script_mode = "provides" ]]; then
 		# ignore if we don't have a shared object
 		if ! LC_ALL=C readelf -h "$filename" 2>/dev/null | grep -q '.*Type:.*DYN (Shared object file).*'; then

lib/archroot.sh

@@ -0,0 +1,42 @@
+CHROOT_VERSION='v4'
+
+##
+#  usage : check_root
+##
+orig_argv=("$0" "$@")
+check_root() {
+	(( EUID == 0 )) && return
+	if type -P sudo >/dev/null; then
+		exec sudo -- "${orig_argv[@]}"
+	else
+		exec su root -c "$(printf ' %q' "${orig_argv[@]}")"
+	fi
+}
+
+##
+#  usage : is_btrfs( $path )
+# return : whether $path is on a btrfs
+##
+is_btrfs() {
+	[[ -e "$1" && "$(stat -f -c %T "$1")" == btrfs ]]
+}
+
+##
+#  usage : subvolume_delete_recursive( $path )
+#
+#    Find all btrfs subvolumes under and including $path and delete them.
+##
+subvolume_delete_recursive() {
+	local subvol
+
+	is_btrfs "$1" || return 0
+
+	while IFS= read -d $'\0' -r subvol; do
+		if ! btrfs subvolume delete "$subvol" &>/dev/null; then
+			error "Unable to delete subvolume %s" "$subvol"
+			return 1
+		fi
+	done < <(find "$1" -xdev -depth -inum 256 -print0)
+
+	return 0
+}

lib/common.sh

@@ -162,8 +162,6 @@ slock() {
 # usage: pkgver_equal( $pkgver1, $pkgver2 )
 ##
 pkgver_equal() {
-	local left right
-
 	if [[ $1 = *-* && $2 = *-* ]]; then
 		# if both versions have a pkgrel, then they must be an exact match
 		[[ $1 = "$2" ]]
@@ -182,7 +180,7 @@ pkgver_equal() {
 find_cached_package() {
 	local searchdirs=("$PWD" "$PKGDEST") results=()
 	local targetname=$1 targetver=$2 targetarch=$3
-	local dir pkg pkgbasename pkgparts name ver rel arch size r results
+	local dir pkg pkgbasename name ver rel arch r results
 
 	for dir in "${searchdirs[@]}"; do
 		[[ -d $dir ]] || continue
@@ -229,15 +227,3 @@ find_cached_package() {
 			return 1
 	esac
 }
-
-##
-#  usage : check_root ("$0" "$@")
-##
-check_root() {
-	(( EUID == 0 )) && return
-	if type -P sudo >/dev/null; then
-		exec sudo -- "$@"
-	else
-		exec su root -c "$(printf ' %q' "$@")"
-	fi
-}

makechrootpkg.in

@@ -9,6 +9,7 @@
 # GNU General Public License for more details.
 
 m4_include(lib/common.sh)
+m4_include(lib/archroot.sh)
 
 shopt -s nullglob
 
@@ -21,6 +22,7 @@ run_namcap=false
 temp_chroot=false
 chrootdir=
 passeddir=
+makepkg_user=
 declare -a install_pkgs
 declare -i ret=0
 
@@ -46,6 +48,10 @@ usage() {
 	echo 'command:'
 	echo '    mkarchroot <chrootdir>/root base-devel'
 	echo ''
+	echo 'This script reads {SRC,SRCPKG,PKG,LOG}DEST, MAKEFLAGS and PACKAGER'
+	echo 'from makepkg.conf(5), if those variables are not part of the'
+	echo 'environment.'
+	echo ''
 	echo "Default makepkg args: ${makepkg_args[*]}"
 	echo ''
 	echo 'Flags:'
@@ -63,12 +69,195 @@ usage() {
 	echo "           Default: $copy"
 	echo '-n         Run namcap on the package'
 	echo '-T         Build in a temporary directory'
+	echo '-U         Run makepkg as a specified user'
 	exit 1
 }
 
-orig_argv=("$@")
+# {{{ functions
+load_vars() {
+	local makepkg_conf="$1" var
 
-while getopts 'hcur:I:l:nTD:d:' arg; do
+	[[ -f $makepkg_conf ]] || return 1
+
+	for var in {SRC,SRCPKG,PKG,LOG}DEST MAKEFLAGS PACKAGER; do
+		[[ -z ${!var} ]] && eval $(grep "^${var}=" "$makepkg_conf")
+	done
+
+	return 0
+}
+
+create_chroot() {
+	# Lock the chroot we want to use. We'll keep this lock until we exit.
+	lock 9 "$copydir.lock" "Locking chroot copy [$copy]"
+
+	if [[ ! -d $copydir ]] || $clean_first; then
+		# Get a read lock on the root chroot to make
+		# sure we don't clone a half-updated chroot
+		slock 8 "$chrootdir/root.lock" "Locking clean chroot"
+
+		stat_busy "Creating clean working copy [$copy]"
+		if is_btrfs "$chrootdir" && ! mountpoint -q "$copydir"; then
+			subvolume_delete_recursive "$copydir" ||
+				die "Unable to delete subvolume %s" "$copydir"
+			btrfs subvolume snapshot "$chrootdir/root" "$copydir" >/dev/null ||
+				die "Unable to create subvolume %s" "$copydir"
+		else
+			mkdir -p "$copydir"
+			rsync -a --delete -q -W -x "$chrootdir/root/" "$copydir"
+		fi
+		stat_done
+
+		# Drop the read lock again
+		exec 8>&-
+	fi
+
+	# Update mtime
+	touch "$copydir"
+}
+
+clean_temporary() {
+	stat_busy "Removing temporary copy [$copy]"
+	if is_btrfs "$chrootdir" && ! mountpoint -q "$copydir"; then
+		btrfs subvolume delete "$copydir" >/dev/null ||
+			die "Unable to delete subvolume %s" "$copydir"
+	else
+		# avoid change of filesystem in case of an umount failure
+		rm --recursive --force --one-file-system "$copydir" ||
+			die "Unable to delete %s" "$copydir"
+	fi
+
+	# remove lock file
+	rm -f "$copydir.lock"
+	stat_done
+}
+
+install_packages() {
+	local -a pkgnames
+	local ret
+
+	pkgnames=("${install_pkgs[@]##*/}")
+
+	cp -- "${install_pkgs[@]}" "$copydir/root/"
+	arch-nspawn "$copydir" "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+		pacman -U --noconfirm -- "${pkgnames[@]/#//root/}"
+	ret=$?
+	rm -- "${pkgnames[@]/#/$copydir/root/}"
+
+	# If there is no PKGBUILD we are done
+	[[ -f PKGBUILD ]] || exit $ret
+}
+
+prepare_chroot() {
+	$repack || rm -rf "$copydir/build"
+
+	local builduser_uid="${SUDO_UID:-$UID}"
+	local builduser_gid="$(id -g "$builduser_uid")"
+	local install="install -o $builduser_uid -g $builduser_gid"
+	local x
+
+	# We can't use useradd without chrooting, otherwise it invokes PAM modules
+	# which we might not be able to load (i.e. when building i686 packages on
+	# an x86_64 host).
+	sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,group}
+	printf >>"$copydir/etc/group"  'builduser:x:%d:\n' $builduser_gid
+	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' $builduser_uid $builduser_gid
+
+	$install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest}
+
+	for x in .gnupg/pubring.{kbx,gpg}; do
+		[[ -r $USER_HOME/$x ]] || continue
+		$install -m 644 "$USER_HOME/$x" "$copydir/build/$x"
+	done
+
+	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
+	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
+		"MAKEFLAGS='$MAKEFLAGS'" "PACKAGER='$PACKAGER'"
+	do
+		grep -q "^$x" "$copydir/etc/makepkg.conf" && continue
+		echo "$x" >>"$copydir/etc/makepkg.conf"
+	done
+
+	cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
+builduser ALL = NOPASSWD: /usr/bin/pacman
+EOF
+	chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
+
+	# This is a little gross, but this way the script is recreated every time in the
+	# working copy
+	{
+		printf '#!/bin/bash\n'
+		declare -f _chrootbuild
+		printf '_chrootbuild'
+		printf ' %q' "${makepkg_args[@]}"
+		printf ' || exit\n'
+
+		if $run_namcap; then
+			declare -f _chrootnamcap
+			printf '_chrootnamcap || exit\n'
+		fi
+	} >"$copydir/chrootbuild"
+	chmod +x "$copydir/chrootbuild"
+}
+
+# These functions aren't run in makechrootpkg,
+# so no global variables
+_chrootbuild() {
+	. /etc/profile
+	sudo -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
+}
+
+_chrootnamcap() {
+	pacman -S --needed --noconfirm namcap
+	for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
+		echo "Checking ${pkgfile##*/}"
+		sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+	done
+}
+
+download_sources() {
+	local builddir="$(mktemp -d)"
+	chmod 1777 "$builddir"
+
+	# Ensure sources are downloaded
+	makepkg_user=${makepkg_user:-$SUDO_USER}
+	if [[ -n $makepkg_user ]]; then
+		sudo -u "$makepkg_user" env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \
+			makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o
+	else
+		error "Running makepkg as root is not allowed."
+		exit 1
+	fi
+	(( $? != 0 )) && die "Could not download sources."
+
+	# Clean up garbage from verifysource
+	rm -rf $builddir
+}
+
+move_products() {
+	for pkgfile in "$copydir"/pkgdest/*; do
+		chown "$src_owner" "$pkgfile"
+		mv "$pkgfile" "$PKGDEST"
+
+		# Fix broken symlink because of temporary chroot PKGDEST /pkgdest
+		if [[ "$PWD" != "$PKGDEST" && -L "$PWD/${pkgfile##*/}" ]]; then
+			ln -sf "$PKGDEST/${pkgfile##*/}"
+		fi
+	done
+
+	for l in "$copydir"/logdest/*; do
+		[[ $l == */logpipe.* ]] && continue
+		chown "$src_owner" "$l"
+		mv "$l" "$LOGDEST"
+	done
+
+	for s in "$copydir"/srcpkgdest/*; do
+		chown "$src_owner" "$s"
+		mv "$s" "$SRCPKGDEST"
+	done
+}
+# }}}
+
+while getopts 'hcur:I:l:nTD:d:U:' arg; do
 	case "$arg" in
 		c) clean_first=true ;;
 		D) bindmounts_ro+=(--bind-ro="$OPTARG") ;;
@@ -79,22 +268,21 @@ while getopts 'hcur:I:l:nTD:d:' arg; do
 		l) copy="$OPTARG" ;;
 		n) run_namcap=true; makepkg_args+=(-i) ;;
 		T) temp_chroot=true; copy+="-$$" ;;
+		U) makepkg_user="$OPTARG" ;;
 		h|*) usage ;;
 	esac
 done
 
 [[ ! -f PKGBUILD && -z "${install_pkgs[*]}" ]] && die 'This must be run in a directory containing a PKGBUILD.'
+[[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.'
 
-check_root "$0" "${orig_argv[@]}"
+check_root
 
 # Canonicalize chrootdir, getting rid of trailing /
 chrootdir=$(readlink -e "$passeddir")
 [[ ! -d $chrootdir ]] && die "No chroot dir defined, or invalid path '%s'" "$passeddir"
 [[ ! -d $chrootdir/root ]] && die "Missing chroot dir root directory. Try using: mkarchroot %s/root base-devel" "$chrootdir"
 
-# Detect chrootdir filesystem type
-chroottype=$(stat -f -c %T "$chrootdir")
-
 if [[ ${copy:0:1} = / ]]; then
 	copydir=$copy
 else
@@ -120,252 +308,9 @@ else
 	USER_HOME=$HOME
 fi
 
-# {{{ functions
-load_vars() {
-	local makepkg_conf="$1" var
-
-	[[ -f $makepkg_conf ]] || return 1
-
-	for var in {SRC,SRCPKG,PKG,LOG}DEST MAKEFLAGS PACKAGER; do
-		[[ -z ${!var} ]] && eval $(grep "^${var}=" "$makepkg_conf")
-	done
-
-	return 0
-}
-
-create_chroot() {
-	# Lock the chroot we want to use. We'll keep this lock until we exit.
-	lock 9 "$copydir.lock" "Locking chroot copy [$copy]"
-
-	if [[ ! -d $copydir ]] || $clean_first; then
-		# Get a read lock on the root chroot to make
-		# sure we don't clone a half-updated chroot
-		slock 8 "$chrootdir/root.lock" "Locking clean chroot"
-
-		stat_busy "Creating clean working copy [$copy]"
-		if [[ "$chroottype" == btrfs ]] && ! mountpoint -q "$copydir"; then
-			if [[ -d $copydir ]]; then
-				btrfs subvolume delete "$copydir" >/dev/null ||
-					die "Unable to delete subvolume %s" "$copydir"
-			fi
-			btrfs subvolume snapshot "$chrootdir/root" "$copydir" >/dev/null ||
-				die "Unable to create subvolume %s" "$copydir"
-		else
-			mkdir -p "$copydir"
-			rsync -a --delete -q -W -x "$chrootdir/root/" "$copydir"
-		fi
-		stat_done
-
-		# Drop the read lock again
-		exec 8>&-
-	fi
-
-	# Update mtime
-	touch "$copydir"
-}
-
-clean_temporary() {
-	stat_busy "Removing temporary copy [$copy]"
-	if [[ "$chroottype" == btrfs ]] && ! mountpoint -q "$copydir"; then
-		btrfs subvolume delete "$copydir" >/dev/null ||
-			die "Unable to delete subvolume %s" "$copydir"
-	else
-		# avoid change of filesystem in case of an umount failure
-		rm --recursive --force --one-file-system "$copydir" ||
-			die "Unable to delete %s" "$copydir"
-	fi
-
-	# remove lock file
-	rm -f "$copydir.lock"
-	stat_done
-}
-
-install_packages() {
-	local pkgname
-
-	for install_pkg in "${install_pkgs[@]}"; do
-		pkgname="${install_pkg##*/}"
-		cp "$install_pkg" "$copydir/$pkgname"
-
-		arch-nspawn "$copydir" \
-			"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
-			pacman -U /$pkgname --noconfirm
-		(( ret += !! $? ))
-
-		rm "$copydir/$pkgname"
-	done
-
-	# If there is no PKGBUILD we are done
-	[[ -f PKGBUILD ]] || exit $ret
-}
-
-prepare_chroot() {
-	$repack || rm -rf "$copydir/build"
-
-	mkdir -p "$copydir/build"
-	if ! grep -q 'BUILDDIR="/build"' "$copydir/etc/makepkg.conf"; then
-		echo 'BUILDDIR="/build"' >> "$copydir/etc/makepkg.conf"
-	fi
-
-	# Read .makepkg.conf and .gnupg/pubring.gpg even if called via sudo
-	if [[ -r "$USER_HOME/.gnupg/pubring.gpg" ]]; then
-		install -D "$USER_HOME/.gnupg/pubring.gpg" \
-			   "$copydir/build/.gnupg/pubring.gpg"
-	fi
-
-	mkdir -p "$copydir/pkgdest"
-	if ! grep -q 'PKGDEST="/pkgdest"' "$copydir/etc/makepkg.conf"; then
-		echo 'PKGDEST="/pkgdest"' >> "$copydir/etc/makepkg.conf"
-	fi
-
-	mkdir -p "$copydir/srcpkgdest"
-	if ! grep -q 'SRCPKGDEST="/srcpkgdest"' "$copydir/etc/makepkg.conf"; then
-		echo 'SRCPKGDEST="/srcpkgdest"' >> "$copydir/etc/makepkg.conf"
-	fi
-
-	mkdir -p "$copydir/logdest"
-	if ! grep -q 'LOGDEST="/logdest"' "$copydir/etc/makepkg.conf"; then
-		echo 'LOGDEST="/logdest"' >> "$copydir/etc/makepkg.conf"
-	fi
-
-	# These two get bind-mounted read-only
-	# XXX: makepkg dislikes having these dirs read-only, so separate them
-	mkdir -p "$copydir/startdir" "$copydir/startdir_host"
-	mkdir -p "$copydir/srcdest" "$copydir/srcdest_host"
-	if ! grep -q 'SRCDEST="/srcdest"' "$copydir/etc/makepkg.conf"; then
-		echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
-	fi
-
-	builduser_uid=${SUDO_UID:-$UID}
-
-	# We can't use useradd without chrooting, otherwise it invokes PAM modules
-	# which we might not be able to load (i.e. when building i686 packages on
-	# an x86_64 host).
-	printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd"
-	chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
-
-	if [[ -n $MAKEFLAGS ]]; then
-		sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
-		echo "MAKEFLAGS='${MAKEFLAGS}'" >> "$copydir/etc/makepkg.conf"
-	fi
-
-	if [[ -n $PACKAGER ]]; then
-		sed -i '/^PACKAGER=/d' "$copydir/etc/makepkg.conf"
-		echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
-	fi
-
-	if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
-		cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
-Defaults env_keep += "HOME"
-builduser ALL = NOPASSWD: /usr/bin/pacman
-EOF
-		chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
-	fi
-
-	# This is a little gross, but this way the script is recreated every time in the
-	# working copy
-	{
-		printf '#!/bin/bash\n'
-		declare -f _chrootbuild
-		printf '_chrootbuild'
-		printf ' %q' "${makepkg_args[@]}"
-		printf ' || exit\n'
-
-		if $run_namcap; then
-			cat <<'EOF'
-pacman -S --needed --noconfirm namcap
-for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
-	echo "Checking ${pkgfile##*/}"
-	sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
-done
-EOF
-		fi
-	} >"$copydir/chrootbuild"
-	chmod +x "$copydir/chrootbuild"
-}
-
-download_sources() {
-	local builddir="$(mktemp -d)"
-	chmod 1777 "$builddir"
-
-	# Ensure sources are downloaded
-	if [[ -n $SUDO_USER ]]; then
-		sudo -u $SUDO_USER env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \
-			makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o
-	else
-		( export SRCDEST BUILDDIR="$builddir"
-			makepkg --asroot --config="$copydir/etc/makepkg.conf" --verifysource -o
-		)
-	fi
-	(( $? != 0 )) && die "Could not download sources."
-
-	# Clean up garbage from verifysource
-	rm -rf $builddir
-}
-
-_chrootbuild() {
-	# This function isn't run in makechrootpkg,
-	# so no global variables
-
-	. /etc/profile
-	export HOME=/build
-	shopt -s nullglob
-
-	# XXX: Workaround makepkg disliking read-only dirs
-	ln -sft /srcdest /srcdest_host/*
-	ln -sft /startdir /startdir_host/*
-
-	# XXX: Keep bzr and svn sources writable
-	# Since makepkg 4.1.1 they get checked out via cp -a, copying the symlink
-	for dir in /srcdest /startdir; do
-		for vcs in bzr svn; do
-			cd "$dir"
-			for vcsdir in */.$vcs; do
-				rm "${vcsdir%/.$vcs}"
-				cp -a "${dir}_host/${vcsdir%/.$vcs}" .
-				chown -R builduser "${vcsdir%/.$vcs}"
-			done
-		done
-	done
-
-	cd /startdir
-
-	# XXX: Keep PKGBUILD writable for pkgver()
-	rm PKGBUILD*
-	cp /startdir_host/PKGBUILD* .
-	chown builduser PKGBUILD*
-
-	# Safety check
-	if [[ ! -w PKGBUILD ]]; then
-		echo "Can't write to PKGBUILD!"
-		exit 1
-	fi
-
-	sudo -u builduser makepkg "$@"
-}
-
-move_products() {
-	for pkgfile in "$copydir"/pkgdest/*; do
-		chown "$src_owner" "$pkgfile"
-		mv "$pkgfile" "$PKGDEST"
-	done
-
-	for l in "$copydir"/logdest/*; do
-		[[ $l == */logpipe.* ]] && continue
-		chown "$src_owner" "$l"
-		mv "$l" "$LOGDEST"
-	done
-
-	for s in "$copydir"/srcpkgdest/*; do
-		chown "$src_owner" "$s"
-		mv "$s" "$SRCPKGDEST"
-	done
-}
-# }}}
-
 umask 0022
 
-load_vars "$USER_HOME/.makepkg.conf"
+load_vars "${XDG_CONFIG_HOME:-$USER_HOME/.config}/pacman/makepkg.conf" || load_vars "$USER_HOME/.makepkg.conf"
 load_vars /etc/makepkg.conf
 
 # Use PKGBUILD directory if these don't exist
@@ -382,13 +327,13 @@ $update_first && arch-nspawn "$copydir" \
 
 [[ -n ${install_pkgs[*]} ]] && install_packages
 
-prepare_chroot
-
 download_sources
 
+prepare_chroot
+
 if arch-nspawn "$copydir" \
-	--bind-ro="$PWD:/startdir_host" \
-	--bind-ro="$SRCDEST:/srcdest_host" \
+	--bind="$PWD:/startdir" \
+	--bind="$SRCDEST:/srcdest" \
 	"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
 	/chrootbuild
 then

makepkg-i686.conf

@@ -19,6 +19,13 @@ DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %
 # /usr/bin/lftpget -c
 # /usr/bin/wget
 
+#-- The package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
 #########################################################################
 # ARCHITECTURE, COMPILE FLAGS
 #########################################################################
@@ -30,8 +37,8 @@ CHOST="i686-pc-linux-gnu"
 # -march (or -mcpu) builds exclusively for an architecture
 # -mtune optimizes for an architecture, but builds for whole processor family
 CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
-CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong"
+CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong"
 LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
@@ -43,17 +50,16 @@ DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
 # BUILD ENVIRONMENT
 #########################################################################
 #
-# Defaults: BUILDENV=(fakeroot !distcc color !ccache check !sign)
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
 #  A negated environment option will do the opposite of the comments below.
 #
-#-- fakeroot: Allow building packages as a non-root user
 #-- distcc:   Use the Distributed C/C++/ObjC compiler
 #-- color:    Colorize output messages
 #-- ccache:   Use ccache to cache compilation
 #-- check:    Run the check() function if present in the PKGBUILD
 #-- sign:     Generate PGP signature file
 #
-BUILDENV=(fakeroot !distcc color !ccache check !sign)
+BUILDENV=(!distcc color !ccache check !sign)
 #
 #-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
 #-- specify a space-delimited list of hosts running in the DistCC cluster.
@@ -67,7 +73,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #   These are default values for the options=() settings
 #########################################################################
 #
-# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
 #  A negated option will do the opposite of the comments below.
 #
 #-- strip:      Strip symbols from binaries/libraries
@@ -78,9 +84,10 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
 #-- purge:      Remove files specified by PURGE_TARGETS
 #-- upx:        Compress binary executable files using UPX
+#-- optipng:    Optimize PNG images with optipng
 #-- debug:      Add debugging flags as specified in DEBUG_* variables
 #
-OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
 INTEGRITY_CHECK=(md5)

makepkg-x86_64.conf

@@ -19,19 +19,26 @@ DLAGENTS=('ftp::/usr/bin/curl -fC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %
 # /usr/bin/lftpget -c
 # /usr/bin/wget
 
+#-- The package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
 #########################################################################
 # ARCHITECTURE, COMPILE FLAGS
 #########################################################################
 #
 CARCH="x86_64"
-CHOST="x86_64-unknown-linux-gnu"
+CHOST="x86_64-pc-linux-gnu"
 
 #-- Compiler and Linker Flags
 # -march (or -mcpu) builds exclusively for an architecture
 # -mtune optimizes for an architecture, but builds for whole processor family
 CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
-CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong"
+CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong"
 LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
@@ -43,17 +50,16 @@ DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
 # BUILD ENVIRONMENT
 #########################################################################
 #
-# Defaults: BUILDENV=(fakeroot !distcc color !ccache check !sign)
+# Defaults: BUILDENV=(!distcc color !ccache check !sign)
 #  A negated environment option will do the opposite of the comments below.
 #
-#-- fakeroot: Allow building packages as a non-root user
 #-- distcc:   Use the Distributed C/C++/ObjC compiler
 #-- color:    Colorize output messages
 #-- ccache:   Use ccache to cache compilation
 #-- check:    Run the check() function if present in the PKGBUILD
 #-- sign:     Generate PGP signature file
 #
-BUILDENV=(fakeroot !distcc color !ccache check !sign)
+BUILDENV=(!distcc color !ccache check !sign)
 #
 #-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
 #-- specify a space-delimited list of hosts running in the DistCC cluster.
@@ -67,7 +73,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #   These are default values for the options=() settings
 #########################################################################
 #
-# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+# Default: OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
 #  A negated option will do the opposite of the comments below.
 #
 #-- strip:      Strip symbols from binaries/libraries
@@ -78,9 +84,10 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 #-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
 #-- purge:      Remove files specified by PURGE_TARGETS
 #-- upx:        Compress binary executable files using UPX
+#-- optipng:    Optimize PNG images with optipng
 #-- debug:      Add debugging flags as specified in DEBUG_* variables
 #
-OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !optipng !upx !debug)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
 INTEGRITY_CHECK=(md5)

mkarchroot.in

@@ -9,8 +9,7 @@
 # GNU General Public License for more details.
 
 m4_include(lib/common.sh)
-
-CHROOT_VERSION='v3'
+m4_include(lib/archroot.sh)
 
 working_dir=''
 
@@ -24,8 +23,6 @@ usage() {
 	exit 1
 }
 
-orig_argv=("$@")
-
 while getopts 'hC:M:c:' arg; do
 	case "$arg" in
 		C) pac_conf="$OPTARG" ;;
@@ -39,7 +36,7 @@ shift $(($OPTIND - 1))
 
 (( $# < 2 )) && die 'You must specify a directory and one or more packages.'
 
-check_root "$0" "${orig_argv[@]}"
+check_root
 
 working_dir="$(readlink -f $1)"
 shift 1
@@ -60,7 +57,7 @@ mkdir -p "$working_dir"
 
 lock 9 "${working_dir}.lock" "Locking chroot"
 
-if [[ $(stat -f -c %T "$working_dir") == btrfs ]]; then
+if is_btrfs "$working_dir"; then
 	rmdir "$working_dir"
 	if ! btrfs subvolume create "$working_dir"; then
 		die "Couldn't create subvolume for '%s'" "$working_dir"
@@ -72,9 +69,11 @@ pacstrap -GMcd ${pac_conf:+-C "$pac_conf"} "$working_dir" \
   "${cache_dirs[@]/#/--cachedir=}" "$@" || die 'Failed to install all packages'
 
 printf '%s.UTF-8 UTF-8\n' en_US de_DE > "$working_dir/etc/locale.gen"
-echo 'LANG=C' > "$working_dir/etc/locale.conf"
+echo 'LANG=en_US.UTF-8' > "$working_dir/etc/locale.conf"
 echo "$CHROOT_VERSION" > "$working_dir/.arch-chroot"
 
+systemd-machine-id-setup --root="$working_dir"
+
 exec arch-nspawn \
 	${pac_conf:+-C "$pac_conf"} \
 	${makepkg_conf:+-M "$makepkg_conf"} \

pacman-extra.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

pacman-gnome-unstable.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
@@ -72,6 +73,9 @@ LocalFileSigLevel = Optional
 [gnome-unstable]
 Include = /etc/pacman.d/mirrorlist
 
+[staging]
+Include = /etc/pacman.d/mirrorlist
+
 [testing]
 Include = /etc/pacman.d/mirrorlist
 
@@ -81,6 +85,9 @@ Include = /etc/pacman.d/mirrorlist
 [extra]
 Include = /etc/pacman.d/mirrorlist
 
+[community-staging]
+Include = /etc/pacman.d/mirrorlist
+
 [community-testing]
 Include = /etc/pacman.d/mirrorlist
 

pacman-kde-unstable.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

pacman-multilib-staging.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

pacman-multilib-testing.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

pacman-multilib.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

pacman-staging.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

pacman-testing.conf

@@ -14,6 +14,7 @@
 #CacheDir    = /var/cache/pacman/pkg/
 #LogFile     = /var/log/pacman.log
 #GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
 HoldPkg     = pacman glibc
 #XferCommand = /usr/bin/curl -C - -f %u > %o
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u

rebuildpkgs.in

@@ -47,7 +47,7 @@ pkg_from_pkgbuild() {
 chrootdir="$1"; shift
 pkgs="$@"
 
-SVNPATH='svn+ssh://nymeria.archlinux.org/srv/repos/svn-packages/svn'
+SVNPATH='svn+ssh://repos.archlinux.org/srv/repos/svn-packages/svn'
 
 msg "Work will be done in $(pwd)/rebuilds"