From 51cf46f34c19b2309ac60e4e436decf714fb5dd0 Mon Sep 17 00:00:00 2001 From: kth5 Date: Fri, 6 Dec 2024 10:23:43 +0100 Subject: [PATCH] * update libcap to 2.71-1 --- libcap/.SRCINFO | 22 +++++----- libcap/.nvchecker.toml | 6 +++ libcap/PKGBUILD | 41 ++++++++++--------- ...23D34C577B08C4082CFD76430C5CFF993116B1.asc | 14 +++++++ libcap/libcap-2.68-cgo_flags.patch | 41 ------------------- ...lags.patch => libcap-2.71-cgo-flags.patch} | 13 +++--- 6 files changed, 60 insertions(+), 77 deletions(-) create mode 100644 libcap/.nvchecker.toml create mode 100644 libcap/keys/pgp/0D23D34C577B08C4082CFD76430C5CFF993116B1.asc delete mode 100644 libcap/libcap-2.68-cgo_flags.patch rename libcap/{libcap-2.69-cgo_flags.patch => libcap-2.71-cgo-flags.patch} (85%) diff --git a/libcap/.SRCINFO b/libcap/.SRCINFO index 4fe9da4fae..29d2088f23 100644 --- a/libcap/.SRCINFO +++ b/libcap/.SRCINFO @@ -1,14 +1,16 @@ pkgbase = libcap pkgdesc = POSIX 1003.1e capabilities - pkgver = 2.70 - pkgrel = 1.1 + pkgver = 2.71 + pkgrel = 1 url = https://sites.google.com/site/fullycapable/ arch = x86_64 arch = powerpc64le arch = powerpc64 arch = powerpc + arch = espresso arch = riscv64 license = BSD-3-Clause OR GPL-2.0-only + makedepends = git makedepends = go makedepends = linux-api-headers depends = gcc-libs 
@@ -17,15 +19,13 @@ pkgbase = libcap provides = libcap.so provides = libpsx.so options = !lto - source = https://kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.70.tar.xz - source = https://kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.70.tar.sign - source = libcap-2.69-cgo_flags.patch + source = git+https://git.kernel.org/pub/scm/libs/libcap/libcap.git?signed#tag=sig-libcap-2.71 + source = libcap-2.71-cgo-flags.patch validpgpkeys = 38A644698C69787344E954CE29EE848AE2CCF3F4 - sha512sums = 4e0bf0efeccb654c409afe9727b2b53c1d4da8190d7a0a9848fc52550ff3e13502add3eacde04a68a5b7bec09e91df487f64c5746ba987f873236a9e53b3d4e8 - sha512sums = SKIP - sha512sums = f1e301370b1af91d6cdca2433fcfc60f35ccfdfca7a7ce00a0b0ddfb54d67ed1b7e0a52094010c92514460bd142d12bb29eb28c13d9e7da9b92e4b61b6300d2f - b2sums = 77b72acee53032117ea481e3380d1b497f9264b6193b9523542508c7c3e46070248ca4ed910d35809ce6e52caa60cbb31edb125c47221627eeda35c61bd0914b - b2sums = SKIP - b2sums = 535fe70e39caeccb4b71fe0b6329e37b88b69d18361595e78171e3d148370553a055c81e4e691c5b43e54d5c2789fe5390287a1f23efc4529246877eaf8821e5 + validpgpkeys = 0D23D34C577B08C4082CFD76430C5CFF993116B1 + sha512sums = 63ce3d8625e989070604c10c90696a732347b4335017693925592f3cdba17d098d44dec704a8bf0dc32bcf51502b922d4c4f765552ee1d4a6a1d94dd759a5fc0 + sha512sums = bcaf8f2002ac6acd4ac455d71313b71b60617fd6978abf5c722bd9ab7c8cace9a78b25218aef553538467c3a95f3494ce0a0b0c64b8855cfa4ab18d5ba2a28c2 + b2sums = f1f86559c673d89ce4bc13fdb90e1051e3bf8562571f686845e46b513d804680e00db738736d4d5d118e828c6e98144f40ff19d1d9bec003a946cd6f63a97d8d + b2sums = d704ffe7a4b48a1ac269ebf6735dba162dcfd94ff70a32c8154d6d1520eff4a425b54653da0ac361f5120eb4b915039878a08ebd730ee4655be9cccfbe50ad1e pkgname = libcap diff --git a/libcap/.nvchecker.toml b/libcap/.nvchecker.toml new file mode 100644 index 0000000000..aa443516ce --- /dev/null +++ b/libcap/.nvchecker.toml 
@@ -0,0 +1,6 @@ +[libcap] +source = "git" +git = "https://git.kernel.org/pub/scm/libs/libcap/libcap.git" +include_regex = 'libcap-([\d.]+)' +exclude_regex = 'libcap-(20070813|20071031)' +prefix = "libcap-" diff --git a/libcap/PKGBUILD b/libcap/PKGBUILD index ca396c84a4..bc46dbe301 100644 --- a/libcap/PKGBUILD +++ b/libcap/PKGBUILD @@ -5,11 +5,12 @@ # Contributor: Hugo Doria pkgname=libcap -pkgver=2.70 -pkgrel=1.1 +pkgver=2.71 +pkgrel=1 pkgdesc="POSIX 1003.1e capabilities" arch=(x86_64 powerpc64le powerpc64 powerpc espresso riscv64) url="https://sites.google.com/site/fullycapable/" +_url=https://git.kernel.org/pub/scm/libs/libcap/libcap.git license=('BSD-3-Clause OR GPL-2.0-only') depends=( gcc-libs @@ -17,6 +18,7 @@ depends=( pam ) makedepends=( + git go linux-api-headers ) 
@@ -26,18 +28,19 @@ provides=( ) # we can not use LTO as otherwise we get no reproducible package with full RELRO options=(!lto) +# NOTE: we rely on a specific tagging scheme to verify with the latest signing key: https://bugzilla.kernel.org/show_bug.cgi?id=218860#c3 source=( - https://kernel.org/pub/linux/libs/security/linux-privs/${pkgname}2/$pkgname-$pkgver.tar.{xz,sign} - libcap-2.69-cgo_flags.patch # provide flags to go build (sent upstream) + git+$_url?signed#tag=sig-$pkgname-$pkgver + libcap-2.71-cgo-flags.patch # provide flags to go build (sent upstream) +) +sha512sums=('63ce3d8625e989070604c10c90696a732347b4335017693925592f3cdba17d098d44dec704a8bf0dc32bcf51502b922d4c4f765552ee1d4a6a1d94dd759a5fc0' + 'bcaf8f2002ac6acd4ac455d71313b71b60617fd6978abf5c722bd9ab7c8cace9a78b25218aef553538467c3a95f3494ce0a0b0c64b8855cfa4ab18d5ba2a28c2') +b2sums=('f1f86559c673d89ce4bc13fdb90e1051e3bf8562571f686845e46b513d804680e00db738736d4d5d118e828c6e98144f40ff19d1d9bec003a946cd6f63a97d8d' + 'd704ffe7a4b48a1ac269ebf6735dba162dcfd94ff70a32c8154d6d1520eff4a425b54653da0ac361f5120eb4b915039878a08ebd730ee4655be9cccfbe50ad1e') +validpgpkeys=( + 38A644698C69787344E954CE29EE848AE2CCF3F4 # Andrew G. Morgan + 0D23D34C577B08C4082CFD76430C5CFF993116B1 # Andrew G. 
Morgan (2024+ libcap signing key) ) -sha512sums=('4e0bf0efeccb654c409afe9727b2b53c1d4da8190d7a0a9848fc52550ff3e13502add3eacde04a68a5b7bec09e91df487f64c5746ba987f873236a9e53b3d4e8' - 'SKIP' - 'f1e301370b1af91d6cdca2433fcfc60f35ccfdfca7a7ce00a0b0ddfb54d67ed1b7e0a52094010c92514460bd142d12bb29eb28c13d9e7da9b92e4b61b6300d2f') -b2sums=('77b72acee53032117ea481e3380d1b497f9264b6193b9523542508c7c3e46070248ca4ed910d35809ce6e52caa60cbb31edb125c47221627eeda35c61bd0914b' - 'SKIP' - '535fe70e39caeccb4b71fe0b6329e37b88b69d18361595e78171e3d148370553a055c81e4e691c5b43e54d5c2789fe5390287a1f23efc4529246877eaf8821e5') -# NOTE: contacted upstream on 2024-05-19 about unsafe (and differing) key for signed git tags and use of SHA-1 binding signatures in key used for custom source tarballs in the hopes of them using a new key in the future -validpgpkeys=(38A644698C69787344E954CE29EE848AE2CCF3F4) # Andrew G. Morgan # NOTE: with CGO_ENABLED we need all relevant make options in build(), check() and package() otherwise the package is not reproducible _common_make_options=( @@ -52,7 +55,7 @@ _common_make_options=( prepare() { # ensure to use CGO_ENABLED all the way (so that we can have full RELRO) - patch -Np1 -d $pkgname-$pkgver -i ../libcap-2.69-cgo_flags.patch + patch -Np1 -d $pkgname -i ../libcap-2.71-cgo-flags.patch } build() { @@ -65,7 +68,7 @@ build() { lib=lib prefix=/usr sbindir=bin - -C $pkgname-$pkgver + -C $pkgname ) make "${make_options[@]}" @@ -78,7 +81,7 @@ check() { "${_common_make_options[@]}" test -k - -C $pkgname-$pkgver + -C $pkgname ) make "${make_options[@]}" 
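Review bot: The `validpgpkeys` array added in the source/checksum hunk still trusts `38A644698C69787344E954CE29EE848AE2CCF3F4` next to the new `0D23D34C577B08C4082CFD76430C5CFF993116B1`, so with `?signed` on the git source a `sig-libcap-*` tag signed by either key would pass verification. The NOTE removed in the same hunk was the only record of the SHA-1 binding-signature concern about the key used for the source tarballs, which appears to be that older key. If upstream signs every `sig-` tag with the 2024+ key, as the new NOTE and its bugzilla link suggest, narrow the array to `validpgpkeys=(0D23D34C577B08C4082CFD76430C5CFF993116B1) # Andrew G. Morgan (2024+ libcap signing key)`. Otherwise keep a one-line comment saying why the old key is still accepted. `.SRCINFO` lists the same two keys and would need regenerating after the change.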
@@ -95,11 +98,11 @@ package() { prefix=/usr sbindir=bin install - -C $pkgname-$pkgver + -C $pkgname ) make "${make_options[@]}" - install -vDm 644 $pkgname-$pkgver/{CHANGELOG,README} -t "$pkgdir/usr/share/doc/$pkgname/" - install -vDm 644 $pkgname-$pkgver/License -t "$pkgdir/usr/share/licenses/$pkgname/" - install -vDm 644 $pkgname-$pkgver/pam_cap/capability.conf -t "$pkgdir/usr/share/doc/$pkgname/examples/" + install -vDm 644 $pkgname/{CHANGELOG,README} -t "$pkgdir/usr/share/doc/$pkgname/" + install -vDm 644 $pkgname/License -t "$pkgdir/usr/share/licenses/$pkgname/" + install -vDm 644 $pkgname/pam_cap/capability.conf -t "$pkgdir/usr/share/doc/$pkgname/examples/" } diff --git a/libcap/keys/pgp/0D23D34C577B08C4082CFD76430C5CFF993116B1.asc b/libcap/keys/pgp/0D23D34C577B08C4082CFD76430C5CFF993116B1.asc new file mode 100644 index 0000000000..9e6bd39405 --- /dev/null +++ b/libcap/keys/pgp/0D23D34C577B08C4082CFD76430C5CFF993116B1.asc @@ -0,0 +1,14 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEZxxqQxYJKwYBBAHaRw8BAQdAAlgXHf/4BU68VzEE51MNEljYf/t1gyseA2mU +Kh/+/i20P0FuZHJldyBHLiBNb3JnYW4gKDIwMjQrIGxpYmNhcCBzaWduaW5nIGtl +eSkgPG1vcmdhbkBrZXJuZWwub3JnPoiTBBMWCgA7FiEEDSPTTFd7CMQILP12Qwxc +/5kxFrEFAmccakMCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQQwxc +/5kxFrFjaQEA1CkyQNNg8HlfXkV6+DnzdsQN8YycicrYXmSzV42z35YA/1raz/En +wuMZzDOwXx/DsdOipDESmi4+f5hHoUjSiREAuDgEZxxqQxIKKwYBBAGXVQEFAQEH +QNEebjvioE1SOgLslz/YtW38q9dVi5WyrareoaES0glJAwEIB4h4BBgWCgAgFiEE +DSPTTFd7CMQILP12Qwxc/5kxFrEFAmccakMCGwwACgkQQwxc/5kxFrGkaAD7BxKn +awy8yyaG0+eIiG/c78B/d5brbnVj3cws1gzYD0gBAPTZz+Ui/VwsUQNhiam822GR +hbpiIP1cjbNci5xFttcF +=R8eF +-----END PGP PUBLIC KEY BLOCK----- diff --git a/libcap/libcap-2.68-cgo_flags.patch b/libcap/libcap-2.68-cgo_flags.patch deleted file mode 100644 index 84ccbafa2a..0000000000 --- a/libcap/libcap-2.68-cgo_flags.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 522b78b9d6a1b6cf282a22657dea59bc5c960557 Mon Sep 17 00:00:00 2001 -From: David Runge -Date: Tue, 28 Mar 2023 13:44:20 +0200 -Subject: [PATCH] Provide flags when building go binaries - -go/Makefile: -Provide CGO_CFLAGS, CGO_CPPFLAGS, CGO_CXXFLAGS, CGO_LDFLAGS and GOFLAGS -to the go compiler, so that they may be set for e.g. supplying -downstream flags (such as for PIE and full RELRO). ---- - go/Makefile | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/go/Makefile b/go/Makefile -index 38c1cf3..3a98af3 100644 ---- a/go/Makefile -+++ b/go/Makefile -@@ -68,16 +68,16 @@ ifeq ($(RAISE_GO_FILECAP),yes) - endif - - setid: ../goapps/setid/setid.go CAPGOPACKAGE PSXGOPACKAGE -- CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor -o $@ $< -+ CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_CPPFLAGS="$(CGO_CPPFLAGS)" CGO_CXXFLAGS="$(CGO_CXXFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) $(GOFLAGS) -mod=vendor -o $@ $< - - gowns: ../goapps/gowns/gowns.go CAPGOPACKAGE -- CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor -o $@ $< -+ CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_CPPFLAGS="$(CGO_CPPFLAGS)" CGO_CXXFLAGS="$(CGO_CXXFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) $(GOFLAGS) -mod=vendor -o $@ $< - - captree: ../goapps/captree/captree.go CAPGOPACKAGE -- CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor -o $@ $< -+ CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_CPPFLAGS="$(CGO_CPPFLAGS)" CGO_CXXFLAGS="$(CGO_CXXFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) $(GOFLAGS) -mod=vendor -o $@ $< - - captrace: ../goapps/captrace/captrace.go CAPGOPACKAGE -- CC="$(CC)" 
CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor -o $@ $< -+ CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_CPPFLAGS="$(CGO_CPPFLAGS)" CGO_CXXFLAGS="$(CGO_CXXFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) $(GOFLAGS) -mod=vendor -o $@ $< - - ok: ok.go vendor/modules.txt - CC="$(CC)" CGO_ENABLED="0" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $< --- -2.40.0 - diff --git a/libcap/libcap-2.69-cgo_flags.patch b/libcap/libcap-2.71-cgo-flags.patch similarity index 85% rename from libcap/libcap-2.69-cgo_flags.patch rename to libcap/libcap-2.71-cgo-flags.patch index e21cf88beb..04c5e26c7e 100644 --- a/libcap/libcap-2.69-cgo_flags.patch +++ b/libcap/libcap-2.71-cgo-flags.patch @@ -1,7 +1,8 @@ -diff -ruN a/go/Makefile b/go/Makefile ---- a/go/Makefile 2022-10-10 01:01:27.000000000 +0200 -+++ b/go/Makefile 2024-03-19 12:33:19.217467384 +0100 -@@ -68,19 +68,19 @@ +diff --git i/go/Makefile w/go/Makefile +index d0b081d..ba3a357 100644 +--- i/go/Makefile ++++ w/go/Makefile +@@ -68,19 +68,19 @@ ifeq ($(RAISE_GO_FILECAP),yes) endif setid: ../goapps/setid/setid.go CAPGOPACKAGE PSXGOPACKAGE 
@@ -21,8 +22,8 @@ diff -ruN a/go/Makefile b/go/Makefile + CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_CPPFLAGS="$(CGO_CPPFLAGS)" CGO_CXXFLAGS="$(CGO_CXXFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) $(GOFLAGS) -mod=vendor -o $@ $< ok: ok.go vendor/modules.txt -- CC="$(CC)" CGO_ENABLED="0" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $< -+ CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $< +- CC="$(CC)" CGO_ENABLED="0" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $< ++ CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(GO) build $(GO_BUILD_FLAGS) $(GOFLAGS) -mod=vendor $< try-launching: try-launching.go CAPGOPACKAGE ok CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $<
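Review bot: The `ok` rule in the refreshed patch gains `$(GOFLAGS)` and builds with `CGO_ENABLED="$(CGO_REQUIRED)"`, but unlike `setid`, `gowns`, `captree` and `captrace` it does not pass `CGO_CFLAGS`, `CGO_CPPFLAGS`, `CGO_CXXFLAGS` or `CGO_LDFLAGS`. The `try-launching` context line below it carries neither those nor `$(GOFLAGS)`. PKGBUILD's `prepare()` comment states the goal is CGO all the way for full RELRO, so these two binaries only get the hardening flags if make happens to export them from its own environment. Adding `CGO_CFLAGS="$(CGO_CFLAGS)" CGO_CPPFLAGS="$(CGO_CPPFLAGS)" CGO_CXXFLAGS="$(CGO_CXXFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)"` to both rules would match the other four. If they are test helpers that are never packaged, a short comment in the patch header saying so is enough.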