[aur-dev] AUR 2.1.0 released

canyonknight canyonknight at gmail.com
Mon Mar 18 17:40:08 EDT 2013


On Mon, Mar 18, 2013 at 5:10 PM, Dave Reisner <d at falconindy.com> wrote:
> On Mon, Mar 18, 2013 at 08:18:19PM +0100, Lukas Fleischer wrote:
>> Changes since 2.0.1:
>>
>> * Typeahead suggest for packages.
>> * Fix account editing and hijacking vulnerability.
>> * Fix account privilege escalation vulnerability.
>> * Clear a user's active sessions following account suspension.
>> * Several translation fixes/updates.
>> * pkgsubmit.php: Parse .AURINFO metadata.
>>
>> .AURINFO files can now be included in source packages to overwrite
>> specific PKGBUILD fields. .AURINFO files are parsed line by line. The
>> syntax for each line is "key = value", where key is any of the following
>> field names:
>>
>> * pkgname
>
> I'll file a proper bug report if it really turns out to be the AUR's
> fault (when I get some more time to play), but my 60 second test drive
> of this makes me believe that overriding the pkgname fails silently on
> the upload if you specify a pkgname which already exists (and which
> isn't the package you're uploading).

Quickly tried this on my local setup. Uploaded a source package named
"foo", then tried to upload a "bar" source package with pkgname set in
.AURINFO to "foo" and received the error message: "You are not allowed
to overwrite the foo package." Might be a burp issue or some sort of
strange edge case.

>
> I'm only testing this from burp, so grain of salt and all that...
>
> d
>
>> * pkgver
>> * pkgdesc
>> * url
>> * license
>> * depend
>>
>> Multiple "depend" lines can be specified to add multiple dependencies.
>>
>> You can check the Git log [1] for a complete list of commits.
>>
>> The official Arch Linux AUR setup [2] has already been upgraded!
>>
>> [1] https://projects.archlinux.org/aur.git/log/?id=v2.1.0
>> [2] https://aur.archlinux.org/
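
Added example, not part of the original thread and not the AUR's own code: a Python sketch of the .AURINFO "key = value" format from the announcement, with the ownership check applied to the package name after the override, which is the behaviour the reply reports. Assumptions: the `owners` map, the user names and the sample data are constructed; skipping malformed lines and unknown keys, and replacing the PKGBUILD's dependency list with the .AURINFO one, are choices made for this sketch.

```python
# Field names are the ones listed in the release announcement.
ALLOWED = {"pkgname", "pkgver", "pkgdesc", "url", "license", "depend"}

class UploadRejected(Exception):
    pass

def parse_aurinfo(text):
    """Parse 'key = value' lines; repeated 'depend' lines accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # split at the first '=' only
        key, value = key.strip(), value.strip()
        # Assumption: malformed lines, unknown keys and empty values are skipped.
        if not sep or key not in ALLOWED or not value:
            continue
        if key == "depend":
            fields.setdefault("depend", []).append(value)
        else:
            fields[key] = value
    return fields

def effective_metadata(pkgbuild, aurinfo_text):
    """Overlay .AURINFO fields on the values taken from the PKGBUILD."""
    merged = dict(pkgbuild)
    merged.update(parse_aurinfo(aurinfo_text))
    return merged

def check_upload(uploader, pkgbuild, aurinfo_text, owners):
    """Authorize against the name after the override, not the PKGBUILD name."""
    meta = effective_metadata(pkgbuild, aurinfo_text)
    name = meta["pkgname"]
    owner = owners.get(name)  # hypothetical ownership lookup
    if owner is not None and owner != uploader:
        raise UploadRejected(f"You are not allowed to overwrite the {name} package.")
    return meta

# Constructed sample data mirroring the "foo"/"bar" test described above.
OWNERS = {"foo": "alice"}
BAR_PKGBUILD = {"pkgname": "bar", "pkgver": "1.0", "depend": ["glibc"]}
AURINFO = "pkgname = foo\npkgver = 2.0\ndepend = curl\ndepend = zlib\nbogus = x\n"

if __name__ == "__main__":
    try:
        check_upload("mallory", BAR_PKGBUILD, AURINFO, OWNERS)
    except UploadRejected as err:
        print(err)
```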

