Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxmlb for openSUSE:Factory checked in at 2024-04-18 22:08:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxmlb (Old) and /work/SRC/openSUSE:Factory/.libxmlb.new.26366 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxmlb" Thu Apr 18 22:08:05 2024 rev:15 rq:1168793 version:0.3.18 Changes: -------- --- /work/SRC/openSUSE:Factory/libxmlb/libxmlb.changes 2024-01-07 21:39:05.277368754 +0100 +++ /work/SRC/openSUSE:Factory/.libxmlb.new.26366/libxmlb.changes 2024-04-18 22:08:08.827649373 +0200 @@ -1,0 +2,12 @@ +Thu Apr 18 07:54:47 UTC 2024 - Christophe Marin <[email protected]> + +- Update to 0.3.18. Changes since 0.3.15: + * Add the lzma and zstd support to the pkgconfig file + * Create SECURITY.md for the OpenSSF scorecard + * Fix decompressing large zstd files + * Use zst as the file extension for zstd + * Fix decompressing large zstd files, harder + * Include the pkgconfig variables in the subproject declared + dependenc + +------------------------------------------------------------------- Old: ---- libxmlb-0.3.15.tar.gz New: ---- libxmlb-0.3.18.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxmlb.spec ++++++ --- /var/tmp/diff_new_pack.9cpDZ9/_old 2024-04-18 22:08:09.527675099 +0200 +++ /var/tmp/diff_new_pack.9cpDZ9/_new 2024-04-18 22:08:09.531675246 +0200 @@ -19,7 +19,7 @@ %define sover 2 Name: libxmlb -Version: 0.3.15 +Version: 0.3.18 Release: 0 Summary: Library for querying compressed XML metadata License: LGPL-2.1-or-later ++++++ libxmlb-0.3.15.tar.gz -> libxmlb-0.3.18.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/.github/dependabot.yml new/libxmlb-0.3.18/.github/dependabot.yml --- old/libxmlb-0.3.15/.github/dependabot.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/libxmlb-0.3.18/.github/dependabot.yml 2024-04-09 22:24:57.000000000 +0200 
@@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/.github/workflows/main.yml new/libxmlb-0.3.18/.github/workflows/main.yml --- old/libxmlb-0.3.15/.github/workflows/main.yml 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/.github/workflows/main.yml 2024-04-09 22:24:57.000000000 +0200 @@ -6,6 +6,9 @@ pull_request: branches: [ main ] +permissions: + contents: read + jobs: build-linux: runs-on: ubuntu-latest @@ -16,6 +19,6 @@ - debian fail-fast: false steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - run: docker build -t libxmlb-${{ matrix.distro }} -f contrib/ci/Dockerfile-${{ matrix.distro }} . - run: docker run -t -v `pwd`:/build libxmlb-${{ matrix.distro }} ./contrib/ci/build-${{ matrix.distro }}.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/.github/workflows/scorecard.yml new/libxmlb-0.3.18/.github/workflows/scorecard.yml --- old/libxmlb-0.3.15/.github/workflows/scorecard.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/libxmlb-0.3.18/.github/workflows/scorecard.yml 2024-04-09 22:24:57.000000000 +0200 
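Review bot: `actions/checkout@v4` in the second main.yml hunk is pinned to a mutable tag, while the scorecard.yml added by this same update pins every action to a full commit SHA with the version as a trailing comment. A tag can be moved after review, so I would pin the build job the same way, reusing the SHA scorecard.yml already carries: `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. The new dependabot.yml covers the `github-actions` ecosystem, so it should keep SHA pins current. The build job's checkout also leaves the token in the workspace that the `docker run` step bind-mounts into the container; adding `with:` / `persist-credentials: false`, as scorecard.yml does, would avoid that.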
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '25 11 * * 1'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
+ with:
+ sarif_file: results.sarif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/NEWS new/libxmlb-0.3.18/NEWS
--- old/libxmlb-0.3.15/NEWS 2024-01-02 11:25:44.000000000 +0100
+++ new/libxmlb-0.3.18/NEWS 2024-04-09 22:24:57.000000000 +0200
@@ -1,3 +1,30 @@ +Version 0.3.18 +~~~~~~~~~~~~~~ +Released: 2024-04-09 + +Bugfixes: + - Fix decompressing large zstd files, harder (Richard Hughes) + - Include the pkgconfig variables in the subproject declared dependency (Richard Hughes) + +Version 0.3.17 +~~~~~~~~~~~~~~ +Released: 2024-04-05 + +Bugfixes: + - Create SECURITY.md for the OpenSSF scorecard (Richard Hughes) + - Fix decompressing large zstd files (Richard Hughes) + - Use zst as the file extension for zstd (Richard Hughes) + +Version 0.3.16 +~~~~~~~~~~~~~~ +Released: 2024-04-03 + +New Features: + - Add the lzma and zstd support to the pkgconfig file (Richard Hughes) + +Bugfixes: + - Make the LZMA support optional (Richard Hughes) + Version 0.3.15 ~~~~~~~~~~~~~~ Released: 2024-01-02 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/README.md new/libxmlb-0.3.18/README.md --- old/libxmlb-0.3.15/README.md 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/README.md 2024-04-09 22:24:57.000000000 +0200 @@ -1,6 +1,9 @@ libxmlb ======= +[](https://scan.coverity.com/projects/17055) +[](https://securityscorecards.dev/viewer/?uri=github.com/hughsie/libxmlb) + Introduction ------------ 
@@ -117,3 +120,11 @@ This will by default install the library into `/usr/local`. On some Linux distributions you may need to configure the linker path in `/etc/ld.so.conf` to be able to locate it. The call to `ldconfig` is needed to refresh the linker cache. + +`meson build` has options that can be used to disable certain features, e.g. + +``` +# meson build -Dintrospection=false -Dgtkdoc=false -Dcli=false +``` + +will remove support for GObject introspection, Gtk documentation, and will only build the library without the command line tool. As a result, fewer libraries are needed for building and running the project. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/RELEASE new/libxmlb-0.3.18/RELEASE --- old/libxmlb-0.3.15/RELEASE 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/RELEASE 2024-04-09 22:24:57.000000000 +0200 @@ -2,9 +2,9 @@ 1. Write NEWS entries for libxmlb in the same format as usual. -git shortlog 0.3.14.. | grep -i -v trivial | grep -v Merge > NEWS.new +git shortlog 0.3.17.. | grep -i -v trivial | grep -v Merge > NEWS.new -Version 0.3.15 +Version 0.3.18 ~~~~~~~~~~~~~~ Released: 2024-xx-xx @@ -15,7 +15,7 @@ Commit changes to git: # MAKE SURE THESE ARE CORRECT -export release_ver="0.3.15" +export release_ver="0.3.18" git commit -a -m "Release libxmlb ${release_ver}" --no-verify git tag -s -f -m "Release libxmlb ${release_ver}" "${release_ver}" 
@@ -23,7 +23,8 @@ git push --tags git push gpg -b -a meson-dist/libxmlb-${release_ver}.tar.xz -scp meson-dist/libxmlb-${release_ver}.tar.* [email protected]:~/public_html/releases + +Upload release artifacts via https://github.com/hughsie/libxmlb/tags Do post release version bump in meson.build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/SECURITY.md new/libxmlb-0.3.18/SECURITY.md --- old/libxmlb-0.3.15/SECURITY.md 1970-01-01 01:00:00.000000000 +0100 +++ new/libxmlb-0.3.18/SECURITY.md 2024-04-09 22:24:57.000000000 +0200 @@ -0,0 +1,13 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 0.3.x | :white_check_mark: | +| 0.2.x | :x: | +| 0.1.x | :x: | + +## Reporting a Vulnerability + +We have enabled private reporting in GitHub, so please [follow these steps](https://github.com/hughsie/libxmlb/security) to report vulnerabilities. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/contrib/libxmlb.spec.in new/libxmlb-0.3.18/contrib/libxmlb.spec.in --- old/libxmlb-0.3.15/contrib/libxmlb.spec.in 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/contrib/libxmlb.spec.in 2024-04-09 22:24:57.000000000 +0200 @@ -6,7 +6,7 @@ Name: libxmlb Version: #VERSION# Release: 0.#BUILD#%{?alphatag}%{?dist} -License: LGPLv2+ +License: LGPL-2.1-or-later URL: https://github.com/hughsie/libxmlb Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/data/meson.build new/libxmlb-0.3.18/data/meson.build --- old/libxmlb-0.3.15/data/meson.build 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/data/meson.build 2024-04-09 22:24:57.000000000 +0200 
@@ -13,7 +13,7 @@ 'test.xml', 'test.xml.gz.gz.gz', 'test.xml.xz', - 'test.xml.zstd', + 'test.xml.zst', ], install_dir: installed_test_bindir, ) Binary files old/libxmlb-0.3.15/data/test.xml.zst and new/libxmlb-0.3.18/data/test.xml.zst differ Binary files old/libxmlb-0.3.15/data/test.xml.zstd and new/libxmlb-0.3.18/data/test.xml.zstd differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/meson.build new/libxmlb-0.3.18/meson.build --- old/libxmlb-0.3.15/meson.build 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/meson.build 2024-04-09 22:24:57.000000000 +0200 @@ -1,7 +1,7 @@ project('libxmlb', 'c', - version : '0.3.15', + version : '0.3.18', license : 'LGPL-2.1+', - meson_version : '>=0.47.0', + meson_version : '>=0.60.0', default_options : ['warning_level=2', 'c_std=c99'], ) @@ -131,13 +131,13 @@ gio = dependency('gio-2.0', version : '>= 2.45.8') giounix = dependency('gio-unix-2.0', version : '>= 2.45.8', required: false) -lzma = dependency('liblzma') -zstd = dependency('libzstd', required: false) -if get_option('zstd') - if not zstd.found() - error('libzstd is missing, please install it to continue!') - endif - conf.set('HAVE_ZSTD', 1) +lzma = dependency('liblzma', required: get_option('lzma')) +if lzma.found() + conf.set('HAVE_LZMA', 1) +endif +zstd = dependency('libzstd', required: get_option('zstd')) +if zstd.found() + conf.set('HAVE_ZSTD', 1) endif if giounix.found() conf.set('HAVE_GIO_UNIX', '1') 
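Review bot: With `required: get_option('lzma')` and `required: get_option('zstd')` in the `@@ -131,13 +131,13 @@` hunk of meson.build, and both options declared as `feature` without a `value` in meson_options.txt, a missing liblzma or libzstd no longer stops configuration. Before this change liblzma was a hard dependency and a missing libzstd raised `libzstd is missing, please install it to continue!`. A build in a minimal environment will now succeed and produce a library with no xz or zstd adapter, which consumers only notice at run time. I would add a comment above the two `dependency()` calls, `# feature options default to 'auto'; pass -Dlzma=enabled -Dzstd=enabled to make a missing library a configure error`, and report the outcome with a `summary()` call so it shows in the configure log. The same `.found()` results drive `libxmlb_deps` and `extra_sources` in the later meson.build and src/meson.build hunks; the spec hunk on this page only bumps the version, so whether the package passes these options is not visible here.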
@@ -151,10 +151,12 @@ libxmlb_deps = [ gio, - lzma ] -if get_option('zstd') - libxmlb_deps += zstd +if lzma.found() + libxmlb_deps += lzma +endif +if zstd.found() + libxmlb_deps += zstd endif # support stemming of search tokens if get_option('stemmer') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/meson_options.txt new/libxmlb-0.3.18/meson_options.txt --- old/libxmlb-0.3.15/meson_options.txt 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/meson_options.txt 2024-04-09 22:24:57.000000000 +0200 @@ -1,6 +1,17 @@ -option('gtkdoc', type : 'boolean', value : true, description : 'enable developer documentation') +option('gtkdoc',type : 'boolean', value : true, description : 'enable developer documentation') option('introspection', type : 'boolean', value : true, description : 'generate GObject Introspection data') option('tests', type : 'boolean', value : true, description : 'enable tests') option('stemmer', type : 'boolean', value : false, description : 'enable stemmer support') option('cli', type : 'boolean', value : true, description : 'build and install the xb-tool CLI') -option('zstd', type : 'boolean', value : true, description : 'enable zstd support') +option('lzma', + type: 'feature', + description : 'enable lzma (xz) support', +) +option('zstd', + type: 'feature', + description: 'enable zstd support', + deprecated: { + 'true': 'enabled', + 'false': 'disabled', + }, +) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/src/meson.build new/libxmlb-0.3.18/src/meson.build --- old/libxmlb-0.3.15/src/meson.build 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/src/meson.build 2024-04-09 22:24:57.000000000 +0200 
@@ -41,8 +41,11 @@ mapfile = 'libxmlb.map' vflag = '-Wl,--version-script,@0@/@1@'.format(meson.current_source_dir(), mapfile) extra_sources = [] -if get_option('zstd') - extra_sources += ['xb-zstd-decompressor.c'] +if zstd.found() + extra_sources += ['xb-zstd-decompressor.c'] +endif +if lzma.found() + extra_sources += ['xb-lzma-decompressor.c'] endif def_file_target = custom_target( @@ -67,7 +70,6 @@ 'xb-builder-source.c', 'xb-builder-source-ctx.c', 'xb-common.c', - 'xb-lzma-decompressor.c', 'xb-machine.c', 'xb-opcode.c', 'xb-node.c', @@ -97,7 +99,11 @@ libxmlb_dep = declare_dependency( link_with : libxmlb, include_directories : include_directories('.'), - dependencies : libxmlb_deps + dependencies : libxmlb_deps, + variables : { + 'lzma': '@0@'.format(lzma.found()), + 'zstd': '@0@'.format(zstd.found()), + }, ) if get_option('cli') @@ -135,6 +141,10 @@ name : 'libxmlb', filebase : 'xmlb', description : 'libxmlb is a library to create or query compressed XML files', + variables : { + 'lzma': '@0@'.format(lzma.found()), + 'zstd': '@0@'.format(zstd.found()), + }, ) if get_option('introspection') @@ -239,7 +249,6 @@ 'xb-builder-source.c', 'xb-builder-source-ctx.c', 'xb-common.c', - 'xb-lzma-decompressor.c', 'xb-machine.c', 'xb-node.c', 'xb-node-query.c', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/src/xb-builder-source.c new/libxmlb-0.3.18/src/xb-builder-source.c --- old/libxmlb-0.3.15/src/xb-builder-source.c 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/src/xb-builder-source.c 2024-04-09 22:24:57.000000000 +0200 @@ -14,7 +14,9 @@ #include "xb-builder-fixup-private.h" #include "xb-builder-source-ctx-private.h" #include "xb-builder-source-private.h" +#ifdef HAVE_LZMA #include "xb-lzma-decompressor.h" +#endif #ifdef HAVE_ZSTD #include "xb-zstd-decompressor.h" #endif 
@@ -530,6 +532,7 @@ return g_converter_input_stream_new(istream, conv); } +#ifdef HAVE_LZMA static GInputStream * xb_builder_source_load_lzma_cb(XbBuilderSource *self, XbBuilderSourceCtx *ctx, @@ -541,6 +544,8 @@ g_autoptr(GConverter) conv = G_CONVERTER(xb_lzma_decompressor_new()); return g_converter_input_stream_new(istream, conv); } +#endif + #ifdef HAVE_ZSTD static GInputStream * xb_builder_source_load_zstd_cb(XbBuilderSource *self, @@ -603,11 +608,13 @@ xb_builder_source_load_gzip_cb, NULL, NULL); +#ifdef HAVE_LZMA xb_builder_source_add_adapter(self, "application/x-xz,org.tukaani.xz-archive", xb_builder_source_load_lzma_cb, NULL, NULL); +#endif #ifdef HAVE_ZSTD xb_builder_source_add_adapter(self, "application/zstd", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/src/xb-self-test.c new/libxmlb-0.3.18/src/xb-self-test.c --- old/libxmlb-0.3.15/src/xb-self-test.c 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/src/xb-self-test.c 2024-04-09 22:24:57.000000000 +0200 @@ -175,7 +175,7 @@ {"test.xml", "application/xml"}, {"test.xml.gz.gz.gz", "application/gzip"}, {"test.xml.xz", "application/x-xz"}, - {"test.xml.zstd", "application/zstd"}, + {"test.xml.zst", "application/zstd"}, {NULL, NULL}}; for (guint i = 0; items[i].fn != NULL; i++) { gboolean ret; @@ -497,6 +497,12 @@ g_autoptr(XbBuilderSource) source = xb_builder_source_new(); g_autoptr(XbSilo) silo = NULL; +#ifndef HAVE_LZMA + /* not supported */ + g_test_skip("compiled without -Dlzma"); + return; +#endif + /* import a source file */ path = g_test_build_filename(G_TEST_DIST, "test.xml.xz", NULL); file_src = g_file_new_for_path(path); 
@@ -532,7 +538,7 @@ g_autoptr(XbSilo) silo = NULL; /* import a source file */ - path = g_test_build_filename(G_TEST_DIST, "test.xml.zstd", NULL); + path = g_test_build_filename(G_TEST_DIST, "test.xml.zst", NULL); file_src = g_file_new_for_path(path); if (!g_file_query_exists(file_src, NULL)) { g_test_skip("does not work in subproject test"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxmlb-0.3.15/src/xb-zstd-decompressor.c new/libxmlb-0.3.18/src/xb-zstd-decompressor.c --- old/libxmlb-0.3.15/src/xb-zstd-decompressor.c 2024-01-02 11:25:44.000000000 +0100 +++ new/libxmlb-0.3.18/src/xb-zstd-decompressor.c 2024-04-09 22:24:57.000000000 +0200 @@ -90,8 +90,6 @@ size_t res; res = ZSTD_decompressStream(self->zstdstream, &output, &input); - if (res == 0) - return G_CONVERTER_FINISHED; if (ZSTD_isError(res)) { g_set_error(error, G_IO_ERROR, @@ -102,7 +100,9 @@ } *bytes_read = input.pos; *bytes_written = output.pos; - return G_CONVERTER_CONVERTED; + + /* success */ + return res == 0 ? G_CONVERTER_FINISHED : G_CONVERTER_CONVERTED; } static void
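Review bot: The new `/* success */` comment in the `@@ -102,7 +100,9 @@` hunk of xb-zstd-decompressor.c does not say why the return moved, which is what a later maintainer needs to know. The removed early `return G_CONVERTER_FINISHED` ran before `*bytes_read` and `*bytes_written` were assigned, so output produced by the final `ZSTD_decompressStream()` call was never reported to the caller. I would replace the comment with `/* always report the counts first: the last call can both produce output and return 0 */`. Separately, `res == 0` means the current frame is fully decoded and flushed, so an input made of several concatenated zstd frames would presumably be reported as finished after the first frame; if such input is expected, also requiring `input.pos == input.size` before returning `G_CONVERTER_FINISHED` deserves a look. The enclosing function starts above the first hunk, and the setup of `input` and `output` is not visible here.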
