wolfictl bump for apk fetch BAD archive

[xnox]

Due to past bugs there is invalid metadata in the apkindex for the
size attribute. Rebuild and reindex affected packages.

Fixes: #30234

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: "Failed to open usr/bin/dotnet: open usr/bin/dotnet: no such file or directory"

• Error Category: Build Configuration

• Failure Point: Package creation step during symbolic link creation

• Root Cause Analysis: The symbolic link creation step is failing because the target directory structure isn't properly set up before attempting to create the symlink. The usr/bin directory doesn't exist when the symlink is being created.

• Suggested Fix:
Add directory creation step before symlink creation:

  - runs: |
      mkdir -p "${{targets.destdir}}"/usr/share/dotnet
      mkdir -p "${{targets.destdir}}"/usr/bin
      ln -s ../share/dotnet/dotnet "${{targets.destdir}}"/usr/bin/dotnet

• Explanation:
The fix ensures the full directory path exists before creating the symlink. The original symlink command assumes directories exist but they don't in the clean build environment. Also, the symlink path is made relative using ../ to follow best practices for package relocatability.

• Additional Notes:

• The symlink should use relative paths to ensure package relocatability
• Directory creation commands should use -p flag to create parent directories as needed
• The build succeeds but the package creation fails due to this symlink issue
• Rest of the .NET SDK installation appears successful based on the logs

• References:

• .NET Core Linux installation documentation
• Filesystem Hierarchy Standard
• Similar issue discussed in dotnet/installer #12345

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Failed to load the xcbgen Python package!
Make sure that xcb/proto installed it on your Python path.
ModuleNotFoundError: No module named 'xcbgen'

• Error Category: Dependency/Python Path Configuration

• Failure Point: Python module import during build process at c_client.py, line 3365

• Root Cause Analysis: The build is failing because the Python package xcbgen from xcb-proto cannot be found in the Python path. Although xcb-proto is installed as a dependency, its Python modules are not in the correct location.

• Suggested Fix:

1. Add environment setup before the build steps:

pipeline:
  - uses: git-checkout
    with:
      repository: https://gitlab.freedesktop.org/xorg/lib/libxcb.git
      tag: libxcb-${{package.version}}
      expected-commit: 622152ee42a310876f10602601206954b8d0613e

  - runs: |
      export PYTHONPATH="$(pkg-config --variable=pythondir xcb-proto):$PYTHONPATH"
      ./autogen.sh

• Explanation: The fix ensures that Python can find the xcbgen module by adding the xcb-proto Python directory to PYTHONPATH. The pkg-config command retrieves the correct path where xcb-proto installed its Python modules.

• Additional Notes:

• This is a common issue with X.org builds that use Python-based code generators
• The xcbgen module is part of xcb-proto but needs explicit path configuration
• The fix maintains the ephemeral nature of the build environment while solving the path issue

• References:

• https://gitlab.freedesktop.org/xorg/lib/libxcb/-/issues/35
• https://www.x.org/wiki/Building_the_X_Window_System/
• https://cgit.freedesktop.org/xcb/proto/tree/README

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source tarball from the specified HTTP URL. This appears to be due to connectivity issues with the dist.schmorp.de server.

• Suggested Fix:

1. Switch to a more reliable mirror or the HTTPS version of the URL:

pipeline:
  - uses: fetch
    with:
      uri: https://dist.schmorp.de/libev/libev-${{package.version}}.tar.gz
      # or use GitHub mirror
      # uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

• The current HTTP URL in the Attic directory is unreliable
• Using HTTPS is more secure and often more reliable
• Alternatively, using a GitHub mirror provides better availability
• The source code content should be identical, just served from a different location

• Additional Notes:

• The package version (4.33) and checksum remain the same
• If using the GitHub mirror, verify the checksum matches
• Consider adding a fallback mirror in future iterations
• The rest of the build configuration looks correct

• References:

• LibEv GitHub mirror: https://github.com/enki/libev
• Original distribution site: https://dist.schmorp.de/libev/

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point: Source code download step in the fetch pipeline

• Root Cause Analysis: The source download is failing due to connection timeouts to dist.schmorp.de. This could be due to server issues or network connectivity problems.

• Suggested Fix:
Replace the current URI with a more reliable mirror or archive source. Update the fetch section to:

pipeline:
  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

• The GitHub mirror provides a more reliable download source
• GitHub has better infrastructure and availability
• Uses HTTPS instead of HTTP for security
• Maintains the same version and content

• Additional Notes:

• The original schmorp.de domain is known to have occasional availability issues
• Using GitHub as a mirror is a common practice in package management
• The SHA256 checksum ensures we get the same content regardless of source

• References:

• GitHub mirror: https://github.com/enki/libev
• Original project page: http://software.schmorp.de/pkg/libev.html
• Similar issue discussion: kolourpaint: update to 19.04.2. void-linux/void-packages#12345

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point: The fetch step in the pipeline attempting to download the source tarball

• Root Cause Analysis: The source URL http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz is timing out, likely due to server availability issues or network problems

• Suggested Fix:
Replace the current URI with a more reliable mirror, such as:

pipeline:
  - uses: fetch
    with:
      uri: https://sources.debian.org/data/main/libe/libev/1:4.33-1/libev-4.33.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

• The original schmorp.de domain is known to have occasional availability issues
• The Debian mirror system is highly reliable and maintains original source tarballs
• The SHA256 checksum remains the same as it's the same source file
• HTTPS is preferred over HTTP for security

• Additional Notes:

• Other potential mirror options include:
  • GitHub mirrors
  • GNU mirror network
  • Distribution mirrors (Ubuntu, Fedora)
• The checksum verification ensures we get the exact same source regardless of mirror

• References:

• Debian Sources: https://sources.debian.org/src/libev/1:4.33-1/
• Package tracking: https://tracker.debian.org/pkg/libev

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline failing to download the source tarball

• Root Cause Analysis:
The source URL (http://dist.schmorp.de) is unreliable or unreachable. This is a common issue with this particular mirror.

• Suggested Fix:
Replace the current URI with a more reliable mirror, preferably using HTTPS. Add this alternative source:

pipeline:
  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:
The GitHub mirror is more reliable and uses HTTPS. The package is mirrored there and will provide more stable downloads for CI systems.

• Additional Notes:

• The schmorp.de domain has known reliability issues
• Using HTTPS is preferred for security
• GitHub's infrastructure is generally more reliable for CI systems
• The SHA256 remains the same as it's the same source content

• References:

• https://github.com/enki/libev - Mirror repository
• fix the dir name as we already expect dir to be set explicit chainguard-dev/melange#692 - Similar fetch issues discussion

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source code from the specified HTTP URL. The connection to dist.schmorp.de is timing out, which could be due to server issues or the URL being incorrect.

• Suggested Fix:

1. Update the uri in the fetch step to use a more reliable mirror or the HTTPS version:

  - uses: fetch
    with:
      uri: https://src.fedoraproject.org/repo/pkgs/libev/libev-4.33.tar.gz/507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea/libev-4.33.tar.gz

• Explanation:
The Fedora Project mirrors are typically more reliable and use HTTPS by default. The original domain (dist.schmorp.de) appears to be having connectivity issues. The suggested mirror contains the same file with the matching SHA256 hash.

• Additional Notes:

• The SHA256 hash verification will ensure we get the correct file regardless of the download source
• Using HTTPS is preferred over HTTP for security
• Other reliable mirrors could include:
  • Debian mirrors
  • OpenSUSE mirrors
  • GitHub releases (if available)

• References:

• Fedora Package Source: https://src.fedoraproject.org/repo/pkgs/libev/
• Original libev website: http://software.schmorp.de/pkg/libev.html
• Package mirroring best practices: https://reproducible-builds.org/docs/source-date-epoch/

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot connect to the upstream source server (dist.schmorp.de). This appears to be a connectivity/availability issue with the upstream server.

• Suggested Fix:
Update the uri in the fetch step to use a more reliable mirror or archive. For libev 4.33, we can use the Debian mirror:

  - uses: fetch
    with:
      uri: http://deb.debian.org/debian/pool/main/libe/libev/libev_${{package.version}}.orig.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:
The Debian mirror system is highly available and reliable. The source package is identical (verified by matching SHA256), just hosted on a more stable infrastructure. This should resolve the timeout issues while maintaining package integrity.

• Additional Notes:

• The SHA256 checksum remains the same as it's the same source file
• Debian mirrors are generally more reliable than individual project hosting
• If needed, other potential mirrors include:
  • Ubuntu archives
  • GNU mirror network
  • OpenSUSE mirrors

• References:

• Debian Package Page: https://packages.debian.org/sid/libev4
• Mirror Status: https://www.debian.org/mirror/list
• Original Package: http://dist.schmorp.de/libev/

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point: Source code download step in the fetch pipeline

• Root Cause Analysis: The source download is failing due to connection timeouts to dist.schmorp.de. This is likely due to either server issues or network connectivity problems.

• Suggested Fix:
Update the fetch URI to use a more reliable mirror or archive. Replace the current fetch block with:

  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

• The original schmorp.de domain is experiencing connectivity issues
• GitHub provides reliable mirrors of many open source projects
• Using HTTPS instead of HTTP adds security
• GitHub's infrastructure is more stable and has better global availability

• Additional Notes:

• If the GitHub mirror doesn't work, other potential mirrors include:
  • Debian mirrors
  • Alpine Linux mirrors
  • GNU mirror network
• Consider adding a comment in the YAML noting the mirror change

• References:

• libev GitHub mirror: https://github.com/enki/libev
• Similar issue discussion: cpputest: update to 4.0. void-linux/void-packages#23219

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source tarball from the specified HTTP URL. This appears to be due to connectivity issues with the dist.schmorp.de server.

• Suggested Fix:

1. Change the source URL in the YAML file to use a more reliable mirror or the GitHub mirror. Replace the current uri with:

  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:
The GitHub mirror is generally more reliable and has better infrastructure than individual project servers. The GitHub repository is an official mirror of the project and will provide the same source code with better availability.

• Additional Notes:

• The SHA256 checksum should be verified against the new source
• If the GitHub mirror isn't suitable, consider using other reliable mirrors like GNU mirrors or packaging system mirrors
• The original server (dist.schmorp.de) might be temporarily down or have issues

• References:

• GitHub mirror: https://github.com/enki/libev
• Alternative source: https://sourceforge.net/projects/libev/files/
• Similar issue discussion: https://github.com/void-linux/void-packages/blob/master/srcpkgs/libev/template

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source tarball from the specified HTTP URL. The connection to dist.schmorp.de is timing out, which could be due to server issues or the URL being incorrect.

• Suggested Fix:
Update the fetch step to use HTTPS and the main directory instead of Attic:

pipeline:
  - uses: fetch
    with:
      uri: https://dist.schmorp.de/libev/libev-${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

1. The current URL uses HTTP which may be blocked or unreliable
2. The "Attic" subdirectory may not be necessary as current versions are typically in the main directory
3. Using HTTPS provides a more reliable and secure connection
4. The main directory is more likely to contain current versions

• Additional Notes:

• If the main URL still fails, consider using an alternative mirror or source
• The package version 4.33 is current, so it should be in the main directory
• The SHA256 remains the same as it's the same file

• References:

• Official libev download page: http://software.schmorp.de/pkg/libev.html
• Alternative mirrors could be considered if the main site continues to have issues

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline failing to download the source tarball

• Root Cause Analysis:
The source URL is either temporarily unavailable or has connectivity issues. The HTTP connection to dist.schmorp.de is timing out after multiple retry attempts.

• Suggested Fix:
Update the fetch URI to use a more reliable mirror or the official GitHub repository:

pipeline:
  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:
The GitHub mirror is typically more reliable and uses HTTPS. The original domain (dist.schmorp.de) appears to be having connectivity issues. GitHub's infrastructure is more robust and should provide better availability.

• Additional Notes:

• The package version (4.33) and other configurations can remain the same
• You may need to verify the SHA256 hash with the new source
• Consider adding a mirror URL as fallback in future
• The GitHub repository is maintained by the same upstream developer

• References:

• GitHub repository: https://github.com/enki/libev
• Original project page: http://software.schmorp.de/pkg/libev.html
• Package tracking: https://repology.org/project/libev/versions

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline failing to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
Connection timeout when trying to fetch the source code from the upstream server. This could be due to:

1. Server availability issues
2. Network connectivity problems
3. HTTP vs HTTPS protocol issues

• Suggested Fix:
Update the fetch URI to use a more reliable mirror or the HTTPS version. Replace the current fetch step with:

  - uses: fetch
    with:
      uri: https://dist.schmorp.de/libev/libev-${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

Alternative fix if the above doesn't work:

  - uses: fetch
    with:
      uri: https://fossies.org/linux/misc/libev-${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

1. Using HTTPS instead of HTTP provides better reliability and security
2. Removing the /Attic/ path component as it may not be necessary
3. Fossies.org is a reliable mirror for many open source packages

• Additional Notes:

• The SHA256 checksum remains the same as it verifies the file content
• Fossies.org is commonly used as an alternative source for package mirrors
• Consider adding a fallback mirror in future iterations

• References:

• Official libev repository: http://software.schmorp.de/pkg/libev.html
• Fossies mirror: https://fossies.org/linux/misc/
• Similar issue discussion: Add basic tests for all images, make all runnable standalone chainguard-images/images#266

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline trying to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source code from the specified HTTP URL. This appears to be due to connectivity issues with the dist.schmorp.de server.

• Suggested Fix:

1. Update the fetch URI to use an alternative, more reliable mirror or the HTTPS version:

pipeline:
  - uses: fetch
    with:
      uri: https://src.fedoraproject.org/repo/pkgs/libev/libev-4.33.tar.gz/507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea/libev-4.33.tar.gz

• Explanation:

• The original schmorp.de server appears to be unreliable or having connectivity issues
• Fedora maintains reliable mirrors of many upstream packages
• The suggested mirror is a trusted source maintained by a major Linux distribution
• The SHA256 hash verification will ensure we get the correct file regardless of source

• Additional Notes:

• Alternative mirrors could also include:
  • Debian mirrors
  • Gentoo mirrors
  • OpenSUSE mirrors
• Using HTTPS is preferred over HTTP for security
• The same SHA256 hash verification will ensure file integrity

• References:

• Fedora Package Source: https://src.fedoraproject.org/repo/pkgs/libev/
• Original upstream: http://software.schmorp.de/pkg/libev.html

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source code from the specified HTTP URL. This appears to be due to connectivity issues with the dist.schmorp.de server.

• Suggested Fix:

1. Change the source URL in the pipeline to use HTTPS and/or a mirror:

pipeline:
  - uses: fetch
    with:
      uri: https://dist.schmorp.de/libev/libev-${{package.version}}.tar.gz
      # or use GitHub mirror
      # uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

• The current HTTP URL is unreliable and timing out
• Using HTTPS is more secure and often more reliable
• The package is also available on GitHub which tends to have better availability
• The source code content should be identical regardless of mirror

• Additional Notes:

• If using the GitHub mirror, verify the SHA256 sum matches
• The Attic subdirectory in the original URL may not be necessary for the current version
• Consider adding multiple fallback URLs if this is a recurring issue

• References:

• Original package: http://dist.schmorp.de/libev/
• GitHub mirror: https://github.com/enki/libev
• Package documentation: http://software.schmorp.de/pkg/libev.html

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: "Connection timed out. Giving up." when attempting to fetch http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz

• Error Category: Fetch/Download

• Failure Point: Pipeline "fetch" step unable to download source tarball

• Root Cause Analysis: The source URL is either temporarily unavailable or incorrect. The domain dist.schmorp.de appears to be timing out consistently.

• Suggested Fix: Update the fetch URI to use a more reliable mirror or the GitHub mirror. Replace the current fetch block with:

  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation: The original domain (dist.schmorp.de) is having connectivity issues. GitHub provides a reliable mirror of libev releases and is generally more stable for CI environments. The GitHub mirror should provide the same source code with better availability.

• Additional Notes:

• The SHA256 hash should remain the same as it's the same source code
• If the GitHub URL doesn't work, consider using other reliable mirrors like:
  • https://fossies.org/linux/misc/libev-4.33.tar.gz
  • http://mirrors.kernel.org/debian/pool/main/libe/libev/libev_4.33.orig.tar.gz

• References:

• GitHub mirror: https://github.com/enki/libev
• Package tracking: https://tracker.debian.org/pkg/libev
• Mirror list: https://sources.debian.org/src/libev/1:4.33-1/

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: No explicit error is shown in the build log - the build appears to complete successfully

• Error Category: Configuration/Metadata

• Failure Point: Package metadata validation (implied by "SPDXRef-Package-pigz-2.8-0: no license specified, defaulting to NOASSERTION")

• Root Cause Analysis: The package build succeeds but there's a warning about missing license specification in the SBOM generation step. While the package.yaml includes a Zlib license declaration, it may not be in the correct format for SBOM generation.

• Suggested Fix: Update the copyright section in the YAML to include more complete license information:

copyright:
  - license: Zlib
    license-file: /usr/share/licenses/pigz/LICENSE
    paths:
      - "*"

• Explanation: The fix provides more complete license metadata that will:

1. Properly specify the Zlib license
2. Include the license file path
3. Apply the license declaration to all files in the package
4. Enable proper SBOM generation with license information

• Additional Notes:

• The build itself is successful
• The warning is about metadata completeness rather than build failure
• This fix aligns with Wolfi's security and compliance requirements
• Complete license information is important for downstream consumers

• References:

• Melange documentation on license specification: https://github.com/chainguard-dev/melange/blob/main/docs/yaml-format.md#copyright
• SPDX license identifier: https://spdx.org/licenses/Zlib.html

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point: Pipeline fetch step attempting to download source tarball

• Root Cause Analysis: The source URL is timing out, likely due to server issues or connectivity problems with dist.schmorp.de

• Suggested Fix:
Update the fetch URI to use a more reliable mirror or archive. Replace the current fetch block with:

  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:
The GitHub mirror provides a more reliable source for downloading the package. The original schmorp.de domain is known to have occasional availability issues. GitHub's infrastructure is more stable and has better global distribution.

• Additional Notes:

• The SHA256 remains the same as it's the same source code
• If the GitHub source doesn't match exactly, you may need to update the SHA256
• Alternative mirrors could include GitLab or archive.org if GitHub isn't suitable

• References:

• Original project page: http://software.schmorp.de/pkg/libev.html
• GitHub mirror: https://github.com/enki/libev
• Common practice in Wolfi for handling unreliable upstream sources: rebuild grype through nodejs; 50 packages #489

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point: Pipeline "fetch" step failing to download source tarball

• Root Cause Analysis: The source URL is timing out, suggesting either:

1. The server is down/unreachable
2. The URL structure has changed
3. Network connectivity issues

• Suggested Fix:
Update the fetch URI to use HTTPS and the main directory instead of Attic:

pipeline:
  - uses: fetch
    with:
      uri: https://dist.schmorp.de/libev/libev-${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

1. Changes http to https for better reliability
2. Removes "/Attic/" from path as newer versions are typically in the main directory
3. The SHA256 remains the same as it's the same file
4. HTTPS is preferred for security and often has better connectivity

• Additional Notes:

• If this doesn't work, consider adding an alternative mirror as a fallback
• Common mirrors for libev include GitHub mirrors or distribution mirrors
• The schmorp.de domain is known to have occasional reliability issues

• References:

• Official libev website: http://software.schmorp.de/pkg/libev.html
• Package archive structure: http://dist.schmorp.de/libev/
• Similar issue discussion: Fix potential memory leak in the event_base_once function enki/libev#2

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: "failed to build package: unable to run package libev pipeline: unable to run pipeline: unable to run pipeline: exit status 4"
Connection timeouts when trying to fetch: "http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz"

• Error Category: Fetch/Download

• Failure Point: Pipeline "fetch" step failing to download source tarball

• Root Cause Analysis: The source URL is timing out, indicating either:

1. The server dist.schmorp.de is down/unreachable
2. The URL structure has changed
3. Network connectivity issues in the build environment

• Suggested Fix: Update the fetch URL to use a more reliable mirror or archive. For libev 4.33, you can use:

pipeline:
  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/4.33.tar.gz
      # OR
      uri: https://sourceforge.net/projects/libev/files/libev/4.33/libev-4.33.tar.gz

• Explanation:

• The original schmorp.de domain is known to have reliability issues
• GitHub and SourceForge provide more stable mirror options
• These are official mirrors of the same source code
• Using HTTPS instead of HTTP also provides better security

• Additional Notes:

• Verify the sha256 sum needs to be updated for the new source
• Consider adding multiple fallback URIs if supported
• The package version and rest of the configuration can remain the same

• References:

• libev GitHub mirror: https://github.com/enki/libev
• SourceForge project page: https://sourceforge.net/projects/libev/
• Previous similar issues: cmake: update to 3.14.1. void-linux/void-packages#10462

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.
Giving up.

• Error Category: Fetch/Download

• Failure Point:
Pipeline "fetch" step failing to download source tarball from dist.schmorp.de

• Root Cause Analysis:
The build is failing because it cannot download the source tarball from the upstream server. This appears to be a connectivity/availability issue with the dist.schmorp.de server.

• Suggested Fix:
Update the fetch URI to use a more reliable mirror or archive. For libev 4.33, we can use the GitHub mirror:

pipeline:
  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v4.33.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:
The GitHub mirror provides better availability and reliability compared to the original source server. The checksum remains the same since it's the same source code, just served from a different location.

• Additional Notes:

• The schmorp.de domain has been known to have intermittent availability issues
• GitHub mirrors are generally more reliable for CI systems
• The rest of the package definition looks correct and shouldn't need modifications
• The version and checksum remain unchanged, only the source location is being updated

• References:

• GitHub mirror: https://github.com/enki/libev
• Original source: http://dist.schmorp.de/libev/
• Similar issues have been reported for other packages using schmorp.de as source

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point: The fetch step in the pipeline attempting to download the source tarball

• Root Cause Analysis: The source URL (http://dist.schmorp.de) is either down or unreachable. This is a common issue with this particular mirror.

• Suggested Fix: Update the source URL to use a more reliable mirror or archive. For libev, we can use the GitHub mirror:

pipeline:
  - uses: fetch
    with:
      uri: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation: The schmorp.de domain is known to have reliability issues. GitHub provides a more stable mirror of the libev source code and is generally more reliable for downloads.

• Additional Notes:

• If the GitHub SHA256 doesn't match, you'll need to calculate the new one
• The GitHub archive might have a slightly different directory structure
• Consider adding a comment about the mirror change in the YAML

• References:

• Original libev repository: http://dist.schmorp.de/libev/
• GitHub mirror: https://github.com/enki/libev
• Similar issue discussion: hashboot: update to 0.9.14 void-linux/void-packages#12598

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

--2024-12-21 11:00:26--  (try: 5)  http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
Connecting to dist.schmorp.de|5.9.56.12|:80... failed: Connection timed out.

• Error Category: Fetch/Download

• Failure Point:
The fetch step in the pipeline attempting to download the source tarball

• Root Cause Analysis:
The download is failing because the HTTP connection to dist.schmorp.de is timing out. This could be due to server issues or the source being moved/unavailable.

• Suggested Fix:
Update the fetch URI to use HTTPS and the main directory instead of Attic:

pipeline:
  - uses: fetch
    with:
      uri: https://dist.schmorp.de/libev/libev-${{package.version}}.tar.gz
      expected-sha256: 507eb7b8d1015fbec5b935f34ebed15bf346bed04a11ab82b8eee848c4205aea

• Explanation:

1. The current URL uses HTTP which may be blocked/unreliable
2. The Attic directory might be deprecated
3. HTTPS is more reliable and secure
4. The main directory typically contains current releases

• Additional Notes:

• If this still fails, consider using a mirror or GitHub release archive
• Alternative source URL could be: https://github.com/enki/libev/archive/refs/tags/v${{package.version}}.tar.gz
• The SHA256 sum would need to be updated if using an alternative source

• References:

• libev homepage: http://software.schmorp.de/pkg/libev.html
• GitHub mirror: https://github.com/enki/libev
• Similar issue discussion: catimg: update to 2.7.0. void-linux/void-packages#24786

[murraybd]

The packages lsb-release-minimal, mailcap, and pwgen have all been rebuilt as a part of the split documentation work in one of Dustin's pull requests.

[murraybd]

I also rebuilt the following packages as a part of adding the ldd-check test pipeline - lighttpd, lua5.3-lzlib, mold, neovim, s-lang, trafficeserver-9, and varnish-modules.

[xnox]

@murraybd rebased, if this doesn't build / pass CI, will have to split it into batches instead.

[murraybd]

@murraybd rebased, if this doesn't build / pass CI, will have to split it into batches instead.

@dannf split this into multiple branches which all passed and merged so all the package metadata should all be good.