cmd/app: optional insecure options

These are useful for very specific cases by the maintainer. No app should ever require this. Signed-off-by: Ophestra <cat@gensokyo.uk>
internal/rosa/package/glib: 2.89.0 to 2.89.1
2026-06-26 21:56:07 +09:00 · 2026-06-26 11:33:10 +09:00 · 2026-06-26 11:29:27 +09:00 · 2026-06-25 20:29:18 +09:00 · 2026-06-25 20:28:48 +09:00 · 2026-06-25 14:08:07 +09:00
13 changed files with 99 additions and 22 deletions
@@ -207,6 +207,17 @@ func parse(
 			c.SchedPriority = ext.Int(v)
 			continue

+		case "insecure":
+			switch value {
+			case "pipewire":
+				*c.Enablements |= hst.EPipeWire
+				c.DirectPipeWire = true
+				continue
+
+			default:
+				return nil, fmt.Errorf("invalid insecure flag %q", value)
+			}
+
 		case "env":
 			if key, value, ok = strings.Cut(value, "="); !ok {
 				return nil, fmt.Errorf("invalid environment %q", key)
@@ -309,7 +320,10 @@ func parse(
 		c.SystemBus = nil
 	}

-	if c.Container.Flags&hst.FShareTmpdir == 0 {
+	if c.Container.Flags&hst.FShareTmpdir == 0 &&
+		(c.Enablements.Unwrap()&hst.EX11 == 0 ||
+			c.Container.Flags&(hst.FHostNet|hst.FHostAbstract) ==
+				hst.FHostNet|hst.FHostAbstract) {
 		c.Container.Filesystem = append(c.Container.Filesystem,
 			hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{
 				Target: fhs.AbsTmp,
@@ -33,8 +33,9 @@ func main() {
 	defer stop()

 	var (
-		flagVerbose bool
-		flagBase    string
+		flagVerbose  bool
+		flagBase     string
+		flagInsecure bool

 		base, template, initial *check.Absolute
 	)
@@ -61,6 +62,10 @@ func main() {
 		&flagBase,
 		"d", command.StringFlag("$ROSA_APP_PATH"),
 		"Configuration and state directory",
+	).Flag(
+		&flagInsecure,
+		"insecure", command.BoolFlag(false),
+		"Allow use of insecure compatibility options",
 	)

 	{
@@ -132,7 +137,7 @@ func main() {
 				if err != nil {
 					return err
 				}
-				err = run(ctx, msg, &config)
+				err = run(ctx, msg, false, &config)
 				return errors.Join(err, remove())
 			},
 		).Flag(
@@ -206,7 +211,7 @@ func main() {
 				if err = enterTemplate(base, name); err != nil {
 					return err
 				}
-				return run(ctx, msg, config, args[1:]...)
+				return run(ctx, msg, flagInsecure, config, args[1:]...)
 			},
 		).
 			Flag(
@@ -15,6 +15,7 @@ import (
 func run(
 	ctx context.Context,
 	msg message.Msg,
+	insecure bool,
 	config *hst.Config,
 	args ...string,
 ) error {
@@ -29,6 +30,9 @@ func run(
 	if msg.IsVerbose() {
 		cmd.Args = append(cmd.Args, "-v")
 	}
+	if insecure {
+		cmd.Args = append(cmd.Args, "--insecure")
+	}
 	cmd.Args = append(cmd.Args, "run", "3")
 	cmd.Args = append(cmd.Args, args...)

@@ -3,10 +3,10 @@ package curl {
 	website = "https://curl.se";
 	anitya = 381;

-	version# = "8.20.0";
+	version# = "8.21.0";
 	source = remoteTar {
 		url = "https://curl.se/download/curl-"+version+".tar.bz2";
-		checksum = "xyHXwrngIRGMasuzhn-I5MSCOhktwINbsWt1f_LuR-5jRVvyx_g6U1EQfDLEbr9r";
+		checksum = "lJSm8bVjS0OmsarEdbvejdQdvXsb7yGarlr6oMtA9FW1EXOga8zZxa1LPtfaq_qX";
 		compress = bzip2;
 	};

@@ -3,11 +3,11 @@ package glib {
 	website = "https://developer.gnome.org/glib";
 	anitya = 10024;

-	version# = "2.89.0";
+	version# = "2.89.1";
 	source = remoteGit {
 		url = "https://gitlab.gnome.org/GNOME/glib.git";
 		tag = version;
-		checksum = "4FXKhdS3pC98LevYa_h7piRylG86cZ_c9zAtGr78oHodU1ob8rBxGU0hoIZ4nzcA";
+		checksum = "9_6Eew2KIwa1AHopjU7CqC13_nur5FPJMu-iGUd7sD_1gAM1pa_HVUuAtqExJoYU";
 	};

 	files = {
@@ -2,11 +2,11 @@ package hakurei-source {
 	description = "hakurei source tree";
 	exclude = true;

-	version# = "0.4.4";
+	version# = "0.4.5";
 	output = remoteTar {
 		url = "https://git.gensokyo.uk/rosa/hakurei/archive/"+
 			"v"+version+".tar.gz";
-		checksum = "BCIKpRiVv2tDg8lyX1bG_VgTBBMFCByv726x6DfJ0LiRg5ma4T5fcxYUaQl8JMVB";
+		checksum = "5bvbuIRcDIrtijogwqXn3y8h5f3rVS4ZSVhOig6Galfzt3g-O3Ufb-tHL1kQCQWK";
 		compress = gzip;
 	};
 }
@@ -3,7 +3,7 @@ package libexpat {
 	website = "https://libexpat.github.io";
 	anitya = 770;

-	version# = "2.8.1";
+	version# = "2.8.2";
 	source = remoteGitHubRelease {
 		suffix = "libexpat/libexpat";
 		tag = "R_"+replace {
@@ -12,7 +12,7 @@ package libexpat {
 			new = "_";
 		};
 		name = "expat-"+version+".tar.bz2";
-		checksum = "iMEtbOJhQfGof2GxSlxffQSI1va_NDDQ9VIuqcPbNZ0291Dr8wttD5QecYyjIQap";
+		checksum = "98Pdyj5QtO7QRtNFXTWsCNCixQDx701ZGql2B-JIrTDkw49J5WXXUwnS4AdMlM4L";
 		compress = bzip2;
 	};

@@ -3,12 +3,12 @@ package libpsl {
 	website = "https://rockdaboot.github.io/libpsl";
 	anitya = 7305;

-	version# = "0.21.5";
+	version# = "0.22.0";
 	source = remoteGitHubRelease {
 		suffix = "rockdaboot/libpsl";
 		tag = version;
 		name = "libpsl-"+version+".tar.gz";
-		checksum = "XjfxSzh7peG2Vg4vJlL8z4JZJLcXqbuP6pLWkrGCmRxlnYUFTKNBqWGHCxEOlCad";
+		checksum = "sYrq75kNAJvU5gA2gv2tFYIFbFFit6PuYuW1tYSgcsJsIUzwMJTodofsaEGq3iGf";
 		compress = gzip;
 	};

@@ -21,5 +21,8 @@ test_disable 'int main(){return 0;}' tests/test-is-public-builtin.c

 	exec = make {};

-	inputs = [ python ];
+	inputs = [
+		pkg-config,
+		python,
+	];
 }
@@ -0,0 +1,32 @@
+package noto {
+	description = "a typeface for the world";
+	website = "https://fonts.google.com/noto";
+	anitya = 10671;
+
+	version# = "2026.06.01";
+	source = remoteGitHub {
+		suffix = "notofonts/notofonts.github.io";
+		tag = "noto-monthly-release-"+version;
+		checksum = "QpCYYssOY-OIFKn0_K_7JG7Ij2VDbIkccWrWTC4db1ZPPE1yZnLrf7Kja-IuB4XS";
+	};
+
+	enterSource = true;
+	exec = generic {
+		inPlace = true;
+		install = `
+DEST=/work/system/share/fonts/noto
+for font in $(ls -d fonts/*/); do
+	if [[ -d "$font"unhinted/variable-ttf ]]; then
+		install -m444 -vDt "$DEST" "$font"unhinted/variable-ttf/*.ttf
+	elif [[ -d "$font"unhinted/otf ]]; then
+		install -m444 -vDt "$DEST" "$font"unhinted/otf/*.otf
+	else
+		install -m444 -vDt "$DEST" "$font"unhinted/ttf/*.ttf
+	fi
+done
+rename -v 's/\[.*\]//' $DEST/*
+`;
+	};
+
+	inputs = [ rename ];
+}
@@ -124,11 +124,11 @@ package python-vcs-versioning {
 	website = "https://setuptools-scm.readthedocs.io/en/latest";
 	anitya = 389421;

-	version# = "2.1.1";
+	version# = "2.2.0";
 	source = remoteGitHub {
 		suffix = "pypa/setuptools-scm";
 		tag = "vcs-versioning-v"+version;
-		checksum = "9QRY65iBhyohRC0xPJeq4KUalL-a7p3qTPeD7Y7l6O4qMfvq0psg0X-bb4WPqdGW";
+		checksum = "SxG7WjLdbeqhQ8ikXCPS6VHGSGNk4GV-8Gz9MaKhuI4B539AWHq-jd4MlJnVjV6_";
 	};

 	env = [
@@ -158,11 +158,11 @@ package python-setuptools-scm {
 	website = "https://setuptools-scm.readthedocs.io/en/latest";
 	anitya = 7874;

-	version# = "10.1.2";
+	version# = "10.2.0";
 	source = remoteGitHub {
 		suffix = "pypa/setuptools-scm";
 		tag = "setuptools-scm-v"+version;
-		checksum = "pu9_XHYONnvziRwJ-Q44yjmCI0inPSCs0SvyAudTrpcdUluo65Fy-tmJkLgNOIzs";
+		checksum = "vbZMqPbhScSE5gQXHIvG3pPNw7Iqsi9sEpI13wPdTNQQYOI2skfCvwSTXLq9Ncq8";
 	};

 	env = [
@@ -0,0 +1,17 @@
+package rename {
+	description = "rename renames the filenames supplied according to the rule specified as the first argument";
+	website = "https://search.cpan.org/dist/rename";
+	anitya = 14302;
+
+	version# = "1.16.2";
+	// CPAN missing files
+	source = remoteGitHub {
+		suffix = "pstray/rename";
+		tag = "v"+version;
+		checksum = "4VTeBcv1-oa_OlxpKS4h9ZxZMEq1wrk8hzaiBVZTMYCVQ0adDZ8ubPZ3VFf6qqeo";
+	};
+
+	exec = makeMaker {};
+
+	runtime = [ perl ];
+}
@@ -2,10 +2,10 @@ package toybox-source {
 	description = "toybox source tree";
 	exclude = true;

-	version# = "0.8.13";
+	version# = "0.8.14";
 	output = remoteTar {
 		url = "https://landley.net/toybox/downloads/toybox-"+version+".tar.gz";
-		checksum = "rZ1V1ATDte2WeQZanxLVoiRGdfPXhMlEo5-exX-e-ml8cGn9qOv0ABEUVZpX3wTI";
+		checksum = "RZQp2CTsLt_y15vsZxwqUb2O1XfK7uvwn-2sTd38O4HAsFKPQpS1UP0brYJ3dRA-";
 		compress = gzip;
 	};
 }
@@ -2,6 +2,8 @@ package vim {
 	description = "a greatly improved version of the good old UNIX editor Vi";
 	website = "https://www.vim.org";
 	anitya = 5092;
+	exclude = true;
+	block = "not exposed to end users";

 	version# = "9.2.0707";
 	source = remoteGitHub {
Author	SHA1	Message	Date
cat	6863bcafd1	cmd/app: optional insecure options Test / Create distribution (push) Successful in 55s Details Test / Sandbox (push) Successful in 2m58s Details Test / ShareFS (push) Successful in 3m52s Details Test / Hakurei (push) Successful in 4m1s Details Test / Sandbox (race detector) (push) Successful in 5m35s Details Test / Hakurei (race detector) (push) Successful in 6m39s Details Test / Flake checks (push) Successful in 1m11s Details These are useful for very specific cases by the maintainer. No app should ever require this. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-26 21:56:07 +09:00
cat	39f023d0e5	internal/rosa/package/glib: 2.89.0 to 2.89.1 Test / Create distribution (push) Successful in 1m0s Details Test / Sandbox (push) Successful in 3m5s Details Test / ShareFS (push) Successful in 4m16s Details Test / Hakurei (push) Successful in 4m22s Details Test / Sandbox (race detector) (push) Successful in 5m56s Details Test / Hakurei (race detector) (push) Successful in 6m53s Details Test / Flake checks (push) Successful in 1m14s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-26 11:33:10 +09:00
cat	a8a2f692e7	internal/rosa/package/libexpat: 2.8.1 to 2.8.2 Test / Create distribution (push) Successful in 59s Details Test / Sandbox (push) Successful in 2m56s Details Test / ShareFS (push) Successful in 4m18s Details Test / Hakurei (push) Successful in 4m22s Details Test / Sandbox (race detector) (push) Successful in 5m48s Details Test / Hakurei (race detector) (push) Successful in 7m3s Details Test / Flake checks (push) Successful in 1m22s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-26 11:29:27 +09:00
cat	19f24c7206	internal/rosa/package/python: setuptools-scm 10.1.2 to 10.2.0 Test / Sandbox (push) Successful in 4m28s Details Test / Create distribution (push) Successful in 1m3s Details Test / ShareFS (push) Successful in 6m15s Details Test / Hakurei (push) Successful in 6m18s Details Test / Sandbox (race detector) (push) Successful in 7m33s Details Test / Hakurei (race detector) (push) Successful in 8m52s Details Test / Flake checks (push) Successful in 1m13s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-25 20:29:18 +09:00
cat	320432774a	internal/rosa/package/python: vcs-versioning 2.1.2 to 2.2.0 Test / Create distribution (push) Successful in 1m16s Details Test / Sandbox (push) Successful in 4m41s Details Test / Hakurei (push) Successful in 6m2s Details Test / ShareFS (push) Successful in 6m7s Details Test / Sandbox (race detector) (push) Successful in 7m46s Details Test / Hakurei (race detector) (push) Successful in 9m12s Details Test / Flake checks (push) Successful in 1m13s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-25 20:28:48 +09:00
cat	0721b0fe6d	internal/rosa/package/curl: 8.20.0 to 8.21.0 Test / Create distribution (push) Successful in 1m16s Details Test / Sandbox (push) Successful in 4m7s Details Test / Hakurei (push) Successful in 6m28s Details Test / ShareFS (push) Successful in 6m28s Details Test / Sandbox (race detector) (push) Successful in 7m40s Details Test / Hakurei (race detector) (push) Successful in 9m0s Details Test / Flake checks (push) Successful in 1m7s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-25 14:08:07 +09:00
cat	418e4a874d	internal/rosa/package/libpsl: 0.21.5 to 0.22.0 Test / Create distribution (push) Successful in 1m6s Details Test / Sandbox (push) Successful in 4m5s Details Test / Hakurei (push) Successful in 6m17s Details Test / ShareFS (push) Successful in 5m55s Details Test / Sandbox (race detector) (push) Successful in 7m21s Details Test / Hakurei (race detector) (push) Successful in 8m58s Details Test / Flake checks (push) Successful in 1m8s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-25 14:07:38 +09:00
cat	8378e7a2c9	internal/rosa/package/vim: annotate blocked update Test / Create distribution (push) Successful in 54s Details Test / Sandbox (push) Successful in 3m3s Details Test / Hakurei (push) Successful in 4m41s Details Test / ShareFS (push) Successful in 4m50s Details Test / Sandbox (race detector) (push) Successful in 6m46s Details Test / Hakurei (race detector) (push) Successful in 8m52s Details Test / Flake checks (push) Successful in 1m23s Details Releases are unreasonably frequent, and the package is never exposed to the end user and never expected to run unconfined or consume untrusted input. Additionally, upstream is accepting AI slop. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-25 14:06:03 +09:00
cat	6210c9f272	internal/rosa/package: noto Test / Create distribution (push) Successful in 58s Details Test / Sandbox (push) Successful in 2m42s Details Test / ShareFS (push) Successful in 3m49s Details Test / Hakurei (push) Successful in 4m1s Details Test / Sandbox (race detector) (push) Successful in 5m33s Details Test / Hakurei (race detector) (push) Successful in 6m43s Details Test / Flake checks (push) Successful in 1m7s Details Internationalisation is required anyway, so just package the entire noto fonts. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-24 10:45:01 +09:00
cat	c2038fa925	internal/rosa/package: rename Test / Create distribution (push) Successful in 52s Details Test / Sandbox (push) Successful in 2m52s Details Test / ShareFS (push) Successful in 3m56s Details Test / Hakurei (push) Successful in 4m6s Details Test / Sandbox (race detector) (push) Successful in 5m34s Details Test / Hakurei (race detector) (push) Successful in 6m45s Details Test / Flake checks (push) Successful in 1m20s Details Useful for packaging. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-24 10:39:38 +09:00
cat	d797cca1f2	internal/rosa/package/python: vcs-versioning 2.1.1 to 2.1.2 Test / ShareFS (push) Successful in 32s Details Test / Sandbox (race detector) (push) Successful in 36s Details Test / Sandbox (push) Successful in 40s Details Test / Create distribution (push) Successful in 58s Details Test / Hakurei (race detector) (push) Successful in 1m13s Details Test / Hakurei (push) Successful in 3m0s Details Test / Flake checks (push) Successful in 1m16s Details Another bug fix release already. Turns out upstream is using AI slop. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-24 09:52:59 +09:00
cat	2a51b433c8	cmd/app: exclude /tmp/ for X11 pathname socket Test / Create distribution (push) Successful in 1m1s Details Test / Sandbox (push) Successful in 2m57s Details Test / ShareFS (push) Successful in 4m1s Details Test / Hakurei (push) Successful in 4m3s Details Test / Sandbox (race detector) (push) Successful in 5m41s Details Test / Hakurei (race detector) (push) Successful in 6m37s Details Test / Flake checks (push) Successful in 1m10s Details This would otherwise cover the pathname socket. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-24 08:49:16 +09:00
cat	e5ce36532b	internal/rosa/package/toybox: 0.8.13 to 0.8.14 Test / Create distribution (push) Successful in 54s Details Test / Sandbox (push) Successful in 2m56s Details Test / ShareFS (push) Successful in 5m1s Details Test / Hakurei (push) Successful in 5m11s Details Test / Sandbox (race detector) (push) Successful in 7m10s Details Test / Hakurei (race detector) (push) Successful in 7m54s Details Test / Flake checks (push) Successful in 1m13s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-24 06:41:56 +09:00
cat	4c647388b0	internal/rosa/package/hakurei: 0.4.4 to 0.4.5 Test / Create distribution (push) Successful in 56s Details Test / Sandbox (push) Successful in 3m1s Details Test / ShareFS (push) Successful in 3m57s Details Test / Hakurei (push) Successful in 4m2s Details Test / Sandbox (race detector) (push) Successful in 5m31s Details Test / Hakurei (race detector) (push) Successful in 6m39s Details Test / Flake checks (push) Successful in 1m8s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-06-24 06:28:56 +09:00