git.ipfire.org Git - thirdparty/libarchive.git/log

tests: setenv LANG to en_US.UTF-8 in bsdunzip test_I.c

archive_string: Clean up strncat_from_utf8_to_utf8 (#2147)

Replace some tricky direct manipulation of string internals with simpler
and safer high-level string APIs.

lha: Do not allow negative file sizes (#2155)

Files sizes cannot be negative, so abort lha processing if archive
claims otherwise.

archive_match: Turn counter into flag (#2154)

When working with matches, the code does not care about the actual
amount of times when it matched, but just if it matched so far at least
once or never.

Turning the counter into a boolean flag has the advantage that even
insanely huge archives will never lead to integer overflow here.

archive_match: check archive_read_support_format_raw() return value (#2153)

If call of archive_read_support_format_raw fails, do not override the
error return value with the return value of
archive_read_support_format_empty(). Instead, return error code as expected.

fix: OOB in rar audio filter (#2149)

This patch ensures that `src` won't move ahead of `dst`, so `src` will
not OOB. Similar situation like in a1cb648.

fix: OOB in rar delta filter (#2148)

Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
Since `dst` won't move in this function, and we are only increasing `src`
position, this check should be enough. It should be safe to early return
because this function does not allocate resources.

xar: Fix another infinite loop and expat error handling (#2150)

Fixes two issues:
- expat code keeps track of error conditions
- adding link=original multiple times is prohibited

bsdtar: Fix error handling around strtol() usages (#2110)

The code here had a couple of bad code patterns that seem to have been
copied throughout:
* Checking errno after strtol() -- Standard C doesn't seem to actually
require this, so we shouldn't rely on it
* Casting the result of strtol() directly to `int`. This loses
information prematurely.

Instead, I've added `l` as a temporary of type `long`, use that to hold
the result of `strtol()` until it can be checked. I've also removed the
`errno` tests in favor of checking the end pointer value.

The limit for --strip-components has been raised to 100 000.

Fix typos (#2143)

Fix typos in comments, documentation, and error messages.

warc: Check realloc return value (#2144)

Since realloc could fail, check its return value and set a proper error
message.

zip: Fix out of boundary access (#2145)

If a ZIP file contains a file with an empty name and mac-ext option is
set, then a check accesses memory out of bound of `name`.

CI: bump the all-actions group with 3 updates (#2140)

Updates actions/checkout from 4.1.2 to 4.1.3
Updates actions/upload-artifact from 4.3.1 to 4.3.3
Updates github/codeql-action from 3.24.8 to 3.25.2

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

CI: add "CI" prefix to dependabot commit messages

zstd: Implement core detection on Windows

Fixes #2071

Co-authored-by: Mostyn Bramley-Moore <mostyn@antipode.se>

zstd: Implement core detection (#2083)

The bsdtar manual page claims that setting zstd:threads to 0 tells zstd
to use as many threads as there are cores in the system, but it actually
disables multi-threading. Replace 0 with the number of configured
processors.

While here, add a previously missing overflow check.

Co-authored-by: Martin Matuska <martin@matuska.de>

CI: add libxml2 to MacOS test build

xar: Avoid infinite link loop (#2123)

A file may have only one link target at a time. Otherwise the internal
link structure could loop. Besides, a hard link realistically can only
link to one file, not multiple ones.

Consider such an archive invalid.

Co-authored-by: Martin Matuska <martin@matuska.de>

rar: Avoid overwriting data at "end" of circular window buffer (#2124)

fix "File CRC Error" when extracting specific rar4 archives

Fixes #1794

unzip: explicitly set en_US.UTF-8 locale in test_I.c

fix: OOB in rar e8 filter (#2135)

This patch fixes an out-of-bound error in rar e8 filter.

Update AppleDouble support for directories (#2108)

This is a clone of the reverted pull request #2100. Due to the latest
circumstances we should require a more deep review of each new PR.

---------

Co-authored-by: Justin Vreeland <j_vreeland@apple.com>

7zip: Limit amount of properties (#2131)

The uint64_t variable propertiesSize is eventually casted to size_t
which, on 32 bit systems, can result in integer truncation.

In such a situation, it is possible that less than the minimum of 5
properties are parsed and processed, which will result in out of
boundary reads in init_decompression because the error check `if
(coder1->propertiesSize < 5)` still takes the uint64_t variable into
account.

[Windows] Ignore more directories generated by Visual Studio (#2133)

Compiling libarchive with Visual Studio (not Visual Studio Code)
generates files in different directories.

Ignore these as well.

tests: fix null format string error in test_compat_lzip.c

Change CMAKE_BUILD_TYPE comparison to be case-insensitive (#2130)

Currently the `CMAKE_BUILD_TYPE` is being compared in a case-sensitive
way. It seems current CMake documentation [suggests treating this in a
case-insensitive manner
now-a-days](https://cmake.org/cmake/help/latest/manual/cmake-buildsystem.7.html#case-sensitivity).

This being case-sensitive creates needless complexities in other
projects if they compile their own project with `cmake
-DCMAKE_BUILD_TYPE=release ..`, etc. In this specific case, libarchive
has a fatal error due to the lowercase `release`.

I'd honestly like to remove these comparisons entirely; as I'm not sure
if they're really needed or not if `libarchive` is only using the
Makefile or Ninja generators with CMake.

This PR changes the `CMAKE_BUILD_TYPE` comparison to be
case-insensitive, and leaves the rest alone.

This should also fix the following issue(s):
* https://github.com/libarchive/libarchive/issues/1792

Never allow empty passwords (#2116)

Passwords for encryption must not be empty. Neither through command line
option nor through interactive input.

With this PR applied:
```
$ bsdtar --format zip --options zip:encryption -cf archive.zip input.txt
Enter passphrase: <press enter>
bsdtar: Encryption needs passphrase
```

Output with command line argument (unaffected by this PR):
```
$ bsdtar --format zip --options zip:encryption --passphrase '' -cf archive.zip input.txt
bsdtar: Empty passphrase is unacceptable
```

The outputs differ due to internal difference in handling the results.

It is still possible to supply a passphrase through command line
argument which cannot be entered interactively, i.e. $'\r\n'. See
https://github.com/libarchive/libarchive/pull/2115 for more details.

Improve newline handling on Windows (#2115)

If libarchive is compiled on Windows without cygwin, strip \r and \n the
same way as it is done on POSIX systems.

Also, entering an empty password as "\r\n" should lead to an empty
string. Right now, the newlines are kept.

Proof of Concept:

1. Compile libarchive with Visual Studio
2. Create a password-protected ZIP file
```
PS> bsdtar.exe --format zip --options 'zip:encryption' -cf archive.zip input.txt
Enter passphrase: <press enter>
```
3. Extract ZIP file on Windows
```
PS> bsdtar.exe -xf archive.zip
Enter passphrase: <press enter>
```
4. Extract ZIP file on Linux
```
$ bsdtar -xf archive.zip
Enter passphrase: <press enter>
Enter passphrase:
```

As can be seen in step 4, it is impossible to extract the file on Linux
with interactive input, because \r and \n are stripped.
The only way to extract the content is through command line option
passphrase:
```
$ bsdtar -xf archive.zip --passphrase $'\r\n'
```

It's also true the other way around: Creating a ZIP file with an empty
password on Linux cannot be extracted interactively on Windows. Not
allowing empty passwords at all should be part of another PR. This one
is about unifying Windows and POSIX systems regarding newline handling.

[Windows] Ignore files generated by Visual Studio with CMake (#2120)

These files are created when building libarchive within Visual Studio
Code, its CMake plugin and Visual Studio 2022 as compiler.

Without this change, Visual Studio Code shows hundreds of files in
GitLense plugin waiting to be commited.

tools: Fix stack overflow with many arguments (#2122)

Supplying a lot of "-" arguments to tools can lead to stack overflow due
to recursive *_getopt function calls.

Proof of Concept:

1. Compile libarchive with Visual Studio 2022
2. Call bsdtar with insane amount of arguments
```
PS> bsdtar.exe ("- "*10000).split(" ")
```
The event log shows that bsdtar.exe failed with `0xc00000fd` (stack
overflow).

If compiled with gcc, this does not happen by default because the code
is internally optimized to use this suggested loop instead. You have to
compile with CFLAGS="-O0" to provoke it with gcc as well.

Prevent usage of uninitialized variable in `__archive_mkstemp` (#2121)

Calling `__archive_mkstemp` can lead to access of an uninitialized
variable in `__archive_mktempx`, because `temp_name` is only initialized
if supplied `template` argument is `NULL`.

If `template` is not `NULL`, it is eventually compared with
`temp_name.s` anyway.

The fix is simple: Always initialize `temp_name`, which merely sets
values in the struct. No memory allocation occurs and the check leads to
the expected result.

How to reproduce:

1. Compile libarchive with Visual Studio 2022 and CMake's Debug profile
2. Run test `bsdtar_test_option_safe_writes`
3. A popup (Microsoft Visual C++ Runtime Library) appears, stating that
variable temp_name is being used without being initialized

Fix unused-function warning. (#2114)

`string_to_size` is only used in a code block conditionally compiled
with `#if HAVE_ZSTD_H && HAVE_ZSTD_compressStream`. If this block is not
compiled, GCC raises a warning with -Wunused-function.

Fix version string (#2118)

Looks like the recent version number update from 3.7.3 -> 3.7.4dev
missed a spot...

configure.ac: fix bashism in dead code removal check (#2117)

configure scripts need to be runnable with a POSIX-compliant /bin/sh.

On many (but not all!) systems, /bin/sh is provided by Bash, so errors
like this aren't spotted. Notably Debian defaults to /bin/sh provided by
dash which doesn't tolerate such bashisms as '=='.

This retains compatibility with bash.

Signed-off-by: Sam James <sam@gentoo.org>

build: use standard HAVE_ pattern for ZSTD compression check (#2111)

Follow-on to #1649: this just changes the name of the preprocessor macro
to use the standard pattern HAVE_<function name>

In particular: newer ZSTD implementations have a growing variety of
compression functions; the standard pattern will make it easier to
select among those someday.

contrib/untar.c: cleanup (#2112)

This reworks PR #1613 (commit a902fcd4), addressing the same issues as that
earlier PR, but in a simpler and more portable fashion.

Co-authored-by: Martin Matuška <martin@matuska.org>

Revert "zip: update AppleDouble support for directories (#2100)"

This reverts commit 390d83012fdba8c8db7fc9915338805882b0597a.
PR reopened back for review.

zip: update AppleDouble support for directories (#2100)

rar5: don't continue if the last block produced no data (#2105)

There appear to be RAR5 archives out in the wild that have blocks at the
end of files that don't produce any data. The code in libarchive has an
infinite loop that won't break until it processes a block that produces
data, which will end up reading past the end of the file if the last
block in the file produces no data.

ci: use liblzma 1.5.5 in MSVC build until fix from upstream (#2105)

Signed-off-by: Duncan Horn

cmake: look for libxml2 only if HAVE_ICONV is set (#2105)

Signed-off-by: Duncan Horn

read 64bit instead of 32bit integer in fallback code in archive_read_support_format_zip.c (#2104)

Ancillary issue discovered while auditing some old PRs.

A 64-bit size value was being read as a 32-bit value.

tar: make error reporting more robust and use correct errno (#2101)

As discussed in #1609.

bump zstd version: 1.5.5 -> 1.5.6 (#2099)

https://github.com/facebook/zstd/releases/tag/v1.5.6

https://github.com/facebook/zstd/issues/3999

Remove the write_all_states() return type (#1995)

The return value is never used, so let's change it to void.

Overhaul Zip end-of-data marker parsing (#2042)

This significantly changes how end-of-data markers are parsed.

In particular, the spec allows the end-of-data marker to have either
32-bit or 64-bit size values, and there is basically no indication which
is being used. (The spec mentions "Zip64 mode" in many places, but there
is no definitive way for a Zip reader to know whether the writer is
using this mode or not. My mis-reading of another part of the spec
caused me to believe that the Zip64 Extra Data field was such a marker,
but I've been patiently corrected. ;-)

So a Zip reader just has to guess: Try every possible end-of-data marker
format and accept it if any of the four possible forms is correct. In
libarchive's case, this required some non-trivial additional refactoring
to ensure that the CRC32, compressed size, and uncompressed size
statistics are always updated _before_ we need to look for an
end-of-data marker.

This generally follows the strategy outlined by Mark Adler for his
`sunzip` streaming unzip implementation.

While testing this, I played with pmqs/zipdetails which pointed out a
discrepancy in how libarchive writes the `UT` extra field. I folded a
fix for that in here as well.

Resolves #1834

TODO: It would be nice to augment the test suite with some static files
created by Java's implementation to verify that we can read those when
they hold entries of +/- 4GiB. The existing
`test_write_format_zip_large` uses an ad hoc RLE encoding trick to
exercise writing and reading back multi-gigabyte entries. I wonder if
that could be generalized to support deflate-compressed Zip data stored
in test files?

Fix syntax error of DONT_FAIL_ON_CRC_ERROR in archive_read_support_fo… (#2066)

Following code snippet in
`libarchive/archive_read_support_format_7zip.c` causing a build fail
while enable the `DONT_FAIL_ON_CRC_ERROR`

```
/* Check the EncodedHeader CRC.*/
if (r == 0 && zip->header_crc32 != next_header_crc) {
archive_set_error(&a->archive, -1,
#ifndef DONT_FAIL_ON_CRC_ERROR
"Damaged 7-Zip archive");
r = -1;
#endif
```

I fix it like this:

```
/* Check the EncodedHeader CRC.*/
if (r == 0 && zip->header_crc32 != next_header_crc) {
#ifndef DONT_FAIL_ON_CRC_ERROR
archive_set_error(&a->archive, -1,
"Damaged 7-Zip archive");
r = -1;
#endif
```

Co-authored-by: Huka <huka@DEVCORE.local>

CMake: Add missing include directories for archive_static (#2078)

When one tries to link with archive_static when cross compiling,
compiler cannot find header files.
This PR adds TARGET_INCLUDE_DIRECTORIES for archive_static target,
similar as it is done for shared target.

Similar issues:
https://github.com/libarchive/libarchive/issues/1328

https://discourse.cmake.org/t/cannot-find-library-header-files-when-cross-compiling/5926

Co-authored-by: asolawa <asolawa@cern.ch>

build(deps): bump the all-actions group with 4 updates (#2094)

Bumps the all-actions group with 4 updates:
[actions/checkout](https://github.com/actions/checkout),
[actions/upload-artifact](https://github.com/actions/upload-artifact),
[github/codeql-action](https://github.com/github/codeql-action) and
[ossf/scorecard-action](https://github.com/ossf/scorecard-action).

Updates `actions/checkout` from 4.1.0 to 4.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.2</h2>
<p>We are investigating the following issue with this release and have
rolled-back the <code>v4</code> tag to point to <code>v4.1.1</code></p>
<ul>
<li><code>sparse-checkout</code> is not available on git versions prior
to 2.27.0 (see <a
href="https://redirect.github.com/actions/checkout/issues/1651">actions/checkout#1651</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code>
option is not present <a
href="https://github.com/dscho"><code>@dscho</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
<li>Bump tough-cookie from 4.0.0 to 4.1.3 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1406">actions/checkout#1406</a></li>
<li>Bump <code>@babel/traverse</code> from 7.20.5 to 7.24.0 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1642">actions/checkout#1642</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/jww3"><code>@jww3</code></a> made their
first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1616">actions/checkout#1616</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.1.1...v4.1.2">https://github.com/actions/checkout/compare/v4.1.1...v4.1.2</a></p>
<h2>v4.1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update CODEOWNERS to Launch team by <a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li>
<li>Correct link to GitHub Docs by <a
href="https://github.com/peterbe"><code>@peterbe</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
<li>Link to release page from what's new section by <a
href="https://github.com/cory-miller"><code>@cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li>
<li><a href="https://github.com/peterbe"><code>@peterbe</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.1.0...v4.1.1">https://github.com/actions/checkout/compare/v4.1.0...v4.1.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v4.1.2</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code>
option is not present <a
href="https://github.com/dscho"><code>@dscho</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
</ul>
<h2>v4.1.1</h2>
<ul>
<li>Correct link to GitHub Docs by <a
href="https://github.com/peterbe"><code>@peterbe</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
<li>Link to release page from what's new section by <a
href="https://github.com/cory-miller"><code>@cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li>
</ul>
<h2>v4.1.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1396">Add
support for partial checkout filters</a></li>
</ul>
<h2>v4.0.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1067">Support
fetching without the --progress option</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1436">Update to
node20</a></li>
</ul>
<h2>v3.6.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1377">Fix: Mark
test scripts with Bash'isms to be run via Bash</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/579">Add
option to fetch tags even if fetch-depth > 0</a></li>
</ul>
<h2>v3.5.3</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1196">Fix:
Checkout fail in self-hosted runners when faulty submodule are
checked-in</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1287">Fix
typos found by codespell</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1369">Add
support for sparse checkouts</a></li>
</ul>
<h2>v3.5.2</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1289">Fix
api endpoint for GHES</a></li>
</ul>
<h2>v3.5.1</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1246">Fix
slow checkout on Windows</a></li>
</ul>
<h2>v3.5.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1237">Add
new public key for known_hosts</a></li>
</ul>
<h2>v3.4.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1209">Upgrade
codeql actions to v2</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1210">Upgrade
dependencies</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1225">Upgrade
<code>@actions/io</code></a></li>
</ul>
<h2>v3.3.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1045">Implement
branch list using callbacks from exec function</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1050">Add
in explicit reference to private checkout options</a></li>
<li>[Fix comment typos (that got added in <a
href="https://redirect.github.com/actions/checkout/issues/770">#770</a>)](<a
href="https://redirect.github.com/actions/checkout/pull/1057">actions/checkout#1057</a>)</li>
</ul>
<h2>v3.2.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/942">Add
GitHub Action to perform release</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/967">Fix
status badge</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1002">Replace
datadog/squid with ubuntu/squid Docker image</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/964">Wrap
pipeline commands for submoduleForeach in quotes</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1029">Update
<code>@actions/io</code> to 1.1.2</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/9bb56186c3b09b4f86b1c65136769dd318469633"><code>9bb5618</code></a>
Prep for release of v4.1.2 (<a
href="https://redirect.github.com/actions/checkout/issues/1649">#1649</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/8eb1f6a495037164bea451156472f35fdd6bafc0"><code>8eb1f6a</code></a>
Bump <code>@babel/traverse</code> from 7.20.5 to 7.24.0 (<a
href="https://redirect.github.com/actions/checkout/issues/1642">#1642</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/556e4c3cb0b8b54b734286d5439adadcb0a8cb92"><code>556e4c3</code></a>
Bump tough-cookie from 4.0.0 to 4.1.3 (<a
href="https://redirect.github.com/actions/checkout/issues/1406">#1406</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/b32f140b0c872d58512e0a66172253c302617b90"><code>b32f140</code></a>
Warn on attempts to publish <code>test-ubuntu-git</code> from non-main
branch. (<a
href="https://redirect.github.com/actions/checkout/issues/1623">#1623</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/2650dbd060003e3b5ae211e4358852f336b682a7"><code>2650dbd</code></a>
Give <code>test-ubuntu-git</code> its own <code>README</code> (<a
href="https://redirect.github.com/actions/checkout/issues/1620">#1620</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/aadec899646c8e0f34c52d9219c2faac36626b55"><code>aadec89</code></a>
Explicitly disable sparse checkout unless asked for (<a
href="https://redirect.github.com/actions/checkout/issues/1598">#1598</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/df0bcddf6d6823307c716b56a7ef9c3b25078874"><code>df0bcdd</code></a>
Refine workflow for generating <code>test-ubuntu-git</code> (<a
href="https://redirect.github.com/actions/checkout/issues/1617">#1617</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/473055ba18d6d2da209cd46110aadb9275e3194e"><code>473055b</code></a>
Create <code>test-ubuntu-git</code> Docker Container for Proxy Tests (<a
href="https://redirect.github.com/actions/checkout/issues/1616">#1616</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/b4ffde65f46336ab88eb53be808477a3936bae11"><code>b4ffde6</code></a>
Link to release page from what's new section (<a
href="https://redirect.github.com/actions/checkout/issues/1514">#1514</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/8530928916aaef40f59e6f221989ccb31f5759e7"><code>8530928</code></a>
Correct link to GitHub Docs (<a
href="https://redirect.github.com/actions/checkout/issues/1511">#1511</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...9bb56186c3b09b4f86b1c65136769dd318469633">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/upload-artifact` from 3.1.3 to 4.3.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v4.3.1</h2>
<ul>
<li>Bump <code>@actions/artifacts</code> to latest version to include
<a href="https://redirect.github.com/actions/toolkit/pull/1648">updated
GHES host check</a></li>
</ul>
<h2>v4.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Reorganize upload code in prep for merge logic & add more tests
by <a href="https://github.com/robherley"><code>@robherley</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/504">actions/upload-artifact#504</a></li>
<li>Add sub-action to merge artifacts by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/505">actions/upload-artifact#505</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.3.0">https://github.com/actions/upload-artifact/compare/v4...v4.3.0</a></p>
<h2>v4.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Ability to overwrite an Artifact by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/501">actions/upload-artifact#501</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.2.0">https://github.com/actions/upload-artifact/compare/v4...v4.2.0</a></p>
<h2>v4.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add migrations docs by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/482">actions/upload-artifact#482</a></li>
<li>Update README.md by <a
href="https://github.com/samuelwine"><code>@samuelwine</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/492">actions/upload-artifact#492</a></li>
<li>Support artifact-url output by <a
href="https://github.com/konradpabjan"><code>@konradpabjan</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/496">actions/upload-artifact#496</a></li>
<li>Update readme to reflect new 500 artifact per job limit by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/497">actions/upload-artifact#497</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/samuelwine"><code>@samuelwine</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/492">actions/upload-artifact#492</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.1.0">https://github.com/actions/upload-artifact/compare/v4...v4.1.0</a></p>
<h2>v4.0.0</h2>
<h2>What's Changed</h2>
<p>The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.</p>
<p>ℹ️ However, this is a major update that includes breaking changes.
Artifacts created with versions v3 and below are not compatible with the
v4 actions. Uploads and downloads <em>must</em> use the same major
actions versions. There are also key differences from previous versions
that may require updates to your workflows.</p>
<p>For more information, please see:</p>
<ol>
<li>The <a
href="https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/">changelog</a>
post.</li>
<li>The <a
href="https://github.com/actions/upload-artifact/blob/main/README.md">README</a>.</li>
<li>The <a
href="https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md">migration
documentation</a>.</li>
<li>As well as the underlying npm package, <a
href="https://github.com/actions/toolkit/tree/main/packages/artifact"><code>@actions/artifact</code></a>
documentation.</li>
</ol>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/vmjoseph"><code>@vmjoseph</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/464">actions/upload-artifact#464</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v3...v4.0.0">https://github.com/actions/upload-artifact/compare/v3...v4.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/5d5d22a31266ced268874388b861e4b58bb5c2f3"><code>5d5d22a</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/515">#515</a>
from actions/eggyhead/update-artifact-v2.1.1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/f1e993d9663a03508e7fc0370c744c4b963f0044"><code>f1e993d</code></a>
update artifact license</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/4881bfd3f27855c63733d8cfff17721cc0ad611f"><code>4881bfd</code></a>
updating dist:</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/a30777e2653648a0a7bbd3efb5c96ef9131b96cc"><code>a30777e</code></a>
<a href="https://github.com/eggyhead"><code>@eggyhead</code></a></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/3a8048248f2f288c271830f8ecf2a1c5d8eb0e9a"><code>3a80482</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/511">#511</a>
from actions/robherley/migration-docs-typo</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/9d63e3f2f81d9dc4e13d83fc330408f8a94b79d1"><code>9d63e3f</code></a>
Merge branch 'main' into robherley/migration-docs-typo</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/dfa1ab292d2fdd78d056187f11c568c16ab53de9"><code>dfa1ab2</code></a>
fix typo with v3 artifact downloads in migration guide</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/d00351bf698398c17253d21cf8f90e57a344e14b"><code>d00351b</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/509">#509</a>
from markmssd/patch-1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/707f5a7b71e0fb01c5df1e16e9679a3292606ef2"><code>707f5a7</code></a>
Update limitation of <code>10</code> artifacts upload to
<code>500</code></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/26f96dfa697d77e81fd5907df203aa23a56210a8"><code>26f96df</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/505">#505</a>
from actions/robherley/merge-artifacts</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/upload-artifact/compare/a8a3f3ad30e3422c9c7b888a15615d19a852ae32...5d5d22a31266ced268874388b861e4b58bb5c2f3">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action` from 2.22.1 to 3.24.8
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.24.8 - 18 Mar 2024</h2>
<ul>
<li>Improve the ease of debugging extraction issues by increasing the
verbosity of the extractor logs when running in debug mode. <a
href="https://redirect.github.com/github/codeql-action/pull/2195">#2195</a></li>
</ul>
<h2>3.24.7 - 12 Mar 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.16.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2185">#2185</a></li>
</ul>
<h2>3.24.6 - 29 Feb 2024</h2>
<p>No user facing changes.</p>
<h2>3.24.5 - 23 Feb 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.16.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2156">#2156</a></li>
</ul>
<h2>3.24.4 - 21 Feb 2024</h2>
<ul>
<li>Fix an issue where an existing, but empty,
<code>/sys/fs/cgroup/cpuset.cpus</code> file always resulted in a
single-threaded run. <a
href="https://redirect.github.com/github/codeql-action/pull/2151">#2151</a></li>
</ul>
<h2>3.24.3 - 15 Feb 2024</h2>
<ul>
<li>Fix an issue where the CodeQL Action would fail to load a
configuration specified by the <code>config</code> input to the
<code>init</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2147">#2147</a></li>
</ul>
<h2>3.24.2 - 15 Feb 2024</h2>
<ul>
<li>Enable improved multi-threaded performance on larger runners for
GitHub Enterprise Server users. This feature is already available to
GitHub.com users. <a
href="https://redirect.github.com/github/codeql-action/pull/2141">#2141</a></li>
</ul>
<h2>3.24.1 - 13 Feb 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.16.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2124">#2124</a></li>
<li>The CodeQL action no longer fails if it can't write to the telemetry
api endpoint. <a
href="https://redirect.github.com/github/codeql-action/pull/2121">#2121</a></li>
</ul>
<h2>3.24.0 - 02 Feb 2024</h2>
<ul>
<li>CodeQL Python analysis will no longer install dependencies on GitHub
Enterprise Server, as is already the case for GitHub.com. See <a
href="https://github.com/github/codeql-action/blob/main/#3230---08-jan-2024">release
notes for 3.23.0</a> for more details. <a
href="https://redirect.github.com/github/codeql-action/pull/2106">#2106</a></li>
</ul>
<h2>3.23.2 - 26 Jan 2024</h2>
<ul>
<li>On Linux, the maximum possible value for the <code>--threads</code>
option now respects the CPU count as specified in <code>cgroup</code>
files to more accurately reflect the number of available cores when
running in containers. <a
href="https://redirect.github.com/github/codeql-action/pull/2083">#2083</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/05963f47d870e2cb19a537396c1f668a348c7d8f"><code>05963f4</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2200">#2200</a>
from github/update-v3.24.8-1ecc2779e</li>
<li><a
href="https://github.com/github/codeql-action/commit/2b9b521560767d809d8ee77b5025b01153ffe766"><code>2b9b521</code></a>
Update changelog for v3.24.8</li>
<li><a
href="https://github.com/github/codeql-action/commit/1ecc2779e9e8a1005dab2bfab0c908371cd4a830"><code>1ecc277</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2198">#2198</a>
from github/henrymercer/improve-tracking-autobuild-e...</li>
<li><a
href="https://github.com/github/codeql-action/commit/e28ae3a84c136adc8b7e8c73705c6aa4b1cd7b60"><code>e28ae3a</code></a>
Add config error for Swift build failures</li>
<li><a
href="https://github.com/github/codeql-action/commit/bddfc7c6d5f02cfb909b01104ebb039eab86ed0e"><code>bddfc7c</code></a>
Add config error for Gradle build failures</li>
<li><a
href="https://github.com/github/codeql-action/commit/3edd1bf725dc2142b5eecac26e3cc7ddab176aa2"><code>3edd1bf</code></a>
Truncate autobuild errors to 10 lines</li>
<li><a
href="https://github.com/github/codeql-action/commit/88a0b7abb3b047d4c1ef5f2762ce215fb098dc06"><code>88a0b7a</code></a>
Mark Maven build failures as configuration errors</li>
<li><a
href="https://github.com/github/codeql-action/commit/88b28eb70de0ce90819beb741e488921e89177e1"><code>88b28eb</code></a>
Surface autobuild errors from stderr stream</li>
<li><a
href="https://github.com/github/codeql-action/commit/f055b5e672ed1ea4fd98a276788e4bcb5a64ad17"><code>f055b5e</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2197">#2197</a>
from github/henrymercer/log-job-status</li>
<li><a
href="https://github.com/github/codeql-action/commit/0d680ab61c4b566d5870b32c2b4b1e65910864be"><code>0d680ab</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2196">#2196</a>
from github/henrymercer/update-packs-input-description</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/fdcae64e1484d349b3366718cdfef3d404390e85...05963f47d870e2cb19a537396c1f668a348c7d8f">compare
view</a></li>
</ul>
</details>
<br />

Updates `ossf/scorecard-action` from 2.3.0 to 2.3.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's
releases</a>.</em></p>
<blockquote>
<h2>v2.3.1</h2>
<h2>What's Changed</h2>
<ul>
<li>:seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by <a
href="https://github.com/spencerschrock"><code>@spencerschrock</code></a>
in <a
href="https://redirect.github.com/ossf/scorecard-action/pull/1282">ossf/scorecard-action#1282</a>
<ul>
<li>Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
<a
href="https://github.com/ossf/scorecard/releases/tag/v4.13.1">v4.13.1</a>
release notes</li>
</ul>
</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1">https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ossf/scorecard-action/commit/0864cf19026789058feabb7e87baa5f140aac736"><code>0864cf1</code></a>
:seedling: Bump docker tag to for v2.3.1 release (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1284">#1284</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/72df3bff668d052aaec251accaffec0b280410fb"><code>72df3bf</code></a>
:seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1282">#1282</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/0ea411f94ac145b6fd793458b7f75ebbe7ae0a8f"><code>0ea411f</code></a>
:seedling: Bump the docker-images group with 1 update (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1281">#1281</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/dbfd042453ccc43ade96943685dbece2dd86bbae"><code>dbfd042</code></a>
:seedling: Bump the github-actions group with 1 update (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1280">#1280</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/2fa1e2fa153141e2950c7e1299ed05e2081ead0c"><code>2fa1e2f</code></a>
:seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1278">#1278</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/652ddd06c802ac1ba4021a9f02978dc5150b223e"><code>652ddd0</code></a>
:seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1277">#1277</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/28d0c92b8bb9dd266a8cf4dde7bae71c06a0c62f"><code>28d0c92</code></a>
:seedling: Group Dependabot updates for GitHub Actions and Dockerfiles
(<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1276">#1276</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/cb50491a46a858cb57669a16a720b7a00e1f9d29"><code>cb50491</code></a>
:seedling: Bump distroless/base from <code>a35b652</code> to
<code>b31a6e0</code> (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1275">#1275</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/87157ac77d7ec18a631049bc92fdac7ee63a471a"><code>87157ac</code></a>
:seedling: Bump github/codeql-action from 2.21.9 to 2.22.1 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1274">#1274</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/7c1648b23e27a96acf7c3842fd1921d16bd8d4d2"><code>7c1648b</code></a>
:seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1273">#1273</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/ossf/scorecard-action/compare/483ef80eb98fb506c348f7d62e28055e49fe2398...0864cf19026789058feabb7e87baa5f140aac736">compare
view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

cmake: Set CMP0075 to NEW (#2067)

The new behavior of this policy makes check_include_file() and friends
use the CMAKE_REQUIRED_LIBRARIES variable before checking for headers.
This is used to check for cryptography algorithms provided by OpenSSL.

Signed-off-by: Collin Funk <collin.funk1@gmail.com>

Fix tests on Windows (#2091)

For the most part, a good number of
failing tests are failing because they make the assumption that archive
contents are read as utf-8 by default, which is not true for Windows,
which assumes OEM code page by default.

Set umask before testing `--exclude-vcs`. (#2082)

Improved control over frame size in zstd filter. (#2081)

Instead of just `min-frame-size` and `max-frame-size`, we now have four
separate options:

* `min-frame-in` delays the creation of a new frame on flush until the
uncompressed size of the current frame passes a certain threshold.

* `min-frame-out` delays the creation of a new frame on flush until the
compressed size of the current frame passes a certain threshold.

* `max-frame-in` forces the creation of a new frame as soon as possible
after the uncompressed size of the current frame reaches a certain
limit.

* `max-frame-out` forces the creation of a new frame as soon as possible
after the compressed size of the current frame reaches a certain limit.

We now also support `k`, `kB`, `M`, `MB`, `G` and `GB` suffixes for all
four options.

The old options are retained as aliases for the corresponding new
options.

tar: Warn when multiple --option values are specified (#2073)

The accepted way to specify multiple options is to list them all as one
comma-separated parameter. bsdtar would silently ignore all but the last
value, which can be very confusing. Print a warning in this scenario.

Update 'archive_mstring_update_utf8' to attempt UTF8->WCS conversion on Windows if MBS conversion fails (#1978)

Currently, functions like `archive_entry_pathname_w` etc. fail on
Windows for .rar files that contain entries with Unicode filenames that
cannot be represented by the active codepage. This is because
`archive_mstring_update_utf8` first attempts to perform a UTF8->MBS
conversion before doing an MBS->WCS conversion. The first conversion (to
MBS) fails, which short-circuits to return failure. Later when we try
and read the string, `archive_mstring_get_wcs` will fail because it
_also_ tries to do a UTF8->MBS followed by an MBS->WCS conversion. The
conversion to MBS will of course fail again.

One possible workaround is to call `setlocale` with something like
`"en_US.utf8"`, however this is not feasible for some consumers.

This change fixes this issue by adding a "fallback" in
'archive_mstring_update_utf8' which will attempt to do a UTF8->WCS
conversion on Windows if the MBS conversion failed. This is not too
dissimilar from the implementation of `archive_mstring_copy_mbs_len_l`
which most - if not all - other archive formats seem to take, which will
by default call `archive_wstring_append_from_mbs_in_codepage` if the
passed in `archive_string_conv` object is non-null

Fixes #1971

Fix archive_write_set_format_option for 7zip format (#2093)

A couple of small fixes to the documentation of the
`archive_write_set_format_option` for the 7zip format. See commits for
details.

Fix DONT_FAIL_ON_CRC_ERROR ifndef logic (#2079)

An `if` without curly braces guards the following statement.

When `#ifndef` removes that statement, the `if` now guards whatever
statement comes next.

I have not yet tested the changes.

Introduced in https://github.com/libarchive/libarchive/pull/1790.
CC people from original PR: @jvoisin @mmatuska

add support for CMAKE_BUILD_TYPE None (#2074)

closes https://github.com/libarchive/libarchive/issues/2060

tar: Add support for --group and --owner (#2054)

Closes: https://github.com/libarchive/libarchive/issues/278

Fix FILETIME truncation on `archive_write_finish_entry()` on Windows (#2050)

On Windows, `archive_write_finish_entry()` does not restore time
correctly.
It truncates the last digit of original FILETIME which is stored in the
archive.
This commit fixes this behavior.
See libarchive#2049 for detailed explanation on this issue.

CI: drop FreeBSD 12.4, as it is EOL (#2047)

Enable CTEST_OUTPUT_ON_FAILURE (#2044)

This provides more information when tests fail in CI.

document supported formats for `--mac-metadata` - see #2041 (#2046)

Doc fix to clarify that `--mac-metadata` is only supported for certain
formats. Hopefully just a short-term fix until support is added for
other formats. (See discussion on #2041)

Gardening: Fix the `begin` lines in many of the uuencoded test data (#2043)

The libarchive test harness always extracts these to the truncated
source filename, ignoring the name in the `begin` line. However, for
ease of experimentation, people will want to manually extract these with
`uudecode`, so the `begin` lines should have the correct filename.

CI: Add FreeBSD 14.0 (#2034)

Add a couple of missing HAVE_PCRE2POSIX_H ifdefs (#2033)

Followup to #2031.

Add trailing letter b to bsdtar substitute pattern (#2012)

The letter b stands for "from (b)eginning" and specifies that a
substitute expression should be matched from the beginning of the
string, regardless if and where a previous substitute expression
matched.

Example:
Transform filename from B-A to A-B and remove all underscores.

Attempt without option b:

    bsdtar -cft -s '/$.*$-$.*$/\2-\1/gp' -s "/_//g" ab_c-d_ef
    ab_c-d_ef >> d_ef-ab_c

With option b:

    bsdtar -cft -s '/$.*$-$.*$/\2-\1/gp' -s "/_//gb" ab_c-d_ef
    ab_c-d_ef >> def-abc

CI: install mingw and set correct path

Add support for PCRE2 (#2031)

The original PCRE is now end-of-life, and no longer actively maintained.

Implements #2013.

Fix encoding detection on platforms with nl_langinfo() (#2030)

libarchive relies on its host program to call setlocale() on platforms
with nl_langinfo() present in order to correctly detect the user
selected locale. This ensures that bsdunzip does so.

Minor __LA_NORETURN inspired fixes (#2028)

Earlier MR https://github.com/libarchive/libarchive/pull/2000 forgot to
annotate some functions as __LA_NORETURN. While fixing that I've noticed
that the bsdcat.h header could use some fixes so I've snuck those in.

Kind of make sense to group in one PR, but can split people prefer so.

/cc @AtariDreams fyi

---------

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>

Replace __LA_DEAD with __LA_NORETURN (#2000)

Also add the MSC_VER version of the macro.

Perform "dead stripping" on macos (#1997)

Since Xcode 1.5, macos ld has a -dead_strip flag which is roughly
equivalent to --gc-sections in GNU style linkers, let's use it.

Reference:
https://opensource.apple.com/source/cctools/cctools-622.5.1/RelNotes/CompilerTools.html

Results from running the following command, before and after this
change, formatted for easy comparison (the actual values will vary with
toolchain and library versions used):
```
size bsdtar bsdcpio bsdunzip bsdcat .libs/libarchive.13.dylib

__TEXT __DATA __OBJC others     dec        hex

655360 16384  0      4295196672 4295868416 1000dc000 bsdtar # before
638976 16384  0      4295180288 4295835648 1000d4000 bsdtar # after

638976 32768  0      4295196672 4295868416 1000dc000 bsdcpio # before
606208 32768  0      4295163904 4295802880 1000cc000 bsdcpio # after

147456 16384  0      4295065600 4295229440 100040000 bsdunzip # before
114688 16384  0      4295032832 4295163904 100030000 bsdunzip # after

131072 16384  0      4295065600 4295213056 10003c000 bsdcat # before
49152 16384  0      4295016448 4295081984 10001c000 bsdcat # after

638976 16384  0          229376     884736     d8000 .libs/libarchive.13.dylib # before
622592 16384  0          229376     868352     d4000 .libs/libarchive.13.dylib # after
```

Including getopt.h if HAVE_GETOPT_OPTRESET is defined (#2007)

On platforms that uses optreset we must also include getopt.h to have it
defined

xz: fix incorrect eof at the end of an lzip member. (#2027)

xz filter returns incorrect eof if the end of an lzip member is at the
end of the read buffer (`state->stream.next_in`).
At next call of `xz_filter_read()`, following lzip members are never
read since `state->eof` is still flagged.
Fixes #2026.

unzip: Increment option count after swallowing -- (#2022)

* Option count is used later for the position of the file in the
arguments and otherwise it uses -- as the file.

---------

Signed-off-by: Alfred Wingate <parona@protonmail.com>

Prefer OPENSSL_cleanse to memset in OpenSSL code path (#2020)

`memset` can be optimized away. `OPENSSL_cleanse` is implemented in a
way that usually survives optimizations.

win32: ensure that the MSVC build doesn't terminate when MinGW fails (#2018)

For `matrix`-strategy builds, GitHub actions will terminate all related
matrix legs when one of them fails.

Disabling `fail-fast` knocks this behavior off.

Add a new Windows-only public API, archive_read_open_filenames_w (#2016)

There is a discrepancy between the w and non-w filename APIs, wherein a
consumer of libarchive can open a multi-volume set with names in the
current locale (on Windows) but not with UTF-16 names.

This patch addresses that issue.

archive_read_open_filename_w delegates its work to
archive_read_open_filenames_w.

Fixes #1728

Tested passing on Windows. In the meantime, I will also test on Linux.
I am hoping that the build agents can help me determine FreeBSD and
macOS coverage.

VCSid removal (#2017)

The libarchive source tree is littered with `__FBSDID("$FreeBSD.*")` and
'$FreeBSD$' tags left over from extracting it from FreeBSD's Subversion
repo. They never made sense for a git repo as git doesn't expand them
and FreeBSD has now removed `$FreeBSD$` from most local source files so
these stand out.

In addition to `__FBSDID` I've removed `__RCSID` which was used once for
a `$NetBSD$` expansion. There might be more of a case to be made for
preserving this one as a diff-reduction measure, but it seems mostly
pointless.

This builds and tests pass except for
libarchive_test_read_disk_directory_traversals which failed on master as
well.

Use calloc arguments that correspond with the variable's true purpose (#1993)

First argument is number of times to allocate a region of the second
size, which is the size of the element being allocated.

build(deps): bump the all-actions group with 3 updates (#1989)

actions/checkout from 4.0.0 to 4.1.0r
github/codeql-action from 2.21.7 to 2.22.1
ossf/scorecard-action from 2.2.0 to 2.3.0

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

fix detection of lzma_stream_encoder_mt with Werror (#1965)

the function is marked as warn-unused-result, so by default in a Debug
build with cmake, when Werror is set, this fails to detect. do the same
for autotools.

build(deps): bump the all-actions group with 1 update (#1975)

github/codeql-action v2.21.5 -> v2.21.7

Preserve the natural order in ISO9660 archives for linked files (#1974)

When an ISO9660 archive contains hard links or sym links, the order of
the files in the output of 'bsdtar -tf filename' is not the natural
order.

With an extension to the key (while still supporting ISO files up to 2^48
bytes) the sorting order is guaranteed for ISO files that contain linked
files for up to 2^16 files in total.

Co-authored-by: Martin Matuska <martin@matuska.de>

Add Scorecard GHA (#1973)

Fixes #1972

This adds the Scorecard GitHub Action to monitor the project's
supply-chain security posture.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

build(deps): bump the all-actions group with 1 update (#1967)

Signed-off-by: dependabot[bot] <support@github.com>

tests: fix zstd long option test for 32-bit architectures

Fixes #1968

CI: update Windows zlib build dependency to 1.3

Hash-pin GitHub Actions, keep them updated with dependabot (#1960)

Fixes #1959.

This PR hash-pins GitHub Actions used in workflows and sets up
dependabot to keep the Actions up-to-date.

I've configured dependabot to group all Actions together. So if it ever
discovers that multiple Actions have new versions, it'll only send a
single PR to bump them all together.

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

Add --long write option for zstd (#1962)

Fixes #1795

Set read-only workflow tokens (#1958)

Fixes #1957.

This PR ensures all workflows run with minimal permissions, instead of
with `write-all` permissions. This will protect the project from
supply-chain attacks.

The change to codeql.yml is for consistency and future-proofing. Should
another job eventually be added to the workflow, it will run with just
`contents: read`.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

Fix MSVC warnings on x64 (#1956)

On Windows x64, `long` & `ulong` are 4 bytes instead of 8 bytes like
everywhere else

Co-authored-by: Jarred Sumner

Add threads write option for zstd to man pages (#1952)

The threads option of zstd is supported by libarchive, but it is missing
in the man pages.
Fixes #1951