There was a mismatch between documentation and the implementation where
documentation stated `STOP` as the keyword for transaction end and the
code instead was using `END`. In the end it doesn't matter which we
choose and it is easier for use to just tweak the documentation instead
changing the code now and thus from now on it is `END` and not `STOP`.

It turns out that calculating hash can be pretty time consuming
specially if device the package is installed on is too slow. These trace
messages should give us a hint that updater is not just stuck that it
only waits for storage to calculate the hash of the files.

Added
* Change log that leaves minimal trace of changes updater performed
  stored in system.
* Support for `FilesSignature` field in packages. On mismatch it trigger
  reinstall.
* Support for `files-sha256sum` in packages as hash index

Fixed
* Subprocess call is now terminated way earlier thanks to `SIGCHLD`
  signal handling. This improves update time for any scripts spawning
  "daemon" processes that do not correctly redirect or close standard
  outputs.
* Reinstall of packages if some fields were formated differently in
  index than in package (updater no longer detects change by simple
  string comparison)

Changed
* Internal implementation of base64 replaced with base64c library.
* Utility opkg-create template and input format

Removed
* `--state-log` argument
* `--task-log` argument

This fixed issues that package is reinstalled if Depends field has a
different formating (spaces) than what is specified in the package. This
is caused by OPKG formating it automatically.
The solution here is to parse the dependency and compare parsed tree
instead. It is not exactly ideal solution as we have to parse
dependencies possibly multiple times but it is for now the easiest. The
ideal way would be to have here already parsed form we could compare
directly.

The hashes of modified files are now stored in file *.files-sha256sum
instead of *.files-sha256.

It turns out that we also were not reading the *.files-sha256 and thus
move of modified files actually did not work.

In reality base64c library is based on this code so it is pretty much
same code just moved to separate library. The reason for the move is
that we want to use it in other projects as well and having it as
dedicated library should give us less code to maintain and fix.

This updates C tests to run only as one binary.

The important change is that tests are enabled explicitly and thus in
default disabled. The same now also applies to linters.

This updates code to be better and in general just more sensible bash.
This also modifies the template by removing control directory. The files
that can go to control archive are strictly defined thus we can have
them in top level directory and just cherry pick them.

Karel Koci authored Nov 03, 2020 and Karel Koci committed Oct 04, 2021

The Changelog replaces previous logs that are right now pretty much no
longer relevant and in case of state log not even used.

This is replacement for task log. It is suppose to server as long term
log that is easy to parse and thus easy to use in scripts.

The primary use for this is in reporting changes done to system by
updater.

The subprocess now handles SIGCHLD for faster subprocess termination. We
care about the original child and nothild else. If that dies we consider
it as termination of subprocess and abandon reading from pipes even when
there could be still process writing to them.

This should prevent from scripts hanging.

The issue here was that invalid function was used to mask extra option
version. It was called before the correct call and thus message was
reported for version instead of ignore argument.

Changed
* Error generated from Lua when URI is being finished now includes error
  message from downloader if it was download failure.

Linters in general sometimes do invalid assumptions and try to rather
report possible issue over ignoring it. This makes them kind of
unreliable as tests required for success. The failed tests are still
manifested with alert but it clearly differentiates between just
possible error and truly hones error detected in tests.

The download error reported on URI finish was handled by else branch
that only printed error that download failed. This reaches to downloader
for error message in case of download fail. This should expand info
available to users on download fail.

We need this to cover case when files change in package without anything
other changing. The issue this tries to cover is conflicts between
packages because two packages provide same file but in reality that is
only because local version is older than the one in repository. This
forces reinstall and thus resolved such collision.

Fixed
- Immediate reboot not being performed when combined with replan that actually
  performs some changes in the system

The replan correctly passed flag to pkgupdate that reboot has to be
performed but if that run did any changes we unconditionally overwrote
it. This fixes that.

The test verifies that fix is really working by forcing installation and
removal of package while at the same time requesting reboot.

Fixed
* error on transaction recovery created by updater before version 69.0.1
  about `upgraded_packages` being nil

On update the old transaction created by updater version before 69.0.1
does not contain this field. We should not expect it. In worst case it
is going to be reported as not upgrade as it was previously.

Changed
* Package requests solver no longer tries to maximize number of selected
  requests but rahter follows strictly rules of requests priority
* `Install` requests with same priority as `Unistall` are resolved first
* `Install` and `Unistall` requests without condition as resolved before
  requests with condition given they have same priority specified.

Removed
* Error reported when request to install and unistall same package was
  specified

The original implementation tries to satisfy maximum number of requests
in given priority level. This has been seen as ideal solution because
this way most of the user's requests are satisfied.
This changes this behavior to rather be strictly defined. This means
that we do not care about number of requests satisfied. We care only
about priority of request and satisfy them in order.

This also removes error raised when there was Install and Uninstall
request for same package with same priority. Now Install request is
simply preferred.

This was required because of conditions. The demonstration of this issue
can be done on two packages. Let's have package 'a' and 'b'. There are
three requests of same priority:
* To install 'a'
* To unistall 'b'
* To install 'b' with condition 'a'
The intuitive resolution is that user clearly wants to install 'a' and
not to have 'b'. The third request need not apply as there is more
accurate request to not have 'b'.
The o...

Fixed
* environment variable `PKG_UPGRADE` were always set to `1` for package
  `postinst` script no matter if it was package upgrade or not.

Changed
* usage of `example.org` replaced with `application-test.turris.cz` in
  tests

This simply adds these script to dep-package as well as to test-package.
It is nice test for this as one package is newly installed and another
is only upgraded.

The issue here was that control fields in status were updated in
pkg_move function but same and thus invalid check was used in
pkg_scripts later on.
This adds new table with all upgraded packages. This way we check
original state before it is removed from status and pass this info to
subsequent pkg_scripts.

Web example.org now responds with valid HTML site on any URL thus we
have to use different web to get 404 response. We use our own server
that is used in other tests already.

It also turns out that curl changed error messages so instead of
matching exact error message this just tries to match the known minimum.

The usage of this was removed in commit
6e670a7a.

Added
* extra argument `pkg_hash_required` for `Repository` command
* support for version limitation of `Install` and `Uninstall` requests
  in package name (such as `foo (>= 1.0.0)`).

Changed
* Execution is now terminated when there is no hash for package being
  installed in repository index unless `pkg_hash_required` is set to
  `false` for that repository.

Removed
* Extra option `version` for `Install` request. You should append
  version specifier to package name the same way as it is done for
  dependencies.

Fixed
* `ROOT_DIR` not being defined for `hook_postinst` and
  `hook_reboot_required` on replan execution.

The previous expectation that ROOT_DIR is already set is true only if
current execution is reexecution (subsequent execution after replan). In
case of reexecution the ROOT_DIR set is skipped so we have to add it for
postinst as well.

That applies for both postupdate as well as reboot required hook.

This changes how user can specify version limitation for Install request
and adds the same feature for Uninstall as well.

The original method might have been in some ways confusing. Extra field
affects potentially multiple packages but version is commonly specified
only for one specific package request. There is also fully supported way
to specify version limitation in dependency description. This includes
that and reuses the same code.

Also note that code that splits package name from version is improved
here. It should be more reliable now.

This change makes extra option version of Install request obsolete so it
is removed and no longer supported.

Important thing to point out is also that documentation stated that
version extra option can be also table but code never supported that. It
could always have been just single string. That means that we do not
loose any feature set.

This changes default behavior for security reasons. The idea is to fail
if package can't be verified from repository index as there is no hash
supported to use for that. This prevents issue that packages can be
potentially even falsified if index contains hashes unsupported by
updater or even no hash at all.

New extra argument was added to Repository command `pkg_hash_required`.
This is considered in default as set to `true` but it can be
overwritten and set to `false` to disable new behavior.

This new behavior is reported by new feature in updater language:
fatal_missing_pkg_hash

It is possible that if we try to immediately kill process that it won't
make it to exec and that way kill might be caught by check library and
reported as failure. By waiting at least short amount we pretty much
make sure that exec happens and that we are killing sleep process rather
our fork.

With four parallel jobs it is common that connection fails with OCSP
response error. This seems to be an issue with some sort of
rate-limiting in nginx (target web server) on OCSP stamping. It looks
like as 3 is the magic number here for that.

This is no longer valid. All this is now implemented differently or is
going to be shortly.

These documentation is kind of old and although partially correct they
also say a lot of stuff that are no longer true. We should replace them
with more accurate documentation.

Added
* Queue messages for 'upgrade' and 'downgrade' now also print current
  version in square brackets.

Changed
* Default connection timeout for download was extended from one minute
  to ten minutes.

Removed
* Possibility to reboot immediatelly after package installation. Reboot
  after update is deemed sufficient.

Fixed
* Queue messages now state 'upgrade', 'downgrade' and 'reinstall'
  instead of original generic 'install'.