Releases: grpmsoft/grpm

v0.9.3

19 Jan 22:29

v0.9.3 - Ebuild Install Helpers Hotfix

Release Date: 2026-01-20

This hotfix release fixes critical issues with relative path resolution in ebuild install helpers and the unpack phase.

🐛 Bug Fixes

  • fix(ebuild): resolve relative paths in all install helpers - Commands like dobin, dosbin, newbin, doexe, doins, dolib, doheader, and doinitd now correctly resolve relative file paths against $S (source directory) instead of the working directory
  • fix(ebuild): correct unpack phase to use $A variable - The unpack phase now uses the $A variable (archive list from Manifest) instead of hardcoded patterns, fixing packages with non-standard archive names like app-text/tree (tarball: unix-tree-*.tar.bz2)
  • fix(ebuild): correct exit status handling - Phase functions now properly propagate exit status from bash interpreter

📖 Technical Details

  • Added centralized resolveSourcePath() helper following DRY principle
  • Updated 12 install helper functions to use the new path resolution
  • phaseUnpack() now parses $A from Manifest DIST entries

✅ Verified

  • grpm emerge app-text/tree now completes successfully on Gentoo
  • All unit tests passing
  • All integration tests passing

📦 Installation

VERSION="0.9.3"
wget "https://github.com/grpmsoft/grpm/releases/download/v${VERSION}/grpm_${VERSION}_linux_x86_64.tar.gz"
tar -xzf "grpm_${VERSION}_linux_x86_64.tar.gz"
sudo install -m 0755 grpm /usr/bin/grpm

Full Changelog: v0.9.2...v0.9.3

v0.9.2

19 Jan 18:32

v0.9.2 — Emerge Installed Package Filtering

Fixes an inconsistency where resolve correctly filtered installed packages but emerge showed the full dependency tree.

Fixed

  • emerge ignores installed packages: grpm emerge -p mc now shows 1 package instead of 93 (#61)

Added

  • Portage-compatible flags for emerge:
    • --deep, -D — Traverse dependencies of already-installed packages
    • --with-bdeps — Include build-time dependencies for installed packages
    • --emptytree, -e — Assume no packages installed (full dependency tree)
    • --vardb — Custom path to installed packages database

Example

# Show only packages to install (default, Portage-compatible)
grpm emerge -p mc                    # 1 package

# Show full dependency tree
grpm emerge -e -p mc                 # 93 packages

# Deep update with build deps
grpm emerge -D --with-bdeps @world

Installation

wget https://github.com/grpmsoft/grpm/releases/download/v0.9.2/grpm_0.9.2_linux_x86_64.tar.gz
tar -xzf grpm_0.9.2_linux_x86_64.tar.gz
sudo install -m 0755 grpm /usr/bin/grpm
grpm --version

Full Changelog: v0.9.1...v0.9.2

v0.9.1

19 Jan 18:01
4d7a951

GRPM v0.9.1 — Enterprise CLI, Dependency Filtering & Mirror Fallback

Major release combining CLI improvements, Portage-compatible dependency filtering, and mirror fallback.

Highlights

🔧 Critical Fix: Dependency Explosion

  • grpm resolve app-misc/mc now shows 1 package instead of 2094
  • Root cause: USE-conditional deps included regardless of USE flag state
  • Root cause: All deps traversed even if already installed
  • Root cause: BDEPEND included for packages already built

🎯 Portage-Compatible Resolution

  • --deep — Traverse dependencies of installed packages
  • --with-bdeps — Include BDEPEND for installed packages
  • --emptytree — Show full tree (assume nothing installed)
  • --vardb — Custom path to installed packages database

🖥️ Enterprise CLI

  • Professional help formatter with combined flags (-p, --pretend)
  • Shell completion for bash, zsh, fish (grpm completion bash)
  • Man page generation (grpm doc man)
  • "Did you mean?" suggestions for typos

📦 Mirror Fallback

  • GENTOO_MIRRORS tried first (reduces upstream load)
  • SRC_URI as fallback with user-friendly error messages

Installation

# Download
wget https://github.com/grpmsoft/grpm/releases/download/v0.9.1/grpm_0.9.1_linux_x86_64.tar.gz

# Extract and install
tar -xzf grpm_0.9.1_linux_x86_64.tar.gz
sudo install -m 0755 grpm /usr/bin/grpm

# Verify
grpm -V

Shell Completion

# Bash
grpm completion bash | sudo tee /etc/bash_completion.d/grpm > /dev/null

# Zsh
grpm completion zsh > ~/.zsh/completions/_grpm

# Fish
grpm completion fish > ~/.config/fish/completions/grpm.fish

Quick Example

# Default: only packages to install (Portage-compatible)
grpm resolve app-misc/mc           # 1 package

# Full dependency tree for analysis
grpm resolve --emptytree app-misc/mc  # 95 packages

Full Changelog: v0.9.0...v0.9.1

v0.9.0

19 Jan 13:11
7dbb133

v0.9.0 — Enterprise Tool Check & Bug Fixes

This release brings Portage-compatible tool handling and critical bug fixes for package installation.

🏢 Enterprise Tool Check

Tool check is now opt-in instead of opt-out, following Portage's BDEPEND pattern:

# Default behavior (no tool pre-check)
grpm emerge @world

# Optional pre-validation
grpm emerge --check-tools @world

Why this change?

  • Portage handles tool dependencies via BDEPEND, not global pre-flight checks
  • Pre-checking 2000+ packages caused false positives (one Rust package requiring cargo for entire @world)
  • Now follows enterprise pattern: BDEPEND + natural build failures + rich error reporting

🐛 Bug Fixes

  • Collision detection — Only files are checked for collisions, directories are skipped (was counting 147 collisions for 49 files)
  • VarDB persistence — Packages are now properly tracked in /var/db/pkg after installation
  • Shared file collision: /usr/share/info/dir excluded from collision check (GNU Info directory file)
  • Collision logging — Added detailed collision reporting for better diagnostics

📦 Package Sets (from v0.8.4)

Package sets now work in all commands:

  • grpm resolve @world / @system / @selected
  • grpm emerge @world
  • grpm fetch @system

⚠️ Breaking Change

# Before (v0.8.x):
grpm emerge --skip-tool-check @world

# After (v0.9.0):
grpm emerge @world                    # No flag needed
grpm emerge --check-tools @world      # Optional pre-validation

✅ Tested on Real Gentoo

  • grpm resolve @system → 2086 packages resolved
  • grpm emerge app-misc/hello → builds and installs successfully
  • VarDB tracking → /var/db/pkg/app-misc/hello-2.12.2/ created correctly

📥 Installation

# Download
wget https://github.com/grpmsoft/grpm/releases/download/v0.9.0/grpm_linux_amd64.tar.gz
tar -xzf grpm_linux_amd64.tar.gz
sudo install -m 0755 grpm /usr/bin/grpm

# Verify
grpm -V

Full Changelog: v0.8.4...v0.9.0

v0.8.3

18 Jan 00:12

GRPM 0.8.3 — SRC_URI Evaluation Hotfix

Critical fix for packages with dynamic SRC_URI generation (#50).

Summary

Fixes grpm fetch for packages like gcc that use eclasses to dynamically generate SRC_URI. Previously, version extraction was broken, causing incorrect distfile URLs.

What's Fixed

  • gcc distfile selection: grpm fetch =sys-devel/gcc-13.4.1_p20250807 now downloads correct files
  • SRC_URI evaluation — Pure Go evaluation using mvdan.cc/sh interpreter with full eclass support
  • ver_cut function — PMS-compliant version extraction (e.g., gcc-13-20250807 instead of broken gcc-13.4.1_p20250807-20250807)
  • Eclass caching — Efficient eclass loading with inheritance tracking

Technical Notes

The ver_cut implementation uses indexed variables instead of bash array slicing due to a bug in mvdan.cc/sh where ${arr[@]:start:len} doesn't work correctly in command substitution. This workaround ensures correct version extraction for toolchain.eclass and similar complex eclasses.

Installation

# Download for your platform
wget https://github.com/grpmsoft/grpm/releases/download/v0.8.3/grpm_0.8.3_linux_x86_64.tar.gz

# Extract and install
tar -xzf grpm_0.8.3_linux_x86_64.tar.gz
sudo install -m 0755 grpm /usr/bin/grpm

# Verify
grpm version

Verification

# This should now work correctly
grpm fetch =sys-devel/gcc-13.4.1_p20250807

Full Changelog: v0.8.2...v0.8.3

v0.8.2

17 Jan 19:55
5412128

UX Improvements Release

User experience improvements and bug fixes based on community feedback.

New Features

  • emerge --info — Display system environment information (Go version, platform, memory, repositories, installed packages)
  • USE flags in --pretend — Shows USE="flag1 -flag2" in emerge pretend output, matching Portage behavior
  • User-friendly error messages — Clear, actionable error messages with package suggestions
  • Fuzzy package matching — Similar package suggestions when package not found (e.g., neofatch → neofetch)
  • Per-package tool check: grpm tools --check now shows which tools are required by specific eclasses

Bug Fixes

  • Search version sorting — Versions now sorted correctly using PMS-compliant comparison
  • Info command filtering — Now respects mask and keyword filtering like resolve/emerge
  • Dependency deduplication — Info output no longer shows duplicate dependencies

Installation

# Download and install
curl -LO https://github.com/grpmsoft/grpm/releases/download/v0.8.2/grpm_0.8.2_linux_amd64.tar.gz
tar xzf grpm_0.8.2_linux_amd64.tar.gz
sudo mv grpm /usr/local/bin/

Testing

  • All 137+ unit tests pass
  • Smoke tests verified on mock repository
  • Integration tests verified on Gentoo container
  • 98.2% Portage tree coverage maintained

Full Changelog: v0.8.1...v0.8.2

v0.8.1

17 Jan 13:36
dc9ee7f

Package Mask, Keywords Filtering & Atom Parsing Fix

This release adds critical filtering functionality to the dependency resolver and fixes atom parsing issues that caused incorrect Manifest path construction.

Highlights

  • Package Mask Support — Solver now respects package.mask from repository, profile cascade, and user configuration
  • KEYWORDS Filtering — Packages are filtered by KEYWORDS vs ACCEPT_KEYWORDS, preventing selection of unkeyworded packages (e.g., gcc-16.0.9999)
  • Atom Parsing Fix — Versioned atoms like =sys-devel/gcc-13.4.1_p20250807 now correctly resolve to sys-devel/gcc for path construction

Bug Fixes

  • #45 — Fixed Manifest path construction for versioned atoms. Before: =sys-devel/gcc-13.4.1 → sys-devel/gcc-13.4.1/Manifest (wrong). After: sys-devel/gcc/Manifest (correct)
  • #46 — Solver now properly filters masked packages
  • #48 — Solver now filters unkeyworded packages

New Features

  • MaskManager — Multi-source mask loading with priority handling
  • KeywordManager — Architecture-aware keyword filtering
  • loadPackageFromAtom() — PMS-compliant atom loading helper
  • 18 new test cases for atom parsing edge cases

Verified

GRPM now selects the same package versions as Portage (tested with sys-devel/gcc):

  • Before: gcc-16.0.9999 (unkeyworded, masked)
  • After: gcc-15.2.1_p20251122 (stable, same as Portage)

Installation

# Download for your platform
wget https://github.com/grpmsoft/grpm/releases/download/v0.8.1/grpm_0.8.1_linux_x86_64.tar.gz

# Extract and install
tar -xzf grpm_0.8.1_linux_x86_64.tar.gz
sudo install -m 0755 grpm /usr/bin/grpm

# Verify
grpm version

Testing

Tested on Gentoo Linux with real Portage repository:

  • Unit tests: ✅ All passing
  • Integration tests: ✅ All passing (E2E in Gentoo container)
  • Real-world: ✅ 98.2% tree coverage verified

Full Changelog: v0.8.0...v0.8.1

v0.8.0

17 Jan 04:46
987d0c3

Configuration Management Release

Full Portage configuration compatibility for seamless integration with existing Gentoo setups.

Highlights

  • Dynamic make.conf parser — Variable expansion (${VAR}, $VAR), source directive support, circular reference prevention
  • repos.conf support — INI format parsing, Portage fallback chain (repos.conf → PORTDIR → auto-detect)
  • package.use patterns — Full atom syntax (=, >=, ~, =*, slots, wildcards), priority-based USE flag resolution, USE_EXPAND support

Issues Closed

  • #40 — Dynamic make.conf parser with variable expansion
  • #41 — repos.conf support with Portage fallback chain
  • #42 — package.use pattern matching with atom specificity

Installation

# Download
wget https://github.com/grpmsoft/grpm/releases/download/v0.8.0/grpm_0.8.0_linux_x86_64.tar.gz

# Extract and install
tar -xzf grpm_0.8.0_linux_x86_64.tar.gz
sudo install -m 0755 grpm /usr/bin/grpm

# Verify
grpm version

Testing

  • 101 tests in configuration module
  • Full test suite: 26 packages pass
  • CI: Unit tests, smoke tests, integration tests

Full Changelog: v0.7.11...v0.8.0

v0.7.11

17 Jan 02:13
773564c

GRPM 0.7.11 - Security Release

Release Date: 2026-01-17

Security Advisory: Path Traversal Vulnerability (CWE-22)

This release fixes a path traversal vulnerability that could allow malicious
package names to access files outside the repository directory.

Severity: High
Affected Versions: All versions prior to 0.7.11
CVE: Pending assignment
Issue: #36

Reported by: Max Steel via Gentoo Forums

Upgrade Recommendation

All users should upgrade immediately. This vulnerability could potentially
allow reading arbitrary files on the system if a malicious package name was
processed.

What's Fixed

  • Input Validation — Category and package names are now validated against PMS format

    • Rejects ../, .hidden, null bytes, and other directory traversal sequences
    • Enforces PMS-compliant naming patterns
  • Path Containment — Defense-in-depth check ensures constructed paths stay within base directory

    • Uses filepath.Clean() and prefix comparison
    • Protects against symlink-based escapes

Technical Details

  • New security utilities: ValidateCategoryPackageName(), ValidatePathContainment(), SafeJoinPath()
  • Protection applied to: LoadPackage(), LoadPackageVersion(), GetAllVersions(), VarDB Write()
  • 86+ security test cases covering attack vectors:
    • Parent directory traversal (../../../etc/passwd)
    • Package name traversal (sys-libs/../../etc)
    • Hidden directory access (.hidden/pkg)
    • Null byte injection
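
The two layers described above (name validation, then a containment check on the joined path), as an added example that is not grpm's own code. The function names, the regexes (a simplified reading of the PMS naming rules) and the repository path are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Simplified PMS name rules (assumption: the "must not end in a version" rule is omitted).
var (
	categoryRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9+_.-]*$`)
	packageRe  = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9+_-]*$`)
	ErrUnsafe  = errors.New("unsafe package path")
)

// isContained reports whether target stays lexically inside base. It does not
// resolve symlinks; pair it with filepath.EvalSymlinks for paths that exist.
func isContained(base, target string) bool {
	root, t := filepath.Clean(base), filepath.Clean(target)
	if t == root {
		return true
	}
	if !strings.HasSuffix(root, string(filepath.Separator)) {
		root += string(filepath.Separator) // so /repo does not match /repo-evil
	}
	return strings.HasPrefix(t, root)
}

// safeJoin validates both names, then builds base/category/pkg and re-checks containment.
func safeJoin(base, category, pkg string) (string, error) {
	if !categoryRe.MatchString(category) || !packageRe.MatchString(pkg) {
		return "", fmt.Errorf("%w: invalid name %q/%q", ErrUnsafe, category, pkg)
	}
	p := filepath.Join(base, category, pkg)
	if !isContained(base, p) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafe, p, base)
	}
	return p, nil
}

func main() {
	base := "/var/db/repos/gentoo" // constructed sample repository root
	for _, in := range [][2]string{{"app-text", "tree"}, {"sys-libs", "../../etc"}, {".hidden", "pkg"}} {
		p, err := safeJoin(base, in[0], in[1])
		fmt.Printf("%q/%q -> %q, err=%v\n", in[0], in[1], p, err)
	}
}
```

The separator-terminated prefix is what keeps a sibling directory such as gentoo-evil from passing a bare prefix comparison.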

Installation

# Download for your platform (Linux x86_64 example)
wget https://github.com/grpmsoft/grpm/releases/download/v0.7.11/grpm_0.7.11_linux_x86_64.tar.gz

# Extract
tar -xzf grpm_0.7.11_linux_x86_64.tar.gz

# Install
sudo install -m 0755 grpm /usr/bin/grpm

# Verify
grpm version

Available Platforms

  • Linux x86_64
  • Linux ARM64
  • Linux ARMv7
  • Linux ARMv6
  • Linux i386

Full Changelog

v0.7.10...v0.7.11


For detailed changes, see CHANGELOG.md

v0.7.10

17 Jan 00:39
1239648

GRPM v0.7.10 — Docker Layer Caching & Version Selection Fix

Release Date: 2026-01-17

Highlights

This release adds Docker layer caching support and fixes a critical bug in versioned atom handling.

New Features

  • --onlydeps / -o flag for emerge (#33)
    • Build dependencies only, skip target package(s)
    • Perfect for Docker layer caching: pre-build dependencies in a separate layer
    • Example: grpm emerge --onlydeps app-misc/hello
    • Portage-compatible behavior

Bug Fixes

  • Versioned atoms now correctly select specified version (#32)
    • Previously: =sys-devel/gcc-13.4.1_p20250807 incorrectly selected gcc-16.0.9999
    • Now: Resolver properly uses version from SAT solver solution
    • Added LoadPackageVersion() to Repository interface for exact version loading

Installation

# Download and install
curl -LO https://github.com/grpmsoft/grpm/releases/download/v0.7.10/grpm_0.7.10_linux_x86_64.tar.gz
tar xzf grpm_0.7.10_linux_x86_64.tar.gz
sudo mv grpm /usr/local/bin/

# Verify
grpm --version

Testing

All tests passed:

  • ✅ Unit Tests
  • ✅ Integration Tests (Gentoo WSL2)
  • ✅ Smoke Tests

Full Changelog: https://github.com/grpmsoft/grpm/blob/main/CHANGELOG.md