Arch Linux User Repository

Patch to fix source download and licenses.

diff --git a/PKGBUILD b/PKGBUILD
index b0a9492..3551d03 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,3 +1,4 @@
+# Maintainer: lvrodrigues <lvrodriguesline@gmail.com>
 # Maintainer: pingplug < aur at pingplug dot me >
 # Contributor: Philip A Reimer < antreimer at gmail dot com >
 # Contributor: Schala Zeal < schalaalexiazeal at gmail dot com >
@@ -7,26 +8,24 @@ _architectures="i686-w64-mingw32 x86_64-w64-mingw32"

 pkgname=mingw-w64-xz
 pkgver=5.6.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Library and command line tools for XZ and LZMA compressed files (mingw-w64)"
 arch=('any')
 url="https://tukaani.org/xz/"
-license=('custom' 'GPL' 'LGPL')
-depends=('mingw-w64-crt')
-makedepends=('mingw-w64-configure' 'git' 'po4a' 'doxygen')
+license=('0BSD' 'GPL-2.0-only' 'GPL-3.0-only' 'LGPL-2.1-only')
+makedepends=('mingw-w64-crt' 'mingw-w64-configure' 'git' 'po4a' 'doxygen')
 options=('!strip' 'staticlibs' '!buildflags')
-validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
-source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
-sha256sums=('a71fcf56faa1f7d9e9708ca8d6a97906b929307d6a98d220018852eef37853c8')
+source=("https://github.com/tukaani-project/xz/releases/download/v$pkgver/xz-$pkgver.tar.xz")
+sha256sums=('a9db3bb3d64e248a0fae963f8fb6ba851a26ba1822e504dc0efd18a80c626caf')

 prepare() {
-  cd "${srcdir}/${_pkgname}"
+  cd "${srcdir}/${_pkgname}-${pkgver}"

   ./autogen.sh
 }

 build() {
-  cd "${srcdir}/${_pkgname}"
+  cd "${srcdir}/${_pkgname}-${pkgver}"
   for _arch in ${_architectures}; do
     mkdir -p build-${_arch} && pushd build-${_arch}
     ${_arch}-configure
@@ -37,14 +36,18 @@ build() {

 package() {
   for _arch in ${_architectures}; do
-    cd "${srcdir}/${_pkgname}/build-${_arch}"
+    cd "${srcdir}/${_pkgname}-${pkgver}/build-${_arch}"
     make DESTDIR="${pkgdir}" install
-    find "${pkgdir}/usr/${_arch}" -name '*.exe' | xargs -rtl1 rm
-    find "${pkgdir}/usr/${_arch}" -name '*.dll' | xargs -rtl1 ${_arch}-strip -x
-    find "${pkgdir}/usr/${_arch}" -name '*.a' -o -name '*.dll' | xargs -rtl1 ${_arch}-strip -g
+    find "${pkgdir}/usr/${_arch}" -name '*.exe' | xargs -rtL1 rm
+    find "${pkgdir}/usr/${_arch}" -name '*.dll' | xargs -rtL1 ${_arch}-strip -x
+    find "${pkgdir}/usr/${_arch}" -name '*.a' -o -name '*.dll' | xargs -rtL1 ${_arch}-strip -g
+    find "${pkgdir}/usr/${_arch}" -name '*.a' -o -name '*.dll' | xargs -rtL1 chmod 644
     rm "${pkgdir}/usr/${_arch}/bin/"{lz{cmp,diff,egrep,fgrep,grep,less,more},xz{cmp,diff,egrep,fgrep,grep,less,more}}
     rm -r "${pkgdir}/usr/${_arch}/share"
   done
+
+   install -d "$pkgdir/usr/share/licenses/$pkgname"
+   find  "${srcdir}/${_pkgname}-${pkgver}" -name 'COPYING*' | xargs -rtL1 install -m644 -t "$pkgdir/usr/share/licenses/$pkgname"   
 }

 # vim:set ts=2 sw=2 et:

This package does not build because Github has suspended the upstream repository because this package has a backdoor.

This package should be updated to follow the main arch xz package and build from git checkout and remove Jia Tan's key.

See: https://archlinux.org/news/the-xz-package-has-been-backdoored/

https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commits/main

When updating, please change the sources in accordance with https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad to avoid the recently disclosed security problem.

Probably it makes most sense to change the source URL to be in-line with https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/blob/main/PKGBUILD?ref_type=heads.

Signature also fails to be verified. Sources from github are fine, maybe he forgot to update it on his site?

Source checksum does not pass.