pacman reports multiple package broken due to empty dependency

[astro-angelfish]

• I have searched open and closed issues for duplicates
• I am submitting a bug report for existing functionality that does not work as intended

---

Bug description

Some tool package may contain empty depend = entry, causing pacman complains about corrupted packages and refuses to install for me.

I've found stegolego, syringe package has the bad entry and I remember I've also corrected other broken packages.

Example .PKGINFO on syringe:

# Generated by makepkg 5.1.1
# using fakeroot version 1.23
pkgname = syringe
pkgbase = syringe
pkgver = 12.79a703e-1
pkgdesc = A General Purpose DLL & Code Injection Utility.
url = https://github.com/securestate/syringe
builddate = 1542069352
packager = Levon Kayan <[email protected]>
size = 47104
arch = any
license = GPL3
group = blackarch
group = blackarch-backdoor
group = blackarch-binary
group = blackarch-windows
depend = 
makedepend = git

Steps to reproduce

• Initialize blackarch setup with strap.sh on a fresh arch install
• Switch to mirrors in China (optional?)
• Do pacman -S blackarch on root

• Do pacman -S syringe on the top of arch install

Actual result: Describe here what happens after you run the steps above (i.e. the buggy behaviour)

Trying to focus on the single package:

warning: cannot resolve "", a dependency of "stegolego"
:: The following package cannot be upgraded due to unresolvable dependencies:
      stegolego

:: Do you want to skip the above package for this upgrade? [y/N] 
error: failed to prepare transaction (could not satisfy dependencies)

Same report on syringe.

Trying to install the whole group, causing pacman reports false corruptions:

error: failed to commit transaction (invalid or corrupted package)
arduino-1:1.8.19-2-x86_64.pkg.tar.zst is invalid or corrupted
atftp-0.8.0-3-x86_64.pkg.tar.zst is invalid or corrupted
bandit-1.7.7-2-any.pkg.tar.zst is invalid or corrupted
cadaver-0.24-1-x86_64.pkg.tar.zst is invalid or corrupted
cfr-0.152-2-any.pkg.tar.zst is invalid or corrupted
cppcheck-2.14.1-1-x86_64.pkg.tar.zst is invalid or corrupted
dscanner-0.15.2-1-x86_64.pkg.tar.zst is invalid or corrupted
flawfinder-2.0.19-2-any.pkg.tar.zst is invalid or corrupted
freeipmi-1.6.14-1-x86_64.pkg.tar.zst is invalid or corrupted
gsocket-1.4.43-1-x86_64.pkg.tar.zst is invalid or corrupted
i2pd-2.52.0-1-x86_64.pkg.tar.zst is invalid or corrupted
jhead-3.08-1-x86_64.pkg.tar.zst is invalid or corrupted
mtr-0.95-4-x86_64.pkg.tar.zst is invalid or corrupted
multimon-ng-1.3.0-1-x86_64.pkg.tar.zst is invalid or corrupted
ngrep-1.47-4-x86_64.pkg.tar.zst is invalid or corrupted
packeth-3.0-1-x86_64.pkg.tar.zst is invalid or corrupted
shellcheck-0.10.0-5-x86_64.pkg.tar.zst is invalid or corrupted
splint-3.1.2.git20180129-3-x86_64.pkg.tar.zst is invalid or corrupted
sslh-2.1.2-1-x86_64.pkg.tar.zst is invalid or corrupted
stegolego-8.85354f6-3-x86_64.pkg.tar.xz is invalid or corrupted
swaks-20240103.0-1-any.pkg.tar.zst is invalid or corrupted
tcpreplay-4.4.3-1-x86_64.pkg.tar.zst is invalid or corrupted
tinc-1.0.36-3-x86_64.pkg.tar.zst is invalid or corrupted
urh-2.9.6-4-x86_64.pkg.tar.zst is invalid or corrupted
Errors occurred, no packages were upgraded.

Expected result: Describe here what should happen after you run the steps above (i.e. what would be the correct behaviour)

:: Processing package changes...
(1/1) installing stegolego                                                  [##########################################] 100%
:: Running post-transaction hooks...

Screenshots

Info for developers

Device: Hasee TX6-CU5DS with 16GB memory.
GNU/Linux distribution: Arch Linux
Tool version: stegolego-8.85354f6-3

Link to debug log

They can't even be correctly installed. No log available.

[saltasatelites]

https://wiki.archlinux.org/title/Pacman/Package_signing#Removing_packages_from_cache

[saltasatelites]

https://wiki.archlinux.org/title/Pacman/Package_signing#Removing_packages_from_cache

[astro-angelfish]

https://wiki.archlinux.org/title/Pacman/Package_signing#Removing_packages_from_cache

I guess I've already tried sudo pacman -Scc and confirmed the removal when pacman notifies me before redownloaded for a few times. Finally I had to install each category individually and figured out broken packages with empty dependency.

Tools in BlackArch always requires me to build from rubygem or pypi but I'm in a restricted network and power supply will shut down each night in my dormitory. It is really painful when installing BlackArch. It just made me more suffering when got hit by these broken packages. So I also highly suggest complete prebuilt packages in BlackArch.

[ikstream]

Some of these tools have dependencies which would conflict with system libraries. That’s the reason they require isolated installation. This is in line with arch Linux packaging guidelines.

BTW I can’t reproduce your issue with empty dependencies on an up to date system.
I can confirm the corruption for stegolego though.

It is not recommended to install all tools at once and should be in any of our guides anymore. Where did you find the command?

[astro-angelfish]

Some of these tools have dependencies which would conflict with system libraries. That’s the reason they require isolated installation. This is in line with arch Linux packaging guidelines.

BTW I can’t reproduce your issue with empty dependencies on an up to date system. I can confirm the corruption for stegolego though.

It is not recommended to install all tools at once and should be in any of our guides anymore. Where did you find the command?

stegolego is an example in my memory and I've noticed that there are multiple (for about 4 to 5? I guess) packages that contain empty depend entry. But I'm sorry that I've already forgot their names. They are just aborting the whole installation and bring up other false positives of corruption detection.

I've also noticed that there are false positives when getting some other innocent BlackArch packages installed. But it could be easily fixed by separating them. I don't know whether it is a problem with pacman since I did not found enough document for the problem.

I got that on legacy website and it burnt into my memory. I did not check the newer installation guide because it worked for a long time and I always do that before I sleep when I was at home.

I guess some packages like pypi packages would use virtualenv to make an isolated environment and could be prebuilt into the package archive than building them in post installation hooks to reduce building time on installation. I think I should do some experiments first and could bring up some PRs if my assumptions are correct.

[ikstream]

I got that on legacy website and it burnt into my memory. I did not check the newer installation guide because it worked for a long time and I always do that before I sleep when I was at home.

It's more likely to break during install the more tools are added as there might be conflicts between them. How often do you recreate your blackarch environment?

I guess some packages like pypi packages would use virtualenv to make an isolated environment and could be prebuilt into the package archive than building them in post installation hooks to reduce building time on installation. I think I should do some experiments first and could bring up some PRs if my assumptions are correct.

This would blow up package size. As installing all tools at once isn't recommended anyways the build times shouldn't be that big of an issue. If you want to have all tools available, you could also go with the ova, without installing them all, just updating.

[astro-angelfish]

It's more likely to break during install the more tools are added as there might be conflicts between them. How often do you recreate your blackarch environment?

Not very often. I just decided to recreate my environment because I've encountered other issues that are not related to blackarch on my laptop and I'm too lazy to inspect and resolve them (and they seem to be hard to resolve). Last time I recreate my environment before this incident is for about one or two years ago.

This would blow up package size. As installing all tools at once isn't recommended anyways the build times shouldn't be that big of an issue. If you want to have all tools available, you could also go with the ova, without installing them all, just updating.

Thanks for letting me know about ova images. I'll figure out how to use them to get tools on the top of Arch Linux later.

Anyways, this issue could be closed at the time the packages with bad entries are all fixed.

[ikstream]

Anyways, this issue could be closed at the time the packages with bad entries are all fixed.

As I said before, I can't reproduce your empty dependency related issue.

[astro-angelfish]

Anyways, this issue could be closed at the time the packages with bad entries are all fixed.

As I said before, I can't reproduce your empty dependency related issue.

I wonder if there is anything wrong on my side

Here is my output of stegolego, with commands I've issued and pacman version. And I also tried pacman -Sy stegolego but just got the same error.

This is my /etc/pacman.conf

[D3vil0p3r]

I guess the package needs to be rebuilt. @noptrix can you rebuild stegolego please?

[astro-angelfish]

Update: I've also found another package syringe also preventing me from install correctly.