add Debian build

client/CMakeLists.txt

@@ -58,7 +58,11 @@ target_link_libraries(${LIB_TDNF}
 set_target_properties(${LIB_TDNF} PROPERTIES
     VERSION ${PROJECT_VERSION}
     SOVERSION ${PROJECT_VERSION_MAJOR}
+    POSITION_INDEPENDENT_CODE ON
 )
 
+# Apply appropriate flags for shared library
+apply_tdnf_flags(${LIB_TDNF} SHARED)
+
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/tdnf.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
 install(TARGETS ${LIB_TDNF} LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} COMPONENT library)

client/remoterepo.c

@@ -376,7 +376,7 @@ TDNFDownloadPackage(
     uint32_t dwError = 0;
     char *pszPackageFile = NULL;
     char *pszCopyOfPackageLocation = NULL;
-    int nSize;
+    int nSize = 0;
 
     if(!pTdnf ||
        !pTdnf->pArgs ||

client/repoutils.c

@@ -434,7 +434,7 @@ TDNFRepoApplyDownloadSettings(
     if((curlError = curl_easy_setopt(
             pCurl,
             CURLOPT_MAX_RECV_SPEED_LARGE,
-            pRepo->nThrottle)) != CURLE_OK)
+            (curl_off_t)pRepo->nThrottle)) != CURLE_OK)
     {
         dwError = ERROR_TDNF_CURL_BASE + curlError;
         BAIL_ON_TDNF_ERROR(dwError);

client/rpmtrans.c

@@ -783,7 +783,7 @@ TDNFTransAddInstallPkg(
     const char* pszPkgName = NULL;
     uint8_t digest_from_file[EVP_MAX_MD_SIZE] = {0};
     hash_op *hash = NULL;
-    int nSize;
+    int nSize = 0;
 
     if(!pTS || !pTdnf || !pInfo || !pRepo)
     {
@@ -942,7 +942,7 @@ TDNFTransAddInstallPkg(
     return dwError;
 
 error:
-    pr_err("Error processing package: %s\n", pszPackageLocation);
+    pr_err("Error processing package: %s\n", pszPackageLocation ? pszPackageLocation : "(null)");
     TDNF_SAFE_FREE_MEMORY(pszFilePath);
     TDNF_SAFE_FREE_MEMORY(pRpmCache);
     goto cleanup;

cmake/CFlags.cmake

@@ -44,11 +44,9 @@ set(EXTRA_WARN_CFLAGS
     -Walloc-zero -Walloca -Wtrampolines
 )
 
-# Extra security / hardening flags
-set(EXTRA_SECURITY_CFLAGS
-    -D_FORTIFY_SOURCE=2
+# Extra security / hardening flags for executables
+set(EXTRA_SECURITY_CFLAGS_EXE
     -fstack-clash-protection
-    -fcf-protection=full
     -fPIE
     -pie
     -Wl,-z,relro
@@ -57,6 +55,31 @@ set(EXTRA_SECURITY_CFLAGS
     -fno-plt
 )
 
+# Extra security / hardening flags for shared libraries
+set(EXTRA_SECURITY_CFLAGS_SO
+    -fstack-clash-protection
+    -fPIC
+    -Wl,-z,relro
+    -Wl,-z,now
+    -Wl,-z,noexecstack
+    -fno-plt
+)
+
+# Extra security / hardening flags for static libraries (no linker flags, no LTO)
+set(EXTRA_SECURITY_CFLAGS_STATIC
+    -fstack-clash-protection
+    -fPIC
+    -fno-plt
+    -fno-lto
+)
+
+# Add architecture-specific flags
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64")
+    list(APPEND EXTRA_SECURITY_CFLAGS_EXE -fcf-protection=full)
+    list(APPEND EXTRA_SECURITY_CFLAGS_SO -fcf-protection=full)
+    list(APPEND EXTRA_SECURITY_CFLAGS_STATIC -fcf-protection=full)
+endif()
+
 # Build-type dependent flags
 set(DEBUG_CFLAGS
     -Og -g
@@ -72,22 +95,65 @@ set(FEATURE_FLAGS
     -D_DEFAULT_SOURCE
 )
 
-### Combine all flags
-set(TDNF_CFLAGS
+# Add _FORTIFY_SOURCE if not already defined by the build system
+# Check if _FORTIFY_SOURCE is already in the compiler flags
+string(FIND "${CMAKE_C_FLAGS}" "_FORTIFY_SOURCE" FORTIFY_POS)
+if(FORTIFY_POS EQUAL -1)
+    list(APPEND FEATURE_FLAGS -D_FORTIFY_SOURCE=2)
+endif()
+
+### Combine all flags for executables
+set(TDNF_CFLAGS_EXE
+    ${WARN_CFLAGS}
+    ${OPTIMIZE_CFLAGS}
+    ${SECURITY_CFLAGS}
+    ${EXTRA_WARN_CFLAGS}
+    ${EXTRA_SECURITY_CFLAGS_EXE}
+    ${FEATURE_FLAGS}
+)
+
+### Combine all flags for shared libraries
+set(TDNF_CFLAGS_SO
     ${WARN_CFLAGS}
     ${OPTIMIZE_CFLAGS}
     ${SECURITY_CFLAGS}
     ${EXTRA_WARN_CFLAGS}
-    ${EXTRA_SECURITY_CFLAGS}
+    ${EXTRA_SECURITY_CFLAGS_SO}
+    ${FEATURE_FLAGS}
+)
+
+### Combine all flags for static libraries
+set(TDNF_CFLAGS_STATIC
+    ${WARN_CFLAGS}
+    ${OPTIMIZE_CFLAGS}
+    ${SECURITY_CFLAGS}
+    ${EXTRA_WARN_CFLAGS}
+    ${EXTRA_SECURITY_CFLAGS_STATIC}
     ${FEATURE_FLAGS}
 )
 
 if(CMAKE_BUILD_TYPE STREQUAL "Debug")
-    list(APPEND TDNF_CFLAGS ${DEBUG_CFLAGS})
+    list(APPEND TDNF_CFLAGS_EXE ${DEBUG_CFLAGS})
+    list(APPEND TDNF_CFLAGS_SO ${DEBUG_CFLAGS})
+    list(APPEND TDNF_CFLAGS_STATIC ${DEBUG_CFLAGS})
 elseif(CMAKE_BUILD_TYPE STREQUAL "Release")
-    list(APPEND TDNF_CFLAGS ${RELEASE_CFLAGS})
+    list(APPEND TDNF_CFLAGS_EXE ${RELEASE_CFLAGS})
+    list(APPEND TDNF_CFLAGS_SO ${RELEASE_CFLAGS})
+    list(APPEND TDNF_CFLAGS_STATIC ${RELEASE_CFLAGS})
 endif()
 
-foreach(flag IN LISTS TDNF_CFLAGS)
+# Apply flags to executables by default
+foreach(flag IN LISTS TDNF_CFLAGS_EXE)
     add_c_compiler_flag(${flag})
 endforeach()
+
+# Function to apply appropriate flags based on target type
+function(apply_tdnf_flags target_name target_type)
+    if(target_type STREQUAL "SHARED")
+        target_compile_options(${target_name} PRIVATE ${TDNF_CFLAGS_SO})
+    elseif(target_type STREQUAL "STATIC")
+        target_compile_options(${target_name} PRIVATE ${TDNF_CFLAGS_STATIC})
+    else()
+        target_compile_options(${target_name} PRIVATE ${TDNF_CFLAGS_EXE})
+    endif()
+endfunction()

common/CMakeLists.txt

@@ -16,4 +16,10 @@ add_library(${LIB_TDNF_COMMON} STATIC
     lock.c
 )
 
-set_target_properties(${LIB_TDNF_COMMON} PROPERTIES POSITION_INDEPENDENT_CODE ON)
+# Apply appropriate flags for static library
+apply_tdnf_flags(${LIB_TDNF_COMMON} STATIC)
+
+set_target_properties(${LIB_TDNF_COMMON} PROPERTIES
+    POSITION_INDEPENDENT_CODE ON
+    INTERFACE_POSITION_INDEPENDENT_CODE ON
+)

debian/README.Debian

@@ -0,0 +1,67 @@
+tdnf for Debian
+===============
+
+This package provides tdnf, a lightweight package manager that is compatible
+with yum/dnf but implemented in C using libsolv and libcurl for better
+performance and lower memory usage.
+
+Package Structure
+-----------------
+
+The Debian packaging splits tdnf into several packages:
+
+- tdnf: Main package with the tdnf binary and core functionality
+- tdnf-dev: Development headers and libraries
+- tdnf-cli-libs: Shared libraries for CLI functionality
+- tdnf-plugin-metalink: Plugin for metalink repository support
+- tdnf-plugin-repogpgcheck: Plugin for GPG verification of repository metadata
+- tdnf-automatic: Systemd services for automatic updates
+- tdnf-pytests: Test suite (development/testing only)
+
+Compatibility
+-------------
+
+This package provides yum compatibility through symbolic links and provides/conflicts
+declarations. The following commands are available as alternatives to yum:
+
+- yum -> tdnf
+- tyum -> tdnf (transitional yum)
+- tdnfj -> tdnf (JSON output variant)
+
+Configuration
+-------------
+
+Configuration files are located in:
+- /etc/tdnf/tdnf.conf - Main configuration
+- /etc/tdnf/pluginconf.d/ - Plugin configurations
+
+Cache and data directories:
+- /var/cache/tdnf/ - Package cache
+- /var/lib/tdnf/ - History database and persistent data
+
+Automatic Updates
+-----------------
+
+The tdnf-automatic package provides systemd timers for automatic updates:
+- tdnf-automatic.timer - Full automatic updates
+- tdnf-automatic-install.timer - Install updates automatically
+- tdnf-automatic-notifyonly.timer - Check and notify only
+
+These services are installed but not enabled by default. Enable them with:
+  systemctl enable --now tdnf-automatic.timer
+
+Package Format
+--------------
+
+This is a Debian native package, meaning the Debian packaging is maintained
+directly alongside the upstream source code. This approach is used because
+VMware maintains both the upstream tdnf project and the Debian packaging.
+
+Repository Setup
+----------------
+
+Unlike RPM-based distributions, Debian systems typically use APT repositories.
+This package is primarily useful for managing RPM packages on Debian systems
+or in containerized environments where RPM package management is needed.
+
+ -- VMware, Inc. <support@vmware.com>  Wed, 10 Sep 2025 12:00:00 +0000

debian/build-packages.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+#
+# Build script for creating Debian packages for tdnf
+# Supports Ubuntu 22.04, 24.04, and Debian Bookworm
+#
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Check if we're in the right directory
+if [ ! -f "tdnf.spec" ] || [ ! -d "debian" ]; then
+    print_error "This script must be run from the tdnf source directory"
+    exit 1
+fi
+
+# Detect distribution
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+    DISTRO="$ID"
+    VERSION="$VERSION_ID"
+else
+    print_error "Cannot detect distribution"
+    exit 1
+fi
+
+print_status "Detected distribution: $DISTRO $VERSION"
+
+# Check if this is a supported distribution
+case "$DISTRO" in
+    ubuntu)
+        case "$VERSION" in
+            "22.04"|"24.04")
+                print_status "Supported Ubuntu version: $VERSION"
+                ;;
+            *)
+                print_warning "Untested Ubuntu version: $VERSION"
+                ;;
+        esac
+        ;;
+    debian)
+        case "$VERSION" in
+            "12")
+                print_status "Supported Debian version: $VERSION (Bookworm)"
+                ;;
+            *)
+                print_warning "Untested Debian version: $VERSION"
+                ;;
+        esac
+        ;;
+    *)
+        print_warning "Untested distribution: $DISTRO"
+        ;;
+esac
+
+# Install build dependencies
+print_status "Installing build dependencies..."
+sudo apt-get update
+sudo apt-get install -y \
+    debhelper-compat \
+    cmake \
+    gcc \
+    make \
+    libpopt-dev \
+    librpm-dev \
+    libssl-dev \
+    libsolv-dev \
+    libcurl4-openssl-dev \
+    libexpat1-dev \
+    libsqlite3-dev \
+    zlib1g-dev \
+    systemd \
+    libgpgme-dev \
+    pkg-config \
+    devscripts \
+    build-essential \
+    fakeroot \
+    git
+
+# Clean previous builds
+print_status "Cleaning previous builds..."
+rm -rf debian/tmp debian/.debhelper debian/files
+
+# Native packages don't need upstream tarballs
+VERSION=$(dpkg-parsechangelog -S Version)
+print_status "Building native package version: $VERSION"
+
+# Build source package
+print_status "Building source package..."
+dpkg-buildpackage -S -us -uc
+
+# Build binary packages
+print_status "Building binary packages..."
+dpkg-buildpackage -b -us -uc
+
+print_status "Build completed successfully!"
+print_status "Packages are available in the parent directory:"
+ls -la ../*.deb
+
+print_status "To install the packages, run:"
+echo "  sudo dpkg -i ../*.deb"
+echo "  sudo apt-get install -f  # to fix any dependency issues"

debian/changelog

@@ -0,0 +1,10 @@
+tdnf (3.6.0) unstable; urgency=medium
+
+  * Initial Debian package release
+  * Port from RPM spec file to Debian packaging
+  * Support for Ubuntu 22.04, 24.04 and Debian Bookworm
+  * dnf/yum equivalent using C libs with libsolv and libcurl
+  * Includes plugins for metalink and repository GPG checking
+  * Automatic update functionality via systemd timers
+
+ -- VMware, Inc. <support@vmware.com>  Wed, 10 Sep 2025 12:00:00 +0000