From 318f0fe129d2479461ccb601a5a01756eed5a496 Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Fri, 31 Jan 2025 15:34:51 -0500
Subject: [PATCH 1/3] remove build options

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 docs/md/melange_build.md                      |   3 +-
 docs/md/melange_compile.md                    |   1 -
 docs/md/melange_lint.md                       |   2 +-
 pkg/build/build.go                            |  44 -------
 pkg/build/compile.go                          |   4 +-
 pkg/build/options.go                          |  11 --
 pkg/build/pipeline.go                         |  12 +-
 pkg/build/pipeline_test.go                    |   6 +-
 pkg/build/pipelines/cargo/README.md           |   2 +
 pkg/cli/build.go                              |   3 -
 pkg/cli/compile.go                            |   3 -
 pkg/config/build_option.go                    |  11 --
 pkg/config/config.go                          |   2 -
 pkg/config/schema.json                        | 110 ++++++------------
 pkg/linter/linter.go                          |   2 +-
 .../generated/x86_64/shbang-test-1-r1.apk     | Bin 4522 -> 5910 bytes
 16 files changed, 46 insertions(+), 170 deletions(-)

diff --git a/docs/md/melange_build.md b/docs/md/melange_build.md
index 623323d46..09dbea6ba 100644
--- a/docs/md/melange_build.md
+++ b/docs/md/melange_build.md
@@ -31,7 +31,6 @@ melange build [flags]
       --apk-cache-dir string                                    directory used for cached apk packages (default is system-defined cache directory)
       --arch strings                                            architectures to build for (e.g., x86_64,ppc64le,arm64) -- default is all, unless specified in config
       --build-date string                                       date used for the timestamps of the files inside the image
-      --build-option strings                                    build options to enable
       --cache-dir string                                        directory used for cached inputs (default "./melange-cache/")
       --cache-source string                                     directory or bucket used for preloading the cache
       --cleanup                                                 when enabled, the temp dir used for the guest will be cleaned up after completion (default true)
@@ -54,7 +53,7 @@ melange build [flags]
   -k, --keyring-append strings                                  path to extra keys to include in the build environment keyring
       --license string                                          license to use for the build config file itself (default "NOASSERTION")
       --lint-require strings                                    linters that must pass (default [dev,infodir,tempdir,varempty])
-      --lint-warn strings                                       linters that will generate warnings (default [object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
+      --lint-warn strings                                       linters that will generate warnings (default [empty,object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
       --memory string                                           default memory resources to use for builds
       --namespace string                                        namespace to use in package URLs in SBOM (eg wolfi, alpine) (default "unknown")
       --out-dir string                                          directory where packages will be output (default "./packages/")
diff --git a/docs/md/melange_compile.md b/docs/md/melange_compile.md
index 3f488f6aa..1415148f8 100644
--- a/docs/md/melange_compile.md
+++ b/docs/md/melange_compile.md
@@ -31,7 +31,6 @@ melange compile [flags]
       --apk-cache-dir string        directory used for cached apk packages (default is system-defined cache directory)
       --arch string                 architectures to compile for
       --build-date string           date used for the timestamps of the files inside the image
-      --build-option strings        build options to enable
       --cache-dir string            directory used for cached inputs (default "./melange-cache/")
       --cache-source string         directory or bucket used for preloading the cache
       --cpu string                  default CPU resources to use for builds
diff --git a/docs/md/melange_lint.md b/docs/md/melange_lint.md
index 8ab0659ec..371c46ffb 100644
--- a/docs/md/melange_lint.md
+++ b/docs/md/melange_lint.md
@@ -30,7 +30,7 @@ melange lint [flags]
 ```
   -h, --help                   help for lint
       --lint-require strings   linters that must pass (default [dev,infodir,tempdir,varempty])
-      --lint-warn strings      linters that will generate warnings (default [object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
+      --lint-warn strings      linters that will generate warnings (default [empty,object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
 ```
 
 ### Options inherited from parent commands
diff --git a/pkg/build/build.go b/pkg/build/build.go
index 99f9cf9fb..49629d69e 100644
--- a/pkg/build/build.go
+++ b/pkg/build/build.go
@@ -141,8 +141,6 @@ type Build struct {
 	Auth                  map[string]options.Auth
 	IgnoreSignatures      bool
 
-	EnabledBuildOptions []string
-
 	// Initialized in New and mutated throughout the build process as we gain
 	// visibility into our packages' (including subpackages') composition. This is
 	// how we get "build-time" SBOMs!
@@ -257,17 +255,6 @@ func New(ctx context.Context, opts ...Option) (*Build, error) {
 		return nil, fmt.Errorf("unable to run containers using %s, specify --runner and one of %s", b.Runner.Name(), GetAllRunners())
 	}
 
-	// Apply build options to the context.
-	for _, optName := range b.EnabledBuildOptions {
-		log.Infof("applying configuration patches for build option %s", optName)
-
-		if opt, ok := b.Configuration.Options[optName]; ok {
-			if err := b.applyBuildOption(opt); err != nil {
-				return nil, err
-			}
-		}
-	}
-
 	return &b, nil
 }
 
@@ -412,37 +399,6 @@ func copyFile(base, src, dest string, perm fs.FileMode) error {
 	return nil
 }
 
-// applyBuildOption applies a patch described by a BuildOption to a package build.
-func (b *Build) applyBuildOption(bo config.BuildOption) error {
-	// Patch the variables block.
-	if b.Configuration.Vars == nil {
-		b.Configuration.Vars = make(map[string]string)
-	}
-
-	for k, v := range bo.Vars {
-		b.Configuration.Vars[k] = v
-	}
-
-	// Patch the build environment configuration.
-	lo := bo.Environment.Contents.Packages
-	b.Configuration.Environment.Contents.Packages = append(b.Configuration.Environment.Contents.Packages, lo.Add...)
-
-	for _, pkg := range lo.Remove {
-		pkgList := b.Configuration.Environment.Contents.Packages
-
-		for pos, ppkg := range pkgList {
-			if pkg == ppkg {
-				pkgList[pos] = pkgList[len(pkgList)-1]
-				pkgList = pkgList[:len(pkgList)-1]
-			}
-		}
-
-		b.Configuration.Environment.Contents.Packages = pkgList
-	}
-
-	return nil
-}
-
 func (b *Build) loadIgnoreRules(ctx context.Context) ([]*xignore.Pattern, error) {
 	log := clog.FromContext(ctx)
 	ignorePath := filepath.Join(b.SourceDir, b.WorkspaceIgnore)
diff --git a/pkg/build/compile.go b/pkg/build/compile.go
index 4c77fb1e7..d71aed0b7 100644
--- a/pkg/build/compile.go
+++ b/pkg/build/compile.go
@@ -39,7 +39,7 @@ func (t *Test) Compile(ctx context.Context) error {
 	// TODO: Make this parameter go away when we revisit subtitutions.
 	flavor := "gnu"
 
-	sm, err := NewSubstitutionMap(&cfg, t.Arch, flavor, nil)
+	sm, err := NewSubstitutionMap(&cfg, t.Arch, flavor)
 	if err != nil {
 		return err
 	}
@@ -116,7 +116,7 @@ func (t *Test) Compile(ctx context.Context) error {
 // Compile compiles all configuration, including tests, by loading any pipelines and substituting all variables.
 func (b *Build) Compile(ctx context.Context) error {
 	cfg := b.Configuration
-	sm, err := NewSubstitutionMap(&cfg, b.Arch, b.buildFlavor(), b.EnabledBuildOptions)
+	sm, err := NewSubstitutionMap(&cfg, b.Arch, "gnu")
 	if err != nil {
 		return err
 	}
diff --git a/pkg/build/options.go b/pkg/build/options.go
index 16926008f..b2fdfde5f 100644
--- a/pkg/build/options.go
+++ b/pkg/build/options.go
@@ -274,17 +274,6 @@ func WithNamespace(namespace string) Option {
 	}
 }
 
-// WithEnabledBuildOptions takes an array of strings representing enabled build
-// options.  These options are referenced in the options block of the Configuration,
-// and represent patches to the configured build process which are optionally
-// applied.
-func WithEnabledBuildOptions(enabledBuildOptions []string) Option {
-	return func(b *Build) error {
-		b.EnabledBuildOptions = enabledBuildOptions
-		return nil
-	}
-}
-
 // WithCreateBuildLog indicates whether to generate a package.log file containing the
 // list of packages that were built.  Some packages may have been skipped
 // during the build if , so it can be hard to know exactly which packages were built
diff --git a/pkg/build/pipeline.go b/pkg/build/pipeline.go
index 2707e9310..ca2d58e13 100644
--- a/pkg/build/pipeline.go
+++ b/pkg/build/pipeline.go
@@ -74,7 +74,7 @@ func (sm *SubstitutionMap) Subpackage(subpkg *config.Subpackage) *SubstitutionMa
 	return &SubstitutionMap{nw}
 }
 
-func NewSubstitutionMap(cfg *config.Configuration, arch apkoTypes.Architecture, flavor string, buildOpts []string) (*SubstitutionMap, error) {
+func NewSubstitutionMap(cfg *config.Configuration, arch apkoTypes.Architecture, flavor string) (*SubstitutionMap, error) {
 	pkg := cfg.Package
 
 	nw := map[string]string{
@@ -122,16 +122,6 @@ func NewSubstitutionMap(cfg *config.Configuration, arch apkoTypes.Architecture,
 		nw[k] = fmt.Sprintf("/home/build/melange-out/%s", pn)
 	}
 
-	for k := range cfg.Options {
-		nk := fmt.Sprintf("${{options.%s.enabled}}", k)
-		nw[nk] = "false"
-	}
-
-	for _, opt := range buildOpts {
-		nk := fmt.Sprintf("${{options.%s.enabled}}", opt)
-		nw[nk] = "true"
-	}
-
 	return &SubstitutionMap{nw}, nil
 }
 
diff --git a/pkg/build/pipeline_test.go b/pkg/build/pipeline_test.go
index a28113c89..b3f03c985 100644
--- a/pkg/build/pipeline_test.go
+++ b/pkg/build/pipeline_test.go
@@ -66,7 +66,7 @@ func Test_substitutionMap(t *testing.T) {
 					},
 				},
 			}
-			m, err := NewSubstitutionMap(&cfg, "", "", nil)
+			m, err := NewSubstitutionMap(&cfg, "", "")
 			require.NoError(t, err)
 			require.Equal(t, tt.expected, m.Substitutions["${{vars.mangled-package-version}}"])
 		})
@@ -92,7 +92,7 @@ func Test_MutateWith(t *testing.T) {
 				Epoch:   tc.epoch,
 			},
 		}
-		sm, err := NewSubstitutionMap(&cfg, "", "", nil)
+		sm, err := NewSubstitutionMap(&cfg, "", "")
 		require.NoError(t, err)
 		got, err := sm.MutateWith(map[string]string{})
 		if err != nil {
@@ -128,7 +128,7 @@ func Test_substitutionNeedPackages(t *testing.T) {
 	pipelineDirs := []string{"pipelines"}
 
 	c := &Compiled{PipelineDirs: pipelineDirs}
-	sm, err := NewSubstitutionMap(&cfg, "", "", nil)
+	sm, err := NewSubstitutionMap(&cfg, "", "")
 	require.NoError(t, err)
 
 	err = c.CompilePipelines(ctx, sm, cfg.Pipeline)
diff --git a/pkg/build/pipelines/cargo/README.md b/pkg/build/pipelines/cargo/README.md
index 3c4c0e516..e2a41203c 100755
--- a/pkg/build/pipelines/cargo/README.md
+++ b/pkg/build/pipelines/cargo/README.md
@@ -16,7 +16,9 @@ Compile an auditable rust binary with Cargo
 | modroot | false | Top directory of the rust package, this is where the target package lives. Before building, the cargo pipeline wil cd into this directory. Defaults to current working directory  | . |
 | opts | false | Options to pass to cargo build. Defaults to release  | --release |
 | output | false | Filename to use when writing the binary. The final install location inside the apk will be in prefix / install-dir / output  |  |
+| output-dir | false | Directory where the binaris will be placed after building. Defaults to target/release  | target/release |
 | prefix | false | Installation prefix. Defaults to usr  | usr |
+| rustflags | false | Rustc flags to be passed to pass to all compiler invocations that Cargo performs. In contrast with cargo rustc, this is useful for passing a flag to all compiler instances. This string is split by whitespace.  |  |
 
 
 <!-- end:pipeline-reference-gen -->
\ No newline at end of file
diff --git a/pkg/cli/build.go b/pkg/cli/build.go
index e6b0cab58..27867fbf3 100644
--- a/pkg/cli/build.go
+++ b/pkg/cli/build.go
@@ -64,7 +64,6 @@ func buildCmd() *cobra.Command {
 	var envFile string
 	var varsFile string
 	var purlNamespace string
-	var buildOption []string
 	var createBuildLog bool
 	var debug bool
 	var debugRunner bool
@@ -172,7 +171,6 @@ func buildCmd() *cobra.Command {
 				build.WithEnvFile(envFile),
 				build.WithVarsFile(varsFile),
 				build.WithNamespace(purlNamespace),
-				build.WithEnabledBuildOptions(buildOption),
 				build.WithCreateBuildLog(createBuildLog),
 				build.WithDebug(debug),
 				build.WithDebugRunner(debugRunner),
@@ -240,7 +238,6 @@ func buildCmd() *cobra.Command {
 	cmd.Flags().StringVar(&purlNamespace, "namespace", "unknown", "namespace to use in package URLs in SBOM (eg wolfi, alpine)")
 	cmd.Flags().StringSliceVar(&archstrs, "arch", nil, "architectures to build for (e.g., x86_64,ppc64le,arm64) -- default is all, unless specified in config")
 	cmd.Flags().StringVar(&libc, "override-host-triplet-libc-substitution-flavor", "gnu", "override the flavor of libc for ${{host.triplet.*}} substitutions (e.g. gnu,musl) -- default is gnu")
-	cmd.Flags().StringSliceVar(&buildOption, "build-option", []string{}, "build options to enable")
 	cmd.Flags().StringVar(&runner, "runner", "", fmt.Sprintf("which runner to use to enable running commands, default is based on your platform. Options are %q", build.GetAllRunners()))
 	cmd.Flags().StringSliceVarP(&extraKeys, "keyring-append", "k", []string{}, "path to extra keys to include in the build environment keyring")
 	cmd.Flags().StringSliceVarP(&extraRepos, "repository-append", "r", []string{}, "path to extra repositories to include in the build environment")
diff --git a/pkg/cli/compile.go b/pkg/cli/compile.go
index 76a9dd780..20d82b713 100644
--- a/pkg/cli/compile.go
+++ b/pkg/cli/compile.go
@@ -52,7 +52,6 @@ func compile() *cobra.Command {
 	var envFile string
 	var varsFile string
 	var purlNamespace string
-	var buildOption []string
 	var logPolicy []string
 	var createBuildLog bool
 	var debug bool
@@ -128,7 +127,6 @@ func compile() *cobra.Command {
 				build.WithEnvFile(envFile),
 				build.WithVarsFile(varsFile),
 				build.WithNamespace(purlNamespace),
-				build.WithEnabledBuildOptions(buildOption),
 				build.WithCreateBuildLog(createBuildLog),
 				build.WithDebug(debug),
 				build.WithDebugRunner(debugRunner),
@@ -192,7 +190,6 @@ func compile() *cobra.Command {
 	cmd.Flags().StringVar(&dependencyLog, "dependency-log", "", "log dependencies to a specified file")
 	cmd.Flags().StringVar(&overlayBinSh, "overlay-binsh", "", "use specified file as /bin/sh overlay in build environment")
 	cmd.Flags().StringVar(&purlNamespace, "namespace", "unknown", "namespace to use in package URLs in SBOM (eg wolfi, alpine)")
-	cmd.Flags().StringSliceVar(&buildOption, "build-option", []string{}, "build options to enable")
 	cmd.Flags().StringSliceVar(&logPolicy, "log-policy", []string{"builtin:stderr"}, "logging policy to use")
 	cmd.Flags().StringVar(&runner, "runner", "", fmt.Sprintf("which runner to use to enable running commands, default is based on your platform. Options are %q", build.GetAllRunners()))
 	cmd.Flags().StringSliceVarP(&extraKeys, "keyring-append", "k", []string{}, "path to extra keys to include in the build environment keyring")
diff --git a/pkg/config/build_option.go b/pkg/config/build_option.go
index dd93ec307..d05e7be4b 100644
--- a/pkg/config/build_option.go
+++ b/pkg/config/build_option.go
@@ -26,14 +26,3 @@ type ListOption struct {
 type ContentsOption struct {
 	Packages ListOption `yaml:"packages,omitempty"`
 }
-
-// EnvironmentOption describes an optional deviation to an apko environment.
-type EnvironmentOption struct {
-	Contents ContentsOption `yaml:"contents,omitempty"`
-}
-
-// BuildOption describes an optional deviation to a package build.
-type BuildOption struct {
-	Vars        map[string]string `yaml:"vars,omitempty"`
-	Environment EnvironmentOption `yaml:"environment,omitempty"`
-}
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 3b556a14e..e8def36e4 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -636,8 +636,6 @@ type Configuration struct {
 	// Optional: A list of transformations to create for the builtin template
 	// variables
 	VarTransforms []VarTransforms `json:"var-transforms,omitempty" yaml:"var-transforms,omitempty"`
-	// Optional: Deviations to the build
-	Options map[string]BuildOption `json:"options,omitempty" yaml:"options,omitempty"`
 
 	// Test section for the main package.
 	Test *Test `json:"test,omitempty" yaml:"test,omitempty"`
diff --git a/pkg/config/schema.json b/pkg/config/schema.json
index 61a9feb40..828b7a153 100644
--- a/pkg/config/schema.json
+++ b/pkg/config/schema.json
@@ -15,25 +15,26 @@
       "additionalProperties": false,
       "type": "object"
     },
-    "BuildOption": {
+    "Capabilities": {
       "properties": {
-        "Vars": {
-          "additionalProperties": {
+        "add": {
+          "items": {
             "type": "string"
           },
-          "type": "object"
+          "type": "array",
+          "description": "Linux process capabilities to add to the pipeline container."
         },
-        "Environment": {
-          "$ref": "#/$defs/EnvironmentOption"
+        "drop": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array",
+          "description": "Linux process capabilities to drop from the pipeline container."
         }
       },
       "additionalProperties": false,
       "type": "object",
-      "required": [
-        "Vars",
-        "Environment"
-      ],
-      "description": "BuildOption describes an optional deviation to a package build."
+      "description": "Capabilities is the configuration for Linux capabilities for the runner."
     },
     "Checks": {
       "properties": {
@@ -58,6 +59,10 @@
           "$ref": "#/$defs/ImageConfiguration",
           "description": "The specification for the packages build environment"
         },
+        "capabilities": {
+          "$ref": "#/$defs/Capabilities",
+          "description": "Optional: Linux capabilities configuration to apply to the melange runner."
+        },
         "pipeline": {
           "items": {
             "$ref": "#/$defs/Pipeline"
@@ -97,13 +102,6 @@
           "type": "array",
           "description": "Optional: A list of transformations to create for the builtin template\nvariables"
         },
-        "options": {
-          "additionalProperties": {
-            "$ref": "#/$defs/BuildOption"
-          },
-          "type": "object",
-          "description": "Optional: Deviations to the build"
-        },
         "test": {
           "$ref": "#/$defs/Test",
           "description": "Test section for the main package."
@@ -115,20 +113,7 @@
         "package",
         "environment"
       ],
-      "description": "The root melange configuration"
-    },
-    "ContentsOption": {
-      "properties": {
-        "Packages": {
-          "$ref": "#/$defs/ListOption"
-        }
-      },
-      "additionalProperties": false,
-      "type": "object",
-      "required": [
-        "Packages"
-      ],
-      "description": "ContentsOption describes an optional deviation to an apko environment's contents block."
+      "description": "Configuration is the root melange configuration."
     },
     "Copyright": {
       "properties": {
@@ -194,24 +179,15 @@
         "replaces-priority": {
           "type": "string",
           "description": "Optional: An integer string compared against other equal package provides used to\ndetermine priority of file replacements"
+        },
+        "install-if": {
+          "type": "string",
+          "description": "Optional: Expression indicating conditions under which to also install this package."
         }
       },
       "additionalProperties": false,
       "type": "object"
     },
-    "EnvironmentOption": {
-      "properties": {
-        "Contents": {
-          "$ref": "#/$defs/ContentsOption"
-        }
-      },
-      "additionalProperties": false,
-      "type": "object",
-      "required": [
-        "Contents"
-      ],
-      "description": "EnvironmentOption describes an optional deviation to an apko environment."
-    },
     "GitHubMonitor": {
       "properties": {
         "identifier": {
@@ -430,7 +406,7 @@
       "properties": {
         "description": {
           "type": "string",
-          "description": "Optional: The human readable description of the input"
+          "description": "Optional: The human-readable description of the input"
         },
         "default": {
           "type": "string",
@@ -444,29 +420,6 @@
       "additionalProperties": false,
       "type": "object"
     },
-    "ListOption": {
-      "properties": {
-        "Add": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "Remove": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "additionalProperties": false,
-      "type": "object",
-      "required": [
-        "Add",
-        "Remove"
-      ],
-      "description": "ListOption describes an optional deviation to a list, for example, a list of packages."
-    },
     "Needs": {
       "properties": {
         "Packages": {
@@ -499,7 +452,7 @@
         },
         "description": {
           "type": "string",
-          "description": "A human readable description of the package"
+          "description": "A human-readable description of the package"
         },
         "url": {
           "type": "string",
@@ -608,6 +561,10 @@
     },
     "Pipeline": {
       "properties": {
+        "if": {
+          "type": "string",
+          "description": "Optional: A condition to evaluate before running the pipeline"
+        },
         "name": {
           "type": "string",
           "description": "Optional: A user defined name for the pipeline"
@@ -632,7 +589,7 @@
             "$ref": "#/$defs/Pipeline"
           },
           "type": "array",
-          "description": "Optional: The list of pipelines to run.\n\nEach pipeline runs in it's own context that is not shared between other\npipelines. To share context between pipelines, nest a pipeline within an\nexisting pipeline. This can be useful when you wish to share common\nconfiguration, such as an alternative `working-directory`."
+          "description": "Optional: The list of pipelines to run.\n\nEach pipeline runs in its own context that is not shared between other\npipelines. To share context between pipelines, nest a pipeline within an\nexisting pipeline. This can be useful when you wish to share common\nconfiguration, such as an alternative `working-directory`."
         },
         "inputs": {
           "additionalProperties": {
@@ -649,10 +606,6 @@
           "type": "string",
           "description": "Optional: Labels to apply to the pipeline"
         },
-        "if": {
-          "type": "string",
-          "description": "Optional: A condition to evaluate before running the pipeline"
-        },
         "assertions": {
           "$ref": "#/$defs/PipelineAssertions",
           "description": "Optional: Assertions to evaluate whether the pipeline was successful"
@@ -733,6 +686,9 @@
         "cpu": {
           "type": "string"
         },
+        "cpumodel": {
+          "type": "string"
+        },
         "memory": {
           "type": "string"
         },
@@ -898,6 +854,10 @@
           "type": "boolean",
           "description": "Indicates that this package should be manually updated, usually taking\ncare over special version numbers"
         },
+        "require-sequential": {
+          "type": "boolean",
+          "description": "Indicates that automated pull requests should be merged in order rather than superseding and closing previous unmerged PRs"
+        },
         "shared": {
           "type": "boolean",
           "description": "Indicate that an update to this package requires an epoch bump of\ndownstream dependencies, e.g. golang, java"
diff --git a/pkg/linter/linter.go b/pkg/linter/linter.go
index f07449847..3e471f85c 100644
--- a/pkg/linter/linter.go
+++ b/pkg/linter/linter.go
@@ -159,7 +159,7 @@ var linterMap = map[string]linter{
 	"empty": {
 		LinterFunc:      emptyLinter,
 		Explain:         "Verify that this package is supposed to be empty; if it is, disable this linter; otherwise check the build",
-		defaultBehavior: Ignore, // TODO: Needs to ignore packages that specify no-provides.
+		defaultBehavior: Warn,
 	},
 	"python/docs": {
 		LinterFunc:      pythonDocsLinter,
diff --git a/pkg/sca/testdata/generated/x86_64/shbang-test-1-r1.apk b/pkg/sca/testdata/generated/x86_64/shbang-test-1-r1.apk
index 76f402ed1ca19b7f146e9e714d6669957f71333d..3a1d937750f6c2f349c5ec81d476903e801aac66 100644
GIT binary patch
literal 5910
zcmYjUcRbV&_&+3@Y-NUI6uycp>qru^w=<HJvt?vnN=WuBdvAxcGIAs%;>zA<c67L}
z73aq1*KfRjzu)_h=k<F2c|Y&x`RDz9gx}MHKny<dAYji5>bv}jd&2XVRsIudvEA&h
zMA<u*WuS%m&f>?PcYZb8W=tp-pXI1YpPtWHA>(NkC#`c$dVHE0jGq!jcOz6WovB#k
zz^L=%ZZ>#m`00)eEBd(S9&>jUHgwoX?$72xcpOm%lOh}q-Z+Pq&0Mb2DXc2L>r6O2
zS0t@P03^s&qjf>fCr$&BE-KYFZ?*e*#)Gc=jf>FQyIFIM$a~iZj&YT*iEYa@iQXvp
z>wX7Zjbj>zEbUU<+75Y54`07G^B%o>|8dEtmj$iVt@wIR9}!v(Z_B%E8wMJWlff~M
zaFXv!{S0XKIC~~UpZGo5)E;EuTwElbuTQ;3#xlT8J#$^GbIcexmze6ugfY{BjCWPc
z^w{rFej6fOO-;=Gf3B7;86<A}_&Iq$x9`rgio@5>-ssnROCR;Iq0z@8&(@U}&+jtM
zhxV{OfV}^5EcrFmZ{qcN{<bDp+C2w4lT<pJ_CHFVU8CT`XUMx4mwV&{6%{)x=QXeZ
z$`tSy2-7(gzJ%L3y8w7jF;4@Mn6htyy!vluB+$+)RCIDN+#+vNzfw%kWH@I6K}Qq7
zm0D+dKV<ej?}xsWqPeoL$0eudEJ&sC!zyHw8~kdIc~?zZ9G1BpFd9hxsLd<&K*suJ
z>ZYD>`K+KSyG*5PUAzUbn?uV9MU+>6+^Of3V&<&usIV4O1e^NL>eq)<{F7v8*MTk!
z_HoI25r=G$335Nn-RI&Rq_J2&pz&~^mu1xP*t_dJyUQwZ@IgV=c0i^8kuUETQEnMx
zJSLN%P;c{FtnKQzQ`wA;8vG^CVXaXWkxOD<GS~0loR?2RTK-6=kn!cdpw!}y2c}=A
zPO}wcZ6?()EitgWLU9w!rn;|XV!e2Lu~qqcIEkc!zC{Ms2Z*}q7nZo@W33!@r|Orn
zN%e&Mf!Xp!#i639+?3`Go9oybMjP<)2nzbd(`z);oL{e(h!|T^J68=}B4Bo74R<c(
z=^9>+5F*yIoSI?Y<@41%=ju}1(~FfdQ%(|u@V%Hl&kYJxH(l4P@`+zDPKHR-=Gj#!
z6~8lop7cC8-A_jL<FE8W4W!cp+%k{vfJ~(^hN`PzcQ9D^JOtX(DI3of+O>$!Wq;Zs
zD0*o{a`~=OyDmKu*>Y;SUf`AF%GQ(Reij)aLa;mZ5|EO3*d8KS%1w{El-;gL-I`lt
z(!7X{bl!)x<j}O{ORR;jrn<b^cvz}$X+if)MbGBWs0B45@&#U!>Bf?qOFOZ!B^*}a
z7Niugz#3?b1YWAefadPDcdEcXfba-)2m78-@-MP0^#PAe&Qnu`4xr7C$wq(i-Ngc=
zhjJ3d@dg*z1Re1iBG#qka7O(6H`c-~5X(h9!&uOVjx+{e<wZO88IiG@h)s<`*&>40
zFCk8^wV9)ZGhUy%tUUj9^)WUPv5J`Or1aQ+`pdw~!Vg>F3}iOftjQ(Er-X_k0$E#`
zwH{5C-r!%QQzv+;xXoyM=em6q`}7UV?-l8ZHL<%>SKO<*;GZKR4-Y46b~zk+dwRl_
z>Y}7OFC*3+8<bvY9@j3i(6KH1nZ3?dqzN8-?CEFu&x*{dN#Om5)Y%>S=bcav>y6s%
zMG;G|TU>xcbN`H*YWjfwoKQ?@L+v*%qF741fS5%4?DqEd%u@8$ZpMJELNl#On~t)h
z9xK??;^gZTdy5j|QW5L4(w)8FNO$WOH*n2uoNls0dnc;*IiZ<jmd1goG`VwCBjvZr
z1*?v4gm!}9?!WsV`8yTLc{ipLGvypfJeEIF<h$B5Ww!w@KWl9G#<dk1fJw%FJSa_N
z>q8!sX<KH$zPDtKA)%J;lf1FBY~d1bJ>!v%$PLSX>FN{qF%<u~5mtvSPB29_TaFSq
z9hjVx!TUh^SJ77@mwNmc(X-#$!(m2+eQ|05jjO*O;yoHWy5`Vp4;!tR4p`(=E&1!;
z-n5aTrxGuLO7YF&_Ly5udUglh-8Ev*{8fTgUUoL+<hdN2<T>ye0`vRt6o1b#y*l&=
z4lATu&dkpw3f)<r>YY7DgFd)_cLZ^PK*Im$3-*p)%a6i@b+gOv!RuRd3iB@Ux^ZF#
zy@Nx}i_A;jyXqePo`9R{`{4a@q_qO7U3>IpA0uvUr_O34v=gT_E&}dxof)4<NhYYD
z_RG=c>$8{3#cl1|o?QPlt3ln$OZB<ElSlsjLV-=%38JFSst)QN_3Few76aCr0AtSf
zby&Z-alIyAj=A!?cCpen?}4tzloE2Ov|NLh{<k3~G0u&v?25*@bOJTJ>O$$BP%Z8F
zJ^L(8?3$Dy``xl8uh0<X!*CtoB1bz52mf#(Cs#Jk_=uIYjN?|Bty=tsC<46EP>P%J
zvn_>h#YyOt(7))_FfU<^Zu;osg6cads=W}^yc5&8?aO0@E`qd}BJ1XRxfF2~S)=*)
zWD*du0yImtG2&Cksc%zpJMCUIrIinCz~<1`U4h~&Lc`Ca7l2m=y+(lCuRTYz8}u<H
z^IN>j0Ndbj0BN+;lhk2se*2Mse9tM&&PyqH9?vM)z50S=6)1Ul4(~g3)F~}{$CJ&>
za`ndyw|<Mc%R*PFsD1E_foxa(mKCv@U-up{f2YuS9g(-;$m|xlfu*<*5XTM_MOKzk
z#O4u~AIxwr%U3hGJn$P6avEFZ4;uzp*tnZfX>PsxfqP+S0_ws1OA=)M+!yxab(ah*
z-RbGzTlxn!uS=7-t2MQCc+%}%7DUfD#P)6|9K!u1Fql(E?a>8P?TB;=pp^i4F+PQB
zjgVMB3B)MILC@%+X9qh%fEuK>^1}i9-&KxJ;kp?vLIB%6iVVk>^k<$(X71-*TcwbI
zhhvil7E>&`mO-}`N~t>I_?+1K_uzehCy*U&&<iM0561tRAPyL5lP&+CrOomM&cy!e
z?{}s7Phv7$d;0Ew5krw)wzZYdOJ(`fYo*&=uTQ;dM>xlOj|aJGao;Yyo){3D`VJrl
zQaznJb%g!y&={jw7)-t-37eAK&0cK*1Ps+YMzTwDDkOn4+!sl3F7_k|Pk(_h!sa9E
zfeecREI?NPs619mOKeV1)Nd{p)31ef&MR85B*ZeL;rNW>B+i(`_IQ;i;7t-3M^c=;
zFmU4?1`r-40|*K#!Lv<dJji#1ZTtX-BAj9zqj9KYmyuFfUgf(cX&A@!Kf!6P)wPJc
zN(ugi+e_JX{s3I~9H7dJ5GEAWYbfFYZrx1+#`p*Yu~j{uJfF9&Ql;u;eY`sw*d38R
z3z3^lvMityqPp2{wx;XH2lA`7$k}!efC!=|rEDRZ+sSE3vL{lh6?^o<)pm09Tdz#H
zejJMgWYh!{`XsqZeV91C`Qt)>Ogl2!DsVp&H)zRjS2RB9`_n(vRaHhO;o$*|^jW`G
zwoi(y6hB()1YNxOv1&|2|2V+cl%hIb;N!k$<uf!<B1_(z#VBOuRkHl5p+;t&o^^wr
z<7$JAieVt$=kU)b##hm%%00z)$F~fm=JKD7ALr!_8feMD^rRT|Ox*<xC+`PcENho`
z@RtjRT|6b}wX0qp@)6K$gBXr6$L&mu6LrJuQ|L5<9hyRE`-C&#uads$oZk%UTHubs
z&jlw4nwxeRIM>smrrtn)o4}bt#*eM!@8<ennw^Cex;C=&3N+57Vc)bVhI2M_7N)>f
zJ^4~sTz)9}U3{OcAt=^}XH8GE*S~73m}&83Wj*ZT9lU3!rsBvH(UVYr?XssQ?zFF}
zp|Q=TTcLd@g!##p+a^g#(f<FoWp+PTUst2=yL8241w$sVv2xbfq_%mwSv9K8imp9E
zI250n-E1M%lcsnzbsD{7IU@3F-DTgbWtgkAaKGL+CyO_TovT_DwO6rukZEe}fA9Yv
z_yg;Zl&EdEj4z33zTNN*E=^-h$lyPGdE~U61pg4$IG9=uH@PfwpHij((kW73*zmp0
zLOF5QP5<PZ5fDJ~9Rq#RDRKZckiQ)!Js~{XUfg3#p*HReJI;XXra$aCJPOw-qC{1}
z4<Xrzs1v%ZI!Im5q3_aI-TMueLt&XYH;h5Lc&ME$&A&_?U(f&cD1+qV#Vy(g-_e`H
zGQI|s%W5Zd87V31k#FUDbv*v^Ga!$1ZAG@eHjK{fk9I@g%|{1V&aCD$8R3-#lzFJ<
zkz375pZSqL@zY1u`xKcL7w~h+pTSZ77KlV%RvmaVPR4h<*O7WH!*NwF-6&sNceRK_
z<N!HuZ7CcTIT)tLw9j0_P3#2t{eLjiZK+#%?&}aeeC7XaeZ@<j6#hI3PEWNH_PP0O
zX)6jFoZdqNvR*Yz=LfwS3Qlh#_BfUX?zJ&J^?DJu_bpENLs)pdz0twC@RDJABS-98
zx{>`m{|bB_Cgv2~(8cwxmrcp3h3)a{2zRLl(e|9j5THjd8kS<qSMb!JsB@e2rtq%%
z!dpWxRjiCIF7AN(@``RSbe_@k2p3SM4t-SvJ{|o_v$rZh_kS3cT+bRt;usce`x{Lz
z<SV?WHpN=4%K}ggNSsqqxoftV8Wj@9TQs^4G(vT83?(5uudUjL{4!)8xOg%_%83hF
zqH~gw@srM(>V{G@+%$8$U0)9cAY)+R;*+sVL&1qzD~T3t(3>N*54a*hx&h$E{xN@9
zRmA)3l%Idn3&^*<rjDGtfSlIv6V5-*pDI~tQq}YlX`%42u&Ag<FDYkla&Zi$rs;Z3
zeAjO7NPsG;uMIjS-ZDNS@x`$iAHCtrnI*f`uwP~o7=pIK4yH~2d4wx&YfLDWmb?#*
zYPIm4y61&o=yTeljjC+od2Jf+881KC@aVRLeb_%Dc@?Lxd>+nUuHf?>D&7j~rPFg-
zE9Q&lKp;A=*KW4eavo$Zde@i8KZJTSwC{Tnst*>5r+GR`=`;6=9fqUu?i6C5*7PHl
z<CmiPA0w$!+uUOvt6oG3xXdkJ=a$~&3*L!PyovEFfM|u?{s)=@V01Z}D435Uli25E
z@sUOTfw^72L@bH=m<|7GuM1m~Z{Pbc^2^H!w3pE61vdyuNnICcvyp(mRL~c$INduR
zesQ8QP1khcoMFSL8N8yT5*2H;`ym-iGIdqJ<vc%ZKTfG3)#MlDDd(R$KBSD<Zvm+j
zsDaK;pvo3XQ8cS39rS*vld_J7+CX4(6yzp6Kw1AP1hk+~hsw@yESxYMqSI*q{u`c}
z0e4l_7k(nwj-Omj2{>vSMrIDqIc%O;nHTN~)7y+Dx8#r<v0LG4;3<7dm|?G|%P!_e
zSZW@e8B(dFkVahb`~0DxQ3MQMP^B<{)}BivTCk!%dnS~k-D5`1&hs<Pe~5O|>-nnu
zbKqS97H(xHH|1Y^`uPHw%a6cPfj{iultce3)!<AvG9!4*7eK&*{b&y$^D~VEz-^h9
z;l7_(F{GZvkp&b99SNL)yVL=E15q>H%qU`&|0reXfI<deO+SMiouLGGh!}CRRxU~D
zk(spXiwLQN<ahR0J-S3|q%FOZdIWfmu>k(fUtj$jTs{K^nJ@5g6LS+R8erQb0PaQH
z*`%P-FrOhYuc446m9Ox3$mKiA!Jn~s)TpspC<(H5j@KwxLDs7vE~WWA&aM8fpd>gL
z>}_UcR}Mv%ep~iWL~cI)19_T($CDfFHy{87=hq8dd~f+;3O!v;)R|AjUkix`j#%eD
zM}PdfiUMS{D3miAIM98)yNg9|YTDHz%}!V0$<km~iEUR5mpxLz=5Ej%6o8L<31I%F
zIn){IJx2;a#|?O#=X7$XG;w3p4z2(Tb>|0HL#O7=NOS+Ka;I`jZ(cDCQIp^UGagoM
z7w1=zRkEwb%?EkE!vbeU6o~v^jYPSX4b;dn;IswYB3pg>U%DBtCADbVU`GOK0tH0<
zz`#SqwL1c5kR=EAl38z<fV~%*9(q+HytT&sQtSAaUnC;2BSS#+#|StEjteF`{yK#7
z9RgQ_sWi6TRKK`I%<WtQ_@Vxa|Gqa75cU1M7(Rh#pGFctQ5v5|kTKDXfELH=ktRFc
zsoS)$_;L!eRAgql*;~2t9gF>)l0m^?dKFeTfJTX+jskL1fZXq!fZqoEH?eVFN+jpu
z?qjhN(mCP5??H{XoXg*J=D&xu0X~OtW5+jc63u5sAc6YtO?J+GuRXRDtk+-~OP5@%
zEP>VDl6o8`8*Hcl^ND?%!HD1hy-KVd36sOthrb|)7+@A82+`GPM$|_nI6VO_P07Hc
zc&#q&`Q9q7?ox0Jxdf&^_l+iAbbw5v%(d6mBmRWq|FAhtP+YlT8uLYUX=)n)?=(f_
zLQW;RpjKEs_!Q{abxbq=h=cE3$mv)x5paWiI-iYN;U|r7gP%7L0L=_sNvx;oUWZ?B
zvw6q|J4kWvz8Em&V!weyvA!hd>{`d}^6`1bdgv--+KYGR`h4oD;iH#U9x5%-EWpCW
z3W1;wAY6gK9B<;8FiE^<%<iVhXi6SpQE^A4GuX`gOL80z-jAAJ#f;R=w8vaV%9RA&
zviq}9dxbXW)|!DA*!jp}J3fy{pGWkb*Kq3kB)0>c6^VP2&H&>mz_+-`?zld1rtc?;
z;%dUvNr|flkS!@@YqBSe38V|OF#<3q%Bfi1N4^dVo9p|5qHt?(UqI-|?k$w*?c!2v
z=0VeGKPCOf)diCS^}F2|U`DsA?-+P94tN`AwX<62v@+|1o1|@&GF=Bu?dGD>cSemB
z(k6}plL_GX4@4vbe-p6!O1kjX&Abk$cuJz-k@$EKF3W7*-nLfb4<5eueLnu{B+_8Z
zd#ojsTq;?;))~pGD9e4!Sw5~wJ%De+Y)#}!>D}o3JjMD?!skB6qm^QLu~b=`+rjkR
z&tYyRnF+{G(z$o8OlVlg{AP}M%WK-B$;a&$gKsUTEor)TsqJb>vge57@RwuO)xI`P
zbB!yE*nyy}@WwXfLiS&EBgb=jl7S9avLm{Gz_wf$!^T^hh1c&ma8*rc%Ib2ghZp#9
zk3iSat%MPFG<u-a8Yb-6&#)&EYDBtkK5Rm>a61_$051I)@G<d;6#X2O-|(r9Yxj#=
zu3;yxS_*+yrY`!50^DLWxRESzgTY*<ZwY0tM4P@e!7!fHtI5f$*-KVFK68`oVO_Lg
z-tIbo!o9xw6w#_dafu3fSEZ5*3QlGy=KF8!%m03ycd=!Qvz`sQYo)d^D&aMHzi2QB
z#R49!^<_e5R@NX>ojw-LeU!*Fk0@yx4+-`Naz}C6{qdv<n79<|DShH4N&h(reY2%r
zKBGvDm#iP<w}A0bgehH9WW&FmVZ8>uZljG#06TvHR?Jmi-We)Mf$=tVm!-Cv(lcHU
z_K%O`N0;$6(yjA&xP|&q@?KQ&zIVq?j2Afc7{4s3dx&d&GwZJ;+kh?}st9O_RPZo@
zr&s^d=31OtFwlZdWePPk_$b;g`rI9`Eg3jeUJ2{ehW<iU*;v2~c%NDC?%FOsIJNz0
z$@0zLbv)I3NjrAGx(ilQTdJbK;av`uMy5St5xc{w?>Y;+V1_pQ$^S?`YlpXV$Y7$;
z8%{>kL2?MChJdkmLOIyc;fkD{p8fWqfJVlMV7Zn}*<TUE-RX_lsXvoz9h}{Zm4`H*
z^*v+Bc-p)b*zykX)8b0N?G|TSYrBuAra+j#)BbcvNZ`!I*NIU>N1|J#&b)O`#8yz@
d<wU=0ef|B1v|j-l5D55NynlW|fTls9{{SN@6%_yg

literal 4522
zcmYj!X*|^b*ZxTOB1=Um%a`m~OUgP$VzMvUWhap$OSbt~B3qUrM3#igHg;)Zl09pS
zEn5tYeHvpdGh^O&zyJS!-S>SxI8V;&EY~>?&UHjm{(-?*{S#r}M~0~{PKmqc(Zn0>
z&1tXY{sy5xKDivPcDb7NFQO`1-pR8dSP}530BIkTa5!5NVJBhXoR)Yw*OkHXIY6D}
zWrCHIX<mgnsxMmz;dK=*W_G4_A^OIfSWh0E_>}Ihxspp!fZw5aK}qyK5^6jA1A*;$
zM)K-ew~fi(#cLmbzZzf77q>_}J%_?y=1bx`(e4vA99kZ3jf&sCZ_n4GY3aA?^t}!J
zMxN<W8EveMsD)O$gi{I%$ft~Cuv<=UttZ*pXElEO?N!JA?3I?(atlyuN{3h?gsb=K
zh2}JQr=_@XrLBmCwqb?o=d$J(Io!kR$9yiC_sHG!Q#LX!y9Hx2w9ifc?a3)!&eL$p
z-dgQm_sirV9>p{DvKK}FZ9P+>5-;6ZYO%RF2xZT+zzz_qzOdskn8^Q(aMQ`zPp~gc
z1XZdx*m9#)x%8(`u=Y&S`0BP77*SyCEtRqBvxjVx?xjd7Xkj!WS|{eVT|-U9gx&|2
zG$r2q$6&0~fSTR0Qllt8)-mv~K=rzL|22_WP1gGy{nySm-o<?YO`WsDf}u8=SyF{*
zYF<d#;oJ~%VQ4#&6tyt2J!GQ6))~kAgj>vb!=l~rRdt9D-}C}X?7RR^)3BJZ;7{{Z
zU6^YkT169kroAOhnz66zS&7h_z=qXA&DZX+Aw1S{qo&>*LU9|;@s(phn(S=X>w7y^
z=+sS5+s<cR+&vQC{CYMdCVexSx_|XwF;3HA{T&%ocK!HuS9z!YxMP!$?1ne%2Xk9n
zWLs0<_UszFC&pyc&>UmeVdj+aTVi0m-ksYatKRRdY>QHekjI4_$+fdq8Ly@<-q?u=
z3Oj~l@&~%AhYUy9>_(_eM~LU9TNWHghs3q5f4w>5&<nBalP!3jPF0QLEHKRjNYh`E
z^`rx|m~_ekc91CII`CB@r9UB!V^wVYn>>eus>S709vf9Zz51XTtqfTcm!VHvP`@O6
z>cI5tqrG$wrsM;7@&Oq7u0<C4H$+SNM|<o!=HX*o+@BlzrW!&M=tR)))UX@-(yK#%
zcQYJMEN)0Tz+#9CKVC6qURY~z<sOgc*U?Kr8C$*8<#lDhpwQxnc$}oXck0CfTr*2#
z^AIhI-*mR|(CY>#d!TuyM5ryJjqClXCmi~=`}_|3dsFK42&9#%@|;w7NIQ;*tsYEH
z1Q<bZTi~=^bFf~Ftcnw5Ohg0aDQfvWQ}n`Fu?Beov&V_bd)%}1r+zze?clcA2>mi5
zOOGaEPJ4p`RzC=-^f0evOBcmbh$b?Bx5Rr=1EMRgec%U#or47np6}m+Zs%sW_2*ao
z%!xN<{Q1vG1HZXoUfnD?WgUL}NgYW#yo3cdGXlO@>>m@NPF_av5}_N!;!p;4`se}+
zHwYZy_}O83>I!4Tj+e{e0lYd1Ix$qo@))4+8l-~I2pYkqr<+am>{t2m*fcTU{FPIa
zKZ2wMB)e<fuN^mD<m;VM+<gfi8YAltxLmdAhN#B?j@kzf6rk>-600(KB)Xt7GYU?P
zLJ(UK&_RrQAOegAQO0wDo?UtwV{c2Y^Sa0JC+G-Ho}xos2SBud2E)Pio?CR3;6zqQ
z&Wk{Q2|)PewOmOl$?!FqKYG_J2OH;h19BioH@JEj^WzhOEX53_F;8JI>bFQW%DhL;
zNF7Z^GBl4q6^mr{kb!rxN=|Y$?mn^LsoN+C{QfSeNL8wVXXy9(g*uwxk$y(Gk6O6w
z6~jXD_iDxEw<i<^v+UIJ%K}^TW@`=w3;QkRi>On@oj)&`lEMcDYn17l!%qI_Eya%_
z8q}7z-WW>Gi&?n~N~Y;Cax3Jcb!vT=73RFs<!DlM2QoZ5%kE1)pVir-@~Y<vmiHbb
zBWjwwRwbO|^{?A)H#2%ft^b%#aoI6`7&p<SAYv4qbdGAVV%(t8r#->D79cx17|HKJ
zWgzIoBA?S4KXS}VfH4nv>+uz8+pq`Mc(%g#ywxtk?qWJ+S%ewJ^Ibr&CPXl1d_2K>
zy6VSDZ<X=pp-b@iovx}{JT75honcq$zK76D_4eJRrAo(~L3=`LY3z9U^Gj8ntcc+h
zw^Ow*?fi~w+jUyUMURi$U;1OWR^>DyFQBod!BFuwC$CrXllXz-7p<n^U14SyHUl}r
zDE3gF%lutfMzg!W{-1!~_`t(+)#pcqM|ViO&-kvHqCXPMX-=}mn17NB-bMPK;~|vq
zys;DRsj))#B5jYTmQmK%{u?d?9Gvs$8?ZvtA68H%c4v5DmDq^$MMnPCXgYaFV^_(b
ziC_aWD56r?U{BKoSq2`d%)Jn#b=HU@P<VRTv1sbEps;UPd8df|*2+nGTR7SIN{)@m
ztt(}O+vrh91eT#m3}lK1L4!}zB5S&w+qHqQJ%PNo@TQw~6<JD|2zpWYrE8!@SAV`N
zlAvVYuARQtx$*OXMc}Rp`R7gYmPor<6czVwy*spuFrNg!9py^_gLB8cP!8L#&P%DT
ztdTp^KngEqokZfRvcW@U6|YNu34Q6-3;9?}=3jeX#S#7*2vlS!rOy*4c_$1%mYGUp
zu|bKq*|zT?$?II+=yoDB?z{DDoxFy<YQRpJnE^pk2s&zl+#YJNHREf}@P85WHLhcS
zeduVlc8~eAsd3aIe?+SaCQ}^!ZU5yt#7;0J4LXllrFOjrMdAxyJH<;YACbaF)x##5
z<W>5M2S!1pH4OC`SJrZ4_F^}Eq@d250VWIkr6D4Tz#lDkPUmt8)1T|6JH7}z{qfH-
zAJQ(Yg+$5t0tvwWY;k2h!Mfu}46EX)Xn*m)t8icZwMj5m(B2!XO5ZjmvHtVF*bM&E
z*GS?#eEE4)nIio<vJ~eocPN`hWy&a&qVgD$>c_KEJFXNLz8Ovj2PWU_)OO`nPv(s3
zRW}YKM{+K4guGM~ZW~!WpDOIN%X(8SkN^Gf@5?5?4-Ov(!Cx19?c&z_I+P2w2<K7>
zi;hR2Ks-{y>M5Dia8&8=NqLyYgSuV)&2Ugqei%kL<3H?;(ps$+iJtxV!!jl1Q9RzX
zu>En<zcQZXC+tShEF6>WcI9T<LQE@fg?n66<<0hJc~Ab@xV&s%BxaT^?hGp~IH&o~
zl7&p~<uNtuK69b$!eF@lgAgCVkaR~$*JUQ8Wc}ILK!dY+7aN>wZW>kXx?O{Ee6OGQ
zqHLFPeVQD}mEHBJQ<>S*!Z}!XR=g@$YSt)N&nAF>iClXeY*ka=uT4ki7#K3I_^Vm-
z#54%06m%27<!B+?Nw3%KNX_TvkwV8=2;PG5Q3^%8e*`-^+Qp)#v2x&N(y>5;I45c%
zN=5^<Z=s?mLCrh4sGJqkxa#(R$js(Wj}gU(;Ezy7p@>!%iAzzrSm_1n5;@8a`we|G
z@(m&Ljs)&H=LioK0*^Fg(&6zU_@%;fZV!AYiG+Xrta<Hkyuf!mY&R;@2^v~<9y)AG
zf76J}mV~#*(;hUct_^b(4_j;lHCxhdT~U_e&~NEMd_ON&M@|-8yP%vF&d^^GMkl|d
z?fCsIBJ)ycdyy+}2d!OHuBp9;p~Jm)9HEko^2V8d;PaPDcpj1r>`ds7MGZm5N}MAm
zfX2Ilvut}0HD=%U&hQPLr$daetJ%qew2oixLSL|h6B0%%OI8n#PJds}RSTQ1b@rZw
zGc|0;_>T$Pfkor(kXQ<ok%iyqZGEBXJJPWOP+7&UoT1EKqo<dbuWGw^5=ro(Wv(ti
zEy1?!6Ugoz{s=C|qD;(knA&NXxpH&QSkU}p+<{A~F0^ii0-=Aih$3nZKEjuCd;PH>
z<yi3TNZ^@^1!4uLavemE!si4JOoh0bWB_mV`P&mJrPJz1SLIG_fc;OD{~S7(1t=?<
zMuB+mxg7!N2>>S<xelPs$Js9lyI<<?j?|&$3JgZQ{(JN1fpN?S$t9rB2eG&<OS1(!
z3b=Xne<%};&r7?9X-Tr;J8x(ntamjnAVl#0Yl$cjTy>zh2MG<((WY=q+x5yjc|`sK
zq89G-61HI=80s(R-J@b<%_2e6Bo_EfD>S@v&o}sLHT~SPtH~+$#IVjq>r6kjWDhZ2
zzBKn#A$?Uk*YGk6m5vertIr&W#qp4yEs@`W*#4i4U&6Ne!oE)-K`7I@K{s$p1DqE<
zZ6s@xGHc)U{}2^Rv~4gJ%;i_Ok@&t=K7|P81;Br@%>d7;gY@nLhzAF0(`@2-)9ZN`
zG_*zOzA`P;V~v~0puxXxIswxTFz2iKb@DxRm#=chHaszMP?k&L&-a}fyC}FRru#T8
zU{7%R0IrfH;s;vgi+~|25xh<WrX&_vz7kGZ6&KN)L&P=<PcmY8dPMi`k?B#$r!F~K
z*Jw7u%HY8y9=HnV`q|c2pErzGuh50`Zr6K>xfP`OoMK#)<e`Gi_#-I6Z-;Rk<fj9J
zGek&*2yX_yt?bgC2<<U8EjY3xkD_Eoe5*uKRwdovf~x*XskxFi#AYN7U1`=0=F&h#
z4DYb0Y*V6`A?p6w{92iY<dZ>b9Z;pe*s$uWhbP=O`2&d{#t(+wq7&4A(v169P-#4W
zn-eDi3u5s$xbxv!Ya~48H6^~M!t!C<wORJfwFrhv+S{})mbxv{$d<_Gmq%4>7S|U$
zHJ|b96}NyQ`UMl02VPvfGZcW?MI$Q3cj19YHl-ipkL+b6zbX~OPSiqWt7fZ^4Y^q8
zWD&gW;nL7R;P=JAxM-h{Xku~gzjmo0B!Y&wO<3c9vYOyCz-HxG{a*c|qemrkf~?q$
zi$RIq2M>n&Acq+c^&*n_$J^lBTYzRWss)~lqPi)B%xZAwU4(gO3LCol_4{b{%*nge
zeD+fvPkhTB_M~jYOW#EuvpXN6QGt=u|2*3_HB0#HDOi!kbv$kX$TUc91N}e%2|RtC
z;9cIBkk&~?>#(vOrJDg>JVQuK#2AD>O8<YaO;UBq3vCsZzkH0%<LRNgVA>p74=_W>
z##^Y}Q}bP!Ed6B4S1-R~+;~KFzVVdZjfTbGpy_PmnU<hIbDrv|<3E#qb*n2|DsH94
z$S3~WjmiU;M@ZP6J-B$5hzCv4@GbtdG%Q=g&W#3-B?22x9=0C#K`EsB+Kqr(>V{^3
zq11@{9nD8Oo41JkTH83uSNZ`P7BUOhKM1NQ(d_plwm#;e9IZdFY-RkKVy8(ga3nus
zvX>Z@;PlKjI&Nqtd)<fW)+6qb>j#G;=}YxI54dmkw0+K1{}!(kAo0)HNAZ$AF4&uF
zqZ-Q>eFQy^#p@6qZM!=5!{02meRdOyK-N6d#oM|Lw5Am5+;J_xqFHcoQf*5wVEt@%
zgPdi@6=|DHB=smLH@%3sBqoPg**@eg{N(=~-C5jYe5$!_Zt-njz=ixOtGk2Qadi`i
zi^oH(>Lc(LuHMdH?;H6!e6C!o%;$WyC9Uv-w<mySvh$2NkI@NBR3o|Y-%O$KGt+)K
zMf4nu>BH@b35Jkqy}eX#%e@O9SGKn~q6{~hRSBXpX~S`wx^$zXp6arV%LYxqaJ`g`
z!jWG~H*bXNzqogXalyZ-kW-hq*%r^vXHw*Brykmp=dF2tlbI6}>78S(ny%5wi#_Rr
z4{{0paAP4hcC0E)d+UBrTcqNLRp*_!3v{n{=9uw&k3FQSL&og6*8C{E4QDLrif_J%
z`YN+V&0aN~HI6TPu48^8$xvr$#^YpP*_kIBO?fNvJ-K`)g^pT{4?`Az43K)<9c~3F
zXso{U-mtjO*{X2+=UfURf`+rYtoUoJb`&i@sjS_Tx$oIN{xzgZNHtk2?aCC|hVzeA
x->2jtEc4H0^Euz(+U@6z4-z91lsmk+xw)s#9k9Y+FaQ`~4)g0VurV0yzW^<COD_Nb


From 6144d4f055526e7ddf162e32b60f23972cfb9ff7 Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Fri, 31 Jan 2025 15:40:58 -0500
Subject: [PATCH 2/3] remove libc flavor flag, disable empty linter

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 docs/md/melange_build.md                      |  85 +++++++++---------
 docs/md/melange_lint.md                       |   2 +-
 pkg/build/build.go                            |  10 ---
 pkg/build/options.go                          |   8 --
 pkg/cli/build.go                              |   3 -
 pkg/config/schema.json                        |   4 -
 pkg/linter/linter.go                          |   2 +-
 .../generated/x86_64/shbang-test-1-r1.apk     | Bin 5910 -> 5909 bytes
 8 files changed, 44 insertions(+), 70 deletions(-)

diff --git a/docs/md/melange_build.md b/docs/md/melange_build.md
index 09dbea6ba..ad6a4bddd 100644
--- a/docs/md/melange_build.md
+++ b/docs/md/melange_build.md
@@ -28,49 +28,48 @@ melange build [flags]
 ### Options
 
 ```
-      --apk-cache-dir string                                    directory used for cached apk packages (default is system-defined cache directory)
-      --arch strings                                            architectures to build for (e.g., x86_64,ppc64le,arm64) -- default is all, unless specified in config
-      --build-date string                                       date used for the timestamps of the files inside the image
-      --cache-dir string                                        directory used for cached inputs (default "./melange-cache/")
-      --cache-source string                                     directory or bucket used for preloading the cache
-      --cleanup                                                 when enabled, the temp dir used for the guest will be cleaned up after completion (default true)
-      --cpu string                                              default CPU resources to use for builds
-      --cpumodel string                                         default memory resources to use for builds
-      --create-build-log                                        creates a package.log file containing a list of packages that were built by the command
-      --debug                                                   enables debug logging of build pipelines
-      --debug-runner                                            when enabled, the builder pod will persist after the build succeeds or fails
-      --dependency-log string                                   log dependencies to a specified file
-      --disk string                                             disk size to use for builds
-      --empty-workspace                                         whether the build workspace should be empty
-      --env-file string                                         file to use for preloaded environment variables
-      --generate-index                                          whether to generate APKINDEX.tar.gz (default true)
-      --git-commit string                                       commit hash of the git repository containing the build config file (defaults to detecting HEAD)
-      --git-repo-url string                                     URL of the git repository containing the build config file (defaults to detecting from configured git remotes)
-      --guest-dir string                                        directory used for the build environment guest
-  -h, --help                                                    help for build
-      --ignore-signatures                                       ignore repository signature verification
-  -i, --interactive                                             when enabled, attaches stdin with a tty to the pod on failure
-  -k, --keyring-append strings                                  path to extra keys to include in the build environment keyring
-      --license string                                          license to use for the build config file itself (default "NOASSERTION")
-      --lint-require strings                                    linters that must pass (default [dev,infodir,tempdir,varempty])
-      --lint-warn strings                                       linters that will generate warnings (default [empty,object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
-      --memory string                                           default memory resources to use for builds
-      --namespace string                                        namespace to use in package URLs in SBOM (eg wolfi, alpine) (default "unknown")
-      --out-dir string                                          directory where packages will be output (default "./packages/")
-      --overlay-binsh string                                    use specified file as /bin/sh overlay in build environment
-      --override-host-triplet-libc-substitution-flavor string   override the flavor of libc for ${{host.triplet.*}} substitutions (e.g. gnu,musl) -- default is gnu (default "gnu")
-      --package-append strings                                  extra packages to install for each of the build environments
-      --pipeline-dir string                                     directory used to extend defined built-in pipelines
-  -r, --repository-append strings                               path to extra repositories to include in the build environment
-      --rm                                                      clean up intermediate artifacts (e.g. container images, temp dirs) (default true)
-      --runner string                                           which runner to use to enable running commands, default is based on your platform. Options are ["bubblewrap" "docker" "qemu"]
-      --signing-key string                                      key to use for signing
-      --source-dir string                                       directory used for included sources
-      --strip-origin-name                                       whether origin names should be stripped (for bootstrap)
-      --timeout duration                                        default timeout for builds
-      --trace string                                            where to write trace output
-      --vars-file string                                        file to use for preloaded build configuration variables
-      --workspace-dir string                                    directory used for the workspace at /home/build
+      --apk-cache-dir string        directory used for cached apk packages (default is system-defined cache directory)
+      --arch strings                architectures to build for (e.g., x86_64,ppc64le,arm64) -- default is all, unless specified in config
+      --build-date string           date used for the timestamps of the files inside the image
+      --cache-dir string            directory used for cached inputs (default "./melange-cache/")
+      --cache-source string         directory or bucket used for preloading the cache
+      --cleanup                     when enabled, the temp dir used for the guest will be cleaned up after completion (default true)
+      --cpu string                  default CPU resources to use for builds
+      --cpumodel string             default memory resources to use for builds
+      --create-build-log            creates a package.log file containing a list of packages that were built by the command
+      --debug                       enables debug logging of build pipelines
+      --debug-runner                when enabled, the builder pod will persist after the build succeeds or fails
+      --dependency-log string       log dependencies to a specified file
+      --disk string                 disk size to use for builds
+      --empty-workspace             whether the build workspace should be empty
+      --env-file string             file to use for preloaded environment variables
+      --generate-index              whether to generate APKINDEX.tar.gz (default true)
+      --git-commit string           commit hash of the git repository containing the build config file (defaults to detecting HEAD)
+      --git-repo-url string         URL of the git repository containing the build config file (defaults to detecting from configured git remotes)
+      --guest-dir string            directory used for the build environment guest
+  -h, --help                        help for build
+      --ignore-signatures           ignore repository signature verification
+  -i, --interactive                 when enabled, attaches stdin with a tty to the pod on failure
+  -k, --keyring-append strings      path to extra keys to include in the build environment keyring
+      --license string              license to use for the build config file itself (default "NOASSERTION")
+      --lint-require strings        linters that must pass (default [dev,infodir,tempdir,varempty])
+      --lint-warn strings           linters that will generate warnings (default [object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
+      --memory string               default memory resources to use for builds
+      --namespace string            namespace to use in package URLs in SBOM (eg wolfi, alpine) (default "unknown")
+      --out-dir string              directory where packages will be output (default "./packages/")
+      --overlay-binsh string        use specified file as /bin/sh overlay in build environment
+      --package-append strings      extra packages to install for each of the build environments
+      --pipeline-dir string         directory used to extend defined built-in pipelines
+  -r, --repository-append strings   path to extra repositories to include in the build environment
+      --rm                          clean up intermediate artifacts (e.g. container images, temp dirs) (default true)
+      --runner string               which runner to use to enable running commands, default is based on your platform. Options are ["bubblewrap" "docker" "qemu"]
+      --signing-key string          key to use for signing
+      --source-dir string           directory used for included sources
+      --strip-origin-name           whether origin names should be stripped (for bootstrap)
+      --timeout duration            default timeout for builds
+      --trace string                where to write trace output
+      --vars-file string            file to use for preloaded build configuration variables
+      --workspace-dir string        directory used for the workspace at /home/build
 ```
 
 ### Options inherited from parent commands
diff --git a/docs/md/melange_lint.md b/docs/md/melange_lint.md
index 371c46ffb..8ab0659ec 100644
--- a/docs/md/melange_lint.md
+++ b/docs/md/melange_lint.md
@@ -30,7 +30,7 @@ melange lint [flags]
 ```
   -h, --help                   help for lint
       --lint-require strings   linters that must pass (default [dev,infodir,tempdir,varempty])
-      --lint-warn strings      linters that will generate warnings (default [empty,object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
+      --lint-warn strings      linters that will generate warnings (default [object,opt,pkgconf,python/docs,python/multiple,python/test,setuidgid,srv,strip,usrlocal,usrmerge,worldwrite])
 ```
 
 ### Options inherited from parent commands
diff --git a/pkg/build/build.go b/pkg/build/build.go
index 49629d69e..f1eb2cd22 100644
--- a/pkg/build/build.go
+++ b/pkg/build/build.go
@@ -113,7 +113,6 @@ type Build struct {
 	EmptyWorkspace        bool
 	OutDir                string
 	Arch                  apko_types.Architecture
-	Libc                  string
 	ExtraKeys             []string
 	ExtraRepos            []string
 	ExtraPackages         []string
@@ -1090,15 +1089,6 @@ func (b *Build) summarize(ctx context.Context) {
 	b.SummarizePaths(ctx)
 }
 
-// buildFlavor determines if a build context uses glibc or musl, it returns
-// "gnu" for GNU systems, and "musl" for musl systems.
-func (b *Build) buildFlavor() string {
-	if b.Libc == "" {
-		return "gnu"
-	}
-	return b.Libc
-}
-
 func (b *Build) buildWorkspaceConfig(ctx context.Context) *container.Config {
 	log := clog.FromContext(ctx)
 	if b.isBuildLess() {
diff --git a/pkg/build/options.go b/pkg/build/options.go
index b2fdfde5f..092c43be5 100644
--- a/pkg/build/options.go
+++ b/pkg/build/options.go
@@ -386,14 +386,6 @@ func WithAuth(domain, user, pass string) Option {
 	}
 }
 
-// WithLibcFlavorOverride sets the libc flavor for the build.
-func WithLibcFlavorOverride(libc string) Option {
-	return func(b *Build) error {
-		b.Libc = libc
-		return nil
-	}
-}
-
 // WithIgnoreIndexSignatures sets whether to ignore repository signature verification.
 func WithIgnoreSignatures(ignore bool) Option {
 	return func(b *Build) error {
diff --git a/pkg/cli/build.go b/pkg/cli/build.go
index 27867fbf3..5938e996c 100644
--- a/pkg/cli/build.go
+++ b/pkg/cli/build.go
@@ -73,7 +73,6 @@ func buildCmd() *cobra.Command {
 	var cpu, cpumodel, memory, disk string
 	var timeout time.Duration
 	var extraPackages []string
-	var libc string
 	var lintRequire, lintWarn []string
 	var ignoreSignatures bool
 	var cleanup bool
@@ -184,7 +183,6 @@ func buildCmd() *cobra.Command {
 				build.WithDisk(disk),
 				build.WithMemory(memory),
 				build.WithTimeout(timeout),
-				build.WithLibcFlavorOverride(libc),
 				build.WithIgnoreSignatures(ignoreSignatures),
 				build.WithConfigFileRepositoryCommit(configFileGitCommit),
 				build.WithConfigFileRepositoryURL(configFileGitRepoURL),
@@ -237,7 +235,6 @@ func buildCmd() *cobra.Command {
 	cmd.Flags().StringVar(&overlayBinSh, "overlay-binsh", "", "use specified file as /bin/sh overlay in build environment")
 	cmd.Flags().StringVar(&purlNamespace, "namespace", "unknown", "namespace to use in package URLs in SBOM (eg wolfi, alpine)")
 	cmd.Flags().StringSliceVar(&archstrs, "arch", nil, "architectures to build for (e.g., x86_64,ppc64le,arm64) -- default is all, unless specified in config")
-	cmd.Flags().StringVar(&libc, "override-host-triplet-libc-substitution-flavor", "gnu", "override the flavor of libc for ${{host.triplet.*}} substitutions (e.g. gnu,musl) -- default is gnu")
 	cmd.Flags().StringVar(&runner, "runner", "", fmt.Sprintf("which runner to use to enable running commands, default is based on your platform. Options are %q", build.GetAllRunners()))
 	cmd.Flags().StringSliceVarP(&extraKeys, "keyring-append", "k", []string{}, "path to extra keys to include in the build environment keyring")
 	cmd.Flags().StringSliceVarP(&extraRepos, "repository-append", "r", []string{}, "path to extra repositories to include in the build environment")
diff --git a/pkg/config/schema.json b/pkg/config/schema.json
index 828b7a153..a29733511 100644
--- a/pkg/config/schema.json
+++ b/pkg/config/schema.json
@@ -179,10 +179,6 @@
         "replaces-priority": {
           "type": "string",
           "description": "Optional: An integer string compared against other equal package provides used to\ndetermine priority of file replacements"
-        },
-        "install-if": {
-          "type": "string",
-          "description": "Optional: Expression indicating conditions under which to also install this package."
         }
       },
       "additionalProperties": false,
diff --git a/pkg/linter/linter.go b/pkg/linter/linter.go
index 3e471f85c..f07449847 100644
--- a/pkg/linter/linter.go
+++ b/pkg/linter/linter.go
@@ -159,7 +159,7 @@ var linterMap = map[string]linter{
 	"empty": {
 		LinterFunc:      emptyLinter,
 		Explain:         "Verify that this package is supposed to be empty; if it is, disable this linter; otherwise check the build",
-		defaultBehavior: Warn,
+		defaultBehavior: Ignore, // TODO: Needs to ignore packages that specify no-provides.
 	},
 	"python/docs": {
 		LinterFunc:      pythonDocsLinter,
diff --git a/pkg/sca/testdata/generated/x86_64/shbang-test-1-r1.apk b/pkg/sca/testdata/generated/x86_64/shbang-test-1-r1.apk
index 3a1d937750f6c2f349c5ec81d476903e801aac66..888576a8a40a4d4f57cadf682c189ce3183d790b 100644
GIT binary patch
delta 5749
zcmYjTcRbXA|2~m*g^Ex_Q8tmiDSPiEdz>xG9-mN@8M02C>=9>Y&p4yA_vp;b$UNNm
ze0zO=fBe4BfA4>u=Xt$%nqaCRz!pmhflzsVfPi~u9*GN$H-=}<&9uMRB%Nq#e0H4M
zRVDG6LqlWU(6)uR#YQ~f`DppkSYxndc!_|Gs98^Scl5G&d4*mwEJ>7hGn3ILDi7O(
zz=WO;EtIQSdy^^A{V<r6k7Sn&BNtAfJrGEE8n>oKcTKW=-Z}2!r2(BYP`IZbCL4BL
zK@uYe>h&1~pdQZr@FCx(;kCM%d2Ak<t!3z~-bv4sBvrHcoNLMFI+abqVVv^|#Vg-;
z&k^3DPgZNQ5@uEc9~-?`SI%*L;<=?nEda~cQnyhxF`<G|@&A>EiX`;BzO7n*%-#37
z$ouU;GFd=<oD@v!W;UwU5YQKlue~_zDP~?1OTTtAmtmpc2faO2`U2E0h7Duver;05
zg1hPOs{k$uS0fQ)>bb?d1>d;U{wISnaCXC;e_n2AQQN)b9p<<xD8&KQ_HKCYSpLD$
zKr@ow{tohjS4V1Ocp#AeRl6)|NX$IRgsE^_dcFLy1zJ_>SSM<x0%-isVIoBq)^o^r
z%7!v{Wemplx?ThmfY?hURof#e%umS6E-zIEXw}9%<wJ?bsAFabl0iWHEeulmxxU0B
zc0V=OXnyAC_e$Y4MU%FP2SVRolR=csma-ZeNsQh4_Y6w)E2c~zdy3om_5^RYN1(|?
z4B?TJO;1(r(DAOKfbWh1L1fK`uP&J(y~4MwU}M~`K@^#K!_=iq=Hqc?RfG6l%s~yT
z^{$Ciw|&Si-^6^|Zy5mxq9Q{FK~Z(xuzztPD!@0Tp}Fm&Op$SaU(7h?S4IKZxHkb5
zVtEeS52Lu4woes3{Ysm4s=hxDBpL4_`ATL`S<z4SFzxPVaUeNWmMZdbx1>8RL_w@r
zv@3}*sOyuoe>R<PyYId>dtqL|dcWhLU(jG_U0KSkg``Yuq<)47RqHFUH|+=GT-OTK
zKboXw_{?Tbw#={cRBSV8CH;1V^O~8+#p7G<e|yl7p&IXa(sD50x)iBr|GfgN@LX5<
zWhXbNk*H^nhzA@cyMB$wCRx!a`$t=LQLW8$R!1{F9gcZ<oJPaJ%KD}Z-h6#y<-UOl
zOxl|yzF?f`$9T#+8Sk!m{XH^6vGhKN$^bV5pZI2)(fyz7emDrm1AQr7tm&lDh!G?0
z^pJVR(>zvCY3ZI%cjmacQ^+YZ^&Hhs+1>dEcdmHUL=S8~HdHQk-IspGaYOiSMhiLB
zC{rax?~Xh+zP<vjOEXH@K*B;6noM$Z>myHq`MnQI+{V3`qj&!<WdUlLZc~$_wSTam
zmyGxrkmKP)p1G09IMgmXS%F>k(2_w9S%ClP;m#_0SK>fOV%h8C8PC_N*cNN3f?29v
zMM)N+XBW^rP!m44g5sK7VXYmP0aD$t`jS8%hhW|Nqw%75&zqn-j~I?Fpy#EykVQY1
z{^W}%i?Ds+hqtZJh)`ffLKRo~iCDV_@p-|WfpK<}x@Oaf9KM{s%($IuSM@@01<K#?
z=1E6~dQ`Ztlww&m@!Z)rzu8Hdv`nqwSSX^19f0Gs$L^abgtDxz8-vJnq>#K-5JOha
zP<pzVm&}yj`^W6p@a4j{DVYq?T8PWxcWt4M%T_zRq&)aFv^=GIWn#pm)w}V2Gz#Cf
zuDmuh9en<ye12d5k>;<K=4c9^fbEt@eQ`%A_-fetm?_<ljp-)Yj@F=s6xmRp=URf_
zmw_Tb^<Ay|%c|SS*#Xiv;-<H-6XEcnh^2}HGPfcVu{ytQ{`JW0oJX5Ju_9CIQTq}{
zR}sY;sL|>PoZBdA+y1^b>vOmJe~z1WO<WO27qOUb>dPDC-^KesUm~ub?S|;Rj0|1|
zYzr%z#C;O)y@qNGMR^Cf@ZTEbv+{lW={CUoVEr{#`He0}S;u~dsQ9Lxu%NJiXRa&O
zeZ3E}f$v2mz=scgVqWs14>el#Rw940`XGNDJwF(@bzY^mKLyo0$?*$XX$uq7J&~^O
zZCg=6xwh4Baq>wOzNN3@yGjVk&JM4BF`0e7cg-1;cSnUmM_~ItwVBd{KE|jC1;EeW
z?)v5FHJbo<b`A_8@jkb=9d&}OLy8ffK(x)mZb0ZEkpH<6me%eps6e*lJnbRi*>~^!
zdDT{Vi;q*6`%d6NjSYWHfv@&SG()Ml($08oOKofYz8`H%F#UFC1$FWJt7dO;H_24)
z#mF<Oj1|jo6~1L*1fp;^XT4m;C^#x0cb)C8=vWkAt?ODuv-q3&KhTrD_xcDAIa<gh
zv}Z0|{KmCsEoEjq(MJ%--_h-q%@@7MQr2*p5U)Yy6)0Y%+|j*(i*};Vr&B!VjkyAF
z;lw5Hm0d+kW~VA`uJW+n5Y4Z05A<(73|0d#(^XP;fs9L`lp}H$hO9?wUnyU=D;j^L
z39rf&bm-_jK@6sFP)L(lrdUzf0IQO!*M1Ty+>Z$Hpo0Jmgnv_)CDL*b6>!>W1hp#5
z>+j0A8g2C%)uWfw<hs+^Bu)~*yZ3nQ01k9W`qu1e4hp2UT{{GA);da+pgWZ%8d2d4
zj1MRssba)UbIBQ4&DH&q9Ag)?;;Pd7e}G+?A;1X0zykxz9+dwR0(gkEf^P}e?;p!7
z`_N6ZcrJ0cFSX<c<FWV>xLvc_o4ufs5%8f-av)w|`5dWEsTET(AYz=mog7W<zagL{
zVWK0!X+Bl$5KF#(&+eTZSuIGC6#^Upj&d+Crhw<41P?Lg5a8YUt_t!$=^gM^$n(du
zEjs7g&jg2oNYxMUzBP~p1!$$|Xid@UOgcU_H0f>Ncepb;?R%}dqN&ooB(GPEGGA8t
zpZm}tNYyT0NbJ-i*AXmx<nmwkT0zCW6cQ>%;D-XW>ul&xFvTQ05u^>mAF$6o6Y1lf
z=I@P2;4dxPu$wU!<G%CgS*5)qD|}HXuF85#66}J90EcYdA^3DoA`##|09!6W-pZ*6
z(V4dU7}1sy@b?G+T+IQclkdltdB7iamz8Mfqh?jozLqt6!r|`R4el0|eFQLc836xP
zF*FWzxLOtnBGvD(f!7`JSX3;`>JHo8-2$%884?Z4OwVGyar~xA(CFZkPL5^H0BTt(
z8d3;N{ZS2Gd!K8~Tw3Lrt7K8wXY{@N)tb+iD@>`oSHoZG$6N_wd*&&UIy_NP&3|>G
z>5>eN$XB2+ho^C*`?Sq!M(oxC=9dEVg2*`7hI(>;sN#lv273HYHNWGZzz;;`I=SOF
z%nmMA`#OV&;--Z^b%a6mtkh&-&eD!Wk<Ub3r>u!$TFqq`)@e_FYM;vZ`tp?uWcoec
zHFM1@#?Nj!g*+Q@qi=y>uWK7!oK<vqRFpJ!>UuQhi**q#>L-4YlTW<>wm9p7B2?#W
z{L|7SlnZ=??hkxjmM3xQkiGv5I*o*!-#VhL62G7X8+B=0BK{KQb!#FuHNU&Woi6(a
z{Z*4YN+f|$Z(oa2eUi{Q{{mgRC$<`~Rxf=NQq|z(l_xfHY=92FPU-^}Z6?=6m`jUw
zJW4G{o|j5vsA{MS@<Rh%_pPvbOwr}AO}Fqwvm}!q8xN1Rd*^j0_2O=3eWtjCaH_nA
zW!1uuY1-3#7|~p<6eJmt2WT9w<D6*wKnz;rhu+&sMZF+f?B9Tj0y_?Ah(h4#!PZvl
zsY*nm(Zx?kx{%~SSc7s^_8_7lkPK0LG;wxv9}TciMN3Ia0+Rp5z5;$`42ieihzB#u
zTE#9#93i|w5XU_|`ERX<iAD$YOgB%3h9I0M;5qs7)&!RYzM`}XK@`=viS<a<O#m&K
zA=s@6Xs)lkRC|(!^|zN<gf0UJubEfa5mF=hgM?Ms!PW$3cT$MBIX;z0tnxW6PL&{r
z1_uJZ2CesrMjP{cEgH$3i9?Q%u>CY9;9vZGz}G6PRq?|`AU<HDVgQqyPP92X94kiB
z^<lXyUS`QD=~@{<-+gH`X==6%#KMG3e-T3RM9#uC@+}V2dA)Rg@z+B$H03?5B~rL%
z0LQd1<Y-L$^FaGEwe^4cPWV?F6?0fX3lee^YoT%UF@<vgmjdcvv58xJsY;v}(nuby
zdEv3-VoCGANLYE>y6K80I3v%<?e%o=3Cb8|9WO2_=G~q@oPk-b2aCGN{t(E}f`$(%
zWOP>d=2;F_>vKYzA4!~tZlc`9Us5Bl#QNg_8NB_1#*s-kQ1urQ7)qX#e-Hrf)N;DC
zNrb$)EL2MjUE6w^UR?Q>5%Cz%3adPw|MVG00eQ<7lE%50EjYxLBK&K3Bc++h0{QzJ
zrlI^xE}~bh7<9+qO=PK*#Y2K6P+k8IVa<Sz>b($UakIZ}pXIfAvO3Qxb*4)ey(0F2
zkXbGlczjY0WbPtXZ(|t5Rut4LZ?Q_Rq@slv3sUIj7Q1P;0~^%W?-bG+1jUV`cpP)>
zmZh`PC3DtbYiJ5?f=HoJbnQjzz+UK5ZV2t~9oS6QUr+-_?AsE+<Zav6wK{BuKo>+q
zGjhPII<+_^(SI}UsIORd5Z3h@0p#Q$5I1r_LhkRNh?36*H~FLbsDdaJdCFA1nK+=I
zWfl5tNk8M+`wD$K%w69pkwzchM#E+5jpN3oowLjHN~kr5)7U(w7DQ<lVB)Ws0>cp+
z-`?lauikkOcT!>ytC4DTt>4x~E|=m)gAz|)mN0iy&Ox{#lO(rl?z?g~PvFB&K*i2G
znNmMyH|}d=rWO&bG8Xb>!Q$NYy%pS79?F!=RAYkC09(L^dFNs_JqMmzAxO>H&%e8M
z$i&D!SsXqj_*1QY6!Q0aF!~s#KJw7%_z>jMxMB**+%mspK_ke_gYD0yJt7akSlbX+
zSU+WBWm9X1(o6K1MlLeZz*F;%D~i)>B46^wht_HJoVN2t5td*;LRj=ABn@yE(YoJ1
zyx=r5@|V|R;vYqswiDr|&M!YuI8`C_`1QZc6Jz^<rdT}N7|~ynk+Jj5H27rH>5mN`
zmyq@*HyV~PJa(|LuBQv*S)*Xja=MuDIU1TUA3TTj7nu{WuYn_^Hf%d`d*IA+5NE5~
ze)c@A=6t@KK!guIA&}nJn)5wN2D83|Abp>-ts^(r`IOU$0%(dRBI+-PE61%S%=MYr
zIU=<WA^miXjTDklv?^`E=xv{P1S-$)X|JzhD0=srOM0XNrz^e2aU)=5qgBx##pB>9
z&`auK_=*IOQNblN@|Oo~f2wD6;WC@8FvHq4;!OD5M*0Y3NJ~nAZNwGM%g5hL1u^%I
zSg;b!l^}MS!2Y9@0fCLekIyb)ft33fL=KR+5FQ5Vh^T0V=S93^WzPEp&)dqFO-(A|
zOD?mUn(jy03R{B!+c%J{Y5<ERNEi%<f+_|SD%nVot?x1=iS8~yuy!mdl_j#h!uzw2
zvzkw{nnkEfaOxQQGG`^&wKSCS362Yxk2&m1s?K>o#{D19jNl>S0F?ehuto%$K6fq8
z$vULWI<#D)Ikf(@(k$^fWfn&~5Lw3n3V#ne?$(qqj0)>mnlcQea`x0&e!E*%sHHyk
za41Q|Na7s8g8R`2;Pu&c9FEw+eRvM&A0ncFOp8NGi^HXVjEK;fgPbIZc)4C68wHXk
zfC-+OmG3NXZNtm9ipYJx*=yBQui5pyZ%(kBNjpCWiOeAF&vo1aSZIM~yf_D#)&Oz5
zStCPY6$3_YpAMX&Uyuub;b*-DWFLTGqX4c$COOZd*>z6epG7S?xg@K>{rLlN<C%u9
zj*|UT*Y~AV=UzLkft}jz9Ry6X9GD)6XH&%kQF0LdCg#K{W{g;KAJ}L5@;cs*KDyrm
zdA5HXOjf@qp9AvUL4f|t$Ka=T>>~VT<8QRW?>u-4m>Ya@-I*0<o%j(|nK`-&B-p=W
zrTFhJhQM|FUh8;te6H~295D~pFI`<v=4N$ym&2xDtscr$@+u<hf->u(@(d$Dq;-{W
zcDfl1fJp97C@?YsEDCp+>Y}cz;{TZEai^?kFgfDQmK~~|9zAKY@NQ8!uFAf@7Yv<)
zgv}5zVxgNEakS6k-KqLf0Qi&%EM8TZ1KS!O*Z}q<DpRQ!%^ZzNod9%krsL{|qkLX!
ztnI>P+k(P7DO|cq35hL`qk8rMwARNRY<29B`SAjuW~V?*5ujq|SP6dJ?O-txSVuD2
zvz)e%5yv`+Vk+s4L|S8T?#9ad-lq4pv4zb&>z5=`?rducI>7Wpd2sjbCXkunn2``(
z?Ua$m`E*XDrhGf9JS!$VH_x8`&Yj7NbFUvLVCfH-qb*NrHwn)>2_u$o<baxVnjr+N
z{xpCzZBzgIU}egQ9;*JK^@WF)Gdu3)3skqGP$jj2KI+P^AAV0BweYGfE~?Egdi9V~
zPYi@AfgK<xV7}G?Mjzn-()Sy1SYa)B0`XKRwx<77;Ta)4J9O`g|5w0deFTU)!bi^o
zbJc@M43iVZ<Wa;^BscF2sI;XZv!f?R!yD79&#!VFR(rCO&APGwZ{_2xv#&A!>qi?D
z`1}^bn4z}WIOkAxm0NiOPfOYr4+CRgqwm*mSpW~LLAk-*j^i^0_LKt{9{FJ#M)CvH
z%DZ-fM}GYYUhdye;{L`j6yoOc_3?y!^V_A>?u(097~@FAZ7cT8P-E0Ozw1lh-!kf1
zkz`RAH((%}!RWK553YdKjy^cNW4%SmR+ZhP=H(up-`M2OJZ=U@Zxc}%`<L)4$|+__
zC?Hf25c!z*Cnd&31FCE*M(O%QnRVt<N5cC}*4A)0u9COx^uy7+{a7nE6IqU*W=We!
z34^UxcK!>$uO|INbtiC`y+Svvm0Ncy@?|n-H&%Lu_Y<-k;c}eBmxG8_sh(_akGM6f
zbCiAlx+Ec=yvBlMO49S$lMNA<OhdZL?*Pr0&V)g~%@>0wJ3~<pTa^X<X|9sIs^rs2
zd>Zf=v7TfGwV~<Sw;VDj{H+r#tZf3{5sQnJg&Ze-(3830ggt-r*ri|4ptNZh$LS}A
zEHYf%#e~v%sJX^W`HJ(fT7AXLi|kI7dP@Ic!_=P??UruR0#V&f$FKSLVi`@-hXDlN
zIx}OH<x|_NgT3*c;Xtm&y_qZPU#Rv>&9=<->4J81^n%Q7A7O$8FVpeMH62E-lkTFf
z_kKakSw$O^MPkDky!zzaP+7t>p~fw5msrsS^-uLFt7D(;Ed<=_4UnV!t{yn_`WW*?
zrtP_`jKAmp$?E%VsO7^KShhOBMsL6+lw3?OHS14{W(z*$nVL}EXyvfyoq2fC3AcxD
z`IupFKJzp+Yr@R-*pR?{O_rQ5(y$yu2i3wZjNdMsiK%gJ9PQ0>NZxQR%KO;h;iCVH
zHzKdnl}U!zQ2WoBpgC`?;e`JzZ#|6hPe%h`x6kr|rd5WvCBHJ*yWS<$;+OA9qpX>{
zVB0gC$M^h{V3XzA;B8j_u}vAzG<R#|7cyl*@!3&3Or%ugv0~bJeaRE(N6k^@O8u!n
zD_v~89f{rJrM>U#jWEB)Ok!`z@X7f8$vS1V^*B6Anz;zDd50opVPUam!QX^HK#&xY
Mrsek)G6{kF2PL7?mH+?%

delta 5768
zcmYjTcQn-j*uGX~WGh6Gj6w=!U6O?C?Hb9-wPj@f8bY#X*<_E4Yh~n;jEGzIzGfE}
zH!H3?eqY}>-}gO#yyv{<yytnI_x<O2Go&-60ipK{5D24pECk%Kg!wFd<{tI<ZJGO+
zT4XD;Jzn~@#V5$@Ok3fjFPpz>Z!*P|h)!`-rcTVHEt2tc@?%!n#+}{`j7CogSGU4d
zFm1_LqkzcM!wxneB<y%oiWPm>d6%W592+uVDD!u%H!OxIg-H^6rMP+u|1^27T06fS
zD7oWA*gusgEr)|7=taX7LC(jHz2eTw71nRHdU!?xulSA#)7iONaSh6P)dUQ4l`M;F
z$kboGR^r?74!jt{JOZ8HqPRBi^P23xesAhEbm!iqqBT!*I*A*xH6Gr=bR1q5ci2|-
z)gL7)Mm@xdzc2RHr`h4`9KHJ3_wkxmAHc{tH%B^M8Gnt8W`rMmWIJ1BnKE+DGuI3Y
zVI~5Y?kJn;vfrg_8z5XvjLrOhEfvq}$FKhUHFht%`}Wh){nt<5=+$^h9(1#z(TBoM
zSCr;X?=a1Tbh6%uzW;hC{w>6J^z~`(h6Y#4U3+@tWP0nCzX~4hLyG%Pk#{i8cgaAU
zva+qE)3Txf$^`Ti2-Q9oqQz~VoPj*Ym?!=T%$YYJo;}yo;^=1NO53;?Z;&^rU&^PZ
zGoCU-U_)_=Wtu0tKc#j(?uERNpt&%+!zH8ZBuJ(H(=vFBTk+)%%a*F7C_H_^e<*<Z
zVY6rQo|M(~<TYKPk|{wIcBwL#>R7-W+{&Wkgds{QK5o`<O0aO2wU%0m$Sa!oP3hGH
zm)=S+ux&->2YEYZJdZ)vN(H)|WbbnE_R*Lx?9sT}Ge|ROyYJlbn%ZI&+xs9VZPP22
zhsc%n4KJ|>HX4?SldG}b7HPit{a8A!wGvP3F`zl5EKDo%HGSpY^%>a&qy_LZu2jm0
z`;1bBJM5i!ojk#om$8;m$vn@<?gGP&vY6<+mWuY|@xhko>f*!_^1A03S??pNC!Sm2
z8V)tH)Ep~bL?_e`a(kyr=H&Ye#<P<eR;{mKE19en4+l}O#~z+TA!hu#T|~t2yy~e+
z&^!UN6>YFdo1<fJF8ngF1~`9gig}mISNV*qU3Et{TEbK*K@iIKeCjkiFhI>@MWft1
zcF`yiDpr+aTdGj_&g@yjv!GO8Dd~^DQ}fl4j`wj3JU+crWkwjP_PnjWAfeM>SYw-X
zELTYT96p=<Nvq&h+C}k&I|?m23`At(vB^rFXMzh`XNKEJM7S`)7TEU`kPv&&5-eEE
z&48oLY|)@@%C0nSm_tW6?ZO+gXqs}xmcy2konNj#DAuzur+=!fYkhmjoEj1F952p%
zZQj+ng_z$M1}}9DRPdi=4KPB2FI1x-(|20hl;IyBc!Zk0U1tdSH`#@Hk4Gx&iHTe*
z*zC(}tvC1XY!=!HP>v!w-rxf2VT0cN#OkCh&hTG<qRnjsuw2xWOnKet2qVRdyl97R
zLo#*^v8J9cT|m(MeVNm9dGcWPgx9+|Bgbz=ZJ141q%>+HAvL;(;T$+Q`_o1!4VlR`
zWlZbvgiu;QAZsbH)}X0UYyHZ#s|AncH<*lWU$Kj1pST8C{3uP0uZ-Rrzu;Eh4txoZ
z*xw(k+~TnB>g)`iua1;#JBL_ts8x8Waac8Xo}O*N*YtI!JWbH>BM)DTTZ>Xl#sT*p
zP-nL4owmU^tX8Ws=Y%a3U1R+18+s;HRZ@HPrY}bo*H(S!B8nun2#AQaOl@pzOwPYr
z-%9JXk!zp>l$*7c9CTR~P0WwJjk7l@FwGaRPAJ^o35syDdVUSp(9G#7eR=0d<sK(2
zeb~Y%0F@$hs$!`0HZgC>;mzgEK)`Lg=b@itzKmC0DluKgfy86+GfB3+SwngQ^z^mD
zhOJ&&qyd?w>_!4pl-EDxFq<@|_vm?vXBiNx=s(K>Mo!ZC^Sm`o2in5dEdJ2f#O-1z
ze$#`j_UoLA6zNPEO29-wVpbaOeaYVi--ujlv0tyAY-<gK8s>M$sQT9}Z9l-f*R{4!
zqn97lSu*dPmr=3cuX%gjT7rQ}v<N1_H-+0_X)^BI>T`2bk3R8J4pM&6R-cvQymypi
z&u0JvGrRBPx2Kt3?z;zt=2I=C=cW@c-(DE+nmR>8KDhmGfN((||1Tr#96T2uh6?Fq
ze!2_PG-c)I(DJ%+V*0#-f=>&~ir%~E>~D_(W_sRu-z-T@{|c8*J?Te?8ym?}S_rN9
z3H3AoyIdzmM-t+3YR5e?bh&x}dx=cU`mW8<mCsY^)J?opUs~FDWZ%!`S*IK!N}DaK
zVQ!HxkNl!BikhQ}n3G*?*6*%dugT}4E^JrLmD%Ln*Kr?LK+YGJsM9fQ8*mb1T)947
zP(PK7qXx>)6z*QGq8qtum!W}OmJnpW^Qqo5Bv@%bOdCAQ(#pUAAI@ab4$cX1$B1bc
zF+A^5H!EU&RsYf38P$DMP?aV^uSB(&W>5bF_<i>w%MS{@=K*;GKxQ@q`WB*>!5DV1
zAfoIOMPvqX?*1g_f@}q|^L^jp%Z|fK{GkKjc{c6_REletUcgQ$nt-}L^MVAOIrV}6
zeBCYuPj!6K_m<(l_3PpU?g|YpZJty+=h>?#93nf{<n{qyF%0I|L2GChRW&G?1Zo0t
zpeNH4Ky#49`dJ`KJ_dHe06W>+ybP*BtI9s?u?u!A9UcQZY0j5Hw!0K5j<2atJ&-Ki
z&)V0Eq5cns$Mns|&+AwO-k2?>YK!4>Wb4@hy8lU#9jwu_sH^Tw|0Lo-QP5C}Z1EQ@
zX__l=BJyv69v7PbBqjq|z{H*ZVum3-ZK}$i6-)D{R!O$FTp54af^drU8VPjK<i44I
zCEh<e`5j0Mpn5WW>;T_xRUf99>yN!437L@GOkb{p1Ps*-M!a2PJUEUt&>cZ=D)b-;
zO?-ti!Dk|Bz%=tbEJ&XRDnC+4iEoIL*J~&g(W`>D&B&Vr=i{OoQ*eAnF=8joB0IcF
zqd>hF#(@+gD+FG9hXI9#$RL7(it}g|9trdrWE<JTp$NwqhgUdMqVr%eJg4kky(FAt
z;#N?KOGOnTr%a4L?&f@EwI2uwoq|+3;X;Ih8g+R*$gQ(Rz!)8%pf)OpW2ZA#<tkKN
ztdF*Up@5F?)G4UUSb{|!)n%&dJ*LY#zI+hh3iGTDH-D%gdQ8Fws<Dxnk|2E~kzBgN
zFi>GD!?6C+gzM*_uzy;mf4+Bui^PY~<Lf`q1juxQV@(40(s6wj?6w6XV?Mw9LR?g&
zwBsJ^(MX>3cxHMhxk&J%HILARYah#ph4l^re;*Ty%1EBK+m5Ao|7ejkd1neEmyuI;
z{&yucGX40ZL(wUwD#)-94&i+Ud^s|@h&EB`EVMnmp)WC=`*h?mC#O$eQwpvt!K7>A
zCSWjjFYs(ZtGJcFL@4y^2}!p_<y^nFfNnF?V3;Llb3&A;6IPQ%uMuQlA41nHlm-AV
z6TWMoUJq=a<&MHn2gM1RnY8OW)zG8H-$1vG0TzhSBTLyk*?zQBQ}BG3I(A-xy2%vm
zn`Zei&f2#8B>0jCU-F{!PkG<7A7hmS`AX4@iP4stm(8V<jUKG5`|Z4acWqUb9hk#A
z<7zIQ^YFkOcbC`JHCuPcwe$zGJiY+jG)_o(<@cvKz2lkMiYh}l?FIKm44J^j%2{ch
z-0b0MS*J2}b@?H}zVO)edLyZZG|sD`UFRvy5uRJ+CjDkP%}lkC`}M9FS+rK<RK>iY
zrJT*3OjCL9N6-Jj4_tvJMQ#96J|v>qM(uY%lE#RT#=rmKz;Po106v7)^(9vT#^;3Z
zQ9j8*v<uW`SAA}tryRNIq<;2E^Y<tD3`0I^7uZ8;$=~-A9uuB!%<ZrxQ5&^|9;N|0
zsSi5$55lwyD3RsBJ~R^%c|@O44Xy6n_n9BAe!qHtUr1`&6{DXj8e%I=^M|?h+v&d^
zrJr~>w@!Ee2YL+{kn+)|oKrobPfJQti+C&BrS1MtfDw6^Z6mz?t#)W~cc=pjG#u<<
zIWrngq=XjZP-Y<>2d<Ti-DU@V#Lpj9?op%~ofV%^{`L*=H$ug7GO88VVx)XVx*VvN
z(;Sv`Qw?)Pb(RW9L=K44`nudffxSU$RLkTg+~}siFW~$Cz(T*SX6do3O?3B>{k#4R
zFMgE&>nJES*;dH=`uF+uNNiAQCk@1E$sm;<^0GfDwVv4NP#mz+%>2ajdFamf7@-fL
zVKsJ!dn-co2B~!%(QoMocW?g@_%cAuD!8VD>st9VE~6T{!>=vWt`bPsc^XB40SC`(
z=c7v&@zjvWQ|r|Fu=bk#8~rboEe+4kZbQ0r3a&A>oiOkS<x$4>eN_BEAN--&SrVZC
zKMaVkWDFp2jI%a9b;f71rJhu4B28AG{85ZZoMS<WOQwh_6%xl=FtiKS!E|tpMZue|
zEnE71)1>b^doV+R65_1p)oJmF*fFPcH3JD6Zkp+>_HX+F&|yWP!lU7I1HsWLOR+|5
z;F|;054ZwB`d;wb?jirD^6>YWNx%N4=8<oDjvqL-gIP^KMxB11K2fmLpsMU5(!qex
z(8$P#FDNH(vT=;XCaJphe3!0oia|;%F7-La-!M8L@x`16j1J!LWlfP?E7{MT7wCsI
z!S^OiZau^mHrK@!ON!rvMK+oHjNkRd&vrYm(?yom^Sm~R^@x=nt9^J=%r5kna8Bv*
zOYa9W=Sul}`U}@XyXbWtmkaq`aUc+FSE|;Ut2p=4=e%l)WFNr17+ZEd2^D*@g%doj
z#SG~?h4urH0N#y4?ADxksC@Y1s@}&4s^n(3XovFW5dzNBv)JkRH@Skh!{x7IJo2EL
zp*L^Al0b|OM?D4eac~U#j4V1h$KN}>#TSnyQ6IA5U+%PHD|79-9z=Y7F^cxQJaonl
zK~j=e1e&eIfERLlLZ!z$rvuNAlqcxx&z#b%nKXicMFr)^Xv?h+iCB_}iySWN*?!Am
zQYEP}w;)F;_t@b9W!P>VOddt`wta?_HBt&*v3k(M?u9riX}hcT1|&v8uLJ%{dKaOP
zS-EOdW|~9(s7XJ)ddrV(AUO?iQPLB7EYpG?TT1djXdXbO_f6ZcomiUXZwWD24<$Bc
zkpKtmdYG!>xE>|cpzEsh7UpMYat^=(EmM$7AujrU`H)v9tO(4iP#7W0&m<9z*sI<<
z#*~7sLnh9)(-VzbMB9m#TowLl#VrCBu(XvK_bWX9at2Q4hGVG|KkQzYLI07cbs`&@
z65MC<po)S$Xm>FE3ym1aZIP1Zwj1wU+OL+tkpUK5J`gxjY*z#EwM30rQ^W8j{)43c
zJqlUzV(JO>-~=VONyLbnHgSnd4o;?AnL|j#CBCz}=-z&{QqsaJp;Lh85DVhp{EOLt
zpUf9fKm9o#Fg7#BqCvJbLR!iNegKaeGBOPzL6=YQ>Ltp^8f64+iua@JifuUs!M-3b
zQ%l<t7_#{Lf?qsx?a5#0lQcY@TxYim1t~b+F7WI}<5v^d@j|@zOg#Qla4dMhI{oF<
z$8Sq0P+F5hIiUf-jw>DQ=LN?nT+CB!b>tq;_q7+<v`2B-AqA}O1ik@KAU^U1h<T~s
zg*rjK=STwSxk2~StTyhXdTxyB-UV>B`gHGN$oPyYY5KoyZkDa<&d8@AD&xH2MgvMM
zqWsFz3bqxvnLw|1Sn$M<0+sz|k|?vdiW)ow9oNAdWXsS0OE<|iulmX+$bo<wMS+n&
z0Spi<s?{1Wi7eW?o5*_2SkY^?{()x&!b@}5H@TXB;dwj~JJ=7t`WXIi6c<Ex_`MJC
z?SmJCsMI%HRld50Pj6lV`C)$Yf8HAlT=n@f7dDD#pFk2nQ|g|DlQFOAKuwO<gY~vL
z<2UKxu_Y8_vGC+XgO^g-yYqIpi~0b;0S0AOSCB@5poRjolfdjBYoPBcuuZJnl@QK)
zu=Pmfh;&N0zul+)mUH2U_RNpqX3%>dFmia~D%Nm91mmdxU1jss=h7n!!5Veu;Z*Ut
zvLblZ4T(oF(m}R*zaHB)>kkU{GAKvek}z3p-S{(dus&v1jPR-=#gO^{AOQ>nK$4P%
zNAX(H?)cm&tZ0{W2&PqJIQ4l&JZps*N1AD^sD=Lx!T)7*9HqE$!_{XBs#8=~LEZ_9
z@|leCtGp^9(V%0nb;}{e>?01?Jd@EjXC~nK__V(mHUUR<fc~#*2#{tHP!Q>?zuW2?
z)L<6;!4_JWy(<Ea1I~7<I27v(a@Lkr^cEkVN3^?+T)LfTN4EFp_DVhmNu~bcB8@yO
zAd(LTwt``D1eRE1kGL`7SzTraMM^__AB&1PAf3P`-_y!)*n2%}co{WVJ=qd<4k=R<
zc*FMZYSjh0z#Gf@o{CNf<{Pm&M1~xq*NnPj`)8R=@T33`^&p*qMv<UTVZH5PO~7RL
zFBHYan5T^rQvo6ylT4STkLuz`XJ{h?Xhf7zwz!9U9U3~_{S!su*4j9OGLYRGDH9uo
z#a1kRCKJ92dUZ>)#(QdaIxyg*PJ8zu_+|w3(${QZHP>!p(NnCKv{p!W={2#PewDg8
zWF(gYj2?o<qu}9RsBjwoI%xTgbmpUzeg&X-h@*iBe5^2+MJ8`obCb~rcOScMZ@(21
zsju-p)`D3knXFdjgyfZ%=04;s8PTBb#W!QtN3$h#ueE&{XT25orQ6|Pu~1edS=#z$
z5JSf^xT|q`9P+bd_U#L!>Q+(PEKzTHO*#P$K5o}2d{YTsQT-*_=8Hv%9)k`8Uk_QA
zx|=!8)Gsh$djr?Q>YA1E*?(6L9!}?o2iRZ84Da{}Uw4@c9cgS3TDfh{RX(aAt;4Yr
zmgmbo2wOon5eC`O=-y&0xR65+<BnK}A?cpkfHBSN%|y6>V(~}+kMWNs7^Y$T22TKO
zmyYK*TtbgrH01&;O`P@Q1-M0MaDy45`hD4s-{U^H5UsmY1Vee2E+!@}WzJiAdryzC
zhqlv&dbw%;4fFiwT|lP_!^O+xT$D)6%R8E+nC-r;DZx$p-obvFoARjDSuVDTQVy%s
z{Y`^G$mj8Bt}GDRGBWy@tM#yG?gJp6c?MBbKN1||9_WVRwEgQr<v&Ur<RN+FDbDaE
z5PiL|MmDWLm6xm+={t*Ymxn7{l4rxeon*ZPyJD?{ic@s@3ND%{zqs9BlmzFk@A#D5
zWWvC7CCD!}f*<{fua16&$K5r=o09XqocFyOc621qzSHPMQS}2{)0-(j1!<rbUD#jh
z-xwk1ZV04S{MO={o1E3xgpH?PuC4W!x0&<4(`!@IyRWnu+NK5jjV!k|hwJk`wc6UU
znY({%^ULD=cR!brWUqOx=-rBTcx6?wvK)t32}}~1^6<RKZB9LxDfk%+toCp2NAgJv
z(AX-4d4*neG@J;OK`7Mv4+p)woP`}4D9zgJ+-(W;uVV@il4)F%{vAHhky@9T{424_
z-pQ>{sbBqR_tW!fPa4((8s8y)nP2d~+2~|rW&06T9{~4r+?{9*4wzj1HacYBKy;1J
kp0Vl-Uk}Vb7w>ziyQgQL?i)x0fq?&t*RRhA$OHuPAGqJehX4Qo


From 779cc80b8401c004513b9c29883ccacfadece437 Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Fri, 31 Jan 2025 15:51:15 -0500
Subject: [PATCH 3/3] clean up flavor gnu

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 pkg/build/compile.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/pkg/build/compile.go b/pkg/build/compile.go
index d71aed0b7..8b2e51a75 100644
--- a/pkg/build/compile.go
+++ b/pkg/build/compile.go
@@ -36,10 +36,7 @@ const unidentifiablePipeline = "???"
 func (t *Test) Compile(ctx context.Context) error {
 	cfg := t.Configuration
 
-	// TODO: Make this parameter go away when we revisit subtitutions.
-	flavor := "gnu"
-
-	sm, err := NewSubstitutionMap(&cfg, t.Arch, flavor)
+	sm, err := NewSubstitutionMap(&cfg, t.Arch, "gnu")
 	if err != nil {
 		return err
 	}