commit: d55b2909725634bd3e522d3da6612358ab8df111 Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Sat Dec 20 13:07:00 2025 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Sat Dec 20 13:14:15 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d55b2909
sys-auth/polkit: Remove old Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> sys-auth/polkit/Manifest | 1 - sys-auth/polkit/files/polkit-123-mozjs-JIT.patch | 36 ----- .../files/polkit-123-pkexec-uninitialized.patch | 35 ----- sys-auth/polkit/files/polkit-126-musl.patch | 34 ----- sys-auth/polkit/files/polkit-126-realpath.patch | 133 ----------------- sys-auth/polkit/polkit-123-r1.ebuild | 157 -------------------- sys-auth/polkit/polkit-126-r1.ebuild | 159 --------------------- 7 files changed, 555 deletions(-) diff --git a/sys-auth/polkit/Manifest b/sys-auth/polkit/Manifest index 53e2efde44cd..54fc3fb1fff8 100644 --- a/sys-auth/polkit/Manifest +++ b/sys-auth/polkit/Manifest @@ -1,2 +1 @@ -DIST polkit-123.tar.bz2 707480 BLAKE2B 27d8764606d8156118269fb4cd5eda1cfd0d56df219e4157cd78fd4c2a2d001c474271b7bb31e7e82ca376eacd26411418695058cc888700690606348b4d014a SHA512 4306363d3ed7311243de462832199bd10ddda35e36449104daff0895725d8189b07a4c88340f28607846fdf761c23470da2d43288199c46aa816426384124bb6 DIST polkit-126.tar.gz 456138 BLAKE2B 2e86c8853edf29879d8367b77d210d3a891178297cb5f9eb204a953bfaa66f6ff2307da265f4c3f89265ba8ce32e94641272d654a78d116dfb32a65d402f877a SHA512 dbdbc31b7a231c963788b37cf1a138e30336466fb662225a812faaf58e45439925d9d39346cc8f07e54f22040c2f142435acb9fded315d33e24930e0abc736c7 diff --git a/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch deleted file mode 100644 index 5b3f2c4a3641..000000000000 --- a/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch +++ /dev/null @@ -1,36 +0,0 @@ -https://gitlab.freedesktop.org/polkit/polkit/-/commit/4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb - -From 4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao <[email protected]> -Date: Sat, 29 Jul 2023 17:44:58 +0800 -Subject: [PATCH] jsauthority: mozjs: Disable JIT - -The JIT compiling of mozjs needs W/X mapping, but our systemd hardening -setting does not allow it. - -For polkit, security is much more important than the speed running -Javascript code in rule files, so we should disable JIT. - -Fixes #199. ---- a/src/polkitbackend/polkitbackendjsauthority.cpp -+++ b/src/polkitbackend/polkitbackendjsauthority.cpp -@@ -56,7 +56,16 @@ - static class JsInitHelperType - { - public: -- JsInitHelperType() { JS_Init(); } -+ JsInitHelperType() -+ { -+ /* Disable JIT because it needs W/X mapping, which is not allowed by -+ * our systemd hardening setting. -+ */ -+ JS::DisableJitBackend(); -+ -+ JS_Init(); -+ } -+ - ~JsInitHelperType() { JS_ShutDown(); } - } JsInitHelper; - --- -GitLab diff --git a/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch deleted file mode 100644 index f19560943c43..000000000000 --- a/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch +++ /dev/null @@ -1,35 +0,0 @@ -https://gitlab.freedesktop.org/polkit/polkit/-/commit/c79ee5595c8d397098978ad50eb521ba2ae8467d - -From c79ee5595c8d397098978ad50eb521ba2ae8467d Mon Sep 17 00:00:00 2001 -From: Vincent Mihalkovic <[email protected]> -Date: Wed, 16 Aug 2023 08:59:55 +0000 -Subject: [PATCH] pkexec: fix uninitialized pointer warning - ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -53,6 +53,7 @@ - static gchar *original_user_name = NULL; - static gchar *original_cwd; - static gchar *command_line = NULL; -+static gchar *cmdline_short = NULL; - static struct passwd *pw; - - #ifndef HAVE_CLEARENV -@@ -508,6 +509,7 @@ main (int argc, char *argv[]) - path = NULL; - exec_argv = NULL; - command_line = NULL; -+ cmdline_short = NULL; - opt_user = NULL; - local_agent_handle = NULL; - -@@ -802,7 +804,6 @@ main (int argc, char *argv[]) - polkit_details_insert (details, "program", path); - polkit_details_insert (details, "command_line", command_line); - -- gchar *cmdline_short = NULL; - cmdline_short = g_strdup(command_line); - if (strlen(command_line) > 80) - g_stpcpy(g_stpcpy( cmdline_short + 38, " ... " ), --- -GitLab diff --git a/sys-auth/polkit/files/polkit-126-musl.patch b/sys-auth/polkit/files/polkit-126-musl.patch deleted file mode 100644 index 3bc3cc128472..000000000000 --- a/sys-auth/polkit/files/polkit-126-musl.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://github.com/polkit-org/polkit/commit/074ad836836167190cfe5649f9fc50da2e79a0ab - -From 074ad836836167190cfe5649f9fc50da2e79a0ab Mon Sep 17 00:00:00 2001 -From: Jan Rybar <[email protected]> -Date: Wed, 19 Feb 2025 14:20:22 +0100 -Subject: [PATCH] Fix musl compilation error on Alpine - -Disruptions between glibc and musl-(not-)predefined feature-test macros led to -a decision to remove a check for POSIX standards older than 17 years. It makes no -sense to test the existence of a macro that we explicitly define in -meson.build either (shall we test for _GNU_SOURCE). ---- - src/programs/pkexec.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index b439475f..4274c92b 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -674,12 +674,8 @@ main (int argc, char *argv[]) - argv[n] = path_abs; - } - } --#if _POSIX_C_SOURCE >= 200809L -+ - s = realpath(path, NULL); --#else -- s = NULL; --# error We have to deal with realpath(3) PATH_MAX madness --#endif - if (s != NULL) - { - /* The called program resolved to the canonical location. We don't update - diff --git a/sys-auth/polkit/files/polkit-126-realpath.patch b/sys-auth/polkit/files/polkit-126-realpath.patch deleted file mode 100644 index 3946932fa1ff..000000000000 --- a/sys-auth/polkit/files/polkit-126-realpath.patch +++ /dev/null @@ -1,133 +0,0 @@ -https://github.com/polkit-org/polkit/commit/9aa43e089d870a8ee695e625237c5b731b250678 - -From 9aa43e089d870a8ee695e625237c5b731b250678 Mon Sep 17 00:00:00 2001 -From: Walter Doekes <[email protected]> -Date: Fri, 25 Oct 2024 23:18:16 +0200 -Subject: [PATCH] pkexec: Use realpath when comparing - org.freedesktop.policykit.exec.path - -This changes the pkexec path that is compared from the original supplied -path to the path resolved by realpath(3). - -That means that "/bin/something" might now be matched as -"/usr/bin/something", a review of your - <annotate key="org.freedesktop.policykit.exec.path"> -actions might be in order. - -Fixes: polkit-org/polkit#194 - -See also: systemd/systemd#34714 ---- - src/programs/pkexec.c | 29 +++++++++++++++++++++++++++-- - test/integration/pkexec/test.sh | 23 +++++++++++++++++++++++ - 2 files changed, 50 insertions(+), 2 deletions(-) - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 65c13090..b439475f 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -452,6 +452,7 @@ main (int argc, char *argv[]) - gchar *action_id; - gboolean allow_gui; - gchar **exec_argv; -+ gchar *path_abs; - gchar *path; - struct passwd pwstruct; - gchar pwbuf[8192]; -@@ -508,6 +509,7 @@ main (int argc, char *argv[]) - result = NULL; - action_id = NULL; - saved_env = NULL; -+ path_abs = NULL; - path = NULL; - exec_argv = NULL; - command_line = NULL; -@@ -624,6 +626,8 @@ main (int argc, char *argv[]) - * but do check this is the case. - * - * We also try to locate the program in the path if a non-absolute path is given. -+ * -+ * And then we resolve the real path of the program. - */ - g_assert (argv[argc] == NULL); - path = g_strdup (argv[n]); -@@ -647,7 +651,7 @@ main (int argc, char *argv[]) - } - if (path[0] != '/') - { -- /* g_find_program_in_path() is not suspectible to attacks via the environment */ -+ /* g_find_program_in_path() is not susceptible to attacks via the environment */ - s = g_find_program_in_path (path); - if (s == NULL) - { -@@ -662,9 +666,29 @@ main (int argc, char *argv[]) - */ - if (argv[n] != NULL) - { -- argv[n] = path; -+ /* Must copy because we might replace path later on. */ -+ path_abs = g_strdup(path); -+ /* argv[n:] is used as argv arguments to execv(). The called program -+ * sees the original called path, but we make sure it's absolute. */ -+ if (path_abs != NULL) -+ argv[n] = path_abs; - } - } -+#if _POSIX_C_SOURCE >= 200809L -+ s = realpath(path, NULL); -+#else -+ s = NULL; -+# error We have to deal with realpath(3) PATH_MAX madness -+#endif -+ if (s != NULL) -+ { -+ /* The called program resolved to the canonical location. We don't update -+ * argv[n] this time. The called program still sees the original -+ * called path. This is very important for multi-call binaries like -+ * busybox. */ -+ g_free (path); -+ path = s; -+ } - if (access (path, F_OK) != 0) - { - g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); -@@ -1084,6 +1108,7 @@ main (int argc, char *argv[]) - } - - g_free (original_cwd); -+ g_free (path_abs); - g_free (path); - g_free (command_line); - g_free (cmdline_short); -diff --git a/test/integration/pkexec/test.sh b/test/integration/pkexec/test.sh -index 4c76687b..e57b948f 100755 ---- a/test/integration/pkexec/test.sh -+++ b/test/integration/pkexec/test.sh -@@ -142,3 +142,26 @@ sudo -u "$TEST_USER" expect "$TMP_DIR/SIGTRAP-on-EOF.exp" | tee "$TMP_DIR/SIGTRA - grep -q "AUTHENTICATION FAILED" "$TMP_DIR/SIGTRAP-on-EOF.log" - grep -q "Not authorized" "$TMP_DIR/SIGTRAP-on-EOF.log" - rm -f "$TMP_DIR/SIGTRAP-on-EOF.log" -+ -+: "Check absolute (but not canonicalized) path" -+BASH_ABS=$(command -v bash) -+ln -s "$BASH_ABS" ./my-bash -+sudo -u "$TEST_USER" expect "$TMP_DIR/basic-auth.exp" "$TEST_USER_PASSWORD" ./my-bash -c true | tee "$TMP_DIR/absolute-path.log" -+grep -Eq "Authentication is needed to run \`/.*/${PWD##*/}/./my-bash -c true' as the super user" "$TMP_DIR/absolute-path.log" -+grep -q "AUTHENTICATION COMPLETE" "$TMP_DIR/absolute-path.log" -+rm -f "$TMP_DIR/absolute-path.log" -+rm -f "./my-bash" -+ -+: "Check canonicalized path" -+if command -v strace; then -+ BASH_ABS=$(command -v bash) -+ ln -s "$BASH_ABS" ./my-bash -+ sudo -u "$TEST_USER" strace -s 512 -o "$TMP_DIR/canonical-path.strace" -feexecve \ -+ expect "$TMP_DIR/basic-auth.exp" "$TEST_USER_PASSWORD" ./my-bash -c true | tee "$TMP_DIR/canonical-path.log" -+ cat "$TMP_DIR/canonical-path.strace" -+ grep -qF "execve(\"$BASH_ABS\", [\"$PWD/./my-bash\"," "$TMP_DIR/canonical-path.strace" -+ grep -q "AUTHENTICATION COMPLETE" "$TMP_DIR/canonical-path.log" -+ rm -f "$TMP_DIR/canonical-path.log" "$TMP_DIR/canonical-path.strace" -+ rm -f "./my-bash" -+ rm -f "$TMP_DIR/preload.c" "$TMP_DIR/preload.so" -+fi - diff --git a/sys-auth/polkit/polkit-123-r1.ebuild b/sys-auth/polkit/polkit-123-r1.ebuild deleted file mode 100644 index 34b4e42c38f8..000000000000 --- a/sys-auth/polkit/polkit-123-r1.ebuild +++ /dev/null @@ -1,157 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_11 ) -inherit meson pam pax-utils python-any-r1 systemd xdg-utils - -DESCRIPTION="Policy framework for controlling privileges for system-wide services" -HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://github.com/polkit-org/polkit"; -if [[ ${PV} == *_p* ]] ; then - # Upstream don't make releases very often. Test snapshots throughly - # and review commits, but don't shy away if there's useful stuff there - # we want. - MY_COMMIT="" - SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${MY_COMMIT}/polkit-${MY_COMMIT}.tar.bz2 -> ${P}.tar.bz2" - - S="${WORKDIR}"/${PN}-${MY_COMMIT} -else - SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${PV}/${P}.tar.bz2"; -fi - -LICENSE="LGPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" -IUSE="examples gtk +introspection kde pam selinux systemd test" -# https://gitlab.freedesktop.org/polkit/polkit/-/issues/181 for test restriction -RESTRICT="!test? ( test ) test" - -# This seems to be fixed with 121? -#if [[ ${PV} == *_p* ]] ; then -# RESTRICT="!test? ( test )" -#else -# # Tests currently don't work with meson in the dist tarballs. See -# # https://gitlab.freedesktop.org/polkit/polkit/-/issues/144 -# RESTRICT="test" -#fi - -BDEPEND=" - acct-user/polkitd - app-text/docbook-xml-dtd:4.1.2 - app-text/docbook-xsl-stylesheets - dev-libs/glib - dev-libs/gobject-introspection-common - dev-libs/libxslt - dev-util/glib-utils - sys-devel/gettext - virtual/pkgconfig - introspection? ( >=dev-libs/gobject-introspection-1.82.0-r2 ) - test? ( - $(python_gen_any_dep ' - dev-python/dbus-python[${PYTHON_USEDEP}] - dev-python/python-dbusmock[${PYTHON_USEDEP}] - ') - ) -" -DEPEND=" - >=dev-libs/glib-2.32:2 - dev-libs/expat - dev-lang/duktape:= - pam? ( - sys-auth/pambase - sys-libs/pam - ) - !pam? ( virtual/libcrypt:= ) - systemd? ( sys-apps/systemd:0=[policykit] ) - !systemd? ( sys-auth/elogind ) -" -RDEPEND=" - ${DEPEND} - acct-user/polkitd - selinux? ( sec-policy/selinux-policykit ) -" -PDEPEND=" - gtk? ( || ( - >=gnome-extra/polkit-gnome-0.105 - >=lxde-base/lxsession-0.5.2 - ) ) - kde? ( kde-plasma/polkit-kde-agent ) -" - -DOCS=( docs/TODO HACKING.md NEWS.md README.md ) - -QA_MULTILIB_PATHS=" - usr/lib/polkit-1/polkit-agent-helper-1 - usr/lib/polkit-1/polkitd -" - -PATCHES=( - "${FILESDIR}"/${P}-mozjs-JIT.patch - "${FILESDIR}"/${P}-pkexec-uninitialized.patch -) - -python_check_deps() { - python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" && - python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]" -} - -pkg_setup() { - use test && python-any-r1_pkg_setup -} - -src_prepare() { - default - - # bug #401513 - sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die -} - -src_configure() { - xdg_environment_reset - - local emesonargs=( - --localstatedir="${EPREFIX}"/var - -Dauthfw="$(usex pam pam shadow)" - -Dexamples=false - -Dgtk_doc=false - -Dman=true - -Dos_type=gentoo - -Dsession_tracking="$(usex systemd libsystemd-login libelogind)" - -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)" - -Djs_engine=duktape - -Dlibs-only=false - $(meson_use introspection) - $(meson_use test tests) - $(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '') - ) - meson_src_configure -} - -src_compile() { - meson_src_compile - - # Required for polkitd on hardened/PaX due to spidermonkey's JIT - pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest -} - -src_install() { - meson_src_install - - if use examples ; then - docinto examples - dodoc src/examples/{*.c,*.policy*} - fi - - if [[ ${EUID} == 0 ]]; then - diropts -m 0700 -o polkitd - fi - keepdir /etc/polkit-1/rules.d -} - -pkg_postinst() { - if [[ ${EUID} == 0 ]]; then - chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d - chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d - fi -} diff --git a/sys-auth/polkit/polkit-126-r1.ebuild b/sys-auth/polkit/polkit-126-r1.ebuild deleted file mode 100644 index 1511837ee9fb..000000000000 --- a/sys-auth/polkit/polkit-126-r1.ebuild +++ /dev/null @@ -1,159 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{11..13} ) -inherit meson pam pax-utils python-any-r1 systemd tmpfiles xdg-utils - -DESCRIPTION="Policy framework for controlling privileges for system-wide services" -HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://github.com/polkit-org/polkit"; -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/polkit-org/polkit"; - inherit git-r3 -elif [[ ${PV} == *_p* ]] ; then - # Upstream don't make releases very often. Test snapshots throughly - # and review commits, but don't shy away if there's useful stuff there - # we want. - MY_COMMIT="" - SRC_URI="https://github.com/polkit-org/polkit/archive/${MY_COMMIT}.tar.gz -> ${P}.tar.gz" - - S="${WORKDIR}"/${PN}-${MY_COMMIT} -else - SRC_URI="https://github.com/polkit-org/polkit/archive/refs/tags/${PV}.tar.gz -> ${P}.tar.gz" -fi - -LICENSE="LGPL-2" -SLOT="0" -if [[ ${PV} != 9999 ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" -fi -IUSE="examples gtk +introspection kde pam nls selinux systemd test" -RESTRICT="!test? ( test )" - -BDEPEND=" - acct-user/polkitd - app-text/docbook-xml-dtd:4.1.2 - app-text/docbook-xsl-stylesheets - >=dev-libs/glib-2.32 - dev-libs/gobject-introspection-common - dev-libs/libxslt - dev-util/glib-utils - virtual/pkgconfig - introspection? ( >=dev-libs/gobject-introspection-1.82.0-r2 ) - nls? ( sys-devel/gettext ) - test? ( - $(python_gen_any_dep ' - dev-python/dbus-python[${PYTHON_USEDEP}] - dev-python/python-dbusmock[${PYTHON_USEDEP}] - ') - ) -" -DEPEND=" - >=dev-libs/glib-2.32:2 - dev-libs/expat - dev-lang/duktape:= - pam? ( - sys-auth/pambase - sys-libs/pam - ) - !pam? ( virtual/libcrypt:= ) - systemd? ( sys-apps/systemd:0=[policykit] ) - !systemd? ( sys-auth/elogind ) -" -RDEPEND=" - ${DEPEND} - acct-user/polkitd - selinux? ( sec-policy/selinux-policykit ) -" -PDEPEND=" - gtk? ( || ( - >=gnome-extra/polkit-gnome-0.105 - >=lxde-base/lxsession-0.5.2 - ) ) - kde? ( kde-plasma/polkit-kde-agent ) -" - -DOCS=( docs/TODO HACKING.md NEWS.md README.md ) - -QA_MULTILIB_PATHS=" - usr/lib/polkit-1/polkit-agent-helper-1 - usr/lib/polkit-1/polkitd -" - -PATCHES=( - "${FILESDIR}"/${P}-elogind.patch - "${FILESDIR}"/${P}-realpath.patch - "${FILESDIR}"/${P}-musl.patch -) - -python_check_deps() { - python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" && - python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]" -} - -pkg_setup() { - use test && python-any-r1_pkg_setup -} - -src_prepare() { - default - - # bug #401513 - sed -i -e 's|unix-group:@PRIVILEGED_GROUP@|unix-user:@PRIVILEGED_GROUP@|' src/polkitbackend/*-default.rules.in || die -} - -src_configure() { - xdg_environment_reset - - local emesonargs=( - --localstatedir="${EPREFIX}"/var - -Dauthfw="$(usex pam pam shadow)" - -Dexamples=false - -Dgtk_doc=false - -Dman=true - -Dos_type=gentoo - -Dpam_module_dir=$(getpam_mod_dir) - -Dprivileged_group=0 - -Dsession_tracking="$(usex systemd logind elogind)" - -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)" - -Dlibs-only=false - $(meson_use introspection) - $(meson_use nls gettext) - $(meson_use test tests) - ) - meson_src_configure -} - -src_compile() { - meson_src_compile - - # Required for polkitd on hardened/PaX due to spidermonkey's JIT - pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest -} - -src_install() { - meson_src_install - - # acct-user/polkitd installs its own (albeit with a different filename) - rm -rf "${ED}"/usr/lib/sysusers.d || die - - if use examples ; then - docinto examples - dodoc src/examples/{*.c,*.policy*} - fi - - if [[ ${EUID} == 0 ]]; then - diropts -m 0700 -o polkitd - fi - keepdir /etc/polkit-1/rules.d -} - -pkg_postinst() { - tmpfiles_process polkit-tmpfiles.conf - - if [[ ${EUID} == 0 ]]; then - chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d - chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d - fi -}
