Hello community,

here is the log from the commit of package ca-certificates for openSUSE:Factory 
checked in at 2013-08-30 11:32:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ca-certificates (Old)
 and      /work/SRC/openSUSE:Factory/.ca-certificates.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ca-certificates"

Changes:
--------
--- /work/SRC/openSUSE:Factory/ca-certificates/ca-certificates.changes  
2013-08-24 10:14:38.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ca-certificates.new/ca-certificates.changes     
2013-08-30 11:32:51.000000000 +0200
@@ -1,0 +2,11 @@
+Tue Aug 27 12:53:44 UTC 2013 - lnus...@suse.de
+
+- re-enable the CA bundle again for glib-networking (bnc#825903)
+
+-------------------------------------------------------------------
+Tue Aug 27 07:11:04 UTC 2013 - lnus...@suse.de
+
+- make sure we have p11-kit >= 0.19.3 which has the 'trust' command
+  (bnc#836560)
+
+-------------------------------------------------------------------

Old:
----
  ca-certificates-1_201308051322.tar.xz

New:
----
  ca-certificates-1_201308271454.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ca-certificates.spec ++++++
--- /var/tmp/diff_new_pack.nbLuEO/_old  2013-08-30 11:32:52.000000000 +0200
+++ /var/tmp/diff_new_pack.nbLuEO/_new  2013-08-30 11:32:52.000000000 +0200
@@ -17,10 +17,10 @@
 
 
 # the ca bundle file was meant as compat option for e.g.
-# proprietary packages. Now that I see it abused in free software
-# packages that can be trivially patched to do the right thing I'm
-# disabling this for now again.
-%bcond_with cabundle
+# proprietary packages. It's not meant to be used at all.
+# unfortunately glib-networking has such a complicated abstraction
+# on top of gnutls that we have to live with the bundle for now
+%bcond_without cabundle
 
 BuildRequires:  openssl
 BuildRequires:  p11-kit-devel
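Review bot: The rewritten comment above `%bcond_without cabundle` says why the bundle is back, but gives no pointer for when it can be switched off again. Since the comment itself says the bundle is "not meant to be used at all", I would record the tracking bug from the changelog, e.g. `# re-enabled for glib-networking (bnc#825903); disable again once it uses the system trust API`. Going by the `trust extract --format=pem-bundle --purpose=server-auth --filter=ca-anchors` call in certbundle.run, the bundle is a flat list of server-auth anchors. Consumers of the file presumably do not see other trust purposes or per-certificate restrictions, which is worth one line in the comment as well.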
@@ -29,7 +29,7 @@
 %define ssletcdir %{_sysconfdir}/ssl
 %define cabundle  /var/lib/ca-certificates/ca-bundle.pem
 %define sslcerts  %{ssletcdir}/certs
-Version:        1_201308051322
+Version:        1_201308271454
 Release:        0
 Summary:        Utilities for system wide CA certificate installation
 License:        GPL-2.0+
@@ -40,7 +40,7 @@
 #
 Requires:       openssl
 Requires:       p11-kit
-Requires:       p11-kit-tools
+Requires:       p11-kit-tools >= 0.19.3
 # needed for %post
 Requires(post): coreutils openssl p11-kit-tools
 Recommends:     ca-certificates-mozilla
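Review bot: The version floor is added only to the plain `Requires:` line, while `Requires(post): coreutils openssl p11-kit-tools` directly below it stays unversioned. If the %post scriptlet is what invokes the `trust` command (the `# needed for %post` comment suggests so, though the scriptlet is outside this hunk), the scriptlet dependency should carry the same floor. That way the tool providing `trust` is guaranteed to be in place before the scriptlet runs during an update: `Requires(post): coreutils openssl p11-kit-tools >= 0.19.3`.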

++++++ ca-certificates-1_201308051322.tar.xz -> 
ca-certificates-1_201308271454.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ca-certificates-1_201308051322/certbundle.run 
new/ca-certificates-1_201308271454/certbundle.run
--- old/ca-certificates-1_201308051322/certbundle.run   2013-08-05 
13:22:58.000000000 +0200
+++ new/ca-certificates-1_201308271454/certbundle.run   2013-08-27 
14:54:33.000000000 +0200
@@ -28,7 +28,7 @@
 # functions that know the operating system defaults instead:
 #
 # - openssl: SSL_CTX_set_default_verify_paths()
-# - gnutls: gnutls_x509_trust_list_add_system_trust()
+# - gnutls: gnutls_certificate_set_x509_system_trust(cred)
 #
 EOF
 trust extract --format=pem-bundle --purpose=server-auth --filter=ca-anchors 
$cafile.tmp
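Review bot: The two entries in the hint list are now written in different styles: `SSL_CTX_set_default_verify_paths()` with empty parentheses and `gnutls_certificate_set_x509_system_trust(cred)` with an argument name. I would pick one form for both, e.g. `# - gnutls: gnutls_certificate_set_x509_system_trust()`. The here-document these lines belong to starts outside the hunk, so where the text ends up is not visible here. Separately, `$cafile.tmp` on the `trust extract` context line is unquoted; `"$cafile.tmp"` would be more robust if the path could ever contain whitespace.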
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ca-certificates-1_201308051322/extractcerts.pl 
new/ca-certificates-1_201308271454/extractcerts.pl
--- old/ca-certificates-1_201308051322/extractcerts.pl  2013-08-05 
13:22:58.000000000 +0200
+++ new/ca-certificates-1_201308271454/extractcerts.pl  1970-01-01 
01:00:00.000000000 +0100
@@ -1,217 +0,0 @@
-#!/usr/bin/perl -w
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-use strict;
-use Encode;
-
-my $count = 0;
-my @certificates = ();
-my %trusts = ();
-my $object = undef;
-my $output_trustbits;
-
-my %trust_types = (
-  "CKA_TRUST_DIGITAL_SIGNATURE" => "digital-signature",
-  "CKA_TRUST_NON_REPUDIATION" => "non-repudiation",
-  "CKA_TRUST_KEY_ENCIPHERMENT" => "key-encipherment",
-  "CKA_TRUST_DATA_ENCIPHERMENT" => "data-encipherment",
-  "CKA_TRUST_KEY_AGREEMENT" => "key-agreement",
-  "CKA_TRUST_KEY_CERT_SIGN" => "cert-sign",
-  "CKA_TRUST_CRL_SIGN" => "crl-sign",
-  "CKA_TRUST_SERVER_AUTH" => "server-auth",
-  "CKA_TRUST_CLIENT_AUTH" => "client-auth",
-  "CKA_TRUST_CODE_SIGNING" => "code-signing",
-  "CKA_TRUST_EMAIL_PROTECTION" => "email-protection",
-  "CKA_TRUST_IPSEC_END_SYSTEM" => "ipsec-end-system",
-  "CKA_TRUST_IPSEC_TUNNEL" => "ipsec-tunnel",
-  "CKA_TRUST_IPSEC_USER" => "ipsec-user",
-  "CKA_TRUST_TIME_STAMPING" => "time-stamping",
-  "CKA_TRUST_STEP_UP_APPROVED" => "step-up-approved",
-);
-
-my %openssl_trust = (
-  CKA_TRUST_SERVER_AUTH => 'serverAuth',
-  CKA_TRUST_CLIENT_AUTH => 'clientAuth',
-  CKA_TRUST_EMAIL_PROTECTION => 'emailProtection',
-  CKA_TRUST_CODE_SIGNING => 'codeSigning',
-);
-
-if (@ARGV && $ARGV[0] eq '--trustbits') {
-       shift @ARGV;
-       $output_trustbits = 1;
-}
-
-sub colonhex
-{
-  return join(':', unpack("(H2)*", $_[0]));
-}
-
-sub handle_object($)
-{
-  my $object = shift;
-  return unless $object;
-  if($object->{'CKA_CLASS'} eq 'CKO_CERTIFICATE' && 
$object->{'CKA_CERTIFICATE_TYPE'} eq 'CKC_X_509') {
-    push @certificates, $object;
-  } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_TRUST') {
-    my $label = $object->{'CKA_LABEL'};
-    my $serial = colonhex($object->{'CKA_SERIAL_NUMBER'});
-    die "$label exists ($serial)" if exists($trusts{$label.$serial});
-    $trusts{$label.$serial} = $object;
-  } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_BUILTIN_ROOT_LIST') {
-    # ignore
-  } else {
-    print STDERR "class ", $object->{'CKA_CLASS'} ," not handled\n";
-  }
-}
-
-while(<>) {
-  my @fields = ();
-
-  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
-  next if (/^\s*$/);
-
-  if( /(^CVS_ID\s+)(.*)/ ) {
-    next;
-  }
-
-  # This was taken from the perl faq #4.
-  my $text = $_;
-  push(@fields, $+) while $text =~ m{
-      "([^\"\\]*(?:\\.[^\"\\]*)*)"\s?  # groups the phrase inside the quotes
-    | ([^\s]+)\s?
-    | \s
-  }gx;
-  push(@fields, undef) if substr($text,-1,1) eq '\s';
-
-  if( $fields[0] =~ /BEGINDATA/ ) {
-    next;
-  }
-
-  if( $fields[1] =~ /MULTILINE/ ) {
-    die "expected MULTILINE_OCTAL" unless $fields[1] eq 'MULTILINE_OCTAL';
-    $fields[2] = "";
-    while(<>) {
-      last if /END/;
-      chomp;
-      $fields[2] .= pack("C", oct($+)) while $_ =~ /\G\\([0-3][0-7][0-7])/g;
-    }
-  }
-
-  if( $fields[0] =~ /CKA_CLASS/ ) {
-    $count++;
-    handle_object($object);
-    $object = {};
-  }
-
-  $object->{$fields[0]} = $fields[2];
-}
-handle_object($object);
-undef $object;
-
-use MIME::Base64;
-for my $cert (@certificates) {
-  my $alias = $cert->{'CKA_LABEL'};
-  my $serial = colonhex($cert->{'CKA_SERIAL_NUMBER'});
-  if(!exists($trusts{$alias.$serial})) {
-    print STDERR "NO TRUST: $alias\n";
-    next;
-  }
-  # check trust. We only include certificates that are trusted for identifying
-  # web sites
-  my $trust = $trusts{$alias.$serial};
-  my @addtrust;
-  my @addtrust_openssl;
-  my $trusted;
-  if ($output_trustbits) {
-         for my $type (keys %trust_types) {
-                 if (exists $trust->{$type}
-                 && $trust->{$type} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
-                         push @addtrust, $trust_types{$type};
-                         if (exists $openssl_trust{$type}) {
-                                 push @addtrust_openssl, $openssl_trust{$type};
-                         }
-                         $trusted = 1;
-                 }
-         }
-  } else {
-         if($trust->{'CKA_TRUST_SERVER_AUTH'} eq 
'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
-                 $trusted = 1;
-         }
-  }
-
-  if (!$trusted) {
-         my $t = $trust->{'CKA_TRUST_SERVER_AUTH'};
-         $t =~ s/CKT_NETSCAPE_//;
-         print STDERR "$t: $alias\n";
-         next;
-  }
-
-  if ($alias =~ /\\x[0-9a-fA-F]{2}/) {
-         $alias =~ s/\\x([0-9a-fA-F]{2})/chr(hex($1))/ge; # thanks mls!
-         $alias = Encode::decode("UTF-8", $alias);
-  }
-  my $file = $alias;
-  $alias =~ s/'/-/g;
-  $file =~ s/[^[:alnum:]\\]+/_/g;
-  $file = Encode::encode("UTF-8", $file);
-  if (-e $file.'.pem') {
-    my $i = 1;
-    while (-e $file.".$i.pem") {
-      ++$i;
-    }
-    $file .= ".$i.pem";
-  } else {
-    $file .= '.pem';
-  }
-  if (!open(O, '>', $file)) {
-         print STDERR "$file: $!\n";
-         next;
-  }
-  print "$file\n" if $ENV{'VERBOSE'};
-  my $value = $cert->{'CKA_VALUE'};
-  if ($output_trustbits) {
-         print O "# alias=",Encode::encode("UTF-8", $alias),"\n";
-         print O "# trust=",join(" ", @addtrust),"\n";
-         if (@addtrust_openssl) {
-                 print O "# openssl-trust=",join(" ", @addtrust_openssl),"\n";
-         }
-  }
-  print O "-----BEGIN CERTIFICATE-----\n";
-  print O encode_base64($value);
-  print O "-----END CERTIFICATE-----\n";
-  close O;
-}

-- 