Hello community, here is the log from the commit of package ca-certificates-mozilla for openSUSE:Factory checked in at 2015-01-20 12:26:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ca-certificates-mozilla (Old) and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ca-certificates-mozilla" Changes: -------- --- /work/SRC/openSUSE:Factory/ca-certificates-mozilla/ca-certificates-mozilla.changes 2014-09-08 21:28:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/ca-certificates-mozilla.changes 2015-01-20 12:26:33.000000000 +0100 @@ -1,0 +2,81 @@ +Wed Jan 14 09:40:00 UTC 2015 - meiss...@suse.com + +- diff-from-upstream-2.2.patch: + Temporary reenable some root ca trusts, as openssl/gnutls + have trouble using intermediates as root CA. + + - GTE CyberTrust Global Root + - Thawte Server CA + - Thawte Premium Server CA + - ValiCert Class 1 VA + - ValiCert Class 2 VA + - RSA Root Certificate 1 + - Entrust.net Secure Server CA + - America Online Root Certification Authority 1 + - America Online Root Certification Authority 2 + +------------------------------------------------------------------- +Mon Jan 12 16:45:23 UTC 2015 - meiss...@suse.com + +- Updated to 2.2 (bnc#888534) + - The following CAs were removed: + + America_Online_Root_Certification_Authority_1 + + America_Online_Root_Certification_Authority_2 + + GTE_CyberTrust_Global_Root + + Thawte_Premium_Server_CA + + Thawte_Server_CA + - The following CAs were added: + + COMODO_RSA_Certification_Authority + codeSigning emailProtection serverAuth + + GlobalSign_ECC_Root_CA_-_R4 + codeSigning emailProtection serverAuth + + GlobalSign_ECC_Root_CA_-_R5 + codeSigning emailProtection serverAuth + + USERTrust_ECC_Certification_Authority + codeSigning emailProtection serverAuth + + USERTrust_RSA_Certification_Authority + codeSigning emailProtection serverAuth + + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal + - The following CAs were changed: + + Equifax_Secure_eBusiness_CA_1 + remote code signing and https trust, leave email trust + + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2 + only trust emailProtection + +------------------------------------------------------------------- +Tue Aug 26 13:30:12 UTC 2014 - meiss...@suse.com + +- Updated to 2.1 (bnc#888534) + +- The following 1024-bit CA certificates were removed + - Entrust.net Secure Server Certification Authority + - ValiCert Class 1 Policy Validation Authority + - ValiCert Class 2 Policy Validation Authority + - ValiCert Class 3 Policy Validation Authority + - TDC Internet Root CA +- The following CA certificates were added: + - Certification Authority of WoSign + - CA 沃通根证书 + - DigiCert Assured ID Root G2 + - DigiCert Assured ID Root G3 + - DigiCert Global Root G2 + - DigiCert Global Root G3 + - DigiCert Trusted Root G4 + - QuoVadis Root CA 1 G3 + - QuoVadis Root CA 2 G3 + - QuoVadis Root CA 3 G3 +- The Trust Bits were changed for the following CA certificates + - Class 3 Public Primary Certification Authority + - Class 3 Public Primary Certification Authority + - Class 2 Public Primary Certification Authority - G2 + - VeriSign Class 2 Public Primary Certification Authority - G3 + - AC Raíz Certicámara S.A. + - NetLock Uzleti (Class B) Tanusitvanykiado + - NetLock Expressz (Class C) Tanusitvanykiado + +- certdata-temporary-1024.patch: restore some certificates removed + from NSS as these are still used for some major sites. + openssl is not as clever as NSS in selecting the new ones in the + chain correctly. + +------------------------------------------------------------------- New: ---- diff-from-upstream-2.2.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ca-certificates-mozilla.spec ++++++ --- /var/tmp/diff_new_pack.ILfgMR/_old 2015-01-20 12:26:37.000000000 +0100 +++ /var/tmp/diff_new_pack.ILfgMR/_new 2015-01-20 12:26:37.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package ca-certificates-mozilla # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,8 +25,8 @@ Name: ca-certificates-mozilla # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file: -# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h -Version: 1.97 +# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h +Version: 2.2 Release: 0 Summary: CA certificates for OpenSSL License: MPL-2.0 @@ -34,22 +34,24 @@ Url: http://www.mozilla.org # IMPORTANT: procedure to update certificates: # - Check the log of the cert file: -# http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt +# http://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt # - download the new certdata.txt -# wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt" +# wget -O certdata.txt "http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/certdata.txt" # - run compareoldnew to show fingerprints of new and changed certificates # - check the bugs referenced in hg log and compare the checksum # to output of compareoldnew -# The correct history of the file is actually in the nss repo: -# http://hg.mozilla.org/projects/nss/log/8f026c806587/lib/ckfw/builtins/certdata.txt # - Watch out that blacklisted or untrusted certificates are not # accidentally included! -Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt -Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h +Source: http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt +Source1: http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h # from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval. Source10: certdata2pem.py Source11: %{name}.COPYING Source12: compareoldnew + +# temporary legacy patch +Patch0: diff-from-upstream-2.2.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch # for update-ca-certificates @@ -67,7 +69,10 @@ %prep %setup -qcT + /bin/cp %{SOURCE0} . +patch <%{PATCH0} + install -m 644 %{SOURCE11} COPYING ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"` if [ "%{version}" != "$ver" ]; then ++++++ certdata.txt ++++++ ++++ 4407 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/ca-certificates-mozilla/certdata.txt ++++ and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/certdata.txt ++++++ diff-from-upstream-2.2.patch ++++++ ++++ 1402 lines (skipped) ++++++ nssckbi.h ++++++ --- /var/tmp/diff_new_pack.ILfgMR/_old 2015-01-20 12:26:37.000000000 +0100 +++ /var/tmp/diff_new_pack.ILfgMR/_new 2015-01-20 12:26:37.000000000 +0100 @@ -44,9 +44,9 @@ * whether we may use its full range (0-255) or only 0-99 because * of the comment in the CK_VERSION type definition. */ -#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97 -#define NSS_BUILTINS_LIBRARY_VERSION "1.97" +#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 2 +#define NSS_BUILTINS_LIBRARY_VERSION "2.2" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org