diff options
| author |   Mike Frysinger <vapier@gentoo.org> | 2014-03-19 22:05:23 +0000 |
|---|---|---|
| committer | Mike Frysinger <vapier@gentoo.org> | 2014-03-19 22:05:23 +0000 |
| commit | 67da7ed7f90e05c89086ce0c466a4c526942439f (patch) | |
| tree | 8c1869e23be092bb97c325b856a7e3c81643209e /app-misc/ca-certificates | |
| parent | Keyword amd64-linux and x86-linux (diff) | |
| download | historical-67da7ed7f90e05c89086ce0c466a4c526942439f.tar.gz historical-67da7ed7f90e05c89086ce0c466a4c526942439f.tar.bz2 historical-67da7ed7f90e05c89086ce0c466a4c526942439f.zip | |
Support pulling the cert database out of a nss release #504670 by Helmut Jarausch.
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0xD2E96200
Diffstat (limited to 'app-misc/ca-certificates')
| -rw-r--r-- | app-misc/ca-certificates/ChangeLog | 10 | ||||
| -rw-r--r-- | app-misc/ca-certificates/Manifest | 36 | ||||
| -rw-r--r-- | app-misc/ca-certificates/ca-certificates-20140223.3.15.5.ebuild | 180 | ||||
| -rw-r--r-- | app-misc/ca-certificates/ca-certificates-20140223.ebuild | 125 | ||||
| -rw-r--r-- | app-misc/ca-certificates/metadata.xml | 6 |
5 files changed, 319 insertions, 38 deletions
diff --git a/app-misc/ca-certificates/ChangeLog b/app-misc/ca-certificates/ChangeLog index 86f54a4dbbfa..39f64102c054 100644 --- a/app-misc/ca-certificates/ChangeLog +++ b/app-misc/ca-certificates/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-misc/ca-certificates # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-misc/ca-certificates/ChangeLog,v 1.97 2014/03/19 07:46:25 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-misc/ca-certificates/ChangeLog,v 1.98 2014/03/19 22:05:21 vapier Exp $ + +*ca-certificates-20140223.3.15.5 (19 Mar 2014) + + 19 Mar 2014; Mike Frysinger <vapier@gentoo.org> + +ca-certificates-20140223.3.15.5.ebuild, ca-certificates-20140223.ebuild, + metadata.xml: + Support pulling the cert database out of a nss release #504670 by Helmut + Jarausch. 19 Mar 2014; Mike Frysinger <vapier@gentoo.org> ca-certificates-20130906.ebuild: diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest index be1b9f333699..ecdaffd2d51a 100644 --- a/app-misc/ca-certificates/Manifest +++ b/app-misc/ca-certificates/Manifest @@ -14,7 +14,10 @@ DIST ca-certificates_20121114_all.deb 192630 SHA256 f6991820d1c6431a7db42e92efa5 DIST ca-certificates_20130119_all.deb 185428 SHA256 08f8e5a1fab74a365c284ed4e353b4f14596f5ef533fced6395ead81fb3a76f7 SHA512 b93621e578dfa5ea224b3528839ca250fd9470dc28b17dd82e8669d64a631cb62218f1c53ebdb165ea3fffcaa8717210132215b5407ea0185e76ac2a11c0d157 WHIRLPOOL 9cedaba913d90f9f10ce7c97bcd248400b17c4fc3016e2fc3fca81333094f33ce60997da49144763fe86d705c458a273fd1e279a0237a1e855ae8ffe6d1e4c51 DIST ca-certificates_20130610_all.deb 184342 SHA256 ab20ee409012c980725a6392d71ac0464bb87edd1645221d0eb4ecb32c2e00bd SHA512 6f5f3523d4f70b1a5f2ec45ee36ae2bd706fc713edfdcddab4bafe27c42c2c169f87852abfc7e9daf4d597b633bfcaea08cb0a36ea3a88b770a45c62c134e248 WHIRLPOOL 7dd5e5a0dc0c8a3bc1556aefea5d5544183af68fce234899e56678fcdba4ac988c07f8a76a4f05e4861ed086cc3c1d1c15601d3372bbc4431c8d8e7bb54f1c4a DIST ca-certificates_20130906_all.deb 185064 SHA256 b2326834479192de2298c607bc020715c949cbd4dc5dd6be28a1b3f348eb9b76 SHA512 0410d11843e36fb488698a5ce7e1eda473b91d476c99d8e3bd006705167c9f2ac9a554e7fce1595f3717f1781a1390af345b3e7e4bc1e58c055e0a11321ececa WHIRLPOOL b9cf04b0e080752567a82c8fecffd033d10f19e41c0ecb1e676246947a34d1380002f9860539611dd79b04c47d19f6631a126c5887cff7ee52ff866b36c50109 +DIST ca-certificates_20140223.tar.xz 274768 SHA256 815b7cd97200b0d76450bb3e7d9b65997ac494ab6467b17369f65b2ef94bcb0c SHA512 14855eba51f90ab062b53a0d1986889de9ad7db4cb52bd4d764872b7c90eaaee62920543a4670ab45329469f76365d1e902219397b660034689159f13b8668d8 WHIRLPOOL f841d9a5fa2d4b3d46d06a2de947108ccb8bf7f19c99979822e22f043624656e789ba0340657b21a15560fd6593efa4256efc9f317974bdca8088a3647836e49 DIST ca-certificates_20140223_all.deb 190226 SHA256 13cb11144a97d95a8be130e4bcdd6c9ffc3df269bb194699bcd21ca377e01df2 SHA512 003b6fd2301eee3ca2119781ee75a1b195f142678d4570b598c4b93847de23c4f659152f834db1f0c8866767324d02b27807260cf43f6ae16207538fa419aa31 WHIRLPOOL 179a0bcf341e7de07d02f6574850614ef221851379945db00018d25f485cee6c11915322ee370e72321d81464d7d6bb96401b41029b8f7215a68e46971671deb +DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43 +DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee EBUILD ca-certificates-20090709.ebuild 2126 SHA256 86820ea4d33d9e0e779c0a0d631242b12821bf4135ec6bccd2c284e948c51b19 SHA512 5c47bd113f19d733219b57c5f5845617fd37802a1a2556af928c6affdb30a210ce91d2b9f97a55c13a22c586f20abe0865a8ec7237ba1841bfadd5cba4184e3a WHIRLPOOL 472cffbb69b7888aeca35faf6e03ae7d862f839b74fef6617d2008f12d8ed6b5f9451ea0f536141b7fd80fd6a121dc8617ad1b87634127fe95557c95f74e1089 EBUILD ca-certificates-20110421.ebuild 2119 SHA256 1223e4710e2d72fbb97f93bfa77351912b20b6ea07e83c7672bd24b1d812a634 SHA512 324615e914c150b991576df567b5f5042e527d05cd4674e44060771cf7e0e68cfa8495e432fa925d074b6602334d9b80cec50fdad7ae64cb3633c4c9726b42d6 WHIRLPOOL dffadcbc624cee7b9203c8ff6bba375508679c8d87ebb8a12da543d68cc937159b3f26b95bca94c444522e40c30b5b06741f1116233a6af3c6df5a428218fa16 EBUILD ca-certificates-20110502-r1.ebuild 2116 SHA256 39b705809344be81df5d717a63f7909127481f9ec052c2169d74ac2eda508e68 SHA512 570c7611404cb2cd230bf5925967230aa9e2f90f84bad157d6da522ab5d49c08ae8e6a2170694a094331c549373b2d253388d67a69032f775f9a94dfe476c794 WHIRLPOOL c24f06ad859f69187caacb83ff2835d40d17a7e1e6c03c16cbaf7794c9eab1a2cfb01b7b58290d72abb4f36cec6a655e79efb9a9acd53e99ee5c6d75caf8193e @@ -29,23 +32,24 @@ EBUILD ca-certificates-20121114.ebuild 3225 SHA256 d7fd5b94ac5931d221ffacc1ed9f4 EBUILD ca-certificates-20130119.ebuild 3163 SHA256 3aaec3295ddb8ce08d1c9834835961ff4dfd0b3e1eb18c7cb3447ea6b481a6d8 SHA512 174393d515abdace8945ea7efad61fa08f1a08829a6cf91e9603a2de2f3b0bf733a8e258d016a5480616d5d2ca2065c2307c8e8f88943952a81cd0949827888f WHIRLPOOL aeaacbebac5861d58b065ae279af0e79a8ecb23f66a283a1a4856e32b8b3d8cba77039fe75e021e06a2f560327f2554609fe9787091105e7853d39cdd30b24bc EBUILD ca-certificates-20130610.ebuild 3161 SHA256 f0f9a61e15ba170bbb3ac882ed077d2c02413fa723a53e0786b73f2cd08a9320 SHA512 7fba2c6963cda448346065ea96c251429b6c65db6204b970720e0398003bc2b6949f383a4fdeb66457d5612454d5943f38a010c369de8a01946393629821dcf5 WHIRLPOOL 1b6351270751804f6e896e34a9ab2efbb6f9755c2e00df5a526683a26de908fc9034bfeaa639937fdc572986be6af5bb171da7d2e87e3b1176f81ec3d3b1a1d0 EBUILD ca-certificates-20130906.ebuild 3149 SHA256 ef68ff3cdd8e1d024dd2adb65a5170148a244e0da5b6c50b009d6be701a9fb9b SHA512 cd1c6200eaecd0f56d9aeb3984d2ca082c0385c79d1d0af459216e33e336439137d364a76970a8a2c3254b6b3529ab7c6fd1ec382326e6c87db8871661bc733b WHIRLPOOL 1acd1b5f3b273870f9d9bc5c819cef5e7703a7d396bf38bf534c2ad6276ad21053db5f716d26e3560cf7071c54ce76d3096a94f889f0c1256c838889cfa2e9e4 -EBUILD ca-certificates-20140223.ebuild 3164 SHA256 55ddf0f345f6abfe78c6315deb05c6c9d4fd6f75f8e0bc6503b1beb696e93167 SHA512 7ab294aa56c7cea740c1ad38c056176d8a864bfd3bc11ed959db6827b0761752c393772799ae4b938035ff82779def09b701f62d4ea631a7de714674d7803d39 WHIRLPOOL 9676d9d7b9b8937ad5fe6e617c043c7cf64cfbe13829f16b1b9901d2dd4115a2a6d412d9782a26bc93026a7bddad2412ee7a6f48154a93997b8ec414beff3049 -MISC ChangeLog 14723 SHA256 28d55597326988c5635cd6166aacf5e2f61869ccbcdd4e54f162113a651ff4f6 SHA512 648746a07eefae6ee309134d2037461a7e5f7199828340c34314f8c46d9650e343fe1492897ce87ef7aa183920e26a4654b432ed6514ff3e6e51626f3f8a687c WHIRLPOOL 5edddc42a6221ff925cb2069f6b564bdc9b68114d2d0653d1be641be2c47970d9ad5dab14c69774f73a98f6f8f81b9e39b19f8fe7db721c6441e982ddbcd4efd -MISC metadata.xml 164 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92 SHA512 8eb0d5153d388f6ea069c64b93882244816a0a09aecc0d73cb872121ce0eb24c5ccafa96aad0b620b2300f319e1af101fa7fa6c5d0d561719d49bb07da0a2eca WHIRLPOOL 11a1441bddb7a6c69653c663902b7da5767ae6ad515ac2aabfc42fe37927a1ccc21472deeee454009ff720201a41c3e4a912df42661a0a87150fb46126da2d52 +EBUILD ca-certificates-20140223.3.15.5.ebuild 6261 SHA256 9df29ff7674ead74ec769ed468715abca1892ed4fde8cb7bee71ffbb049666d4 SHA512 73dcd17ab4878218080072d3455ed5dde150300f38f7c909348584d210a4eef4161f26dcaeb71d29e66acb0b1985ce6d605c038f67890742448ef789bdd2a667 WHIRLPOOL bb6eee8bc85774508509a02206bd7bb3738b2eb11f9d885a8be3db630c6c5857aebe1fd1bbbd1ab6c0a826405d0671ba013a2c21439f18cd9e59f2ff4be57361 +EBUILD ca-certificates-20140223.ebuild 6254 SHA256 7796f93aa77bd9945b465a82c268664260759f8220760df9e394281e54e100fe SHA512 cdc42033f5dee3a96da8186d5f683351f8a112caeae15ec7d69f115b537980dd7ecef352eeccb8e982ae683727c1ab2f6dd6baeeef1f0f2f5313525fe3193028 WHIRLPOOL 57faf9400adcabd235a4a49892eb662b49a82ddc9bf4c2e078b098f585bc2c90fe400e041652e75ca7dec1a54795cc5062aa10e6a9831eefeed2ec4d031b03b6 +MISC ChangeLog 15001 SHA256 fdc3061dd9034a69462d6c076ebd52e7a7ab4056b6ff8af9c20fade93f605053 SHA512 44dc1c31e19d9e9ba1ed96a923cc971f2a54e08db49f13f2444e8bc99eb6040f79fb361509a1e2118a5100b4ca636990f8a036128549cf2776eb61a7c9c11fda WHIRLPOOL 715a464b16d8159e0f374ba41a18a5b78390e575ad85647bc57ce8b45ff04e1f1fb7f15bb1a15f78bfbe1d179c41def30f1dd71e5c95a97f416a53529f99c439 +MISC metadata.xml 343 SHA256 770e903b1433ea49a4d4e8fc47084cfa0412e76d2ab59f973d80d2e3db2eaae9 SHA512 3d72166eaf516edbd6d68652f9debbc864046ab548f6e7c171c2790add07f436fb426781f5ef98bfc4b9c3f36e3b616c8b8973e5c601b13f2fa4bdf2bba3f89d WHIRLPOOL bbffa556e696d62479bcdd2d67b03368f412859a1eb9d47ae93f4b364d6e44aca229b20649f97b3a3fc0ad51e2b831b2e1cdd1da84b3abf8ffa17c5e75305088 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) -iQIcBAEBCAAGBQJTKUtSAAoJEPGu1DbS6WIACi4P/RLVqJbsvXhhdKVUdRMIEIvi -UnclJjOQMBM+igMCUKnYZLlAQgC0OrVeNwgltzzh4TqS2jZD9KbZmQpN8W0Gp4R9 -i/+c42rxAlB5y68Ct4wtrOAof4bqGfmurso50HJgsv3SkAkmQtilU2dqGbEcp4At -OiPX/n09pLdthrRuAumu/qLXdi1V/9nNddfXJ2ZqPfLcSwjyM72kiNPlwg/rqBby -WqQpTEpwyaolJo1RLDkAsEOQPVQ0OUOGcu0l3ge8PsPdkUekaiCMCB/6KTub0pfM -MyjC88Zzpv/ozddJCxypY71dR/5AYIWUrFJ0eqJIY8nE2fxUufQmgS69CJEz4128 -yRkDXjqLHlsaEV2pTeTy0/8T/DNGNOODM5I0MEcWH70NOcpfTeTU6Ew8bwEXgMk/ -KdQwMLuwAqwoteYH4fvmGteoJsUlDzZithcpq6GwBjBi4es5JkkELfJ/5sQyZP7k -PEiEvdRXBzp1eIY68tjS1dyj3ILzRRpA/4eYzLnc86jDNN9xGfWMkflmhgPg42EW -bpppnegexnVH+g4Az8BL2f+IT8svzig6/AnpzRpUO3t0G9Y9Qrf2S2BsPJBBxvcJ -8Sy10W8zx9ZjtfI1hUqSReqOUkQWY5GVLr67EoLMiRWFu4Yl/hC1e8pn1U9Ab9+c -WbVfQy5M2gcrhQWxD0v8 -=t3N8 +iQIcBAEBCAAGBQJTKhSmAAoJEPGu1DbS6WIADx8P/jnYb86bsvQnC3O9ybtTnxe+ +Sr6gmUCI3URX2JMgKflFzEuvFsID5rnaUM5oxZwWI+V7d/QvQbKVZ0Z2UNm/fPwH +zWA3S6LlTo3kmY5rOxz0ojHBJ+VvBm7puBDmmkfHnaRFtV3bOW5IKG6hOA1GW1mm +KU33wmHAWhQf7W5aO5XalS7u4udKHrYOmp7S7NWdJ9Z0M30kG4ip9fSmufrAcw6/ +KRczJkhyirolO2fCuqYsExRotHxGBxnVVxcMnFxpDASEVsd0v4H7bWazoIQdiCz4 +OhAUOZlVfVSGRPotj1llDsi96rbEEWBwNUevYH589pwp07b2+Lv/qnsm2712OlCK +sdDmtWehVVwIQxk9h77wJm3dRJMkgSWlB/93VUZn9HCgqjbUTk8CT0OGLXAq3pqj +310l4c07Jgzjx9fLk1hd19qGCuSLdHUMoAZdxAaBScY67eJ369h1d/d2I8RAlpC4 +J2TSfYHMkdx+A2N9JJ71Eb12WH9Z6ENogK7tJvGXy8CFicZN/EpbhCfnnIWRgZqH +omShZqB5aGMNPtoZGDybmeDBHxoKSrvZRnXaRWRgYW59iLbbBKtYz+MxXiy5bPtj +EK1EOluI7UaVMAsFtylnna1tsb+po+N8f51FDN9lMIJesLQ5PjJvDc1hNCD88Zy2 +AUBeMj5KKqMVcIGStpnK +=p1se -----END PGP SIGNATURE----- diff --git a/app-misc/ca-certificates/ca-certificates-20140223.3.15.5.ebuild b/app-misc/ca-certificates/ca-certificates-20140223.3.15.5.ebuild new file mode 100644 index 000000000000..0c3c2558403b --- /dev/null +++ b/app-misc/ca-certificates/ca-certificates-20140223.3.15.5.ebuild @@ -0,0 +1,180 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-misc/ca-certificates/ca-certificates-20140223.3.15.5.ebuild,v 1.1 2014/03/19 22:05:21 vapier Exp $ + +# The Debian ca-certificates package merely takes the CA database as it exists +# in the nss package and repackages it for use by openssl. +# +# The issue with using the compiled debs directly is two fold: +# - they do not update frequently enough for us to rely on them +# - they pull the CA database from nss tip of tree rather than the release +# +# So we take the Debian source tools and combine them with the latest nss +# release to produce (largely) the same end result. The difference is that +# now we know our cert database is kept in sync with nss and, if need be, +# can be sync with nss tip of tree more frequently to respond to bugs. + +# When triaging bugs from users, here's some handy tips: +# - To see what cert is hitting errors, use openssl: +# openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME +# Focus on the errors written to stderr. +# +# - Look at the upstream log as to why certs were added/removed: +# https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt +# +# - If people want to add/remove certs, tell them to file w/mozilla: +# https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk + +EAPI="4" + +inherit eutils + +if [[ ${PV} == *.* ]] ; then + # Compile from source ourselves. + PRECOMPILED=false + inherit versionator + + DEB_VER=$(get_version_component_range 1) + NSS_VER=$(get_version_component_range 2-) + RTM_NAME="NSS_${NSS_VER//./_}_RTM" +else + # Debian precompiled version. + PRECOMPILED=true + inherit unpacker +fi + +DESCRIPTION="Common CA Certificates PEM files" +HOMEPAGE="http://packages.debian.org/sid/ca-certificates" +if ${PRECOMPILED} ; then + #NMU_PR="1" + SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb" +else + SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz + ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz + cacert? ( http://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )" +fi + +LICENSE="MPL-1.1" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" +IUSE="" +${PRECOMPILED} || IUSE+=" +cacert" + +DEPEND="" +if ${PRECOMPILED} ; then + # platforms like AIX don't have a good ar + DEPEND+=" + kernel_AIX? ( app-arch/deb2targz ) + !<sys-apps/portage-2.1.10.41" +fi +# openssl: we run `c_rehash` +# debianutils: we run `run-parts` +RDEPEND="${DEPEND} + dev-libs/openssl + sys-apps/debianutils" + +S=${WORKDIR} + +pkg_setup() { + # For the conversion to having it in CONFIG_PROTECT_MASK, + # we need to tell users about it once manually first. + [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \ + || ewarn "You should run update-ca-certificates manually after etc-update" +} + +src_unpack() { + ${PRECOMPILED} || default + + # Do all the work in the image subdir to avoid conflicting with source + # dirs in $WORKDIR. Need to perform everything in the offset #381937 + mkdir "image/${EPREFIX}" + cd "image/${EPREFIX}" || die + + ${PRECOMPILED} && unpacker_src_unpack +} + +src_prepare() { + cd "image/${EPREFIX}" || die + if ! ${PRECOMPILED} ; then + mkdir -p usr/sbin + cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die + + if use cacert ; then + pushd "${S}"/nss-${NSS_VER} >/dev/null + epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch + popd >/dev/null + fi + fi + + epatch "${FILESDIR}"/${PN}-20110502-root.patch + local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g') + sed -i \ + -e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \ + -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \ + usr/sbin/update-ca-certificates || die +} + +src_compile() { + cd "image/${EPREFIX}" || die + if ! ${PRECOMPILED} ; then + local d="${S}/${PN}/mozilla" + # Grab the database from the nss sources. + cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die + emake -C "${d}" + + # Now move the files to the same places that the precompiled would. + mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla + if use cacert ; then + mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org} + mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die + mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die + fi + mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die + else + mv usr/share/doc/{ca-certificates,${PF}} || die + fi + + ( + echo "# Automatically generated by ${CATEGORY}/${PF}" + echo "# $(date -u)" + echo "# Do not edit." + cd usr/share/ca-certificates + find * -name '*.crt' | LC_ALL=C sort + ) > etc/ca-certificates.conf + + sh usr/sbin/update-ca-certificates --root "${S}/image" || die +} + +src_install() { + cp -pPR image/* "${D}"/ || die + if ! ${PRECOMPILED} ; then + cd ca-certificates + doman sbin/*.8 + dodoc debian/README.* examples/ca-certificates-local/README + fi + + echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates + doenvd 98ca-certificates +} + +pkg_postinst() { + if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then + # if the user has local certs, we need to rebuild again + # to include their stuff in the db. + # However it's too overzealous when the user has custom certs in place. + # --fresh is to clean up dangling symlinks + "${EROOT}"/usr/sbin/update-ca-certificates --root "${EROOT}" + fi + + local c badcerts=0 + for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do + ewarn "Broken symlink for a certificate at $c" + badcerts=1 + done + if [ $badcerts -eq 1 ]; then + ewarn "You MUST remove the above broken symlinks" + ewarn "Otherwise any SSL validation that use the directory may fail!" + ewarn "To batch-remove them, run:" + ewarn "find -L ${EROOT}etc/ssl/certs/ -type l -exec rm {} +" + fi +} diff --git a/app-misc/ca-certificates/ca-certificates-20140223.ebuild b/app-misc/ca-certificates/ca-certificates-20140223.ebuild index a831e9cf8a94..636b129df971 100644 --- a/app-misc/ca-certificates/ca-certificates-20140223.ebuild +++ b/app-misc/ca-certificates/ca-certificates-20140223.ebuild @@ -1,24 +1,72 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-misc/ca-certificates/ca-certificates-20140223.ebuild,v 1.1 2014/03/13 23:31:00 radhermit Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-misc/ca-certificates/ca-certificates-20140223.ebuild,v 1.2 2014/03/19 22:05:21 vapier Exp $ + +# The Debian ca-certificates package merely takes the CA database as it exists +# in the nss package and repackages it for use by openssl. +# +# The issue with using the compiled debs directly is two fold: +# - they do not update frequently enough for us to rely on them +# - they pull the CA database from nss tip of tree rather than the release +# +# So we take the Debian source tools and combine them with the latest nss +# release to produce (largely) the same end result. The difference is that +# now we know our cert database is kept in sync with nss and, if need be, +# can be sync with nss tip of tree more frequently to respond to bugs. + +# When triaging bugs from users, here's some handy tips: +# - To see what cert is hitting errors, use openssl: +# openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME +# Focus on the errors written to stderr. +# +# - Look at the upstream log as to why certs were added/removed: +# https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt +# +# - If people want to add/remove certs, tell them to file w/mozilla: +# https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk EAPI="4" -inherit eutils unpacker +inherit eutils + +if [[ ${PV} == *.* ]] ; then + # Compile from source ourselves. + PRECOMPILED=false + inherit versionator + + DEB_VER=$(get_version_component_range 1) + NSS_VER=$(get_version_component_range 2-) + RTM_NAME="NSS_${NSS_VER//./_}_RTM" +else + # Debian precompiled version. + PRECOMPILED=true + inherit unpacker +fi DESCRIPTION="Common CA Certificates PEM files" HOMEPAGE="http://packages.debian.org/sid/ca-certificates" -#NMU_PR="1" -SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb" +if ${PRECOMPILED} ; then + #NMU_PR="1" + SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb" +else + SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz + ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz + cacert? ( http://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )" +fi LICENSE="MPL-1.1" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" IUSE="" - -# platforms like AIX don't have a good ar -DEPEND="kernel_AIX? ( app-arch/deb2targz ) - !<sys-apps/portage-2.1.10.41" +${PRECOMPILED} || IUSE+=" +cacert" + +DEPEND="" +if ${PRECOMPILED} ; then + # platforms like AIX don't have a good ar + DEPEND+=" + kernel_AIX? ( app-arch/deb2targz ) + !<sys-apps/portage-2.1.10.41" +fi # openssl: we run `c_rehash` # debianutils: we run `run-parts` RDEPEND="${DEPEND} @@ -35,16 +83,29 @@ pkg_setup() { } src_unpack() { - if [[ -n ${EPREFIX} ]] ; then - # need to perform everything in the offset, #381937 - mkdir -p "./${EPREFIX}" - cd "./${EPREFIX}" || die - fi - unpack_deb ${A} + ${PRECOMPILED} || default + + # Do all the work in the image subdir to avoid conflicting with source + # dirs in $WORKDIR. Need to perform everything in the offset #381937 + mkdir "image/${EPREFIX}" + cd "image/${EPREFIX}" || die + + ${PRECOMPILED} && unpacker_src_unpack } src_prepare() { - cd "./${EPREFIX}" || die + cd "image/${EPREFIX}" || die + if ! ${PRECOMPILED} ; then + mkdir -p usr/sbin + cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die + + if use cacert ; then + pushd "${S}"/nss-${NSS_VER} >/dev/null + epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch + popd >/dev/null + fi + fi + epatch "${FILESDIR}"/${PN}-20110502-root.patch local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g') sed -i \ @@ -54,21 +115,43 @@ src_prepare() { } src_compile() { + cd "image/${EPREFIX}" || die + if ! ${PRECOMPILED} ; then + local d="${S}/${PN}/mozilla" + # Grab the database from the nss sources. + cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die + emake -C "${d}" + + # Now move the files to the same places that the precompiled would. + mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla + if use cacert ; then + mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org} + mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die + mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die + fi + mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die + else + mv usr/share/doc/{ca-certificates,${PF}} || die + fi + ( echo "# Automatically generated by ${CATEGORY}/${PF}" echo "# $(date -u)" echo "# Do not edit." - cd "${S}${EPREFIX}"/usr/share/ca-certificates + cd usr/share/ca-certificates find * -name '*.crt' | LC_ALL=C sort - ) > "${S}${EPREFIX}"/etc/ca-certificates.conf + ) > etc/ca-certificates.conf - sh "${S}${EPREFIX}"/usr/sbin/update-ca-certificates --root "${S}" || die + sh usr/sbin/update-ca-certificates --root "${S}/image" || die } src_install() { - cp -pPR . "${D}"/ || die - - mv "${ED}"/usr/share/doc/{ca-certificates,${PF}} || die + cp -pPR image/* "${D}"/ || die + if ! ${PRECOMPILED} ; then + cd ca-certificates + doman sbin/*.8 + dodoc debian/README.* examples/ca-certificates-local/README + fi echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates doenvd 98ca-certificates diff --git a/app-misc/ca-certificates/metadata.xml b/app-misc/ca-certificates/metadata.xml index 96a2d586367d..58355e7c0fce 100644 --- a/app-misc/ca-certificates/metadata.xml +++ b/app-misc/ca-certificates/metadata.xml @@ -2,4 +2,10 @@ <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <pkgmetadata> <herd>base-system</herd> +<use> + <flag name='cacert'> + Include root certs from CAcert (http://http://www.cacert.org/) and + Software in the Public Interest (http://www.spi-inc.org/) + </flag> +</use> </pkgmetadata> |