public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/files/, app-misc/ca-certificates/
@ 2015-09-26 17:46 Mike Frysinger
From: Mike Frysinger @ 2015-09-26 17:46 UTC
  To: gentoo-commits

commit:     26c99295c5d5ed67f6be2a04445d36be70f18ce3
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 26 16:23:19 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Sep 26 17:45:28 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26c99295

app-misc/ca-certificates: version bump to 20150426.3.20

 app-misc/ca-certificates/Manifest                  |   2 +
 .../ca-certificates-20150426.3.20.ebuild           | 190 +++++++++++++++++++++
 .../files/ca-certificates-20150426-root.patch      |  49 ++++++
 3 files changed, 241 insertions(+)

diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest
index 436f77d..901ae7e 100644
--- a/app-misc/ca-certificates/Manifest
+++ b/app-misc/ca-certificates/Manifest
@@ -1,6 +1,8 @@
 DIST ca-certificates_20140927.tar.xz 288824 SHA256 e582724ebb9d5d6fe02d02db1773c9ca76d3aaab4b15375a0d72e9abf88a65c5 SHA512 3cd08559c52aeba763a8ecc0333c7c20838db0111e52d9adf65719f14f858611271d61801a60fb3aea4e74be4a7903c1b462bf889172f5afb774280bb615b98b WHIRLPOOL e32e54b21109b7c44266480a6a5d78693b5ef7ffae1df595c4edfe2cce85d1cd29664e6d916c5bfffb965e4bb01fce6a8327a2ead5bb0ca7cdd8afd04346a270
 DIST ca-certificates_20141019.tar.xz 289092 SHA256 684902d3f4e9ad27829f4af0d9d2d588afed03667997579b9c2be86fcd1eb73a SHA512 5b0e8fb917f5642a5a2b4fde46a706db0c652ff3fb31a5053d9123a5b670b50c6e3cf2496915cc01c613dcbe964d6432f393c12d8a697baedfad58f9d13e568b WHIRLPOOL 6d3c0ccfbd4b1598ed529cb07390baaf741e24c8fd4762aa1786ada7188ec0c4e327513047bca2b93a488681e80b5a8fabc37b98b7f6e5e92cba62580c4cf74f
+DIST ca-certificates_20150426.tar.xz 303256 SHA256 37dbaa93ed64cc4ae93ac295f9248fbc741bd51376438cfb1257f17efab5494f SHA512 920dfc512c018c5338bf07b6a6afcb664d9bfba659d4233ca9e87471d5e0ed05de054c96f3d7e6091549aa6deb46106a79f7f982696081f9b2164e18133eb34d WHIRLPOOL 6d068fa13ffdb1b232b1cdb99063e52e52ee9f4cd44917f4eca263f36b5d4fa3c261b45bbf51143fc08965937adc477afd88c9a909300b619d42ae72b4c4acd9
 DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43
 DIST nss-3.17.2.tar.gz 6927414 SHA256 134929e44e44b968a4883f4ee513a71ae45d55b486cee41ee8e26c3cc84dab8b SHA512 a3d165bb2c578e7b5d90349729e85a2fce09260d069093080c76cce3b8a996c6489232324fd6a0c69b959321bcdf5f1806054f165cd6ce851fe4ffeb2883ae7f WHIRLPOOL 01b3cc546aa2dd0974caa2267aa9874b01cf6096f307a114393ba5a98adc216e0f2b217631b89b20752be5881f70fc1a7e94e0e90618707d5f9b9d18fd55d859
 DIST nss-3.17.4.tar.gz 6924699 SHA256 1d98ad1881a4237ec98cbe472fc851480f0b0e954dfe224d047811fb96ff9d79 SHA512 dfc44e28c303743a72b4553f471089bc991c3cb61d5f3071082c16400d5e4f216f84a2e44536570316fe0e798c14ca370c875dad791a873034595b9e4dd70b89 WHIRLPOOL bb6e1027c5237d12fe58b4c520536022d8d4e83183a78c3421fd46bf9c3503b1f0ca4644240e383f216ec1e5174c0ae4148372db68fb9f1c10275954559d5bbf
 DIST nss-3.19.tar.gz 6951461 SHA256 989ebdf79374f24181f060d332445b1a4baf3df39d08514c4349ba8573cefa9b SHA512 e428d206a4fd30087f275a33771a1d7e753b000e8fc3e7c746972a89d1b32300d3619f430ea15e870d82b3af52785d4dd36ae89c9c496f014f9f323ea373da14 WHIRLPOOL 3a8b58a8a28e31f65f40cfa6a9bd9ca2177a17552082d8de2189da6c92ff7ba9c90be13793666558a2bff609da738cb1f4313968077e1041b8f283d36005e76c
+DIST nss-3.20.tar.gz 6955552 SHA256 5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c SHA512 50f666209cadd4e463f98643ec67e35f4d1b88381e17db9eed7c67559b19799fcc27e49d72536f546d4c45bca2afa4664e5590f868775a4397a77111d68fc366 WHIRLPOOL 84f20e6764b3621762fcfcb9223a3861e1f5ff02078b19b7df2eb58430a5f96943d962dca2d3366b18cd434acf3d3be746242c5064497167d5671c50233834de

diff --git a/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild b/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
new file mode 100644
index 0000000..2431504
--- /dev/null
+++ b/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
@@ -0,0 +1,190 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+# The Debian ca-certificates package merely takes the CA database as it exists
+# in the nss package and repackages it for use by openssl.
+#
+# The issue with using the compiled debs directly is two fold:
+# - they do not update frequently enough for us to rely on them
+# - they pull the CA database from nss tip of tree rather than the release
+#
+# So we take the Debian source tools and combine them with the latest nss
+# release to produce (largely) the same end result.  The difference is that
+# now we know our cert database is kept in sync with nss and, if need be,
+# can be sync with nss tip of tree more frequently to respond to bugs.
+
+# When triaging bugs from users, here's some handy tips:
+# - To see what cert is hitting errors, use openssl:
+#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
+#   Focus on the errors written to stderr.
+#
+# - Look at the upstream log as to why certs were added/removed:
+#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
+#
+# - If people want to add/remove certs, tell them to file w/mozilla:
+#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
+
+EAPI="4"
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils python-any-r1
+
+if [[ ${PV} == *.* ]] ; then
+	# Compile from source ourselves.
+	PRECOMPILED=false
+	inherit versionator
+
+	DEB_VER=$(get_version_component_range 1)
+	NSS_VER=$(get_version_component_range 2-)
+	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
+else
+	# Debian precompiled version.
+	PRECOMPILED=true
+	inherit unpacker
+fi
+
+DESCRIPTION="Common CA Certificates PEM files"
+HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
+NMU_PR=""
+if ${PRECOMPILED} ; then
+	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
+else
+	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
+		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
+		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
+fi
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+IUSE="libressl"
+${PRECOMPILED} || IUSE+=" +cacert"
+
+DEPEND=""
+if ${PRECOMPILED} ; then
+	# platforms like AIX don't have a good ar
+	DEPEND+="
+		kernel_AIX? ( app-arch/deb2targz )
+		!<sys-apps/portage-2.1.10.41"
+fi
+# openssl: we run `c_rehash`; newer version for alt-cert-paths #552540
+# debianutils: we run `run-parts`
+RDEPEND="${DEPEND}
+	!libressl? ( >=dev-libs/openssl-1.0.1o:0 )
+	libressl? (
+		app-misc/c_rehash
+		dev-libs/libressl
+	)
+	sys-apps/debianutils"
+
+if ! ${PRECOMPILED}; then
+	DEPEND+=" ${PYTHON_DEPS}"
+fi
+
+S=${WORKDIR}
+
+pkg_setup() {
+	# For the conversion to having it in CONFIG_PROTECT_MASK,
+	# we need to tell users about it once manually first.
+	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
+		|| ewarn "You should run update-ca-certificates manually after etc-update"
+}
+
+src_unpack() {
+	${PRECOMPILED} || default
+
+	mv ${PN}-*/ ${PN} || die
+
+	# Do all the work in the image subdir to avoid conflicting with source
+	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
+	mkdir -p "image/${EPREFIX}"
+	cd "image/${EPREFIX}" || die
+
+	${PRECOMPILED} && unpacker_src_unpack
+}
+
+src_prepare() {
+	cd "image/${EPREFIX}" || die
+	if ! ${PRECOMPILED} ; then
+		mkdir -p usr/sbin
+		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
+
+		if use cacert ; then
+			pushd "${S}"/nss-${NSS_VER} >/dev/null
+			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
+			popd >/dev/null
+		fi
+	fi
+
+	epatch "${FILESDIR}"/${PN}-20150426-root.patch
+	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
+	sed -i \
+		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
+		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
+		usr/sbin/update-ca-certificates || die
+}
+
+src_compile() {
+	cd "image/${EPREFIX}" || die
+	if ! ${PRECOMPILED} ; then
+		python_setup
+		local d="${S}/${PN}/mozilla"
+		# Grab the database from the nss sources.
+		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
+		emake -C "${d}"
+
+		# Now move the files to the same places that the precompiled would.
+		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
+		if use cacert ; then
+			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
+			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
+			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
+		fi
+		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
+	else
+		mv usr/share/doc/{ca-certificates,${PF}} || die
+	fi
+
+	(
+	echo "# Automatically generated by ${CATEGORY}/${PF}"
+	echo "# $(date -u)"
+	echo "# Do not edit."
+	cd usr/share/ca-certificates
+	find * -name '*.crt' | LC_ALL=C sort
+	) > etc/ca-certificates.conf
+
+	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
+}
+
+src_install() {
+	cp -pPR image/* "${D}"/ || die
+	if ! ${PRECOMPILED} ; then
+		cd ca-certificates
+		doman sbin/*.8
+		dodoc debian/README.* examples/ca-certificates-local/README
+	fi
+
+	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
+	doenvd 98ca-certificates
+}
+
+pkg_postinst() {
+	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
+		# if the user has local certs, we need to rebuild again
+		# to include their stuff in the db.
+		# However it's too overzealous when the user has custom certs in place.
+		# --fresh is to clean up dangling symlinks
+		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
+	fi
+
+	local c badcerts=0
+	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
+		ewarn "Broken symlink for a certificate at $c"
+		badcerts=1
+	done
+	if [ $badcerts -eq 1 ]; then
+		ewarn "Removing the following broken symlinks:"
+		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
+	fi
+}
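
Review bot: In src_compile, the subshell that writes etc/ca-certificates.conf runs `cd usr/share/ca-certificates` with no failure check, and the subshell's exit status is not tested either. If the cd fails, `find * -name '*.crt'` runs from image/${EPREFIX} and the certificate list that update-ca-certificates reads is built from the wrong paths without stopping the build. Suggest `cd usr/share/ca-certificates || exit 1` inside the subshell and `|| die` after the redirect. Separately, the pkg_postinst comment says "--fresh is to clean up dangling symlinks", but the call passes only `--root "${ROOT}"`; either pass the flag or drop the comment, since the `find -L ... -delete` below is what removes them. The first find in that function also uses `"${EROOT}"etc/ssl/certs/` while the second uses `"${EROOT}"/etc/ssl/certs/`; pick one form.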

diff --git a/app-misc/ca-certificates/files/ca-certificates-20150426-root.patch b/app-misc/ca-certificates/files/ca-certificates-20150426-root.patch
new file mode 100644
index 0000000..6e41ac3
--- /dev/null
+++ b/app-misc/ca-certificates/files/ca-certificates-20150426-root.patch
@@ -0,0 +1,49 @@
+add a --root option so we can generate with DESTDIR installs
+
+--- a/image/usr/sbin/update-ca-certificates
++++ b/image/usr/sbin/update-ca-certificates
+@@ -30,6 +30,8 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+ ETCCERTSDIR=/etc/ssl/certs
+ HOOKSDIR=/etc/ca-certificates/update.d
++ROOT=""
++RELPATH=""
+ 
+ while [ $# -gt 0 ];
+ do
+@@ -59,13 +61,25 @@ do
+     --hooksdir)
+       shift
+       HOOKSDIR="$1";;
++    --root|-r)
++      shift
++      # Needed as c_rehash wants to read the files directly.
++      # This gets us from $CERTSCONF to $CERTSDIR.
++      RELPATH="../../.."
++      ROOT=$(readlink -f "$1");;
+     --help|-h|*)
+-      echo "$0: [--verbose] [--fresh]"
++      echo "$0: [--verbose] [--fresh] [--root <dir>]"
+       exit;;
+   esac
+   shift
+ done
+ 
++CERTSCONF="$ROOT$CERTSCONF"
++CERTSDIR="$ROOT$CERTSDIR"
++LOCALCERTSDIR="$ROOT$LOCALCERTSDIR"
++ETCCERTSDIR="$ROOT$ETCCERTSDIR"
++HOOKSDIR="$ROOT$HOOKSDIR"
++
+ if [ ! -s "$CERTSCONF" ]
+ then
+   fresh=1
+@@ -94,7 +107,7 @@ add() {
+                                                   -e 's/,/_/g').pem"
+   if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+   then
+-    ln -sf "$CERT" "$PEM"
++    ln -sf "${RELPATH}${CERT#$ROOT}" "$PEM"
+     echo "+$PEM" >> "$ADDED"
+   fi
+   # Add trailing newline to certificate, if it is missing (#635570)
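
Review bot: In the `--root|-r)` case, the result of `ROOT=$(readlink -f "$1")` is never checked. If the argument is missing or readlink fails, ROOT is empty, the five `$ROOT`-prefixed assignments resolve to the live /etc and /usr paths, and a run meant for a staging directory modifies the host's certificate store instead. Suggest exiting with an error when ROOT is empty or not a directory. In the add() change, `${CERT#$ROOT}` leaves `$ROOT` unquoted inside the expansion, so glob characters in the path are treated as a pattern; `${CERT#"$ROOT"}` strips it literally. RELPATH is also hard-coded to `../../..`, which only matches the default three-level ETCCERTSDIR, so the links break if that directory is changed from its default; worth a comment or a check. The usage string could also list `-r`.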



* [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/files/, app-misc/ca-certificates/
@ 2015-09-26 17:46 Mike Frysinger
From: Mike Frysinger @ 2015-09-26 17:46 UTC
  To: gentoo-commits

commit:     6e28397b91d9a84ccc36f8fdb3499f747d50e3d9
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 26 16:23:38 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Sep 26 17:45:28 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e28397b

app-misc/ca-certificates: add python 3 support #548374

Patch taken from Debian bug report.

 .../ca-certificates-20150426.3.20.ebuild           |  5 +-
 ...ertificates-20150426-nss-certdata2pem-py3.patch | 82 ++++++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild b/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
index 2431504..c37ecde 100644
--- a/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
+++ b/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
@@ -26,7 +26,7 @@
 #   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
 
 EAPI="4"
-PYTHON_COMPAT=( python2_7 )
+PYTHON_COMPAT=( python{2_7,3_3,3_4} )
 
 inherit eutils python-any-r1
 
@@ -123,6 +123,9 @@ src_prepare() {
 		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
 		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
 		usr/sbin/update-ca-certificates || die
+
+	cd "${S}"
+	epatch "${FILESDIR}"/${PN}-20150426-nss-certdata2pem-py3.patch #548374
 }
 
 src_compile() {
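
Review bot: The added `cd "${S}"` has no `|| die`, unlike the sed call directly above it. If the cd fails, epatch is run from whatever directory src_prepare was left in and the failure is reported as a patch that does not apply rather than as the missing directory. Suggest `cd "${S}" || die`. Since the first hunk widens PYTHON_COMPAT to python3_3 and python3_4 on the strength of this patch, a short comment next to the epatch line saying so would help whoever drops the patch later.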

diff --git a/app-misc/ca-certificates/files/ca-certificates-20150426-nss-certdata2pem-py3.patch b/app-misc/ca-certificates/files/ca-certificates-20150426-nss-certdata2pem-py3.patch
new file mode 100644
index 0000000..300ce47
--- /dev/null
+++ b/app-misc/ca-certificates/files/ca-certificates-20150426-nss-certdata2pem-py3.patch
@@ -0,0 +1,82 @@
+https://bugs.debian.org/789753
+https://bugs.gentoo.org/548374
+
+--- a/ca-certificates/mozilla/certdata2pem.py
++++ b/ca-certificates/mozilla/certdata2pem.py
+@@ -53,7 +53,7 @@ for line in open('certdata.txt', 'r'):
+             if type == 'MULTILINE_OCTAL':
+                 line = line.strip()
+                 for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+-                    value += chr(int(i.group(1), 8))
++                    value.append(int(i.group(1), 8))
+             else:
+                 value += line
+             continue
+@@ -70,13 +70,13 @@ for line in open('certdata.txt', 'r'):
+         field, type = line_parts
+         value = None
+     else:
+-        raise NotImplementedError, 'line_parts < 2 not supported.'
++        raise NotImplementedError('line_parts < 2 not supported.')
+     if type == 'MULTILINE_OCTAL':
+         in_multiline = True
+-        value = ""
++        value = bytearray()
+         continue
+     obj[field] = value
+-if len(obj.items()) > 0:
++if len(obj) > 0:
+     objects.append(obj)
+ 
+ # Read blacklist.
+@@ -95,7 +95,7 @@ for obj in objects:
+     if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
+         continue
+     if obj['CKA_LABEL'] in blacklist:
+-        print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
++        print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
+     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+                                           'CKT_NSS_TRUSTED_DELEGATOR'):
+         trust[obj['CKA_LABEL']] = True
+@@ -104,13 +104,13 @@ for obj in objects:
+         trust[obj['CKA_LABEL']] = True
+     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
+                                           'CKT_NSS_NOT_TRUSTED'):
+-        print '!'*74
+-        print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
+-        print '!'*74
++        print('!'*74)
++        print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
++        print('!'*74)
+     else:
+-        print "Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
++        print("Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
+               (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
+-               obj['CKA_TRUST_EMAIL_PROTECTION'])
++               obj['CKA_TRUST_EMAIL_PROTECTION']))
+ 
+ for obj in objects:
+     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+@@ -121,13 +121,19 @@ for obj in objects:
+                                       .replace('(', '=')\
+                                       .replace(')', '=')\
+                                       .replace(',', '_')
+-        bname = bname.decode('string_escape')
++
++        # this is the only way to decode the way NSS stores multi-byte UTF-8
++        if bytes != str:
++            bname = bname.encode('utf-8')
++        bname = bname.decode('unicode_escape').encode('latin-1').decode('utf-8')
+         fname = bname + '.crt'
++
+         if os.path.exists(fname):
+-            print "Found duplicate certificate name %s, renaming." % bname
++            print("Found duplicate certificate name %s, renaming." % bname)
+             fname = bname + '_2.crt'
+         f = open(fname, 'w')
+         f.write("-----BEGIN CERTIFICATE-----\n")
+-        f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
++        encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8')
++        f.write("\n".join(textwrap.wrap(encoded, 64)))
+         f.write("\n-----END CERTIFICATE-----\n")
+ 
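
Review bot: In the last inner hunk (`@@ -121,13 +121,19 @@`), bname ends up as a text string that can contain non-ASCII characters, and `fname = bname + '.crt'` is then passed straight to `open(fname, 'w')`. On Python 3.3/3.4, which the ebuild now allows, the file name is encoded with the locale's filesystem encoding, so a build running under a C/POSIX locale raises UnicodeEncodeError on the first label with a multi-byte character. The old `decode('string_escape')` kept bname as a byte string on Python 2, so this also changes the Python 2 path. Suggest encoding the name to UTF-8 bytes explicitly before `os.path.exists` and `open`, so the output file names do not depend on the build locale. The comment "this is the only way to decode..." would also be clearer if it spelled out the three steps (escape decoding, back to raw bytes via latin-1, then UTF-8).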



* [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/files/, app-misc/ca-certificates/
@ 2016-03-21  2:39 Mike Frysinger
From: Mike Frysinger @ 2016-03-21  2:39 UTC
  To: gentoo-commits

commit:     899fae43aa70ee77e338e8fbaa5f83950a6b8213
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 21 00:05:05 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Mar 21 02:38:59 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=899fae43

app-misc/ca-certificates: drop old <20151214.3.21 versions

 app-misc/ca-certificates/Manifest                  |   7 -
 .../ca-certificates-20140927.3.17.2.ebuild         | 186 --------------------
 .../ca-certificates-20141019.3.17.4.ebuild         | 186 --------------------
 .../ca-certificates-20141019.3.19-r1.ebuild        | 190 --------------------
 .../ca-certificates-20141019.3.19.ebuild           | 186 --------------------
 .../ca-certificates-20150426.3.20-r1.ebuild        | 189 --------------------
 .../ca-certificates-20150426.3.20.ebuild           | 193 ---------------------
 .../files/ca-certificates-20110502-root.patch      | 110 ------------
 .../files/ca-certificates-20141019-root.patch      | 116 -------------
 ...ertificates-20150426-nss-certdata2pem-py3.patch |  97 -----------
 10 files changed, 1460 deletions(-)

diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest
index ba808a2..60ecc83 100644
--- a/app-misc/ca-certificates/Manifest
+++ b/app-misc/ca-certificates/Manifest
@@ -1,11 +1,4 @@
-DIST ca-certificates_20140927.tar.xz 288824 SHA256 e582724ebb9d5d6fe02d02db1773c9ca76d3aaab4b15375a0d72e9abf88a65c5 SHA512 3cd08559c52aeba763a8ecc0333c7c20838db0111e52d9adf65719f14f858611271d61801a60fb3aea4e74be4a7903c1b462bf889172f5afb774280bb615b98b WHIRLPOOL e32e54b21109b7c44266480a6a5d78693b5ef7ffae1df595c4edfe2cce85d1cd29664e6d916c5bfffb965e4bb01fce6a8327a2ead5bb0ca7cdd8afd04346a270
-DIST ca-certificates_20141019.tar.xz 289092 SHA256 684902d3f4e9ad27829f4af0d9d2d588afed03667997579b9c2be86fcd1eb73a SHA512 5b0e8fb917f5642a5a2b4fde46a706db0c652ff3fb31a5053d9123a5b670b50c6e3cf2496915cc01c613dcbe964d6432f393c12d8a697baedfad58f9d13e568b WHIRLPOOL 6d3c0ccfbd4b1598ed529cb07390baaf741e24c8fd4762aa1786ada7188ec0c4e327513047bca2b93a488681e80b5a8fabc37b98b7f6e5e92cba62580c4cf74f
-DIST ca-certificates_20150426.tar.xz 303256 SHA256 37dbaa93ed64cc4ae93ac295f9248fbc741bd51376438cfb1257f17efab5494f SHA512 920dfc512c018c5338bf07b6a6afcb664d9bfba659d4233ca9e87471d5e0ed05de054c96f3d7e6091549aa6deb46106a79f7f982696081f9b2164e18133eb34d WHIRLPOOL 6d068fa13ffdb1b232b1cdb99063e52e52ee9f4cd44917f4eca263f36b5d4fa3c261b45bbf51143fc08965937adc477afd88c9a909300b619d42ae72b4c4acd9
 DIST ca-certificates_20151214.tar.xz 293672 SHA256 59286e6403f482a24c672e09b810c7d089a73153d4772ff4a66e86053a920525 SHA512 acee5565aa7d1f0cc120a6abb6503e0ac4b4e12f5fd1cb12442ec1374ae1570ec6dc3a8f3a247fad6835a29d96e856f12c664f466e92344db3aa1ae6292a27ac WHIRLPOOL c03d214fb15a791c14f235c58296fb06f1408c98bb78049f58b3ebf7bc1c1cea4662f90a031d86de2548267feacf6a9e3fef957aa44a19e29e9a6ba803aaa3fa
 DIST ca-certificates_20160104.tar.xz 293632 SHA256 09eb770122e23260316120c0cbbddc8a1d33e7147210ce44e146084d5d5abcdd SHA512 4291ba58057b66d56853162b71862832135eab6f444a5e2cf3dd1089495d44624246dc0c540871851fe9aaceb42054516309402525c8f16a88911d3af9c3518a WHIRLPOOL 8a45acdf2c0673156bc546808df5160ebbfc3a85d775cefa8918c5b64ea6ba905e89017689a407a20444f3e550133c2af228f4d4a878670af50d88fc4739edeb
 DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43
-DIST nss-3.17.2.tar.gz 6927414 SHA256 134929e44e44b968a4883f4ee513a71ae45d55b486cee41ee8e26c3cc84dab8b SHA512 a3d165bb2c578e7b5d90349729e85a2fce09260d069093080c76cce3b8a996c6489232324fd6a0c69b959321bcdf5f1806054f165cd6ce851fe4ffeb2883ae7f WHIRLPOOL 01b3cc546aa2dd0974caa2267aa9874b01cf6096f307a114393ba5a98adc216e0f2b217631b89b20752be5881f70fc1a7e94e0e90618707d5f9b9d18fd55d859
-DIST nss-3.17.4.tar.gz 6924699 SHA256 1d98ad1881a4237ec98cbe472fc851480f0b0e954dfe224d047811fb96ff9d79 SHA512 dfc44e28c303743a72b4553f471089bc991c3cb61d5f3071082c16400d5e4f216f84a2e44536570316fe0e798c14ca370c875dad791a873034595b9e4dd70b89 WHIRLPOOL bb6e1027c5237d12fe58b4c520536022d8d4e83183a78c3421fd46bf9c3503b1f0ca4644240e383f216ec1e5174c0ae4148372db68fb9f1c10275954559d5bbf
-DIST nss-3.19.tar.gz 6951461 SHA256 989ebdf79374f24181f060d332445b1a4baf3df39d08514c4349ba8573cefa9b SHA512 e428d206a4fd30087f275a33771a1d7e753b000e8fc3e7c746972a89d1b32300d3619f430ea15e870d82b3af52785d4dd36ae89c9c496f014f9f323ea373da14 WHIRLPOOL 3a8b58a8a28e31f65f40cfa6a9bd9ca2177a17552082d8de2189da6c92ff7ba9c90be13793666558a2bff609da738cb1f4313968077e1041b8f283d36005e76c
-DIST nss-3.20.tar.gz 6955552 SHA256 5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c SHA512 50f666209cadd4e463f98643ec67e35f4d1b88381e17db9eed7c67559b19799fcc27e49d72536f546d4c45bca2afa4664e5590f868775a4397a77111d68fc366 WHIRLPOOL 84f20e6764b3621762fcfcb9223a3861e1f5ff02078b19b7df2eb58430a5f96943d962dca2d3366b18cd434acf3d3be746242c5064497167d5671c50233834de
 DIST nss-3.21.tar.gz 6978112 SHA256 3f7a5b027d7cdd5c0e4ff7544da33fdc6f56c2f8c27fff02938fd4a6fbe87239 SHA512 0645465b5d1ab05d819355a3f4a2879499539a00d95bfab3ca14a7dcd901e510b5d9ae797386ff5a42f68b0b57f7bbec4ec9d3a85ebd508eb824aba1fb589d53 WHIRLPOOL 7504d83de606d61840e06cb855ea688eb022d5eef062bcb7ac4d1064db96b96e35ae4ce0aff9d389a2140a7c3b974aaa9a86ada52af1199d462fdb48b11b42e4

diff --git a/app-misc/ca-certificates/ca-certificates-20140927.3.17.2.ebuild b/app-misc/ca-certificates/ca-certificates-20140927.3.17.2.ebuild
deleted file mode 100644
index d5538e5..0000000
--- a/app-misc/ca-certificates/ca-certificates-20140927.3.17.2.ebuild
+++ /dev/null
@@ -1,186 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result.  The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-#   Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI="4"
-PYTHON_COMPAT=( python2_7 )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
-	# Compile from source ourselves.
-	PRECOMPILED=false
-	inherit versionator
-
-	DEB_VER=$(get_version_component_range 1)
-	NSS_VER=$(get_version_component_range 2-)
-	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
-	# Debian precompiled version.
-	PRECOMPILED=true
-	inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
-		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
-		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE=""
-${PRECOMPILED} || IUSE+=" +cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
-	# platforms like AIX don't have a good ar
-	DEPEND+="
-		kernel_AIX? ( app-arch/deb2targz )
-		!<sys-apps/portage-2.1.10.41"
-fi
-# openssl: we run `c_rehash`
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
-	dev-libs/openssl
-	sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
-	DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
-	# For the conversion to having it in CONFIG_PROTECT_MASK,
-	# we need to tell users about it once manually first.
-	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
-		|| ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
-	${PRECOMPILED} || default
-
-	mv ${PN}-*/ ${PN} || die
-
-	# Do all the work in the image subdir to avoid conflicting with source
-	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
-	mkdir -p "image/${EPREFIX}"
-	cd "image/${EPREFIX}" || die
-
-	${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		mkdir -p usr/sbin
-		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
-		if use cacert ; then
-			pushd "${S}"/nss-${NSS_VER} >/dev/null
-			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
-			popd >/dev/null
-		fi
-	fi
-
-	epatch "${FILESDIR}"/${PN}-20110502-root.patch
-	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
-	sed -i \
-		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
-		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
-		usr/sbin/update-ca-certificates || die
-}
-
-src_compile() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		python_setup
-		local d="${S}/${PN}/mozilla"
-		# Grab the database from the nss sources.
-		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
-		emake -C "${d}"
-
-		# Now move the files to the same places that the precompiled would.
-		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
-		if use cacert ; then
-			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
-			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
-			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
-		fi
-		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
-	else
-		mv usr/share/doc/{ca-certificates,${PF}} || die
-	fi
-
-	(
-	echo "# Automatically generated by ${CATEGORY}/${PF}"
-	echo "# $(date -u)"
-	echo "# Do not edit."
-	cd usr/share/ca-certificates
-	find * -name '*.crt' | LC_ALL=C sort
-	) > etc/ca-certificates.conf
-
-	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
-	cp -pPR image/* "${D}"/ || die
-	if ! ${PRECOMPILED} ; then
-		cd ca-certificates
-		doman sbin/*.8
-		dodoc debian/README.* examples/ca-certificates-local/README
-	fi
-
-	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
-	doenvd 98ca-certificates
-}
-
-pkg_postinst() {
-	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
-		# if the user has local certs, we need to rebuild again
-		# to include their stuff in the db.
-		# However it's too overzealous when the user has custom certs in place.
-		# --fresh is to clean up dangling symlinks
-		"${EROOT}"/usr/sbin/update-ca-certificates --root "${EROOT}"
-	fi
-
-	local c badcerts=0
-	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
-		ewarn "Broken symlink for a certificate at $c"
-		badcerts=1
-	done
-	if [ $badcerts -eq 1 ]; then
-		ewarn "Removing the following broken symlinks:"
-		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
-	fi
-}
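
Review bot: The commit message says only "drop old <20151214.3.21 versions" and does not record that a stable replacement stays in the tree. This ebuild's KEYWORDS line lists stable arches (`alpha amd64 arm arm64 hppa ...` without `~`), while the 20141019.3.17.4 and 20150426.3.20 ebuilds shown in this thread are `~arch` throughout, so removing it drops the stable version for those arches unless 20151214.3.21 or later is already stable. Suggest stating that in the commit message, or keeping this ebuild until stabilization is done.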

diff --git a/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild b/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild
deleted file mode 100644
index 89bc13e..0000000
--- a/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild
+++ /dev/null
@@ -1,186 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result.  The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-#   Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI="4"
-PYTHON_COMPAT=( python2_7 )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
-	# Compile from source ourselves.
-	PRECOMPILED=false
-	inherit versionator
-
-	DEB_VER=$(get_version_component_range 1)
-	NSS_VER=$(get_version_component_range 2-)
-	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
-	# Debian precompiled version.
-	PRECOMPILED=true
-	inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
-		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
-		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE=""
-${PRECOMPILED} || IUSE+=" +cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
-	# platforms like AIX don't have a good ar
-	DEPEND+="
-		kernel_AIX? ( app-arch/deb2targz )
-		!<sys-apps/portage-2.1.10.41"
-fi
-# openssl: we run `c_rehash`; newer version for alt-cert-paths #552540
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
-	>=dev-libs/openssl-1.0.1o
-	sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
-	DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
-	# For the conversion to having it in CONFIG_PROTECT_MASK,
-	# we need to tell users about it once manually first.
-	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
-		|| ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
-	${PRECOMPILED} || default
-
-	mv ${PN}-*/ ${PN} || die
-
-	# Do all the work in the image subdir to avoid conflicting with source
-	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
-	mkdir -p "image/${EPREFIX}"
-	cd "image/${EPREFIX}" || die
-
-	${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		mkdir -p usr/sbin
-		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
-		if use cacert ; then
-			pushd "${S}"/nss-${NSS_VER} >/dev/null
-			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
-			popd >/dev/null
-		fi
-	fi
-
-	epatch "${FILESDIR}"/${PN}-20141019-root.patch
-	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
-	sed -i \
-		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
-		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
-		usr/sbin/update-ca-certificates || die
-}
-
-src_compile() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		python_setup
-		local d="${S}/${PN}/mozilla"
-		# Grab the database from the nss sources.
-		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
-		emake -C "${d}"
-
-		# Now move the files to the same places that the precompiled would.
-		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
-		if use cacert ; then
-			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
-			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
-			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
-		fi
-		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
-	else
-		mv usr/share/doc/{ca-certificates,${PF}} || die
-	fi
-
-	(
-	echo "# Automatically generated by ${CATEGORY}/${PF}"
-	echo "# $(date -u)"
-	echo "# Do not edit."
-	cd usr/share/ca-certificates
-	find * -name '*.crt' | LC_ALL=C sort
-	) > etc/ca-certificates.conf
-
-	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
-	cp -pPR image/* "${D}"/ || die
-	if ! ${PRECOMPILED} ; then
-		cd ca-certificates
-		doman sbin/*.8
-		dodoc debian/README.* examples/ca-certificates-local/README
-	fi
-
-	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
-	doenvd 98ca-certificates
-}
-
-pkg_postinst() {
-	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
-		# if the user has local certs, we need to rebuild again
-		# to include their stuff in the db.
-		# However it's too overzealous when the user has custom certs in place.
-		# --fresh is to clean up dangling symlinks
-		"${EROOT}"/usr/sbin/update-ca-certificates --root "${EROOT}"
-	fi
-
-	local c badcerts=0
-	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
-		ewarn "Broken symlink for a certificate at $c"
-		badcerts=1
-	done
-	if [ $badcerts -eq 1 ]; then
-		ewarn "Removing the following broken symlinks:"
-		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
-	fi
-}
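
Review bot: pkg_postinst passes `--root "${EROOT}"`, but the sed in src_prepare (`s:ROOT/:ROOT'"${EPREFIX}"'/:`) already writes `${EPREFIX}` into every `="$ROOT/` path of update-ca-certificates, and src_compile accordingly passes `--root "${S}/image"` with the prefix left out. On a Prefix install the post-install run would therefore resolve its paths under a doubled prefix. `--root "${ROOT}"` is the argument that matches what the sed produces, and it is worth confirming that no ebuild left in the tree still uses the `${EROOT}` form.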

diff --git a/app-misc/ca-certificates/ca-certificates-20141019.3.19-r1.ebuild b/app-misc/ca-certificates/ca-certificates-20141019.3.19-r1.ebuild
deleted file mode 100644
index 309784d..0000000
--- a/app-misc/ca-certificates/ca-certificates-20141019.3.19-r1.ebuild
+++ /dev/null
@@ -1,190 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result.  The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-#   Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI="4"
-PYTHON_COMPAT=( python2_7 )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
-	# Compile from source ourselves.
-	PRECOMPILED=false
-	inherit versionator
-
-	DEB_VER=$(get_version_component_range 1)
-	NSS_VER=$(get_version_component_range 2-)
-	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
-	# Debian precompiled version.
-	PRECOMPILED=true
-	inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
-		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
-		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE="libressl"
-${PRECOMPILED} || IUSE+=" +cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
-	# platforms like AIX don't have a good ar
-	DEPEND+="
-		kernel_AIX? ( app-arch/deb2targz )
-		!<sys-apps/portage-2.1.10.41"
-fi
-# openssl: we run `c_rehash`; newer version for alt-cert-paths #552540
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
-	!libressl? ( >=dev-libs/openssl-1.0.1o:0 )
-	libressl? (
-		app-misc/c_rehash
-		dev-libs/libressl
-	)
-	sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
-	DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
-	# For the conversion to having it in CONFIG_PROTECT_MASK,
-	# we need to tell users about it once manually first.
-	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
-		|| ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
-	${PRECOMPILED} || default
-
-	mv ${PN}-*/ ${PN} || die
-
-	# Do all the work in the image subdir to avoid conflicting with source
-	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
-	mkdir -p "image/${EPREFIX}"
-	cd "image/${EPREFIX}" || die
-
-	${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		mkdir -p usr/sbin
-		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
-		if use cacert ; then
-			pushd "${S}"/nss-${NSS_VER} >/dev/null
-			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
-			popd >/dev/null
-		fi
-	fi
-
-	epatch "${FILESDIR}"/${PN}-20141019-root.patch
-	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
-	sed -i \
-		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
-		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
-		usr/sbin/update-ca-certificates || die
-}
-
-src_compile() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		python_setup
-		local d="${S}/${PN}/mozilla"
-		# Grab the database from the nss sources.
-		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
-		emake -C "${d}"
-
-		# Now move the files to the same places that the precompiled would.
-		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
-		if use cacert ; then
-			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
-			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
-			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
-		fi
-		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
-	else
-		mv usr/share/doc/{ca-certificates,${PF}} || die
-	fi
-
-	(
-	echo "# Automatically generated by ${CATEGORY}/${PF}"
-	echo "# $(date -u)"
-	echo "# Do not edit."
-	cd usr/share/ca-certificates
-	find * -name '*.crt' | LC_ALL=C sort
-	) > etc/ca-certificates.conf
-
-	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
-	cp -pPR image/* "${D}"/ || die
-	if ! ${PRECOMPILED} ; then
-		cd ca-certificates
-		doman sbin/*.8
-		dodoc debian/README.* examples/ca-certificates-local/README
-	fi
-
-	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
-	doenvd 98ca-certificates
-}
-
-pkg_postinst() {
-	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
-		# if the user has local certs, we need to rebuild again
-		# to include their stuff in the db.
-		# However it's too overzealous when the user has custom certs in place.
-		# --fresh is to clean up dangling symlinks
-		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
-	fi
-
-	local c badcerts=0
-	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
-		ewarn "Broken symlink for a certificate at $c"
-		badcerts=1
-	done
-	if [ $badcerts -eq 1 ]; then
-		ewarn "Removing the following broken symlinks:"
-		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
-	fi
-}
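
Review bot: the RDEPEND comment says a newer c_rehash is needed for alt-cert-paths (#552540), yet only the `!libressl?` branch enforces a version (`>=dev-libs/openssl-1.0.1o:0`); under `libressl?` the dependency is a bare `app-misc/c_rehash`, so any installed version satisfies it. A version bound on `app-misc/c_rehash` in that branch would hold both branches to the same requirement.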

diff --git a/app-misc/ca-certificates/ca-certificates-20141019.3.19.ebuild b/app-misc/ca-certificates/ca-certificates-20141019.3.19.ebuild
deleted file mode 100644
index 4551747..0000000
--- a/app-misc/ca-certificates/ca-certificates-20141019.3.19.ebuild
+++ /dev/null
@@ -1,186 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result.  The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-#   Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI="4"
-PYTHON_COMPAT=( python2_7 )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
-	# Compile from source ourselves.
-	PRECOMPILED=false
-	inherit versionator
-
-	DEB_VER=$(get_version_component_range 1)
-	NSS_VER=$(get_version_component_range 2-)
-	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
-	# Debian precompiled version.
-	PRECOMPILED=true
-	inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
-		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
-		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE=""
-${PRECOMPILED} || IUSE+=" +cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
-	# platforms like AIX don't have a good ar
-	DEPEND+="
-		kernel_AIX? ( app-arch/deb2targz )
-		!<sys-apps/portage-2.1.10.41"
-fi
-# openssl: we run `c_rehash`; newer version for alt-cert-paths #552540
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
-	>=dev-libs/openssl-1.0.1o
-	sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
-	DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
-	# For the conversion to having it in CONFIG_PROTECT_MASK,
-	# we need to tell users about it once manually first.
-	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
-		|| ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
-	${PRECOMPILED} || default
-
-	mv ${PN}-*/ ${PN} || die
-
-	# Do all the work in the image subdir to avoid conflicting with source
-	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
-	mkdir -p "image/${EPREFIX}"
-	cd "image/${EPREFIX}" || die
-
-	${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		mkdir -p usr/sbin
-		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
-		if use cacert ; then
-			pushd "${S}"/nss-${NSS_VER} >/dev/null
-			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
-			popd >/dev/null
-		fi
-	fi
-
-	epatch "${FILESDIR}"/${PN}-20141019-root.patch
-	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
-	sed -i \
-		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
-		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
-		usr/sbin/update-ca-certificates || die
-}
-
-src_compile() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		python_setup
-		local d="${S}/${PN}/mozilla"
-		# Grab the database from the nss sources.
-		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
-		emake -C "${d}"
-
-		# Now move the files to the same places that the precompiled would.
-		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
-		if use cacert ; then
-			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
-			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
-			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
-		fi
-		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
-	else
-		mv usr/share/doc/{ca-certificates,${PF}} || die
-	fi
-
-	(
-	echo "# Automatically generated by ${CATEGORY}/${PF}"
-	echo "# $(date -u)"
-	echo "# Do not edit."
-	cd usr/share/ca-certificates
-	find * -name '*.crt' | LC_ALL=C sort
-	) > etc/ca-certificates.conf
-
-	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
-	cp -pPR image/* "${D}"/ || die
-	if ! ${PRECOMPILED} ; then
-		cd ca-certificates
-		doman sbin/*.8
-		dodoc debian/README.* examples/ca-certificates-local/README
-	fi
-
-	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
-	doenvd 98ca-certificates
-}
-
-pkg_postinst() {
-	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
-		# if the user has local certs, we need to rebuild again
-		# to include their stuff in the db.
-		# However it's too overzealous when the user has custom certs in place.
-		# --fresh is to clean up dangling symlinks
-		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
-	fi
-
-	local c badcerts=0
-	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
-		ewarn "Broken symlink for a certificate at $c"
-		badcerts=1
-	done
-	if [ $badcerts -eq 1 ]; then
-		ewarn "Removing the following broken symlinks:"
-		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
-	fi
-}
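
Review bot: `IUSE+=" +cacert"` enables by default a path that patches the NSS sources with nss-3.14.1-add_spi+cacerts_ca_certs.patch and installs cacert.org_root.crt and spi-cacert-2008.crt alongside the Mozilla set, while the header comment describes the goal as keeping the cert database in sync with nss. Since this changes the default trust store relative to the NSS release, the header should say so explicitly, or the flag should be opt-in rather than `+cacert`.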

diff --git a/app-misc/ca-certificates/ca-certificates-20150426.3.20-r1.ebuild b/app-misc/ca-certificates/ca-certificates-20150426.3.20-r1.ebuild
deleted file mode 100644
index 249bd53..0000000
--- a/app-misc/ca-certificates/ca-certificates-20150426.3.20-r1.ebuild
+++ /dev/null
@@ -1,189 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result.  The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-#   Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI="4"
-PYTHON_COMPAT=( python{2_7,3_3,3_4} )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
-	# Compile from source ourselves.
-	PRECOMPILED=false
-	inherit versionator
-
-	DEB_VER=$(get_version_component_range 1)
-	NSS_VER=$(get_version_component_range 2-)
-	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
-	# Debian precompiled version.
-	PRECOMPILED=true
-	inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
-		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
-		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE=""
-${PRECOMPILED} || IUSE+=" +cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
-	# platforms like AIX don't have a good ar
-	DEPEND+="
-		kernel_AIX? ( app-arch/deb2targz )
-		!<sys-apps/portage-2.1.10.41"
-fi
-# c_rehash: we run `c_rehash`; newer version for alt-cert-paths #552540
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
-	>=app-misc/c_rehash-1.7-r1
-	sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
-	DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
-	# For the conversion to having it in CONFIG_PROTECT_MASK,
-	# we need to tell users about it once manually first.
-	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
-		|| ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
-	${PRECOMPILED} || default
-
-	mv ${PN}-*/ ${PN} || die
-
-	# Do all the work in the image subdir to avoid conflicting with source
-	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
-	mkdir -p "image/${EPREFIX}"
-	cd "image/${EPREFIX}" || die
-
-	${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		mkdir -p usr/sbin
-		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
-		if use cacert ; then
-			pushd "${S}"/nss-${NSS_VER} >/dev/null
-			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
-			popd >/dev/null
-		fi
-	fi
-
-	epatch "${FILESDIR}"/${PN}-20150426-root.patch
-	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
-	sed -i \
-		-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
-		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
-		usr/sbin/update-ca-certificates || die
-
-	cd "${S}"
-	epatch "${FILESDIR}"/${PN}-20150426-nss-certdata2pem-py3.patch #548374
-}
-
-src_compile() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		python_setup
-		local d="${S}/${PN}/mozilla"
-		# Grab the database from the nss sources.
-		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
-		emake -C "${d}"
-
-		# Now move the files to the same places that the precompiled would.
-		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
-		if use cacert ; then
-			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
-			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
-			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
-		fi
-		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
-	else
-		mv usr/share/doc/{ca-certificates,${PF}} || die
-	fi
-
-	(
-	echo "# Automatically generated by ${CATEGORY}/${PF}"
-	echo "# $(date -u)"
-	echo "# Do not edit."
-	cd usr/share/ca-certificates
-	find * -name '*.crt' | LC_ALL=C sort
-	) > etc/ca-certificates.conf
-
-	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
-	cp -pPR image/* "${D}"/ || die
-	if ! ${PRECOMPILED} ; then
-		cd ca-certificates
-		doman sbin/*.8
-		dodoc debian/README.* examples/ca-certificates-local/README
-	fi
-
-	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
-	doenvd 98ca-certificates
-}
-
-pkg_postinst() {
-	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
-		# if the user has local certs, we need to rebuild again
-		# to include their stuff in the db.
-		# However it's too overzealous when the user has custom certs in place.
-		# --fresh is to clean up dangling symlinks
-		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
-	fi
-
-	local c badcerts=0
-	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
-		ewarn "Broken symlink for a certificate at $c"
-		badcerts=1
-	done
-	if [ $badcerts -eq 1 ]; then
-		ewarn "Removing the following broken symlinks:"
-		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
-	fi
-}
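
Review bot: the `|| die` on the sed in src_prepare only catches a sed failure, not a substitution that matched nothing. The expression in this revision (`s:ROOT:ROOT'"${EPREFIX}"':`) depends on the exact text that ${PN}-20150426-root.patch leaves in update-ca-certificates, so a change in that patch could leave the script without the prefix and produce no build error. A `grep -q` for the `="$ROOT` lines in usr/sbin/update-ca-certificates before the sed, with its own `|| die`, would make a mismatch fail the build.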

diff --git a/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild b/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
deleted file mode 100644
index c37ecde..0000000
--- a/app-misc/ca-certificates/ca-certificates-20150426.3.20.ebuild
+++ /dev/null
@@ -1,193 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result.  The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-#   Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI="4"
-PYTHON_COMPAT=( python{2_7,3_3,3_4} )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
-	# Compile from source ourselves.
-	PRECOMPILED=false
-	inherit versionator
-
-	DEB_VER=$(get_version_component_range 1)
-	NSS_VER=$(get_version_component_range 2-)
-	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
-	# Debian precompiled version.
-	PRECOMPILED=true
-	inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="http://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
-	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
-		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
-		cacert? ( https://dev.gentoo.org/~anarchy/patches/nss-3.14.1-add_spi+cacerts_ca_certs.patch )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE="libressl"
-${PRECOMPILED} || IUSE+=" +cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
-	# platforms like AIX don't have a good ar
-	DEPEND+="
-		kernel_AIX? ( app-arch/deb2targz )
-		!<sys-apps/portage-2.1.10.41"
-fi
-# openssl: we run `c_rehash`; newer version for alt-cert-paths #552540
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
-	!libressl? ( >=dev-libs/openssl-1.0.1o:0 )
-	libressl? (
-		app-misc/c_rehash
-		dev-libs/libressl
-	)
-	sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
-	DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
-	# For the conversion to having it in CONFIG_PROTECT_MASK,
-	# we need to tell users about it once manually first.
-	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
-		|| ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
-	${PRECOMPILED} || default
-
-	mv ${PN}-*/ ${PN} || die
-
-	# Do all the work in the image subdir to avoid conflicting with source
-	# dirs in $WORKDIR.  Need to perform everything in the offset #381937
-	mkdir -p "image/${EPREFIX}"
-	cd "image/${EPREFIX}" || die
-
-	${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		mkdir -p usr/sbin
-		cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
-		if use cacert ; then
-			pushd "${S}"/nss-${NSS_VER} >/dev/null
-			epatch "${DISTDIR}"/nss-3.14.1-add_spi+cacerts_ca_certs.patch
-			popd >/dev/null
-		fi
-	fi
-
-	epatch "${FILESDIR}"/${PN}-20150426-root.patch
-	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
-	sed -i \
-		-e '/="$ROOT/s:ROOT/:ROOT'"${EPREFIX}"'/:' \
-		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
-		usr/sbin/update-ca-certificates || die
-
-	cd "${S}"
-	epatch "${FILESDIR}"/${PN}-20150426-nss-certdata2pem-py3.patch #548374
-}
-
-src_compile() {
-	cd "image/${EPREFIX}" || die
-	if ! ${PRECOMPILED} ; then
-		python_setup
-		local d="${S}/${PN}/mozilla"
-		# Grab the database from the nss sources.
-		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
-		emake -C "${d}"
-
-		# Now move the files to the same places that the precompiled would.
-		mkdir -p etc/ssl/certs etc/ca-certificates/update.d usr/share/ca-certificates/mozilla
-		if use cacert ; then
-			mkdir -p usr/share/ca-certificates/{cacert.org,spi-inc.org}
-			mv "${d}"/CAcert_Inc..crt usr/share/ca-certificates/cacert.org/cacert.org_root.crt || die
-			mv "${d}"/SPI_Inc..crt usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt || die
-		fi
-		mv "${d}"/*.crt usr/share/ca-certificates/mozilla/ || die
-	else
-		mv usr/share/doc/{ca-certificates,${PF}} || die
-	fi
-
-	(
-	echo "# Automatically generated by ${CATEGORY}/${PF}"
-	echo "# $(date -u)"
-	echo "# Do not edit."
-	cd usr/share/ca-certificates
-	find * -name '*.crt' | LC_ALL=C sort
-	) > etc/ca-certificates.conf
-
-	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
-	cp -pPR image/* "${D}"/ || die
-	if ! ${PRECOMPILED} ; then
-		cd ca-certificates
-		doman sbin/*.8
-		dodoc debian/README.* examples/ca-certificates-local/README
-	fi
-
-	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
-	doenvd 98ca-certificates
-}
-
-pkg_postinst() {
-	if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
-		# if the user has local certs, we need to rebuild again
-		# to include their stuff in the db.
-		# However it's too overzealous when the user has custom certs in place.
-		# --fresh is to clean up dangling symlinks
-		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
-	fi
-
-	local c badcerts=0
-	for c in $(find -L "${EROOT}"etc/ssl/certs/ -type l) ; do
-		ewarn "Broken symlink for a certificate at $c"
-		badcerts=1
-	done
-	if [ $badcerts -eq 1 ]; then
-		ewarn "Removing the following broken symlinks:"
-		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
-	fi
-}

diff --git a/app-misc/ca-certificates/files/ca-certificates-20110502-root.patch b/app-misc/ca-certificates/files/ca-certificates-20110502-root.patch
deleted file mode 100644
index f3fcf5d..0000000
--- a/app-misc/ca-certificates/files/ca-certificates-20110502-root.patch
+++ /dev/null
@@ -1,110 +0,0 @@
---- a/usr/sbin/update-ca-certificates
-+++ b/usr/sbin/update-ca-certificates
-@@ -23,6 +23,8 @@
- 
- verbose=0
- fresh=0
-+ROOT=""
-+RELPATH=""
- while [ $# -gt 0 ];
- do
-   case $1 in
-@@ -30,6 +31,11 @@
-   	verbose=1;;
-   --fresh|-f)
- 	fresh=1;;
-+  --root|-r)
-+	ROOT=$(readlink -f "$2")
-+	# needed as c_rehash wants to read the files directly
-+	RELPATH="../../.."
-+	shift;;
-   --help|-h|*)
--	echo "$0: [--verbose] [--fresh]"
-+	echo "$0: [--verbose] [--fresh] [--root <dir>]"
- 	exit;;
-@@ -37,11 +41,11 @@
-   shift
- done
- 
--CERTSCONF=/etc/ca-certificates.conf
--CERTSDIR=/usr/share/ca-certificates
--LOCALCERTSDIR=/usr/local/share/ca-certificates
-+CERTSCONF="$ROOT/etc/ca-certificates.conf"
-+CERTSDIR="$ROOT/usr/share/ca-certificates"
-+LOCALCERTSDIR="$ROOT/usr/local/share/ca-certificates"
- CERTBUNDLE=ca-certificates.crt
--ETCCERTSDIR=/etc/ssl/certs
-+ETCCERTSDIR="$ROOT/etc/ssl/certs"
- 
- cleanup() {
-   rm -f "$TEMPBUNDLE"
-@@ -66,7 +70,7 @@
-                                                   -e 's/,/_/g').pem"
-   if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
-   then
--    ln -sf "$CERT" "$PEM"
-+    ln -sf "${RELPATH}${CERT#$ROOT}" "$PEM"
-     echo +$PEM >> "$ADDED"
-   fi
-   cat "$CERT" >> "$TEMPBUNDLE"
-@@ -78,22 +82,22 @@
-   if test -L "$PEM"
-   then
-     rm -f "$PEM"
--    echo -$PEM >> "$REMOVED"
-+    echo "-$PEM" >> "$REMOVED"
-   fi
- }
- 
--cd $ETCCERTSDIR
-+cd "$ETCCERTSDIR"
- if [ "$fresh" = 1 ]; then
-   echo -n "Clearing symlinks in $ETCCERTSDIR..."
-   find . -type l -print | while read symlink
-   do
--     case $(readlink $symlink) in
--     $CERTSDIR*) rm -f $symlink;;
-+     case $(readlink "$symlink") in
-+     "$CERTSDIR"*) rm -f "$symlink";;
-      esac
-   done
-   find . -type l -print | while read symlink
-   do
--     test -f $symlink || rm -f $symlink
-+     test -f "$symlink" || rm -f "$symlink"
-   done
-   echo "done."
- fi
-@@ -102,12 +106,12 @@
- 
- # Handle certificates that should be removed.  This is an explicit act
- # by prefixing lines in the configuration files with exclamation marks (!).
--sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
-+sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
- do
-   remove "$CERTSDIR/$crt"
- done
- 
--sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
-+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
- do
-   if ! test -f "$CERTSDIR/$crt"
-   then
-@@ -146,14 +150,14 @@
- 
- echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
- 
--HOOKSDIR=/etc/ca-certificates/update.d
-+HOOKSDIR="$ROOT/etc/ca-certificates/update.d"
- echo -n "Running hooks in $HOOKSDIR...."
- VERBOSE_ARG=
- [ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
--eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook
-+eval run-parts $VERBOSE_ARG --test -- \""$HOOKSDIR"\" | while read hook
- do
-   ( cat $ADDED
--    cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
-+    cat $REMOVED ) | "$hook" || echo E: "$hook" exited with code $?.
- done
- echo "done."
- 

diff --git a/app-misc/ca-certificates/files/ca-certificates-20141019-root.patch b/app-misc/ca-certificates/files/ca-certificates-20141019-root.patch
deleted file mode 100644
index 2b2a42c..0000000
--- a/app-misc/ca-certificates/files/ca-certificates-20141019-root.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-add a --root option so we can generate with DESTDIR installs
-
---- a/usr/sbin/update-ca-certificates
-+++ b/usr/sbin/update-ca-certificates
-@@ -23,6 +23,8 @@
- 
- verbose=0
- fresh=0
-+ROOT=""
-+RELPATH=""
- while [ $# -gt 0 ];
- do
-   case $1 in
-@@ -30,18 +32,23 @@ do
-       verbose=1;;
-     --fresh|-f)
-       fresh=1;;
-+    --root|-r)
-+      ROOT=$(readlink -f "$2")
-+      # needed as c_rehash wants to read the files directly
-+      RELPATH="../../.."
-+      shift;;
-     --help|-h|*)
--      echo "$0: [--verbose] [--fresh]"
-+      echo "$0: [--verbose] [--fresh] [--root <dir>]"
-       exit;;
-   esac
-   shift
- done
- 
--CERTSCONF=/etc/ca-certificates.conf
--CERTSDIR=/usr/share/ca-certificates
--LOCALCERTSDIR=/usr/local/share/ca-certificates
-+CERTSCONF="$ROOT/etc/ca-certificates.conf"
-+CERTSDIR="$ROOT/usr/share/ca-certificates"
-+LOCALCERTSDIR="$ROOT/usr/local/share/ca-certificates"
- CERTBUNDLE=ca-certificates.crt
--ETCCERTSDIR=/etc/ssl/certs
-+ETCCERTSDIR="$ROOT/etc/ssl/certs"
- 
- cleanup() {
-   rm -f "$TEMPBUNDLE"
-@@ -66,7 +73,7 @@ add() {
-                                                   -e 's/,/_/g').pem"
-   if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
-   then
--    ln -sf "$CERT" "$PEM"
-+    ln -sf "${RELPATH}${CERT#$ROOT}" "$PEM"
-     echo +$PEM >> "$ADDED"
-   fi
-   # Add trailing newline to certificate, if it is missing (#635570)
-@@ -79,36 +86,36 @@ remove() {
-   if test -L "$PEM"
-   then
-     rm -f "$PEM"
--    echo -$PEM >> "$REMOVED"
-+    echo "-$PEM" >> "$REMOVED"
-   fi
- }
- 
--cd $ETCCERTSDIR
-+cd "$ETCCERTSDIR"
- if [ "$fresh" = 1 ]; then
--  echo -n "Clearing symlinks in $ETCCERTSDIR..."
-+  printf "Clearing symlinks in $ETCCERTSDIR..."
-   find . -type l -print | while read symlink
-   do
--    case $(readlink $symlink) in
--      $CERTSDIR*) rm -f $symlink;;
-+    case $(readlink "$symlink") in
-+      "$CERTSDIR"*) rm -f "$symlink";;
-     esac
-   done
-   find . -type l -print | while read symlink
-   do
--    test -f $symlink || rm -f $symlink
-+    test -f "$symlink" || rm -f "$symlink"
-   done
-   echo "done."
- fi
- 
--echo -n "Updating certificates in $ETCCERTSDIR... "
-+printf "Updating certificates in $ETCCERTSDIR... "
- 
- # Handle certificates that should be removed.  This is an explicit act
- # by prefixing lines in the configuration files with exclamation marks (!).
--sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
-+sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
- do
-   remove "$CERTSDIR/$crt"
- done
- 
--sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
-+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
- do
-   if ! test -f "$CERTSDIR/$crt"
-   then
-@@ -151,14 +158,14 @@ mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
- 
- echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
- 
--HOOKSDIR=/etc/ca-certificates/update.d
--echo -n "Running hooks in $HOOKSDIR...."
-+HOOKSDIR="$ROOT/etc/ca-certificates/update.d"
-+printf "Running hooks in $HOOKSDIR...."
- VERBOSE_ARG=
- [ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
--eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook
-+eval run-parts $VERBOSE_ARG --test -- \""$HOOKSDIR"\" | while read hook
- do
-   ( cat $ADDED
--    cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
-+    cat $REMOVED ) | "$hook" || echo E: "$hook" exited with code $?.
- done
- echo "done."
- 

diff --git a/app-misc/ca-certificates/files/ca-certificates-20150426-nss-certdata2pem-py3.patch b/app-misc/ca-certificates/files/ca-certificates-20150426-nss-certdata2pem-py3.patch
deleted file mode 100644
index d639aef..0000000
--- a/app-misc/ca-certificates/files/ca-certificates-20150426-nss-certdata2pem-py3.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-https://bugs.debian.org/789753
-https://bugs.gentoo.org/548374
-
---- a/ca-certificates/mozilla/certdata2pem.py
-+++ b/ca-certificates/mozilla/certdata2pem.py
-@@ -31,7 +31,11 @@ objects = []
- # Dirty file parser.
- in_data, in_multiline, in_obj = False, False, False
- field, type, value, obj = None, None, None, dict()
--for line in open('certdata.txt', 'r'):
-+try:
-+    f = open('certdata.txt', 'r', encoding='utf-8')
-+except TypeError:
-+    f = open('certdata.txt', 'r')
-+for line in f:
-     # Ignore the file header.
-     if not in_data:
-         if line.startswith('BEGINDATA'):
-@@ -53,7 +53,7 @@ for line in open('certdata.txt', 'r'):
-             if type == 'MULTILINE_OCTAL':
-                 line = line.strip()
-                 for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
--                    value += chr(int(i.group(1), 8))
-+                    value.append(int(i.group(1), 8))
-             else:
-                 value += line
-             continue
-@@ -70,13 +70,13 @@ for line in open('certdata.txt', 'r'):
-         field, type = line_parts
-         value = None
-     else:
--        raise NotImplementedError, 'line_parts < 2 not supported.'
-+        raise NotImplementedError('line_parts < 2 not supported.')
-     if type == 'MULTILINE_OCTAL':
-         in_multiline = True
--        value = ""
-+        value = bytearray()
-         continue
-     obj[field] = value
--if len(obj.items()) > 0:
-+if len(obj) > 0:
-     objects.append(obj)
- 
- # Read blacklist.
-@@ -95,7 +95,7 @@ for obj in objects:
-     if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
-         continue
-     if obj['CKA_LABEL'] in blacklist:
--        print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
-+        print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
-     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
-                                           'CKT_NSS_TRUSTED_DELEGATOR'):
-         trust[obj['CKA_LABEL']] = True
-@@ -104,13 +104,13 @@ for obj in objects:
-         trust[obj['CKA_LABEL']] = True
-     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
-                                           'CKT_NSS_NOT_TRUSTED'):
--        print '!'*74
--        print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
--        print '!'*74
-+        print('!'*74)
-+        print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
-+        print('!'*74)
-     else:
--        print "Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
-+        print("Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
-               (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
--               obj['CKA_TRUST_EMAIL_PROTECTION'])
-+               obj['CKA_TRUST_EMAIL_PROTECTION']))
- 
- for obj in objects:
-     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
-@@ -121,13 +121,19 @@ for obj in objects:
-                                       .replace('(', '=')\
-                                       .replace(')', '=')\
-                                       .replace(',', '_')
--        bname = bname.decode('string_escape')
--        fname = bname + '.crt'
-+
-+        # this is the only way to decode the way NSS stores multi-byte UTF-8
-+        if bytes != str:
-+            bname = bname.encode('utf-8')
-+        bname = bname.decode('unicode_escape').encode('latin-1').decode('utf-8')
-+        fname = (bname + '.crt').encode('utf-8')
-+
-         if os.path.exists(fname):
--            print "Found duplicate certificate name %s, renaming." % bname
--            fname = bname + '_2.crt'
-+            print("Found duplicate certificate name %s, renaming." % fname)
-+            fname = (bname + '_2.crt').encode('utf-8')
-         f = open(fname, 'w')
-         f.write("-----BEGIN CERTIFICATE-----\n")
--        f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
-+        encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8')
-+        f.write("\n".join(textwrap.wrap(encoded, 64)))
-         f.write("\n-----END CERTIFICATE-----\n")
- 


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/files/, app-misc/ca-certificates/
@ 2024-01-30  5:10 Sam James
  0 siblings, 0 replies; 5+ messages in thread
From: Sam James @ 2024-01-30  5:10 UTC (permalink / raw
  To: gentoo-commits

commit:     6e6ccafd58bc7401fa371d2f255d72ddae0131e6
Author:     Eli Schwartz <eschwartz93 <AT> gmail <DOT> com>
AuthorDate: Tue Jan 30 04:24:23 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Jan 30 05:09:51 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e6ccafd

app-misc/ca-certificates: drop pointless dependency on debianutils

It is used internally by the debian script update-ca-certificates,
because on Debian, debianutils is "essential". But on Gentoo it is not,
and this is the only package that is essentially unavoidable and drags
it in. There are also kernel packages, but that is potentially
avoidable...

Patch out the script to use a trivial bash construct which is even
shorter than shelling out to an external program, and allows dropping
this dependency.

Signed-off-by: Eli Schwartz <eschwartz93 <AT> gmail.com>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../ca-certificates-20230311.3.96.1-r1.ebuild      | 201 +++++++++++++++++++++
 ...ertificates-drop-pointless-dependency-on-.patch |  46 +++++
 2 files changed, 247 insertions(+)

diff --git a/app-misc/ca-certificates/ca-certificates-20230311.3.96.1-r1.ebuild b/app-misc/ca-certificates/ca-certificates-20230311.3.96.1-r1.ebuild
new file mode 100644
index 000000000000..677373ebda39
--- /dev/null
+++ b/app-misc/ca-certificates/ca-certificates-20230311.3.96.1-r1.ebuild
@@ -0,0 +1,201 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# The Debian ca-certificates package merely takes the CA database as it exists
+# in the nss package and repackages it for use by openssl.
+#
+# The issue with using the compiled debs directly is two fold:
+# - they do not update frequently enough for us to rely on them
+# - they pull the CA database from nss tip of tree rather than the release
+#
+# So we take the Debian source tools and combine them with the latest nss
+# release to produce (largely) the same end result.  The difference is that
+# now we know our cert database is kept in sync with nss and, if need be,
+# can be sync with nss tip of tree more frequently to respond to bugs.
+
+# Where possible, bump to stable/LTS releases of NSS for the last part
+# of the version (when not using a pure Debian release).
+
+# When triaging user reports, refer to our wiki for tips:
+# https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit python-any-r1
+
+if [[ ${PV} == *.* ]] ; then
+	# Compile from source ourselves.
+	PRECOMPILED=false
+
+	DEB_VER=$(ver_cut 1)
+	NSS_VER=$(ver_cut 2-)
+	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
+else
+	# Debian precompiled version.
+	PRECOMPILED=true
+	inherit unpacker
+fi
+
+DESCRIPTION="Common CA Certificates PEM files"
+HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
+NMU_PR=""
+if ${PRECOMPILED} ; then
+	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
+else
+	SRC_URI="
+		mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
+		https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
+		cacert? (
+			https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch
+		)
+	"
+fi
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE=""
+${PRECOMPILED} || IUSE+=" cacert"
+
+BDEPEND="${CDEPEND}"
+if ! ${PRECOMPILED} ; then
+	BDEPEND+=" ${PYTHON_DEPS}"
+fi
+
+DEPEND=""
+if ${PRECOMPILED} ; then
+	DEPEND+=" !<sys-apps/portage-2.1.10.41"
+fi
+
+RDEPEND="${CDEPEND}
+	${DEPEND}"
+
+S="${WORKDIR}"
+
+pkg_setup() {
+	# For the conversion to having it in CONFIG_PROTECT_MASK,
+	# we need to tell users about it once manually first.
+	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
+		|| ewarn "You should run update-ca-certificates manually after etc-update"
+
+	if ! ${PRECOMPILED} ; then
+		python-any-r1_pkg_setup
+	fi
+}
+
+src_unpack() {
+	if ! ${PRECOMPILED} ; then
+		default
+		# Initial 20200601 deb release had bad naming inside the debian source tarball.
+		DEB_S="${WORKDIR}/${PN}-${DEB_VER}"
+		DEB_BAD_S="${WORKDIR}/work"
+		if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]] ; then
+			mv "${DEB_BAD_S}" "${DEB_S}"
+		fi
+	fi
+
+	# Do all the work in the image subdir to avoid conflicting with source
+	# dirs in ${WORKDIR}.  Need to perform everything in the offset #381937
+	mkdir -p "image/${EPREFIX}" || die
+	cd "image/${EPREFIX}" || die
+
+	${PRECOMPILED} && unpacker_src_unpack
+}
+
+src_prepare() {
+	cd "image/${EPREFIX}" || die
+
+	if ! ${PRECOMPILED} ; then
+		mkdir -p usr/sbin || die
+		cp -p "${S}"/${PN}/sbin/update-ca-certificates \
+			usr/sbin/ || die
+
+		if use cacert ; then
+			pushd "${S}"/nss-${NSS_VER} >/dev/null || die
+			eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
+			popd >/dev/null || die
+		fi
+	fi
+
+	default
+	eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
+	eapply -p2 "${FILESDIR}"/0001-update-ca-certificates-drop-pointless-dependency-on-.patch
+
+	pushd "${S}/${PN}" >/dev/null || die
+	# We patch out the dep on cryptography as it's not particularly useful
+	# for us. Please see the discussion in bug #821706. Not to be removed lightly!
+	eapply "${FILESDIR}"/${PN}-20230311.3.89-no-cryptography.patch
+	popd >/dev/null || die
+
+	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
+	sed -i \
+		-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
+		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
+		usr/sbin/update-ca-certificates || die
+}
+
+src_compile() {
+	cd "image/${EPREFIX}" || die
+
+	if ! ${PRECOMPILED} ; then
+		local d="${S}/${PN}/mozilla" c="usr/share/${PN}"
+
+		# Grab the database from the nss sources.
+		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
+		emake -C "${d}"
+
+		# Now move the files to the same places that the precompiled would.
+		mkdir -p etc/ssl/certs \
+			etc/ca-certificates/update.d \
+			"${c}"/mozilla \
+			|| die
+		if use cacert ; then
+			mkdir -p "${c}"/cacert.org || die
+			mv "${d}"/CA_Cert_Signing_Authority.crt \
+				"${c}"/cacert.org/cacert.org_class1.crt || die
+			mv "${d}"/CAcert_Class_3_Root.crt \
+				"${c}"/cacert.org/cacert.org_class3.crt || die
+		fi
+		mv "${d}"/*.crt "${c}"/mozilla/ || die
+	else
+		mv usr/share/doc/{ca-certificates,${PF}} || die
+	fi
+
+	(
+		echo "# Automatically generated by ${CATEGORY}/${PF}"
+		echo "# Do not edit."
+		cd "${c}" || die
+		find * -name '*.crt' | LC_ALL=C sort
+	) > etc/ca-certificates.conf
+
+	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
+}
+
+src_install() {
+	cp -pPR image/* "${D}"/ || die
+	if ! ${PRECOMPILED} ; then
+		cd ${PN} || die
+		doman sbin/*.8
+		dodoc debian/README.* examples/ca-certificates-local/README
+	fi
+
+	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates || die
+	doenvd 98ca-certificates
+}
+
+pkg_postinst() {
+	if [[ -d "${EROOT}/usr/local/share/ca-certificates" ]] ; then
+		# If the user has local certs, we need to rebuild again
+		# to include their stuff in the db.
+		# However it's too overzealous when the user has custom certs in place.
+		# --fresh is to clean up dangling symlinks
+		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
+	fi
+
+	if [[ -n "$(find -L "${EROOT}"/etc/ssl/certs/ -type l)" ]] ; then
+		ewarn "Removing the following broken symlinks:"
+		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
+	fi
+}
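Review bot: In src_compile, `c` is declared with `local` only inside the `if ! ${PRECOMPILED}` branch, yet the subshell that writes etc/ca-certificates.conf runs `cd "${c}" || die` on both paths. On the precompiled path `c` is unset, so the `cd` does not enter usr/share/${PN} and the `find * -name '*.crt'` list that defines the trust store is built from the wrong directory. Move `local c="usr/share/${PN}"` above the `if` so both branches generate the conf from the same place. Separately, `mv "${DEB_BAD_S}" "${DEB_S}"` in src_unpack is the one file operation in this ebuild without `|| die`.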

diff --git a/app-misc/ca-certificates/files/0001-update-ca-certificates-drop-pointless-dependency-on-.patch b/app-misc/ca-certificates/files/0001-update-ca-certificates-drop-pointless-dependency-on-.patch
new file mode 100644
index 000000000000..e64a42808552
--- /dev/null
+++ b/app-misc/ca-certificates/files/0001-update-ca-certificates-drop-pointless-dependency-on-.patch
@@ -0,0 +1,46 @@
+From 0d5077f59b12bcf64a0489c884e6715cb98ae4b3 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz93@gmail.com>
+Date: Mon, 29 Jan 2024 21:54:04 -0500
+Subject: [PATCH] update-ca-certificates: drop pointless dependency on external
+ run-parts
+
+This external program belongs to debianutils and hence is used
+internally by the update-ca-certificates script synced from Debian.
+
+It has a couple utilities:
+- it sorts files in a directory with LC_ALL=C
+- it runs each of them in turn
+- it can print them instead of running them
+
+Here, it's used for sorting and printing the scripts to run. They need
+to each accept some stdin, so run-parts cannot actually be used for
+dispatch. But this functionality works fine directly from a shell, so
+the additional dependency honestly seems frivolous. In particular, this
+is the only reason why all Debian systems have debianutils installed,
+through openssl. (This is in contrast to Debian, where debianutils is
+part of the essential system set and provides a vastly greater number of
+programs than the ones Gentoo repackages.)
+
+It's very easy to replace with `printf %s\\n *`, so do so. Even if it
+wasn't easy to replace with printf, it would be easy to replace with
+`for x in *; "$x"; done` instead.
+---
+ image/usr/sbin/update-ca-certificates | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/image/usr/sbin/update-ca-certificates b/image/usr/sbin/update-ca-certificates
+index bb5aa54..7abffc9 100755
+--- a/image/usr/sbin/update-ca-certificates
++++ b/image/usr/sbin/update-ca-certificates
+@@ -218,7 +218,7 @@ then
+   echo "Running hooks in $HOOKSDIR..."
+   VERBOSE_ARG=
+   [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
+-  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
++  ( LC_ALL=C; printf %s\\n "$HOOKSDIR"/* ) | while read hook
+   do
+     ( cat "$ADDED"
+       cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
+-- 
+2.43.0
+
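Review bot: The replacement line `( LC_ALL=C; printf %s\\n "$HOOKSDIR"/* ) | while read hook` is not equivalent to the `run-parts --test` call it removes. run-parts lists only executable files whose names consist of letters, digits, underscores and hyphens, while the glob emits every entry in update.d, including non-executable files, backup copies with a suffix, and subdirectories, and it emits the literal pattern when the directory is empty. Each of those is then invoked as `"$hook"`, so the set of files executed from the hook directory changes and an empty directory produces a spurious `E: ... exited with code` line. Suggest starting the loop body with `[ -f "$hook" ] && [ -x "$hook" ] || continue`, and deciding explicitly whether suffixed names should be skipped as before. `VERBOSE_ARG` is still assigned in the context lines but nothing in the visible hunk reads it after this change, so it can be dropped as well.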


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/files/, app-misc/ca-certificates/
@ 2024-03-02  1:16 Sam James
  0 siblings, 0 replies; 5+ messages in thread
From: Sam James @ 2024-03-02  1:16 UTC (permalink / raw
  To: gentoo-commits

commit:     2d839da180554b5e76f8a5869378fcf73fcfcf64
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Mar  2 01:15:31 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar  2 01:15:31 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d839da1

app-misc/ca-certificates: add 20240203.3.98

Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-misc/ca-certificates/Manifest                  |   2 +
 .../ca-certificates-20240203.3.98.ebuild           | 201 +++++++++++++++++++++
 ...ca-certificates-drop-pointless-dependency.patch |  45 +++++
 3 files changed, 248 insertions(+)

diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest
index 8730e479b3ba..77c3d12321e3 100644
--- a/app-misc/ca-certificates/Manifest
+++ b/app-misc/ca-certificates/Manifest
@@ -1,4 +1,6 @@
 DIST ca-certificates_20230311.tar.xz 257772 BLAKE2B b807a6415126afdc11896efea8e6509d7ad58b26bc8562b276e93176e80bb8b467a5bd2ba948d3dbbeaf0e4477d93f3ea2b99d3186e856fb47d1033cb779d560 SHA512 00571bdc87897813fd7dbe024f3a186cfc9f0d4f55e92545a90888c9e5282f99cb8d75b5932c034731b911bf27a9b38fd7d062dd511eb1152acf8b2811490fa7
+DIST ca-certificates_20240203.tar.xz 263276 BLAKE2B 44d22aa91fe589e2ae67cb32c6594f1252e99d4460969bf7c925e7047178168c8881c2c93d6c63171059239e34aeea73b95f135f6b60a4e2fa61caa1ddfa3c44 SHA512 e9d7b5283c2be9425d18eb4a9b54b1fa54db0b9d1bdb28f9c6db7f8b2e03fd93442ac973f9b024b7a148d71ac2789edbc1207c2048ce4be589eb1a5376640670
 DIST nss-3.96.1.tar.gz 76715092 BLAKE2B 2a9ea65dd89cba82ea10a57887b10109369af81d4c2911c54cfd081a661498ad7f56ad419092539caaa16341045edcc50f5a3c74d87d66094dacbc91226a9d1c SHA512 fe8baefa767b711a108aafdb496a45d15d2296c3bdd0b1e4389c49197d1cf5365872ee41c23b6823285803887c74538d13347af87d64750551e9cbc87a9cb338
 DIST nss-3.97.tar.gz 76664827 BLAKE2B ede68cf0269edd8ffbe1e90682fb51c202d6298f8bfa5ebbd81e12785e29e6a6611ef3f0feceee73bea4d25ae12f251225649a73d249fdd90af179e07e39f3f6 SHA512 1ad6ac6ff626dc187f42b313c1088ef4b4ac0ee3e156d37824c36e778faa977e8f132302ac00d74aa8f9903e791a0fee6cecb5244d2601e0825cc125b6f33d6a
+DIST nss-3.98.tar.gz 76685475 BLAKE2B d382cc65e450b5b7d6b152952a8188822eab5fdbaa0faeefc3f98ef5aa70ed7534abcb7114aaa25c1e49f89dcda7cf75d85957d1a8e5ff964599362757138cb4 SHA512 4f335c5c284eff6424745cc15e32037715a915f6f61687ec36a8ffaef0e45d152602a1be275bbb2f14650c7d258d6488430cdcf512b18ba7cb73cd43ac625681
 DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4

diff --git a/app-misc/ca-certificates/ca-certificates-20240203.3.98.ebuild b/app-misc/ca-certificates/ca-certificates-20240203.3.98.ebuild
new file mode 100644
index 000000000000..d159923c9a9b
--- /dev/null
+++ b/app-misc/ca-certificates/ca-certificates-20240203.3.98.ebuild
@@ -0,0 +1,201 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# The Debian ca-certificates package merely takes the CA database as it exists
+# in the nss package and repackages it for use by openssl.
+#
+# The issue with using the compiled debs directly is two fold:
+# - they do not update frequently enough for us to rely on them
+# - they pull the CA database from nss tip of tree rather than the release
+#
+# So we take the Debian source tools and combine them with the latest nss
+# release to produce (largely) the same end result.  The difference is that
+# now we know our cert database is kept in sync with nss and, if need be,
+# can be sync with nss tip of tree more frequently to respond to bugs.
+
+# Where possible, bump to stable/LTS releases of NSS for the last part
+# of the version (when not using a pure Debian release).
+
+# When triaging user reports, refer to our wiki for tips:
+# https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit python-any-r1
+
+if [[ ${PV} == *.* ]] ; then
+	# Compile from source ourselves.
+	PRECOMPILED=false
+
+	DEB_VER=$(ver_cut 1)
+	NSS_VER=$(ver_cut 2-)
+	RTM_NAME="NSS_${NSS_VER//./_}_RTM"
+else
+	# Debian precompiled version.
+	PRECOMPILED=true
+	inherit unpacker
+fi
+
+DESCRIPTION="Common CA Certificates PEM files"
+HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
+NMU_PR=""
+if ${PRECOMPILED} ; then
+	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
+else
+	SRC_URI="
+		mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
+		https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
+		cacert? (
+			https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch
+		)
+	"
+fi
+
+S="${WORKDIR}"
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+${PRECOMPILED} || IUSE+=" cacert"
+
+BDEPEND="${COMMON_DEPEND}"
+if ! ${PRECOMPILED} ; then
+	BDEPEND+=" ${PYTHON_DEPS}"
+fi
+
+if ${PRECOMPILED} ; then
+	DEPEND+=" !<sys-apps/portage-2.1.10.41"
+fi
+
+RDEPEND="
+	${COMMON_DEPEND}
+	${DEPEND}
+"
+
+pkg_setup() {
+	# For the conversion to having it in CONFIG_PROTECT_MASK,
+	# we need to tell users about it once manually first.
+	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
+		|| ewarn "You should run update-ca-certificates manually after etc-update"
+
+	if ! ${PRECOMPILED} ; then
+		python-any-r1_pkg_setup
+	fi
+}
+
+src_unpack() {
+	if ! ${PRECOMPILED} ; then
+		default
+		# Initial 20200601 deb release had bad naming inside the debian source tarball.
+		DEB_S="${WORKDIR}/${PN}-${DEB_VER}"
+		DEB_BAD_S="${WORKDIR}/work"
+		if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]] ; then
+			mv "${DEB_BAD_S}" "${DEB_S}"
+		fi
+	fi
+
+	# Do all the work in the image subdir to avoid conflicting with source
+	# dirs in ${WORKDIR}.  Need to perform everything in the offset #381937
+	mkdir -p "image/${EPREFIX}" || die
+	cd "image/${EPREFIX}" || die
+
+	${PRECOMPILED} && unpacker_src_unpack
+}
+
+src_prepare() {
+	cd "image/${EPREFIX}" || die
+
+	if ! ${PRECOMPILED} ; then
+		mkdir -p usr/sbin || die
+		cp -p "${S}"/${PN}/sbin/update-ca-certificates \
+			usr/sbin/ || die
+
+		if use cacert ; then
+			pushd "${S}"/nss-${NSS_VER} >/dev/null || die
+			eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
+			popd >/dev/null || die
+		fi
+	fi
+
+	default
+	eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
+	eapply -p2 "${FILESDIR}"/${PN}-20240203.3.98-update-ca-certificates-drop-pointless-dependency.patch
+
+	pushd "${S}/${PN}" >/dev/null || die
+	# We patch out the dep on cryptography as it's not particularly useful
+	# for us. Please see the discussion in bug #821706. Not to be removed lightly!
+	eapply "${FILESDIR}"/${PN}-20230311.3.89-no-cryptography.patch
+	popd >/dev/null || die
+
+	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
+	sed -i \
+		-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
+		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
+		usr/sbin/update-ca-certificates || die
+}
+
+src_compile() {
+	cd "image/${EPREFIX}" || die
+
+	if ! ${PRECOMPILED} ; then
+		local d="${S}/${PN}/mozilla" c="usr/share/${PN}"
+
+		# Grab the database from the nss sources.
+		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
+		emake -C "${d}"
+
+		# Now move the files to the same places that the precompiled would.
+		mkdir -p etc/ssl/certs \
+			etc/ca-certificates/update.d \
+			"${c}"/mozilla \
+			|| die
+		if use cacert ; then
+			mkdir -p "${c}"/cacert.org || die
+			mv "${d}"/CA_Cert_Signing_Authority.crt \
+				"${c}"/cacert.org/cacert.org_class1.crt || die
+			mv "${d}"/CAcert_Class_3_Root.crt \
+				"${c}"/cacert.org/cacert.org_class3.crt || die
+		fi
+		mv "${d}"/*.crt "${c}"/mozilla/ || die
+	else
+		mv usr/share/doc/{ca-certificates,${PF}} || die
+	fi
+
+	(
+		echo "# Automatically generated by ${CATEGORY}/${PF}"
+		echo "# Do not edit."
+		cd "${c}" || die
+		find * -name '*.crt' | LC_ALL=C sort
+	) > etc/ca-certificates.conf
+
+	sh usr/sbin/update-ca-certificates --root "${S}/image" || die
+}
+
+src_install() {
+	cp -pPR image/* "${D}"/ || die
+	if ! ${PRECOMPILED} ; then
+		cd ${PN} || die
+		doman sbin/*.8
+		dodoc debian/README.* examples/ca-certificates-local/README
+	fi
+
+	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates || die
+	doenvd 98ca-certificates
+}
+
+pkg_postinst() {
+	if [[ -d "${EROOT}/usr/local/share/ca-certificates" ]] ; then
+		# If the user has local certs, we need to rebuild again
+		# to include their stuff in the db.
+		# However it's too overzealous when the user has custom certs in place.
+		# --fresh is to clean up dangling symlinks
+		"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
+	fi
+
+	if [[ -n "$(find -L "${EROOT}"/etc/ssl/certs/ -type l)" ]] ; then
+		ewarn "Removing the following broken symlinks:"
+		ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
+	fi
+}
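Review bot: In `src_compile`, `c` is assigned only inside the `if ! ${PRECOMPILED}` branch, but the subshell that writes `etc/ca-certificates.conf` runs `cd "${c}"` on both paths, so in the precompiled case `${c}` is empty and the `find * -name '*.crt'` listing is not guaranteed to be taken relative to `usr/share/${PN}`. Declaring `local c="usr/share/${PN}"` before the `if` would let both branches share it. Separately, the `pkg_postinst` comment says `--fresh` cleans up dangling symlinks, yet the call passes only `--root "${ROOT}"` and the cleanup is actually done by the `find -L ... -delete` that follows; the comment should be brought in line with the code.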

diff --git a/app-misc/ca-certificates/files/ca-certificates-20240203.3.98-update-ca-certificates-drop-pointless-dependency.patch b/app-misc/ca-certificates/files/ca-certificates-20240203.3.98-update-ca-certificates-drop-pointless-dependency.patch
new file mode 100644
index 000000000000..55c082595579
--- /dev/null
+++ b/app-misc/ca-certificates/files/ca-certificates-20240203.3.98-update-ca-certificates-drop-pointless-dependency.patch
@@ -0,0 +1,45 @@
+From c33e85bc2fe61e66e2fa5c2ab0efc4277b7cef5e Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz93@gmail.com>
+Date: Mon, 29 Jan 2024 21:54:04 -0500
+Subject: [PATCH] update-ca-certificates: drop pointless dependency on external
+ run-parts
+
+This external program belongs to debianutils and hence is used
+internally by the update-ca-certificates script synced from Debian.
+
+It has a couple utilities:
+- it sorts files in a directory with LC_ALL=C
+- it runs each of them in turn
+- it can print them instead of running them
+
+Here, it's used for sorting and printing the scripts to run. They need
+to each accept some stdin, so run-parts cannot actually be used for
+dispatch. But this functionality works fine directly from a shell, so
+the additional dependency honestly seems frivolous. In particular, this
+is the only reason why all Debian systems have debianutils installed,
+through openssl. (This is in contrast to Debian, where debianutils is
+part of the essential system set and provides a vastly greater number of
+programs than the ones Gentoo repackages.)
+
+It's very easy to replace with `printf %s\\n *`, so do so. Even if it
+wasn't easy to replace with printf, it would be easy to replace with
+`for x in *; "$x"; done` instead.
+---
+ image/usr/sbin/update-ca-certificates | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/image/usr/sbin/update-ca-certificates b/image/usr/sbin/update-ca-certificates
+index bb5aa54..fbf1ee2 100755
+--- a/image/usr/sbin/update-ca-certificates
++++ b/image/usr/sbin/update-ca-certificates
+@@ -218,8 +218,9 @@ then
+   echo "Running hooks in $HOOKSDIR..."
+   VERBOSE_ARG=
+   [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
+-  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook
++  ( LC_ALL=C; printf %s\\n "$HOOKSDIR"/* ) | while read hook
+   do
++    [ -f "$hook" ] || continue
+     ( cat "$ADDED"
+       cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
+   done
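Review bot: The new `printf` line pipes into `while read hook` where the removed line used `read -r hook`, so a backslash in a hook file name would now be interpreted by `read` instead of being passed through unchanged; keeping `-r` costs nothing. The added `[ -f "$hook" ] || continue` guard also lets non-executable regular files through, which are then invoked and reported via `E: $hook exited with code $?.`, so an additional `[ -x "$hook" ]` test would be a tighter filter. `VERBOSE_ARG` is still assigned in the context lines above the change, but nothing in the loop uses it any more, so those two lines could be dropped in the same patch.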

