
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/
Date: Mon, 07 Jan 2019 19:53:15
Message-Id: 1546890783.2c00aa56056878ddb20ecd9f171c155d76a875bd.whissi@gentoo
1 commit: 2c00aa56056878ddb20ecd9f171c155d76a875bd
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Mon Jan 7 19:51:41 2019 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Mon Jan 7 19:53:03 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c00aa56
7
8 app-misc/ca-certificates: drop old
9
10 Package-Manager: Portage-2.3.54, Repoman-2.3.12
11 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
12
13 app-misc/ca-certificates/Manifest | 2 -
14 .../ca-certificates-20170717.3.36.1.ebuild | 190 ---------------------
15 .../ca-certificates-20180409.3.36.1-r1.ebuild | 179 -------------------
16 app-misc/ca-certificates/metadata.xml | 3 -
17 4 files changed, 374 deletions(-)
18
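--- a/app-misc/ca-certificates/Manifest
+++ b/app-misc/ca-certificates/Manifest
@@ -1,5 +1,3 @@
-DIST ca-certificates_20170717.tar.xz 293028 BLAKE2B 85076cd980841f32e2544c7be020fca9bcd5ef7066ae3cef195cbf9755f8b8e800a8e4076662fa1b7da600c2235e49048eb6e1166b0618fc7685221ab790fed3 SHA512 dfeb5a19bb33bcb127a159b73fcc63b41c99827d77eb4a6069def0cffc7ae8dd10dab97c1ddfdd5b70d0c93e650a51ed5dcd03908516e7ca8b3022bf46eeb7e6
 DIST ca-certificates_20180409.tar.xz 246908 BLAKE2B b553d4347f1a5b88fe59c7269dee617f61cde54d4df1a3aa4b3a7e9aa4b2ee81415e5c421352505ca4b2e0e480b053ccb04024bddfb51450d298d8fdd0567c36 SHA512 e0742da19416d367618547107cc0f1cc045d5ba62c30fb7238e0e36ec0d19ea48e2ffdee2c68a9f06954025c58db9a5376f149e221ede95a3a029cda39d86a53
-DIST nss-3.36.1.tar.gz 23026430 BLAKE2B 76eaf5b24f8954a4e14cf556912250a3ddb7b333054a2ea4ee3d218493a8f12c77a37455aae354ef6ddd9bd55c33a269dad515806d70ef38727fa8a382d47fd4 SHA512 096fe4360b6d584a746ac6156830f8cff821fd173bd889d7a396238919328a227fa4ebb46f738970a4001773046f3dd4f4675b85ff6de8420a4a7657b3ba0c65
 DIST nss-3.37.tar.gz 23027581 BLAKE2B 0ce7190a029321d5620dc8b9aedf1f4252c53dbef57149afbad432b6bc4b590db026505d23f5c766827d5c0179ab931b8a0435a2e9785eff3db515ed7211e512 SHA512 ad5175f126705f57092ac80421ac005bcc32bb18a4a44a527df25994fa90b3bc18af08506683564f619a22076f71232e2b3c9e6e25d6312d0bfed63684139103
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0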
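--- a/app-misc/ca-certificates/ca-certificates-20170717.3.36.1.ebuild
+++ /dev/null
@@ -1,190 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result. The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-# openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-# Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-# https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-# https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI=6
-
-PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
- # Compile from source ourselves.
- PRECOMPILED=false
- inherit eapi7-ver
-
- DEB_VER=$(ver_cut 1)
- NSS_VER=$(ver_cut 2-)
- RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
- # Debian precompiled version.
- PRECOMPILED=true
- inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
- SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
- SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
- https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
- cacert? (
- https://dev.gentoo.org/~axs/distfiles/nss-cacert-class1-class3.patch
- )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE="insecure_certs"
-${PRECOMPILED} || IUSE+=" cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
- DEPEND+=" !<sys-apps/portage-2.1.10.41"
-fi
-# c_rehash: we run `c_rehash`
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
- app-misc/c_rehash
- sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
- DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
- # For the conversion to having it in CONFIG_PROTECT_MASK,
- # we need to tell users about it once manually first.
- [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
- || ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
- ${PRECOMPILED} || default
-
- # Do all the work in the image subdir to avoid conflicting with source
- # dirs in $WORKDIR. Need to perform everything in the offset #381937
- mkdir -p "image/${EPREFIX}"
- cd "image/${EPREFIX}" || die
-
- ${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
- cd "image/${EPREFIX}" || die
- if ! ${PRECOMPILED} ; then
- mkdir -p usr/sbin
- cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
- if use cacert ; then
- pushd "${S}"/nss-${NSS_VER} >/dev/null
- epatch "${DISTDIR}"/nss-cacert-class1-class3.patch
- popd >/dev/null
- fi
- fi
-
- default
- eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
- local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
- sed -i \
- -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
- -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
- usr/sbin/update-ca-certificates || die
-}
-
-src_compile() {
- cd "image/${EPREFIX}" || die
- if ! ${PRECOMPILED} ; then
- python_setup
- local d="${S}/${PN}/mozilla" c="usr/share/${PN}"
- # Grab the database from the nss sources.
- cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
- emake -C "${d}"
-
- # Now move the files to the same places that the precompiled would.
- mkdir -p etc/ssl/certs etc/ca-certificates/update.d "${c}"/mozilla
- if use cacert ; then
- mkdir -p "${c}"/cacert.org
- mv "${d}"/CAcert_Inc..crt "${c}"/cacert.org/cacert.org_root.crt || die
- fi
- mv "${d}"/*.crt "${c}"/mozilla/ || die
- else
- mv usr/share/doc/{ca-certificates,${PF}} || die
- fi
-
- if ! use insecure_certs ; then
- elog "To prevent applications relying on system's trusted root certificate store"
- elog "from using CAs where at least one major browser vendor Gentoo is following"
- elog "has decided to apply trust level restrictions, the following"
- elog "certificate(s) were removed:"
- # Remove untrusted certs from StartCom and WoSign (bug #598072)
- elog "$(find "${c}" -type f \( \
- -iname '*startcom*' \
- -o -iname '*wosign*' \
- \) -printf '%P removed; see https://bugs.gentoo.org/598072 for details\n' -delete)"
- fi
-
- (
- echo "# Automatically generated by ${CATEGORY}/${PF}"
- echo "# $(date -u)"
- echo "# Do not edit."
- cd "${c}"
- find * -name '*.crt' | LC_ALL=C sort
- ) > etc/ca-certificates.conf
-
- sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
- cp -pPR image/* "${D}"/ || die
- if ! ${PRECOMPILED} ; then
- cd ca-certificates
- doman sbin/*.8
- dodoc debian/README.* examples/ca-certificates-local/README
- fi
-
- echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
- doenvd 98ca-certificates
-}
-
-pkg_postinst() {
- if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
- # if the user has local certs, we need to rebuild again
- # to include their stuff in the db.
- # However it's too overzealous when the user has custom certs in place.
- # --fresh is to clean up dangling symlinks
- "${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
- fi
-
- if [ -n "$(find -L "${EROOT}"etc/ssl/certs/ -type l)" ] ; then
- ewarn "Removing the following broken symlinks:"
- ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
- fi
-}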
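--- a/app-misc/ca-certificates/ca-certificates-20180409.3.36.1-r1.ebuild
+++ /dev/null
@@ -1,179 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# The Debian ca-certificates package merely takes the CA database as it exists
-# in the nss package and repackages it for use by openssl.
-#
-# The issue with using the compiled debs directly is two fold:
-# - they do not update frequently enough for us to rely on them
-# - they pull the CA database from nss tip of tree rather than the release
-#
-# So we take the Debian source tools and combine them with the latest nss
-# release to produce (largely) the same end result. The difference is that
-# now we know our cert database is kept in sync with nss and, if need be,
-# can be sync with nss tip of tree more frequently to respond to bugs.
-
-# When triaging bugs from users, here's some handy tips:
-# - To see what cert is hitting errors, use openssl:
-# openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
-# Focus on the errors written to stderr.
-#
-# - Look at the upstream log as to why certs were added/removed:
-# https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
-#
-# - If people want to add/remove certs, tell them to file w/mozilla:
-# https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
-
-EAPI=6
-
-PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} )
-
-inherit eutils python-any-r1
-
-if [[ ${PV} == *.* ]] ; then
- # Compile from source ourselves.
- PRECOMPILED=false
- inherit eapi7-ver
-
- DEB_VER=$(ver_cut 1)
- NSS_VER=$(ver_cut 2-)
- RTM_NAME="NSS_${NSS_VER//./_}_RTM"
-else
- # Debian precompiled version.
- PRECOMPILED=true
- inherit unpacker
-fi
-
-DESCRIPTION="Common CA Certificates PEM files"
-HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
-NMU_PR=""
-if ${PRECOMPILED} ; then
- SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
-else
- SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
- https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
- cacert? (
- https://dev.gentoo.org/~axs/distfiles/nss-cacert-class1-class3.patch
- )"
-fi
-
-LICENSE="MPL-1.1"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE=""
-${PRECOMPILED} || IUSE+=" cacert"
-
-DEPEND=""
-if ${PRECOMPILED} ; then
- DEPEND+=" !<sys-apps/portage-2.1.10.41"
-fi
-# c_rehash: we run `c_rehash`
-# debianutils: we run `run-parts`
-RDEPEND="${DEPEND}
- app-misc/c_rehash
- sys-apps/debianutils"
-
-if ! ${PRECOMPILED}; then
- DEPEND+=" ${PYTHON_DEPS}"
-fi
-
-S=${WORKDIR}
-
-pkg_setup() {
- # For the conversion to having it in CONFIG_PROTECT_MASK,
- # we need to tell users about it once manually first.
- [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
- || ewarn "You should run update-ca-certificates manually after etc-update"
-}
-
-src_unpack() {
- ${PRECOMPILED} || default
-
- # Do all the work in the image subdir to avoid conflicting with source
- # dirs in $WORKDIR. Need to perform everything in the offset #381937
- mkdir -p "image/${EPREFIX}"
- cd "image/${EPREFIX}" || die
-
- ${PRECOMPILED} && unpacker_src_unpack
-}
-
-src_prepare() {
- cd "image/${EPREFIX}" || die
- if ! ${PRECOMPILED} ; then
- mkdir -p usr/sbin
- cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
-
- if use cacert ; then
- pushd "${S}"/nss-${NSS_VER} >/dev/null
- eapply -p0 "${DISTDIR}"/nss-cacert-class1-class3.patch
- popd >/dev/null
- fi
- fi
-
- default
- eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
- local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
- sed -i \
- -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
- -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
- -e 's/openssl rehash/c_rehash/' \
- usr/sbin/update-ca-certificates || die
-}
-
-src_compile() {
- cd "image/${EPREFIX}" || die
- if ! ${PRECOMPILED} ; then
- python_setup
- local d="${S}/${PN}/mozilla" c="usr/share/${PN}"
- # Grab the database from the nss sources.
- cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
- emake -C "${d}"
-
- # Now move the files to the same places that the precompiled would.
- mkdir -p etc/ssl/certs etc/ca-certificates/update.d "${c}"/mozilla
- if use cacert ; then
- mkdir -p "${c}"/cacert.org
- mv "${d}"/CAcert_Inc..crt "${c}"/cacert.org/cacert.org_root.crt || die
- fi
- mv "${d}"/*.crt "${c}"/mozilla/ || die
- else
- mv usr/share/doc/{ca-certificates,${PF}} || die
- fi
-
- (
- echo "# Automatically generated by ${CATEGORY}/${PF}"
- echo "# $(date -u)"
- echo "# Do not edit."
- cd "${c}"
- find * -name '*.crt' | LC_ALL=C sort
- ) > etc/ca-certificates.conf
-
- sh usr/sbin/update-ca-certificates --root "${S}/image" || die
-}
-
-src_install() {
- cp -pPR image/* "${D}"/ || die
- if ! ${PRECOMPILED} ; then
- cd ca-certificates
- doman sbin/*.8
- dodoc debian/README.* examples/ca-certificates-local/README
- fi
-
- echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
- doenvd 98ca-certificates
-}
-
-pkg_postinst() {
- if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
- # if the user has local certs, we need to rebuild again
- # to include their stuff in the db.
- # However it's too overzealous when the user has custom certs in place.
- # --fresh is to clean up dangling symlinks
- "${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
- fi
-
- if [ -n "$(find -L "${EROOT}"etc/ssl/certs/ -type l)" ] ; then
- ewarn "Removing the following broken symlinks:"
- ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
- fi
-}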
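--- a/app-misc/ca-certificates/metadata.xml
+++ b/app-misc/ca-certificates/metadata.xml
@@ -10,8 +10,5 @@
 Include root certificates from CAcert (http://www.cacert.org/) and Software
 in the Public Interest (http://www.spi-inc.org/)
 </flag>
- <flag name="insecure_certs">
- Install certificates which are known to be untrustworthy.
- </flag>
 </use>
 </pkgmetadata>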