Hello community,

here is the log from the commit of package ca-certificates for openSUSE:Factory checked in at 2013-07-03 10:11:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ca-certificates (Old)
 and      /work/SRC/openSUSE:Factory/.ca-certificates.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ca-certificates" Changes: -------- --- /work/SRC/openSUSE:Factory/ca-certificates/ca-certificates.changes 2013-06-25 17:20:12.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ca-certificates.new/ca-certificates.changes 2013-07-03 10:11:38.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Jun 27 16:17:51 UTC 2013 - [email protected] + +- disable generating ca-bundle for now again so people don't submit + new packages that use this file. + +------------------------------------------------------------------- @@ -5,0 +12,5 @@ + +------------------------------------------------------------------- +Mon Jun 24 12:46:30 UTC 2013 - [email protected] + +- update manpage Old: ---- ca-certificates-1_201306200949.tar.xz New: ---- ca-certificates-1_201307011044.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ca-certificates.spec ++++++ --- /var/tmp/diff_new_pack.BydYCo/_old 2013-07-03 10:11:38.000000000 +0200 +++ /var/tmp/diff_new_pack.BydYCo/_new 2013-07-03 10:11:38.000000000 +0200 @@ -16,6 +16,12 @@ # +# the ca bundle file was meant as compat option for e.g. +# proprietary packages. Now that I see it abused in free software +# packages that can be trivially patched to do the right thing I'm +# disabling this for now again. +%bcond_with cabundle + BuildRequires: openssl BuildRequires: p11-kit-devel @@ -23,7 +29,7 @@ %define ssletcdir %{_sysconfdir}/ssl %define cabundle /var/lib/ca-certificates/ca-bundle.pem %define sslcerts %{ssletcdir}/certs -Version: 1_201306200949 +Version: 1_201307011044 Release: 0 Summary: Utilities for system wide CA certificate installation License: GPL-2.0+ @@ -57,6 +63,9 @@ %build %install +%if %{without cabundle} +rm -f certbundle.run +%endif %make_install install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist} install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist} 
@@ -65,9 +74,11 @@ install -d m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d install -d m 755 %{buildroot}/var/lib/ca-certificates/pem install -d m 755 %{buildroot}/var/lib/ca-certificates/openssl +%if %{with cabundle} install -D -m 644 /dev/null %{buildroot}/%{cabundle} -install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem +%endif +install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts %post if [ -s /etc/ca-certificates.conf ]; then @@ -104,8 +115,6 @@ %dir %{trustdir_static}/anchors %dir %{trustdir_static}/blacklist %dir /etc/ssl/certs -%{ssletcdir}/ca-bundle.pem -%ghost %{cabundle} %ghost /var/lib/ca-certificates/java-cacerts %dir /etc/ca-certificates %dir /etc/ca-certificates/update.d @@ -117,8 +126,13 @@ %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* %{_prefix}/lib/ca-certificates/update.d/java.run -%{_prefix}/lib/ca-certificates/update.d/certbundle.run %{_prefix}/lib/ca-certificates/update.d/etc_ssl.run %{_prefix}/lib/ca-certificates/update.d/openssl.run +# +%if %{with cabundle} +%{ssletcdir}/ca-bundle.pem +%ghost %{cabundle} +%{_prefix}/lib/ca-certificates/update.d/certbundle.run +%endif %changelog ++++++ ca-certificates-1_201306200949.tar.xz -> ca-certificates-1_201307011044.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ca-certificates-1_201306200949/update-ca-certificates.8 new/ca-certificates-1_201307011044/update-ca-certificates.8 --- old/ca-certificates-1_201306200949/update-ca-certificates.8 2013-06-20 09:49:53.000000000 +0200 +++ new/ca-certificates-1_201307011044/update-ca-certificates.8 2013-07-01 10:44:11.000000000 +0200 
@@ -21,24 +21,22 @@ .B update-ca-certificates .RI [ options ] .SH DESCRIPTION -\fBupdate-ca-certificates\fP updates the directory -/etc/ssl/certs to hold SSL certificates and generates /etc/ssl/ca-bundle.pem, -a concatenated single-file list of certificates. +\fBupdate-ca-certificates\fP is intended to keep the certificate stores of +various components in sync with the system CA certificates. .PP -It reads the file /etc/ca-certificates.conf. Each line gives a pathname of -a CA certificate under /usr/share/ca-certificates that should be trusted. -Lines that begin with "#" are comment lines and thus ignored. -Lines that begin with "!" are deselected, causing the deactivation -of the CA certificate in question. All certificates are implicitly -trusted if no trusted certificates are listed. +The canonical source of CA certificates is what p11-kit knows about. +By default p11-kit looks into /usr/share/pki/anchors +resp /etc/pki/trust/anchors but there could be other plugins that +serve as source for certificates as well. .PP -Furthermore all certificates found below /usr/local/share/ca-certificates -are also included as implicitly trusted. +To blacklist certificates symlinks to the respective certificates +can be placed in /etc/pki/trust/blacklist .PP -After populating /etc/ssl/certs \fBupdate-ca-certificates\fP invokes +\fBupdate-ca-certificates\fP invokes custom hooks in /usr/lib/ca-certificates/update.d/*.run and -/etc/ca-certificates/update.d/*.run. The command line options used -for invoking update-ca-certificates are passed to the hooks as well. +/etc/ca-certificates/update.d/*.run to generate various certificate storages as +used by differnt programs. The command line options used for invoking +update-ca-certificates are passed to the hooks as well. .SH OPTIONS A summary of options is included below. .TP 
@@ -49,25 +47,19 @@ Be verbose. Output \fBc_rehash\fP. .TP .B \-f, \-\-fresh -Fresh updates. Removes symlinks in /etc/ssl/certs directory and -re-creates them from scratch. +Fresh updates. Don't update stores incrementally but create from scratch. .SH FILES .TP -.I /etc/ca-certificates.conf -A configuration file. +.I /usr/share/pki/trust/anchors +Directory of CA certificate trust anchors. .TP -.I /etc/ssl/ca-bundle.pem -A single-file version of all CA certificates. Use of this file is -deprecated and should only be used as last resort by applications -that cannot parse the /etc/ssl/certs directory. -.TP -.I /usr/share/ca-certificates -Directory of CA certificates. -.I /usr/local/share/ca-certificates -Directory of local CA certificates. +.I /usr/share/pki/trust/blacklist +Directory of blacklisted CA certificates +.TP +.I /etc/pki/trust/anchors +Directory of CA certificate trust anchors for use by the admin +.TP +.I /etc/pki/trust/anchors +Directory of blacklisted CA certificates for use by the admin .SH SEE ALSO .BR c_rehash (1), -.SH AUTHOR -This manual page was written by Fumitoshi UKAI <[email protected]>, -for the Debian project and modified by Ludwig Nussel -<[email protected]>. -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
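Review bot: in the %install hunks of ca-certificates.spec (@@ -57,6 +63,9 @@ and @@ -65,9 +74,11 @@), the context lines next to the new %if blocks read "install -d m 755 %{buildroot}..." with no dash before "m". install therefore treats "m" and "755" as additional directories to create and never applies the intended mode to the trust directories. Since this change already touches the section, correct them to "install -d -m 755 ...".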
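Review bot: in the %files hunk of ca-certificates.spec (@@ -117,8 +126,13 @@), the default build (%bcond_with cabundle, so cabundle is off) no longer lists %{ssletcdir}/ca-bundle.pem or the %ghost %{cabundle} entry, but the .changes entry only says "disable generating ca-bundle". Please state in the changelog that the /etc/ssl/ca-bundle.pem symlink is no longer packaged, so maintainers of packages that still read that path know it is going away and not merely left unrefreshed. The bare "#" line ahead of "%if %{with cabundle}" carries no text and can be dropped or turned into a real comment.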
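Review bot: in the DESCRIPTION hunk of update-ca-certificates.8 (@@ -21,24 +21,22 @@), the default system anchor directory is given as /usr/share/pki/anchors, while the FILES section added later in the same patch uses /usr/share/pki/trust/anchors. One of the two is wrong; make the DESCRIPTION agree with FILES (and with the /etc/pki/trust/anchors path on the next line). In the same paragraph, "differnt" should be "different" and "resp" is better spelled out as "and" or "respectively".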
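Review bot: in the FILES hunk of update-ca-certificates.8 (@@ -49,25 +47,19 @@), /etc/pki/trust/anchors is listed twice, the second time described as "Directory of blacklisted CA certificates for use by the admin". The DESCRIPTION names /etc/pki/trust/blacklist for that purpose, so the last ".I" entry should be /etc/pki/trust/blacklist. As written, the page tells an admin to place blacklist entries in the trust anchor directory. Also, with the AUTHOR section removed, ".BR c_rehash (1)," is now the last line and ends in a dangling comma.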
