On Sun, Apr 10, 2016 at 12:49:34 +0200, Mehdi Dogguy wrote: > Package: release.debian.org > Severity: normal > Tags: jessie > User: [email protected] > Usertags: pu > > Hi, > > Following a recommendation from the Security team[1], I'd like to update > Opam in Jessie to fix #818081. > > Please find attached my diff. > > [1] https://lists.debian.org/debian-ocaml-maint/2016/04/msg00012.html > > -- System Information: > Debian Release: stretch/sid > APT prefers testing > APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') > Architecture: amd64 (x86_64) > > Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system)
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +opam (1.2.0-1+deb8u1) jessie; urgency=medium
> +
> + * Stop using insecure and no-check-certificate flags when fetching
> + files using wget and curl.
> +
Missing "closes:"? Cheers, Julien
> + -- Mehdi Dogguy <[email protected]> Sun, 10 Apr 2016 12:27:13 +0200
> +
> opam (1.2.0-1) unstable; urgency=medium
>
> * New upstream release.
> --- a/debian/gbp.conf
> +++ b/debian/gbp.conf
> @@ -1,4 +1,6 @@
> [DEFAULT]
> +debian-branch = "debian/jessie"
> +upstream-branch = "upstream/1.2.0"
> pristine-tar = True
> filter-pristine-tar = True
> filter = [
> --- /dev/null
> +++ b/debian/patches/0003-remove-insecure-no-check-certificate-flags.patch
> @@ -0,0 +1,30 @@
> +From: Mehdi Dogguy <[email protected]>
> +Date: Sun, 10 Apr 2016 12:26:17 +0200
> +Subject: remove insecure / no-check-certificate flags
> +
> +---
> + src/core/opamSystem.ml | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/core/opamSystem.ml b/src/core/opamSystem.ml
> +index a8e3168..c4151e9 100644
> +--- a/src/core/opamSystem.ml
> ++++ b/src/core/opamSystem.ml
> +@@ -597,7 +597,7 @@ let download_command =
> + let wget ~compress:_ src =
> + let wget = [
> + "wget";
> +- "--content-disposition"; "--no-check-certificate";
> ++ "--content-disposition";
> + "-t"; retry;
> + src
> + ] in
> +@@ -605,7 +605,7 @@ let download_command =
> + let curl command ~compress src =
> + let curl = [
> + command;
> +- "--write-out"; "%{http_code}\\n"; "--insecure";
> ++ "--write-out"; "%{http_code}\\n";
> + "--retry"; retry; "--retry-delay"; "2";
> + ] @ (if compress then ["--compressed"] else []) @ [
> + "-OL"; src
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1,2 +1,3 @@
> 0001-Fix-some-spelling-errors.patch
> 0002-Import-uutf-and-jsonm-temporarily.patch
> +0003-remove-insecure-no-check-certificate-flags.patch
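Review bot: Once `--no-check-certificate` and `--insecure` are gone from the wget and curl argument lists (the nested opamSystem.ml hunks at -597 and -605), every HTTPS fetch depends on a usable CA store, and nothing in this debdiff shows the package pulling in `ca-certificates` or telling users about the change. debian/control is not part of the diff, so this may already be covered; if it is not, a `Recommends: ca-certificates` and a short debian/NEWS entry would stop a stable update from surfacing as unexplained download failures on minimal installs or with repositories on self-signed hosts. The curl list also still ends in `"-OL"`, so redirects are followed and verification only protects the HTTPS hops; a comment above the list such as `(* certificates are verified, but -L can still follow a redirect to plain http *)` would record that limit. download_command starts and ends outside both nested hunks, so any later handling of the fetched file is not visible here.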

