Can you please explain why you are removing the packaging changelog history? 
Without the changelog there is no way to know what exactly happened if 
something goes wrong. History should not be changed, even if you are reverting 
to an older version. Or do you have something else in mind?

Anas



On 2010-12-23, at 8:47 AM, Yan Li wrote:

> Hi,
> I have made the following changes to gnupg2 in project Trunk:Testing. Please 
> review and accept ASAP.
> 
> Thank You,
> Yan Li
> 
> [This message was auto-generated]
> 
> ---
> 
> Request #11222:
> 
>  submit:   home:yanli:variant/gnupg2(r2) -> Trunk:Testing/gnupg2
> 
> 
> Message:
>    Use version 2.0.4
> 
> State:   new          2010-12-23T00:47:35 yanli
> Comment: None
> 
> 
> 
> changes files:
> --------------
> --- gnupg2.changes
> +++ gnupg2.changes
> @@ -1,2 +1,2 @@
> -* Tue Dec 21 2010 Ye Gang <[email protected]> 2.0.14-1
> -- Add a patch to fix BMC #11641
> +* Tue Aug 31 2010 Yan Li <[email protected]> - 2.0.4
> +- Fixed CVE-2010-2547: gnupg_bmc5114_cve_2010_2547.patch (BMC#5114)
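
Review bot: The new top entry in gnupg2.changes is dated Tue Aug 31 2010, older than the Dec 21 2010 entry it replaces, and nothing in the file records that the package moves from 2.0.14-1 back to 2.0.4. Add a fresh entry on top, dated with this submission, that states the revert and its reason, and keep the "Add a patch to fix BMC #11641" entry below it so it stays visible whether that fix is still needed against 2.0.4.
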
> @@ -4,2 +4,2 @@
> -* Thu Feb 02 2010 Passion Zhao <[email protected]> - 2.0.14-1
> -- Add the gnupg-2.0.14.tar.bz2.sig
> +* Wed Jul  7 2010 Yan Li <[email protected]> - 2.0.4
> +- Initial import into MeeGo, spectacle used
> @@ -7,21 +6,0 @@
> -* Wed Jan 27 2010 Passion Zhao <[email protected]> - 2.0.14-1
> -- Update to 2.0.14
> -
> -* Sun Dec 20 2009 Peter Zhu <[email protected]> - 2.0.13-1
> -- remove conflict files with 1.x
> -- remnove rpmlint error
> -
> -* Mon Sep 07 2009 Passion Zhao <[email protected]> - 2.0.13-1
> -- Upgrade to 2.0.13
> -
> -* Mon May 25 2009 Anas Nashif <[email protected]> 2.0.11
> -- Fixed ChangeLog
> -
> -* Fri Mar 14 2009 Passion Zhao <[email protected]> 2.0.11
> -- Update to 2.0.11
> -
> -* Wed Dec 17 2008 Arjan van de Ven <[email protected]> 2.0.9
> -- Create standardized spec file
> -
> -* Mon Sep 22 2008 Yin Kangkai <[email protected]> 2.0.9-2
> -- fixed install-info warnings
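
Review bot: The 21 lines removed at the bottom of gnupg2.changes (entries from Sep 22 2008 through Jan 27 2010) should stay in the file; a version revert is itself a packaging event and belongs on top of the existing history, not in place of it. As submitted, the changelog presents Jul 7 2010 as the "Initial import into MeeGo" although the removed entries show earlier packaging work on gnupg2, including the updates to 2.0.11, 2.0.13 and 2.0.14.
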
> 
> old:
> ----
>  gnupg-2.0.14.tar.bz2
>  gnupg-2.0.14.tar.bz2.sig
>  gnupg-CVE-2010-2547.patch
>  gnupg2.desc
>  gnupg2.files
>  gnupg2.ini
> 
> new:
> ----
>  gnupg-2.0.4.tar.bz2
>  gnupg-2.0.4.tar.bz2.sig
>  gnupg-2_0_4-curl_easy_setopt_para_error.patch
>  gnupg2.yaml
>  gnupg_bmc5114_cve_2010_2547.patch
> 
> spec files:
> -----------
> --- gnupg2.spec
> +++ gnupg2.spec
> @@ -1,37 +1,35 @@
> -###############################################
> -# Do not Edit! Generated by:
> -# spec-builder version 0.13
> -###############################################
> +# 
> +# Do NOT Edit the Auto-generated Part!
> +# Generated by: spectacle version 0.19
> +# 
> +# >> macros
> +# << macros
> 
> Name: gnupg2
> Summary: Utility for secure communication and data storage
> +Version:    2.0.4
> +Release:    1
> +Epoch:      1
> Group: Applications/System
> -Version: 2.0.14
> -License: GPLv3+
> +License:    GPLv2+
> URL: http://www.gnupg.org/download/index.en.html
> -Release: 1
> Source0: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
> -
> -Patch101: gnupg-CVE-2010-2547.patch
> -
> -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
> -
> +Source100:  gnupg2.yaml
> +Patch0:     gnupg-2_0_4-curl_easy_setopt_para_error.patch
> +Patch1:     gnupg_bmc5114_cve_2010_2547.patch
> BuildRequires: pkgconfig(libcurl)
> BuildRequires: pkgconfig(libusb)
> -
> +BuildRequires:  pkgconfig(libgcrypt)
> +BuildRequires:  pkgconfig(ncurses)
> BuildRequires: bzip2-devel
> BuildRequires: gettext
> BuildRequires: libassuan-devel >= 1.0.4
> -BuildRequires: libgcrypt-devel >= 1.2.2
> BuildRequires: libgpg-error-devel
> -BuildRequires: libksba-devel >= 1.0.2
> +BuildRequires:  libksba-devel
> BuildRequires: pth-devel
> BuildRequires: readline-devel
> -BuildRequires: ncurses-devel
> BuildRequires: zlib-devel
> 
> -Requires(post): /sbin/install-info
> -Requires(postun): /sbin/install-info
> 
> %description
> GnuPG is GNU's tool for secure communication and data storage.  It can
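
Review bot: Version drops from 2.0.14 to 2.0.4 while Epoch: 1 is introduced so that the older version sorts as newer, and the request message ("Use version 2.0.4") gives no reason for either. An epoch cannot be dropped again once it has been published, so please state why the downgrade is needed and whether any upstream fixes made between 2.0.4 and 2.0.14, other than the CVE-2010-2547 patch carried as Patch1, have to be backported.
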
> @@ -39,9 +37,11 @@
> an advanced key management facility and is compliant with the proposed
> OpenPGP Internet standard as described in RFC2440 and the S/MIME
> standard as described by several RFCs.
> +
> GnuPG 2.0 is the stable version of GnuPG integrating support for
> OpenPGP and S/MIME.  It does not conflict with an installed 1.x
> OpenPGP-only version.
> +
> GnuPG 2.0 is a newer version of GnuPG with additional support for
> S/MIME.  It has a different design philosophy that splits
> functionality up into several modules.  Both versions may be installed
> @@ -51,62 +51,47 @@
> caching.  The advantage of GnupG 1.x is its smaller size and no
> dependency on other modules at run and build time.
> 
> +
> +
> +
> %prep
> %setup -q -n gnupg-%{version}
> 
> -%patch101 -p1 -b .gnupg-CVE-2010-2547
> +# gnupg-2_0_4-curl_easy_setopt_para_error.patch
> +%patch0 -p1
> +# gnupg_bmc5114_cve_2010_2547.patch
> +%patch1 -p1
> +# >> setup
> +# << setup
> 
> %build
> -%configure --disable-static
> +# >> build pre
> +# << build pre
> 
> -make %{?_smp_mflags}
> +%configure --disable-static
> +make %{?jobs:-j%jobs}
> 
> +# >> build post
> +# << build post
> %install
> rm -rf %{buildroot}
> +# >> install pre
> +# << install pre
> +%make_install 
> +
> +# >> install post
> +# << install post
> +%find_lang gnupg2
> 
> -make install DESTDIR=%{buildroot} \
> -  INSTALL="install -p" \
> -  docdir=%{_docdir}/%{name}-%{version}
> -
> -%find_lang %{name}
> -
> -# gpgconf.conf
> -mkdir -p %{buildroot}%{_sysconfdir}/gnupg
> -touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf
> -
> -# more docs
> -install -m644 -p AUTHORS COPYING ChangeLog NEWS THANKS TODO \
> -  %{buildroot}%{_docdir}/%{name}-%{version}/
> -
> -## Unpackaged files
> -# file conflicts with gnupg-1.x
> -# shouldn't gnupg2 be providing these now (maybe only f11+)? -- Rex
> -rm -f %{buildroot}%{_bindir}/{gpgsplit,gpg-zip}
> -rm -f %{buildroot}%{_mandir}/man1/gpg-zip.1*
> 
> -# info dir
> -rm -f %{buildroot}%{_infodir}/dir
> 
> -%clean
> -rm -rf %{buildroot}
> 
> -%post 
> -if [ -e %{_infodir}/gnupg2.info.gz ]; then
> -     /sbin/install-info %{_infodir}/gnupg2.info.gz %{_infodir}/dir
> -fi
> -
> -%postun 
> -if [ $1 = 0 ] && [ -e %{_infodir}/gnupg2.info.gz ]; then
> -     /sbin/install-info --delete %{_infodir}/gnupg2.info.gz %{_infodir}/dir
> 
> -fi
> 
> %files -f gnupg2.lang
> %defattr(-,root,root,-)
> -#%doc AUTHORS COPYING ChangeLog NEWS README THANKS TODO
> -%{_docdir}/%{name}-%{version}/
> -%dir %{_sysconfdir}/gnupg
> -%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
> +# >> files
> +%doc AUTHORS COPYING ChangeLog NEWS README THANKS TODO
> %{_bindir}/gpg2
> %{_bindir}/gpgv2
> %{_bindir}/gpg-connect-agent
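
Review bot: The %install section no longer removes %{_bindir}/{gpgsplit,gpg-zip} and the gpg-zip man page, which the old spec commented as "file conflicts with gnupg-1.x", while %description still says the package does not conflict with an installed 1.x version; the rm of %{_infodir}/dir is gone as well. Please confirm that the 2.0.4 build does not install these files, or keep the rm lines between the "# >> install post" and "# << install post" markers. The %post/%postun install-info scriptlets are also dropped although %files still ships %{_infodir}/*.info*, so the info directory is no longer updated on install or removal.
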
> @@ -123,3 +108,6 @@
> %{_libexecdir}/*
> %doc %{_infodir}/*.info*
> %doc %{_mandir}/man?/*
> +# << files
> +
> +
> 
> other changes:
> --------------
> 
> ++++++ Makefile
> --- Makefile
> +++ Makefile
> @@ -1,11 +1,6 @@
> -PKGNAME = gnupg2
> +PKG_NAME := gnupg2
> +SPECFILE = $(addsuffix .spec, $(PKG_NAME))
> +YAMLFILE = $(addsuffix .yaml, $(PKG_NAME))
> 
> -${PKGNAME}.spec: ${PKGNAME}.ini *.files
> -     spec-builder ${PKGNAME}.ini > ${PKGNAME}.spec
> -
> -clean:
> -     rm -f *.spec
> -
> -build: ${PKGNAME}.spec
> -     osc build
> +include /usr/share/meego-packaging-tools/Makefile.common
> 
> 
> ++++++ gnupg-2.0.14.tar.bz2 -> gnupg-2.0.4.tar.bz2
> 529811 lines of diff (skipped)
> 
> ++++++ gnupg-2.0.14.tar.bz2.sig -> gnupg-2.0.4.tar.bz2.sig
> !!! gnupg-2.0.14.tar.bz2.sig and gnupg-2.0.4.tar.bz2.sig differ
> 
> ++++++ gnupg-2_0_4-curl_easy_setopt_para_error.patch (new)
> --- gnupg-2_0_4-curl_easy_setopt_para_error.patch
> +++ gnupg-2_0_4-curl_easy_setopt_para_error.patch
> +This patch fixed a parameter error when calling
> +curl_easy_setopt(). GCC doesn't allow using typeof() on bit fields
> +now.
> +
> +Written by Yan Li under the instruction of Yang Yi <[email protected]>.
> +
> +Signed-off-by: Yan Li <[email protected]>
> +---
> +diff -Nur gnupg-2.0.4.orig/keyserver/gpgkeys_curl.c 
> gnupg-2.0.4/keyserver/gpgkeys_curl.c
> +--- gnupg-2.0.4.orig/keyserver/gpgkeys_curl.c        2007-03-19 
> 21:49:36.000000000 +0800
> ++++ gnupg-2.0.4/keyserver/gpgkeys_curl.c     2010-07-09 12:00:35.000000000 
> +0800
> +@@ -302,7 +302,7 @@
> +       curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
> +     }
> + 
> +-  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
> ++  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(unsigned 
> int)opt->flags.check_cert);
> +   curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
> + 
> +   if(proxy)
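
Review bot: The cast added on the CURLOPT_SSL_VERIFYPEER line should be (long), not (unsigned int). libcurl documents this option as taking a long, and curl_easy_setopt() is variadic, so an int-sized argument is not what the library reads on platforms where long is wider than int. Because this option decides whether the keyserver's TLS certificate is verified, pass (long)opt->flags.check_cert. The same applies to the literal 1 passed for CURLOPT_VERBOSE in the context line above, which would be 1L.
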
> 
> ++++++ gnupg2.yaml (new)
> --- gnupg2.yaml
> +++ gnupg2.yaml
> +Name: gnupg2
> +Summary: Utility for secure communication and data storage
> +Version: 2.0.4
> +Release: 1
> +Epoch: 1
> +Group: Applications/System
> +License: GPLv2+
> +URL: http://www.gnupg.org/download/index.en.html
> +Sources:
> +    - ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
> +Patches:
> +    - gnupg-2_0_4-curl_easy_setopt_para_error.patch
> +    - gnupg_bmc5114_cve_2010_2547.patch
> +Description: |
> +    GnuPG is GNU's tool for secure communication and data storage.  It can
> +    be used to encrypt data and to create digital signatures.  It includes
> +    an advanced key management facility and is compliant with the proposed
> +    OpenPGP Internet standard as described in RFC2440 and the S/MIME
> +    standard as described by several RFCs.
> +    
> +    GnuPG 2.0 is the stable version of GnuPG integrating support for
> +    OpenPGP and S/MIME.  It does not conflict with an installed 1.x
> +    OpenPGP-only version.
> +    
> +    GnuPG 2.0 is a newer version of GnuPG with additional support for
> +    S/MIME.  It has a different design philosophy that splits
> +    functionality up into several modules.  Both versions may be installed
> +    simultaneously without any conflict (gpg is called gpg2 in GnuPG 2).
> +    In fact, the gpg version from GnuPG 1.x is able to make use of the
> +    gpg-agent as included in GnuPG 2 and allows for seamless passphrase
> +    caching.  The advantage of GnupG 1.x is its smaller size and no
> +    dependency on other modules at run and build time.
> +
> +PkgBR:
> +    - bzip2-devel
> +    - gettext
> +    - libassuan-devel >= 1.0.4
> +    - libgpg-error-devel
> +    - libksba-devel
> +    - pth-devel
> +    - readline-devel
> +    - zlib-devel
> +PkgConfigBR:
> +    - libcurl
> +    - libusb
> +    - libgcrypt
> +    - ncurses
> +Configure: configure
> +LocaleName: gnupg2
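
Review bot: PkgConfigBR lists libgcrypt and ncurses without a version and PkgBR lists libksba-devel bare, whereas the previous spec required libgcrypt-devel >= 1.2.2 and libksba-devel >= 1.0.2. If 2.0.4 still needs those minimums, carry them over in the same form as the "libassuan-devel >= 1.0.4" line, so that a build against an older crypto library fails at dependency resolution and not later. License also changes from GPLv3+ to GPLv2+; please confirm that against the COPYING file in the 2.0.4 tarball.
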
> 
> ++++++ gnupg_bmc5114_cve_2010_2547.patch (new)
> --- gnupg_bmc5114_cve_2010_2547.patch
> +++ gnupg_bmc5114_cve_2010_2547.patch
> +From 615c1f037bfd3dbc8e748e5cb8b9c9fce354f07c Mon Sep 17 00:00:00 2001
> +Message-Id: 
> <615c1f037bfd3dbc8e748e5cb8b9c9fce354f07c.1283230685.git.yan.i...@intel.com>
> +From: Yan Li <[email protected]>
> +Date: Tue, 31 Aug 2010 12:56:49 +0800
> +Subject: [PATCH] CVE-2010-2547 Remote attack to cause DoS or arbitrary code 
> execution via crafted certificate (BMC#5114)
> +
> +
> +Signed-off-by: Yan Li <[email protected]>
> +---
> + kbx/keybox-blob.c |    1 +
> + 1 files changed, 1 insertions(+), 0 deletions(-)
> +
> +diff --git a/kbx/keybox-blob.c b/kbx/keybox-blob.c
> +index 0aa2a0e..c1b7730 100644
> +--- a/kbx/keybox-blob.c
> ++++ b/kbx/keybox-blob.c
> +@@ -887,6 +887,7 @@ _keybox_create_x509_blob (KEYBOXBLOB *r_blob, 
> ksba_cert_t cert,
> +               rc = gpg_error (gpg_err_code_from_errno (errno));
> +               goto leave;
> +             }
> ++          names = tmp;
> +         }
> +       names[blob->nuids++] = p;
> +       if (!i && (p=x509_email_kludge (p)))
> +-- 
> +1.7.1
> +
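
Review bot: The commit message body of gnupg_bmc5114_cve_2010_2547.patch is empty, so the only explanation for the one-line fix (names = tmp; in _keybox_create_x509_blob) is the subject line. Please describe the defect in the body: from the visible context, names[blob->nuids++] = p would otherwise be written through the old names pointer, with tmp assigned above the shown lines, presumably by the reallocation whose error path ends in "goto leave". The request also deletes gnupg-CVE-2010-2547.patch and adds this file under a new name, so state whether the two carry the same change.
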
> 
> ++++++ deleted files:
> --- gnupg-CVE-2010-2547.patch
> --- gnupg2.desc
> --- gnupg2.files
> --- gnupg2.ini
> 
> _______________________________________________
> MeeGo-commits mailing list
> [email protected]
> http://lists.meego.com/listinfo/meego-commits

_______________________________________________
MeeGo-packaging mailing list
[email protected]
http://lists.meego.com/listinfo/meego-packaging
