On 2010-12-23, at 9:48 AM, Carsten Munk wrote:
>
> ----- Original message -----
>> Can you please explain why you are removing the packaging changelog
>> history? Without the changelog there is no way to know what exactly
>> happened if something goes wrong. History should not be changed, even if
>> you are reverting to an older version. Or do you have something else in
>> mind?
>>
>> Anas
>>
>
> Do we have a decision from someone about what packages will be downgraded
> because of GPLv3, just to keep track?
>
> (am not protesting the downgrade, it will be interesting to see if things
> work properly and how security fixes from later versions will be handled and
> consequence for stuff like binutils and gcc)
>
> Even a metabug would be good :)
Yes exactly, we need a 'dummy' bug :)

<rant> Most of my package changes recently took much less time than creating the associated bug. </rant>

Anas

>
> /Carsten
>
>>
>>
>> On 2010-12-23, at 8:47 AM, Yan Li wrote:
>>
>>> Hi,
>>> I have made the following changes to gnupg2 in project Trunk:Testing.
>>> Please review and accept ASAP.
>>>
>>> Thank You,
>>> Yan Li
>>>
>>> [This message was auto-generated]
>>>
>>> ---
>>>
>>> Request #11222:
>>>
>>> submit: home:yanli:variant/gnupg2(r2) -> Trunk:Testing/gnupg2
>>>
>>>
>>> Message:
>>> Use version 2.0.4
>>>
>>> State: new 2010-12-23T00:47:35 yanli
>>> Comment: None
>>>
>>>
>>>
>>> changes files:
>>> --------------
>>> --- gnupg2.changes
>>> +++ gnupg2.changes
>>> @@ -1,2 +1,2 @@ >>> -* Tue Dec 21 2010 Ye Gang <[email protected]> 2.0.14-1 >>> -- Add a patch to fix BMC #11641 >>> +* Tue Aug 31 2010 Yan Li <[email protected]> - 2.0.4 >>> +- Fixed CVE-2010-2547: gnupg_bmc5114_cve_2010_2547.patch (BMC#5114) >>> @@ -4,2 +4,2 @@ >>> -* Thu Feb 02 2010 Passion Zhao <[email protected]> - 2.0.14-1 >>> -- Add the gnupg-2.0.14.tar.bz2.sig >>> +* Wed Jul 7 2010 Yan Li <[email protected]> - 2.0.4 >>> +- Initial import into MeeGo, spectacle used 
>>> @@ -7,21 +6,0 @@ >>> -* Wed Jan 27 2010 Passion Zhao <[email protected]> - 2.0.14-1 >>> -- Update to 2.0.14 >>> - >>> -* Sun Dec 20 2009 Peter Zhu <[email protected]> - 2.0.13-1 >>> -- remove conflict files with 1.x >>> -- remnove rpmlint error >>> - >>> -* Mon Sep 07 2009 Passion Zhao <[email protected]> - 2.0.13-1 >>> -- Upgrade to 2.0.13 >>> - >>> -* Mon May 25 2009 Anas Nashif <[email protected]> 2.0.11 >>> -- Fixed ChangeLog >>> - >>> -* Fri Mar 14 2009 Passion Zhao <[email protected]> 2.0.11 >>> -- Update to 2.0.11 >>> - >>> -* Wed Dec 17 2008 Arjan van de Ven <[email protected]> 2.0.9 >>> -- Create standardized spec file >>> - >>> -* Mon Sep 22 2008 Yin Kangkai <[email protected]> 2.0.9-2 >>> -- fixed install-info warnings >>> >>> old: >>> ---- >>> gnupg-2.0.14.tar.bz2 >>> gnupg-2.0.14.tar.bz2.sig >>> gnupg-CVE-2010-2547.patch >>> gnupg2.desc >>> gnupg2.files >>> gnupg2.ini >>> >>> new: >>> ---- >>> gnupg-2.0.4.tar.bz2 >>> gnupg-2.0.4.tar.bz2.sig >>> gnupg-2_0_4-curl_easy_setopt_para_error.patch >>> gnupg2.yaml >>> gnupg_bmc5114_cve_2010_2547.patch >>> >>> spec files: >>> ----------- >>> --- gnupg2.spec >>> +++ gnupg2.spec 
>>> @@ -1,37 +1,35 @@ >>> -############################################### >>> -# Do not Edit! Generated by: >>> -# spec-builder version 0.13 >>> -############################################### >>> +# >>> +# Do NOT Edit the Auto-generated Part! >>> +# Generated by: spectacle version 0.19 >>> +# >>> +# >> macros >>> +# << macros >>> >>> Name: gnupg2 >>> Summary: Utility for secure communication and data storage >>> +Version: 2.0.4 >>> +Release: 1 >>> +Epoch: 1 >>> Group: Applications/System >>> -Version: 2.0.14 >>> -License: GPLv3+ >>> +License: GPLv2+ >>> URL: http://www.gnupg.org/download/index.en.html >>> -Release: 1 >>> Source0: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2 >>> - >>> -Patch101: gnupg-CVE-2010-2547.patch >>> - >>> -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} >>> -n) - >>> +Source100: gnupg2.yaml >>> +Patch0: gnupg-2_0_4-curl_easy_setopt_para_error.patch >>> +Patch1: gnupg_bmc5114_cve_2010_2547.patch >>> BuildRequires: pkgconfig(libcurl) >>> BuildRequires: pkgconfig(libusb) >>> - >>> +BuildRequires: pkgconfig(libgcrypt) >>> +BuildRequires: pkgconfig(ncurses) >>> BuildRequires: bzip2-devel >>> BuildRequires: gettext >>> BuildRequires: libassuan-devel >= 1.0.4 >>> -BuildRequires: libgcrypt-devel >= 1.2.2 >>> BuildRequires: libgpg-error-devel >>> -BuildRequires: libksba-devel >= 1.0.2 >>> +BuildRequires: libksba-devel >>> BuildRequires: pth-devel >>> BuildRequires: readline-devel >>> -BuildRequires: ncurses-devel >>> BuildRequires: zlib-devel >>> >>> -Requires(post): /sbin/install-info >>> -Requires(postun): /sbin/install-info >>> >>> %description >>> GnuPG is GNU's tool for secure communication and data storage. It can 
>>> @@ -39,9 +37,11 @@ >>> an advanced key management facility and is compliant with the proposed >>> OpenPGP Internet standard as described in RFC2440 and the S/MIME >>> standard as described by several RFCs. >>> + >>> GnuPG 2.0 is the stable version of GnuPG integrating support for >>> OpenPGP and S/MIME. It does not conflict with an installed 1.x >>> OpenPGP-only version. >>> + >>> GnuPG 2.0 is a newer version of GnuPG with additional support for >>> S/MIME. It has a different design philosophy that splits >>> functionality up into several modules. Both versions may be installed 
>>> @@ -51,62 +51,47 @@ >>> caching. The advantage of GnupG 1.x is its smaller size and no >>> dependency on other modules at run and build time. >>> >>> + >>> + >>> + >>> %prep >>> %setup -q -n gnupg-%{version} >>> >>> -%patch101 -p1 -b .gnupg-CVE-2010-2547 >>> +# gnupg-2_0_4-curl_easy_setopt_para_error.patch >>> +%patch0 -p1 >>> +# gnupg_bmc5114_cve_2010_2547.patch >>> +%patch1 -p1 >>> +# >> setup >>> +# << setup >>> >>> %build >>> -%configure --disable-static >>> +# >> build pre >>> +# << build pre >>> >>> -make %{?_smp_mflags} >>> +%configure --disable-static >>> +make %{?jobs:-j%jobs} >>> >>> +# >> build post >>> +# << build post >>> %install >>> rm -rf %{buildroot} >>> +# >> install pre >>> +# << install pre >>> +%make_install >>> + >>> +# >> install post >>> +# << install post >>> +%find_lang gnupg2 >>> >>> -make install DESTDIR=%{buildroot} \ >>> - INSTALL="install -p" \ >>> - docdir=%{_docdir}/%{name}-%{version} >>> - >>> -%find_lang %{name} >>> - >>> -# gpgconf.conf >>> -mkdir -p %{buildroot}%{_sysconfdir}/gnupg >>> -touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf >>> - >>> -# more docs >>> -install -m644 -p AUTHORS COPYING ChangeLog NEWS THANKS TODO \ >>> - %{buildroot}%{_docdir}/%{name}-%{version}/ >>> - >>> -## Unpackaged files >>> -# file conflicts with gnupg-1.x >>> -# shouldn't gnupg2 be providing these now (maybe only f11+)? 
-- Rex >>> -rm -f %{buildroot}%{_bindir}/{gpgsplit,gpg-zip} >>> -rm -f %{buildroot}%{_mandir}/man1/gpg-zip.1* >>> >>> -# info dir >>> -rm -f %{buildroot}%{_infodir}/dir >>> >>> -%clean >>> -rm -rf %{buildroot} >>> >>> -%post >>> -if [ -e %{_infodir}/gnupg2.info.gz ]; then >>> - /sbin/install-info %{_infodir}/gnupg2.info.gz %{_infodir}/dir >>> -fi >>> - >>> -%postun >>> -if [ $1 = 0 ] && [ -e %{_infodir}/gnupg2.info.gz ]; then >>> - /sbin/install-info --delete %{_infodir}/gnupg2.info.gz >>> %{_infodir}/dir >>> >>> -fi >>> >>> %files -f gnupg2.lang >>> %defattr(-,root,root,-) >>> -#%doc AUTHORS COPYING ChangeLog NEWS README THANKS TODO >>> -%{_docdir}/%{name}-%{version}/ >>> -%dir %{_sysconfdir}/gnupg >>> -%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf >>> +# >> files >>> +%doc AUTHORS COPYING ChangeLog NEWS README THANKS TODO >>> %{_bindir}/gpg2 >>> %{_bindir}/gpgv2 >>> %{_bindir}/gpg-connect-agent >>> @@ -123,3 +108,6 @@ >>> %{_libexecdir}/* >>> %doc %{_infodir}/*.info* >>> %doc %{_mandir}/man?/* >>> +# << files >>> + >>> + >>> >>> other changes: >>> -------------- >>> >>> ++++++ Makefile >>> --- Makefile >>> +++ Makefile 
>>> @@ -1,11 +1,6 @@ >>> -PKGNAME = gnupg2 >>> +PKG_NAME := gnupg2 >>> +SPECFILE = $(addsuffix .spec, $(PKG_NAME)) >>> +YAMLFILE = $(addsuffix .yaml, $(PKG_NAME)) >>> >>> -${PKGNAME}.spec: ${PKGNAME}.ini *.files >>> - spec-builder ${PKGNAME}.ini > ${PKGNAME}.spec >>> - >>> -clean: >>> - rm -f *.spec >>> - >>> -build: ${PKGNAME}.spec >>> - osc build >>> +include /usr/share/meego-packaging-tools/Makefile.common >>> >>> >>> ++++++ gnupg-2.0.14.tar.bz2 -> gnupg-2.0.4.tar.bz2 >>> 529811 lines of diff (skipped) >>> >>> ++++++ gnupg-2.0.14.tar.bz2.sig -> gnupg-2.0.4.tar.bz2.sig >>> !!! gnupg-2.0.14.tar.bz2.sig and gnupg-2.0.4.tar.bz2.sig differ >>> >>> ++++++ gnupg-2_0_4-curl_easy_setopt_para_error.patch (new) >>> --- gnupg-2_0_4-curl_easy_setopt_para_error.patch >>> +++ gnupg-2_0_4-curl_easy_setopt_para_error.patch >>> +This patch fixed a parameter error when calling >>> +curl_easy_setopt(). GCC doesn't allow using typeof() on bit fields >>> +now. >>> + >>> +Written by Yan Li under the instruction of Yang Yi >>> <[email protected]>. 
+ >>> +Signed-off-by: Yan Li <[email protected]> >>> +--- >>> +diff -Nur gnupg-2.0.4.orig/keyserver/gpgkeys_curl.c >>> gnupg-2.0.4/keyserver/gpgkeys_curl.c +--- >>> gnupg-2.0.4.orig/keyserver/gpgkeys_curl.c 2007-03-19 >>> 21:49:36.000000000 +0800 ++++ gnupg-2.0.4/keyserver/gpgkeys_curl.c >>> 2010-07-09 12:00:35.000000000 +0800 +@@ -302,7 +302,7 @@ + >>> curl_easy_setopt(curl,CURLOPT_VERBOSE,1); + } >>> + >>> +- >>> curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert); >>> ++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(unsigned >>> int)opt->flags.check_cert); + >>> curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file); + + >>> if(proxy) >>> >>> ++++++ gnupg2.yaml (new) >>> --- gnupg2.yaml >>> +++ gnupg2.yaml >>> +Name: gnupg2 >>> +Summary: Utility for secure communication and data storage >>> +Version: 2.0.4 >>> +Release: 1 >>> +Epoch: 1 >>> +Group: Applications/System >>> +License: GPLv2+ >>> +URL: http://www.gnupg.org/download/index.en.html >>> +Sources: >>> + - ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2 >>> +Patches: >>> + - gnupg-2_0_4-curl_easy_setopt_para_error.patch >>> + - gnupg_bmc5114_cve_2010_2547.patch >>> +Description: | >>> + GnuPG is GNU's tool for secure communication and data storage. >>> It can + be used to encrypt data and to create digital signatures. >>> It includes + an advanced key management facility and is compliant >>> with the proposed + OpenPGP Internet standard as described in >>> RFC2440 and the S/MIME + standard as described by several RFCs. >>> + >>> + GnuPG 2.0 is the stable version of GnuPG integrating support for >>> + OpenPGP and S/MIME. It does not conflict with an installed 1.x >>> + OpenPGP-only version. >>> + >>> + GnuPG 2.0 is a newer version of GnuPG with additional support for >>> + S/MIME. It has a different design philosophy that splits >>> + functionality up into several modules. Both versions may be >>> installed + simultaneously without any conflict (gpg is called gpg2 >>> in GnuPG 2). 
+ In fact, the gpg version from GnuPG 1.x is able to >>> make use of the + gpg-agent as included in GnuPG 2 and allows for >>> seamless passphrase + caching. The advantage of GnupG 1.x is its >>> smaller size and no + dependency on other modules at run and build >>> time. + >>> +PkgBR: >>> + - bzip2-devel >>> + - gettext >>> + - libassuan-devel >= 1.0.4 >>> + - libgpg-error-devel >>> + - libksba-devel >>> + - pth-devel >>> + - readline-devel >>> + - zlib-devel >>> +PkgConfigBR: >>> + - libcurl >>> + - libusb >>> + - libgcrypt >>> + - ncurses >>> +Configure: configure >>> +LocaleName: gnupg2 >>> >>> ++++++ gnupg_bmc5114_cve_2010_2547.patch (new) >>> --- gnupg_bmc5114_cve_2010_2547.patch >>> +++ gnupg_bmc5114_cve_2010_2547.patch >>> +From 615c1f037bfd3dbc8e748e5cb8b9c9fce354f07c Mon Sep 17 00:00:00 2001 >>> +Message-Id: >>> <615c1f037bfd3dbc8e748e5cb8b9c9fce354f07c.1283230685.git.yan.i...@intel.com> >>> +From: Yan Li <[email protected]> +Date: Tue, 31 Aug 2010 12:56:49 >>> +0800 +Subject: [PATCH] CVE-2010-2547 Remote attack to cause DoS or >>> arbitrary code execution via crafted certificate (BMC#5114) + >>> + >>> +Signed-off-by: Yan Li <[email protected]> >>> +--- >>> + kbx/keybox-blob.c | 1 + >>> + 1 files changed, 1 insertions(+), 0 deletions(-) >>> + >>> +diff --git a/kbx/keybox-blob.c b/kbx/keybox-blob.c >>> +index 0aa2a0e..c1b7730 100644 >>> +--- a/kbx/keybox-blob.c >>> ++++ b/kbx/keybox-blob.c >>> +@@ -887,6 +887,7 @@ _keybox_create_x509_blob (KEYBOXBLOB *r_blob, >>> ksba_cert_t cert, + rc = gpg_error >>> (gpg_err_code_from_errno (errno)); + goto leave; >>> + } >>> ++ names = tmp; >>> + } >>> + names[blob->nuids++] = p; >>> + if (!i && (p=x509_email_kludge (p))) >>> +-- >>> +1.7.1 >>> + >>> >>> ++++++ deleted files: >>> --- gnupg-CVE-2010-2547.patch >>> --- gnupg2.desc >>> --- gnupg2.files >>> --- gnupg2.ini >>> >>> _______________________________________________ >>> MeeGo-commits mailing list >>> [email protected] >>> 
http://lists.meego.com/listinfo/meego-commits
>>
>> _______________________________________________
>> MeeGo-packaging mailing list
>> [email protected]
>> http://lists.meego.com/listinfo/meego-packaging
>
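Review bot: the gnupg2.changes hunks (@@ -1,2 +1,2 @@ through @@ -7,21 +6,0 @@) replace the whole changelog instead of adding an entry on top of it, so the 2008-2010 history of the 2.0.9, 2.0.11, 2.0.13 and 2.0.14 packaging, including the Dec 21 2010 entry `Add a patch to fix BMC #11641`, disappears from the package, and the new `Initial import into MeeGo, spectacle used` entry dated Jul 7 2010 is wrong for a package whose history goes back to 2008. Keep the existing entries and prepend one new entry dated for this submission that says why the package goes from 2.0.14 to 2.0.4, that `Epoch: 1` was introduced so the downgrade installs over 2.0.14, and which earlier fixes (the BMC #11641 one, the CVE-2010-2547 patch) were re-applied or dropped. As written, the newest entry is dated Tue Aug 31 2010, which predates the entry being removed, so `rpm -q --changelog gnupg2` would show no trace of the downgrade at all.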
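Review bot: in the spec hunk @@ -1,37 +1,35 @@, the `+Epoch: 1` line is the only thing that lets 2.0.4-1 replace the already shipped 2.0.14-1, and an Epoch cannot be removed later without breaking upgrades, so it needs a comment in the spec and the changelog saying why it exists; the request's `Message: Use version 2.0.4` gives no reason. The same hunk drops the version floors `libgcrypt-devel >= 1.2.2` and `libksba-devel >= 1.0.2` in favour of unversioned `pkgconfig(libgcrypt)` and `libksba-devel`; configure may still enforce those minimums, but the floors were cheap and should be kept in the yaml (`libksba-devel >= 1.0.2`, and a version on the libgcrypt pkgconfig entry). Finally, going back from 2.0.14 to 2.0.4 discards every upstream change between those releases; only CVE-2010-2547 is re-applied as Patch1, and nothing in this request says the other fixes in the removed changelog range were reviewed, which is exactly Carsten's open question about how security fixes from later versions are handled.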
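Review bot: the spec hunk @@ -51,62 +51,47 @@ removes the `rm -f %{buildroot}%{_bindir}/{gpgsplit,gpg-zip}` and `rm -f %{buildroot}%{_mandir}/man1/gpg-zip.1*` lines that the old spec kept under the comment `file conflicts with gnupg-1.x` (the Dec 20 2009 changelog entry `remove conflict files with 1.x` refers to the same thing), without adding those files to %files or adding a Conflicts line. Either gpgsplit and gpg-zip are now packaged and collide with the 1.x gnupg package that the %description says can be installed alongside, or they are left unpackaged and rpmbuild fails on unpackaged files; the same applies to the dropped `rm -f %{buildroot}%{_infodir}/dir`, since `%doc %{_infodir}/*.info*` does not match `dir`. Suggest carrying the three rm lines into the `# >> install post` section. Dropping the %post/%postun install-info scriptlets is a MeeGo-convention question rather than a bug, but `%{_infodir}/*.info*` is still packaged, so decide whether the info dir is meant to be maintained at all.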
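Review bot: for `++++++ gnupg-2.0.14.tar.bz2.sig -> gnupg-2.0.4.tar.bz2.sig`, the request only shows that the two signature files differ; the .sig is carried as a source but nothing visible in the spec or the Makefile checks it. Before accepting, verify the new tarball against the upstream release signing key, `gpg --verify gnupg-2.0.4.tar.bz2.sig gnupg-2.0.4.tar.bz2`, and record the key fingerprint used in the changelog entry; a 2007 tarball being re-introduced from a home project is exactly where a swapped archive would go unnoticed.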
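Review bot: in `gnupg-2_0_4-curl_easy_setopt_para_error.patch`, the cast in `++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(unsigned int)opt->flags.check_cert);` should be to `long`, not `unsigned int`. The typeof()-based check the patch header mentions comes from libcurl's curl_easy_setopt type-checking macro, which expects a long for CURLOPT_SSL_VERIFYPEER because the underlying function is variadic and reads a long for this option; on 64-bit targets long and unsigned int differ in size, so passing an unsigned int through `...` and reading a long on the other side is undefined behaviour. This option decides whether the keyserver's TLS certificate is verified at all, so it is the wrong place to rely on luck. Suggest `curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);`, and state in the patch header that it only touches the gpgkeys_curl keyserver helper.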
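Review bot: in `gnupg2.yaml`, `License: GPLv2+` is the whole reason for this request, yet the request does not say that the COPYING file and source headers in the gnupg-2.0.4 tarball were checked to actually say GPLv2 or later. Since spectacle regenerates the spec from this yaml, the license tag here is what ships; add a line to the changelog entry stating that the 2.0.4 sources were inspected and what they declare, rather than inferring it from the version number.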
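Review bot: the `gnupg_bmc5114_cve_2010_2547.patch` hunk adds only `++ names = tmp;` after the error check, which is the right shape for a use-after-free fix (the grown buffer was never assigned back to `names` before `names[blob->nuids++] = p;` used it), but the patch header does not name the upstream commit or say that it was compared with the `gnupg-CVE-2010-2547.patch` this request deletes from the 2.0.14 package. Add that reference, and since the hunk is a re-port onto a 2007 tree, confirm by reading `kbx/keybox-blob.c` around line 887 in 2.0.4 that `tmp` is indeed the realloc result there and that no second allocation site in the same function has the same pattern.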
