Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2019-02-19 13:54:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
 and /work/SRC/openSUSE:Factory/.krb5.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5" Tue Feb 19 13:54:57 2019 rev:138 rq:674895 version:1.17 Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2018-10-29 14:56:48.197705382 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new.28833/krb5-mini.changes 2019-02-19 13:54:59.724720977 +0100 
@@ -1,0 +2,71 @@ +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <[email protected]> + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <[email protected]> + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. 
The client code for + cross-realm S4U2Self requests is also now more robust. + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + +------------------------------------------------------------------- @@ -1800 +1870,0 @@ - --- /work/SRC/openSUSE:Factory/krb5/krb5.changes 2018-10-29 14:56:48.217705458 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new.28833/krb5.changes 2019-02-19 13:54:59.764720948 +0100 
@@ -1,0 +2,71 @@ +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <[email protected]> + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <[email protected]> + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. 
The client code for + cross-realm S4U2Self requests is also now more robust. + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + +------------------------------------------------------------------- 
@@ -1863 +1933,0 @@ - Old: ---- krb5-1.12-api.patch krb5-1.12-buildconf.patch krb5-1.12-ksu-path.patch krb5-1.12-pam.patch krb5-1.12-selinux-label.patch krb5-1.16.1.tar.gz krb5-1.16.1.tar.gz.asc krb5-1.6.3-gssapi_improve_errormessages.dif krb5-1.6.3-ktutil-manpage.dif krb5-1.9-debuginfo.patch krb5-1.9-manpaths.dif New: ---- 0001-krb5-1.12-pam.patch 0002-krb5-1.9-manpaths.patch 0003-krb5-1.12-buildconf.patch 0004-krb5-1.6.3-gssapi_improve_errormessages.patch 0005-krb5-1.6.3-ktutil-manpage.patch 0006-krb5-1.12-api.patch 0007-krb5-1.12-ksu-path.patch 0008-krb5-1.12-selinux-label.patch 0009-krb5-1.9-debuginfo.patch krb5-1.17.tar.gz krb5-1.17.tar.gz.asc krb5.tmpfiles ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.TM64v1/_old 2019-02-19 13:55:00.796720210 +0100 +++ /var/tmp/diff_new_pack.TM64v1/_new 2019-02-19 13:55:00.800720207 +0100 @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -21,26 +21,26 @@ %define _fillupdir /var/adm/fillup-templates %endif -%define srcRoot krb5-1.16.1 +%define srcRoot krb5-%{version} %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 Name: krb5-mini -Url: https://web.mit.edu/kerberos/www/ +Version: 1.17 +Release: 0 +Summary: MIT Kerberos5 implementation and libraries with minimal dependencies +License: MIT +Group: Productivity/Networking/Security +URL: https://web.mit.edu/kerberos/www/ +Obsoletes: krb5-plugin-preauth-pkinit-nss BuildRequires: autoconf BuildRequires: bison BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel -BuildRequires: ncurses-devel -Version: 1.16.1 -Release: 0 -Summary: MIT Kerberos5 implementation and libraries with minimal dependencies -License: MIT -Group: Productivity/Networking/Security -Obsoletes: krb5-plugin-preauth-pkinit-nss BuildRequires: libverto-devel +BuildRequires: ncurses-devel # bug437293 %ifarch ppc64 Obsoletes: krb5-64bit 
@@ -52,21 +52,22 @@ Conflicts: krb5-plugin-kdb-ldap Conflicts: krb5-plugin-preauth-pkinit Conflicts: krb5-plugin-preauth-otp -Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc +Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.12-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.12-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.12-api.patch -Patch11: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-selinux-label.patch -Patch13: krb5-1.9-debuginfo.patch +Source6: krb5.tmpfiles +Patch1: 0001-krb5-1.12-pam.patch +Patch2: 0002-krb5-1.9-manpaths.patch +Patch3: 0003-krb5-1.12-buildconf.patch +Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch +Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch +Patch6: 0006-krb5-1.12-api.patch +Patch7: 0007-krb5-1.12-ksu-path.patch +Patch8: 0008-krb5-1.12-selinux-label.patch +Patch9: 0009-krb5-1.9-debuginfo.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %fillup_prereq @@ -104,11 +105,11 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch8 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 +%patch9 -p1 %build # needs to be re-generated @@ -118,7 +119,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME ./configure \ CC="%{__cc}" \ - CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ + CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ CPPFLAGS="-I%{_includedir}/et " \ SS_LIB="-lss" \ --prefix=/usr/lib/mit \ 
@@ -147,25 +148,19 @@ cp man/kadmin.man man/kadmin.local.8 %install - -# Where per-user keytabs live by default. -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5 - -cd src -make DESTDIR=%{buildroot} install -cd .. +mkdir -p %{buildroot}/%{_localstatedir}/log/krb5 +%make_install -C src # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/<anything> from the # list of link flags, and it helps prevent file conflicts on multilib systems. -sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config +sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config # install autoconf macro mkdir -p %{buildroot}/%{_datadir}/aclocal install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # install sample config files # I'll probably do something about this later on -mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc +mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d mkdir -p %{buildroot}/etc/profile.d/ mkdir -p %{buildroot}/var/log/krb5 
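Review bot: The added `mkdir -p %{buildroot}/%{_localstatedir}/log/krb5` at the top of %install duplicates the unchanged `mkdir -p %{buildroot}/var/log/krb5` at the end of this hunk wherever %{_localstatedir} is /var, and it expands with a doubled slash because %{_localstatedir} already begins with `/`. Keep one of the two, written as `mkdir -p %{buildroot}%{_localstatedir}/log/krb5`.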
@@ -176,13 +171,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} -install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind + +# Do not write directly to /var/lib/kerberos anymore as it breaks transactional +# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist +install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ +install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc +# Where per-user keytabs live by default. +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user +install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ + # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do 
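Review bot: The tmpfiles.d snippet is installed to a hard-coded `%{buildroot}/usr/lib/tmpfiles.d/`, while the %files section of this spec lists it as `%{_libexecdir}/tmpfiles.d/krb5.conf`; the two agree only where %{_libexecdir} expands to /usr/lib. Using `%{_tmpfilesdir}` in both places removes that dependency. The body of krb5.tmpfiles is not part of this diff, so it cannot be checked here that the copies created under /var/lib/kerberos keep the 0600 mode that the `install -m 600` lines give kdc.conf, kadm5.acl and kadm5.dict; please include that file in the review.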
@@ -204,9 +208,9 @@ install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd %endif # install sysconfig templates -mkdir -p $RPM_BUILD_ROOT/%{_fillupdir} -install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/ -install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/ +mkdir -p %{buildroot}/%{_fillupdir} +install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/ +install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/ # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -239,10 +243,10 @@ rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf %{buildroot}/usr/lib/mit/share/examples -# manually remove otp plugin for krb5-mini since configure +# manually remove otp, spake and test plugin for krb5-mini since configure # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so -# manually remove test plugin since configure doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 @@ -261,6 +265,7 @@ %post /sbin/ldconfig %service_add_post krb5kdc.service kadmind.service kpropd.service +%tmpfiles_create krb5.conf %{fillup_only -n kadmind} %{fillup_only -n krb5kdc} %{fillup_only -n kpropd} @@ -313,10 +318,6 @@ %dir %{_libdir}/krb5/plugins/preauth %dir %{_libdir}/krb5/plugins/libkrb5 %dir %{_libdir}/krb5/plugins/tls -%dir %{_localstatedir}/lib/kerberos/ -%dir %{_localstatedir}/lib/kerberos/krb5kdc -%dir %{_localstatedir}/lib/kerberos/krb5 -%dir %{_localstatedir}/lib/kerberos/krb5/user %attr(0700,root,root) %dir /var/log/krb5 %dir /usr/lib/mit %dir /usr/lib/mit/sbin 
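Review bot: In the plugin-removal hunk (@@ -239,10 +243,10 @@), spake.so is deleted from krb5-mini the same way otp.so is, but the Conflicts list shown in the @@ -52,21 +52,22 @@ hunk (krb5-plugin-kdb-ldap, krb5-plugin-preauth-pkinit, krb5-plugin-preauth-otp) gains no entry for the krb5-plugin-preauth-spake subpackage that krb5.spec introduces. Add `Conflicts: krb5-plugin-preauth-spake` for consistency with the other plugins. The rewritten comment also still says "disabling it" although it now covers three plugins.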
@@ -326,9 +327,6 @@ %dir %{_sysconfdir}/krb5.conf.d %attr(0644,root,root) %config /etc/profile.d/krb5* %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_fillupdir}/sysconfig.* %{_unitdir}/kadmind.service @@ -345,6 +343,21 @@ %{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* %{_libdir}/krb5/plugins/tls/* +%{_libexecdir}/tmpfiles.d/krb5.conf +%dir %{_datadir}/kerberos/ +%dir %{_datadir}/kerberos/krb5kdc +%dir %{_datadir}/kerberos/krb5 +%dir %{_datadir}/kerberos/krb5/user +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict +%ghost %dir %{_sharedstatedir}/kerberos/ +%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc +%ghost %dir %{_sharedstatedir}/kerberos/krb5 +%ghost %dir %{_sharedstatedir}/kerberos/krb5/user +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict /usr/lib/mit/sbin/kadmin.local /usr/lib/mit/sbin/kadmind /usr/lib/mit/sbin/kpropd @@ -387,6 +400,7 @@ %{_mandir}/man5/* %{_mandir}/man5/.k5login.5.gz %{_mandir}/man5/.k5identity.5* +%{_mandir}/man7/kerberos.7.gz %{_mandir}/man8/* %changelog ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.TM64v1/_old 2019-02-19 13:55:00.828720188 +0100 +++ /var/tmp/diff_new_pack.TM64v1/_new 2019-02-19 13:55:00.832720185 +0100 
@@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,22 +22,22 @@ %endif Name: krb5 -Url: https://web.mit.edu/kerberos/www/ -BuildRequires: autoconf -BuildRequires: bison -BuildRequires: keyutils -BuildRequires: keyutils-devel -BuildRequires: libcom_err-devel -BuildRequires: libselinux-devel -BuildRequires: ncurses-devel -Version: 1.16.1 +Version: 1.17 Release: 0 Summary: MIT Kerberos5 implementation License: MIT Group: Productivity/Networking/Security +URL: https://web.mit.edu/kerberos/www/ Obsoletes: krb5-plugin-preauth-pkinit-nss +BuildRequires: autoconf +BuildRequires: bison +BuildRequires: keyutils +BuildRequires: keyutils-devel +BuildRequires: libcom_err-devel BuildRequires: libopenssl-devel +BuildRequires: libselinux-devel BuildRequires: libverto-devel +BuildRequires: ncurses-devel BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkgconfig(systemd) 
@@ -46,22 +46,23 @@ Obsoletes: krb5-64bit %endif Conflicts: krb5-mini -Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc +Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc Source6: ksu-pam.d -Patch1: krb5-1.12-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.12-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.12-api.patch -Patch11: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-selinux-label.patch -Patch13: krb5-1.9-debuginfo.patch +Source7: krb5.tmpfiles +Patch1: 0001-krb5-1.12-pam.patch +Patch2: 0002-krb5-1.9-manpaths.patch +Patch3: 0003-krb5-1.12-buildconf.patch +Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch +Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch +Patch6: 0006-krb5-1.12-api.patch +Patch7: 0007-krb5-1.12-ksu-path.patch +Patch8: 0008-krb5-1.12-selinux-label.patch +Patch9: 0009-krb5-1.9-debuginfo.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -129,6 +130,15 @@ which can improve network security by eliminating the insecure practice of cleartext passwords. This package includes a OTP plugin. +%package plugin-preauth-spake +Summary: SPAKE preauthentication plugin for MIT Kerberos5 +Group: Productivity/Networking/Security + +%description plugin-preauth-spake +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes a SPAKE plugin. + %package doc Summary: Documentation for the MIT Kerberos5 implementation Group: Documentation/Other 
@@ -169,11 +179,11 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch8 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 +%patch9 -p1 %build # needs to be re-generated @@ -183,7 +193,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME ./configure \ CC="%{__cc}" \ - CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ + CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ CPPFLAGS="-I%{_includedir}/et " \ SS_LIB="-lss" \ --prefix=/usr/lib/mit \ @@ -202,7 +212,7 @@ --with-ldap \ --with-pam \ --enable-pkinit \ - --with-pkinit-crypto-impl=openssl \ + --with-crypto-impl=openssl \ --with-selinux \ --with-system-et \ --with-system-ss \ 
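Review bot: In the configure hunk (@@ -202,7 +212,7 @@), `--with-crypto-impl=openssl` is not a rename of the removed `--with-pkinit-crypto-impl=openssl`: it selects the backend of the core crypto library, not only the one used by PKINIT. If moving all Kerberos crypto from the builtin implementation to OpenSSL is intended, it deserves its own line in the .changes entry, which currently lists only the version upgrade, the tmpfiles change and the patch renames; if it is not intended, the option should not be carried over under the new name.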
@@ -214,25 +224,19 @@ cp man/kadmin.man man/kadmin.local.8 %install - -# Where per-user keytabs live by default. -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5 - -cd src -make DESTDIR=%{buildroot} install -cd .. +mkdir -p %{buildroot}/%{_localstatedir}/log/krb5 +%make_install -C src # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/<anything> from the # list of link flags, and it helps prevent file conflicts on multilib systems. -sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config +sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config # install autoconf macro mkdir -p %{buildroot}/%{_datadir}/aclocal install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # install sample config files # I'll probably do something about this later on -mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc +mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d mkdir -p %{buildroot}/etc/profile.d/ mkdir -p %{buildroot}/var/log/krb5 
@@ -243,13 +247,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} -install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind + +# Do not write directly to /var/lib/kerberos anymore as it breaks transactional +# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist +install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ +install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc +# Where per-user keytabs live by default. +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user +install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ + # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do 
@@ -271,13 +284,13 @@ install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd %endif # install sysconfig templates -mkdir -p $RPM_BUILD_ROOT/%{_fillupdir} -install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/ -install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/ +mkdir -p %{buildroot}/%{_fillupdir} +install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/ +install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/ # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server -find . -type f -name '*.ps' -exec gzip -9 {} \; +find . -type f -name '*.ps' -exec gzip -9 {} + # create rc* links mkdir -p %{buildroot}/usr/bin/ mkdir -p %{buildroot}/usr/sbin/ @@ -329,6 +342,7 @@ %post server %service_add_post krb5kdc.service kadmind.service kpropd.service +%tmpfiles_create krb5.conf %{fillup_only -n kadmind} %{fillup_only -n krb5kdc} %{fillup_only -n kpropd} @@ -406,6 +420,7 @@ %{_unitdir}/kadmind.service %{_unitdir}/krb5kdc.service %{_unitdir}/kpropd.service +%{_libexecdir}/tmpfiles.d/krb5.conf %else %{_sysconfdir}/init.d/kadmind %{_sysconfdir}/init.d/krb5kdc 
@@ -414,17 +429,24 @@ %dir %{krb5docdir} %dir /usr/lib/mit %dir /usr/lib/mit/sbin -%dir %{_localstatedir}/lib/kerberos/ -%dir %{_localstatedir}/lib/kerberos/krb5kdc -%dir %{_localstatedir}/lib/kerberos/krb5 -%dir %{_localstatedir}/lib/kerberos/krb5/user +%dir %{_datadir}/kerberos/ +%dir %{_datadir}/kerberos/krb5kdc +%dir %{_datadir}/kerberos/krb5 +%dir %{_datadir}/kerberos/krb5/user %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb %dir %{_libdir}/krb5/plugins/tls -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict +%ghost %dir %{_sharedstatedir}/kerberos/ +%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc +%ghost %dir %{_sharedstatedir}/kerberos/krb5 +%ghost %dir %{_sharedstatedir}/kerberos/krb5/user +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_fillupdir}/sysconfig.* /usr/sbin/rc* @@ -489,6 +511,7 @@ %{_mandir}/man5/k5login.5* %{_mandir}/man1/ksu.1.gz %{_mandir}/man1/sclient.1.gz +%{_mandir}/man7/kerberos.7.gz %files plugin-kdb-ldap %defattr(-,root,root) 
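Review bot: In the server %files hunk (@@ -414,17 +429,24 @@), the template copies under %{_datadir}/kerberos/krb5kdc/ are tagged `%config(noreplace)` in addition to the `%ghost` entries under %{_sharedstatedir}. The %{_datadir} files are the pristine source for the tmpfiles copy and should not be treated as admin-editable configuration; keep `%config(noreplace)` only on the %ghost paths and ship the templates as plain `%attr(0600,root,root)` files.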
@@ -518,4 +541,11 @@ %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/otp.so +%files plugin-preauth-spake +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/spake.so + %changelog ++++++ 0001-krb5-1.12-pam.patch ++++++ ++++ 780 lines (skipped) ++++++ 0002-krb5-1.9-manpaths.patch ++++++ >From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:06:55 +0100 Subject: [PATCH 2/9] krb5-1.9-manpaths Import krb5-1.9-manpaths.dif Change the absolute paths included in the man pages so that the correct values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the configure scripts should be rebuilt. Originally RT#6525 --- src/man/kpropd.man | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/kpropd.man b/src/man/kpropd.man index 38daa5e79..a0106ec5f 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man @@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: .sp .nf .ft C -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @SBINDIR@/kpropd kpropd .ft P .fi .UNINDENT -- 2.20.1 ++++++ 0003-krb5-1.12-buildconf.patch ++++++ >From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:08:07 +0100 Subject: [PATCH 3/9] krb5-1.12-buildconf Import krb5-1.12-buildconf.patch Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. --- src/build-tools/krb5-config.in | 7 +++++++ src/config/pre.in | 2 +- src/config/shlib.conf | 5 +++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in index f6184da3f..0edf6a1a5 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -225,6 +225,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 diff --git a/src/config/pre.in b/src/config/pre.in index ce87e21ca..164bf8301 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ -INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root +INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ diff --git a/src/config/shlib.conf b/src/config/shlib.conf index 3e4af6c02..a43736137 100644 --- a/src/config/shlib.conf 
+++ b/src/config/shlib.conf @@ -423,7 +423,7 @@ mips-*-netbsd*) # Linux ld doesn't default to stuffing the SONAME field... # Use objdump -x to examine the fields of the library # UNDEF_CHECK is suppressed by --enable-asan - LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' + LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' UNDEF_CHECK='-Wl,--no-undefined' # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' @@ -435,7 +435,8 @@ mips-*-netbsd*) SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' - CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' + CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -- 2.20.1 ++++++ 0004-krb5-1.6.3-gssapi_improve_errormessages.patch ++++++ >From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:09:05 +0100 Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages Import krb5-1.6.3-gssapi_improve_errormessages.dif --- src/lib/gssapi/generic/disp_com_err_status.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c index bc416107e..22612f970 100644 --- a/src/lib/gssapi/generic/disp_com_err_status.c +++ b/src/lib/gssapi/generic/disp_com_err_status.c 
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value, status_string->value = NULL; if (! g_make_string_buffer(((status_value == 0)?no_error: - error_message(status_value)), + error_message((long)status_value)), status_string)) { *minor_status = ENOMEM; return(GSS_S_FAILURE); -- 2.20.1 ++++++ 0005-krb5-1.6.3-ktutil-manpage.patch ++++++ >From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:14:47 +0100 Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage Import krb5-1.6.3-ktutil-manpage.dif --- src/man/ktutil.man | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/man/ktutil.man b/src/man/ktutil.man index 4e174c0fe..f6d6ae814 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man @@ -171,6 +171,18 @@ ktutil: .sp See kerberos(7) for a description of Kerberos environment variables. +.SH REMARKS +Changes to the keytab are appended to the keytab file (i.e., the keytab file +is never overwritten). To directly modify a keytab, save the changes to a +temporary file and then overwrite the keytab file of interest. +.TP +.nf +Example: +ktutil> rkt /etc/krb5.keytab +(modifications to keytab) +ktutil> wkt /tmp/krb5.newtab +ktutil> q +# mv /tmp/krb5.newtab /etc/krb5.keytab .SH SEE ALSO .sp kadmin(1), kdb5_util(8), kerberos(7) -- 2.20.1 ++++++ 0006-krb5-1.12-api.patch ++++++ >From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:15:50 +0100 Subject: [PATCH 6/9] krb5-1.12-api Import krb5-1.12-api.patch Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. --- src/lib/krb5/krb/princ_comp.c | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c index a6936107d..0ed78833b 100644 --- a/src/lib/krb5/krb/princ_comp.c +++ b/src/lib/krb5/krb/princ_comp.c @@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context, const krb5_data *realm1 = &princ1->realm; const krb5_data *realm2 = &princ2->realm; + if (princ1 == NULL || princ2 == NULL) + return FALSE; + if (realm1 == NULL || realm2 == NULL) + return FALSE; if (realm1->length != realm2->length) return FALSE; if (realm1->length == 0) @@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context, krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; + if (princ1 == NULL || princ2 == NULL) + return FALSE; + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { -- 2.20.1 ++++++ 0007-krb5-1.12-ksu-path.patch ++++++ >From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:16:29 +0100 Subject: [PATCH 7/9] krb5-1.12-ksu Import krb5-1.12-ksu-path.patch Set the default PATH to the one set by login. --- src/clients/ksu/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in index 5755bb58a..9d58f29b5 100644 --- a/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in @@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. -DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' KSU_LIBS=@KSU_LIBS@ PAM_LIBS=@PAM_LIBS@ -- 2.20.1 ++++++ 0008-krb5-1.12-selinux-label.patch ++++++ ++++ 1014 lines (skipped) ++++++ 0009-krb5-1.9-debuginfo.patch ++++++ >From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:18:16 +0100 Subject: [PATCH 9/9] krb5-1.9-debuginfo Import krb5-1.9-debuginfo.patch We want to keep these y.tab.c files around because the debuginfo points to them. It would be more elegant at the end to use symbolic links, but that could mess up people working in the tree on other things. --- src/kadmin/cli/Makefile.in | 5 +++++ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in index adfea6e2b..d1327e400 100644 --- a/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in @@ -37,3 +37,8 @@ clean-unix:: # CC_LINK is not meant for compilation and this use may break in the future. datetest: getdate.c $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c + +%.c: %.y + $(RM) y.tab.c $@ + $(YACC.y) $< + $(CP) y.tab.c $@ diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in index 8669c2436..a22f23c02 100644 --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in @@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) getdate.c: $(GETDATE) $(RM) getdate.c y.tab.c $(YACC) $(GETDATE) - $(MV) y.tab.c getdate.c + $(CP) y.tab.c getdate.c install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- 2.20.1 ++++++ krb5-1.16.1.tar.gz -> krb5-1.17.tar.gz ++++++ /work/SRC/openSUSE:Factory/krb5/krb5-1.16.1.tar.gz /work/SRC/openSUSE:Factory/.krb5.new.28833/krb5-1.17.tar.gz differ: char 5, line 1 ++++++ krb5-rpmlintrc ++++++ --- /var/tmp/diff_new_pack.TM64v1/_old 2019-02-19 13:55:00.980720079 +0100 +++ /var/tmp/diff_new_pack.TM64v1/_new 2019-02-19 13:55:00.984720076 +0100 
@@ -1,6 +1,8 @@ addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so") addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz") +addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz") addFilter("files-duplicate .*css") addFilter("files-duplicate .*img.*png") addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so") addFilter("shlib-policy-missing-suffix") +addFilter("non-etc-or-var-file-marked-as-conffile") ++++++ krb5.tmpfiles ++++++ d /var/lib/kerberos 0755 root root - d /var/lib/kerberos/krb5 0755 root root - d /var/lib/kerberos/krb5/user 0755 root root - d /var/lib/kerberos/krb5kdc 0755 root root - C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict
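Review bot: in the src/build-tools/krb5-config.in hunk, the test on `dirname $libdir` is unquoted, so an empty $libdir gives test a syntax error instead of a false result; quote the command substitution. The expressions s#-L$libdir## and s#$RPATH_FLAG$libdir## are also unanchored and lack the g flag: with libdir=/usr/lib a flag such as -L/usr/lib64 is cut down to a stray "64", and only the first occurrence is removed. Match the flag as a whole word, and treat $libdir as a literal rather than a regular expression.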
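Review bot: the src/config/pre.in hunk drops -o root from INSTALL_SETUID while keeping -m 4755, and the commit message does not mention this change. A make install run by an unprivileged build user now yields a setuid binary owned by that user, so the commit message should state where ownership is set instead (for example the package's file list), or the change should be limited to package builds.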
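Review bot: in the second src/config/shlib.conf hunk only CC_LINK_SHARED gains -pie -Wl,-z,relro -Wl,-z,now; CXX_LINK_SHARED, two context lines below, is left unchanged, so any program linked through it gets neither PIE nor RELRO. Apply the same flags there or say why C++ links are excluded. The flags are also added unconditionally, which the commit message's FIXME admits; a configure-time link test would close that, and -pie additionally relies on the objects having been compiled with -fPIE, which this patch leaves to the caller's CFLAGS.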
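Review bot: in src/lib/gssapi/generic/disp_com_err_status.c the added (long) cast does not change the value passed to error_message(): status_value is an OM_uint32, so on an LP64 target the conversion zero-extends, exactly as the implicit conversion at the call would with a prototype in scope. If the aim is to turn a negative com_err code stored in the unsigned 32-bit status back into a negative long, the cast has to go through a signed 32-bit type first. Either way the commit message should say which error message this improves.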
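Review bot: the example added to src/man/ktutil.man writes the new keytab to /tmp/krb5.newtab, a fixed name in a world-writable directory, and then moves it over /etc/krb5.keytab as root. Use a path in a root-only directory on the same filesystem as the target, so the mv is a rename and the keys never sit in /tmp. The .nf before the example also has no closing .fi ahead of .SH SEE ALSO.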
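Review bot: in the first src/lib/krb5/krb/princ_comp.c hunk the new NULL checks come after the context lines that initialise realm1 and realm2 from &princ1->realm and &princ2->realm, so princ1 and princ2 are already used before they are tested and a compiler is free to drop the test. Move the two initialisations below the princ1 == NULL || princ2 == NULL check. The realm1 == NULL || realm2 == NULL test can then be removed, since the address of a member of a non-NULL structure is never NULL.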
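Review bot: in src/clients/ksu/Makefile.in the new CMD_PATH lists /usr/local/sbin and /usr/local/bin ahead of /sbin, /bin, /usr/sbin and /usr/bin. The list is compiled into ksu as its command search path, so the order matters; put the system directories first unless /usr/local is guaranteed to be writable by root only, and name the source of "the one set by login" in the commit message so the hard-coded list can be kept in sync with it.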
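Review bot: the %.c: %.y pattern rule added to src/kadmin/cli/Makefile.in routes every grammar through the fixed name y.tab.c and leaves it behind, so two .y files built in parallel in that directory would overwrite each other's output, and the file stays in the tree unless a clean target removes it. Add y.tab.c to the clean rule here and in src/plugins/kdb/ldap/ldap_util/Makefile.in, where $(MV) became $(CP) for the same reason.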
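Review bot: in krb5-rpmlintrc the added addFilter("non-etc-or-var-file-marked-as-conffile") carries no path pattern, unlike the hidden-file-or-dir and devel-file-in-non-devel-package filters next to it, so it silences the warning for every file in the package. Scope it with a pattern for the files that are intentionally marked as config, so that a stray conffile marking added later is still reported.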
