Hello community,

here is the log from the commit of package cups for openSUSE:Factory checked in at 2014-02-07 10:25:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups (Old)
 and /work/SRC/openSUSE:Factory/.cups.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cups" Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2014-01-09 17:24:06.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cups.new/cups.changes 2014-02-07 10:25:42.000000000 +0100 
@@ -1,0 +2,35 @@ +Wed Jan 29 14:27:52 CET 2014 - [email protected] + +- cups-0003-systemd-secure-cups.service-unit-file.patch changes + the cups.service systemd unit file to be more secure and + to let the cupsd again work as it did all the time for printing + in a network (bnc#857372 in particular comment #61 therein). +- cups-1.5-additional_policies.patch was updated to avoid + cupsd warning messages of the form "No limit for ... defined + in policy allowallforanybody and no suitable template found" + (bnc#857372 in particular comment #48 therein). + +------------------------------------------------------------------- +Fri Jan 10 11:51:41 CET 2014 - [email protected] + +- Fix how to use CUPS' own fonts (bnc#856731). In ancient times + (see the below entry dated "Thu Aug 16 17:05:19 CEST 2001") + there was the idea to deviate from CUPS upstream and save + some disk space and do not install CUPS' own fonts. + CUPS' own fonts were removed and the CUPS font + directory was replaced by a symbolic link + /usr/share/cups/fonts -> ../ghostscript/fonts + because at that times the Ghostscript fonts had been the same + as CUPS' own fonts. In any case such a link is a fragile + non-future-proof interference because when either the Ghostscript + fonts or CUPS' own fonts change, linking them as same is wrong. + Since a long time the Ghostscript fonts do no longer work + for CUPS' particular needs but nobody noticed it until now. + But it is not possible with RPM to replace a directory by a + symbolic link or vice versa. 
This means /usr/share/cups/fonts + must stay forever as a symbolic link and the only way out is + to move CUPS' own fonts to an artificial surrogate directory + /usr/share/cups/CUPSfonts and have the symbolic link now + /usr/share/cups/fonts -> /usr/share/cups/CUPSfonts + +------------------------------------------------------------------- New: ---- cups-0003-systemd-secure-cups.service-unit-file.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.ECN2s9/_old 2014-02-07 10:25:43.000000000 +0100 +++ /var/tmp/diff_new_pack.ECN2s9/_new 2014-02-07 10:25:43.000000000 +0100 @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - Name: cups BuildRequires: dbus-1-devel BuildRequires: fdupes 
@@ -183,9 +182,16 @@ # Patch110 avoids any possible busy loop in cups-polld in case of unusual issues # by sleeping interval seconds see https://bugzilla.novell.com/show_bug.cgi?id=828228 Patch110: cups-polld_avoid_busy_loop.patch -# Patch111 fixes the systemd cups.socket file so that systemd listens only on localhost -# (i.e. where the cupsd itself listens by default). Patch111 must be applied on top of Patch105. +# Patch111 fixes the cups.socket systemd unit file from Patch105 to be more secure +# so that systemd listens only on localhost (i.e. where the cupsd itself listens by default) +# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c24 +# Patch111 must be applied on top of Patch105. Patch111: cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch +# Patch112 changes the cups.service systemd unit file from Patch105 to be more secure +# and to let the cupsd again work as it did all the time for printing in a network +# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61 +# Patch111 must be applied on top of Patch105. +Patch112: cups-0003-systemd-secure-cups.service-unit-file.patch # Install into this non-root directory (required when norootforbuild is used): BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -332,9 +338,16 @@ %patch109 # Patch110 avoids any possible busy loop in cups-polld %patch110 -# Patch111 fixes the systemd cups.socket file so that systemd listens only on localhost -# (i.e. where the cupsd itself listens by default). Patch111 must be applied on top of Patch105. +# Patch111 fixes the cups.socket systemd unit file from Patch105 to be more secure +# so that systemd listens only on localhost (i.e. where the cupsd itself listens by default) +# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c24 +# Patch111 must be applied on top of Patch105. %patch111 +# Patch112 changes the cups.service systemd unit file from Patch105 to be more secure +# and to let the cupsd again work as it did all the time for printing in a network +# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61 +# Patch111 must be applied on top of Patch105. +%patch112 %build # Disable SILENT run of make so that make runs verbose as usual: 
@@ -384,6 +397,28 @@ %install make BUILDROOT=$RPM_BUILD_ROOT install install -d -m755 $RPM_BUILD_ROOT/etc/init.d +# Use CUPS' own fonts (i.e. make CUPS work again in compliance with upstream). +# In ancient times (see the RPM changelog entry dated "Thu Aug 16 17:05:19 CEST 2001") +# there was the general opinion it would be a great idea to deviate from CUPS upstream +# and save some disk space and do not install CUPS' own fonts in CUPS' own font directory. +# Therefore CUPS' own fonts were removed and the CUPS font directory was replaced +# by a symbolic link /usr/share/cups/fonts -> ../ghostscript/fonts +# because at that times the Ghostscript fonts had been the same as CUPS' own fonts. +# In any case such a link is a fragile non-future-proof interference because when either +# the Ghostscript fonts or CUPS' own fonts change, linking them as same is wrong. +# Meanwhile (I don't know exactly since when but since a long time) the Ghostscript fonts +# do no longer work for CUPS' particular needs (CUPS has its own fonts because it needs them). +# Nobody noticed it until 2014 via https://bugzilla.novell.com/show_bug.cgi?id=856731 +# But it is not possible with RPM to replace a directory by a symbolic link or vice versa +# see https://bugzilla.novell.com/show_bug.cgi?id=856731#c7 +# and https://bugzilla.novell.com/show_bug.cgi?id=856731#c8 +# This means /usr/share/cups/fonts must stay forever as a symbolic link +# and the only way out is to move CUPS' own fonts to an artificial +# surrogate directory /usr/share/cups/CUPSfonts and have the +# symbolic link /usr/share/cups/fonts -> /usr/share/cups/CUPSfonts: +pushd $RPM_BUILD_ROOT/usr/share/cups/ +mv fonts CUPSfonts && ln -s CUPSfonts fonts +popd # Source101: cups.init install -m755 %{SOURCE101} $RPM_BUILD_ROOT/etc/init.d/cups ln -sf ../../etc/init.d/cups $RPM_BUILD_ROOT/usr/sbin/rccups 
@@ -452,8 +487,15 @@ sed -i -e 's/^# Sample configuration /# Configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default sed -i -e 's/^# Sample configuration /# Default configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default - +# systemd stuff: %if 0%{?have_systemd} +# move the installed cups.socket and cups.path into a documentation directory +# so that experienced admins can make their own individual systemd unit files +# for socket activation and/or path activation as they need it for their particular cases +# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61 +mkdir $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd +mv $RPM_BUILD_ROOT/%{_unitdir}/cups.path $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.path +mv $RPM_BUILD_ROOT/%{_unitdir}/cups.socket $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.socket # install /usr/lib/tmpfiles.d/cups.conf mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/cups.conf <<EOF @@ -464,7 +506,17 @@ EOF %endif # Run fdupes: -%fdupes $RPM_BUILD_ROOT +# The RPM macro fdupes runs /usr/bin/fdupes that links files with identical content. +# Never run fdupes carelessly over the whole buildroot directory +# because in older openSUSE and SLE11 versions fdupes +# links files with different owner, group, or permissions +# see https://bugzilla.novell.com/show_bug.cgi?id=784670 +# and even in current openSUSE versions fdupes links across sub-package boundaries, +# compare https://bugzilla.novell.com/show_bug.cgi?id=784869 +# so that fdupes can only run for specific directories where linking files is safe. +# Using fdupes -s, which will create symlinks that are easier to grasp for rpm and +# rpmlint will give a "dangling symlink" error if the file and link ended up in different packages: +%fdupes -s $RPM_BUILD_ROOT/%{_datadir}/cups %pre /usr/sbin/groupadd -g 71 -o -r ntadmin 2>/dev/null || : 
@@ -610,9 +662,7 @@ %{_datadir}/cups/ %exclude %{_datadir}/cups/ppdc/ %if 0%{?have_systemd} -%{_unitdir}/cups.path %{_unitdir}/cups.service -%{_unitdir}/cups.socket %{_tmpfilesdir}/cups.conf %endif ++++++ cups-0003-systemd-secure-cups.service-unit-file.patch ++++++ --- data/cups.service.in.orig 2014-01-29 13:57:17.000000000 +0100 +++ data/cups.service.in 2014-01-29 14:14:54.000000000 +0100 @@ -1,10 +1,10 @@ [Unit] Description=CUPS Printing Service +After=network.target [Service] ExecStart=@sbindir@/cupsd -f [Install] -Alias=cupsd.service -Also=cups.socket cups.path -WantedBy=printer.target +WantedBy=multi-user.target + ++++++ cups-1.5-additional_policies.patch ++++++ --- /var/tmp/diff_new_pack.ECN2s9/_old 2014-02-07 10:25:43.000000000 +0100 +++ /var/tmp/diff_new_pack.ECN2s9/_new 2014-02-07 10:25:43.000000000 +0100 @@ -1,10 +1,9 @@ ---- conf/cupsd.conf.in.orig 2010-12-09 22:24:51.000000000 +0100 -+++ conf/cupsd.conf.in 2011-10-05 13:51:39.000000000 +0200 -@@ -138,3 +138,25 @@ WebInterface @CUPS_WEBIF@ - # - # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $". - # -+ +--- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100 ++++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100 +@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@ + </Limit> + </Policy> + +# The policy below is added by SUSE during build of our cups package. +# The policy 'allowallforanybody' is totally open and insecure and therefore +# it can only be used within an internal network where only trused users exist 
@@ -17,12 +16,27 @@ +# For documentation regarding 'Managing Operation Policies' see +# http://www.cups.org/documentation.php/doc-1.5/policies.html +<Policy allowallforanybody> -+ <Limit All> ++ # Allow anybody to access job's private values: ++ JobPrivateAccess all ++ # Make none of the job values to be private: ++ JobPrivateValues none ++ # Allow anybody to access subscription's private values: ++ SubscriptionPrivateAccess all ++ # Make none of the subscription values to be private: ++ SubscriptionPrivateValues none ++ # Allow anybody to do all IPP operations: ++ # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document ++ # must be additionally exlicitly specified because those IPP operations are not included ++ # in the "All" wildcard value - otherwise cupsd prints error messages of the form ++ # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found." ++ <Limit All Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document> + Order deny,allow + Allow from all + </Limit> +</Policy> +# Explicitly set the CUPS 'default' policy to be used by default: +DefaultPolicy default -+# End of additions by SUSE. + + # + # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $". + #
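Review bot: In cups.spec the comment block added for Patch112, both at the "Patch112:" tag and at "%patch112", ends with "# Patch111 must be applied on top of Patch105."; that line was copied from the Patch111 block above it and should name Patch112. Since the same comment says Patch112 changes the cups.service unit file that comes from Patch105, the corrected line is the only place where that ordering requirement is recorded, so fix it in both hunks.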
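Review bot: In the font block added to %install, "mv fonts CUPSfonts && ln -s CUPSfonts fonts" hides a failing mv. RPM runs the scriptlet with sh -e, and -e ignores a failing command that is not the last one in an && list, so if mv fails the build carries on with neither the CUPSfonts directory nor the link. Put mv and ln -s on separate lines so that either failure aborts the build. The comment and the changelog entry give the link as /usr/share/cups/fonts -> /usr/share/cups/CUPSfonts, while the command creates the relative target CUPSfonts; keep the relative link and correct the text.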
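Review bot: In the systemd block of %install, "mkdir $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd" has no -p although the mkdir for %{_tmpfilesdir} a few lines further down uses it; if %{_defaultdocdir}/cups is not yet present in the buildroot at this point the build stops here, so use mkdir -p. The %files hunk removes %{_unitdir}/cups.path and %{_unitdir}/cups.socket, but none of the visible lines adds an entry for %{_defaultdocdir}/cups/systemd; confirm that an entry outside these hunks packages that directory, otherwise the two reference unit files do not reach the admins the comment addresses.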
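Review bot: cups-0003-systemd-secure-cups.service-unit-file.patch rewrites the [Install] section (it drops "Alias=cupsd.service" and "Also=cups.socket cups.path" and moves WantedBy= from printer.target to multi-user.target), but the cups.spec hunks shown add no scriptlet for systems where the old units are already enabled. The [Install] section is read only by systemctl enable and disable, so after an upgrade the existing links for cups.socket, cups.path, the cupsd.service alias and printer.target stay in place and refer to units the package no longer installs, and cups.service is not started through multi-user.target until it is enabled again. Add upgrade handling in the spec or document the manual step in the changelog. The added "After=network.target" orders cupsd after the network stack has been brought up, not after addresses are configured; the patch header should say which of the two the fix for bnc#857372 relies on.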
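Review bot: In cups-1.5-additional_policies.patch the allowallforanybody policy now sets "JobPrivateAccess all" and "JobPrivateValues none" and adds CUPS-Get-Document, Cancel-Jobs and Cancel-My-Jobs to the Limit block that has "Allow from all", so a queue that uses this policy lets any client that can reach cupsd read other users' job attributes and documents and cancel their jobs. The comment above the policy only calls it "totally open and insecure"; list these effects there so that an admin sees what is exposed before assigning the policy. The added comments contain two typos, "trused" for "trusted" and "exlicitly" for "explicitly". The refresh also removes the "# End of additions by SUSE." marker while "The policy below is added by SUSE" stays; because the block is now inserted ahead of the upstream end-of-file comment, keep a closing marker after "DefaultPolicy default" so the extent of the SUSE additions remains visible.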
