Hello community,
here is the log from the commit of package ca-certificates-mozilla for
openSUSE:Factory checked in at 2015-01-20 12:26:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ca-certificates-mozilla (Old)
and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ca-certificates-mozilla"
Changes:
--------
---
/work/SRC/openSUSE:Factory/ca-certificates-mozilla/ca-certificates-mozilla.changes
2014-09-08 21:28:21.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/ca-certificates-mozilla.changes
2015-01-20 12:26:33.000000000 +0100
@@ -1,0 +2,81 @@
+Wed Jan 14 09:40:00 UTC 2015 - [email protected]
+
+- diff-from-upstream-2.2.patch:
+ Temporary reenable some root ca trusts, as openssl/gnutls
+ have trouble using intermediates as root CA.
+
+ - GTE CyberTrust Global Root
+ - Thawte Server CA
+ - Thawte Premium Server CA
+ - ValiCert Class 1 VA
+ - ValiCert Class 2 VA
+ - RSA Root Certificate 1
+ - Entrust.net Secure Server CA
+ - America Online Root Certification Authority 1
+ - America Online Root Certification Authority 2
+
+-------------------------------------------------------------------
+Mon Jan 12 16:45:23 UTC 2015 - [email protected]
+
+- Updated to 2.2 (bnc#888534)
+ - The following CAs were removed:
+ + America_Online_Root_Certification_Authority_1
+ + America_Online_Root_Certification_Authority_2
+ + GTE_CyberTrust_Global_Root
+ + Thawte_Premium_Server_CA
+ + Thawte_Server_CA
+ - The following CAs were added:
+ + COMODO_RSA_Certification_Authority
+ codeSigning emailProtection serverAuth
+ + GlobalSign_ECC_Root_CA_-_R4
+ codeSigning emailProtection serverAuth
+ + GlobalSign_ECC_Root_CA_-_R5
+ codeSigning emailProtection serverAuth
+ + USERTrust_ECC_Certification_Authority
+ codeSigning emailProtection serverAuth
+ + USERTrust_RSA_Certification_Authority
+ codeSigning emailProtection serverAuth
+ + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
+ - The following CAs were changed:
+ + Equifax_Secure_eBusiness_CA_1
+ remote code signing and https trust, leave email trust
+ + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
+ only trust emailProtection
+
+-------------------------------------------------------------------
+Tue Aug 26 13:30:12 UTC 2014 - [email protected]
+
+- Updated to 2.1 (bnc#888534)
+
+- The following 1024-bit CA certificates were removed
+ - Entrust.net Secure Server Certification Authority
+ - ValiCert Class 1 Policy Validation Authority
+ - ValiCert Class 2 Policy Validation Authority
+ - ValiCert Class 3 Policy Validation Authority
+ - TDC Internet Root CA
+- The following CA certificates were added:
+ - Certification Authority of WoSign
+ - CA 沃通根证书
+ - DigiCert Assured ID Root G2
+ - DigiCert Assured ID Root G3
+ - DigiCert Global Root G2
+ - DigiCert Global Root G3
+ - DigiCert Trusted Root G4
+ - QuoVadis Root CA 1 G3
+ - QuoVadis Root CA 2 G3
+ - QuoVadis Root CA 3 G3
+- The Trust Bits were changed for the following CA certificates
+ - Class 3 Public Primary Certification Authority
+ - Class 3 Public Primary Certification Authority
+ - Class 2 Public Primary Certification Authority - G2
+ - VeriSign Class 2 Public Primary Certification Authority - G3
+ - AC Raíz Certicámara S.A.
+ - NetLock Uzleti (Class B) Tanusitvanykiado
+ - NetLock Expressz (Class C) Tanusitvanykiado
+
+- certdata-temporary-1024.patch: restore some certificates removed
+ from NSS as these are still used for some major sites.
+ openssl is not as clever as NSS in selecting the new ones in the
+ chain correctly.
+
+-------------------------------------------------------------------
New:
----
diff-from-upstream-2.2.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ca-certificates-mozilla.spec ++++++
--- /var/tmp/diff_new_pack.ILfgMR/_old 2015-01-20 12:26:37.000000000 +0100
+++ /var/tmp/diff_new_pack.ILfgMR/_new 2015-01-20 12:26:37.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package ca-certificates-mozilla
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -25,8 +25,8 @@
Name: ca-certificates-mozilla
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
-#
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-Version: 1.97
+# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
+Version: 2.2
Release: 0
Summary: CA certificates for OpenSSL
License: MPL-2.0
@@ -34,22 +34,24 @@
Url: http://www.mozilla.org
# IMPORTANT: procedure to update certificates:
# - Check the log of the cert file:
-#
http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
+#
http://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
# - download the new certdata.txt
-# wget -O certdata.txt
"https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt";
+# wget -O certdata.txt
"http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/certdata.txt";
# - run compareoldnew to show fingerprints of new and changed certificates
# - check the bugs referenced in hg log and compare the checksum
# to output of compareoldnew
-# The correct history of the file is actually in the nss repo:
-#
http://hg.mozilla.org/projects/nss/log/8f026c806587/lib/ckfw/builtins/certdata.txt
# - Watch out that blacklisted or untrusted certificates are not
# accidentally included!
-Source:
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
-Source1:
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+Source:
http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
+Source1:
http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
# from Fedora. Note: currently contains extra fix to remove quotes. Pending
upstream approval.
Source10: certdata2pem.py
Source11: %{name}.COPYING
Source12: compareoldnew
+
+# temporary legacy patch
+Patch0: diff-from-upstream-2.2.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
# for update-ca-certificates
@@ -67,7 +69,10 @@
%prep
%setup -qcT
+
/bin/cp %{SOURCE0} .
+patch <%{PATCH0}
+
install -m 644 %{SOURCE11} COPYING
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
if [ "%{version}" != "$ver" ]; then
++++++ certdata.txt ++++++
++++ 4407 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/ca-certificates-mozilla/certdata.txt
++++ and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/certdata.txt
++++++ diff-from-upstream-2.2.patch ++++++
++++ 1402 lines (skipped)
++++++ nssckbi.h ++++++
--- /var/tmp/diff_new_pack.ILfgMR/_old 2015-01-20 12:26:37.000000000 +0100
+++ /var/tmp/diff_new_pack.ILfgMR/_new 2015-01-20 12:26:37.000000000 +0100
@@ -44,9 +44,9 @@
* whether we may use its full range (0-255) or only 0-99 because
* of the comment in the CK_VERSION type definition.
*/
-#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97
-#define NSS_BUILTINS_LIBRARY_VERSION "1.97"
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION "2.2"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
