This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "eclipse - Powerful IDE written in java - Debian package.".
The branch, maverick has been updated
via 3117f4ac09806cfecbb6646dd347b8e266687bd5 (commit)
via 80057d5fe42016a745494420a21fbec7d2440c49 (commit)
via e7c384be925c2e16437858f63047b55e9fa31d0f (commit)
via d204af835d431ddf9e14e69ed295e9fd77a4eec6 (commit)
from 1c787f5a3c181fc5549308fff9d44d4cf2bbea19 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3117f4ac09806cfecbb6646dd347b8e266687bd5
Author: Benjamin Drung <[email protected]>
Date: Wed Oct 20 01:17:04 2010 +0200
Update Maintainer field.
commit 80057d5fe42016a745494420a21fbec7d2440c49
Author: Benjamin Drung <[email protected]>
Date: Wed Oct 20 01:16:22 2010 +0200
Added NEWS entry about how to workaround #587657.
commit e7c384be925c2e16437858f63047b55e9fa31d0f
Author: Benjamin Drung <[email protected]>
Date: Wed Oct 20 01:11:46 2010 +0200
Backported fix for finding root CA in keystore rather than from JAR. (LP:
#655833)
commit d204af835d431ddf9e14e69ed295e9fd77a4eec6
Author: Benjamin Drung <[email protected]>
Date: Wed Oct 20 01:09:39 2010 +0200
Update git-buildpackage configuration.
-----------------------------------------------------------------------
Summary of changes:
debian/NEWS | 15 ----
debian/changelog | 11 +++
debian/control | 3 +-
debian/eclipse-platform.NEWS | 39 ++++++++++
debian/gbp.conf | 4 +
debian/patches/bp-osgi-ignore-root-CA.patch | 77 ++++++++++++++++++++
debian/patches/series | 1 +
.../service/security/KeyStoreTrustEngine.java | 37 ++++++----
8 files changed, 157 insertions(+), 30 deletions(-)
diff --git a/debian/NEWS b/debian/NEWS
deleted file mode 100644
index bc09e60..0000000
--- a/debian/NEWS
+++ /dev/null
@@ -1,15 +0,0 @@
-eclipse (3.5.2-1) unstable; urgency=low
-
- In previous versions of eclipse (<< 3.5), it would extract shared
- libraries to users ~/.eclipse. This has been fixed in the 3.5
- series, but means that eclipse will have issues starting if you are
- upgrading from an eclipse older than 3.5. Removing or renaming
- ~/.eclipse fixes this at the cost of losing personal configuration.
-
- In 3.5 all the "choose a suitable JVM" code has been removed and
- instead eclipse now respect alternatives. Old configuration files
- for this purpose (including the user file ~/.eclipse/eclipserc) is
- now obsolete and will be silently ignored.
-
- -- Debian Orbital Alignment Team
<[email protected]> Thu, 18 Mar 2010 12:13:51 +0100
-
diff --git a/debian/changelog b/debian/changelog
index 2421ea8..c0bc163 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+eclipse (3.5.2-6ubuntu1.1) maverick-proposed; urgency=low
+
+ [ Thomas Watson ]
+ * Backported fix for finding root CA in keystore rather than from JAR.
+ (LP: #655833)
+
+ [ Benjamin Drung ]
+ * Added NEWS entry about how to workaround #587657.
+
+ -- Benjamin Drung <[email protected]> Wed, 20 Oct 2010 01:15:47 +0200
+
eclipse (3.5.2-6ubuntu1) maverick; urgency=low
* debian/extra/eclipse:
diff --git a/debian/control b/debian/control
index 0464305..e31a1c6 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
Source: eclipse
Section: devel
Priority: optional
-Maintainer: Debian Orbital Alignment Team
<[email protected]>
+Maintainer: Ubuntu Developers <[email protected]>
+XSBC-Original-Maintainer: Debian Orbital Alignment Team
<[email protected]>
Uploaders: Niels Thykier <[email protected]>,
Benjamin Drung <[email protected]>,
Adrian Perez <[email protected]>,
diff --git a/debian/eclipse-platform.NEWS b/debian/eclipse-platform.NEWS
new file mode 100644
index 0000000..22d3289
--- /dev/null
+++ b/debian/eclipse-platform.NEWS
@@ -0,0 +1,39 @@
+eclipse-platform (3.5.2-6) unstable; urgency=low
+
+ The upgrade of eclipse may cause plugins to silently disappear.
+ The exact reason has yet to be determined and we are looking for
+ an automatic solution for this problem.
+
+ There are two known workarounds; one is two completely remove
+ ~/.eclipse and re-install all user plugins. The other is to
+ manually merge "bundles.info" from ~/.eclipse with the
+ "bundles.info" from /usr/lib/eclipse. This solution is slightly
+ more complicated, but appears to restore user installed plugins
+ without having to reinstall them.
+
+ For more information on how to merge the bundles.info files,
+ you may want to have a look at #587657[1].
+
+ Note: this issue may also affect plugins installed via packages
+ from repositories (such as the packages eclipse-emf and
+ eclipse-rse).
+
+ [1] http://bugs.debian.org/587657
+
+ -- Niels Thykier <[email protected]> Mon, 13 Sep 2010 20:06:13 +0200
+
+eclipse-platform (3.5.2-1) unstable; urgency=low
+
+ In previous versions of eclipse (<< 3.5), it would extract shared
+ libraries to users ~/.eclipse. This has been fixed in the 3.5
+ series, but means that eclipse will have issues starting if you are
+ upgrading from an eclipse older than 3.5. Removing or renaming
+ ~/.eclipse fixes this at the cost of losing personal configuration.
+
+ In 3.5 all the "choose a suitable JVM" code has been removed and
+ instead eclipse now respect alternatives. Old configuration files
+ for this purpose (including the user file ~/.eclipse/eclipserc) is
+ now obsolete and will be silently ignored.
+
+ -- Debian Orbital Alignment Team
<[email protected]> Thu, 18 Mar 2010 12:13:51 +0100
+
diff --git a/debian/gbp.conf b/debian/gbp.conf
index a7cda7e..8e7facc 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,6 @@
[DEFAULT]
compression=bzip2
+debian-branch = maverick
+
+[git-dch]
+meta = True
diff --git a/debian/patches/bp-osgi-ignore-root-CA.patch
b/debian/patches/bp-osgi-ignore-root-CA.patch
new file mode 100644
index 0000000..ec0d4e0
--- /dev/null
+++ b/debian/patches/bp-osgi-ignore-root-CA.patch
@@ -0,0 +1,77 @@
+Description: If the root CA in a signed jar is invalid, check the cacerts
+ for an alternative/newer root CA.
+ .
+ This fixes the issue where signed jars has root CAs using MD2withRSA or
+ other weak signatures that are now automatically rejected by e.g. OpenJDK.
+Author: Thomas Watson <[email protected]>
+Bug-Ubuntu: https://launchpad.net/bugs/655833
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059
+Applied-Upstream: yes
+
+---
a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
++++
b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+@@ -101,27 +101,19 @@
+
+ try {
+ Certificate rootCert = null;
+-
+ KeyStore store = getKeyStore();
+ for (int i = 0; i < certChain.length; i++) {
+ if (certChain[i] instanceof X509Certificate) {
+- if (i == certChain.length - 1) { //this
is the last certificate in the chain
++ if (i == certChain.length - 1) {
++ // this is the last certificate
in the chain
++ // determine if we have a valid
root
+ X509Certificate cert =
(X509Certificate) certChain[i];
+ if
(cert.getSubjectDN().equals(cert.getIssuerDN())) {
+-
certChain[i].verify(certChain[i].getPublicKey());
+- rootCert =
certChain[i]; // this is a self-signed certificate
++
cert.verify(cert.getPublicKey());
++ rootCert = cert; //
this is a self-signed certificate
+ } else {
+ // try to find a
parent, we have an incomplete chain
+- synchronized (store) {
+- for
(Enumeration e = store.aliases(); e.hasMoreElements();) {
+-
Certificate nextCert = store.getCertificate((String) e.nextElement());
+- if
(nextCert instanceof X509Certificate && ((X509Certificate)
nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+-
cert.verify(nextCert.getPublicKey());
+-
rootCert = nextCert;
+-
break;
+- }
+- }
+- }
++ return
findAlternativeRoot(cert, store);
+ }
+ } else {
+ X509Certificate nextX509Cert =
(X509Certificate) certChain[i + 1];
+@@ -138,6 +130,10 @@
+ if (alias != null)
+ return
store.getCertificate(alias);
+ }
++ // if we have reached the end and the
last cert is not found to be a valid root CA
++ // then we need to back off the root CA
and try to find an alternative
++ if (certChain.length > 1 && i ==
certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
++ return
findAlternativeRoot((X509Certificate) certChain[i - 1], store);
+ }
+ }
+ } catch (KeyStoreException e) {
+@@ -149,6 +145,19 @@
+ return null;
+ }
+
++ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore
store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException,
NoSuchProviderException, SignatureException, CertificateException {
++ synchronized (store) {
++ for (Enumeration e = store.aliases();
e.hasMoreElements();) {
++ Certificate nextCert =
store.getCertificate((String) e.nextElement());
++ if (nextCert instanceof X509Certificate &&
((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
++ cert.verify(nextCert.getPublicKey());
++ return nextCert;
++ }
++ }
++ return null;
++ }
++ }
++
+ protected String doAddTrustAnchor(Certificate cert, String alias)
throws IOException, GeneralSecurityException {
+ if (isReadOnly())
+ throw new
IOException(SignedContentMessages.Default_Trust_Read_Only);
diff --git a/debian/patches/series b/debian/patches/series
index 7a10dc6..34831f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ build-arch.patch
sat4j-version.patch
add-o.e.equinox.concurrent.patch
pdebuild-workspace.patch
+bp-osgi-ignore-root-CA.patch
diff --git
a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
index cd3ca9e..96cd4f6 100644
---
a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+++
b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
@@ -101,27 +101,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
try {
Certificate rootCert = null;
-
KeyStore store = getKeyStore();
for (int i = 0; i < certChain.length; i++) {
if (certChain[i] instanceof X509Certificate) {
- if (i == certChain.length - 1) { //this
is the last certificate in the chain
+ if (i == certChain.length - 1) {
+ // this is the last certificate
in the chain
+ // determine if we have a valid
root
X509Certificate cert =
(X509Certificate) certChain[i];
if
(cert.getSubjectDN().equals(cert.getIssuerDN())) {
-
certChain[i].verify(certChain[i].getPublicKey());
- rootCert =
certChain[i]; // this is a self-signed certificate
+
cert.verify(cert.getPublicKey());
+ rootCert = cert; //
this is a self-signed certificate
} else {
// try to find a
parent, we have an incomplete chain
- synchronized (store) {
- for
(Enumeration e = store.aliases(); e.hasMoreElements();) {
-
Certificate nextCert = store.getCertificate((String) e.nextElement());
- if
(nextCert instanceof X509Certificate && ((X509Certificate)
nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
-
cert.verify(nextCert.getPublicKey());
-
rootCert = nextCert;
-
break;
- }
- }
- }
+ return
findAlternativeRoot(cert, store);
}
} else {
X509Certificate nextX509Cert =
(X509Certificate) certChain[i + 1];
@@ -138,6 +130,10 @@ public class KeyStoreTrustEngine extends TrustEngine {
if (alias != null)
return
store.getCertificate(alias);
}
+ // if we have reached the end and the
last cert is not found to be a valid root CA
+ // then we need to back off the root CA
and try to find an alternative
+ if (certChain.length > 1 && i ==
certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
+ return
findAlternativeRoot((X509Certificate) certChain[i - 1], store);
}
}
} catch (KeyStoreException e) {
@@ -149,6 +145,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
return null;
}
+ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore
store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException,
NoSuchProviderException, SignatureException, CertificateException {
+ synchronized (store) {
+ for (Enumeration e = store.aliases();
e.hasMoreElements();) {
+ Certificate nextCert =
store.getCertificate((String) e.nextElement());
+ if (nextCert instanceof X509Certificate &&
((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+ cert.verify(nextCert.getPublicKey());
+ return nextCert;
+ }
+ }
+ return null;
+ }
+ }
+
protected String doAddTrustAnchor(Certificate cert, String alias)
throws IOException, GeneralSecurityException {
if (isReadOnly())
throw new
IOException(SignedContentMessages.Default_Trust_Read_Only);
hooks/post-receive
--
eclipse - Powerful IDE written in java - Debian package.
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
