From 3acb3a9042a00307ba35d10052d81cdc206c34a4 Mon Sep 17 00:00:00 2001
From: Michael Shuler
Date: Wed, 30 Nov 2016 20:37:34 -0600
Subject: Add ca-certificates udeb package #845456
---
 debian/ca-certificates-udeb.links | 1 +
 debian/ca-certificates.dirs | 4 +
 debian/ca-certificates.postinst | 187 ++++++++++++++++++++++++++++++++++++++
 debian/ca-certificates.postrm | 65 +++++++++++++
 debian/changelog | 7 ++
 debian/control | 14 ++-
 debian/dirs | 4 -
 debian/postinst | 187 --------------------------------------
 debian/postrm | 65 -------------
 debian/rules | 10 +-
 10 files changed, 285 insertions(+), 259 deletions(-)
 create mode 100644 debian/ca-certificates-udeb.links
 create mode 100644 debian/ca-certificates.dirs
 create mode 100644 debian/ca-certificates.postinst
 create mode 100644 debian/ca-certificates.postrm
 delete mode 100644 debian/dirs
 delete mode 100644 debian/postinst
 delete mode 100644 debian/postrm
diff --git a/debian/ca-certificates-udeb.links b/debian/ca-certificates-udeb.links
new file mode 100644
index 0000000..51bf8d3
--- /dev/null
+++ b/debian/ca-certificates-udeb.links
@@ -0,0 +1 @@
+etc/ssl/certs usr/lib/ssl/certs
diff --git a/debian/ca-certificates.dirs b/debian/ca-certificates.dirs
new file mode 100644
index 0000000..b64bbd3
--- /dev/null
+++ b/debian/ca-certificates.dirs
@@ -0,0 +1,4 @@
+etc/ssl/certs
+usr/sbin
+usr/share/ca-certificates/
+etc/ca-certificates/update.d
diff --git a/debian/ca-certificates.postinst b/debian/ca-certificates.postinst
new file mode 100644
index 0000000..21586bb
--- /dev/null
+++ b/debian/ca-certificates.postinst
@@ -0,0 +1,187 @@ +#! /bin/sh +# postinst script for ca-certificates +# +# see: dh_installdeb(1) + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +set -e + +each_value() { + echo "$1" |tr ',' '\n' | sed -e 's/^[[:space:]]*//' +} + +memberp() { + m="$1" + l="$2" + each_value "$l" | grep -q "^$m\$" +} + +delca() { + m="$1" + l="$2" + echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' +} + +case "$1" in + configure) + if [ ! -e /usr/local/share/ca-certificates ]; then + if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then + chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates + fi + # Handle upgrades and allow local admin to override: + # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates + elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then + chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates + chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates + fi + + . 
/usr/share/debconf/confmodule + db_version 2.0 + db_capb multiselect + db_metaget ca-certificates/enable_crts choices + CERTS_AVAILABLE="$RET" + db_get ca-certificates/enable_crts + CERTS_ENABLED="$RET" + # XXX unmark seen for next configuration + db_fset ca-certificates/new_crts seen false + db_stop || true + if test -f /etc/ca-certificates.conf; then + # XXX: while in subshell? + while read line + do + if echo "$line" | grep -q '^#'; then + echo "$line" + else + case "$line" in + !*) ca=$(echo "$line" | sed -e 's/^!//');; + *) ca="$line";; + esac + if memberp "$ca" "$CERTS_ENABLED"; then + echo "$ca" + # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED") + elif memberp "$ca" "$CERTS_AVAILABLE" || + echo "$line" | grep -q '^!'; then + echo "!$ca" + elif [ -f /usr/share/ca-certificates/"$ca" ] || \ + [ -f /usr/local/share/ca-certificates/"$ca" ]; then + echo "$ca" + else + echo "!$ca" + fi + # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE") + fi + done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new + if echo "$CERTS_ENABLED" | egrep -q "^([[:space:]]*,)*[[:space:]]*$"; then + : + else + each_value "$CERTS_ENABLED" | while read ca + do + if grep -q "^$ca" /etc/ca-certificates.conf.dpkg-new; then + : + else + echo "$ca" >> /etc/ca-certificates.conf.dpkg-new + fi + done + fi + each_value "$CERTS_AVAILABLE" | while read ca + do + if memberp "$ca" "$CERTS_ENABLED"; then + : + elif grep -q "^!$ca" /etc/ca-certificates.conf.dpkg-new; then + : + else + echo "!$ca" >> /etc/ca-certificates.conf.dpkg-new + fi + done + if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then + rm -f /etc/ca-certificates.conf.dpkg-new + else + mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old + mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf + fi + else + # new file + cat > /etc/ca-certificates.conf <> /etc/ca-certificates.conf + fi + # update /etc/ssl/certs without running the hooks + # fix bogus symlink to ca-certificates.crt 
on upgrades; see + # Debian #643667; drop after wheezy + if dpkg --compare-versions "$2" lt-nl 20111025; then + update-ca-certificates --hooksdir "" --fresh + else + update-ca-certificates --hooksdir "" + fi + # deferred update of /etc/ssl/certs including running the hooks + dpkg-trigger --no-await update-ca-certificates + ;; + + triggered) + for trigger in $2; do + case "$trigger" in + update-ca-certificates) + update-ca-certificates + ;; + update-ca-certificates-fresh) + update-ca-certificates --fresh + ;; + *) + echo "postinst called with unknown trigger \`$2'">&2 + exit 1 + ;; + esac; + done; + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff --git a/debian/ca-certificates.postrm b/debian/ca-certificates.postrm new file mode 100644 index 0000000..11759fe --- /dev/null +++ b/debian/ca-certificates.postrm 
@@ -0,0 +1,65 @@
+#! /bin/sh
+# postrm script for ca-certificates
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see /usr/share/doc/packaging-manual/
+
+# Clear the debconf database as early as possible and signal debconf that
+# we are done with it.
+if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+ db_purge
+ db_stop
+fi
+
+remove_dangling_symlinks() {
+ if ! [ -d /etc/ssl/certs ]
+ then
+ return
+ fi
+ echo -n "Removing dangling symlinks from /etc/ssl/certs... "
+ find /etc/ssl/certs -type l -print | while read h
+ do
+ test -f "$h" || rm -f "$h"
+ done
+ echo "done."
+}
+
+case "$1" in
+ remove)
+ remove_dangling_symlinks
+ rmdir /usr/local/share/ca-certificates 2>/dev/null || true
+ ;;
+
+ purge)
+ rm -f /etc/ssl/certs/ca-certificates.crt
+ remove_dangling_symlinks
+ rm -f /etc/ca-certificates.conf*
+ ;;
+
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+
diff --git a/debian/changelog b/debian/changelog
index 3503b78..7fe4498 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ca-certificates (20161130) UNRELEASED; urgency=medium
+
+ [ Philipp Kern ]
+ * Add ca-certificates udeb package. Closes: #845456
+
+ -- Michael Shuler Wed, 30 Nov 2016 20:34:44 -0600
+
 ca-certificates (20161102) unstable; urgency=medium
 
 [ Michael Shuler ]
diff --git a/debian/control b/debian/control
index 86ad83c..4d0ec1f 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,7 @@ Uploaders: Raphael Geissert , Thijs Kinkhorst , Christian Perrier Build-Depends: debhelper (>= 9), po-debconf -Build-Depends-Indep: python +Build-Depends-Indep: python, openssl Standards-Version: 3.9.8 Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git @@ -29,3 +29,15 @@ Description: Common CA certificates have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator. + +Package: ca-certificates-udeb +Package-Type: udeb +Section: debian-installer +Architecture: all +Depends: ${misc:Depends} +Description: Common CA certificates - udeb + Contains the certificate authorities shipped with Mozilla's browser, + all enabled by default. + . + This package is for use in the installer environment only. + Do not install on a normal system. diff --git a/debian/dirs b/debian/dirs deleted file mode 100644 index b64bbd3..0000000 --- a/debian/dirs +++ /dev/null @@ -1,4 +0,0 @@ -etc/ssl/certs -usr/sbin -usr/share/ca-certificates/ -etc/ca-certificates/update.d diff --git a/debian/postinst b/debian/postinst deleted file mode 100644 index 21586bb..0000000 --- a/debian/postinst +++ /dev/null 
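Review bot: The `Description` of the new `ca-certificates-udeb` stanza in debian/control says the CAs are "all enabled by default" but, unlike the main package text shown as context just above it, gives no hint that the set cannot be adjusted inside the installer. The debconf selection lives in the maintainer script this commit moves to `debian/ca-certificates.postinst`, which appears to apply to the main package only, so the udeb's trust set looks fixed at package build time. I would add a description line such as ` The set of trusted CAs is fixed at build time and is not configurable.` so that anyone building installer images knows that dropping a CA needs a rebuilt udeb.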
@@ -1,187 +0,0 @@ -#! /bin/sh -# postinst script for ca-certificates -# -# see: dh_installdeb(1) - -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. - -set -e - -each_value() { - echo "$1" |tr ',' '\n' | sed -e 's/^[[:space:]]*//' -} - -memberp() { - m="$1" - l="$2" - each_value "$l" | grep -q "^$m\$" -} - -delca() { - m="$1" - l="$2" - echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' -} - -case "$1" in - configure) - if [ ! -e /usr/local/share/ca-certificates ]; then - if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then - chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates - fi - # Handle upgrades and allow local admin to override: - # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates - elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then - chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates - chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates - fi - - . 
/usr/share/debconf/confmodule - db_version 2.0 - db_capb multiselect - db_metaget ca-certificates/enable_crts choices - CERTS_AVAILABLE="$RET" - db_get ca-certificates/enable_crts - CERTS_ENABLED="$RET" - # XXX unmark seen for next configuration - db_fset ca-certificates/new_crts seen false - db_stop || true - if test -f /etc/ca-certificates.conf; then - # XXX: while in subshell? - while read line - do - if echo "$line" | grep -q '^#'; then - echo "$line" - else - case "$line" in - !*) ca=$(echo "$line" | sed -e 's/^!//');; - *) ca="$line";; - esac - if memberp "$ca" "$CERTS_ENABLED"; then - echo "$ca" - # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED") - elif memberp "$ca" "$CERTS_AVAILABLE" || - echo "$line" | grep -q '^!'; then - echo "!$ca" - elif [ -f /usr/share/ca-certificates/"$ca" ] || \ - [ -f /usr/local/share/ca-certificates/"$ca" ]; then - echo "$ca" - else - echo "!$ca" - fi - # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE") - fi - done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new - if echo "$CERTS_ENABLED" | egrep -q "^([[:space:]]*,)*[[:space:]]*$"; then - : - else - each_value "$CERTS_ENABLED" | while read ca - do - if grep -q "^$ca" /etc/ca-certificates.conf.dpkg-new; then - : - else - echo "$ca" >> /etc/ca-certificates.conf.dpkg-new - fi - done - fi - each_value "$CERTS_AVAILABLE" | while read ca - do - if memberp "$ca" "$CERTS_ENABLED"; then - : - elif grep -q "^!$ca" /etc/ca-certificates.conf.dpkg-new; then - : - else - echo "!$ca" >> /etc/ca-certificates.conf.dpkg-new - fi - done - if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then - rm -f /etc/ca-certificates.conf.dpkg-new - else - mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old - mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf - fi - else - # new file - cat > /etc/ca-certificates.conf <> /etc/ca-certificates.conf - fi - # update /etc/ssl/certs without running the hooks - # fix bogus symlink to ca-certificates.crt 
on upgrades; see - # Debian #643667; drop after wheezy - if dpkg --compare-versions "$2" lt-nl 20111025; then - update-ca-certificates --hooksdir "" --fresh - else - update-ca-certificates --hooksdir "" - fi - # deferred update of /etc/ssl/certs including running the hooks - dpkg-trigger --no-await update-ca-certificates - ;; - - triggered) - for trigger in $2; do - case "$trigger" in - update-ca-certificates) - update-ca-certificates - ;; - update-ca-certificates-fresh) - update-ca-certificates --fresh - ;; - *) - echo "postinst called with unknown trigger \`$2'">&2 - exit 1 - ;; - esac; - done; - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff --git a/debian/postrm b/debian/postrm deleted file mode 100644 index 11759fe..0000000 --- a/debian/postrm +++ /dev/null 
@@ -1,65 +0,0 @@ -#! /bin/sh -# postrm script for ca-certificates -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `purge' -# * `upgrade' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# * `disappear' overwrit>r> -# for details, see /usr/share/doc/packaging-manual/ - -# Clear the debconf database as early as possible and signal debconf that -# we are done with it. -if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then - . /usr/share/debconf/confmodule - db_purge - db_stop -fi - -remove_dangling_symlinks() { - if ! [ -d /etc/ssl/certs ] - then - return - fi - echo -n "Removing dangling symlinks from /etc/ssl/certs... " - find /etc/ssl/certs -type l -print | while read h - do - test -f "$h" || rm -f "$h" - done - echo "done." -} - -case "$1" in - remove) - remove_dangling_symlinks - rmdir /usr/local/share/ca-certificates 2>/dev/null || true - ;; - - purge) - rm -f /etc/ssl/certs/ca-certificates.crt - remove_dangling_symlinks - rm -f /etc/ca-certificates.conf* - ;; - - upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - - diff --git a/debian/rules b/debian/rules index fd4632b..a935300 100755 --- a/debian/rules +++ b/debian/rules @@ -17,7 +17,7 @@ build-arch: build-stamp build-indep: build-stamp -build-stamp: configure-stamp +build-stamp: configure-stamp dh_testdir # Add here commands to compile the package. 
@@ -56,16 +56,22 @@ install: build cd $(CURDIR)/debian; \ sed -e "s|#INITIAL_CERTS#|$$crts|" \ config.in > config) + # udeb handling + install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" + (cd mozilla; \ + $(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs") + c_rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" # Build architecture-independent files here. binary-indep: build install dh_testdir dh_testroot + dh_link dh_installdebconf -n dh_installdocs dh_installexamples dh_installman sbin/update-ca-certificates.8 - dh_installchangelogs + dh_installchangelogs dh_compress -X examples dh_fixperms dh_installdeb -- cgit v1.2.1
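Review bot: In the `# udeb handling` block added to the `install` target, the build trusts `c_rehash -v` to have created the hash links and nothing checks the result; c_rehash has historically only printed a warning for a file it cannot hash or when it cannot find the `openssl` program, so (if that holds for the build host's version) a udeb could ship certificates the installer cannot look up. A guard on the next recipe line would turn that into a build failure: `test -n "$$(find "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" -type l)"`. The link names also depend on the hash scheme of the build host's `openssl`, which the new `Build-Depends-Indep: python, openssl` leaves unversioned, so a comment stating which TLS library in the installer reads this directory would help. The `install` target begins above this hunk and `binary-indep` continues past it.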