Re: CVS commit: pkgsrc/security

[Greg Troxel <gdt%lexort.com@localhost>]

"Kimmo Suominen" <kim%netbsd.org@localhost> writes:

> Module Name:  pkgsrc
> Committed By: kim
> Date:         Sun May 31 15:53:44 UTC 2020
>
> Modified Files:
>       pkgsrc/security: Makefile
> Added Files:
>       pkgsrc/security/ca-certificates: DESCR INSTALL MESSAGE Makefile PLIST
>           distinfo
>       pkgsrc/security/ca-certificates/files: ca-certificates.conf

I wonder how and why this is different from mozilla-rootcerts.  I think
this is an obvious question, and that therefore DESCR should make that
clear.

Could you install a README instead of MESSAGE?  This is really just
regular how-to-use-this-package documentation and I don't think it
merits shouting at the user via MESSSAGE.



>
> Log Message:
> Add ca-certificates-20190110
>
> This package provides the certificates distributed by the Mozilla
> Project.
>
> It also provides a script, update-ca-certs, which can be used to manage
> a location that makes certificates usable by TLS implementations,
> including installing select certificates from this package.
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.761 -r1.762 pkgsrc/security/Makefile
> cvs rdiff -u -r0 -r1.1 pkgsrc/security/ca-certificates/DESCR \
>     pkgsrc/security/ca-certificates/INSTALL \
>     pkgsrc/security/ca-certificates/MESSAGE \
>     pkgsrc/security/ca-certificates/Makefile \
>     pkgsrc/security/ca-certificates/PLIST \
>     pkgsrc/security/ca-certificates/distinfo
> cvs rdiff -u -r0 -r1.1 \
>     pkgsrc/security/ca-certificates/files/ca-certificates.conf
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>
> Modified files:
>
> Index: pkgsrc/security/Makefile
> diff -u pkgsrc/security/Makefile:1.761 pkgsrc/security/Makefile:1.762
> --- pkgsrc/security/Makefile:1.761    Tue May 26 22:33:20 2020
> +++ pkgsrc/security/Makefile  Sun May 31 15:53:44 2020
> @@ -1,4 +1,4 @@
> -# $NetBSD: Makefile,v 1.761 2020/05/26 22:33:20 adam Exp $
> +# $NetBSD: Makefile,v 1.762 2020/05/31 15:53:44 kim Exp $
>  #
>  
>  COMMENT=     Security tools
> @@ -34,6 +34,7 @@ SUBDIR+=    bitstir
>  SUBDIR+=     boringssl
>  SUBDIR+=     botan
>  SUBDIR+=     botan-devel
> +SUBDIR+=     ca-certificates
>  SUBDIR+=     caff
>  SUBDIR+=     ccid
>  SUBDIR+=     cfs
>
> Added files:
>
> Index: pkgsrc/security/ca-certificates/DESCR
> diff -u /dev/null pkgsrc/security/ca-certificates/DESCR:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/DESCR     Sun May 31 15:53:44 2020
> @@ -0,0 +1,6 @@
> +This package provides the certificates distributed by the Mozilla
> +Project.
> +
> +It also provides a script, update-ca-certs, which can be used to manage
> +a location that makes certificates usable by TLS implementations,
> +including installing select certificates from this package.
> Index: pkgsrc/security/ca-certificates/INSTALL
> diff -u /dev/null pkgsrc/security/ca-certificates/INSTALL:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/INSTALL   Sun May 31 15:53:44 2020
> @@ -0,0 +1,7 @@
> +# $NetBSD: INSTALL,v 1.1 2020/05/31 15:53:44 kim Exp $
> +
> +case ${STAGE} in
> +POST-INSTALL)
> +     @PREFIX@/sbin/update-ca-certificates
> +     ;;
> +esac
> Index: pkgsrc/security/ca-certificates/MESSAGE
> diff -u /dev/null pkgsrc/security/ca-certificates/MESSAGE:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/MESSAGE   Sun May 31 15:53:44 2020
> @@ -0,0 +1,24 @@
> +===========================================================================
> +$NetBSD: MESSAGE,v 1.1 2020/05/31 15:53:44 kim Exp $
> +
> +Execute this command to install and rehash select CA root certificates
> +distributed by the Mozilla Project, so that they can be used by third
> +party applications using OpenSSL. It also creates a single file
> +certificate bundle in PEM format which can be used by applications using
> +GnuTLS.
> +
> +     # update-ca-certificates
> +
> +You can edit /etc/ca-certificates.conf to configure which certificates are
> +installed. Additionally any certificates in /usr/local/share/ca-certificates
> +will be installed.
> +
> +To mark these certificates as trusted for users of gnupg2, do
> +the following (assuming default PKG_SYSCONFBASE and a Bourne shell):
> +
> +     # mkdir -p /usr/pkg/etc/gnupg
> +     # cd /usr/pkg/etc/gnupg
> +     # for c in /etc/openssl/certs/*.pem; do
> +     > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
> +     > done > trustlist.txt
> +===========================================================================
> Index: pkgsrc/security/ca-certificates/Makefile
> diff -u /dev/null pkgsrc/security/ca-certificates/Makefile:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/Makefile  Sun May 31 15:53:44 2020
> @@ -0,0 +1,68 @@
> +# $NetBSD: Makefile,v 1.1 2020/05/31 15:53:44 kim Exp $
> +
> +PKGNAME=     ca-certificates-20190110
> +DISTNAME=    ${PKGNAME:C/-([^-]*)$/_\1/}
> +CATEGORIES=  security
> +MASTER_SITES=        http://deb.debian.org/debian/pool/main/c/ca-certificates/
> +EXTRACT_SUFX=        .tar.xz
> +
> +MAINTAINER=  pkgsrc-users%NetBSD.org@localhost
> +HOMEPAGE=    https://packages.debian.org/source/sid/ca-certificates
> +COMMENT=     Root CA certificates from the Mozilla Project
> +LICENSE=     gnu-gpl-v2 AND mpl-2.0
> +
> +NO_CONFIGURE=                yes
> +PYTHON_FOR_BUILD_ONLY=       yes
> +
> +USE_TOOLS=   awk:run echo:run expr:run ln:run ls:run openssl:run rm:run mkdir:run
> +
> +WRKSRC=              ${WRKDIR}/${PKGNAME_NOREV}
> +DATADIR=     ${PREFIX}/share/${PKGBASE}
> +EGDIR=               ${PREFIX}/share/examples/${PKGBASE}
> +
> +# Set paths depending on whether we depend on builtin or pkgsrc
> +# openssl.  \todo Arguably, we should consider installing into both
> +# builtin and pkgsrc, if both exist, but this requires much more
> +# thought.
> +CHECK_BUILTIN.openssl=       yes
> +.include "../../security/openssl/builtin.mk"
> +CHECK_BUILTIN.openssl=       no
> +.if !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
> +SSLDIR=              /etc/openssl
> +.else
> +SSLDIR=              ${PKG_SYSCONFDIR}/openssl
> +.endif
> +
> +SUBST_CLASSES=               conf paths
> +SUBST_MESSAGE.conf=  Adjusting configuration file.
> +SUBST_STAGE.conf=    post-build
> +SUBST_FILES.conf=    ca-certificates.conf
> +SUBST_SED.conf=              -e 's,^share/ca-certificates/,,'
> +SUBST_MESSAGE.paths= Replacing hard-coded paths.
> +SUBST_STAGE.paths=   post-build
> +SUBST_FILES.paths=   Makefile sbin/Makefile
> +SUBST_FILES.paths+=  ca-certificates.conf
> +SUBST_FILES.paths+=  sbin/update-ca-certificates sbin/update-ca-certificates.8
> +SUBST_SED.paths=     -e 's,/usr/sbin,${PREFIX}/sbin,g'
> +SUBST_SED.paths+=    -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'
> +SUBST_SED.paths+=    -e 's,/etc/ssl,${SSLDIR},g'
> +SUBST_SED.paths+=    -e 's,/usr/share/ca-certificates,${DATADIR},g'
> +
> +INSTALLATION_DIRS=   sbin ${DATADIR} ${EGDIR} share/man/man8
> +
> +CONF_FILES=          ${EGDIR}/ca-certificates.conf \
> +                     ${PKG_SYSCONFDIR}/ca-certificates.conf
> +
> +pre-build:
> +     @${CP} ${FILESDIR}/ca-certificates.conf ${WRKSRC}/
> +     @${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
> +         >> ${WRKSRC}/ca-certificates.conf
> +
> +post-install:
> +     ${INSTALL_MAN} ${WRKSRC}/sbin/update-ca-certificates.8 \
> +         ${DESTDIR}${PREFIX}/share/man/man8/update-ca-certificates.8
> +     ${INSTALL_DATA} ${WRKSRC}/ca-certificates.conf \
> +         ${DESTDIR}${EGDIR}/ca-certificates.conf
> +
> +.include "../../lang/python/tool.mk"
> +.include "../../mk/bsd.pkg.mk"
> Index: pkgsrc/security/ca-certificates/PLIST
> diff -u /dev/null pkgsrc/security/ca-certificates/PLIST:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/PLIST     Sun May 31 15:53:44 2020
> @@ -0,0 +1,132 @@
> +@comment $NetBSD: PLIST,v 1.1 2020/05/31 15:53:44 kim Exp $
> +sbin/update-ca-certificates
> +share/ca-certificates/mozilla/ACCVRAIZ1.crt
> +share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt
> +share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
> +share/ca-certificates/mozilla/AddTrust_External_Root.crt
> +share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
> +share/ca-certificates/mozilla/AffirmTrust_Networking.crt
> +share/ca-certificates/mozilla/AffirmTrust_Premium.crt
> +share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
> +share/ca-certificates/mozilla/Amazon_Root_CA_1.crt
> +share/ca-certificates/mozilla/Amazon_Root_CA_2.crt
> +share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
> +share/ca-certificates/mozilla/Amazon_Root_CA_4.crt
> +share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
> +share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
> +share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
> +share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
> +share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
> +share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
> +share/ca-certificates/mozilla/CFCA_EV_ROOT.crt
> +share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
> +share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
> +share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
> +share/ca-certificates/mozilla/Certigna.crt
> +share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt
> +share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt
> +share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
> +share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
> +share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
> +share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
> +share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
> +share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
> +share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
> +share/ca-certificates/mozilla/DST_Root_CA_X3.crt
> +share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt
> +share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
> +share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
> +share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
> +share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
> +share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
> +share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
> +share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
> +share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt
> +share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt
> +share/ca-certificates/mozilla/EC-ACC.crt
> +share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt
> +share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
> +share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
> +share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
> +share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt
> +share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt
> +share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
> +share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt
> +share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
> +share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
> +share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt
> +share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt
> +share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
> +share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
> +share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
> +share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
> +share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
> +share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt
> +share/ca-certificates/mozilla/Global_Chambersign_Root_-_2008.crt
> +share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
> +share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
> +share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
> +share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
> +share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
> +share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
> +share/ca-certificates/mozilla/ISRG_Root_X1.crt
> +share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
> +share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
> +share/ca-certificates/mozilla/Izenpe.com.crt
> +share/ca-certificates/mozilla/LuxTrust_Global_Root_2.crt
> +share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt
> +share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
> +share/ca-certificates/mozilla/Network_Solutions_Certificate_Authority.crt
> +share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
> +share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
> +share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt
> +share/ca-certificates/mozilla/QuoVadis_Root_CA.crt
> +share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt
> +share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt
> +share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt
> +share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt
> +share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt
> +share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
> +share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
> +share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt
> +share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt
> +share/ca-certificates/mozilla/SZAFIR_ROOT_CA2.crt
> +share/ca-certificates/mozilla/SecureSign_RootCA11.crt
> +share/ca-certificates/mozilla/SecureTrust_CA.crt
> +share/ca-certificates/mozilla/Secure_Global_CA.crt
> +share/ca-certificates/mozilla/Security_Communication_RootCA2.crt
> +share/ca-certificates/mozilla/Security_Communication_Root_CA.crt
> +share/ca-certificates/mozilla/Sonera_Class_2_Root_CA.crt
> +share/ca-certificates/mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
> +share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
> +share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
> +share/ca-certificates/mozilla/Starfield_Class_2_CA.crt
> +share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
> +share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
> +share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
> +share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
> +share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt
> +share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt
> +share/ca-certificates/mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
> +share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
> +share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
> +share/ca-certificates/mozilla/Taiwan_GRCA.crt
> +share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt
> +share/ca-certificates/mozilla/TrustCor_ECA-1.crt
> +share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt
> +share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt
> +share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
> +share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
> +share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
> +share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
> +share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
> +share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
> +share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
> +share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
> +share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
> +share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
> +share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
> +share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
> +share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt
> +share/examples/ca-certificates/ca-certificates.conf
> +share/man/man8/update-ca-certificates.8
> Index: pkgsrc/security/ca-certificates/distinfo
> diff -u /dev/null pkgsrc/security/ca-certificates/distinfo:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/distinfo  Sun May 31 15:53:44 2020
> @@ -0,0 +1,6 @@
> +$NetBSD: distinfo,v 1.1 2020/05/31 15:53:44 kim Exp $
> +
> +SHA1 (ca-certificates_20190110.tar.xz) = 47d4584eae85fc905e4994766eb3930a8a84e2e1
> +RMD160 (ca-certificates_20190110.tar.xz) = cbf8f474fba527dc96413632ac5874385bd38e17
> +SHA512 (ca-certificates_20190110.tar.xz) = 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372
> +Size (ca-certificates_20190110.tar.xz) = 243472 bytes
>
> Index: pkgsrc/security/ca-certificates/files/ca-certificates.conf
> diff -u /dev/null pkgsrc/security/ca-certificates/files/ca-certificates.conf:1.1
> --- /dev/null Sun May 31 15:53:44 2020
> +++ pkgsrc/security/ca-certificates/files/ca-certificates.conf        Sun May 31 15:53:44 2020
> @@ -0,0 +1,8 @@
> +# $NetBSD: ca-certificates.conf,v 1.1 2020/05/31 15:53:44 kim Exp $
> +#
> +# This file lists certificates that update-ca-certificates(8) will
> +# select or deselect for installing in /etc/ssl/certs.
> +#
> +# A line beginning with # is a comment.
> +# A line beginning with ! deselects the matching certificate file.
> +#