Hello community,
here is the log from the commit of package ca-certificates for openSUSE:Factory checked in at 2013-07-03 10:11:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ca-certificates (Old)
and /work/SRC/openSUSE:Factory/.ca-certificates.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ca-certificates"
Changes:
--------
--- /work/SRC/openSUSE:Factory/ca-certificates/ca-certificates.changes 2013-06-25 17:20:12.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ca-certificates.new/ca-certificates.changes 2013-07-03 10:11:38.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Jun 27 16:17:51 UTC 2013 - lnussel@suse.de
+
+- disable generating ca-bundle for now again so people don't submit
+ new packages that use this file.
+
+-------------------------------------------------------------------
@@ -5,0 +12,5 @@
+
+-------------------------------------------------------------------
+Mon Jun 24 12:46:30 UTC 2013 - lnussel@suse.de
+
+- update manpage
Old:
----
ca-certificates-1_201306200949.tar.xz
New:
----
ca-certificates-1_201307011044.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ca-certificates.spec ++++++
--- /var/tmp/diff_new_pack.BydYCo/_old 2013-07-03 10:11:38.000000000 +0200
+++ /var/tmp/diff_new_pack.BydYCo/_new 2013-07-03 10:11:38.000000000 +0200
@@ -16,6 +16,12 @@
#
+# the ca bundle file was meant as compat option for e.g.
+# proprietary packages. Now that I see it abused in free software
+# packages that can be trivially patched to do the right thing I'm
+# disabling this for now again.
+%bcond_with cabundle
+
BuildRequires: openssl
BuildRequires: p11-kit-devel
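Review bot: the comment above `%bcond_with cabundle` says packages "can be trivially patched to do the right thing" but never says what the right thing is. Name the supported alternative in the comment (the man page in this same submission points applications at the /etc/ssl/certs directory), and mention that building `--with cabundle` brings the file back, so a packager who hits the missing bundle knows both options.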
@@ -23,7 +29,7 @@
%define ssletcdir %{_sysconfdir}/ssl
%define cabundle /var/lib/ca-certificates/ca-bundle.pem
%define sslcerts %{ssletcdir}/certs
-Version: 1_201306200949
+Version: 1_201307011044
Release: 0
Summary: Utilities for system wide CA certificate installation
License: GPL-2.0+
@@ -57,6 +63,9 @@
%build
%install
+%if %{without cabundle}
+rm -f certbundle.run
+%endif
%make_install
install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist}
install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist}
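Review bot: `rm -f certbundle.run` in `%install` deletes a file from the unpacked source tree, and it only has the intended effect if `%make_install` installs whatever hooks are left in that directory, which these lines do not show. Removing the installed hook from `%{buildroot}` after `%make_install`, or dropping the file in `%prep`, would keep `%install` repeatable and make the dependency explicit. Separately, the context lines `install -d m 755 ...` pass `m` and `755` as directory names; `-m 755` looks intended.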
@@ -65,9 +74,11 @@
install -d m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d
install -d m 755 %{buildroot}/var/lib/ca-certificates/pem
install -d m 755 %{buildroot}/var/lib/ca-certificates/openssl
+%if %{with cabundle}
install -D -m 644 /dev/null %{buildroot}/%{cabundle}
-install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
+%endif
+install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
%post
if [ -s /etc/ca-certificates.conf ]; then
@@ -104,8 +115,6 @@
%dir %{trustdir_static}/anchors
%dir %{trustdir_static}/blacklist
%dir /etc/ssl/certs
-%{ssletcdir}/ca-bundle.pem
-%ghost %{cabundle}
%ghost /var/lib/ca-certificates/java-cacerts
%dir /etc/ca-certificates
%dir /etc/ca-certificates/update.d
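Review bot: removing `%{ssletcdir}/ca-bundle.pem` and `%ghost %{cabundle}` from `%files` leaves the upgrade path unaddressed. With certbundle.run no longer shipped in the default build, a bundle left behind from the previous version would stop following trust anchor and blacklist changes. Please confirm the old file and symlink are removed on upgrade, or clean them up in a scriptlet.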
@@ -117,8 +126,13 @@
%{_sbindir}/update-ca-certificates
%{_mandir}/man8/update-ca-certificates.8*
%{_prefix}/lib/ca-certificates/update.d/java.run
-%{_prefix}/lib/ca-certificates/update.d/certbundle.run
%{_prefix}/lib/ca-certificates/update.d/etc_ssl.run
%{_prefix}/lib/ca-certificates/update.d/openssl.run
+#
+%if %{with cabundle}
+%{ssletcdir}/ca-bundle.pem
+%ghost %{cabundle}
+%{_prefix}/lib/ca-certificates/update.d/certbundle.run
+%endif
%changelog
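Review bot: the lone `#` added before `%if %{with cabundle}` carries no information. Either drop it or turn it into a comment saying these three entries are only packaged when building with cabundle.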
++++++ ca-certificates-1_201306200949.tar.xz -> ca-certificates-1_201307011044.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ca-certificates-1_201306200949/update-ca-certificates.8 new/ca-certificates-1_201307011044/update-ca-certificates.8
--- old/ca-certificates-1_201306200949/update-ca-certificates.8 2013-06-20 09:49:53.000000000 +0200
+++ new/ca-certificates-1_201307011044/update-ca-certificates.8 2013-07-01 10:44:11.000000000 +0200
@@ -21,24 +21,22 @@
.B update-ca-certificates
.RI [ options ]
.SH DESCRIPTION
-\fBupdate-ca-certificates\fP updates the directory
-/etc/ssl/certs to hold SSL certificates and generates /etc/ssl/ca-bundle.pem,
-a concatenated single-file list of certificates.
+\fBupdate-ca-certificates\fP is intended to keep the certificate stores of
+various components in sync with the system CA certificates.
.PP
-It reads the file /etc/ca-certificates.conf. Each line gives a pathname of
-a CA certificate under /usr/share/ca-certificates that should be trusted.
-Lines that begin with "#" are comment lines and thus ignored.
-Lines that begin with "!" are deselected, causing the deactivation
-of the CA certificate in question. All certificates are implicitly
-trusted if no trusted certificates are listed.
+The canonical source of CA certificates is what p11-kit knows about.
+By default p11-kit looks into /usr/share/pki/anchors
+resp /etc/pki/trust/anchors but there could be other plugins that
+serve as source for certificates as well.
.PP
-Furthermore all certificates found below /usr/local/share/ca-certificates
-are also included as implicitly trusted.
+To blacklist certificates symlinks to the respective certificates
+can be placed in /etc/pki/trust/blacklist
.PP
-After populating /etc/ssl/certs \fBupdate-ca-certificates\fP invokes
+\fBupdate-ca-certificates\fP invokes
custom hooks in /usr/lib/ca-certificates/update.d/*.run and
-/etc/ca-certificates/update.d/*.run. The command line options used
-for invoking update-ca-certificates are passed to the hooks as well.
+/etc/ca-certificates/update.d/*.run to generate various certificate storages as
+used by differnt programs. The command line options used for invoking
+update-ca-certificates are passed to the hooks as well.
.SH OPTIONS
A summary of options is included below.
.TP
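Review bot: the new DESCRIPTION gives the default p11-kit location as `/usr/share/pki/anchors`, while the FILES section added later in this patch lists `/usr/share/pki/trust/anchors`; the two need to agree. In the same paragraphs, "differnt" should be "different", "resp" would read better as "and", and the blacklist sentence needs a comma after "To blacklist certificates" and a closing period.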
@@ -49,25 +47,19 @@
Be verbose. Output \fBc_rehash\fP.
.TP
.B \-f, \-\-fresh
-Fresh updates. Removes symlinks in /etc/ssl/certs directory and
-re-creates them from scratch.
+Fresh updates. Don't update stores incrementally but create from scratch.
.SH FILES
.TP
-.I /etc/ca-certificates.conf
-A configuration file.
+.I /usr/share/pki/trust/anchors
+Directory of CA certificate trust anchors.
.TP
-.I /etc/ssl/ca-bundle.pem
-A single-file version of all CA certificates. Use of this file is
-deprecated and should only be used as last resort by applications
-that cannot parse the /etc/ssl/certs directory.
-.TP
-.I /usr/share/ca-certificates
-Directory of CA certificates.
-.I /usr/local/share/ca-certificates
-Directory of local CA certificates.
+.I /usr/share/pki/trust/blacklist
+Directory of blacklisted CA certificates
+.TP
+.I /etc/pki/trust/anchors
+Directory of CA certificate trust anchors for use by the admin
+.TP
+.I /etc/pki/trust/anchors
+Directory of blacklisted CA certificates for use by the admin
.SH SEE ALSO
.BR c_rehash (1),
-.SH AUTHOR
-This manual page was written by Fumitoshi UKAI
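Review bot: the last FILES entry repeats `.I /etc/pki/trust/anchors` but describes the admin blacklist directory; going by the DESCRIPTION text it should be `/etc/pki/trust/blacklist`. As written, the page tells an admin that blacklisted certificates belong in the trust anchor directory, which is the opposite of what they want. The SEE ALSO line `.BR c_rehash (1),` also keeps a trailing comma with nothing after it.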