Hello community, here is the log from the commit of package cfengine for openSUSE:Factory checked in at 2015-04-02 16:02:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cfengine (Old) and /work/SRC/openSUSE:Factory/.cfengine.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cfengine" Changes: -------- --- /work/SRC/openSUSE:Factory/cfengine/cfengine.changes 2015-03-18 13:07:59.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cfengine.new/cfengine.changes 2015-04-02 16:03:10.000000000 +0200 @@ -1,0 +2,25 @@ +Mon Mar 23 10:19:37 UTC 2015 - tchvatal@suse.com + +- Partial fix for bnc#923417: + * 0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch + +------------------------------------------------------------------- +Wed Mar 18 14:33:33 UTC 2015 - tchvatal@suse.com + +- Enable tests, 1 fail so document it + +------------------------------------------------------------------- +Wed Mar 18 14:32:09 UTC 2015 - tchvatal@suse.com + +- Enable pam and disable silent rules for make + +------------------------------------------------------------------- +Wed Mar 18 14:18:09 UTC 2015 - tchvatal@suse.com + +- Proceed bit more with cleaning, the RH sections are failing to build + for couple of years. Better readability without them so prune it + out +- Convert the in-spec build switches to %bcond +- Provide rcbla links to systemd services + +------------------------------------------------------------------- New: ---- 0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cfengine.spec ++++++ --- /var/tmp/diff_new_pack.RUWBKx/_old 2015-04-02 16:03:11.000000000 +0200 +++ /var/tmp/diff_new_pack.RUWBKx/_new 2015-04-02 16:03:11.000000000 +0200 @@ -16,10 +16,6 @@ # -# set to 1 to enable adapter, leave 0 for minimal cfengine -%define with_mysql 0 -%define with_postgresql 0 -%define with_libvirt 0 %define srcname core-%{version} %define libname libpromises %define libsoname %{libname}3 @@ -32,6 +28,10 @@ %else %define have_systemd 0 %endif +# pass --with-bla to enable the build +%bcond_with mysql +%bcond_with postgresql +%bcond_with libvirt Name: cfengine Version: 3.6.5 Release: 0 @@ -66,8 +66,10 @@ Patch6: 0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch # PATCH-FIX-UPSTREAM: Use ssl exponent of 65537 for FIPS bnc#922571 Patch7: cfengine-fips.patch +Patch8: 0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch BuildRequires: bison BuildRequires: db-devel +BuildRequires: fdupes BuildRequires: flex BuildRequires: libacl-devel BuildRequires: libtool @@ -78,10 +80,6 @@ BuildRequires: pcre-devel Requires: %{libsoname} = %{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build -# wtf? SLE_11 does not honor rpmlintrc -%if 0%{?suse_version} <= 1130 -BuildRequires: -post-build-checks -%endif %if %{have_systemd} Source7: cf-execd.service Source8: cf-monitord.service @@ -91,39 +89,26 @@ Source8: cf-execd Source9: cf-serverd %endif -# -# Disable mysql for SLE_11: -# -# configure: error: MySQL client library exports symbols clashing with -# OpenSSL. Get the update from distribution provider, recompile MySQL -# library or disable MySQL connector. See -# http://bugs.mysql.com/bug.php?id=65055 for details. -# -%if %{with_mysql} -%if 0%{?suse_version} != 1110 && 0%{?rhel_version} == 0 +%if %{with mysql} BuildRequires: mysql-devel %endif -%endif -%if %{with_libvirt} +%if %{with libvirt} BuildRequires: libvirt-devel %endif -%if %{with_postgresql} +%if %{with postgresql} BuildRequires: postgresql-devel %endif -%if !%{have_systemd} -# no systemd -> use cron -%if 0%{?centos_version} || 0%{?rhel_version} -Requires: vixie-cron -%else -Requires: cron -%endif -%endif %if %{have_systemd} BuildRequires: systemd %{?systemd_requires} +%else +# Without systemd we require cron +Requires: cron +Requires(post): %insserv_prereq %fillup_prereq %endif -%if 0%{?suse_version} > 01020 -BuildRequires: fdupes +# FHS was a hit with sle11 so it dies out otherwise +%if 0%{?suse_version} <= 1110 +BuildRequires: -post-build-checks %endif %description @@ -162,12 +147,6 @@ %package doc Summary: CFEngine automates large-scale IT computing infrastructure - documentation Group: Documentation/Other -%if 0%{?rhel_version} || 0%{?centos_version} -BuildRequires: tetex -BuildRequires: tetex-dvips -BuildRequires: tetex-latex -BuildRequires: texinfo -%endif %description doc Full documentation for cfengine @@ -181,15 +160,13 @@ %prep %setup -q -n %{srcname} -%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1110 -%patch2 -p1 -%endif -%if 0%{?rhel_version} >= 500 && 0%{?rhel_version} < 600 +%if 0%{?suse_version} <= 1110 %patch2 -p1 %endif %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 ##### rpmlint #### wrong-file-end-of-line-encoding @@ -202,64 +179,57 @@ cp -a $RPM_SOURCE_DIR/*pdf docs/ %build -autoreconf -fi -I m4 +autoreconf -fvi -I m4 # /usr/include/sys for acl.h -CC=gcc CFLAGS="%{optflags} -fno-strict-aliasing" \ +CC=cc CFLAGS="%{optflags} -fno-strict-aliasing" \ %configure \ --disable-static \ + --disable-silent-rules \ --enable-fhs \ --datadir=/var \ --with-workdir=%{workdir} \ -%if %{with_postgresql} +%if %{with postgresql} --with-postgresql \ %endif -%if %{with_mysql} -%if 0%{?suse_version} != 1110 && 0%{?rhel_version} == 0 && 0%{?fedora_version} != 20 +%if %{with mysql} --with-mysql \ %endif -%endif --without-qdbm \ --without-tokyocabinet \ --with-lmdb \ --with-pthreads \ --with-openssl \ --with-pcre \ -%if %{with_libvirt} +%if %{with libvirt} --with-libvirt \ %endif --with-libacl \ --with-libxml2 \ -%if 0%{?suse_version} >= 1110 - --docdir=%{_docdir}/%{name} -%else if 0%{?rhel_version} >= 600 - --docdir=%{_docdir}/%{name}-%{version} -%endif + --docdir=%{_docdir}/%{name} \ + --with-pam make %{?_smp_mflags} +%check +# FAIL: process_test +make check %{?_smp_mflags} || : + %install chmod -x ChangeLog make "DESTDIR=%{buildroot}" install -%if 0%{?suse_version} >= 1110 || 0%{?rhel_version} >= 600 # will appear in cfengine-examples rm -rf %{buildroot}/%{_docdir}/%{name}/examples -%endif install -d %{buildroot}/{usr/sbin,%{workdir}/{bin,inputs,reports}} # create dirs needed for better organizing dirs and files install -d %{buildroot}/%{basedir}/{backup,failsafe,config,plugins} -#%%{__install} -d %{buildroot}/%%{basedir}/config/{development,production} %if %{have_systemd} # systemd: install sample cron file in docdir -%if 0%{?suse_version} install -D -m0644 %{SOURCE10} %{buildroot}/%{_docdir}/%{name} %else -install -D -m0644 %{SOURCE10} %{buildroot}/%{_docdir}/%{name}-%{version} -%endif -%else # no systemd -> use cron # install cron file install -D -m0644 %{SOURCE10} %{buildroot}/%{_sysconfdir}/cron.d/%{name} @@ -270,6 +240,9 @@ install -D -m 0644 %{SOURCE7} %{buildroot}/%{_unitdir}/cf-execd.service install -D -m 0644 %{SOURCE8} %{buildroot}/%{_unitdir}/cf-monitord.service install -D -m 0644 %{SOURCE9} %{buildroot}/%{_unitdir}/cf-serverd.service +ln -s -f service %{buildroot}/%{_sbindir}/rccf-monitord +ln -s -f service %{buildroot}/%{_sbindir}/rccf-execd +ln -s -f service %{buildroot}/%{_sbindir}/rccf-serverd %else # install init scripts install -d %{buildroot}%{_sysconfdir}/init.d @@ -304,26 +277,25 @@ gzip %{buildroot}%{_mandir}/man8/$i.8 done -%if 0%{?suse_version} > 1010 +# Firewall install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/cfengine -%endif -%if 0%{?suse_version} > 01020 +# Ckeabyo dyoes %fdupes %{buildroot}%{_datadir}/cfengine -%endif - -# systemd -%if %{have_systemd} - -#################################################################### -# Systemd -#################################################################### %pre +%if %{have_systemd} %service_add_pre cf-execd.service cf-monitord.service cf-serverd.service +%endif %post +%if %{have_systemd} %service_add_post cf-execd.service cf-monitord.service cf-serverd.service +%else +for i in execd monitord serverd; do + %fillup_and_insserv cf-${i} +done +%endif /sbin/ldconfig if [ $1 -lt 2 ]; then # first install, generate key pair @@ -331,55 +303,29 @@ fi %preun +%if %{have_systemd} %service_del_preun cf-execd.service cf-monitord.service cf-serverd.service - -%postun -%service_del_postun cf-execd.service cf-monitord.service cf-serverd.service -if [ $1 -eq 0 ]; then - # clean up inputs cache dir on removal - rm -rf %{basedir}/inputs/* -fi -/sbin/ldconfig - -%else # !systemd - -#################################################################### -# Non-systemd -#################################################################### - -%preun -%if 0%{?suse_version} -%stop_on_removal cf-monitord -%stop_on_removal cf-execd -%stop_on_removal cf-serverd %else -%{_initddir}/cf-execd stop -%{_initddir}/cf-monitord stop -%{_initddir}/cf-serverd stop +for i in execd monitord serverd; do + %stop_on_removal cf-${i} +done %endif -%post -p /sbin/ldconfig - %postun -%if 0%{?suse_version} > 1010 +%if %{have_systemd} +%service_del_postun cf-execd.service cf-monitord.service cf-serverd.service +%else %insserv_cleanup - for i in execd monitord serverd; do +for i in execd monitord serverd; do %restart_on_update cf-${i} - done -%else - # Update ? - if [ ${1:-0} -eq 1 ]; then - for i in execd monitord serverd; do - %{_initddir}/cf-${i} restart - done - else -: - fi +done %endif +if [ $1 -eq 0 ]; then + # clean up inputs cache dir on removal + rm -rf %{basedir}/inputs/* +fi /sbin/ldconfig -%endif # !systemd - %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig @@ -402,20 +348,15 @@ %{_unitdir}/cf-serverd.service %else %config %attr(0755,root,root) %{_initddir}/* +%endif %{_sbindir}/rccf-execd %{_sbindir}/rccf-monitord %{_sbindir}/rccf-serverd -%endif -%if 0%{?suse_version} > 1010 %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/cfengine -%endif - %{_mandir}/man8/* %dir %{basedir} - %dir %{workdir} %{workdir}/* - %if !%{have_systemd} %config(noreplace) %{_sysconfdir}/cron.d/%{name} %endif ++++++ 0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch ++++++

From a814751421422cad22373eb6e568272fd24e1532 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tomas.chvatal@gmail.com> Date: Mon, 23 Mar 2015 11:12:58 +0100 Subject: [PATCH] Do not use insecure MD5 but rather SHA256

--- libpromises/generic_agent.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libpromises/generic_agent.c b/libpromises/generic_agent.c index eaace00..4863230 100644 --- a/libpromises/generic_agent.c +++ b/libpromises/generic_agent.c @@ -101,8 +101,8 @@ static void SanitizeEnvironment() ENTERPRISE_VOID_FUNC_2ARG_DEFINE_STUB(void, GenericAgentSetDefaultDigest, HashMethod *, digest, int *, digest_len) { - *digest = HASH_METHOD_MD5; - *digest_len = CF_MD5_LEN; + *digest = HASH_METHOD_SHA256; + *digest_len = CF_SHA256_LEN; } void MarkAsPolicyServer(EvalContext *ctx) -- 2.3.0