[Pkg-sympa-commits] [sympa] 01/02: Add a patch to raise a warning instead of an error when the CA bundle file is not readable

Emmanuel Bouthenot kolter at alioth.debian.org
Mon Oct 21 12:21:44 UTC 2013


This is an automated email from the git hooks/post-receive script.

kolter pushed a commit to branch debian/wheezy
in repository sympa.

commit 18f0b01b1f61671bad2525e44b4e478d861dbbb1
Author: Emmanuel Bouthenot <kolter at openics.org>
Date:   Tue Jul 2 19:29:22 2013 +0000

    Add a patch to raise a warning instead of an error when the CA bundle file is not readable
---
 .../patches/2001_ca_bundle_check_as_warning.patch  |   50 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 2 files changed, 51 insertions(+)

diff --git a/debian/patches/2001_ca_bundle_check_as_warning.patch b/debian/patches/2001_ca_bundle_check_as_warning.patch
new file mode 100644
index 0000000..1d1d04c
--- /dev/null
+++ b/debian/patches/2001_ca_bundle_check_as_warning.patch
@@ -0,0 +1,50 @@
+Description: Raise a warning instead of an error when the CA bundle file is not readable.
+  For its internal usage (to make https request and verify smime mail signatures) Sympa
+  needs access to the Certificates Authorities installed on the system.
+
+  Certificates Authorities are available in the package ca-certificates and
+  this package also provides a single file with all the CA concatenated.
+  The location of this file is /etc/ssl/certs/ca-certificates.crt
+
+  Sympa package provides a symlink from /usr/share/sympa/default/ca-bundle.crt
+  to /etc/ssl/certs/ca-certificates.crt
+
+  Recently, to fix bug #537051 the ca-certificates package maintainer has
+  decided to replace the CA bundle generation
+  (/etc/ssl/certs/ca-certificates.crt) in the postinst by a trigger.
+
+  During installation of Sympa, if ca-certificates is not present, it is
+  installed as a Sympa dependency but the sympa postinst will always be
+  executed before the ca-certificates triggers.
+  It means that Sympa start will fail with an error because
+  /etc/ssl/certs/ca-certificates.crt does not exists (not yet generated by the
+  ca-certificates trigger).
+
+  The following patch tries to detect if the CA bundle configured in sympa is a
+  symlink to /etc/ssl/certs/ca-certificates.crt. In that case, a warning raised
+  instead of en error.
+
+  This is a purely Debian specific fix, which is quite ugly but it works.
+
+  A better patch will be very much appreciated.
+Author: Emmanuel Bouthenot <kolter at debian.org>
+Bug-Debian: http://bugs.debian.org/706965
+Forwarded: not-needed
+Last-Update: 2013-07-02
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/lib/Conf.pm
++++ b/src/lib/Conf.pm
+@@ -876,7 +876,11 @@
+ 
+     ## Check cafile and capath access
+     if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
+-	unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
++	my $debian_ca_bundle = '/etc/ssl/certs/ca-certificates.crt';
++	if (-l $Conf{'cafile'} && ! -r $Conf{'cafile'} && readlink($Conf{'cafile'}) == $debian_ca_bundle) {
++		&do_log('warning', 'cafile (%s) is a symlink to the Debian CA certificates bundle (%s) which is not yet installed yet (see #706965)', $Conf{'cafile'}, $debian_ca_bundle);
++	}
++	elsif (! -f $Conf{'cafile'} || ! -r $Conf{'cafile'}) {
+ 	    &do_log('err', 'Cannot access cafile %s', $Conf{'cafile'});
+ 	    unless (&List::send_notify_to_listmaster('cannot_access_cafile', $Conf{'domain'}, [$Conf{'cafile'}])) {
+ 		&do_log('err', 'Unable to send notify "cannot access cafile" to listmaster');	
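Review bot: The new condition in src/lib/Conf.pm compares two path strings with the numeric operator, `readlink($Conf{'cafile'}) == $debian_ca_bundle`. In Perl both non-numeric strings evaluate to 0, so the comparison is true for any link target. As written, every cafile that is an unreadable symlink takes the 'warning' branch, not only one pointing at /etc/ssl/certs/ca-certificates.crt, and so skips both the 'err' log and the listmaster notification in the elsif branch. A dangling or misdirected CA bundle link would then pass this check with only a warning. Use `eq` for the comparison. Note also that readlink returns the link text as stored, so a relative link to the same file would not match an absolute path once `eq` is in place. Minor wording: the log message reads "not yet installed yet" and the Description has "a warning raised instead of en error".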
diff --git a/debian/patches/series b/debian/patches/series
index 7e00a1e..967a1c1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,6 +9,7 @@
 1012_fix_manpages_typos_and_whatis_entries.patch
 1013_fix_wording_sympa_wizard_manpage.patch
 1014_fix_unknown_parameter_ldap_force_canonical_email.patch
+2001_ca_bundle_check_as_warning.patch
 2002_wizard_drop_localedir.patch
 #2003_sanitize_make_all.patch
 2004_pg_create_db.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/sympa.git


