[Pkg-sympa-devel] Bug#717493: pu: package sympa/6.1.11~dfsg-5.1~deb7u1

Sun Sep 29 23:15:54 UTC 2013

Julien Cristau <jcristau at debian.org> (2013-07-21):
> On Sun, Jul 21, 2013 at 15:27:17 +0200, Andreas Beckmann wrote:
> 
> > On 2013-07-21 15:13, Adam D. Barratt wrote:
> > > Whichever solution was chosen, it looks like this bug is not fixed in
> > > unstable yet?
> > 
> > Yes, I wanted to write a sentence about this as well ...
> > 
> > If the release team considers adding a pre-depends in stable as
> > acceptable, I would first upload a NMU to sid (same patch, just omitting
> > the wheezy changelog entry) and later on to wheezy.
> > Instead of doing NMUs, maintainer uploads would be welcome of course!
> > 
> I think adding a pre-depends in stable would be worse than this bug.

Indeed.

To reduce user perplexity, I guess we could consider getting sympa to
catch this situation instead, which would reduce side effects. I think
something along the lines of this commit would go in a better direction
that adding a Pre-Depends:
  http://anonscm.debian.org/gitweb/?p=collab-maint/sympa.git;a=commitdiff;h=7ab6b9b7de9ec7cd27ebf2d8046f7ea227b583a6

(I'm attaching it for reference.)

Mentioning how to fix the issue would be even nicer.

Mraw,
KiBi.
-------------- next part --------------
Description: Raise a warning instead of an error when the CA bundle file is not readable.
  For its internal usage (to make https request and verify smime mail signatures) Sympa
  needs access to the Certificates Authorities installed on the system.

  Certificates Authorities are available in the package ca-certificates and
  this package also provides a single file with all the CA concatenated.
  The location of this file is /etc/ssl/certs/ca-certificates.crt

  Sympa package provides a symlink from /usr/share/sympa/default/ca-bundle.crt
  to /etc/ssl/certs/ca-certificates.crt

  Recently, to fix bug #537051 the ca-certificates package maintainer has
  decided to replace the CA bundle generation
  (/etc/ssl/certs/ca-certificates.crt) in the postinst by a trigger.

  During installation of Sympa, if ca-certificates is not present, it is
  installed as a Sympa dependency but the sympa postinst will always be
  executed before the ca-certificates triggers.
  It means that Sympa start will fail with an error because
  /etc/ssl/certs/ca-certificates.crt does not exists (not yet generated by the
  ca-certificates trigger).

  The following patch tries to detect if the CA bundle configured in sympa is a
  symlink to /etc/ssl/certs/ca-certificates.crt. In that case, a warning raised
  instead of en error.

  This is a purely Debian specific fix, which is quite ugly but it works.

  A better patch will be very much appreciated.
Author: Emmanuel Bouthenot <kolter at debian.org>
Bug-Debian: http://bugs.debian.org/706965
Forwarded: not-needed
Last-Update: 2013-07-02
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/

--- a/src/lib/Conf.pm
+++ b/src/lib/Conf.pm
@@ -920,7 +920,11 @@
 
     ## Check cafile and capath access
     if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
-	unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
+	my $debian_ca_bundle = '/etc/ssl/certs/ca-certificates.crt';
+	if (-l $Conf{'cafile'} && ! -r $Conf{'cafile'} && readlink($Conf{'cafile'}) == $debian_ca_bundle) {
+		&do_log('warning', 'cafile (%s) is a symlink to the Debian CA certificates bundle (%s) which is not yet installed yet (see #706965)', $Conf{'cafile'}, $debian_ca_bundle);
+	}
+	elsif (! -f $Conf{'cafile'} || ! -r $Conf{'cafile'}) {
 	    &do_log('err', 'Cannot access cafile %s', $Conf{'cafile'});
 	    unless (&List::send_notify_to_listmaster('cannot_access_cafile', $Conf{'domain'}, [$Conf{'cafile'}])) {
 		&do_log('err', 'Unable to send notify "cannot access cafile" to listmaster');	
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-sympa-devel/attachments/20130930/8ff0aef0/attachment.sig>
