| Message ID | 20240724145319.1619444-1-troth@openavr.org |
|---|---|
| State | Accepted, archived |
| Commit | ce19168885a04b0d77e81c1fd1c4262b195a47d4 |
| Headers | show |
| Series | ca-certificates: update 20211016 -> 20240203 | expand |
This unfortunately made oe-core master before I had the chance to ask: how was the SRCREV determined? There is no '2024023' tag in the repo, so where did the tag and the hash come from? I'd appreciate if you send a followup patch including the relevant links as a comment just above SRCREV line for future reference/updates. Alex On Wed, 24 Jul 2024 at 16:53, Theodore A. Roth <troth@openavr.org> wrote: > > The 20240203 version is the same as used in Ubuntu >= 24.04 and Debian > Trixie (testing). > > Signed-off-by: Theodore A. Roth <troth@openavr.org> > Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com> > --- > ...mozilla-certdata2pem.py-print-a-warning-for-e.patch | 10 +++++----- > ...ca-certificates-don-t-use-Debianisms-in-run-p.patch | 6 +++--- > ...ficates_20211016.bb => ca-certificates_20240203.bb} | 2 +- > 3 files changed, 9 insertions(+), 9 deletions(-) > rename meta/recipes-support/ca-certificates/{ca-certificates_20211016.bb => ca-certificates_20240203.bb} (98%) > > diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch > index 5c4a32f526..78898f5150 100644 > --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch > +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch > @@ -19,7 +19,7 @@ diff --git a/debian/changelog b/debian/changelog > index 531e4d0..4006509 100644 > --- a/debian/changelog > +++ b/debian/changelog > -@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low > +@@ -120,7 +120,6 @@ ca-certificates (20211004) unstable; urgency=low > - "Trustis FPS Root CA" > - "Staat der Nederlanden Root CA - G3" > * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) > @@ -37,9 +37,9 @@ index 4434b7a..5c6ba24 100644 > Build-Depends: debhelper-compat (= 13), po-debconf > -Build-Depends-Indep: python3, openssl, python3-cryptography > +Build-Depends-Indep: python3, openssl > - Standards-Version: 4.5.0.2 > + Standards-Version: 4.6.2 > + Rules-Requires-Root: no > Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git > - Vcs-Browser: https://salsa.debian.org/debian/ca-certificates > diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py > index ede23d4..7d796f1 100644 > --- a/mozilla/certdata2pem.py > @@ -66,8 +66,8 @@ index ede23d4..7d796f1 100644 > if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: > continue > - > -- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) > -- if cert.not_valid_after < datetime.datetime.now(): > +- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) > +- if cert.not_valid_after < datetime.datetime.utcnow(): > - print('!'*74) > - print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) > - print('!'*74) > diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch > index 4a8ae5f4b5..1feefeb96a 100644 > --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch > +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch > @@ -21,14 +21,14 @@ Index: git/sbin/update-ca-certificates > =================================================================== > --- git.orig/sbin/update-ca-certificates > +++ git/sbin/update-ca-certificates > -@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ] > +@@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ] > then > > echo "Running hooks in $HOOKSDIR..." > - VERBOSE_ARG= > - [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose" > -- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook > -+ eval run-parts --test "$HOOKSDIR" | while read hook > +- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook > ++ eval run-parts --test "$HOOKSDIR" | while read -r hook > do > ( cat "$ADDED" > cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?." > diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb > similarity index 98% > rename from meta/recipes-support/ca-certificates/ca-certificates_20211016.bb > rename to meta/recipes-support/ca-certificates/ca-certificates_20240203.bb > index 99abe60613..b198ea77a9 100644 > --- a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb > +++ b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb > @@ -14,7 +14,7 @@ DEPENDS:class-nativesdk = "openssl-native" > # Need rehash from openssl and run-parts from debianutils > PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" > > -SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8" > +SRCREV = "ee6e0484031314090a11c04ee82689acb73d7ad8" > > SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \ > file://0002-update-ca-certificates-use-SYSROOT.patch \ > -- > 2.34.1 >
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch index 5c4a32f526..78898f5150 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -19,7 +19,7 @@ diff --git a/debian/changelog b/debian/changelog index 531e4d0..4006509 100644 --- a/debian/changelog +++ b/debian/changelog -@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low +@@ -120,7 +120,6 @@ ca-certificates (20211004) unstable; urgency=low - "Trustis FPS Root CA" - "Staat der Nederlanden Root CA - G3" * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) @@ -37,9 +37,9 @@ index 4434b7a..5c6ba24 100644 Build-Depends: debhelper-compat (= 13), po-debconf -Build-Depends-Indep: python3, openssl, python3-cryptography +Build-Depends-Indep: python3, openssl - Standards-Version: 4.5.0.2 + Standards-Version: 4.6.2 + Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git - Vcs-Browser: https://salsa.debian.org/debian/ca-certificates diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py index ede23d4..7d796f1 100644 --- a/mozilla/certdata2pem.py @@ -66,8 +66,8 @@ index ede23d4..7d796f1 100644 if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: continue - -- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) -- if cert.not_valid_after < datetime.datetime.now(): +- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) +- if cert.not_valid_after < datetime.datetime.utcnow(): - print('!'*74) - print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) - print('!'*74) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch index 4a8ae5f4b5..1feefeb96a 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch @@ -21,14 +21,14 @@ Index: git/sbin/update-ca-certificates =================================================================== --- git.orig/sbin/update-ca-certificates +++ git/sbin/update-ca-certificates -@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ] +@@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ] then echo "Running hooks in $HOOKSDIR..." - VERBOSE_ARG= - [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose" -- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook -+ eval run-parts --test "$HOOKSDIR" | while read hook +- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook ++ eval run-parts --test "$HOOKSDIR" | while read -r hook do ( cat "$ADDED" cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?." diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb similarity index 98% rename from meta/recipes-support/ca-certificates/ca-certificates_20211016.bb rename to meta/recipes-support/ca-certificates/ca-certificates_20240203.bb index 99abe60613..b198ea77a9 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb @@ -14,7 +14,7 @@ DEPENDS:class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8" +SRCREV = "ee6e0484031314090a11c04ee82689acb73d7ad8" SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \ file://0002-update-ca-certificates-use-SYSROOT.patch \