Message ID | 1389126590-25956-1-git-send-email-martin@barkynet.com |
---|---|
State | Superseded |
Hi Martin,

Thanks for the patch. A few comments below.

On Tue, Jan 07, 2014 at 08:29:50PM +0000, Martin Bark wrote:
> CA certificates used for SSL based applications. The package installs CA
> certificates to /usr/share/ca-certificates and creates symbolic links under
> /etc/ssl/certs. For example, the existing libcurl package will use these
> certificates for https urls. Based on the debian ca-certifcates package.
>
> Signed-off-by: Martin Bark <martin@barkynet.com>

[...]

> +CA_CERTIFICATES_VERSION = 20130906
> +CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> +CA_CERTIFICATES_SITE = ftp://ftp.debian.org/debian/pool/main/c/ca-certificates

Please use $(BR2_DEBIAN_MIRROR). See package/at/at.mk, for example.

> +CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python
> +CA_CERTIFICATES_LICENSE = GPLv2+ MPLv2.0
> +CA_CERTIFICATES_LICENSE_FILES = debian/copyright

According to debian/copyright these licenses apply to the specific files
listed there. You don't use any of these files as far as I can see.

> +define CA_CERTIFICATES_BUILD_CMDS
> + PATH=$(HOST_PATH) $(MAKE) -C $(@D) all
> +endef
> +
> +define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
> + $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> + $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> + rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> +
> + #remove any existing certificates under /etc/ssl/certs
> + rm -f $(TARGET_DIR)/etc/ssl/certs/*
> +
> + #generate symlinks to certificates under /etc/ssl/certs
> + ( \
> + cd $(TARGET_DIR) ;\
> + for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
> + ln -sf ../../../$$i etc/ssl/certs/`basename $${i%.crt}.pem` ;\
> + done ;\
> + )
> +
> + #create symbolic links to the certificates by their hash values
> + $(HOST_DIR)/usr/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
> +endef
> +
> +$(eval $(generic-package))
> --

baruch

Thanks for the feedback Baruch,

I'll update to use $(BR2_DEBIAN_MIRROR)

Although the files mentioned in debian/copying do not directly end up in
the rootfs they are used. mozilla/certdata.txt is a big list of
certificates and mozilla/certdata2pem.py is a python script which is run to
split mozilla/certdata.txt into all the separate pem files that end up in
the rootfs. Therefore I think this license info is valid.

Please let me know what you think and I'll post a v2 patch

Thanks

Martin

On 8 January 2014 04:52, Baruch Siach <baruch@tkos.co.il> wrote:
> Hi Martin,
>
> Thanks for the patch. A few comments below.
>
> On Tue, Jan 07, 2014 at 08:29:50PM +0000, Martin Bark wrote:
> > CA certificates used for SSL based applications. The package installs CA
> > certificates to /usr/share/ca-certificates and creates symbolic links
> under
> > /etc/ssl/certs. For example, the existing libcurl package will use these
> > certificates for https urls. Based on the debian ca-certifcates package.
> >
> > Signed-off-by: Martin Bark <martin@barkynet.com>
>
> [...]
>
> > +CA_CERTIFICATES_VERSION = 20130906
> > +CA_CERTIFICATES_SOURCE =
> ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> > +CA_CERTIFICATES_SITE =
> ftp://ftp.debian.org/debian/pool/main/c/ca-certificates
>
> Please use $(BR2_DEBIAN_MIRROR). See package/at/at.mk, for example.
>
> > +CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python
> > +CA_CERTIFICATES_LICENSE = GPLv2+ MPLv2.0
> > +CA_CERTIFICATES_LICENSE_FILES = debian/copyright
>
> According to debian/copyright these licenses apply to the specific files
> listed there. You don't use any of these files as far as I can see.
>
> > +define CA_CERTIFICATES_BUILD_CMDS
> > + PATH=$(HOST_PATH) $(MAKE) -C $(@D) all
> > +endef
> > +
> > +define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> > + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
> > + $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> > + $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> > + rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> > +
> > + #remove any existing certificates under /etc/ssl/certs
> > + rm -f $(TARGET_DIR)/etc/ssl/certs/*
> > +
> > + #generate symlinks to certificates under /etc/ssl/certs
> > + ( \
> > + cd $(TARGET_DIR) ;\
> > + for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
> > + ln -sf ../../../$$i etc/ssl/certs/`basename $${i%.crt}.pem`
> ;\
> > + done ;\
> > + )
> > +
> > + #create symbolic links to the certificates by their hash values
> > + $(HOST_DIR)/usr/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
> > +endef
> > +
> > +$(eval $(generic-package))
> > --
>
> baruch
>
> --
> http://baruch.siach.name/blog/ ~. .~ Tk Open
> Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
> - baruch@tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
>

Hi Martin,

On Wed, Jan 08, 2014 at 11:30:25AM +0000, Martin Bark wrote:
> Thanks for the feedback Baruch,
>
> I'll update to use $(BR2_DEBIAN_MIRROR)
>
> Although the files mentioned in debian/copying do not directly end up in
> the rootfs they are used. mozilla/certdata.txt is a big list of
> certificates and mozilla/certdata2pem.py is a python script which is run to
> split mozilla/certdata.txt into all the separate pem files that end up in
> the rootfs. Therefore i think this license info is valid.

I think you are right, but the string should indicate that. Something like

CA_CERTIFICATES_LICENSE = GPLv2+ (script), MPLv2.0 (data)

baruch

> On 8 January 2014 04:52, Baruch Siach <baruch@tkos.co.il> wrote:
> > Thanks for the patch. A few comments below.
> >
> > On Tue, Jan 07, 2014 at 08:29:50PM +0000, Martin Bark wrote:
> > > CA certificates used for SSL based applications. The package installs CA
> > > certificates to /usr/share/ca-certificates and creates symbolic links
> > under
> > > /etc/ssl/certs. For example, the existing libcurl package will use these
> > > certificates for https urls. Based on the debian ca-certifcates package.
> > >
> > > Signed-off-by: Martin Bark <martin@barkynet.com>
> >
> > [...]
> >
> > > +CA_CERTIFICATES_VERSION = 20130906
> > > +CA_CERTIFICATES_SOURCE =
> > ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> > > +CA_CERTIFICATES_SITE =
> > ftp://ftp.debian.org/debian/pool/main/c/ca-certificates
> >
> > Please use $(BR2_DEBIAN_MIRROR). See package/at/at.mk, for example.
> >
> > > +CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python
> > > +CA_CERTIFICATES_LICENSE = GPLv2+ MPLv2.0
> > > +CA_CERTIFICATES_LICENSE_FILES = debian/copyright
> >
> > According to debian/copyright these licenses apply to the specific files
> > listed there. You don't use any of these files as far as I can see.
> >
> > > +define CA_CERTIFICATES_BUILD_CMDS
> > > + PATH=$(HOST_PATH) $(MAKE) -C $(@D) all
> > > +endef
> > > +
> > > +define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> > > + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
> > > + $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> > > + $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> > > + rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> > > +
> > > + #remove any existing certificates under /etc/ssl/certs
> > > + rm -f $(TARGET_DIR)/etc/ssl/certs/*
> > > +
> > > + #generate symlinks to certificates under /etc/ssl/certs
> > > + ( \
> > > + cd $(TARGET_DIR) ;\
> > > + for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
> > > + ln -sf ../../../$$i etc/ssl/certs/`basename $${i%.crt}.pem`
> > ;\
> > > + done ;\
> > > + )
> > > +
> > > + #create symbolic links to the certificates by their hash values
> > > + $(HOST_DIR)/usr/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
> > > +endef
> > > +
> > > +$(eval $(generic-package))
> > > --

Baruch,

I'll make that change and submit a v2 patch

Thanks

Martin

On 8 January 2014 11:55, Baruch Siach <baruch@tkos.co.il> wrote:
> Hi Martin,
>
> On Wed, Jan 08, 2014 at 11:30:25AM +0000, Martin Bark wrote:
> > Thanks for the feedback Baruch,
> >
> > I'll update to use $(BR2_DEBIAN_MIRROR)
> >
> > Although the files mentioned in debian/copying do not directly end up in
> > the rootfs they are used. mozilla/certdata.txt is a big list of
> > certificates and mozilla/certdata2pem.py is a python script which is run
> to
> > split mozilla/certdata.txt into all the separate pem files that end up in
> > the rootfs. Therefore i think this license info is valid.
>
> I think you are right, but the string should indicate that. Something like
>
> CA_CERTIFICATES_LICENSE = GPLv2+ (script), MPLv2.0 (data)
>
> baruch
>
> > On 8 January 2014 04:52, Baruch Siach <baruch@tkos.co.il> wrote:
> > > Thanks for the patch. A few comments below.
> > >
> > > On Tue, Jan 07, 2014 at 08:29:50PM +0000, Martin Bark wrote:
> > > > CA certificates used for SSL based applications. The package
> installs CA
> > > > certificates to /usr/share/ca-certificates and creates symbolic links
> > > under
> > > > /etc/ssl/certs. For example, the existing libcurl package will use
> these
> > > > certificates for https urls. Based on the debian ca-certifcates
> package.
> > > >
> > > > Signed-off-by: Martin Bark <martin@barkynet.com>
> > >
> > > [...]
> > >
> > > > +CA_CERTIFICATES_VERSION = 20130906
> > > > +CA_CERTIFICATES_SOURCE =
> > > ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> > > > +CA_CERTIFICATES_SITE =
> > > ftp://ftp.debian.org/debian/pool/main/c/ca-certificates
> > >
> > > Please use $(BR2_DEBIAN_MIRROR). See package/at/at.mk, for example.
> > >
> > > > +CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python
> > > > +CA_CERTIFICATES_LICENSE = GPLv2+ MPLv2.0
> > > > +CA_CERTIFICATES_LICENSE_FILES = debian/copyright
> > >
> > > According to debian/copyright these licenses apply to the specific
> files
> > > listed there. You don't use any of these files as far as I can see.
> > >
> > > > +define CA_CERTIFICATES_BUILD_CMDS
> > > > + PATH=$(HOST_PATH) $(MAKE) -C $(@D) all
> > > > +endef
> > > > +
> > > > +define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> > > > + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
> > > > + $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> > > > + $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> > > > + rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> > > > +
> > > > + #remove any existing certificates under /etc/ssl/certs
> > > > + rm -f $(TARGET_DIR)/etc/ssl/certs/*
> > > > +
> > > > + #generate symlinks to certificates under /etc/ssl/certs
> > > > + ( \
> > > > + cd $(TARGET_DIR) ;\
> > > > + for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
> > > > + ln -sf ../../../$$i etc/ssl/certs/`basename
> $${i%.crt}.pem`
> > > ;\
> > > > + done ;\
> > > > + )
> > > > +
> > > > + #create symbolic links to the certificates by their hash values
> > > > + $(HOST_DIR)/usr/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
> > > > +endef
> > > > +
> > > > +$(eval $(generic-package))
> > > > --
>
> --
> http://baruch.siach.name/blog/ ~. .~ Tk Open
> Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
> - baruch@tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
>

Dear Baruch Siach,

On Wed, 8 Jan 2014 06:52:07 +0200, Baruch Siach wrote:

> > +CA_CERTIFICATES_VERSION = 20130906
> > +CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> > +CA_CERTIFICATES_SITE = ftp://ftp.debian.org/debian/pool/main/c/ca-certificates
>
> Please use $(BR2_DEBIAN_MIRROR). See package/at/at.mk, for example.

No. We don't want to use BR2_DEBIAN_MIRROR. This should be removed. The
problem with normal Debian mirrors is that files disappear after some
time (when Debian packages are updated). Instead, we should use
snapshot.debian.net everywhere.

Thomas

diff --git a/package/Config.in b/package/Config.in index e502cde..28ad4f4 100644 --- a/package/Config.in +++ b/package/Config.in @@ -471,6 +471,7 @@ endmenu menu "Crypto" source "package/beecrypt/Config.in" +source "package/ca-certificates/Config.in" source "package/cryptodev/Config.in" source "package/gnutls/Config.in" source "package/libassuan/Config.in" diff --git a/package/ca-certificates/Config.in b/package/ca-certificates/Config.in new file mode 100644 index 0000000..0e52bc1 --- /dev/null +++ b/package/ca-certificates/Config.in @@ -0,0 +1,9 @@ +config BR2_PACKAGE_CA_CERTIFICATES + bool "CA Certificates" + help + This package includes PEM files of CA certificates to allow + SSL-based applications to check for the authenticity of SSL + connections. + + It includes, among others, certificate authorities used by the + Debian infrastructure and those shipped with Mozilla's browsers. diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk new file mode 100644 index 0000000..1035d2f --- /dev/null +++ b/package/ca-certificates/ca-certificates.mk 
@@ -0,0 +1,39 @@ +################################################################################ +# +# ca-certificates +# +################################################################################ + +CA_CERTIFICATES_VERSION = 20130906 +CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz +CA_CERTIFICATES_SITE = ftp://ftp.debian.org/debian/pool/main/c/ca-certificates +CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python +CA_CERTIFICATES_LICENSE = GPLv2+ MPLv2.0 +CA_CERTIFICATES_LICENSE_FILES = debian/copyright + +define CA_CERTIFICATES_BUILD_CMDS + PATH=$(HOST_PATH) $(MAKE) -C $(@D) all +endef + +define CA_CERTIFICATES_INSTALL_TARGET_CMDS + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates + $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs + $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR) + rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates + + #remove any existing certificates under /etc/ssl/certs + rm -f $(TARGET_DIR)/etc/ssl/certs/* + + #generate symlinks to certificates under /etc/ssl/certs + ( \ + cd $(TARGET_DIR) ;\ + for i in `find usr/share/ca-certificates -name "*.crt"` ; do \ + ln -sf ../../../$$i etc/ssl/certs/`basename $${i%.crt}.pem` ;\ + done ;\ + ) + + #create symbolic links to the certificates by their hash values + $(HOST_DIR)/usr/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs +endef + +$(eval $(generic-package))
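Review bot: The help text of BR2_PACKAGE_CA_CERTIFICATES in package/ca-certificates/Config.in names no upstream URL and identifies the bundle only as "Debian infrastructure" and "Mozilla's browsers"; ending the help with the upstream home page would let a user check what they are about to trust. The help could also say that the certificates are installed as trust anchors under /etc/ssl/certs, since enabling the option changes which TLS peers applications on the target accept.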
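Review bot: CA_CERTIFICATES_SITE in package/ca-certificates/ca-certificates.mk downloads the tarball over plain ftp:// and the patch adds no checksum for it, although every certificate it contains becomes a trust anchor on the target; please fetch it over an authenticated channel or pin and verify a checksum before the build step runs. In CA_CERTIFICATES_INSTALL_TARGET_CMDS, "rm -f $(TARGET_DIR)/etc/ssl/certs/*" also deletes certificates that a package built earlier has placed there, and the find loop names each link by basename only, so two .crt files with the same name in different subdirectories of usr/share/ca-certificates overwrite each other silently through "ln -sf". Removing only the links this package created and failing the build on a name clash would be safer.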
CA certificates used for SSL based applications. The package installs CA
certificates to /usr/share/ca-certificates and creates symbolic links under
/etc/ssl/certs. For example, the existing libcurl package will use these
certificates for https urls. Based on the Debian ca-certificates package.

Signed-off-by: Martin Bark <martin@barkynet.com>
---
 package/Config.in                          |  1 +
 package/ca-certificates/Config.in          |  9 +++++++
 package/ca-certificates/ca-certificates.mk | 39 ++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 package/ca-certificates/Config.in
 create mode 100644 package/ca-certificates/ca-certificates.mk