diff options
| author | Nicola Murino | 2018-09-09 18:38:27 +0200 |
|---|---|---|
| committer | Nicola Murino | 2018-09-09 18:38:27 +0200 |
| commit | 97cf525ad2a944163e1e28df9b983e802b1b109e (patch) | |
| tree | 40da4ecd944872801204198f213e8cae13d5e402 | |
| parent | 1c1f926f0c81baf98cac6c17777a851ca7754d94 (diff) | |
| download | aur-97cf525ad2a944163e1e28df9b983e802b1b109e.tar.gz | |
Update to 2.58.0-1
| -rw-r--r-- | .SRCINFO | 12 | ||||
| -rw-r--r-- | 0003-Use-the-GnuTLS-system-trust-by-default.patch | 348 | ||||
| -rw-r--r-- | 0004-meson-Only-run-gio-querymodules-if-it-s-found.patch | 43 | ||||
| -rw-r--r-- | PKGBUILD | 20 |
4 files changed, 9 insertions, 414 deletions
@@ -1,8 +1,6 @@ -# Generated by mksrcinfo v8 -# Wed May 30 09:26:34 UTC 2018 pkgbase = mingw-w64-glib-networking pkgdesc = Network-related GIO modules for glib (mingw-w64) - pkgver = 2.56.1 + pkgver = 2.58.0 pkgrel = 1 url = https://git.gnome.org/browse/glib-networking arch = any @@ -14,12 +12,8 @@ pkgbase = mingw-w64-glib-networking options = !buildflags options = !libtool options = staticlibs - source = https://download.gnome.org/sources/glib-networking/2.56/glib-networking-2.56.1.tar.xz - source = 0003-Use-the-GnuTLS-system-trust-by-default.patch - source = 0004-meson-Only-run-gio-querymodules-if-it-s-found.patch - sha256sums = df47b0e0a037d2dcf6b1846cbdf68dd4b3cc055e026bb40c4a55f19f29f635c8 - sha256sums = d54661751cd929be4894b6b671512b6d852378d52c0503ffb981949466b55dc8 - sha256sums = bc033e3c3ca803ab51e02290e551b161446e20d19fb8357701d9c82c4b5d175a + source = https://download.gnome.org/sources/glib-networking/2.58/glib-networking-2.58.0.tar.xz + sha256sums = bdfa0255e031b8ee003cc283002536b77ee76450105f1dc6ab066b9bf4330068 pkgname = mingw-w64-glib-networking diff --git a/0003-Use-the-GnuTLS-system-trust-by-default.patch b/0003-Use-the-GnuTLS-system-trust-by-default.patch deleted file mode 100644 index 8ab054926b4b..000000000000 --- a/0003-Use-the-GnuTLS-system-trust-by-default.patch +++ /dev/null @@ -1,348 +0,0 @@ -From 6c8ee5721428db1635bcc05044419038cbcf82ba Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro <mcatanzaro@igalia.com> -Date: Thu, 8 Feb 2018 22:02:06 -0600 -Subject: [PATCH 3/4] Use the GnuTLS system trust by default - -Get rid of the ca_certificates_path build flag. The default GTlsDatabase -will now use the GnuTLS system trust. GTlsFileDatabase now builds its -internal hash tables by iterating its gnutls_x509_trust_list_t, rather -than by parsing its certificate file manually. - -The find-ca-certificates script is removed, since it's no longer needed. - -There are some potential compatibility risks here: - - * The minimum required GnuTLS version is increased from 3.3.5 to 3.4. - - * If GnuTLS is not configured with a system trust, all certificate - verification using the default GTlsDatabase will fail. I noticed that - GNOME's flatpak runtime does not configure a system trust, so this - breaks HTTPS there. This is sad for Epiphany Technology Preview, but - we should do this anyway, and separately fix the GNOME runtime. - - * It was previously possible to configure glib-networking using - --without-ca-certificates to ensure the default GTlsDatabase is - empty (GNOME #727282). Apparently this was desirable on some embedded - systems, though I'm not sure why. Such configuration is still - possible by configuring GnuTLS with no system trust. Presumably, - anybody relying on this behavior will notice that the - --without-ca-certificates flag has disappeared during the build - system change and investigate, so this seems unproblematic. - - * The default GTlsDatabase is a GTlsFileDatabase, but it might not - actually correspond to a file anymore. This will be fixed in the next - commit. - - * If the anchors property of a GTlsFileDatabase is NULL, that - previously indicated an empty GTlsFileDatabase, but now indicates - that the system trust is used. This will also be fixed in the next - commit. - - * Certificate handles created using the default GTlsDatabase will be - different before and after this commit. This seems unlikely to cause - problems in practice, since a quick Debian codesearch reveals zero - applications using our certificate handles. But, if an application - were to rely on handles generated by previous versions of - glib-networking being valid in the new version, it would break. - -None of the above seem likely to cause practical issues, once -distributors ensure that GnuTLS is built properly, so I think we can -proceed. - -https://bugzilla.gnome.org/show_bug.cgi?id=753260 ---- - find-ca-certificates | 20 ----- - meson.build | 10 +-- - meson_options.txt | 1 - - tls/gnutls/gtlsbackend-gnutls.c | 6 +- - tls/gnutls/gtlsfiledatabase-gnutls.c | 117 +++++++++++++++------------ - 5 files changed, 66 insertions(+), 88 deletions(-) - delete mode 100755 find-ca-certificates - -diff --git a/find-ca-certificates b/find-ca-certificates -deleted file mode 100755 -index 4c5fd8f..0000000 ---- a/find-ca-certificates -+++ /dev/null -@@ -1,20 +0,0 @@ --#!/usr/bin/env python3 -- --import errno --import os --import sys -- --locations = [ '/etc/pki/tls/certs/ca-bundle.crt', -- '/etc/ssl/certs/ca-certificates.crt', -- '/etc/ssl/ca-bundle.pem' --] -- --if len(sys.argv) > 1: -- locations.insert(0, sys.argv[1]) -- --for location in locations: -- if os.path.isfile(location): -- sys.stdout.write(location) -- sys.exit(0) -- --sys.exit(errno.ENOENT) -diff --git a/meson.build b/meson.build -index c875331..5c2bb05 100644 ---- a/meson.build -+++ b/meson.build -@@ -64,14 +64,7 @@ if enable_gnome_proxy_support - endif - - # *** Checks for GnuTLS *** --gnutls_dep = dependency('gnutls', version: '>= 3.3.5', required: true) -- --msg = 'location of system Certificate Authority list: ' --res = run_command(join_paths(meson.source_root(), 'find-ca-certificates'), get_option('ca_certificates_path')) --assert(res.returncode() == 0, msg + ' could not find any CA certificate store. Use -Dca_certificates_path=PATH to set') --ca_certificates_path = res.stdout().strip() --message(msg + ca_certificates_path) --config_h.set_quoted('GTLS_SYSTEM_CA_FILE', ca_certificates_path, description: 'The system CA list') -+gnutls_dep = dependency('gnutls', version: '>= 3.4', required: true) - - # *** Checks for p11-kit *** - enable_pkcs11_support = get_option('pkcs11_support') -@@ -134,5 +127,4 @@ meson.add_install_script('meson_post_install.py', gio_module_dir) - output = '\n\n libproxy support: ' + enable_libproxy_support.to_string() + '\n' - output += ' GNOME proxy support: ' + enable_gnome_proxy_support.to_string() + '\n' - output += ' PKCS#11 support: ' + enable_pkcs11_support.to_string() + '\n' --output += ' TLS CA file: ' + ca_certificates_path + '\n' - message(output) -diff --git a/meson_options.txt b/meson_options.txt -index 8cf58ed..1e04d19 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -1,6 +1,5 @@ - option('libproxy_support', type: 'boolean', value: true, description: 'support for libproxy proxy configration') - option('gnome_proxy_support', type: 'boolean', value: true, description: 'support for GNOME desktop proxy configuration') --option('ca_certificates_path', type: 'string', value: '', description: 'path to system Certificate Authority list') - option('pkcs11_support', type: 'boolean', value: true, description: 'support for PKCS#11 using p11-kit') - option('installed_tests', type: 'boolean', value: false, description: 'enable installed tests') - option('static_modules', type: 'boolean', value: false, description: 'build static modules') -diff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gnutls.c -index 0a6b5d4..97502d3 100644 ---- a/tls/gnutls/gtlsbackend-gnutls.c -+++ b/tls/gnutls/gtlsbackend-gnutls.c -@@ -114,11 +114,7 @@ static GTlsDatabase* - g_tls_backend_gnutls_real_create_database (GTlsBackendGnutls *self, - GError **error) - { -- const gchar *anchor_file = NULL; --#ifdef GTLS_SYSTEM_CA_FILE -- anchor_file = GTLS_SYSTEM_CA_FILE; --#endif -- return g_tls_file_database_new (anchor_file, error); -+ return g_tls_file_database_new (NULL, error); - } - - static void -diff --git a/tls/gnutls/gtlsfiledatabase-gnutls.c b/tls/gnutls/gtlsfiledatabase-gnutls.c -index 5a5c965..3fb7b4a 100644 ---- a/tls/gnutls/gtlsfiledatabase-gnutls.c -+++ b/tls/gnutls/gtlsfiledatabase-gnutls.c -@@ -149,13 +149,24 @@ create_handle_for_certificate (const gchar *filename, - gchar *uri; - - /* -- * Here we create a URI that looks like: -+ * Here we create a URI that looks like - * file:///etc/ssl/certs/ca-certificates.crt#11b2641821252596420e468c275771f5e51022c121a17bd7a89a2f37b6336c8f -+ * or system-trust:#11b2641821252596420e468c275771f5e51022c121a17bd7a89a2f37b6336c8f. -+ * -+ * system-trust is a meaningless URI scheme; we just need some stable way to -+ * uniquely identify these certificates. - */ - -- uri_part = g_filename_to_uri (filename, NULL, NULL); -- if (!uri_part) -- return NULL; -+ if (filename) -+ { -+ uri_part = g_filename_to_uri (filename, NULL, NULL); -+ if (!uri_part) -+ return NULL; -+ } -+ else -+ { -+ uri_part = g_strdup ("system-trust:"); -+ } - - bookmark = g_compute_checksum_for_bytes (G_CHECKSUM_SHA256, der); - uri = g_strconcat (uri_part, "#", bookmark, NULL); -@@ -189,40 +200,29 @@ create_handles_array_unlocked (const gchar *filename, - return handles; - } - --static gboolean --load_anchor_file (const gchar *filename, -- GHashTable *subjects, -- GHashTable *issuers, -- GHashTable *complete, -- GError **error) -+static void -+initialize_tables (gnutls_x509_trust_list_t trust_list, -+ GHashTable *subjects, -+ GHashTable *issuers, -+ GHashTable *complete) - { -- GList *list, *l; -- gnutls_x509_crt_t cert; -+ gnutls_x509_trust_list_iter_t iter = NULL; -+ gnutls_x509_crt_t cert = NULL; - gnutls_datum_t dn; -- GBytes *der; -- GBytes *subject; -- GBytes *issuer; -+ GBytes *der = NULL; -+ GBytes *subject = NULL; -+ GBytes *issuer = NULL; - gint gerr; -- GError *my_error = NULL; -- -- list = g_tls_certificate_list_new_from_file (filename, &my_error); -- if (my_error) -- { -- g_propagate_error (error, my_error); -- return FALSE; -- } - -- for (l = list; l; l = l->next) -+ while ((gerr = gnutls_x509_trust_list_iter_get_ca (trust_list, &iter, &cert)) == 0) - { -- cert = g_tls_certificate_gnutls_get_cert (l->data); - gerr = gnutls_x509_crt_get_raw_dn (cert, &dn); - if (gerr < 0) - { - g_warning ("failed to get subject of anchor certificate: %s", - gnutls_strerror (gerr)); -- continue; -+ goto next; - } -- - subject = g_bytes_new_with_free_func (dn.data, dn.size, gnutls_free, dn.data); - - gerr = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn); -@@ -230,13 +230,18 @@ load_anchor_file (const gchar *filename, - { - g_warning ("failed to get issuer of anchor certificate: %s", - gnutls_strerror (gerr)); -- continue; -+ goto next; - } -- - issuer = g_bytes_new_with_free_func (dn.data, dn.size, gnutls_free, dn.data); - -- der = g_tls_certificate_gnutls_get_bytes (l->data); -- g_return_val_if_fail (der != NULL, FALSE); -+ gerr = gnutls_x509_crt_export2 (cert, GNUTLS_X509_FMT_DER, &dn); -+ if (gerr < 0) -+ { -+ g_warning ("failed to get certificate DER: %s", -+ gnutls_strerror (gerr)); -+ goto next; -+ } -+ der = g_bytes_new_with_free_func (dn.data, dn.size, gnutls_free, dn.data); - - /* Three different ways of looking up same certificate */ - bytes_multi_table_insert (subjects, subject, der); -@@ -245,15 +250,12 @@ load_anchor_file (const gchar *filename, - g_hash_table_insert (complete, g_bytes_ref (der), - g_bytes_ref (der)); - -- g_bytes_unref (der); -- g_bytes_unref (subject); -- g_bytes_unref (issuer); -- -- g_object_unref (l->data); -+next: -+ g_clear_pointer (&der, g_bytes_unref); -+ g_clear_pointer (&subject, g_bytes_unref); -+ g_clear_pointer (&issuer, g_bytes_unref); -+ g_clear_pointer (&cert, gnutls_x509_crt_deinit); - } -- g_list_free (list); -- -- return TRUE; - } - - -@@ -267,11 +269,10 @@ g_tls_file_database_gnutls_finalize (GObject *object) - g_clear_pointer (&self->issuers, g_hash_table_destroy); - g_clear_pointer (&self->complete, g_hash_table_destroy); - g_clear_pointer (&self->handles, g_hash_table_destroy); -- if (self->anchor_filename) -- { -- g_free (self->anchor_filename); -- gnutls_x509_trust_list_deinit (self->trust_list, 1); -- } -+ g_clear_pointer (&self->anchor_filename, g_free); -+ -+ gnutls_x509_trust_list_deinit (self->trust_list, 1); -+ - g_mutex_clear (&self->mutex); - - G_OBJECT_CLASS (g_tls_file_database_gnutls_parent_class)->finalize (object); -@@ -303,6 +304,7 @@ g_tls_file_database_gnutls_set_property (GObject *object, - { - GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (object); - const char *anchor_path; -+ int gerr; - - switch (prop_id) - { -@@ -320,11 +322,24 @@ g_tls_file_database_gnutls_set_property (GObject *object, - g_free (self->anchor_filename); - gnutls_x509_trust_list_deinit (self->trust_list, 1); - } -+ - self->anchor_filename = g_strdup (anchor_path); - gnutls_x509_trust_list_init (&self->trust_list, 0); -- gnutls_x509_trust_list_add_trust_file (self->trust_list, -- anchor_path, NULL, -- GNUTLS_X509_FMT_PEM, 0, 0); -+ -+ if (self->anchor_filename) -+ { -+ gnutls_x509_trust_list_add_trust_file (self->trust_list, -+ anchor_path, NULL, -+ GNUTLS_X509_FMT_PEM, 0, 0); -+ } -+ else -+ { -+ gerr = gnutls_x509_trust_list_add_system_trust (self->trust_list, 0, 0); -+ if (gerr == GNUTLS_E_UNIMPLEMENTED_FEATURE) -+ g_warning ("Failed to load system trust store: gnutls_x509_trust_list_add_system_trust is not implemented for this platform"); -+ else if (gerr < 0) -+ g_warning ("Failed to load system trust store: %s", gnutls_strerror (gerr)); -+ } - break; - default: - G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); -@@ -641,7 +656,7 @@ g_tls_file_database_gnutls_initable_init (GInitable *initable, - { - GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (initable); - GHashTable *subjects, *issuers, *complete; -- gboolean result; -+ gboolean result = TRUE; - - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return FALSE; -@@ -653,11 +668,7 @@ g_tls_file_database_gnutls_initable_init (GInitable *initable, - (GDestroyNotify)g_bytes_unref, - (GDestroyNotify)g_bytes_unref); - -- if (self->anchor_filename) -- result = load_anchor_file (self->anchor_filename, subjects, issuers, -- complete, error); -- else -- result = TRUE; -+ initialize_tables (self->trust_list, subjects, issuers, complete); - - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - result = FALSE; --- -2.17.0 - diff --git a/0004-meson-Only-run-gio-querymodules-if-it-s-found.patch b/0004-meson-Only-run-gio-querymodules-if-it-s-found.patch deleted file mode 100644 index 612dbfb72558..000000000000 --- a/0004-meson-Only-run-gio-querymodules-if-it-s-found.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 81e64a81ba808bc05aaa6f95eed47366bffa9ea9 Mon Sep 17 00:00:00 2001 -From: Nirbheek Chauhan <nirbheek@centricular.com> -Date: Wed, 9 May 2018 20:03:00 +0530 -Subject: [PATCH 4/4] meson: Only run gio-querymodules if it's found - -And run the correct one if it's found - -https://bugzilla.gnome.org/show_bug.cgi?id=795982 ---- - meson.build | 6 +++++- - meson_post_install.py | 2 +- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/meson.build b/meson.build -index 5c2bb05..c8a4666 100644 ---- a/meson.build -+++ b/meson.build -@@ -122,7 +122,11 @@ endif - subdir('tls/gnutls') - subdir('tls/tests') - --meson.add_install_script('meson_post_install.py', gio_module_dir) -+# Will automatically pick it up from the cross file if defined -+gio_querymodules = find_program('gio-querymodules', required : false) -+if gio_querymodules.found() -+ meson.add_install_script('meson_post_install.py', gio_querymodules.path(), gio_module_dir) -+endif - - output = '\n\n libproxy support: ' + enable_libproxy_support.to_string() + '\n' - output += ' GNOME proxy support: ' + enable_gnome_proxy_support.to_string() + '\n' -diff --git a/meson_post_install.py b/meson_post_install.py -index 3082d42..8960540 100644 ---- a/meson_post_install.py -+++ b/meson_post_install.py -@@ -6,4 +6,4 @@ import sys - - if not os.environ.get('DESTDIR'): - print('GIO module cache creation...') -- subprocess.call(['gio-querymodules', sys.argv[1]]) -+ subprocess.call([sys.argv[1], sys.argv[2]]) --- -2.17.0 - @@ -1,6 +1,6 @@ # Maintainer: drakkan <nicola.murino at gmail dot com> pkgname=mingw-w64-glib-networking -pkgver=2.56.1 +pkgver=2.58.0 pkgrel=1 pkgdesc="Network-related GIO modules for glib (mingw-w64)" arch=('any') @@ -8,23 +8,12 @@ url="https://git.gnome.org/browse/glib-networking" license=('LGPL2.1') depends=(mingw-w64-glib2 mingw-w64-gnutls) makedepends=(mingw-w64-meson) -source=("https://download.gnome.org/sources/glib-networking/${pkgver%.*}/glib-networking-${pkgver}.tar.xz" - "0003-Use-the-GnuTLS-system-trust-by-default.patch" - "0004-meson-Only-run-gio-querymodules-if-it-s-found.patch") +source=("https://download.gnome.org/sources/glib-networking/${pkgver%.*}/glib-networking-${pkgver}.tar.xz") options=(!strip !buildflags !libtool staticlibs) -sha256sums=('df47b0e0a037d2dcf6b1846cbdf68dd4b3cc055e026bb40c4a55f19f29f635c8' - 'd54661751cd929be4894b6b671512b6d852378d52c0503ffb981949466b55dc8' - 'bc033e3c3ca803ab51e02290e551b161446e20d19fb8357701d9c82c4b5d175a') +sha256sums=('bdfa0255e031b8ee003cc283002536b77ee76450105f1dc6ab066b9bf4330068') _architectures="i686-w64-mingw32 x86_64-w64-mingw32" -prepare() { - cd "$srcdir/glib-networking-$pkgver" - patch -Np1 -i ../"0003-Use-the-GnuTLS-system-trust-by-default.patch" - patch -Np1 -i ../"0004-meson-Only-run-gio-querymodules-if-it-s-found.patch" -} - - build() { for _arch in ${_architectures}; do mkdir -p "${srcdir}/glib-networking-${pkgver}/build-${_arch}" @@ -41,6 +30,9 @@ build() { package() { for _arch in ${_architectures}; do DESTDIR="${pkgdir}" ninja -C "${srcdir}/glib-networking-${pkgver}/build-${_arch}" install + + #FIXME: Ranlib (isn't meson supposed to do this?) + ${_arch}-gcc-ranlib ${pkgdir}/usr/${_arch}/lib/gio/modules/*.a done } |