diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
new file mode 100644
index 0000000000..b57272ae02
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@@ -0,0 +1 @@
+DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
new file mode 100644
index 0000000000..3b78ac4b7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
@@ -0,0 +1,58 @@
+# Copyright 2014 The CoreOS Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+inherit cros-tmpfiles python-any-r1 systemd
+
+RTM_NAME="NSS_${PV//./_}_RTM"
+MY_PN="nss"
+MY_P="${MY_PN}-${PV}"
+S="${WORKDIR}"
+
+DESCRIPTION="Mozilla's CA Certificate Store"
+HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
+SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz"
+
+# NSS is licensed under the MPL, files/certdata2pem.py is GPL
+LICENSE="MPL-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE=""
+
+RDEPEND="dev-libs/openssl
+ sys-apps/findutils"
+DEPEND="${RDEPEND}
+ ${PYTHON_DEPS}"
+
+gen_tmpfiles() {
+ local certfile
+ echo "d /etc/ssl - - - - -"
+ echo "d /etc/ssl/certs - - - - -"
+ for certfile in "$@"; do
+ local l="/etc/ssl/certs/${certfile##*/}"
+ local p="../../../usr/share/${PN}/${certfile}"
+ echo "L ${l} - - - - ${p}"
+ done
+}
+
+src_compile() {
+ local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
+ ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
+ gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+}
+
+src_install() {
+ insinto /usr/share/${PN}
+ doins -r mozilla
+
+ dosbin "${FILESDIR}/update-ca-certificates"
+ systemd_dounit "${FILESDIR}/update-ca-certificates.service"
+ systemd_enable_service sysinit.target update-ca-certificates.service
+ systemd_dotmpfilesd ${PN}.conf
+
+ # Setup initial links in /etc
+ dodir /etc/ssl/certs
+ tmpfiles_create
+ bash "${FILESDIR}/update-ca-certificates" "${D}/etc/ssl/certs" || die
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py
new file mode 100644
index 0000000000..a54b723c0e
--- /dev/null
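Review bot: `SRC_URI` fetches the NSS tarball over plain `ftp://`, so the only thing protecting the contents of the system trust store from tampering in transit is the digest set recorded in the Manifest. That protection holds only if the Manifest entry was generated from a tarball whose provenance was checked independently, and nothing in the ebuild says so. I would add a comment above `SRC_URI` along the lines of `# Fetched over FTP; integrity rests on the Manifest digests, which were verified against <how the tarball was authenticated>`. If the same release is published over HTTPS, pointing `SRC_URI` there is the better fix.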
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py 
@@ -0,0 +1,123 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern
+# Copyright (C) 2014 The CoreOS Authors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+
+if len(sys.argv) != 3:
+ sys.stderr.write("Usage: certdata2pem.py certdata.txt output_dir\n")
+ sys.exit(1)
+
+certdata = sys.argv[1]
+output_dir = sys.argv[2]
+objects = []
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open(certdata, 'r'):
+ # Ignore the file header.
+ if not in_data:
+ if line.startswith('BEGINDATA'):
+ in_data = True
+ continue
+ # Ignore comment lines.
+ if line.startswith('#'):
+ continue
+ # Empty lines are significant if we are inside an object.
+ if in_obj and len(line.strip()) == 0:
+ objects.append(obj)
+ obj = dict()
+ in_obj = False
+ continue
+ if len(line.strip()) == 0:
+ continue
+ if in_multiline:
+ if not line.startswith('END'):
+ if type == 'MULTILINE_OCTAL':
+ line = line.strip()
+ for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+ value += chr(int(i.group(1), 8))
+ else:
+ value += line
+ continue
+ obj[field] = value
+ in_multiline = False
+ continue
+ if line.startswith('CKA_CLASS'):
+ in_obj = True
+ line_parts = line.strip().split(' ', 2)
+ if len(line_parts) > 2:
+ field, type = line_parts[0:2]
+ value = ' '.join(line_parts[2:])
+ elif len(line_parts) == 2:
+ field, type = line_parts
+ value = None
+ else:
+ raise NotImplementedError, 'line_parts < 2 not supported.'
+ if type == 'MULTILINE_OCTAL':
+ in_multiline = True
+ value = ""
+ continue
+ obj[field] = value
+if len(obj.items()) > 0:
+ objects.append(obj)
+
+# Build up trust database.
+trust = dict()
+for obj in objects:
+ if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
+ continue
+ elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+ 'CKT_NSS_TRUSTED_DELEGATOR'):
+ trust[obj['CKA_LABEL']] = True
+ elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+ 'CKT_NSS_TRUSTED_DELEGATOR'):
+ trust[obj['CKA_LABEL']] = True
+ else:
+ print "Ignoring certificate %s.
SAUTH=%s, EPROT=%s" % \
+ (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
+ obj['CKA_TRUST_EMAIL_PROTECTION'])
+
+if not os.path.isdir(output_dir):
+ os.makedirs(output_dir)
+os.chdir(output_dir)
+
+for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+ fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+ .replace(')', '=')\
+ .replace(',', '_') + '.pem'
+ fname = fname.decode('string_escape')
+ f = open(fname, 'w')
+ f.write("-----BEGIN CERTIFICATE-----\n")
+ f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+ f.write("\n-----END CERTIFICATE-----\n")
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates
new file mode 100644
index 0000000000..60840d89ff
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+CERTSDIR="${1:-${ROOT}/etc/ssl/certs}"
+
+if [[ ! -w "${CERTSDIR}" ]]; then
+ echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2
+ exit 1
+fi
+
+set -e
+
+echo "Pruning broken links in ${CERTSDIR}"
+find -L "${CERTSDIR}" -type l -delete
+
+echo "Rehashing certificate files in ${CERTSDIR}"
+c_rehash "${CERTSDIR}"
+
+CERTBUNDLE="${CERTSDIR}/ca-certificates.crt"
+if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then
+ echo "Recreating certificate bundle ${CERTBUNDLE}"
+ TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX")
+ trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT
+ # Use .0 instead of .pem to pull in only what c_rehash validated
+ cat "${CERTSDIR}"/*.0 > "${TEMPBUNDLE}"
+ mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}"
+ trap - EXIT
+fi
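Review bot: The table built in the `# Build up trust database.` loop is keyed only on `CKA_LABEL` and marks a label trusted when either `CKA_TRUST_SERVER_AUTH` or `CKA_TRUST_EMAIL_PROTECTION` is a trusted delegator, so a root that NSS trusts only for e-mail (including one whose server-auth trust is withheld) is still exported and linked into `/etc/ssl/certs`, where TLS clients use it as a server-auth anchor. Two certdata objects that share a label also share one trust entry, so an untrusted certificate can inherit the flag of a trusted namesake. I would drop the e-mail branch for this store and key the table on something unique to the certificate, for example `trust[(obj['CKA_ISSUER'], obj['CKA_SERIAL_NUMBER'])] = True` with the same tuple used for the lookup in the export loop (assuming both object classes carry those attributes, as certdata.txt normally does). In the export loop, `fname.decode('string_escape')` runs after `/` has been replaced, so an escaped path separator in a label would survive the sanitisation; decode first and replace afterwards.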
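Review bot: The cleanup trap in `update-ca-certificates` points at the wrong path: `mktemp "${CERTBUNDLE}.XXXXXXXXXX"` already returns a path inside `${CERTSDIR}`, so `rm -f '${CERTSDIR}/${TEMPBUNDLE}'` prefixes the directory twice and the temporary bundle is left behind whenever `cat` or `mv` fails under `set -e`. Use `trap 'rm -f "${TEMPBUNDLE}"' EXIT` instead. mktemp also creates the file with mode 0600 and `mv` keeps that mode, so the resulting `ca-certificates.crt` would be readable by its owner only and unprivileged TLS clients could not load it; add `chmod 0644 "${TEMPBUNDLE}"` before the `mv`. The glob `"${CERTSDIR}"/*.0` also skips the hash-collision links that c_rehash names `.1`, `.2` and so on, so those certificates never reach the bundle.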
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
new file mode 100644
index 0000000000..63b05895d1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update CA Certificates in /etc/ssl/certs
+# Since other services depend on the certificate store run this early
+DefaultDependencies=no
+Wants=systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
+Before=sysinit.target
+ConditionPathIsReadWrite=/etc/ssl/certs
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/update-ca-certificates
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
index f0b69edfad..6bdbde0029 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -140,11 +140,6 @@ RDEPEND="${RDEPEND} sys-fs/squashfs-tools " -# Host dependency used by the chromeos-base/root-certificates ebuild -RDEPEND="${RDEPEND} - >=app-misc/ca-certificates-20090709-r6 - " - # Host dependencies that are needed for delta_generator. RDEPEND="${RDEPEND} coreos-base/update_engine diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target b/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target index d1f36d9f64..857480ab07 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target @@ -35,15 +35,6 @@ PORTDIR_OVERLAY=" # of the ChromiumOS set. You can use "--select" to override this. EMERGE_DEFAULT_OPTS="--oneshot" -FETCHCOMMAND_GS="bash -c 'BOTO_CONFIG=/home/\${PORTAGE_USERNAME}/.boto gsutil cp \"${URI}\" \"${DISTDIR}/${FILE}\"'" -RESUMECOMMAND_GS="bash -c 'BOTO_CONFIG=/home/\${PORTAGE_USERNAME}/.boto gsutil cp \"${URI}\" \"${DISTDIR}/${FILE}\"'" - -FETCHCOMMAND='curl -y 30 -f --retry 9 -L --output \${DISTDIR}/\${FILE} \${URI}' -RESUMECOMMAND='curl -y 30 -f -C - --retry 9 -L --output \${DISTDIR}/\${FILE} \${URI}' - -# Print a checkpoint message every 10MB while archiving. -PORTAGE_BINPKG_TAR_OPTS="--checkpoint=1000" - # Since our portage comes from version control, we redirect distfiles. DISTDIR="/var/lib/portage/distfiles-target" diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 98a3216c36..06a52fde4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
@@ -80,9 +80,6 @@ # Really really hoping this fixes our compile issues =dev-lang/python-2.7.6 ~amd64 -# Hopefully includes some certs folks have been missing -=app-misc/ca-certificates-20130906 ~amd64 - # Kills an annoying warning =app-admin/eselect-1.4 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask index 50234ab62f..f4a4e0090b 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask @@ -14,3 +14,7 @@ # Stick with python 2 for now >=dev-lang/python-3 + +# Require our ca-certificates package based directly on Mozilla's +# certificate store provided in NSS rather than the Gentoo/Debian package. +>=app-misc/ca-certificates-20000000 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest new file mode 100644 index 0000000000..cc446706b9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest @@ -0,0 +1,2 @@ +DIST tzcode2013d.tar.gz 138198 SHA256 2d9eb90c94644cddb74a490d1184ef9f88efcaa7a2b1bf88be0ee9eeeab707b6 SHA512 228648a2b7dd7f1e434c79e3a6d9cf7df04dfe22566a42c7ab8633a64953971df30c9e30eb28842ed22e10af99d03db9be59e7957f1fee0733a489166f77889a WHIRLPOOL 4604647c029a2a8cabfa886d93ed2c2ca4cdd7614dcb3225e73d8f526ce1921fe96977bf0bd472f55ea88916c3109c525a477e7610998be9e296ba29b66eb300 +DIST tzdata2013d.tar.gz 218918 SHA256 cd1c96f0676e0edceebc6a418a2222ffb05becb41180dd9f847b9c7cef303b04 SHA512 dc4220c8c2113d899b8901561a1335eb4de31881622fd78f2470c625689efe08d50575aeb927d688fd5d24739f1d64222d40221091ff25f9ad61a65f0ca039d0 WHIRLPOOL 3f71d25aaa22ae7bb56e23eda33a24250706450cf2af7bd0a70a80d9a54ab3d1d60e09530a87bd5f4b3fa013570eaa742a69b8cdae9b6cc42912d12938caf706 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch
new file mode 100644
index 0000000000..eb52f87f60
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch
@@ -0,0 +1,95 @@
+ - Fix up default paths
+ - Support env DESTDIR / LDFLAGS / CFLAGS / CC
+ - Use awk instead of nawk
+ - Don't build/install libtz.a
+ - Don't install man-pages provided by sys-apps/man-pages
+ - Move zic zdump to sbin and tzselect to bin ala glibc
+ - Install posix zoneinfo into zoneinfo/posix/ instead of zoneinfo-posix/ ala glibc
+ - Install leaps zoneinfo into zoneinfo/right/ ala glibc
+ - Disable broken web test
+ - Make sure tzselect uses #!/bin/bash and not #!/bin/ksh
+ - Flags to the linking are passed as LDFLAGS, not LFLAGS
+ - LDFLAGS was missed for the 'date' target
+
+--- a/Makefile
++++ b/Makefile
+@@ -46,5 +46,5 @@
+ # Everything gets put in subdirectories of. . .
+
+-TOPDIR= /usr/local
++TOPDIR= $(DESTDIR)/usr
+
+ # "Compiled" time zone information is placed in the "TZDIR" directory
+@@ -52,5 +52,5 @@
+ # Use an absolute path name for TZDIR unless you're just testing the software.
+
+-TZDIR= $(TOPDIR)/etc/zoneinfo
++TZDIR= $(TOPDIR)/share/zoneinfo
+
+ # Types to try, as an alternative to time_t. int64_t should be first.
+@@ -59,5 +59,5 @@
+ # The "tzselect", "zic", and "zdump" commands get installed in. . .
+
+-ETCDIR= $(TOPDIR)/etc
++SBINDIR= $(TOPDIR)/sbin
+
+ # If you "make INSTALL", the "date" command gets installed in. . .
+@@ -67,5 +67,5 @@
+ # Manual pages go in subdirectories of. . .
+
+-MANDIR= $(TOPDIR)/man
++MANDIR= $(TOPDIR)/share/man
+
+ # Library functions are put in an archive in LIBDIR.
+@@ -293,6 +293,8 @@
+ ###############################################################################
+
+-cc= cc
+-CC= $(cc) -DTZDIR=\"$(TZDIR)\"
++CC+= -DTZDIR=\"$(TZDIR)\"
++ifeq ($(NLS),1)
++CC += -DHAVE_GETTEXT=1 -DTZ_DOMAIN=\"libc\"
++endif
+
+ TZCSRCS= zic.c localtime.c asctime.c scheck.c ialloc.c
+@@ -335,11 +337,13 @@
+ ALL: all date
+
+-install: all $(DATA) $(REDO) $(TZLIB) $(MANS) $(TABDATA)
++install: all $(DATA) $(REDO) $(MANS) $(TABDATA)
+ $(ZIC) -y $(YEARISTYPE) \
+ -d $(TZDIR) -l $(LOCALTIME) -p $(POSIXRULES)
+ -rm -f $(TZDIR)/iso3166.tab $(TZDIR)/zone.tab
+ cp iso3166.tab zone.tab $(TZDIR)/.
+- -mkdir $(TOPDIR) $(ETCDIR)
+- cp tzselect zic zdump $(ETCDIR)/.
++ -mkdir $(TOPDIR) $(SBINDIR)
++ cp zic zdump $(SBINDIR)/.
++ -mkdir $(TOPDIR) $(BINDIR)
++ cp tzselect $(BINDIR)/.
+ -mkdir $(TOPDIR) $(MANDIR) \
+ $(MANDIR)/man3 $(MANDIR)/man5 $(MANDIR)/man8
+@@ -351,6 +355,4 @@
+ $(MANDIR)/man8/zic.8
+ cp newctime.3 newtzset.3 $(MANDIR)/man3/.
+- cp tzfile.5 $(MANDIR)/man5/.
+- cp tzselect.8 zdump.8 zic.8 $(MANDIR)/man8/.
+
+ INSTALL: ALL install date.1
+@@ -392,7 +394,7 @@
+ # to using them, or vice versa.
+ other_two: zic leapseconds $(TDATA)
+- $(ZIC) -y $(YEARISTYPE) -d $(TZDIR)-posix -L /dev/null $(TDATA)
++ $(ZIC) -y $(YEARISTYPE) -d $(TZDIR)/posix -L /dev/null $(TDATA)
+ $(ZIC) -y $(YEARISTYPE) \
+- -d $(TZDIR)-leaps -L leapseconds $(TDATA)
++ -d $(TZDIR)/right -L leapseconds $(TDATA)
+
+ posix_right: posix_only other_two
+@@ -422,5 +424,5 @@
+ chmod +x $@
+
+-check: check_character_set check_tables check_web
++check: check_character_set check_tables
+
+ check_character_set: $(ENCHILADA)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild
new file mode 100644
index 0000000000..f1c3e7de03
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/timezone-data/timezone-data-2013d.ebuild,v 1.4 2014/01/18 02:22:57 vapier Exp $
+
+inherit eutils toolchain-funcs flag-o-matic
+
+code_ver=${PV}
+data_ver=${PV}
+DESCRIPTION="Timezone data (/usr/share/zoneinfo) and utilities (tzselect/zic/zdump)"
+HOMEPAGE="http://www.iana.org/time-zones http://www.twinsun.com/tz/tz-link.htm"
+SRC_URI="http://www.iana.org/time-zones/repository/releases/tzdata${data_ver}.tar.gz
+ http://www.iana.org/time-zones/repository/releases/tzcode${code_ver}.tar.gz
+ ftp://munnari.oz.au/pub/tzdata${data_ver}.tar.gz
+ ftp://munnari.oz.au/pub/tzcode${code_ver}.tar.gz"
+
+LICENSE="BSD public-domain"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
+IUSE="nls elibc_FreeBSD elibc_glibc"
+
+RDEPEND="!