From 83dfaeae34b89995b8c72c61d159f1b43488aa76 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Wed, 19 Feb 2014 13:37:07 -0800 Subject: [PATCH 1/3] fix(make.conf): Remove custom fetch and tar commands. Switch to portage's default (wget) for fetching. wget is nice and reports the URL it is downloading while curl does not. This makes understanding errors like '404' actually somewhat possible. The --checkpoint arg to tar didn't serve much of a useful purpose as far as I know besides adding to the build noise. Just drop it. --- .../coreos-overlay/coreos/config/make.conf.common-target | 9 --------- 1 file changed, 9 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target b/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target index d1f36d9f64..857480ab07 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/make.conf.common-target @@ -35,15 +35,6 @@ PORTDIR_OVERLAY=" # of the ChromiumOS set. You can use "--select" to override this. EMERGE_DEFAULT_OPTS="--oneshot" -FETCHCOMMAND_GS="bash -c 'BOTO_CONFIG=/home/\${PORTAGE_USERNAME}/.boto gsutil cp \"${URI}\" \"${DISTDIR}/${FILE}\"'" -RESUMECOMMAND_GS="bash -c 'BOTO_CONFIG=/home/\${PORTAGE_USERNAME}/.boto gsutil cp \"${URI}\" \"${DISTDIR}/${FILE}\"'" - -FETCHCOMMAND='curl -y 30 -f --retry 9 -L --output \${DISTDIR}/\${FILE} \${URI}' -RESUMECOMMAND='curl -y 30 -f -C - --retry 9 -L --output \${DISTDIR}/\${FILE} \${URI}' - -# Print a checkpoint message every 10MB while archiving. -PORTAGE_BINPKG_TAR_OPTS="--checkpoint=1000" - # Since our portage comes from version control, we redirect distfiles. DISTDIR="/var/lib/portage/distfiles-target" From f1e075510b91a21f675b31f656535950e5f81d55 Mon Sep 17 00:00:00 2001 
From: Michael Marineau Date: Wed, 19 Feb 2014 13:48:58 -0800 Subject: [PATCH 2/3] add(sys-libs/timezone-data): Import latest stable timezone ebuild This is a copy of the current stable version from Gentoo but without the extra junk code to try to create /etc/localtime which we don't need. --- .../sys-libs/timezone-data/Manifest | 2 + .../files/timezone-data-2013d-makefile.patch | 95 +++++++++++++++++++ .../timezone-data/timezone-data-2013d.ebuild | 61 ++++++++++++ 3 files changed, 158 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest new file mode 100644 index 0000000000..cc446706b9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/Manifest @@ -0,0 +1,2 @@ +DIST tzcode2013d.tar.gz 138198 SHA256 2d9eb90c94644cddb74a490d1184ef9f88efcaa7a2b1bf88be0ee9eeeab707b6 SHA512 228648a2b7dd7f1e434c79e3a6d9cf7df04dfe22566a42c7ab8633a64953971df30c9e30eb28842ed22e10af99d03db9be59e7957f1fee0733a489166f77889a WHIRLPOOL 4604647c029a2a8cabfa886d93ed2c2ca4cdd7614dcb3225e73d8f526ce1921fe96977bf0bd472f55ea88916c3109c525a477e7610998be9e296ba29b66eb300 +DIST tzdata2013d.tar.gz 218918 SHA256 cd1c96f0676e0edceebc6a418a2222ffb05becb41180dd9f847b9c7cef303b04 SHA512 dc4220c8c2113d899b8901561a1335eb4de31881622fd78f2470c625689efe08d50575aeb927d688fd5d24739f1d64222d40221091ff25f9ad61a65f0ca039d0 WHIRLPOOL 3f71d25aaa22ae7bb56e23eda33a24250706450cf2af7bd0a70a80d9a54ab3d1d60e09530a87bd5f4b3fa013570eaa742a69b8cdae9b6cc42912d12938caf706 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch
new file mode 100644
index 0000000000..eb52f87f60
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/files/timezone-data-2013d-makefile.patch
@@ -0,0 +1,95 @@ + - Fix up default paths + - Support env DESTDIR / LDFLAGS / CFLAGS / CC + - Use awk instead of nawk + - Don't build/install libtz.a + - Don't install man-pages provided by sys-apps/man-pages + - Move zic zdump to sbin and tzselect to bin ala glibc + - Install posix zoneinfo into zoneinfo/posix/ instead of zoneinfo-posix/ ala glibc + - Install leaps zoneinfo into zoneinfo/right/ ala glibc + - Disable broken web test + - Make sure tzselect uses #!/bin/bash and not #!/bin/ksh + - Flags to the linking are passed as LDFLAGS, not LFLAGS + - LDFLAGS was missed for the 'date' target + +--- a/Makefile ++++ b/Makefile +@@ -46,5 +46,5 @@ + # Everything gets put in subdirectories of. . . + +-TOPDIR= /usr/local ++TOPDIR= $(DESTDIR)/usr + + # "Compiled" time zone information is placed in the "TZDIR" directory +@@ -52,5 +52,5 @@ + # Use an absolute path name for TZDIR unless you're just testing the software. + +-TZDIR= $(TOPDIR)/etc/zoneinfo ++TZDIR= $(TOPDIR)/share/zoneinfo + + # Types to try, as an alternative to time_t. int64_t should be first. +@@ -59,5 +59,5 @@ + # The "tzselect", "zic", and "zdump" commands get installed in. . . + +-ETCDIR= $(TOPDIR)/etc ++SBINDIR= $(TOPDIR)/sbin + + # If you "make INSTALL", the "date" command gets installed in. . . +@@ -67,5 +67,5 @@ + # Manual pages go in subdirectories of. . . + +-MANDIR= $(TOPDIR)/man ++MANDIR= $(TOPDIR)/share/man + + # Library functions are put in an archive in LIBDIR. 
+@@ -293,6 +293,8 @@ + ############################################################################### + +-cc= cc +-CC= $(cc) -DTZDIR=\"$(TZDIR)\" ++CC+= -DTZDIR=\"$(TZDIR)\" ++ifeq ($(NLS),1) ++CC += -DHAVE_GETTEXT=1 -DTZ_DOMAIN=\"libc\" ++endif + + TZCSRCS= zic.c localtime.c asctime.c scheck.c ialloc.c +@@ -335,11 +337,13 @@ + ALL: all date + +-install: all $(DATA) $(REDO) $(TZLIB) $(MANS) $(TABDATA) ++install: all $(DATA) $(REDO) $(MANS) $(TABDATA) + $(ZIC) -y $(YEARISTYPE) \ + -d $(TZDIR) -l $(LOCALTIME) -p $(POSIXRULES) + -rm -f $(TZDIR)/iso3166.tab $(TZDIR)/zone.tab + cp iso3166.tab zone.tab $(TZDIR)/. +- -mkdir $(TOPDIR) $(ETCDIR) +- cp tzselect zic zdump $(ETCDIR)/. ++ -mkdir $(TOPDIR) $(SBINDIR) ++ cp zic zdump $(SBINDIR)/. ++ -mkdir $(TOPDIR) $(BINDIR) ++ cp tzselect $(BINDIR)/. + -mkdir $(TOPDIR) $(MANDIR) \ + $(MANDIR)/man3 $(MANDIR)/man5 $(MANDIR)/man8 +@@ -351,6 +355,4 @@ + $(MANDIR)/man8/zic.8 + cp newctime.3 newtzset.3 $(MANDIR)/man3/. +- cp tzfile.5 $(MANDIR)/man5/. +- cp tzselect.8 zdump.8 zic.8 $(MANDIR)/man8/. + + INSTALL: ALL install date.1 +@@ -392,7 +394,7 @@ + # to using them, or vice versa. + other_two: zic leapseconds $(TDATA) +- $(ZIC) -y $(YEARISTYPE) -d $(TZDIR)-posix -L /dev/null $(TDATA) ++ $(ZIC) -y $(YEARISTYPE) -d $(TZDIR)/posix -L /dev/null $(TDATA) + $(ZIC) -y $(YEARISTYPE) \ +- -d $(TZDIR)-leaps -L leapseconds $(TDATA) ++ -d $(TZDIR)/right -L leapseconds $(TDATA) + + posix_right: posix_only other_two +@@ -422,5 +424,5 @@ + chmod +x $@ + +-check: check_character_set check_tables check_web ++check: check_character_set check_tables + + check_character_set: $(ENCHILADA) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild new file mode 100644 index 0000000000..f1c3e7de03 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/timezone-data/timezone-data-2013d.ebuild 
@@ -0,0 +1,61 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/timezone-data/timezone-data-2013d.ebuild,v 1.4 2014/01/18 02:22:57 vapier Exp $ + +inherit eutils toolchain-funcs flag-o-matic + +code_ver=${PV} +data_ver=${PV} +DESCRIPTION="Timezone data (/usr/share/zoneinfo) and utilities (tzselect/zic/zdump)" +HOMEPAGE="http://www.iana.org/time-zones http://www.twinsun.com/tz/tz-link.htm" +SRC_URI="http://www.iana.org/time-zones/repository/releases/tzdata${data_ver}.tar.gz + http://www.iana.org/time-zones/repository/releases/tzcode${code_ver}.tar.gz + ftp://munnari.oz.au/pub/tzdata${data_ver}.tar.gz + ftp://munnari.oz.au/pub/tzcode${code_ver}.tar.gz" + +LICENSE="BSD public-domain" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd" +IUSE="nls elibc_FreeBSD elibc_glibc" + +RDEPEND="! Date: Wed, 19 Feb 2014 17:10:13 -0800 Subject: [PATCH 3/3] add(app-misc/ca-certificates): Add new CA cert package. This package is based exclusively on the Mozilla certificate store distributed in their NSS library and adopts NSS's version accordingly. It replaces the previous Gentoo package which came directly from Debian. The Debian package package had a couple issues we didn't like: - Trusts the http://cacert.org root CA which isn't the worst thing in the world to do but seems like a really bad default policy to ship. - update-ca-certificates had a confusing configuration/hook scheme which seemed almost useful but completely obnoxious and useless to CoreOS at the same time. systemd-tmpfiles plus a simpler script does a better job for us. The python script certdata2pem.py came from Debian's source package ca-certificates_20130119 and modified slightly. It is only used at build-time to convert the file format used by NSS to PEM files. 
The old packages used dates as the version, this one uses the NSS library the certificate store came from as the version. This may cause an issue if packages from Gentoo depend on >=ca-certificates-20080809 or similar. Currently the only packages in Gentoo that do so are sci-misc/boinc and www-client/epiphany, neither of which will ever be needed in CoreOS so we should be OK. --- .../app-misc/ca-certificates/Manifest | 1 + .../ca-certificates-3.15.5.ebuild | 58 +++++++++ .../ca-certificates/files/certdata2pem.py | 123 ++++++++++++++++++ .../files/update-ca-certificates | 27 ++++ .../files/update-ca-certificates.service | 12 ++ ...ld => hard-host-depends-0.0.1-r159.ebuild} | 0 .../hard-host-depends-0.0.1.ebuild | 5 - .../coreos/base/package.accept_keywords | 3 - .../profiles/coreos/base/package.mask | 4 + 9 files changed, 225 insertions(+), 8 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service rename sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/{hard-host-depends-0.0.1-r158.ebuild => hard-host-depends-0.0.1-r159.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest new file mode 100644 index 0000000000..b57272ae02 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest 
@@ -0,0 +1 @@
+DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
new file mode 100644
index 0000000000..3b78ac4b7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
@@ -0,0 +1,58 @@ +# Copyright 2014 The CoreOS Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 +PYTHON_COMPAT=( python2_7 ) +inherit cros-tmpfiles python-any-r1 systemd + +RTM_NAME="NSS_${PV//./_}_RTM" +MY_PN="nss" +MY_P="${MY_PN}-${PV}" +S="${WORKDIR}" + +DESCRIPTION="Mozilla's CA Certificate Store" +HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/" +SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz" + +# NSS is licensed under the MPL, files/certdata2pem.py is GPL +LICENSE="MPL-2.0 GPL-2" +SLOT="0" +KEYWORDS="amd64" +IUSE="" + +RDEPEND="dev-libs/openssl + sys-apps/findutils" +DEPEND="${RDEPEND} + ${PYTHON_DEPS}" + +gen_tmpfiles() { + local certfile + echo "d /etc/ssl - - - - -" + echo "d /etc/ssl/certs - - - - -" + for certfile in "$@"; do + local l="/etc/ssl/certs/${certfile##*/}" + local p="../../../usr/share/${PN}/${certfile}" + echo "L ${l} - - - - ${p}" + done +} + +src_compile() { + local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt" + ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die + gen_tmpfiles mozilla/*.pem > ${PN}.conf || die +} + +src_install() { + insinto /usr/share/${PN} + doins -r mozilla + + dosbin "${FILESDIR}/update-ca-certificates" + systemd_dounit "${FILESDIR}/update-ca-certificates.service" + systemd_enable_service sysinit.target update-ca-certificates.service + systemd_dotmpfilesd ${PN}.conf + + # Setup initial links in /etc + dodir /etc/ssl/certs + tmpfiles_create + bash "${FILESDIR}/update-ca-certificates" "${D}/etc/ssl/certs" || die +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py new file mode 100644 index 0000000000..a54b723c0e --- /dev/null 
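Review bot: The `SRC_URI` line fetches the NSS tarball over plain `ftp://`, and that tarball is the source of every root certificate this package installs, so the SHA256/SHA512/WHIRLPOOL entries in the Manifest are the only control authenticating the trust store. Nothing in the ebuild records that dependency for whoever bumps the version next. I would add a comment above `SRC_URI` along the lines of `# Fetched over unauthenticated FTP: integrity rests on the Manifest digests, so verify them against an independent copy of the release when bumping PV.`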
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py 
@@ -0,0 +1,123 @@ +#!/usr/bin/python +# vim:set et sw=4: +# +# certdata2pem.py - splits certdata.txt into multiple files +# +# Copyright (C) 2009 Philipp Kern +# Copyright (C) 2014 The CoreOS Authors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +# USA. + +import base64 +import os.path +import re +import sys +import textwrap + +if len(sys.argv) != 3: + sys.stderr.write("Usage: certdata2pem.py certdata.txt output_dir\n") + sys.exit(1) + +certdata = sys.argv[1] +output_dir = sys.argv[2] +objects = [] + +# Dirty file parser. +in_data, in_multiline, in_obj = False, False, False +field, type, value, obj = None, None, None, dict() +for line in open(certdata, 'r'): + # Ignore the file header. + if not in_data: + if line.startswith('BEGINDATA'): + in_data = True + continue + # Ignore comment lines. + if line.startswith('#'): + continue + # Empty lines are significant if we are inside an object. 
+ if in_obj and len(line.strip()) == 0: + objects.append(obj) + obj = dict() + in_obj = False + continue + if len(line.strip()) == 0: + continue + if in_multiline: + if not line.startswith('END'): + if type == 'MULTILINE_OCTAL': + line = line.strip() + for i in re.finditer(r'\\([0-3][0-7][0-7])', line): + value += chr(int(i.group(1), 8)) + else: + value += line + continue + obj[field] = value + in_multiline = False + continue + if line.startswith('CKA_CLASS'): + in_obj = True + line_parts = line.strip().split(' ', 2) + if len(line_parts) > 2: + field, type = line_parts[0:2] + value = ' '.join(line_parts[2:]) + elif len(line_parts) == 2: + field, type = line_parts + value = None + else: + raise NotImplementedError, 'line_parts < 2 not supported.' + if type == 'MULTILINE_OCTAL': + in_multiline = True + value = "" + continue + obj[field] = value +if len(obj.items()) > 0: + objects.append(obj) + +# Build up trust database. +trust = dict() +for obj in objects: + if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'): + continue + elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR', + 'CKT_NSS_TRUSTED_DELEGATOR'): + trust[obj['CKA_LABEL']] = True + elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR', + 'CKT_NSS_TRUSTED_DELEGATOR'): + trust[obj['CKA_LABEL']] = True + else: + print "Ignoring certificate %s. 
SAUTH=%s, EPROT=%s" % \ + (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'], + obj['CKA_TRUST_EMAIL_PROTECTION']) + +if not os.path.isdir(output_dir): + os.makedirs(output_dir) +os.chdir(output_dir) + +for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue + fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ + .replace(')', '=')\ + .replace(',', '_') + '.pem' + fname = fname.decode('string_escape') + f = open(fname, 'w') + f.write("-----BEGIN CERTIFICATE-----\n") + f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + f.write("\n-----END CERTIFICATE-----\n") + diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates new file mode 100644 index 0000000000..60840d89ff --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates @@ -0,0 +1,27 @@ +#!/bin/bash + +CERTSDIR="${1:-${ROOT}/etc/ssl/certs}" + +if [[ ! -w "${CERTSDIR}" ]]; then + echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2 + exit 1 +fi + +set -e + +echo "Pruning broken links in ${CERTSDIR}" +find -L "${CERTSDIR}" -type l -delete + +echo "Rehashing certificate files in ${CERTSDIR}" +c_rehash "${CERTSDIR}" + +CERTBUNDLE="${CERTSDIR}/ca-certificates.crt" +if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then + echo "Recreating certificate bundle ${CERTBUNDLE}" + TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX") + trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT + # Use .0 instead of .pem to pull in only what c_rehash validated + cat "${CERTSDIR}"/*.0 > "${TEMPBUNDLE}" + mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}" + trap - EXIT +fi 
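Review bot: The trust-database loop marks a label trusted when either `CKA_TRUST_SERVER_AUTH` or `CKA_TRUST_EMAIL_PROTECTION` is a trusted delegator, so a root that NSS trusts only for e-mail is still written out as a PEM and ends up in `/etc/ssl/certs`, where TLS clients will accept it for server authentication. If the store is meant for TLS verification, dropping the `elif obj['CKA_TRUST_EMAIL_PROTECTION'] in (...)` branch would keep only server-auth roots. Trust is also keyed on `CKA_LABEL` alone and only ever set to `True`, so two objects that share a label cannot be told apart; matching trust objects to certificates on issuer and serial number looks stricter, though that depends on fields this script does not currently read. Separately, `f = open(fname, 'w')` is never closed, and `with open(fname, 'w') as f:` would flush each PEM deterministically.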
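Review bot: The EXIT trap removes `${CERTSDIR}/${TEMPBUNDLE}`, but `mktemp "${CERTBUNDLE}.XXXXXXXXXX"` already returns a path under `${CERTSDIR}`, so the trap points at a file that does not exist and a failed `cat` leaves the temporary bundle behind; `trap 'rm -f "${TEMPBUNDLE}"' EXIT` names the right file. mktemp also creates the file with mode 0600 and `mv` preserves that mode, so `ca-certificates.crt` would be unreadable to non-root processes unless a `chmod 644 "${TEMPBUNDLE}"` precedes the `mv`. The `*.0` glob additionally skips any certificate that c_rehash linked as `.1` or higher after a hash collision, so the bundle can silently omit a root that is present in the directory.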
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service new file mode 100644 index 0000000000..63b05895d1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service @@ -0,0 +1,12 @@ +[Unit] +Description=Update CA Certificates in /etc/ssl/certs +# Since other services depend on the certificate store run this early +DefaultDependencies=no +Wants=systemd-tmpfiles-setup.service +After=systemd-tmpfiles-setup.service +Before=sysinit.target +ConditionPathIsReadWrite=/etc/ssl/certs + +[Service] +Type=oneshot +ExecStart=/usr/sbin/update-ca-certificates diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild index f0b69edfad..6bdbde0029 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild 
@@ -140,11 +140,6 @@ RDEPEND="${RDEPEND} sys-fs/squashfs-tools " -# Host dependency used by the chromeos-base/root-certificates ebuild -RDEPEND="${RDEPEND} - >=app-misc/ca-certificates-20090709-r6 - " - # Host dependencies that are needed for delta_generator. RDEPEND="${RDEPEND} coreos-base/update_engine diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 98a3216c36..06a52fde4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -80,9 +80,6 @@ # Really really hoping this fixes our compile issues =dev-lang/python-2.7.6 ~amd64 -# Hopefully includes some certs folks have been missing -=app-misc/ca-certificates-20130906 ~amd64 - # Kills an annoying warning =app-admin/eselect-1.4 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask index 50234ab62f..f4a4e0090b 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask @@ -14,3 +14,7 @@ # Stick with python 2 for now >=dev-lang/python-3 + +# Require our ca-certificates package based directly on Mozilla's +# certificate store provided in NSS rather than the Gentoo/Debian package. +>=app-misc/ca-certificates-20000000