This package is based exclusively on the Mozilla certificate store
distributed in their NSS library and adopts NSS's version accordingly.
It replaces the previous Gentoo package which came directly from Debian.
The Debian package package had a couple issues we didn't like:
- Trusts the http://cacert.org root CA which isn't the worst thing in
the world to do but seems like a really bad default policy to ship.
- update-ca-certificates had a confusing configuration/hook scheme
which seemed almost useful but completely obnoxious and useless to
CoreOS at the same time. systemd-tmpfiles plus a simpler script does
a better job for us.
The python script certdata2pem.py came from Debian's source package
ca-certificates_20130119 and modified slightly. It is only used at
build-time to convert the file format used by NSS to PEM files.
The old packages used dates as the version, this one uses the NSS
library the certificate store came from as the version. This may cause
an issue if packages from Gentoo depend on >=ca-certificates-20080809 or
similar. Currently the only packages in Gentoo that do so are
sci-misc/boinc and www-client/epiphany, neither of which will ever be
needed in CoreOS so we should be OK.
Switch to portage's default (wget) for fetching. wget is nice and
reports the URL it is downloading while curl does not. This makes
understanding errors like '404' actually somewhat possible.
The --checkpoint arg to tar didn't serve much of a useful purpose as far
as I know besides adding to the build noise. Just drop it.
- Add || die to commands without them to avoid missing errors.
- Symlink resolv.conf to /run on amd64-generic images again.
- Properly sed /etc/issue out of tmpfiles.
- Fix symlinks for mtab and sudo.
- Fix directory ordering in tmpfiles.
- Update groups, a few were missing or incorrect.
- Bump coreos-base/coreos revision.
This replaces the old Gentoo baselayout and coreos-base packages.
Changes include:
- Move nss data files from /etc to /usr/share/baselayout
- Enable nss-usrfiles module to use the new location.
- Move other misc files from /etc to /usr/share/baselayout, using
compatibility symlinks in /etc generated by tmpfiles.
- All base system directories can be generated by tmpfiles.
- No more /etc/gentoo-release
- Simplified code, doesn't bother trying to migrate lib symlinks and
simply fails if the existing filesystem is incorrect.
- In /usr images the `core` user's UID/GID is now 500 to keep us within
the reserved system UID/GID space. Eventually once the SDK switches
to this the `core` user will not conflict with the local developer's
account. It also makes it clearer what range people can use when
creating accounts in /usr images. No other UID/GIDs are changing.
- New eclass to let ebuilds run the equivalent of `tmpfiles --create`.
In the future this may be replaced by calling `tmpfiles` directly
once it has a `--root` argument but I haven't pushed those patches
upstream for review yet.
This simplifies the build process, we have no need for trousers or other
tpm related things from ChromeOS. Bump vboot_reference so it no longer
needs trousers as a build dependency.
Nmap itself is excluded, just want the basic network tools.
ncat is a netcat implementation with support for fun things like SSL.
In the future we could add nping but since we already include iputils
that is not quite as important as ncat.
The nmap ebuild includes a compile fix posted here:
https://bugs.gentoo.org/show_bug.cgi?id=501136
Symlinks out of /etc to /usr should generally be relative, that way they
work regardless of whether you are based at / or dealing with a new
chroot you haven't entered yet, or a build root like /build/amd64-usr
Namely the absolute links break cros_sdk which copies skel into home.
Also switch to /usr/share/skel since other packages may need install
things to that directory in the future.
If c10n fails etcd should not start, wait until it is known if there is
a cluster config to use or not. Also now c10n may not write out a
cluster config on ec2 if there isn't a need for one. Make this case
non-fatal and start up etcd as a master node.
Includes a few other changes which are either bug fixes or doc updates:
Brandon Philips (4):
bump(README): increase the version of the README to 0.3.0
fix(README): move contact closer to contributing
feat(scripts): use zip for windows and darwin
fix(server/v1): don't fail put on new v1 key
Brian Waldon (3):
doc(CompareAndDelete): Add missing CAD docs
doc(CompareAndSwap): clarify prevIndex in CAS
chore(gofmt): gofmt compare_and_delete_command.go
Jan-Erik Rediger (1):
Change token example to use returned value only
Michael Marineau (1):
add(server/v1/tests): Port many of the v2 HTTP handler tests to v1
TANABE Ken-ichi (2):
fix(mod/lock): Use dedicated channel to shutdown goroutine properly
fix(mod/lock): Use CreatedIndex in the first node to watch
