On Mon, Sep 30, 2013 at 01:15:54AM +0200, Cyril Brulebois wrote:

[...]

> To reduce user perplexity, I guess we could consider getting sympa to
> catch this situation instead, which would reduce side effects. I think
> something along the lines of this commit would go in a better direction
> than adding a Pre-Depends:

I fully agree.
I've prepared a pu upload (I hope it will be ok for the next point release) which fixes this issue and another one (#720383). About #720383, the fix is a one-line patch.

Attached is the debdiff.

Regards,

M.

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org
  gpg: 4096R/0x929D42C3
  xmpp: kol...@im.openics.org
  irc: kolter@{freenode,oftc}

diff -Nru sympa-6.1.11~dfsg/debian/changelog sympa-6.1.11~dfsg/debian/changelog --- sympa-6.1.11~dfsg/debian/changelog 2012-11-30 19:01:18.000000000 +0000 +++ sympa-6.1.11~dfsg/debian/changelog 2013-10-03 14:54:00.000000000 +0000 @@ -1,3 +1,11 @@ +sympa (6.1.11~dfsg-5+deb7u1) stable-proposed-updates; urgency=low + + * Add a patch to raise a warning instead of an error when the CA + bundle file is not readable. + * Add a patch to fix CAS authentication issues (Closes: #720383) + + -- Emmanuel Bouthenot <kol...@debian.org> Thu, 03 Oct 2013 19:54:58 +0000 + sympa (6.1.11~dfsg-5) unstable; urgency=low * Fix SQLite patch to avoid crash during installation from scratch and diff -Nru sympa-6.1.11~dfsg/debian/patches/0001_fix_cas_authentication.patch sympa-6.1.11~dfsg/debian/patches/0001_fix_cas_authentication.patch --- sympa-6.1.11~dfsg/debian/patches/0001_fix_cas_authentication.patch 1970-01-01 00:00:00.000000000 +0000 +++ sympa-6.1.11~dfsg/debian/patches/0001_fix_cas_authentication.patch 2013-10-03 14:04:12.000000000 +0000 
@@ -0,0 +1,18 @@ +Description: Fix CAS/LDAP authentication +Author: F. Périchon +Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php?view=revision&root=sympa&revision=7917 +Bug-Debian: http://bug.debian.org/720383 +Last-Update: 2013-10-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/wwsympa/Auth.pm ++++ b/wwsympa/Auth.pm +@@ -330,7 +330,7 @@ + filter => $filter, + scope => $ldap->{'ldap_scope'}, + timeout => $ldap->{'ldap_timeout'}, +- attrs => $ldap->{'ldap_email_attribute'} ++ attrs => [$ldap->{'ldap_email_attribute'}], + ); + my $count = $emails->count(); + diff -Nru sympa-6.1.11~dfsg/debian/patches/2001_ca_bundle_check_as_warning.patch sympa-6.1.11~dfsg/debian/patches/2001_ca_bundle_check_as_warning.patch --- sympa-6.1.11~dfsg/debian/patches/2001_ca_bundle_check_as_warning.patch 1970-01-01 00:00:00.000000000 +0000 +++ sympa-6.1.11~dfsg/debian/patches/2001_ca_bundle_check_as_warning.patch 2013-10-03 13:48:51.000000000 +0000 
@@ -0,0 +1,50 @@ +Description: Raise a warning instead of an error when the CA bundle file is not readable. + For its internal usage (to make https request and verify smime mail signatures) Sympa + needs access to the Certificates Authorities installed on the system. + + Certificates Authorities are available in the package ca-certificates and + this package also provides a single file with all the CA concatenated. + The location of this file is /etc/ssl/certs/ca-certificates.crt + + Sympa package provides a symlink from /usr/share/sympa/default/ca-bundle.crt + to /etc/ssl/certs/ca-certificates.crt + + Recently, to fix bug #537051 the ca-certificates package maintainer has + decided to replace the CA bundle generation + (/etc/ssl/certs/ca-certificates.crt) in the postinst by a trigger. + + During installation of Sympa, if ca-certificates is not present, it is + installed as a Sympa dependency but the sympa postinst will always be + executed before the ca-certificates triggers. + It means that Sympa start will fail with an error because + /etc/ssl/certs/ca-certificates.crt does not exists (not yet generated by the + ca-certificates trigger). + + The following patch tries to detect if the CA bundle configured in sympa is a + symlink to /etc/ssl/certs/ca-certificates.crt. In that case, a warning raised + instead of en error. + + This is a purely Debian specific fix, which is quite ugly but it works. + + A better patch will be very much appreciated. +Author: Emmanuel Bouthenot <kol...@debian.org> +Bug-Debian: http://bugs.debian.org/706965 +Forwarded: not-needed +Last-Update: 2013-07-02 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/lib/Conf.pm ++++ b/src/lib/Conf.pm +@@ -876,7 +876,11 @@ + + ## Check cafile and capath access + if (defined $Conf{'cafile'} && $Conf{'cafile'}) { +- unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) { ++ my $debian_ca_bundle = '/etc/ssl/certs/ca-certificates.crt'; ++ if (-l $Conf{'cafile'} && ! 
-r $Conf{'cafile'} && readlink($Conf{'cafile'}) == $debian_ca_bundle) { ++ &do_log('warning', 'cafile (%s) is a symlink to the Debian CA certificates bundle (%s) which is not yet installed yet (see #706965)', $Conf{'cafile'}, $debian_ca_bundle); ++ } ++ elsif (! -f $Conf{'cafile'} || ! -r $Conf{'cafile'}) { + &do_log('err', 'Cannot access cafile %s', $Conf{'cafile'}); + unless (&List::send_notify_to_listmaster('cannot_access_cafile', $Conf{'domain'}, [$Conf{'cafile'}])) { + &do_log('err', 'Unable to send notify "cannot access cafile" to listmaster'); diff -Nru sympa-6.1.11~dfsg/debian/patches/series sympa-6.1.11~dfsg/debian/patches/series --- sympa-6.1.11~dfsg/debian/patches/series 2012-05-21 12:23:32.000000000 +0000 +++ sympa-6.1.11~dfsg/debian/patches/series 2013-10-03 13:58:31.000000000 +0000 @@ -1,3 +1,4 @@ +0001_fix_cas_authentication.patch 1002_mysql_default_charset_engine.patch 1004_wizard_support_batch_and_display_mode.patch 1005_wizard_emit_cmd_and_newline_when_dying.patch @@ -9,6 +10,7 @@ 1012_fix_manpages_typos_and_whatis_entries.patch 1013_fix_wording_sympa_wizard_manpage.patch 1014_fix_unknown_parameter_ldap_force_canonical_email.patch +2001_ca_bundle_check_as_warning.patch 2002_wizard_drop_localedir.patch #2003_sanitize_make_all.patch 2004_pg_create_db.patch
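
Review bot: In the debian/changelog hunk, the first bullet (the CA bundle warning) cites no bug number, although the patch it describes carries "Bug-Debian: http://bugs.debian.org/706965" in its header. Mentioning #706965 in that bullet, the way the second bullet mentions #720383, would make the stable update traceable to the bug it addresses. The trailer time (19:54:58 +0000) is also five hours later than the file timestamp shown in the diff header (14:54:00 +0000), so the offset in the trailer is worth checking.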
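
Review bot: In the DEP-3 header of 0001_fix_cas_authentication.patch, the Bug-Debian field points at http://bug.debian.org/720383, while the header of 2001_ca_bundle_check_as_warning.patch uses the bugs.debian.org host. The field should read http://bugs.debian.org/720383 so both headers are consistent and the reference resolves. The code change itself is limited to wrapping $ldap->{'ldap_email_attribute'} in an array reference and adding the trailing comma, which matches the "one line" description in the cover mail.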
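
Review bot: In the Conf.pm hunk inside 2001_ca_bundle_check_as_warning.patch, the test readlink($Conf{'cafile'}) == $debian_ca_bundle compares two path strings with the numeric operator. Perl converts both strings to numbers first, and a path beginning with "/" converts to 0, so the comparison is true for essentially any link target, not only /etc/ssl/certs/ca-certificates.crt. As written, every configured cafile that is an unreadable symlink is downgraded from 'err' (with listmaster notification) to 'warning', which is wider than the Debian-specific case the description sets out and hides a broken CA configuration that affects HTTPS and S/MIME verification. Use the string operator, readlink($Conf{'cafile'}) eq $debian_ca_bundle, and note that readlink returns the link target as stored, so a relative symlink would not match the absolute path. The new log message also repeats itself ("which is not yet installed yet"), and the description has "en error" and "does not exists".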