Package: devscripts
Version: 2.15.3
Severity: important
Tags: patch

Control: block 784811 by -1

(x-d-cc: debian-boot@, please keep the list in the loop.)

Hi,

*.debian.org have a few tweaks for SSL certificates, and one needs to point
tools to /etc/ssl/ca-debian or /etc/ssl/ca-debian/ca-certificates.crt to be
able to validate *.debian.org certificates.

You'll find attached a patch which implements support for new configuration
options. Quoting the updated manpage:
|        RMADISON_SSL_CA_FILE=FILE
|            Use the specified CA file instead of the default CA bundle
|            for curl/wget, passed as --cacert to curl, and as
|            --ca-certificate to wget.
| 
|        RMADISON_SSL_CA_PATH=PATH
|            Use the specified CA directory instead of the default CA
|            bundle for curl/wget, passed as --capath to curl, and as
|            --ca-directory to wget.

I've checked that setting either of those in ~d-i/.devscripts.conf on dillon
works:
| RMADISON_SSL_CA_PATH=/etc/ssl/ca-debian
| #RMADISON_SSL_CA_FILE=/etc/ssl/ca-debian/ca-certificates.crt

both with curl and with wget (I've cheated by changing the check on -x curl
to -x curly to test the wget code path).

I think it'd be worth implementing this in jessie as well. I /could/
maintain a patched rmadison binary to be used on dillon.debian.org for d-i
needs but…

Thanks for considering.

Mraw,
KiBi.
From a7ebb9c92b2be32cb79fcce14b31ee17998035d4 Mon Sep 17 00:00:00 2001
From: Cyril Brulebois <k...@debian.org>
Date: Sat, 9 May 2015 04:47:12 +0200
Subject: [PATCH] Add support for RMADISON_SSL_CA_FILE and
 RMADISON_SSL_CA_PATH.

With this, one can point to system-specific locations for CA-related
files, and pass them to curl/wget via the appropriate options.

Signed-off-by: Cyril Brulebois <k...@debian.org>
---
 debian/changelog    |  3 +++
 scripts/rmadison.pl | 28 +++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 402b31f..eb709c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ devscripts (2.15.5) UNRELEASED; urgency=medium
   * Update chdist bash-completion file with the architectures currently (as
     of 2015-04-28) listed on buildd.debian.org and buildd.debian-ports.org.
     (Closes: #783634)
+  * Add support for RMADISON_SSL_CA_FILE and RMADISON_SSL_CA_PATH, so that
+    one can point to system-specific locations for CA-related files, and pass
+    them to curl/wget via the appropriate options.
 
   [ James McCoy ]
   * wrap-and-sort:
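Review bot: the new changelog entry carries no bug reference, whereas the neighbouring entry in the same hunk closes its bug with `(Closes: #783634)`; when the maintainer applies this, the number of this report should be appended in the same form so the bug is closed on upload rather than having to be closed by hand.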
diff --git a/scripts/rmadison.pl b/scripts/rmadison.pl
index 7b41d0c..8008256 100755
--- a/scripts/rmadison.pl
+++ b/scripts/rmadison.pl
@@ -95,6 +95,8 @@ EOT
 
 my $params;
 my $default_arch;
+my $ssl_ca_file;
+my $ssl_ca_path;
 
 if (@ARGV and $ARGV[0] =~ /^--no-?conf$/) {
     shift;
@@ -122,6 +124,10 @@ if (@ARGV and $ARGV[0] =~ /^--no-?conf$/) {
 	    $default_url=$1;
 	} elsif ($envvar =~ /^RMADISON_ARCHITECTURE=(.*)$/) {
 	    $default_arch=$1;
+	} elsif ($envvar =~ /^RMADISON_SSL_CA_FILE=(.*)$/) {
+	    $ssl_ca_file=$1;
+	} elsif ($envvar =~ /^RMADISON_SSL_CA_PATH=(.*)$/) {
+	    $ssl_ca_path=$1;
 	}
     }
 }
@@ -199,7 +205,17 @@ s/:.*// for (@ARGV);
 foreach my $url (@url) {
     print "$url:\n" if @url > 1;
     $url = $url_map{$url} if $url_map{$url};
-    my @cmd = -x "/usr/bin/curl" ? qw/curl -f -s -S -L/ : qw/wget -q -O -/;
+    my @cmd;
+    if ( -x "/usr/bin/curl" ) {
+        @cmd = qw/curl -f -s -S -L/;
+        push @cmd, "--cacert", $ssl_ca_file if $ssl_ca_file;
+        push @cmd, "--capath", $ssl_ca_path if $ssl_ca_path;
+
+    } else {
+        @cmd = qw/wget -q -O -/;
+        push @cmd, "--ca-certificate=$ssl_ca_file" if $ssl_ca_file;
+        push @cmd, "--ca-directory=$ssl_ca_path"   if $ssl_ca_path;
+    }
     system @cmd, $url . (($url =~ m/\?/)?'&':'?')."package=" . join("+", map { uri_escape($_) } @ARGV) . "&text=on&" . join ("&", @args);
     $status = 1 if ($? >> 8 != 0);
 }
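Review bot: the configured path is handed straight to curl/wget without checking that it exists, so a typo in `RMADISON_SSL_CA_FILE`/`RMADISON_SSL_CA_PATH` in ~/.devscripts.conf surfaces only as the downloader's own failure, and with the wget branch (`qw/wget -q -O -/`) that failure is silent: -q suppresses the error text, leaving an empty result and a non-zero status. Consider a `-r $ssl_ca_file` / `-d $ssl_ca_path` check before building @cmd that warns with the variable name, e.g. `warn "RMADISON_SSL_CA_FILE: $ssl_ca_file is not readable\n"`. Minor style point: the blank line between `push @cmd, "--capath", $ssl_ca_path if $ssl_ca_path;` and `} else {` is stray and should go.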
@@ -330,6 +346,16 @@ Set the default architecture to use unless overridden by a command line option.
 To run an unrestricted query when B<RMADISON_ARCHITECTURE> is set, use
 B<--architecture='*'>.
 
+=item B<RMADISON_SSL_CA_FILE>=I<FILE>
+
+Use the specified CA file instead of the default CA bundle for curl/wget,
+passed as --cacert to curl, and as --ca-certificate to wget.
+
+=item B<RMADISON_SSL_CA_PATH>=I<PATH>
+
+Use the specified CA directory instead of the default CA bundle for curl/wget,
+passed as --capath to curl, and as --ca-directory to wget.
+
 =back
 
 =head1 NOTES
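Review bot: the option names in the two new =item entries (`--cacert`, `--capath`, `--ca-certificate`, `--ca-directory`) are plain text, while the surrounding POD marks options up as B<...> (see B<--architecture='*'> just above); use B<--cacert> etc. for consistency. Two things a reader of this section will want and the text does not say: first, unlike RMADISON_ARCHITECTURE, which the preceding entry says can be overridden on the command line, these settings have no command-line counterpart, so a user who needs to query a non-debian.org URL with the stock CA bundle has to edit the configuration or run with --noconf; second, curl's --capath and wget's --ca-directory expect a directory processed with c_rehash (hash-named links), not merely a directory of PEM files, which is worth a sentence under RMADISON_SSL_CA_PATH.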
-- 
2.1.4
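The patch passes RMADISON_SSL_CA_PATH straight through as curl --capath / wget --ca-directory, and both tools hand such a directory to OpenSSL, which looks certificates up by subject hash (the <hash>.0 links that c_rehash or "openssl rehash" create) rather than by scanning for PEM files. The following is an added example, not part of the bug report or of devscripts, showing a check a practitioner can run against a candidate directory before pointing rmadison at it. It assumes the openssl command-line tool is installed; the CA certificate it uses is a throwaway self-signed one generated into a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Added example (not devscripts code): verify that a directory is usable as
# curl --capath / wget --ca-directory, i.e. that every PEM certificate in it
# has the OpenSSL subject-hash link (<hash>.0) the lookup relies on.
#
# capath_check DIR -> prints one status line per certificate; returns 0 only
# if every certificate is hashed, 1 otherwise (or if DIR has no certificates).
capath_check() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    rc=0
    found=0
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue          # unmatched glob stays literal; skip it
        found=1
        # Subject hash as OpenSSL computes it for the directory lookup.
        hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || { rc=1; continue; }
        if [ -e "$dir/$hash.0" ]; then
            echo "ok      $(basename "$pem") -> $hash.0"
        else
            echo "missing $(basename "$pem"): no $hash.0 link (run: openssl rehash $dir)"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no PEM certificates in $dir" >&2; rc=1; }
    return $rc
}

# Hash the directory in place, preferring "openssl rehash" (OpenSSL 1.1+)
# and falling back to the older c_rehash script.
capath_rehash() {
    openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

# Demonstration on a constructed, throwaway CA directory.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-test-ca" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
if capath_check "$demo_dir"; then
    echo "unexpected: unhashed directory passed"
else
    echo "as expected: a bare PEM file is not enough for --capath/--ca-directory"
fi
capath_rehash "$demo_dir"
if capath_check "$demo_dir"; then
    echo "directory is now usable as RMADISON_SSL_CA_PATH"
fi
rm -rf "$demo_dir"
```

Run it against the real candidate, e.g. `capath_check /etc/ssl/ca-debian`, after sourcing the function; a "missing" line means the configured rmadison query would fail certificate validation even though the CA file is present in the directory.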
