20150426 (patches unapplied)

Imported using git-ubuntu import.

debian/NEWS

@@ -1,3 +1,30 @@
+ca-certificates (20150426) unstable; urgency=medium
+
+  Update Mozilla certificate authority bundle to version 2.4.
+    The following certificate authorities were added (+):
+    + "CFCA EV ROOT"
+    + "COMODO RSA Certification Authority"
+    + "Entrust Root Certification Authority - EC1"
+    + "Entrust Root Certification Authority - G2"
+    + "GlobalSign ECC Root CA - R4"
+    + "GlobalSign ECC Root CA - R5"
+    + "IdenTrust Commercial Root CA 1"
+    + "IdenTrust Public Sector Root CA 1"
+    + "S-TRUST Universal Root CA"
+    + "Staat der Nederlanden EV Root CA"
+    + "Staat der Nederlanden Root CA - G3"
+    + "USERTrust ECC Certification Authority"
+    + "USERTrust RSA Certification Authority"  Closes: #762709
+    The following certificate authorities were removed (-):
+    - "America Online Root Certification Authority 1"
+    - "America Online Root Certification Authority 2"
+    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    - "GTE CyberTrust Global Root"
+    - "Thawte Premium Server CA"
+    - "Thawte Server CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 26 Apr 2015 10:37:48 -0500
+
 ca-certificates (20140927) unstable; urgency=medium
 
   Update Mozilla Certificate Authority bundle to version 2.1.

debian/changelog

@@ -1,3 +1,42 @@
+ca-certificates (20150426) unstable; urgency=medium
+
+  * debian/postinst:
+    Set mode and group of /usr/local/share/ca-certificates based on current
+    /usr/local permissions and ownership.  Closes: #611501
+  * sbin/update-ca-certificates:
+    Allow customisation of the paths used by update-ca-certificates.
+    Add an option to set the certs in a directory to the defaults.
+    Thanks for the patches, Paul Wise.  Closes: #774059, #774201
+    Fix shellcheck warnings and a little indentation.
+  * sbin/update-ca-certificates.8:
+    Correct concatenated file name in man page from certificates.crt to
+    ca-certificates.crt.  Closes: #782230
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.4.
+    The following certificate authorities were added (+):
+    + "CFCA EV ROOT"
+    + "COMODO RSA Certification Authority"
+    + "Entrust Root Certification Authority - EC1"
+    + "Entrust Root Certification Authority - G2"
+    + "GlobalSign ECC Root CA - R4"
+    + "GlobalSign ECC Root CA - R5"
+    + "IdenTrust Commercial Root CA 1"
+    + "IdenTrust Public Sector Root CA 1"
+    + "S-TRUST Universal Root CA"
+    + "Staat der Nederlanden EV Root CA"
+    + "Staat der Nederlanden Root CA - G3"
+    + "USERTrust ECC Certification Authority"
+    + "USERTrust RSA Certification Authority"  Closes: #762709
+    The following certificate authorities were removed (-):
+    - "America Online Root Certification Authority 1"
+    - "America Online Root Certification Authority 2"
+    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    - "GTE CyberTrust Global Root"
+    - "Thawte Premium Server CA"
+    - "Thawte Server CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 26 Apr 2015 10:37:48 -0500
+
 ca-certificates (20141019) unstable; urgency=medium
 
   * debian/copyright:

debian/postinst

@@ -40,12 +40,9 @@ delca() {
 
 case "$1" in
     configure)
-        if [ ! -e /usr/local/share/ca-certificates ]
+        if [ ! -e /usr/local/share/ca-certificates ]; then
-        then
+            if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then
-            if mkdir /usr/local/share/ca-certificates 2>/dev/null
+                chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates
-            then
-                chown root:staff /usr/local/share/ca-certificates
-                chmod 2775 /usr/local/share/ca-certificates
             fi
         fi
 

mozilla/nssckbi.h

@@ -45,8 +45,8 @@
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4
-#define NSS_BUILTINS_LIBRARY_VERSION "2.1"
+#define NSS_BUILTINS_LIBRARY_VERSION "2.4"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/update-ca-certificates

@@ -4,7 +4,7 @@
 #
 # Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
 # Copyright (c) 2009 Philipp Kern <pkern@debian.org>
-# 
+#
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
@@ -23,6 +23,14 @@
 
 verbose=0
 fresh=0
+default=0
+CERTSCONF=/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=/etc/ssl/certs
+HOOKSDIR=/etc/ca-certificates/update.d
+
 while [ $# -gt 0 ];
 do
   case $1 in
@@ -30,6 +38,27 @@ do
       verbose=1;;
     --fresh|-f)
       fresh=1;;
+    --default|-d)
+      default=1
+      fresh=1;;
+    --certsconf)
+      shift
+      CERTSCONF="$1";;
+    --certsdir)
+      shift
+      CERTSDIR="$1";;
+    --localcertsdir)
+      shift
+      LOCALCERTSDIR="$1";;
+    --certbundle)
+      shift
+      CERTBUNDLE="$1";;
+    --etccertsdir)
+      shift
+      ETCCERTSDIR="$1";;
+    --hooksdir)
+      shift
+      HOOKSDIR="$1";;
     --help|-h|*)
       echo "$0: [--verbose] [--fresh]"
       exit;;
@@ -37,11 +66,10 @@ do
   shift
 done
 
-CERTSCONF=/etc/ca-certificates.conf
+if [ ! -s "$CERTSCONF" ]
-CERTSDIR=/usr/share/ca-certificates
+then
-LOCALCERTSDIR=/usr/local/share/ca-certificates
+  fresh=1
-CERTBUNDLE=ca-certificates.crt
+fi
-ETCCERTSDIR=/etc/ssl/certs
 
 cleanup() {
   rm -f "$TEMPBUNDLE"
@@ -67,7 +95,7 @@ add() {
   if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
   then
     ln -sf "$CERT" "$PEM"
-    echo +$PEM >> "$ADDED"
+    echo "+$PEM" >> "$ADDED"
   fi
   # Add trailing newline to certificate, if it is missing (#635570)
   sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
@@ -79,36 +107,44 @@ remove() {
   if test -L "$PEM"
   then
     rm -f "$PEM"
-    echo -$PEM >> "$REMOVED"
+    echo "-$PEM" >> "$REMOVED"
   fi
 }
 
-cd $ETCCERTSDIR
+cd "$ETCCERTSDIR"
 if [ "$fresh" = 1 ]; then
-  echo -n "Clearing symlinks in $ETCCERTSDIR..."
+  echo "Clearing symlinks in $ETCCERTSDIR..."
   find . -type l -print | while read symlink
   do
-    case $(readlink $symlink) in
+    case $(readlink "$symlink") in
-      $CERTSDIR*) rm -f $symlink;;
+      $CERTSDIR*) rm -f "$symlink";;
     esac
   done
   find . -type l -print | while read symlink
   do
-    test -f $symlink || rm -f $symlink
+    test -f "$symlink" || rm -f "$symlink"
   done
   echo "done."
 fi
 
-echo -n "Updating certificates in $ETCCERTSDIR... "
+echo "Updating certificates in $ETCCERTSDIR..."
+
+# Add default certificate authorities if requested
+if [ "$default" = 1 ]; then
+  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
+  do
+    add "$crt"
+  done
+fi
 
 # Handle certificates that should be removed.  This is an explicit act
 # by prefixing lines in the configuration files with exclamation marks (!).
-sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
+sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
 do
   remove "$CERTSDIR/$crt"
 done
 
-sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
 do
   if ! test -f "$CERTSDIR/$crt"
   then
@@ -151,16 +187,19 @@ mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
 
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
-HOOKSDIR=/etc/ca-certificates/update.d
+if [ -d "$HOOKSDIR" ]
-echo -n "Running hooks in $HOOKSDIR...."
+then
-VERBOSE_ARG=
+
-[ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
+  echo "Running hooks in $HOOKSDIR..."
-eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook
+  VERBOSE_ARG=
-do
+  [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
-  ( cat $ADDED
+  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
-    cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
+  do
-done
+    ( cat "$ADDED"
-echo "done."
+      cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
+  done
+  echo "done."
+
+fi
 
 # vim:set et sw=2:
-

sbin/update-ca-certificates.8

@@ -16,7 +16,7 @@
 .\" .sp <n>    insert n+1 empty lines
 .\" for manpage-specific macros, see man(7)
 .SH NAME
-update-ca-certificates \- update /etc/ssl/certs and certificates.crt
+update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt
 .SH SYNOPSIS
 .B update-ca-certificates
 .RI [ options ]
@@ -26,7 +26,7 @@ This manual page documents briefly the
 command.
 .PP
 \fBupdate-ca-certificates\fP is a program that updates the directory
-/etc/ssl/certs to hold SSL certificates and generates certificates.crt,
+/etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt,
 a concatenated single-file list of certificates.
 .PP
 It reads the file /etc/ca-certificates.conf. Each line gives a pathname of