author | Alberto Bertogli
<albertito@blitiri.com.ar> 2017-07-30 17:21:29 UTC |
committer | Alberto Bertogli
<albertito@blitiri.com.ar> 2017-07-31 20:51:43 UTC |
parent | bd31df3c63f287c29aa5a2147185a5e88e3c6d44 |
debian/changelog | +1 | -0 |
debian/patches/series | +0 | -4 |
debian/patches/upstream_scripts-Fix-kxd-add-client-key-missing-fi-and-wrong-.patch | +0 | -40 |
debian/patches/upstream_tests-Use-LOGNAME-instead-of-os.getlogin.patch | +0 | -52 |
debian/patches/upstream_tests-assert-negociated | +0 | -36 |
debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky | +0 | -69 |
diff --git a/debian/changelog b/debian/changelog
index 7931c58..ceec1d6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 kxd (0.13+git20170730.6182dc8-1) UNRELEASED; urgency=medium
 * Update to current upstream
+ * Drop Debian patches that are no longer needed
 -- Alberto Bertogli <albertito@blitiri.com.ar> Sun, 30 Jul 2017 18:19:58 +0100
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index d1abcc2..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1,4 +0,0 @@
-upstream_scripts-Fix-kxd-add-client-key-missing-fi-and-wrong-.patch
-upstream_tests-Use-LOGNAME-instead-of-os.getlogin.patch
-upstream_tests-assert-negociated
-upstream_tests_fix_ssl_validation_in_test_tricky
diff --git a/debian/patches/upstream_scripts-Fix-kxd-add-client-key-missing-fi-and-wrong-.patch b/debian/patches/upstream_scripts-Fix-kxd-add-client-key-missing-fi-and-wrong-.patch
deleted file mode 100644
index 1f0a3ed..0000000
--- a/debian/patches/upstream_scripts-Fix-kxd-add-client-key-missing-fi-and-wrong-.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Alberto Bertogli <albertito@blitiri.com.ar>
-Date: Sun, 13 Jul 2014 14:31:23 +0100
-Subject: scripts: Fix kxd-add-client-key missing "fi" and wrong variable
-
-Somehow, scripts/kxd-add-client-key is missing a "fi" to close the "if"
-statement, and uses $SERVER instead of $CLIENT in a couple of places.
-
-This patch fixes that.
-
-Thanks to Maximiliano Curia for reporting the issue.
-
-Signed-off-by: Alberto Bertogli <albertito@blitiri.com.ar>
----
- scripts/kxd-add-client-key | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/scripts/kxd-add-client-key b/scripts/kxd-add-client-key
-index eff0d56..dbeb958 100755
---- a/scripts/kxd-add-client-key
-+++ b/scripts/kxd-add-client-key
-@@ -5,7 +5,7 @@ set -e
- CLIENT="$1"
- KEYNAME="$2"
-
--if [ "$SERVER" = "" ] || [ "$KEYNAME" = "" ]; then
-+if [ "$CLIENT" = "" ] || [ "$KEYNAME" = "" ]; then
- echo "
- Usage: kxd-add-client-key <client hostname> <key name>
-
-@@ -15,8 +15,9 @@ corresponding configuration (including a randomly generated key) in
- /etc/kxd/data/<client hostname>/<key name>/.
- "
- exit 1
-+fi
-
--CONFIGPATH="/etc/kxd/data/$SERVER/$KEYNAME"
-+CONFIGPATH="/etc/kxd/data/$CLIENT/$KEYNAME"
-
- echo "Creating directory ($CONFIGPATH)"
- mkdir -p "$CONFIGPATH"
diff --git a/debian/patches/upstream_tests-Use-LOGNAME-instead-of-os.getlogin.patch b/debian/patches/upstream_tests-Use-LOGNAME-instead-of-os.getlogin.patch
deleted file mode 100644
index eae8827..0000000
--- a/debian/patches/upstream_tests-Use-LOGNAME-instead-of-os.getlogin.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Alberto Bertogli <albertito@blitiri.com.ar>
-Date: Thu, 17 Jul 2014 23:38:40 +0100
-Subject: tests: Use $LOGNAME instead of os.getlogin()
-
-The tests use os.getlogin() to get the user they're running under, which is
-used just for informational names to make troubleshooting easier.
-
-However, that function fails when the controlling terminal isn't a tty; this
-is triggered for example by the Debian automated build process, which is how
-this bug was originally reported (http://bugs.debian.org/755036).
-
-To fix that, we can just try to get $LOGNAME from the environment, and fall
-back to "unknown" if missing, which is harmless.
-
-Signed-off-by: Alberto Bertogli <albertito@blitiri.com.ar>
----
- tests/run_tests | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/tests/run_tests b/tests/run_tests
-index a967b3e..23bfadf 100755
---- a/tests/run_tests
-+++ b/tests/run_tests
-@@ -48,6 +48,10 @@ DEVNULL = open("/dev/null", "w")
-
- TEMPDIR = "/does/not/exist"
-
-+# User the script is running as. Just informational, for troubleshooting
-+# purposes, so we don't care if it's missing.
-+LOGNAME = os.environ.get('LOGNAME', 'unknown')
-+
-
- def setUpModule(): # pylint: disable=invalid-name
- if not os.path.isfile(BINS + "/kxd"):
-@@ -90,7 +94,7 @@ class Config(object):
- req_args = ["openssl", "req", "-new", "-batch",
- "-subj", ("/commonName=*" +
- "/organizationalUnitName=kxd-tests-%s:%s@%s" % (
-- self.name, os.getlogin(), platform.node())),
-+ self.name, LOGNAME, platform.node())),
- "-key", "%s/key.pem" % self.path]
- if self_sign:
- req_args.extend(["-x509", "-out", "%s/cert.pem" % self.path])
-@@ -127,7 +131,7 @@ class CA(object):
- "-config", OPENSSL_CONF,
- "-subj", ("/commonName=*" +
- "/organizationalUnitName=kxd-tests-ca:%s@%s" % (
-- os.getlogin(), platform.node())),
-+ LOGNAME, platform.node())),
- "-extensions", "v3_ca", "-nodes",
- "-keyout", "cakey.pem",
- "-out", "cacert.pem"],
diff --git a/debian/patches/upstream_tests-assert-negociated b/debian/patches/upstream_tests-assert-negociated
deleted file mode 100644
index e29acad..0000000
--- a/debian/patches/upstream_tests-assert-negociated
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Alberto Bertogli <albertito@blitiri.com.ar>
-Date: Tue, 23 Aug 2016 09:50:56 +0200
-Subject: tests: Assert negotiated cipher secret size >= 128 bits
-
-Currently, the tests assert that the negotiated cipher secret size is > 128
-bits. Due to recent changes (probably in openssl), in Debian testing we end up
-negotiating ECDHE-RSA-AES128-GCM-SHA256 which has a 128 bit key.
-
-That causes the test to fail.
-
-There's nothing wrong with 128 bit keys in this context, and probably the
-original intention was to use >= but got stuck with > as it worked.
-
-While the value of this check is arguable, let's keep it for now, just
-changing the check to >= so 128 bit secrets don't cause the test to fail.
-
-Signed-off-by: Alberto Bertogli <albertito@blitiri.com.ar>
----
- tests/run_tests | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/run_tests b/tests/run_tests
-index 23bfadf..85531ee 100755
---- a/tests/run_tests
-+++ b/tests/run_tests
-@@ -404,8 +404,8 @@ class TrickyRequests(TestCase):
- certfile=self.client.cert_path())
-
- # We don't check the cipher itself, as it depends on the environment,
-- # but we should be using > 128 bit secrets.
-- self.assertTrue(sock.cipher()[2] > 128)
-+ # but we should be using >= 128 bit secrets.
-+ self.assertTrue(sock.cipher()[2] >= 128)
-
- server_cert = ssl.DER_cert_to_PEM_cert(
- sock.getpeercert(binary_form=True))
diff --git a/debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky b/debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky
deleted file mode 100644
index 321dfa8..0000000
--- a/debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Alberto Bertogli <albertito@blitiri.com.ar>
-Date: Tue, 23 Aug 2016 09:50:56 +0200
-Subject: tests: Fix SSL validation in test_tricky
-
-test_tricky uses httplib to create a client, which used to not validate the
-server certificate.
-
-Python 2.7.9 changes that, and now the test fail because the client cannot
-validate the server.
-
-The problem is that to fix this, we need to use the new "context" parameter
-which is not backwards-compatible. So we have to add a little version-specific
-code to work around this.
-
-Signed-off-by: Alberto Bertogli <albertito@blitiri.com.ar>
----
- tests/run_tests | 23 +++++++++++++++++++----
- 1 file changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/tests/run_tests b/tests/run_tests
-index 85531ee..81de253 100755
---- a/tests/run_tests
-+++ b/tests/run_tests
-@@ -24,6 +24,7 @@ import shutil
- import socket
- import ssl
- import subprocess
-+import sys
- import tempfile
- import time
- import unittest
-@@ -376,9 +377,23 @@ class Multiples(TestCase):
- class TrickyRequests(TestCase):
- """Tests for tricky requests."""
-
-+ def HTTPSConnection(self, host, port, key_file=None, cert_file=None):
-+ # httplib.HTTPSConnection() wrapper that works with versions before
-+ # and after Python 2.7.9, which introduced default server validation
-+ # with no backwards-compatible way of turning it off.
-+ if sys.hexversion < 0x2070900:
-+ return httplib.HTTPSConnection(
-+ host, port, key_file=key_file, cert_file=cert_file)
-+
-+ # Get an SSL context that can validate our server certificate.
-+ context = ssl.create_default_context(cafile=self.server.cert_path())
-+ return httplib.HTTPSConnection(
-+ host, port, key_file=key_file, cert_file=cert_file,
-+ context=context)
-+
- def test_tricky(self):
- # No local certificate.
-- conn = httplib.HTTPSConnection("localhost", 19840)
-+ conn = self.HTTPSConnection("localhost", 19840)
- try:
- conn.request("GET", "/v1/")
- except ssl.SSLError as err:
-@@ -387,9 +402,9 @@ class TrickyRequests(TestCase):
- self.fail("Client call did not fail as expected")
-
- # Requests with '..'.
-- conn = httplib.HTTPSConnection("localhost", 19840,
-- key_file=self.client.key_path(),
-- cert_file=self.client.cert_path())
-+ conn = self.HTTPSConnection("localhost", 19840,
-+ key_file=self.client.key_path(),
-+ cert_file=self.client.cert_path())
- conn.request("GET", "/v1/a/../b")
- response = conn.getresponse()
-