changes:
* New option --url for the LOOKUP command and dirmngr-client.
* The LOOKUP command does now also consults the local cache. New
option --cache-only for it and --local for dirmngr-client.
* Port to Windows completed.
* Improved certificate chain construction.
* Support loading of PEM encoded CRLs via HTTP.
* Client based trust anchors are now supported.
* Configured certificates with the suffix ".der" are now also used.
* Libgcrypt 1.4 is now required.
reviewed by John R. Shannon
pkgsrc notes:
I've left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
Beiing here, support DESTDIR.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
* The option --ocsp-signer may now take a filename to allow several
certificates to be valid signers for the default responder.
* New option --ocsp-max-period and improved the OCSP time checks.
* New option --force-default-signer for dirmngr-client.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves. Dirmngr also handles OCSP requests as an
alternative to CRLs. Dirmngr is either invoked internally by gpgsm
(from GnuPG-2) or when running as a system daemon through the
dirmngr-client tool.
* A couple of bug fixes for OCSP.
* OCSP does now make use of the responder ID and optionally included
certificates in the response to locate certificates.
* No more lost file descriptors when loading CRLs via HTTP.
* HTTP redirection for CRL and OCSP has been implemented.
* Man pages are now build and installed from the texinfo source.
Note, that you need to update libksba to version 1.0.0 for this
release.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries. From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
package builds and works correctly. This approach was taken prior to
this change. The is a problem because pth installs pthread.h in
${LOCALBASE}/include. This causes problems for things like Ada tasking
that depend on native pthreads when also linking against libraries in
pkgsrc (eg., gmp).
This change solve the problem by building a static pth library locally
and linking against it.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves. Dirmngr also handles OCSP requests as an
alternative to CRLs. Dirmngr is either invoked internaly by gpgsm
(from gnupg 1.9) or when running as a system daemon through the
dirmngr-client tool.
Whats new in this release
=========================
* New option --daemon to start dirmngr as a system daemon. This
switches to the use of different directories and also does
CRL signing certificate validation on its own.
* New tool dirmngr-client.
* New options: --ldap-wrapper-program, --http-wrapper-program,
--disable-ldap, --disable-http, --honor-http-proxy, --http-proxy,
--ldap-proxy, --only-ldap-proxy, --ignore-ldap-dp and
--ignore-http-dp.
* Uses an external ldap wrapper to cope with timeouts and general
LDAP problems.
* SIGHUP may be used to reread the configuration and to flush the
certificate cache.
* An authorithyKeyIdentifier in a CRL is now handled correctly.
- Refill the DESCR file.
- Remove BUILD_USES_MSGFMT; distfile ships with prebuilt .gmo files.
- Do not use GNU make as it's not needed.
- Use BUILDLINK_PREFIX.openldap instead of LOCALBASE to locate openldap.
- Register info file properly and fix a typo in its directory entry so
that it can be accessed.
- Patch configure instead of configure.ac, so we can drop the build
dependency on autoconf.
- Add missing dependencies on libiconv and gettext-lib.
- Sort USE_* and include sections alphabetically.
- Remove BUILDLINK_DEPENDS.* version overrides because the respective
buildlink3.mk files already pull in a newer version.
- Drop all logic to detect the actual gettext-lib version. This was wrong
because it relied on the version currently installed (thus having a good
chance to produce different results between systems), and because it's
not the way to go. Instead, simply include gettext-lib's buildlink3.mk
file, and let the builtin.mk machinery decide what to do.
- Also add the locale files to the PLIST.
certificate revocation lists (CRLs) for X.509
certificates and for downloading the certificates
themselves. DirMngr also handles OCSP requests as
an alternative to CRLs. DirMngr is usually invoked
by gpgsm and in general not used directly.
