Merge ~3v1n0/ubuntu/+source/sssd:ubuntu/focal into ubuntu/+source/sssd:ubuntu/focal-devel
Status: | Needs review |
---|---|
Proposed branch: | ~3v1n0/ubuntu/+source/sssd:ubuntu/focal |
Merge into: | ubuntu/+source/sssd:ubuntu/focal-devel |
Diff against target: | 500 lines (+357/-1) 9 files modified |

* debian/changelog (+35/-0)
* debian/control (+10/-1)
* debian/nss-database-pem-exporter/README.md (+13/-0)
* debian/nss-database-pem-exporter/nss-database-pem-exporter.c (+179/-0)
* debian/patches/series (+1/-0)
* debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch (+37/-0)
* debian/rules (+13/-0)
* debian/sssd-common.install (+1/-0)
* debian/sssd-common.postinst (+68/-0)

Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Dimitri John Ledkov (community) | with logs | | Approve |
Sergio Durigan Junior (community) | | | Approve |

Review via email: mp+395411@code.launchpad.net
This proposal supersedes a proposal from 2020-12-16.
Description of the change
* debian/control:
- Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
- Update Maintainer to Ubuntu devs
* debian/rules: Compile using libcrypto as crypto backend (LP: #1905790)
* debian/
When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).
To do this, and not to introduce a new dependency on libnss3-tools
(which is not shipped by default, other than making the parsing not
work in some scenarios) I've added a small C tool that we compile and
install as part of the sssd-common package which is able to get all the
trusted CA certificates for an NSS database and export them in PEM
format.
The nss-database-
we now:
1. Read the SSSD settings
2. Convert all the certificates in the configured NSS databases
3. Store them all, appending them to the (new) default location
(/etc/
4. Disable the configured locations if pointing to NSS dbs (needed or
we'll leave the configuration with broken values).
At this point nss-database-
package that still depends on NSS libraries. (LP: #1905790)
* debian/patches:
- Get libsofthsm2 from right path for each architecture, this is now used
for real (wasn't before) to test p11k components with libcrypto and
p11-kit, also avoids a test build failure on armhf (LP: #1905790)
A PPA with the built packages is at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4361/+packages
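
Step 4 of the migration described above (disabling settings that still point at an NSS database), as an added sketch that is not the package's postinst or the proposer's code. The option names `pam_cert_db_path` and `ca_db`, the rule used to recognise an NSS database, and the sample configuration are assumptions that do not appear on this page.

```shell
# Added example, not the package's postinst. Assumptions: the CA database
# options are pam_cert_db_path ([pam]) and ca_db ([ssh]); a value is an NSS
# db if it has a "sql:"/"dbm:" prefix or is a directory with cert9.db/cert8.db.

trim() {  # strip leading and trailing whitespace from $1
    s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

is_nss_db() {  # $1: option value
    case "$1" in sql:*|dbm:*) return 0 ;; esac
    [ -d "$1" ] && { [ -e "$1/cert9.db" ] || [ -e "$1/cert8.db" ]; }
}

disable_nss_db_options() {  # stdin: sssd.conf, stdout: rewritten copy
    section=
    while IFS= read -r line || [ -n "$line" ]; do
        t=$(trim "$line")
        case "$t" in
            \[*\]*) section=${t#\[}; section=${section%%\]*} ;;
            \#*|\;*) ;;  # already a comment, keep as is
            *=*)
                key=$(trim "${t%%=*}")
                val=$(trim "${t#*=}")
                case "$section/$key" in
                    pam/pam_cert_db_path|ssh/ca_db)
                        if is_nss_db "$val"; then
                            line="# disabled, NSS database: $line"
                        fi ;;
                esac ;;
        esac
        printf '%s\n' "$line"
    done
}

sample_conf() {  # constructed sssd.conf fragment
    cat <<'EOF'
[pam]
pam_cert_db_path = sql:/etc/pki/nssdb

[ssh]
ca_db = /constructed/ca-bundle.pem
EOF
}

sample_conf | disable_nss_db_options
```

Commenting the option out rather than rewriting it keeps the old value visible for review after the upgrade.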