[SCM] eclipse - Powerful IDE written in java - Debian package. branch, maverick, updated. debian/3.5.2-6-5-g3117f4a

Benjamin Drung bdrung-guest at alioth.debian.org
Tue Oct 19 23:18:59 UTC 2010


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "eclipse - Powerful IDE written in java - Debian package.".

The branch, maverick has been updated
       via  3117f4ac09806cfecbb6646dd347b8e266687bd5 (commit)
       via  80057d5fe42016a745494420a21fbec7d2440c49 (commit)
       via  e7c384be925c2e16437858f63047b55e9fa31d0f (commit)
       via  d204af835d431ddf9e14e69ed295e9fd77a4eec6 (commit)
      from  1c787f5a3c181fc5549308fff9d44d4cf2bbea19 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3117f4ac09806cfecbb6646dd347b8e266687bd5
Author: Benjamin Drung <bdrung at ubuntu.com>
Date:   Wed Oct 20 01:17:04 2010 +0200

    Update Maintainer field.

commit 80057d5fe42016a745494420a21fbec7d2440c49
Author: Benjamin Drung <bdrung at ubuntu.com>
Date:   Wed Oct 20 01:16:22 2010 +0200

    Added NEWS entry about how to workaround #587657.

commit e7c384be925c2e16437858f63047b55e9fa31d0f
Author: Benjamin Drung <bdrung at ubuntu.com>
Date:   Wed Oct 20 01:11:46 2010 +0200

    Backported fix for finding root CA in keystore rather than from JAR. (LP: #655833)

commit d204af835d431ddf9e14e69ed295e9fd77a4eec6
Author: Benjamin Drung <bdrung at ubuntu.com>
Date:   Wed Oct 20 01:09:39 2010 +0200

    Update git-buildpackage configuration.

-----------------------------------------------------------------------

Summary of changes:
 debian/NEWS                                        |   15 ----
 debian/changelog                                   |   11 +++
 debian/control                                     |    3 +-
 debian/eclipse-platform.NEWS                       |   39 ++++++++++
 debian/gbp.conf                                    |    4 +
 debian/patches/bp-osgi-ignore-root-CA.patch        |   77 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 .../service/security/KeyStoreTrustEngine.java      |   37 ++++++----
 8 files changed, 157 insertions(+), 30 deletions(-)

diff --git a/debian/NEWS b/debian/NEWS
deleted file mode 100644
index bc09e60..0000000
--- a/debian/NEWS
+++ /dev/null
@@ -1,15 +0,0 @@
-eclipse (3.5.2-1) unstable; urgency=low
-
-  In previous versions of eclipse (<< 3.5), it would extract shared
-  libraries to users ~/.eclipse. This has been fixed in the 3.5
-  series, but means that eclipse will have issues starting if you are
-  upgrading from an eclipse older than 3.5. Removing or renaming
-  ~/.eclipse fixes this at the cost of losing personal configuration.
-
-  In 3.5 all the "choose a suitable JVM" code has been removed and
-  instead eclipse now respect alternatives. Old configuration files
-  for this purpose (including the user file ~/.eclipse/eclipserc) is
-  now obsolete and will be silently ignored.
-
- -- Debian Orbital Alignment Team <pkg-java-maintainers at lists.alioth.debian.org>  Thu, 18 Mar 2010 12:13:51 +0100
-
diff --git a/debian/changelog b/debian/changelog
index 2421ea8..c0bc163 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+eclipse (3.5.2-6ubuntu1.1) maverick-proposed; urgency=low
+
+  [ Thomas Watson ]
+  * Backported fix for finding root CA in keystore rather than from JAR.
+    (LP: #655833)
+
+  [ Benjamin Drung ]
+  * Added NEWS entry about how to workaround #587657.
+
+ -- Benjamin Drung <bdrung at ubuntu.com>  Wed, 20 Oct 2010 01:15:47 +0200
+
 eclipse (3.5.2-6ubuntu1) maverick; urgency=low
 
   * debian/extra/eclipse:
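Review bot: The 3.5.2-6ubuntu1.1 entry lists only the backported fix and the NEWS entry, but the same push also changes the Maintainer field in debian/control and adds debian-branch and [git-dch] settings to debian/gbp.conf. Add a line under [ Benjamin Drung ] for at least the Maintainer update, so the changelog accounts for every packaging change in the upload. "how to workaround #587657" should also read "how to work around #587657".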
diff --git a/debian/control b/debian/control
index 0464305..e31a1c6 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
 Source: eclipse
 Section: devel
 Priority: optional
-Maintainer: Debian Orbital Alignment Team <pkg-java-maintainers at lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Orbital Alignment Team <pkg-java-maintainers at lists.alioth.debian.org>
 Uploaders: Niels Thykier <niels at thykier.net>,
            Benjamin Drung <bdrung at ubuntu.com>,
            Adrian Perez <adrianperez-deb at ubuntu.com>,
diff --git a/debian/eclipse-platform.NEWS b/debian/eclipse-platform.NEWS
new file mode 100644
index 0000000..22d3289
--- /dev/null
+++ b/debian/eclipse-platform.NEWS
@@ -0,0 +1,39 @@
+eclipse-platform (3.5.2-6) unstable; urgency=low
+
+  The upgrade of eclipse may cause plugins to silently disappear.
+  The exact reason has yet to be determined and we are looking for
+  an automatic solution for this problem.
+  
+  There are two known workarounds; one is two completely remove
+  ~/.eclipse and re-install all user plugins. The other is to
+  manually merge "bundles.info" from ~/.eclipse with the
+  "bundles.info" from /usr/lib/eclipse. This solution is slightly
+  more complicated, but appears to restore user installed plugins
+  without having to reinstall them.
+  
+  For more information on how to merge the bundles.info files,
+  you may want to have a look at #587657[1].
+  
+  Note: this issue may also affect plugins installed via packages
+  from repositories (such as the packages eclipse-emf and
+  eclipse-rse).
+  
+  [1] http://bugs.debian.org/587657
+
+ -- Niels Thykier <niels at thykier.net>  Mon, 13 Sep 2010 20:06:13 +0200
+
+eclipse-platform (3.5.2-1) unstable; urgency=low
+
+  In previous versions of eclipse (<< 3.5), it would extract shared
+  libraries to users ~/.eclipse. This has been fixed in the 3.5
+  series, but means that eclipse will have issues starting if you are
+  upgrading from an eclipse older than 3.5. Removing or renaming
+  ~/.eclipse fixes this at the cost of losing personal configuration.
+
+  In 3.5 all the "choose a suitable JVM" code has been removed and
+  instead eclipse now respect alternatives. Old configuration files
+  for this purpose (including the user file ~/.eclipse/eclipserc) is
+  now obsolete and will be silently ignored.
+
+ -- Debian Orbital Alignment Team <pkg-java-maintainers at lists.alioth.debian.org>  Thu, 18 Mar 2010 12:13:51 +0100
+
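Review bot: Typo in the 3.5.2-6 entry: "one is two completely remove ~/.eclipse" should read "one is to completely remove ~/.eclipse". The separator lines inside that entry ("+  ") carry trailing spaces, unlike the empty separator lines in the 3.5.2-1 entry below it. Since the 3.5.2-1 text is being moved anyway, "eclipse now respect alternatives" and "Old configuration files ... is now obsolete" could be corrected to "respects" and "are" at the same time.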
diff --git a/debian/gbp.conf b/debian/gbp.conf
index a7cda7e..8e7facc 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,6 @@
 [DEFAULT]
 compression=bzip2
+debian-branch = maverick
+
+[git-dch]
+meta = True
diff --git a/debian/patches/bp-osgi-ignore-root-CA.patch b/debian/patches/bp-osgi-ignore-root-CA.patch
new file mode 100644
index 0000000..ec0d4e0
--- /dev/null
+++ b/debian/patches/bp-osgi-ignore-root-CA.patch
@@ -0,0 +1,77 @@
+Description: If the root CA in a signed jar is invalid, check the cacerts
+ for an alternative/newer root CA.
+ .
+ This fixes the issue where signed jars has root CAs using MD2withRSA or
+ other weak signatures that are now automatically rejected by e.g. OpenJDK.
+Author: Thomas Watson <tjwatson at us.ibm.com>
+Bug-Ubuntu: https://launchpad.net/bugs/655833
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059
+Applied-Upstream: yes
+
+--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
++++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+@@ -101,27 +101,19 @@
+ 
+ 		try {
+ 			Certificate rootCert = null;
+-
+ 			KeyStore store = getKeyStore();
+ 			for (int i = 0; i < certChain.length; i++) {
+ 				if (certChain[i] instanceof X509Certificate) {
+-					if (i == certChain.length - 1) { //this is the last certificate in the chain
++					if (i == certChain.length - 1) {
++						// this is the last certificate in the chain
++						// determine if we have a valid root
+ 						X509Certificate cert = (X509Certificate) certChain[i];
+ 						if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
+-							certChain[i].verify(certChain[i].getPublicKey());
+-							rootCert = certChain[i]; // this is a self-signed certificate
++							cert.verify(cert.getPublicKey());
++							rootCert = cert; // this is a self-signed certificate
+ 						} else {
+ 							// try to find a parent, we have an incomplete chain
+-							synchronized (store) {
+-								for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+-									Certificate nextCert = store.getCertificate((String) e.nextElement());
+-									if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+-										cert.verify(nextCert.getPublicKey());
+-										rootCert = nextCert;
+-										break;
+-									}
+-								}
+-							}
++							return findAlternativeRoot(cert, store);
+ 						}
+ 					} else {
+ 						X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
+@@ -138,6 +130,10 @@
+ 						if (alias != null)
+ 							return store.getCertificate(alias);
+ 					}
++					// if we have reached the end and the last cert is not found to be a valid root CA
++					// then we need to back off the root CA and try to find an alternative
++					if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
++						return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
+ 				}
+ 			}
+ 		} catch (KeyStoreException e) {
+@@ -149,6 +145,19 @@
+ 		return null;
+ 	}
+ 
++	private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
++		synchronized (store) {
++			for (Enumeration e = store.aliases(); e.hasMoreElements();) {
++				Certificate nextCert = store.getCertificate((String) e.nextElement());
++				if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
++					cert.verify(nextCert.getPublicKey());
++					return nextCert;
++				}
++			}
++			return null;
++		}
++	}
++
+ 	protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
+ 		if (isReadOnly())
+ 			throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
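Review bot: In the DEP-3 header, "Applied-Upstream: yes" does not say where the fix landed; give the upstream version or commit identifier, because the Bug URL alone does not pin down which change was backported. The Description has a grammar slip ("signed jars has root CAs"). The same Java change is also applied directly to KeyStoreTrustEngine.java in this push while the patch is added to debian/patches/series, so please confirm the build does not attempt to apply it a second time.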
diff --git a/debian/patches/series b/debian/patches/series
index 7a10dc6..34831f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ build-arch.patch
 sat4j-version.patch
 add-o.e.equinox.concurrent.patch
 pdebuild-workspace.patch
+bp-osgi-ignore-root-CA.patch
diff --git a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
index cd3ca9e..96cd4f6 100644
--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
@@ -101,27 +101,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
 
 		try {
 			Certificate rootCert = null;
-
 			KeyStore store = getKeyStore();
 			for (int i = 0; i < certChain.length; i++) {
 				if (certChain[i] instanceof X509Certificate) {
-					if (i == certChain.length - 1) { //this is the last certificate in the chain
+					if (i == certChain.length - 1) {
+						// this is the last certificate in the chain
+						// determine if we have a valid root
 						X509Certificate cert = (X509Certificate) certChain[i];
 						if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
-							certChain[i].verify(certChain[i].getPublicKey());
-							rootCert = certChain[i]; // this is a self-signed certificate
+							cert.verify(cert.getPublicKey());
+							rootCert = cert; // this is a self-signed certificate
 						} else {
 							// try to find a parent, we have an incomplete chain
-							synchronized (store) {
-								for (Enumeration e = store.aliases(); e.hasMoreElements();) {
-									Certificate nextCert = store.getCertificate((String) e.nextElement());
-									if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
-										cert.verify(nextCert.getPublicKey());
-										rootCert = nextCert;
-										break;
-									}
-								}
-							}
+							return findAlternativeRoot(cert, store);
 						}
 					} else {
 						X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
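Review bot: The early "return findAlternativeRoot(cert, store);" in the incomplete-chain branch leaves the loop before the alias lookup that the next hunk shows further down in the same iteration ("if (alias != null) return store.getCertificate(alias);"). The removed code set rootCert and fell through to that lookup, and also fell through when no parent was found; now a null from findAlternativeRoot is returned immediately. If the last certificate could still be matched in the keystore by that lookup, return only on a non-null result and otherwise fall through; if the change is intended, a short comment saying so would help.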
@@ -138,6 +130,10 @@ public class KeyStoreTrustEngine extends TrustEngine {
 						if (alias != null)
 							return store.getCertificate(alias);
 					}
+					// if we have reached the end and the last cert is not found to be a valid root CA
+					// then we need to back off the root CA and try to find an alternative
+					if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
+						return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
 				}
 			}
 		} catch (KeyStoreException e) {
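Review bot: The new fallback at the end of the loop body swaps the root shipped in the JAR for a keystore certificate without leaving any trace. Log or trace when findAlternativeRoot returns non-null here, so it can be determined afterwards which anchor a signature was actually validated against. The comment says the last cert "is not found to be a valid root CA", but the condition only tests the position in the chain and the type of certChain[i - 1]; reword the comment to match what is checked.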
@@ -149,6 +145,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
 		return null;
 	}
 
+	private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
+		synchronized (store) {
+			for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+				Certificate nextCert = store.getCertificate((String) e.nextElement());
+				if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+					cert.verify(nextCert.getPublicKey());
+					return nextCert;
+				}
+			}
+			return null;
+		}
+	}
+
 	protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
 		if (isReadOnly())
 			throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
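Review bot: In findAlternativeRoot, "cert.verify(nextCert.getPublicKey());" throws on the first keystore entry whose subject DN equals the issuer DN but whose key does not verify, which ends the search. A keystore can hold more than one certificate with the same subject DN (an old root and its reissued replacement, for instance), so catch the verification failure for that entry and continue with the next alias, returning null only when no entry verifies. The six-exception throws clause could also be reduced to GeneralSecurityException, as doAddTrustAnchor directly below already does.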


hooks/post-receive
-- 
eclipse - Powerful IDE written in java - Debian package.


