[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 25 commits: Make JDK dependency dynamic

Timo Aaltonen gitlab at salsa.debian.org
Tue Sep 15 13:21:54 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki


Commits:
54715f2e by Alexander Scheel at 2020-08-21T10:39:20-04:00
Make JDK dependency dynamic

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
10e9741a by Alexander Scheel at 2020-08-21T10:39:20-04:00
Add server dependency on jaxb-api

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f909302a by Alexander Scheel at 2020-08-21T10:39:20-04:00
Add JAXB Implementation dependency for JDK11+

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ac264424 by Alexander Scheel at 2020-08-21T10:39:20-04:00
Add Jakarta Activation dependency for JDK11+

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1753780b by Alexander Scheel at 2020-08-21T11:14:11-04:00
Fix permissions when installing clone

When pkispawn runs, it executes as root. However, rarely is PKI
installed as root. The resulting permissions on ca.crt are 600,
preventing later pki-server migrate command from running, as it
runs as pkiuser, who doesn't have access to ca.crt. Fix the
permissions when we initially create ca.crt to be owned by pkiuser.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
12c5a338 by Timo Aaltonen at 2020-08-25T07:48:20+03:00
control: Fix pki-base-java openjdk depends, bump it to 11.

- - - - -
c6381d1d by Alexander Scheel at 2020-08-31T12:05:00-04:00
Update javax-activation paths for Debian

As reported by Timo on IRC.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9f9ef630 by Alexander Scheel at 2020-08-31T12:05:00-04:00
Migrate JAVA_HOME in instance configuration

When we upgrade from F32 to F33, we need to be able to upgrade JAVA_HOME
to set it to the new value. This value will also change on F32 (from a
JDK8-specific path to a generic path). This requires migration to happen
on subsystem start.

This means that the recommended way to configure JAVA_HOME to a value
OTHER than what's shipped in /usr/.../pki.conf becomes to set it in
/etc/.../pki.conf, and means that /etc/sysconfig/tomcat.conf gets
rewritten each time.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a4c9fbe5 by Alexander Scheel at 2020-08-31T12:05:00-04:00
Enforce JDK 8 source and bytecode everywhere

This will ensure that, as F33 and later releases happen, we'll continue
developing code compatible with RHEL 8 and F32.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0a085491 by Alexander Scheel at 2020-09-02T09:43:34-04:00
Move COPR to v10.9

Because v10.9 has been branched from master and a new COPR repo has been
created, we should use it instead of the v10.10/master branch COPR repo.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1fd3016c by Alexander Scheel at 2020-09-03T11:57:44-05:00
Keep JAVA_HOME in tomcat.conf

Despite the name tomcat.conf, this is also the main configuration file
loaded by instances. Instances (especially pkispawn) expect config to be
only the Tomcat configuration, despite loading configuration from the
environment as well. Eventually, we should migrate all of this to use
the global configuration rather than the per-instance configuration.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dc495b0a by Alexander Scheel at 2020-09-11T12:57:12-04:00
Remove SSL configuration; rely on crypto-policies

When TLSv1.3 support landed in Fedora and RHEL, crypto-policies enabled
it everywhere including in FIPS mode. However, because we bounded the
range above by TLSv1.2, we wouldn't negotiate TLSv1.3 when communicating
with CA instances. crypto-policies should be the single source of truth
for these values, and we shouldn't limit ourselves artificially.
Instead, users should change crypto-policies to the correct policy for
their needs.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
24985cb8 by Alexander Scheel at 2020-09-11T12:57:12-04:00
Enable PHA in legacy SSLSocket

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
70f7b2b5 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Updated version number to 10.9.3

- - - - -
62123c49 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Add JAVA_VERSION for CMake

The RPM spec and CMake files have been modified to detect the
actual Java version used to build PKI and add the appropriate
libraries for that version.

- - - - -
12e21c54 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Fixed missing sslserver and subsystem certs

When installing an additional subsystem into an instance,
the deployment scriptlet has been modified to copy the
cert and request data for sslserver and subsystem certs
from the existing subsystem.

https://bugzilla.redhat.com/show_bug.cgi?id=1869893

- - - - -
e4a32051 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Added upgrade script to fix missing cert/request data

An upgrade script has been added to fix the missing sslserver
and subsystem cert/request data by copying it from another
subsystem.

https://bugzilla.redhat.com/show_bug.cgi?id=1869893

- - - - -
29b7d321 by Alexander Scheel at 2020-09-11T16:39:37-04:00
Update version number to v10.9.4

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b02cb739 by Timo Aaltonen at 2020-09-14T14:49:46+03:00
rules: Set P11_KIT_TRUST.

- - - - -
fdc06d60 by Timo Aaltonen at 2020-09-14T16:21:56+03:00
Merge branch 'upstream'

- - - - -
4ae1e57b by Timo Aaltonen at 2020-09-14T16:24:06+03:00
bump the version

- - - - -
1b728ae8 by Timo Aaltonen at 2020-09-14T20:56:17+03:00
add-more-deps.diff: Dropped, upstream.

- - - - -
8e539fc5 by Timo Aaltonen at 2020-09-15T15:13:02+03:00
fix-java11-dependencies.diff: Make sure the necessary directories are created before adding symlinks to jars.

- - - - -
c92092b6 by Timo Aaltonen at 2020-09-15T15:15:48+03:00
rules: Add more cruft to remove on dh_auto_clean.

- - - - -
d2424243 by Timo Aaltonen at 2020-09-15T15:18:04+03:00
revert-support-jdk8-jdk11-rpm-builds.diff: Dropped, fix PKI_JAVA_PATH instead.

- - - - -


30 changed files:

- .classpath
- .github/workflows/required-tests.yml
- CMakeLists.txt
- base/CMakeLists.txt
- base/common/CMakeLists.txt
- base/common/share/etc/pki.conf
- base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
- base/java-tools/src/com/netscape/cmstools/HttpClient.java
- base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
- base/server/CMakeLists.txt
- base/server/python/pki/server/cli/migrate.py
- base/server/python/pki/server/deployment/scriptlets/configuration.py
- base/server/python/pki/server/deployment/scriptlets/security_databases.py
- base/server/share/conf/pki.policy
- base/server/share/lib/systemd/system/pki-tomcatd-nuxwdog@.service
- base/server/share/lib/systemd/system/pki-tomcatd@.service
- + base/server/upgrade/10.9.3/01-FixMissingCertAndRequestData.py
- cmake/Modules/Java.cmake
- debian/changelog
- debian/control
- − debian/patches/add-more-deps.diff
- + debian/patches/fix-java11-dependencies.diff
- + debian/patches/fix-pki-java-path.diff
- − debian/patches/revert-support-jdk8-jdk11-rpm-builds.diff
- debian/patches/series
- debian/rules
- pki.spec
- pom.xml
- scripts/compose_pki_test_package
- tests/dogtag/dev_java_tests/run_junit_tests.sh


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/07d31730a1644ed314b5a132d9cae247ce2c4e54...d2424243d77b68578e41ebf3b459ceb748ff7fce
