[shibboleth-sp2] 06/12: Convert to gbp pq patch management

Russ Allbery rra at stanford.edu
Mon Mar 17 08:20:17 UTC 2014


This is an automated email from the git hooks/post-receive script.

rra pushed a commit to branch master
in repository shibboleth-sp2.

commit 8200c3435dbd72cbbf6179e17cdb0b0f3346ff6f
Author: Russ Allbery <rra at debian.org>
Date:   Sun Mar 16 16:43:08 2014 -0700

    Convert to gbp pq patch management
    
    Rather than commit changes directly, maintain all changes from
    upstream as separate patches managed with gbp pq.  This will make
    feeding patches upstream easier.
---
 debian/changelog                                   |   1 +
 .../patches/0001-Improve-shibd-init-script.patch   | 196 +++++++++++++++++++++
 .../0002-keygen-improvements-for-Debian.patch      |  39 ++++
 .../patches/0003-Avoid-libtool-silent-flag.patch   |  24 +++
 .../patches/0004-Shire-log-path-for-Debian.patch   |  23 +++
 .../0005-Default-native-logger-to-syslog.patch     |  69 ++++++++
 .../0006-Remove-WSTrust-schema-references.patch    |  38 ++++
 debian/patches/series                              |   6 +
 debian/source/local-options                        |   1 -
 debian/source/local-patch-header                   |  10 --
 10 files changed, 396 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 48ea4ec..76a1cb1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,7 @@ shibboleth-sp2 (2.5.3+dfsg-1) UNRELEASED; urgency=medium
   * Remove unnecessary dh_installinit parameters.  update-rc.d now uses
     LSB headers exclusively and no longer pays attention to any runlevel
     information on the command line.
+  * Convert all Debian patches to separate patch files managed via gbp pq.
   * Update standards version to 3.9.5 (no changes required).
 
  -- Russ Allbery <rra at debian.org>  Sat, 17 Aug 2013 14:36:09 -0700
diff --git a/debian/patches/0001-Improve-shibd-init-script.patch b/debian/patches/0001-Improve-shibd-init-script.patch
new file mode 100644
index 0000000..915f463
--- /dev/null
+++ b/debian/patches/0001-Improve-shibd-init-script.patch
@@ -0,0 +1,196 @@
+From: Russ Allbery <rra at debian.org>
+Date: Sun, 16 Mar 2014 16:20:55 -0700
+Subject: Improve shibd init script
+
+Convert to use the LSB functions and be more formally correct
+about exit status, startup and shutdown checking, and so forth.
+Run shibd as the _shibd user and group if they can read the local
+private key.  Add a status command.
+---
+ configs/shibd-debian.in | 143 ++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 115 insertions(+), 28 deletions(-)
+
+diff --git a/configs/shibd-debian.in b/configs/shibd-debian.in
+index 59f0995..0eefbb2 100644
+--- a/configs/shibd-debian.in
++++ b/configs/shibd-debian.in
+@@ -1,18 +1,20 @@
+ #! /bin/sh
+ ### BEGIN INIT INFO
+-# Provides: shibd
+-# Required-Start: $local_fs $remote_fs $network
+-# Required-Stop: $local_fs $remote_fs $network
+-# Default-Start: 2 3 4 5
+-# Default-Stop: 0 1 6
+-# Short-Description: Shibboleth 2 Service Provider Daemon
+-# Description: Starts the separate daemon used by the Shibboleth
+-# Apache module to manage sessions and to retrieve
+-# attributes from Shibboleth Identity Providers.
++# Provides:             shibd
++# Required-Start:       $local_fs $remote_fs $network
++# Required-Stop:        $local_fs $remote_fs
++# Default-Start:        2 3 4 5
++# Default-Stop:
++# Short-Description:    Shibboleth 2 Service Provider Daemon
++# Description:          Starts the separate daemon used by the Shibboleth
++#                       Apache module to manage sessions and to retrieve
++#                       attributes from Shibboleth Identity Providers.
+ ### END INIT INFO
+ #
+ # Written by Quanah Gibson-Mount <quanah at stanford.edu>
+ # Modified by Lukas Haemmerle <lukas.haemmerle at switch.ch> for Shibboleth 2
++# Updated to use the LSB init functions by Russ Allbery <rra at debian.org>
++#
+ # Based on the dh-make template written by:
+ #
+ # Written by Miquel van Smoorenburg <miquels at cistron.nl>.
+@@ -29,6 +31,7 @@ DAEMON=@-PREFIX-@/sbin/$NAME
+ SCRIPTNAME=/etc/init.d/$NAME
+ PIDFILE=@-PKGRUNDIR-@/$NAME.pid
+ DAEMON_OPTS=""
++DAEMON_USER=_shibd
+ 
+ # Force removal of socket
+ DAEMON_OPTS="$DAEMON_OPTS -f"
+@@ -48,38 +51,122 @@ DAEMON_OPTS="$DAEMON_OPTS -w 30"
+ # Read configuration if it is present.
+ [ -r /etc/default/$NAME ] && . /etc/default/$NAME
+ 
+-# Get the setting of VERBOSE and other rcS variables.
+-[ -f /etc/default/rcS ] && . /etc/default/rcS
++# Load the VERBOSE setting and other rcS variables
++. /lib/init/vars.sh
++
++# Define LSB log_* functions.
++. /lib/lsb/init-functions
++
++prepare_environment () {
++    # Ensure @-PKGRUNDIR-@ exists.  /var/run may be on a tmpfs file system.
++    [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
++
++    # If $DAEMON_USER is set, try to run shibd as that user.  However,
++    # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
++    # and the local administrator may not have made the server's private key
++    # readable by $DAEMON_USER.  We therefore test first by running shibd -t
++    # and looking for the error code indicating that the private key could not
++    # be read.  If we get that error, we fall back on running shibd as root.
++    if [ -n "$DAEMON_USER" ]; then
++        DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
++        if [ $? = 0 ] ; then
++            # openssl errstr 200100D (hex for 33558541) says:
++            # error:0200100D:system library:fopen:Permission denied
++            ERROR='ERROR OpenSSL : error code: 33558541 '
++            if echo "$DIAG" | fgrep -q "$ERROR" ; then
++                unset DAEMON_USER
++                log_warning_msg "$NAME: file permissions require running as" \
++                    "root"
++            else
++                chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
++            fi
++        else
++            unset DAEMON_USER
++            log_warning_msg "$NAME: unable to run config check as user" \
++                "$DAEMON_USER"
++        fi
++        unset DIAG
++    fi
++}
++
++# Start shibd.
++do_start () {
++    # Return
++    #   0 if daemon has been started
++    #   1 if daemon was already running
++    #   2 if daemon could not be started
++    start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
++        --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
++        || return 1
++    start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
++        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS \
++        || return 2
++}
++
++# Stop shibd.
++do_stop () {
++    # Return
++    #   0 if daemon has been stopped
++    #   1 if daemon was already stopped
++    #   2 if daemon could not be stopped
++    #   other if a failure occurred
++    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
++        --pidfile $PIDFILE --name $NAME
++    RETVAL="$?"
++    return "$RETVAL"
++}
+ 
+ case "$1" in
+ start)
++    prepare_environment
++
+     # Don't start shibd if NO_START is set.
+     if [ "$NO_START" = 1 ] ; then
+-        echo "Not starting $DESC (see /etc/default/$NAME)"
++        if [ "$VERBOSE" != no ] ; then
++            echo "Not starting $DESC (see /etc/default/$NAME)"
++        fi
+         exit 0
+     fi
+-    echo -n "Starting $DESC: "
+-    start-stop-daemon --start --quiet \
+-        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
+-    echo "$NAME."
++    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
++    do_start
++    case "$?" in
++        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
++        2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
++    esac
+     ;;
+ stop)
+-    echo -n "Stopping $DESC: "
+-    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
+-        --exec $DAEMON
+-    echo "$NAME."
++    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
++    do_stop
++    case "$?" in
++        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
++        2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
++    esac
+     ;;
+ restart|force-reload)
+-    echo -n "Restarting $DESC: "
+-    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
+-        --exec $DAEMON
+-    sleep 1
+-    start-stop-daemon --start --quiet \
+-        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
+-    echo "$NAME."
++    prepare_environment
++
++    log_daemon_msg "Restarting $DESC" "$NAME"
++    do_stop
++    case "$?" in
++        0|1)
++            do_start
++            case "$?" in
++                0) log_end_msg 0 ;;
++                1) log_end_msg 1 ;; # Old process is still running
++                *) log_end_msg 1 ;; # Failed to start
++            esac
++            ;;
++        *)
++            # Failed to stop
++            log_end_msg 1
++            ;;
++    esac
++    ;;
++status)
++    status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
+     ;;
+ *)
+-    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
++    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
+     exit 1
+     ;;
+ esac
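Review bot: In the else branch of prepare_environment, `unset DAEMON_USER` runs before the `log_warning_msg` call that interpolates "$DAEMON_USER", so the warning is printed with an empty user name; log first, then unset. The key-permission probe in the same function discards stderr (`2>/dev/null`) and only greps for the OpenSSL error when the exit status is 0, so the fallback to root works only if `shibd -t` both exits 0 and writes that error to stdout; the comment should state that assumption. Separately, the start branch calls prepare_environment before the NO_START test, so the `su` probe and the root-run `chown -Rh` over directories writable by $DAEMON_USER happen on every start even when the daemon is configured not to start. Consider moving the call below the NO_START check and doing the recursive ownership change once at package upgrade rather than on each start.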
diff --git a/debian/patches/0002-keygen-improvements-for-Debian.patch b/debian/patches/0002-keygen-improvements-for-Debian.patch
new file mode 100644
index 0000000..4c8c09d
--- /dev/null
+++ b/debian/patches/0002-keygen-improvements-for-Debian.patch
@@ -0,0 +1,39 @@
+From: Russ Allbery <rra at debian.org>
+Date: Sun, 16 Mar 2014 16:26:18 -0700
+Subject: keygen improvements for Debian
+
+Generate the key owned by _shibd to work with the Debian user
+configuration for the shibd daemon.  Pass --fqdn to the hostname
+command when determining the default identity for better certificate
+names.
+---
+ configs/keygen.sh | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/configs/keygen.sh b/configs/keygen.sh
+index 4ee69f6..7787b63 100755
+--- a/configs/keygen.sh
++++ b/configs/keygen.sh
+@@ -1,5 +1,11 @@
+ #! /bin/sh
+ 
++# Defaults added for Debian.  They can still be overridden by command-line
++# options.
++OUT=/etc/shibboleth
++USER=_shibd
++GROUP=_shibd
++
+ while getopts h:u:g:o:e:y:bf c
+      do
+          case $c in
+@@ -32,8 +38,9 @@ if  [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
+     exit 0
+ fi
+ 
++# --fqdn flag added for Debian to generate better names for certificates.
+ if [ -z "$FQDN" ] ; then
+-    FQDN=`hostname`
++    FQDN=`hostname --fqdn`
+ fi
+ 
+ if [ -z "$YEARS" ] ; then
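Review bot: The `hostname --fqdn` substitution in the second hunk of keygen.sh has no check on its result, so if the command fails or prints nothing the script continues with an empty FQDN; fall back to plain `hostname` or exit with an error when "$FQDN" is still empty after the call. In the first hunk, the new default assigns to USER, which is also the conventional login-name environment variable, so a comment saying it names the key owner rather than the invoking user would help readers.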
diff --git a/debian/patches/0003-Avoid-libtool-silent-flag.patch b/debian/patches/0003-Avoid-libtool-silent-flag.patch
new file mode 100644
index 0000000..6ade3e1
--- /dev/null
+++ b/debian/patches/0003-Avoid-libtool-silent-flag.patch
@@ -0,0 +1,24 @@
+From: Russ Allbery <rra at debian.org>
+Date: Sun, 16 Mar 2014 16:30:53 -0700
+Subject: Avoid libtool --silent flag
+
+For Debian builds, we want to see all the compiler flags so that
+build log analysis has all available data.  Disable adding --silent
+to the libtool flags in configure.ac.
+---
+ configure.ac | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 6c71412..2e17582 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1351,6 +1351,7 @@ if test -n "$APXS24_CC" && test "$APXS24_CC" != "$CC" ; then
+   echo "=================================================================="
+ fi
+ 
+-LIBTOOL="$LIBTOOL --silent"
++dnl Disabled on Debian since build log analysis wants verbose logs.
++dnl LIBTOOL="$LIBTOOL --silent"
+ 
+ AC_OUTPUT
diff --git a/debian/patches/0004-Shire-log-path-for-Debian.patch b/debian/patches/0004-Shire-log-path-for-Debian.patch
new file mode 100644
index 0000000..83c590c
--- /dev/null
+++ b/debian/patches/0004-Shire-log-path-for-Debian.patch
@@ -0,0 +1,23 @@
+From: Russ Allbery <rra at debian.org>
+Date: Sun, 16 Mar 2014 16:34:45 -0700
+Subject: Shire log path for Debian
+
+Change the Apache module log path to /var/log/apache2, used on
+Debian, from the Red Hat /var/log/httpd.
+---
+ configs/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configs/Makefile.am b/configs/Makefile.am
+index ee90def..841f9de 100644
+--- a/configs/Makefile.am
++++ b/configs/Makefile.am
+@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign
+ 
+ pkglibdir = ${libdir}/@PACKAGE_NAME@
+ pkglogdir = ${localstatedir}/log/@PACKAGE_NAME@
+-shirelogdir = ${localstatedir}/log/httpd
++shirelogdir = ${localstatedir}/log/apache2
+ pkgxmldir = $(datadir)/xml/@PACKAGE_NAME@
+ pkgwebdir = $(datadir)/@PACKAGE_NAME@
+ pkgrundir = $(localstatedir)/run/@PACKAGE_NAME@
diff --git a/debian/patches/0005-Default-native-logger-to-syslog.patch b/debian/patches/0005-Default-native-logger-to-syslog.patch
new file mode 100644
index 0000000..161f997
--- /dev/null
+++ b/debian/patches/0005-Default-native-logger-to-syslog.patch
@@ -0,0 +1,69 @@
+From: Russ Allbery <rra at debian.org>
+Date: Sun, 16 Mar 2014 16:35:39 -0700
+Subject: Default native logger to syslog
+
+Rather than generating a separate log in /var/log/apache2 by
+default, which needs permissions and rotation management, default
+the native.logger configuration to using syslog.
+---
+ configs/native.logger.in | 44 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/configs/native.logger.in b/configs/native.logger.in
+index 52a90ae..5785d7e 100644
+--- a/configs/native.logger.in
++++ b/configs/native.logger.in
+@@ -1,5 +1,9 @@
+ # set overall behavior
+-log4j.rootCategory=INFO, native_log, warn_log
++#
++# Debian: remove warn_log.  All logs go to syslog, so there's no need to
++# have multiple log destinations differentiated only by log threshold.
++#log4j.rootCategory=INFO, native_log, warn_log
++log4j.rootCategory=INFO, native_log
+ 
+ # fairly verbose for DEBUG, so generally leave at INFO
+ log4j.category.XMLTooling.XMLObject=INFO
+@@ -27,17 +31,29 @@ log4j.category.XMLTooling.libcurl=INFO
+ 
+ # define the appender
+ 
+-log4j.appender.native_log=org.apache.log4j.RollingFileAppender
+-log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
+-log4j.appender.native_log.maxFileSize=1000000
+-log4j.appender.native_log.maxBackupIndex=10
+-log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+-log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
++# This is the default, but it's essentially useless under normal
++# circumstances since Apache doesn't have access to write to that
++# directory.
++#log4j.appender.native_log=org.apache.log4j.RollingFileAppender
++#log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
++#log4j.appender.native_log.maxFileSize=1000000
++#log4j.appender.native_log.maxBackupIndex=10
++#log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
++#log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
++#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
++#log4j.appender.warn_log.fileName=@-SHIRELOGDIR-@/native_warn.log
++#log4j.appender.warn_log.maxFileSize=1000000
++#log4j.appender.warn_log.maxBackupIndex=10
++#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
++#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
++#log4j.appender.warn_log.threshold=WARN
+ 
+-log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+-log4j.appender.warn_log.fileName=@-SHIRELOGDIR-@/native_warn.log
+-log4j.appender.warn_log.maxFileSize=1000000
+-log4j.appender.warn_log.maxBackupIndex=10
+-log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+-log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+-log4j.appender.warn_log.threshold=WARN
++# Use syslog instead, since then at least the messages will go somewhere.
++# That facility is LOG_DAEMON, since log4cpp apparently doesn't recognize
++# symbolic log facilities.
++#
++# This is a Debian-specific change.
++log4j.appender.native_log=org.apache.log4j.LocalSyslogAppender
++log4j.appender.native_log.syslogName=shibboleth-sp
++log4j.appender.native_log.facility=3
++log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
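Review bot: Dropping warn_log from log4j.rootCategory at the top of native.logger.in removes the only WARN-threshold destination, and the patch description does not say how to get that stream back; note there or in the package NEWS that warnings now have to be selected by syslog priority under the shibboleth-sp name. The commented-out RollingFileAppender block also reuses the native_log appender name, so uncommenting it while the syslog definition stays active leaves two definitions of the same appender; the comment should say that the syslog lines must be commented out when switching back.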
diff --git a/debian/patches/0006-Remove-WSTrust-schema-references.patch b/debian/patches/0006-Remove-WSTrust-schema-references.patch
new file mode 100644
index 0000000..6e4645f
--- /dev/null
+++ b/debian/patches/0006-Remove-WSTrust-schema-references.patch
@@ -0,0 +1,38 @@
+From: Russ Allbery <rra at debian.org>
+Date: Sun, 16 Mar 2014 16:41:25 -0700
+Subject: Remove WSTrust schema references
+
+The WSTrust schema is under a non-DFSG license and therefore isn't
+installed in the Debian package or included in the source package.
+Remove the references to it in the build system and schema catalog.
+---
+ schemas/Makefile.am    | 3 +--
+ schemas/catalog.xml.in | 2 ++
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/schemas/Makefile.am b/schemas/Makefile.am
+index f8c246f..4ed2cd8 100644
+--- a/schemas/Makefile.am
++++ b/schemas/Makefile.am
+@@ -13,8 +13,7 @@ schemafiles = \
+     shibboleth-2.0-afp.xsd \
+     shibboleth-2.0-afp-mf-basic.xsd \
+     shibboleth-2.0-afp-mf-saml.xsd \
+-    shibboleth-2.0-attribute-map.xsd \
+-    WS-Trust.xsd
++    shibboleth-2.0-attribute-map.xsd
+ 
+ pkgxml_DATA = \
+ 	catalog.xml \
+diff --git a/schemas/catalog.xml.in b/schemas/catalog.xml.in
+index ca7c797..fbb3fe3 100644
+--- a/schemas/catalog.xml.in
++++ b/schemas/catalog.xml.in
+@@ -9,5 +9,7 @@
+     <system systemId="urn:mace:shibboleth:2.0:afp:mf:saml" uri="@-PKGXMLDIR-@/shibboleth-2.0-afp-mf-saml.xsd"/>
+     <system systemId="urn:mace:shibboleth:2.0:attribute-map" uri="@-PKGXMLDIR-@/shibboleth-2.0-attribute-map.xsd"/>
+     <system systemId="urn:mace:shibboleth:1.0" uri="@-PKGXMLDIR-@/shibboleth.xsd"/>
++  <!-- WS-Trust.xsd has been removed from the Debian package because of license problems
+     <system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust" uri="@-PKGXMLDIR-@/WS-Trust.xsd"/>
++   -->
+ </catalog>
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..164c6a3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+0001-Improve-shibd-init-script.patch
+0002-keygen-improvements-for-Debian.patch
+0003-Avoid-libtool-silent-flag.patch
+0004-Shire-log-path-for-Debian.patch
+0005-Default-native-logger-to-syslog.patch
+0006-Remove-WSTrust-schema-references.patch
diff --git a/debian/source/local-options b/debian/source/local-options
deleted file mode 100644
index 7423a2d..0000000
--- a/debian/source/local-options
+++ /dev/null
@@ -1 +0,0 @@
-single-debian-patch
diff --git a/debian/source/local-patch-header b/debian/source/local-patch-header
deleted file mode 100644
index 33c7800..0000000
--- a/debian/source/local-patch-header
+++ /dev/null
@@ -1,10 +0,0 @@
-Subject: Collected Debian patches for shibboleth-sp2
-Author: Russ Allbery <rra at debian.org>
-
-The packaging for shibboleth-sp2 is maintained in Git using multiple
-branches for fixes, which makes it complex to separate the changes
-into individual patches.  They are therefore all included in a single
-Debian patch.
-
-For full commit history and separated commits, see the packaging Git
-repository.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git


