update from 2019.1

rootcerts.spec

@@ -1,5 +1,9 @@
-%bcond_with bootstrap
-%bcond_without java
+# don't make useless debug packages
+%define _enable_debug_packages %{nil}
+%define debug_package %{nil}
+
+# _without = java enabled, _with = java disabled
+%bcond_with java
 
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
@@ -12,13 +16,17 @@
 
 Summary:	Bundle of CA Root Certificates
 Name:		rootcerts
+# <mrl> Use this versioning style in order to be easily backportable.
+# Note that the release is the last two digits on the version.
+# All BuildRequires for rootcerts should be done this way:
+# BuildRequires: rootcerts >= 0:20070402.00, for example
+# - NEVER specifying the %%{release}
 Epoch:		1
-# *** Important:  update BOTH Source0 and Source1 when newer than date below
-Version:	20200909.00
-Release:	1.vsos0
+Version:	20200910.00
+Release:	1
 License:	GPL
-Group:		Security
-URL:		https://fedoraproject.org/wiki/CA-Certificates
+Group:		System/Servers
+URL:		%{disturl}
 # For Source0, the NSS commit trunk version of this file is here:
 # https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
 # See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
@@ -29,7 +37,7 @@ URL:		https://fedoraproject.org/wiki/CA-Certificates
 # or the Mozilla development commit trunk:
 # https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
 # Ideally, it should correspond to the version shipped in the NSS release we are using
-Source0:	certdata-%{version}.txt
+Source0:	https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 # Similarly, Source1 comes from:
 # https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
 # Check the log to see if it needs to be updated:
@@ -42,24 +50,29 @@ Source5:	ca-legacy.conf
 Source6:	ca-legacy
 Source9:	ca-legacy.8.txt
 Source10:	update-ca-trust.8.txt
+BuildRequires:	python3
+BuildRequires:	openssl
+BuildRequires:	nss
+BuildRequires:	automake
+BuildRequires:	libtool
+%if %{with java}
+BuildRequires:	java-devel
+BuildRequires:	javapackages-tools
+%endif
+BuildRequires:	docbook-xsl
+BuildRequires:	asciidoc
+BuildRequires:	xsltproc
 Requires(post):	coreutils
 Requires(post):	p11-kit
 Requires(post):	p11-kit-trust
-BuildRequires:	perl
-BuildRequires:	openssl
-%if %{without bootstrap}
-BuildRequires:	nss
-%endif
-%if %with java
-BuildRequires:	javapackages-tools
-BuildRequires:	java-devel
-%endif
-BuildRequires:	asciidoc
-BuildRequires:	xsltproc 
-
 BuildArch:	noarch
 Provides:	ca-certificates
 
+# update-ca-trust (provided by rootcerts, called by %%post script)
+# calls /usr/bin/p11-kit, which in turn calls /usr/bin/trust
+Requires(post):	p11-kit p11-kit-trust
+Requires:	p11-kit p11-kit-trust
+
 %description
 This is a bundle of X.509 certificates of public Certificate
 Authorities (CA). These were automatically extracted from Mozilla's
@@ -68,7 +81,7 @@ in both plain text and PEM format and therefore can be directly used
 with an Apache/mod_ssl webserver for SSL client authentication. Just
 configure this file as the SSLCACertificateFile.
 
-%if %with java
+%if %{with java}
 %package java
 Summary:	Bundle of CA Root Certificates for Java
 Group:		Development/Java
@@ -84,7 +97,6 @@ mkdir -p %{name}/certs/legacy-default
 mkdir %{name}/certs/legacy-disable
 mkdir %{name}/java
 
-
 %build
 pushd %{name}/certs
  cp %{SOURCE0} certdata.txt
@@ -108,12 +120,12 @@ EOF
  ) > %{p11_format_bundle}
 
  touch %{legacy_default_bundle}
- NUM_LEGACY_DEFAULT=`find certs/legacy-default -type f | wc -l`
+ NUM_LEGACY_DEFAULT=$(find certs/legacy-default -type f | wc -l)
  if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
-     for f in certs/legacy-default/*.crt; do 
+     for f in certs/legacy-default/*.crt; do
        echo "processing $f"
-       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
-       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+       tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
+       alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
        targs=""
        if [ -n "$tbits" ]; then
           for t in $tbits; do
@@ -128,12 +140,12 @@ EOF
  fi
 
  touch %{legacy_disable_bundle}
- NUM_LEGACY_DISABLE=`find certs/legacy-disable -type f | wc -l`
+ NUM_LEGACY_DISABLE=$(find certs/legacy-disable -type f | wc -l)
  if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
-     for f in certs/legacy-disable/*.crt; do 
+     for f in certs/legacy-disable/*.crt; do
        echo "processing $f"
-       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
-       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+       tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
+       alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
        targs=""
        if [ -n "$tbits" ]; then
           for t in $tbits; do
@@ -147,9 +159,9 @@ EOF
      done
  fi
 
- P11FILES=`find certs -name \*.tmp-p11-kit | wc -l`
+ P11FILES=$(find certs -name \*.tmp-p11-kit | wc -l)
  if [ $P11FILES -ne 0 ]; then
-   for p in certs/*.tmp-p11-kit; do 
+   for p in certs/*.tmp-p11-kit; do
      cat "$p" >> %{p11_format_bundle}
    done
  fi
@@ -166,7 +178,6 @@ cp %{SOURCE9} %{name}/ca-legacy.8.txt
 asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
 xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
 
-
 %install
 mkdir -p -m 755 %{buildroot}%{pkidir}/java
 mkdir -p -m 755 %{buildroot}%{catrustdir}/source
@@ -219,6 +230,7 @@ EOF
 # be compatible with Debian/Ubuntu SSL paths
 # fix #58107 (also used by dovecot default config)
 install -d %{buildroot}%{_sysconfdir}/ssl
+
 for d in certs private; do
     ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
 done
@@ -245,23 +257,17 @@ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
     %{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
 ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
     %{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
-%if %with java
+%if %{with java}
 ln -s %{catrustdir}/extracted/%{java_bundle} \
     %{buildroot}%{pkidir}/%{java_bundle}
 %endif
 
 %post
-if [ -x %{_bindir}/ln ]; then
-%{_bindir}/ca-legacy install
-%{_bindir}/update-ca-trust
-fi
-
-%posttrans
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 
-%files 
-%doc README 
+%files
+%doc README
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
 %dir %{catrustdir}/source/blacklist
@@ -292,8 +298,10 @@ fi
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
-%if %with java
+
+%if %{with java}
 %files java
 %dir %{_sysconfdir}/pki/java
 %config(noreplace) %{_sysconfdir}/pki/java/cacerts
 %endif
+

trust-fixes

@@ -0,0 +1 @@
+