Accepting request 221008 from Printing

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/221008
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=115

cups-0003-systemd-secure-cups.service-unit-file.patch

@@ -0,0 +1,16 @@
+--- data/cups.service.in.orig	2014-01-29 13:57:17.000000000 +0100
++++ data/cups.service.in	2014-01-29 14:14:54.000000000 +0100
+@@ -1,10 +1,10 @@
+ [Unit]
+ Description=CUPS Printing Service
++After=network.target
+ 
+ [Service]
+ ExecStart=@sbindir@/cupsd -f
+ 
+ [Install]
+-Alias=cupsd.service
+-Also=cups.socket cups.path
+-WantedBy=printer.target
++WantedBy=multi-user.target
++

cups-1.5-additional_policies.patch

@@ -1,10 +1,9 @@
---- conf/cupsd.conf.in.orig	2010-12-09 22:24:51.000000000 +0100
-+++ conf/cupsd.conf.in	2011-10-05 13:51:39.000000000 +0200
-@@ -138,3 +138,25 @@ WebInterface @CUPS_WEBIF@
- #
- # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
- #
-+
+--- conf/cupsd.conf.in.orig	2014-01-29 14:31:32.000000000 +0100
++++ conf/cupsd.conf.in	2014-01-29 15:20:30.000000000 +0100
+@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@
+   </Limit>
+ </Policy>
+ 
 +# The policy below is added by SUSE during build of our cups package.
 +# The policy 'allowallforanybody' is totally open and insecure and therefore
 +# it can only be used within an internal network where only trused users exist
@@ -17,12 +16,27 @@
 +# For documentation regarding 'Managing Operation Policies' see
 +# http://www.cups.org/documentation.php/doc-1.5/policies.html
 +<Policy allowallforanybody>
-+  <Limit All>
++  # Allow anybody to access job's private values:
++  JobPrivateAccess all
++  # Make none of the job values to be private:
++  JobPrivateValues none
++  # Allow anybody to access subscription's private values:
++  SubscriptionPrivateAccess all
++  # Make none of the subscription values to be private:
++  SubscriptionPrivateValues none
++  # Allow anybody to do all IPP operations:
++  # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document
++  # must be additionally exlicitly specified because those IPP operations are not included
++  # in the "All" wildcard value - otherwise cupsd prints error messages of the form
++  # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."
++  <Limit All Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document>
 +    Order deny,allow
 +    Allow from all
 +  </Limit>
 +</Policy>
 +# Explicitly set the CUPS 'default' policy to be used by default:
 +DefaultPolicy default
-+# End of additions by SUSE.
 +
+ #
+ # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
+ #

cups.changes

@@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Wed Jan 29 14:27:52 CET 2014 - jsmeix@suse.de
+
+- cups-0003-systemd-secure-cups.service-unit-file.patch changes
+  the cups.service systemd unit file to be more secure and
+  to let the cupsd again work as it did all the time for printing
+  in a network (bnc#857372 in particular comment #61 therein).
+- cups-1.5-additional_policies.patch was updated to avoid
+  cupsd warning messages of the form "No limit for ... defined
+  in policy allowallforanybody and no suitable template found"
+  (bnc#857372 in particular comment #48 therein).
+
+-------------------------------------------------------------------
+Fri Jan 10 11:51:41 CET 2014 - jsmeix@suse.de
+
+- Fix how to use CUPS' own fonts (bnc#856731). In ancient times
+  (see the below entry dated "Thu Aug 16 17:05:19 CEST 2001")
+  there was the idea to deviate from CUPS upstream and save
+  some disk space and do not install CUPS' own fonts.
+  CUPS' own fonts were removed and the CUPS font
+  directory was replaced by a symbolic link
+  /usr/share/cups/fonts -> ../ghostscript/fonts
+  because at that times the Ghostscript fonts had been the same
+  as CUPS' own fonts. In any case such a link is a fragile
+  non-future-proof interference because when either the Ghostscript
+  fonts or CUPS' own fonts change, linking them as same is wrong.
+  Since a long time the Ghostscript fonts do no longer work
+  for CUPS' particular needs but nobody noticed it until now.
+  But it is not possible with RPM to replace a directory by a
+  symbolic link or vice versa. This means /usr/share/cups/fonts
+  must stay forever as a symbolic link and the only way out is
+  to move CUPS' own fonts to an artificial surrogate directory
+  /usr/share/cups/CUPSfonts and have the symbolic link now
+  /usr/share/cups/fonts -> /usr/share/cups/CUPSfonts
+
 -------------------------------------------------------------------
 Wed Jan  8 16:07:44 CET 2014 - jsmeix@suse.de
 

cups.spec

@@ -15,7 +15,6 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-
 Name:           cups
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@@ -183,9 +182,16 @@ Patch109:       str4190.patch
 # Patch110 avoids any possible busy loop in cups-polld in case of unusual issues
 # by sleeping interval seconds see https://bugzilla.novell.com/show_bug.cgi?id=828228
 Patch110:       cups-polld_avoid_busy_loop.patch
-# Patch111 fixes the systemd cups.socket file so that systemd listens only on localhost
-# (i.e. where the cupsd itself listens by default). Patch111 must be applied on top of Patch105.
+# Patch111 fixes the cups.socket systemd unit file from Patch105 to be more secure
+# so that systemd listens only on localhost (i.e. where the cupsd itself listens by default)
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c24
+# Patch111 must be applied on top of Patch105.
 Patch111:       cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch
+# Patch112 changes the cups.service systemd unit file from Patch105 to be more secure
+# and to let the cupsd again work as it did all the time for printing in a network
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
+# Patch111 must be applied on top of Patch105.
+Patch112:       cups-0003-systemd-secure-cups.service-unit-file.patch
 # Install into this non-root directory (required when norootforbuild is used):
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -332,9 +338,16 @@ printer drivers for CUPS.
 %patch109
 # Patch110 avoids any possible busy loop in cups-polld
 %patch110
-# Patch111 fixes the systemd cups.socket file so that systemd listens only on localhost
-# (i.e. where the cupsd itself listens by default). Patch111 must be applied on top of Patch105.
+# Patch111 fixes the cups.socket systemd unit file from Patch105 to be more secure
+# so that systemd listens only on localhost (i.e. where the cupsd itself listens by default)
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c24
+# Patch111 must be applied on top of Patch105.
 %patch111
+# Patch112 changes the cups.service systemd unit file from Patch105 to be more secure
+# and to let the cupsd again work as it did all the time for printing in a network
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
+# Patch111 must be applied on top of Patch105.
+%patch112
 
 %build
 # Disable SILENT run of make so that make runs verbose as usual:
@@ -384,6 +397,28 @@ make %{?_smp_mflags} CXX=g++
 %install
 make BUILDROOT=$RPM_BUILD_ROOT install
 install -d -m755 $RPM_BUILD_ROOT/etc/init.d
+# Use CUPS' own fonts (i.e. make CUPS work again in compliance with upstream).
+# In ancient times (see the RPM changelog entry dated "Thu Aug 16 17:05:19 CEST 2001")
+# there was the general opinion it would be a great idea to deviate from CUPS upstream
+# and save some disk space and do not install CUPS' own fonts in CUPS' own font directory.
+# Therefore CUPS' own fonts were removed and the CUPS font directory was replaced
+# by a symbolic link /usr/share/cups/fonts -> ../ghostscript/fonts
+# because at that times the Ghostscript fonts had been the same as CUPS' own fonts.
+# In any case such a link is a fragile non-future-proof interference because when either
+# the Ghostscript fonts or CUPS' own fonts change, linking them as same is wrong.
+# Meanwhile (I don't know exactly since when but since a long time) the Ghostscript fonts
+# do no longer work for CUPS' particular needs (CUPS has its own fonts because it needs them).
+# Nobody noticed it until 2014 via https://bugzilla.novell.com/show_bug.cgi?id=856731
+# But it is not possible with RPM to replace a directory by a symbolic link or vice versa
+# see https://bugzilla.novell.com/show_bug.cgi?id=856731#c7
+# and https://bugzilla.novell.com/show_bug.cgi?id=856731#c8
+# This means /usr/share/cups/fonts must stay forever as a symbolic link
+# and the only way out is to move CUPS' own fonts to an artificial
+# surrogate directory /usr/share/cups/CUPSfonts and have the
+# symbolic link /usr/share/cups/fonts -> /usr/share/cups/CUPSfonts:
+pushd $RPM_BUILD_ROOT/usr/share/cups/
+mv fonts CUPSfonts && ln -s CUPSfonts fonts
+popd
 # Source101: cups.init
 install -m755 %{SOURCE101} $RPM_BUILD_ROOT/etc/init.d/cups
 ln -sf ../../etc/init.d/cups $RPM_BUILD_ROOT/usr/sbin/rccups
@@ -452,8 +487,15 @@ grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.con
 sed -i -e 's/^# Sample configuration /# Configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf
 grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default
 sed -i -e 's/^# Sample configuration /# Default configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default
-
+# systemd stuff:
 %if 0%{?have_systemd}
+# move the installed cups.socket and cups.path into a documentation directory
+# so that experienced admins can make their own individual systemd unit files
+# for socket activation and/or path activation as they need it for their particular cases
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
+mkdir $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd
+mv $RPM_BUILD_ROOT/%{_unitdir}/cups.path $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.path
+mv $RPM_BUILD_ROOT/%{_unitdir}/cups.socket $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.socket
 # install /usr/lib/tmpfiles.d/cups.conf
 mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
 cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/cups.conf <<EOF
@@ -464,7 +506,17 @@ d /var/spool/cups/tmp - - - 30d
 EOF
 %endif
 # Run fdupes:
-%fdupes $RPM_BUILD_ROOT
+# The RPM macro fdupes runs /usr/bin/fdupes that links files with identical content.
+# Never run fdupes carelessly over the whole buildroot directory
+# because in older openSUSE and SLE11 versions fdupes
+# links files with different owner, group, or permissions
+# see https://bugzilla.novell.com/show_bug.cgi?id=784670
+# and even in current openSUSE versions fdupes links across sub-package boundaries,
+# compare https://bugzilla.novell.com/show_bug.cgi?id=784869
+# so that fdupes can only run for specific directories where linking files is safe.
+# Using fdupes -s, which will create symlinks that are easier to grasp for rpm and
+# rpmlint will give a "dangling symlink" error if the file and link ended up in different packages:
+%fdupes -s $RPM_BUILD_ROOT/%{_datadir}/cups
 
 %pre
 /usr/sbin/groupadd -g 71 -o -r ntadmin 2>/dev/null || :
@@ -610,9 +662,7 @@ exit 0
 %{_datadir}/cups/
 %exclude %{_datadir}/cups/ppdc/
 %if 0%{?have_systemd}
-%{_unitdir}/cups.path
 %{_unitdir}/cups.service
-%{_unitdir}/cups.socket
 %{_tmpfilesdir}/cups.conf
 %endif