Accepting request 974922 from server:dns

update to 1.15.0 and switching to sysuser OBS-URL: https://build.opensuse.org/request/show/974922 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=54
2022-05-06 16:58:52 +00:00 · 2022-05-06 16:58:52 +00:00 · 95050f9df7
commit 95050f9df7
parent c56d63a28a cdd3f40e20
7 changed files with 147 additions and 86 deletions
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- spec-cleaner
+- update to 1.15.0 
+
 -------------------------------------------------------------------
 Thu Dec  9 11:14:33 UTC 2021 - Michael Ströder <michael@stroeder.com>

--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libunbound-devel-mini
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,19 +16,28 @@
 #


+%define ldns_version 1.6.16
 %bcond_without python
 %bcond_without munin
 %bcond_without hardened_build
-
-%define ldns_version 1.6.16
-
 #
 Name:           libunbound-devel-mini
-Version:        1.14.0
+Version:        1.15.0
 Release:        0
+Summary:        Just a devel package for build loops
+License:        BSD-3-Clause
+Group:          Productivity/Networking/DNS/Servers
+#
+URL:            https://www.unbound.net/
+Source:         https://www.unbound.net/downloads/unbound-%{version}.tar.gz
+Source1:        libunbound-devel-mini-rpmlintrc
+Source5:        root.key
+Source6:        dlv.isc.org.key
+# From http://data.iana.org/root-anchors/icannbundle.pem
+Source12:       icannbundle.pem
+Source13:       root.anchor
 #
 #
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}
 BuildRequires:  libevent-devel
@ -39,19 +48,6 @@ Requires:       this-is-only-for-build-envs
 Conflicts:      libunbound8
 Conflicts:      unbound-devel
 Provides:       libunbound-devel = %{version}-%{release}
-#
-URL:            https://www.unbound.net/
-Source:         https://www.unbound.net/downloads/unbound-%{version}.tar.gz
-Source1:        libunbound-devel-mini-rpmlintrc
-Source5:        root.key
-Source6:        dlv.isc.org.key
-# From http://data.iana.org/root-anchors/icannbundle.pem
-Source12:       icannbundle.pem
-Source13:       root.anchor
-
-Summary:        Just a devel package for build loops
-License:        BSD-3-Clause
-Group:          Productivity/Networking/DNS/Servers

 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@ -65,7 +61,7 @@ DNSSEC (secure DNS) validation and stub-resolvers (that do not run
 as a server, but are linked into an application) are easily possible.

 %prep
-%setup -n unbound-%version
+%setup -q -n unbound-%{version}

 %build
 export CFLAGS="%{optflags}"
@ -90,7 +86,7 @@ export CXXFLAGS="%{optflags}"
  --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
  --disable-explicit-port-randomisation

-make %{?_smp_mflags}
+%make_build

 %install
 %make_install
@ -98,13 +94,12 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la

 %check
 # it currently fails in the ldns unit test. which is weird as both come from the same project
-make check ||:
+%make_build check ||:

 %post   -p /sbin/ldconfig
 %postun -p /sbin/ldconfig

 %files
-%defattr(-,root,root,-)
 %{_libdir}/libunbound.so.*
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
--- a/unbound-1.14.0.tar.gz
+++ b/unbound-1.14.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6ef91cbf02d5299eab39328c0857393de7b4885a2fe7233ddfe3c124ff5a89c8
-size 6152326
--- a/unbound-1.15.0.tar.gz
+++ b/unbound-1.15.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a480dc6c8937447b98d161fe911ffc76cfaffa2da18788781314e81339f1126f
+size 6163470
--- a/unbound.changes
+++ b/unbound.changes
@ -1,3 +1,108 @@
+-------------------------------------------------------------------
+Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- drop python2 packages
+- update to 1.15.0:
+  This release has bug fixes for crashes that happened on heavy network
+  usage. The default for the aggressive-nsec option has changed, it is now
+  enabled.
+
+  The ratelimit logic had to be reworked for the crash fixes. As a result,
+  there are new options to control the behaviour of ratelimiting.
+  The ratelimit-backoff and ip-ratelimit-backoff options can be used to
+  control how severe the backoff is when the ratelimit is exceeded.
+
+  The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
+  NXDOMAIN answers from RPZ. That is used by some clients to detect that
+  the domain is externally blocked. The RPZ option for-downstream can be
+  used like for auth zones, this allows the RPZ zone information to be queried.
+  That can be useful for monitoring scripts.
+
+  Features
+  - Fix #596: unset the RA bit when a query is blocked by an unbound
+    RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+    signal that a domain is externally blocked to clients when it
+    is blocked with NXDOMAIN by unsetting RA.
+  - Add rpz: for-downstream: yesno option, where the RPZ zone is
+    authoritatively answered for, so the RPZ zone contents can be
+    checked with DNS queries directed at the RPZ zone.
+  - Merge PR #616: Update ratelimit logic. It also introduces
+    ratelimit-backoff and ip-ratelimit-backoff configuration options.
+  - Change aggressive-nsec default to yes.
+
+  Bug Fixes
+  - Fix compile warning for if_nametoindex on windows 64bit.
+  - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+    warnings in rpz.
+  - Fix validator debug output about DS support, print correct algorithm.
+  - Add code similar to fix for ldns for tab between strings, for
+    consistency, the test case was not broken.
+  - Allow local-data for classes other than IN to inherit a configured
+    local-zone's type if possible, instead of defaulting to type
+    transparent as per the implicit rule.
+  - Fix to pick up other class local zone information before unlock.
+  - Add missing configure flags for optional features in the
+    documentation.
+  - Fix Unbound capitalization in the documentation.
+  - Fix #591: Unbound-anchor manpage links to non-existent license file.
+  - contrib/aaaa-filter-iterator.patch file renewed diff content to
+    apply cleanly to the current coderepo for the current code version.
+  - Fix to add test for rpz-signal-nxdomain-ra.
+  - Fix #596: only unset RA when NXDOMAIN is signalled.
+  - Fix that RPZ does not set RD flag on replies, it should be copied
+    from the query.
+  - Fix for #596: fix that rpz return message is returned and not just
+    the rcode from the iterator return path. This fixes signal unset RA
+    after a CNAME.
+  - Fix unit tests for rpz now that the AA flag returns successfully from
+    the iterator loop.
+  - Fix for #596: add unit test for nsdname trigger and signal unset RA.
+  - Fix for #596: add unit test for nsip trigger and signal unset RA.
+  - Fix #598: Fix unbound-checkconf fatal error: module conf
+    'respip dns64 validator iterator' is not known to work.
+  - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+    triggered operation.
+  - Merge #600 from pemensik: Change file mode before changing file
+    owner.
+  - Fix prematurely terminated TCP queries when a reply has the same ID.
+  - For #602: Allow the module-config "subnetcache validator cachedb
+    iterator".
+  - Fix EDNS to upstream where the same option could be attached
+    more than once.
+  - Add a region to serviced_query for allocations.
+  - For dnstap, do not wakeupnow right there. Instead zero the timer to
+    force the wakeup callback asap.
+  - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+  - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+    serviced_udp_callback.
+  - Merge PR #612: TCP race condition.
+  - Test for NSID in SERVFAIL response due to DNSSEC bogus.
+  - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+    document.
+  - Fix tls-* and ssl-* documented alternate syntax to also be available
+    through remote-control and unbound-checkconf.
+  - Better cleanup on failed DoT/DoH listening socket creation.
+  - iana portlist update.
+  - Fix review comment for use-after-free when failing to send UDP out.
+  - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+    internals.
+  - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+  - Merge PR #617: Update stub/forward-host notation to accept port and
+    tls-auth-name.
+  - Update stream_ssl.tdir test to also use the new forward-host
+    notation.
+  - Fix header comment for doxygen for authextstrtoaddr.
+  - please clang analyzer for loop in test code.
+  - Fix docker splint test to use more portable uname.
+  - Update contrib/aaaa-filter-iterator.patch with diff for current
+    software version.
+  - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. 
+
+-------------------------------------------------------------------
+Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Change to systemd-sysusers
+
 -------------------------------------------------------------------
 Thu Dec  9 11:14:33 UTC 2021 - Michael Ströder <michael@stroeder.com>

--- a/unbound.spec
+++ b/unbound.spec
@ -1,7 +1,7 @@
 #
 # spec file for package unbound
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -21,42 +21,32 @@
  %define _fillupdir /var/adm/fillup-templates
 %endif

-%bcond_without python2
 %bcond_without python3
 %bcond_without munin
 %bcond_without hardened_build
 %bcond_without dnstap
 %bcond_without systemd

-#
 %define _sharedstatedir /var/lib/
 %define ldns_version 1.6.16

-#
 %define piddir /run

 Name:           unbound
-Version:        1.14.0
+Version:        1.15.0
 Release:        0
-#
-#
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}
 BuildRequires:  libevent-devel
 BuildRequires:  libexpat-devel
 BuildRequires:  libsodium-devel
 BuildRequires:  openssl-devel
+BuildRequires:  sysuser-tools
 %if %{with dnstap}
 BuildRequires:  libfstrm-devel
 BuildRequires:  libprotobuf-c-devel >= 1.0.0
 BuildRequires:  protobuf-c >= 1.0.0
 %endif
-%if %{with python2}
-BuildRequires:  python-rpm-macros
-BuildRequires:  python2-devel
-BuildRequires:  swig
-%endif
 %if %{with python3}
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3-devel
@ -64,7 +54,6 @@ BuildRequires:  swig
 %endif
 # needed for dns over https
 BuildRequires:  pkgconfig(libnghttp2)
-
 Requires:       ldns >= %{ldns_version}
 # until we figured something else out for the unbound-anchor part in the systemd unit file
 Requires:       sudo
@ -72,7 +61,6 @@ Requires:       sudo
 BuildRequires:  pkgconfig(libsystemd)
 %{?systemd_requires}
 %endif
-#
 URL:            https://www.unbound.net/
 Source:         https://www.unbound.net/downloads/unbound-%{version}.tar.gz
 Source1:        unbound.service
@ -93,6 +81,7 @@ Source14:       unbound.sysconfig
 Source15:       unbound-anchor.timer
 Source16:       unbound-munin.README
 Source18:       unbound-anchor.service
+Source19:       unbound.sysusers

 Summary:        Validating, recursive, and caching DNS(SEC) resolver
 License:        BSD-3-Clause
@ -155,7 +144,7 @@ This package holds the development files to work with libunbound.
 #
 Summary:        Unbound Anchor cert management tools
 Group:          Productivity/Networking/DNS/Servers
-Requires(pre):  shadow
+%sysusers_requires

 %description anchor
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@ -176,27 +165,11 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver.
 This package holds the Python modules and extensions for unbound.
 %endif

-%if %{with python2}
-%package -n python2-unbound
-Summary:        Python modules and extensions for unbound
-Group:          Applications/System
-Requires:       %{libname} = %{version}
-
-%description -n python2-unbound
-Unbound is a validating, recursive, and caching DNS(SEC) resolver.
-
-This package holds the Python modules and extensions for unbound.
-%endif
-
 %prep
 %setup
-%if %{with python2}
-pushd ..
-cp -pr %{name}-%{version} p2
-popd
-%endif

 %build
+%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"

@ -257,12 +230,6 @@ popd
 make %{?_smp_mflags} all streamtcp

 %install
-%if %{with python2}
-pushd ../p2
-%make_install
-popd
-%endif
-
 %make_install

 install -d -m 0750                %{buildroot}/var/lib/unbound
@ -323,18 +290,15 @@ install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8

+# sysusers.d
+install -Dm0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/unbound.conf
+
 %check
 # it currently fails in the ldns unit test. which is weird as both come from the same project
 make check ||:

-%pre anchor
-%if %{with systemd}
+%pre anchor -f anchor.pre
 %service_add_pre  unbound-anchor.service unbound-anchor.timer
-%endif
-getent group unbound >/dev/null || groupadd -r unbound
-getent passwd unbound >/dev/null || \
-	useradd -g unbound -s /bin/false -r -c "unbound caching DNS server" \
-	-d /var/lib/unbound unbound

 %if %{with systemd}
 %pre
@ -382,8 +346,8 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %postun -n %{libname} -p /sbin/ldconfig

 %files
-%defattr(-,root,root,-)
-%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
+%license doc/LICENSE
+%doc doc/README doc/CREDITS doc/FEATURES
 %attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name}
 %attr(0640,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %dir %attr(-,root,unbound)                     %{_sysconfdir}/%{name}/keys.d
@ -420,23 +384,13 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :

 %if %{with python3}
 %files -n python3-unbound
-%defattr(-,root,root,-)
 %{python3_sitearch}/*
 %doc libunbound/python/examples/*
 %doc pythonmod/examples/*
 %endif

-%if %{with python2}
-%files -n python2-unbound
-%defattr(-,root,root,-)
-%{python2_sitearch}/*
-%doc ../p2/libunbound/python/examples/*
-%doc ../p2/pythonmod/examples/*
-%endif
-
 %if %{with munin}
 %files munin
-%defattr(-,root,root,-)
 %dir               %{_sysconfdir}/munin/
 %dir               %{_sysconfdir}/munin/plugin-conf.d/
 %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
@ -447,7 +401,6 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %endif

 %files devel
-%defattr(-,root,root,-)
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
 %{_libdir}/libunbound.so
@ -457,12 +410,12 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %{_mandir}/man3/ub_*.3*

 %files anchor
-%defattr(-,root,root,-)
 %dir %{_sysconfdir}/%{name}/
 %{_sbindir}/unbound-anchor
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
+%{_sysusersdir}/unbound.conf
 %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
 %attr(0644,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
--- a/unbound.sysusers
+++ b/unbound.sysusers
@ -0,0 +1,2 @@
+#Type Name    ID GECOS                        Home directory   Shell
+u     unbound -  "unbound caching DNS server" /var/lib/unbound -