- Change the mechanism to use system-wide CA certificates:

+ on openSUSE, use the (new) upstream ca_certs_locater mechanism and don't ship a private copy of Mozilla's CA certs file + on SLES, regenerate cacerts.txt from /etc/ssl/certs when httplib2 is installed and/or openssl-certs is installed/updated OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-httplib2?expand=0&rev=38
2013-07-03 08:20:25 +00:00 · 2013-07-03 08:20:25 +00:00 · f1d9144b77
commit f1d9144b77
parent 5808412e1a
6 changed files with 100 additions and 54 deletions
--- a/ca_certs_locater.py
+++ b/ca_certs_locater.py
@ -0,0 +1,22 @@
 #
 # httplib2 system SSL certificate bundle locator for openSUSE / SLES.
 # openSUSE has /etc/ssl/ca-bundle.pem (from package ca-certificates) but on
 # SLES, it's only individual files (from openssl-certs)
 #
 # Author: Sascha Peilicke <speilicke@suse.com>
 #
 def get():
    for line in open("/etc/SuSE-release"):
        if "SUSE Linux Enterprise Server" in line:
            # Python-2.x doesn't support loading from a directory containing
            # PEM files, thus we have to use a bundle created by hand (and
            # refreshed with updates of either httpli2 or openssl-certs).
            return "ca-bundle.pem"
        else:
            return "/etc/ssl/ca-bundle.pem"
 if __name__ == "__main__":
    print get()
--- a/certbundle.run
+++ b/certbundle.run
@ -0,0 +1,43 @@
 #!/bin/bash
 # vim: syntax=sh
 shopt -s nullglob
 cafile=${1:-/etc/ssl/ca-bundle.pem}
 cadir="/etc/ssl/certs"
 for i in "$@"; do
 	if [ "$i" = "-f" ]; then
 		fresh=1
 	elif [ "$i" = "-v" ]; then
 		verbose=1
 	fi
 done
 if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
 	exit 0
 fi
 echo "creating $cafile ..."
 cat > "$cafile.new" <<EOF
 #
 # automatically created by $0. Do not edit!
 #
 # Use of this file is deprecated and should only be used as last
 # resort by applications that cannot parse the $cadir directory.
 # You should avoid hardcoding any paths in applications anyways though.
 # Use e.g.
 # SSL_CTX_set_default_verify_paths() instead.
 #
 EOF
 for i in "$cadir"/*.pem; do
 	# only include certificates trusted for server auth
 	if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
 		trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
 		case "$trust" in
 			*serverAuth*) ;;
 			*) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
 		esac
 	fi
 	openssl x509 -in "$i"
 done >> "$cafile.new"
 mv "$cafile.new" "$cafile"
--- a/httplib2-use-system-certs.patch
+++ b/httplib2-use-system-certs.patch
@ -1,46 +0,0 @@
 diff -ruN a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
 --- a/python2/httplib2/__init__.py	2013-03-06 21:45:31.000000000 +0100
 +++ b/python2/httplib2/__init__.py	2013-03-22 14:02:09.458410128 +0100
@@ -184,15 +184,8 @@
 # requesting that URI again.
 DEFAULT_MAX_REDIRECTS = 5
 -try:
 -    # Users can optionally provide a module that tells us where the CA_CERTS
 -    # are located.
 -    import ca_certs_locater
 -    CA_CERTS = ca_certs_locater.get()
 -except ImportError:
 -    # Default CA certificates file bundled with httplib2.
 -    CA_CERTS = os.path.join(
 -        os.path.dirname(os.path.abspath(__file__ )), "cacerts.txt")
 +# Default CA certificates file bundled with httplib2.
 +CA_CERTS = '/etc/ssl/ca-bundle.pem'
 # Which headers are hop-by-hop headers by default
 HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization', 'te', 'trailers', 'transfer-encoding', 'upgrade']
 diff -ruN a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py
 --- a/python3/httplib2/__init__.py	2013-03-06 21:45:31.000000000 +0100
 +++ b/python3/httplib2/__init__.py	2013-03-22 14:01:51.270409717 +0100
@@ -124,8 +124,8 @@
 HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization', 'te', 'trailers', 'transfer-encoding', 'upgrade']
 # Default CA certificates file bundled with httplib2.
 -CA_CERTS = os.path.join(
 -        os.path.dirname(os.path.abspath(__file__ )), "cacerts.txt")
 +CA_CERTS = '/etc/ssl/ca-bundle.pem'
 +        
 def _get_end2end_headers(response):
     hopbyhop = list(HOP_BY_HOP)
 diff -ruN a/setup.py b/setup.py
 --- a/setup.py	2013-03-06 21:45:31.000000000 +0100
 +++ b/setup.py	2013-03-22 14:02:33.031410660 +0100
@@ -62,7 +62,6 @@
         """,
         package_dir=pkgdir,
         packages=['httplib2'],
 -        package_data={'httplib2': ['*.txt']},
         classifiers=[
         'Development Status :: 4 - Beta',
         'Environment :: Web Environment',
--- a/pre_checkin.sh
+++ b/pre_checkin.sh
@ -1,4 +0,0 @@
 #!/bin/sh
 sed 's,^\(Name: *\)python-,\1python3-,;s,^\(Requires: *\)python-,\1python3-,;s,^\(BuildRequires: *\)python-,\1python3-,;s,python setup.py,python3 setup.py,;s,python_sitelib,python3_sitelib,;s,python_sitearch,python3_sitearch,' python-httplib2.spec > python3-httplib2.spec
 cp python-httplib2.changes python3-httplib2.changes
--- a/python-httplib2.changes
+++ b/python-httplib2.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Thu Jun 20 11:48:15 UTC 2013 - speilicke@suse.com
 - Change the mechanism to use system-wide CA certificates:
  + on openSUSE, use the (new) upstream ca_certs_locater mechanism
    and don't ship a private copy of Mozilla's CA certs file
  + on SLES, regenerate cacerts.txt from /etc/ssl/certs when
    httplib2 is installed and/or openssl-certs is installed/updated
 -------------------------------------------------------------------
 Thu May  2 10:23:29 UTC 2013 - speilicke@suse.com
--- a/python-httplib2.spec
+++ b/python-httplib2.spec
@ -25,9 +25,10 @@ License:        MIT and Apache-2.0 and (MPL-1.1 or GPL-2.0+ or LGPL-2.1+)
 Group:          Development/Libraries/Python
 Source:         http://pypi.python.org/packages/source/h/httplib2/httplib2-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE: Don't ship private copy of Mozilla NSS certs, use system certs instead (bnc#761162)
-Patch0:         httplib2-use-system-certs.patch
+Source1:        ca_certs_locater.py
 Source2:        certbundle.run
 # PATCH-FIX-UPSTREAM: speilicke@suse.com -- SSL certificate hostname mismatch is checked only once
-Patch1:         httplib2-bnc-818100.patch
+Patch0:         httplib2-bnc-818100.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  python-devel
 # Test requirements (for ssl module):
@ -50,20 +51,41 @@ left out of other HTTP libraries.
 %prep
 %setup -q -n httplib2-%{version}
 %patch0 -p1
 %patch1 -p1
 %build
 python setup.py build
 %install
 python setup.py install --prefix=%{_prefix} --root=%{buildroot}
 # NOTE(saschpe): On SLES, there's no /etc/ssl/ca-bundle.pem, thus
 # we have to generate a private copy (and refresh it occasionally)
 %if 0%{?sles_version}
 install -m 0755 %{SOURCE2} %{buildroot}%{python_sitelib}/httplib2/
 %else
 install -m 0644 %{SOURCE1} %{buildroot}%{python_sitelib}/httplib2/
 rm %{buildroot}%{python_sitelib}/httplib2/cacerts.txt
 %endif
 #%%check
 #python python2/httplib2test.py
 %if 0%{?sles_version}
 %post
 %{python_sitelib}/httplib2/certbundle.run %{python_sitelib}/httplib2/cacerts.txt
 %triggerin -- openssl-certs
 %{python_sitelib}/httplib2/certbundle.run %{python_sitelib}/httplib2/cacerts.txt
 %endif
 %files
 %defattr(-,root,root)
 %doc README
-%{python_sitelib}/*
+%{python_sitelib}/httplib2-%{version}-py%{py_ver}.egg-info
 %dir %{python_sitelib}/httplib2
 %{python_sitelib}/httplib2/*.py*
 %if 0%{?sles_version}
 %{python_sitelib}/httplib2/certbundle.run
 %ghost %{python_sitelib}/httplib2/cacerts.txt
 %endif
 %changelog