[freeipa/f17] Update to 2.2.0 beta1, fix shell escaping to work with dogtag 9.0.18.

rcritten rcritten at fedoraproject.org
Mon Mar 19 21:12:40 UTC 2012


commit 37328834276f49643d53fe10d58155fafac3b685
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Mon Mar 19 14:30:56 2012 -0400

    Update to 2.2.0 beta1, fix shell escaping to work with dogtag 9.0.18.
    
    - Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
    - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
    - Add Conflicts on mod_ssl
    - Update minimum n-v-r of 389-ds-base to 1.2.10.4
    - Update minimum n-v-r of sssd to 1.8.0
    - Update minimum n-v-r of slapi-nis to 0.38
    - Update minimum n-v-r of pki-* to 9.0.18
    - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
    - Update conflicts on bind to < 9.9.0-1
    - Drop requires on krb5-server-ldap
    - Add patch to remove escaping arguments to pkisilent

 .gitignore                       |    1 +
 freeipa-2.1.90-shellescape.patch |   33 +++++++++++++++++
 freeipa.spec                     |   71 +++++++++++++++++++++++++++-----------
 sources                          |    2 +-
 4 files changed, 86 insertions(+), 21 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e26dc56..ce998d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
 /freeipa-2.1.3-wait_for_socket.patch.gz
 /freeipa-2.1.4.tar.gz
 /freeipa-2.1.90.pre1.tar.gz
+/freeipa-2.1.90.rc1.tar.gz
diff --git a/freeipa-2.1.90-shellescape.patch b/freeipa-2.1.90-shellescape.patch
new file mode 100644
index 0000000..6077ca0
--- /dev/null
+++ b/freeipa-2.1.90-shellescape.patch
@@ -0,0 +1,33 @@
+From 3bce02b17edfbdf90ecdac2f9643e28eb20a170a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten at redhat.com>
+Date: Tue, 13 Mar 2012 21:53:06 -0400
+Subject: [PATCH] No longer shell escape the DM password when calling
+ pkisilent.
+
+pkisilent was modified to handle escaping characters itself in
+BZ https://bugzilla.redhat.com/show_bug.cgi?id=769388
+
+This removes the workaround from ticket 1636.
+
+https://fedorahosted.org/freeipa/ticket/2529
+---
+ ipaserver/install/cainstance.py |    3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 6012ae1c7a00a87522fc0778f2cb355a3924d805..894e1951fa0c6f1a0f235cce0520c275724f227d 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -659,9 +659,6 @@ class CAInstance(service.Service):
+                 args.append("-clone")
+                 args.append("false")
+ 
+-            # pkisilent does not escape the arguments before passing them to shell
+-            args[2:] = [ipautil.shell_quote(i) for i in args[2:]]
+-
+             # Define the things we don't want logged
+             nolog = (self.admin_password, self.dm_password,)
+ 
+-- 
+1.7.6
+
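Review bot: After the `shell_quote` pass is deleted from the argument list built just above `nolog`, nothing in `cainstance.py` records why the arguments, which per `nolog` include the admin and DM passwords, are now passed unquoted. The removed comment says older pkisilent hands its arguments to a shell unescaped, so the protection now rests on the spec's `Requires: pki-silent >= 9.0.18`; the Python code itself has no version check, and a source install against an older pkisilent would pass password characters to the shell raw. I would leave a comment where the deleted lines were, e.g. `# pkisilent >= 9.0.18 escapes its own arguments (RHBZ 769388); do not shell_quote here`. The enclosing method starts and ends outside the hunk.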
diff --git a/freeipa.spec b/freeipa.spec
index 6d23c3b..0c95feb 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -11,24 +11,22 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
 %global POLICYCOREUTILSVER 1.33.12-1
 %global gettext_domain ipa
-%global VERSION 2.1.90.pre1
+%global VERSION 2.1.90.rc1
 
 Name:           freeipa
 Version:        2.1.90
-Release:        0.1%{?dist}
+Release:        0.2%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
 License:        GPLv3+
 URL:            http://www.freeipa.org/
-Source0:        freeipa-%{VERSION}.tar.gz
-Patch7:         freeipa-2.1.4-inifiles-support.patch
-Patch8:         freeipa-2.1.4-python-ldap-2.4.6-support.patch
-Patch9:         freeipa-2.1.4-upgrade-systemd.patch
+Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
+Patch10:        freeipa-2.1.90-shellescape.patch
 BuildRoot:      %{_tmppath}/%{name}-%{VERSION}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.2.10-0.6.a6
+BuildRequires:  389-ds-base-devel >= 1.2.10.4
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
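Review bot: The new `Source0` is a plain `http://` URL, so anyone refetching the tarball from the spec receives it over an unauthenticated channel, and the only integrity check visible on this page is the MD5 line in `sources`. If the upstream host serves the same path over TLS (not verifiable from here), `Source0: https://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz` would be the safer form. Otherwise a comment above `Source0` saying where a signature or stronger checksum of the release can be checked would help the next packager.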
@@ -61,6 +59,8 @@ BuildRequires:  python-rhsm
 BuildRequires:  pyOpenSSL
 BuildRequires:  pylint
 BuildRequires:  libipa_hbac-python
+BuildRequires:  python-memcached
+BuildRequires:  sssd >= 1.8.0
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -76,31 +76,32 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.10-0.8.a7
+Requires(pre): 389-ds-base >= 1.2.10.4
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
 Requires: krb5-server >= 1.10-2
-Requires: krb5-server-ldap
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb
+Requires: mod_auth_kerb >= 5.4-9
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1 >= 0.0.9a
+Requires: memcached
+Requires: python-memcached
 Requires: systemd-units >= 36-3
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= 3.10.0-82
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.36
-Requires: pki-ca >= 9.0.17
-Requires: pki-silent >= 9.0.17
+Requires: slapi-nis >= 0.38
+Requires: pki-ca >= 9.0.18
+Requires: pki-silent >= 9.0.18
 # Only tomcat6 greater than this version provides proper systemd support
 Requires: tomcat6 >= 6.0.32-17
 Requires: dogtag-pki-common-theme
@@ -114,8 +115,12 @@ Requires(postun): python systemd-units
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
-Conflicts: bind-dyndb-ldap < 1.0.0-0.1.b1
-Conflicts: bind < 9.8.1-1
+Conflicts: bind-dyndb-ldap < 1.1.0-0.9.b1
+Conflicts: bind < 9.9.0-1
+
+# mod_proxy provides a single API to communicate over SSL. If mod_ssl
+# is even loaded into Apache then it grabs this interface.
+Conflicts: mod_ssl
 
 Obsoletes: ipa-server >= 1.0
 
@@ -159,7 +164,7 @@ Requires: pam_krb5
 Requires: wget
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.6.2
+Requires: sssd >= 1.8.0
 Requires: certmonger >= 0.26
 Requires: nss-tools
 Requires: bind-utils
@@ -218,9 +223,7 @@ package.
 
 %prep
 %setup -n freeipa-%{VERSION} -q
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
+%patch10 -p1
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"
@@ -303,7 +306,17 @@ mkdir -p %{buildroot}%{_initrddir}
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 mkdir -p %{buildroot}%{_libexecdir}
+install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
 install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade
+
+mkdir -p %{buildroot}%{_initrddir}
+mkdir %{buildroot}%{_sysconfdir}/sysconfig/
+install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
+mkdir -p %{buildroot}%{_localstatedir}/run/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
+
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
+install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfiles.d/ipa.conf
 %endif
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
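Review bot: The added `mkdir %{buildroot}%{_sysconfdir}/sysconfig/` is the only directory creation in this hunk without `-p`, so %install fails if that directory already exists or if `%{_sysconfdir}` has not yet been created in the buildroot (earlier lines are not visible from this hunk). `mkdir -p %{buildroot}%{_sysconfdir}/sysconfig/` matches the neighbouring lines and removes the ordering dependency. The added `mkdir -p %{buildroot}%{_initrddir}` repeats the line shown in the hunk header context and can be dropped.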
@@ -419,8 +432,12 @@ fi
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-compliance
 %{_sysconfdir}/cron.d/ipa-compliance
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
+%config %{_sysconfdir}/tmpfiles.d/ipa.conf
 # Use systemd scheme
 %attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %{_libexecdir}/freeipa-systemd-upgrade
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
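Review bot: The `0700 apache:apache` restriction on `%{_localstatedir}/run/ipa_memcached/` is stated only in this `%dir %attr(...)` entry, while the commit also ships `%{_sysconfdir}/tmpfiles.d/ipa.conf`, whose contents are not shown. If /var/run is a tmpfs on the target release, the directory is presumably recreated at boot from that tmpfiles entry rather than from the package payload, so a mismatch there could bring it back with a looser mode or a different owner. A comment above the `%dir` line would tie the two together, e.g. `# mode/owner must match init/systemd/ipa.conf.tmpfiles, which recreates this directory at boot`.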
@@ -438,10 +455,11 @@ fi
 %{_usr}/share/ipa/migration/error.html
 %{_usr}/share/ipa/migration/index.html
 %{_usr}/share/ipa/migration/invalid.html
-%{_usr}/share/ipa/migration/ipa_migration.css
 %{_usr}/share/ipa/migration/migration.py*
 %dir %{_usr}/share/ipa/ui
 %{_usr}/share/ipa/ui/index.html
+%{_usr}/share/ipa/ui/login.html
+%{_usr}/share/ipa/ui/logout.html
 %{_usr}/share/ipa/ui/*.ico
 %{_usr}/share/ipa/ui/*.css
 %{_usr}/share/ipa/ui/*.js
@@ -556,6 +574,19 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Mon Mar 19 2012 Rob Crittenden <rcritten at redhat.com> - 2.1.90-0.2
+- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
+- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
+- Add Conflicts on mod_ssl
+- Update minimum n-v-r of 389-ds-base to 1.2.10.4
+- Update minimum n-v-r of sssd to 1.8.0
+- Update minimum n-v-r of slapi-nis to 0.38
+- Update minimum n-v-r of pki-* to 9.0.18
+- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
+- Update conflicts on bind to < 9.9.0-1
+- Drop requires on krb5-server-ldap
+- Add patch to remove escaping arguments to pkisilent
+
 * Mon Feb 06 2012 Rob Crittenden <rcritten at redhat.com> - 2.1.90-0.1
 - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
 
diff --git a/sources b/sources
index 664d51b..ba551e2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-c0d9c3bbc2ba603d14f97098fe11057d  freeipa-2.1.90.pre1.tar.gz
+cca14e87c51ea081564dda7e15775d46  freeipa-2.1.90.rc1.tar.gz

