Date: Mon, 8 Jun 2020 09:55:37 +0000
From: "Kimmo Suominen"
Subject: CVS commit: pkgsrc/security/ca-certificates
To: pkgsrc-changes@NetBSD.org
Reply-To: kim@netbsd.org

Module Name:    pkgsrc
Committed By:   kim
Date:           Mon Jun 8 09:55:37 UTC 2020

Modified Files:
    pkgsrc/security/ca-certificates: DESCR Makefile PLIST distinfo
Added Files:
    pkgsrc/security/ca-certificates/files: README.pkgsrc
Removed Files:
    pkgsrc/security/ca-certificates: MESSAGE

Log Message:
Upgrade to 20200601

* Update Mozilla certificate authority bundle to version 2.40.
* Add distrusted Symantec CA list to blacklist for explicit removal.
* Blacklist expired root certificate, "AddTrust External Root".

The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"

The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"

Changes for pkgsrc packaging:
* Add README.pkgsrc, replacing MESSAGE.
* Improve DESCR to better describe the functionality of the package.
* Install changelog and README.source from the distribution package.

To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/ca-certificates/DESCR \
    pkgsrc/security/ca-certificates/Makefile \
    pkgsrc/security/ca-certificates/PLIST \
    pkgsrc/security/ca-certificates/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/ca-certificates/MESSAGE
cvs rdiff -u -r0 -r1.1 pkgsrc/security/ca-certificates/files/README.pkgsrc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/ca-certificates/DESCR diff -u pkgsrc/security/ca-certificates/DESCR:1.1 pkgsrc/security/ca-certificates/DESCR:1.2 --- pkgsrc/security/ca-certificates/DESCR:1.1 Sun May 31 15:53:44 2020 +++ pkgsrc/security/ca-certificates/DESCR Mon Jun 8 09:55:36 2020 
@@ -1,6 +1,7 @@ This package provides the certificates distributed by the Mozilla -Project. +Project and will, by default, install certificates trusted by the +Mozilla Project in the system certificate store. -It also provides a script, update-ca-certs, which can be used to manage -a location that makes certificates usable by TLS implementations, -including installing select certificates from this package. +The sysadmin can configure the list of trusted certificates and also +add local certificates as needed by editing ca-certificates.conf and +re-running update-ca-certificates. Index: pkgsrc/security/ca-certificates/Makefile diff -u pkgsrc/security/ca-certificates/Makefile:1.1 pkgsrc/security/ca-certificates/Makefile:1.2 --- pkgsrc/security/ca-certificates/Makefile:1.1 Sun May 31 15:53:44 2020 +++ pkgsrc/security/ca-certificates/Makefile Mon Jun 8 09:55:36 2020 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.1 2020/05/31 15:53:44 kim Exp $ +# $NetBSD: Makefile,v 1.2 2020/06/08 09:55:36 kim Exp $ -PKGNAME= ca-certificates-20190110 +PKGNAME= ca-certificates-20200601 DISTNAME= ${PKGNAME:C/-([^-]*)$/_\1/} CATEGORIES= security MASTER_SITES= http://deb.debian.org/debian/pool/main/c/ca-certificates/ @@ -14,11 +14,13 @@ LICENSE= gnu-gpl-v2 AND mpl-2.0 NO_CONFIGURE= yes PYTHON_FOR_BUILD_ONLY= yes -USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run mkdir:run +USE_TOOLS= echo:run find:run ln:run openssl:run rm:run sed:run sort:run wc:run WRKSRC= ${WRKDIR}/${PKGNAME_NOREV} DATADIR= ${PREFIX}/share/${PKGBASE} +DOCDIR= ${PREFIX}/share/doc/${PKGBASE} EGDIR= ${PREFIX}/share/examples/${PKGBASE} +MANDIR= ${PREFIX}/share/man/man8 # Set paths depending on whether we depend on builtin or pkgsrc # openssl. \todo Arguably, we should consider installing into both 
@@ -43,26 +45,37 @@ SUBST_STAGE.paths= post-build SUBST_FILES.paths= Makefile sbin/Makefile SUBST_FILES.paths+= ca-certificates.conf SUBST_FILES.paths+= sbin/update-ca-certificates sbin/update-ca-certificates.8 +SUBST_FILES.paths+= README.pkgsrc SUBST_SED.paths= -e 's,/usr/sbin,${PREFIX}/sbin,g' SUBST_SED.paths+= -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g' SUBST_SED.paths+= -e 's,/etc/ssl,${SSLDIR},g' SUBST_SED.paths+= -e 's,/usr/share/ca-certificates,${DATADIR},g' -INSTALLATION_DIRS= sbin ${DATADIR} ${EGDIR} share/man/man8 +INSTALLATION_DIRS= sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR} CONF_FILES= ${EGDIR}/ca-certificates.conf \ ${PKG_SYSCONFDIR}/ca-certificates.conf pre-build: - @${CP} ${FILESDIR}/ca-certificates.conf ${WRKSRC}/ + @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/ @${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \ >> ${WRKSRC}/ca-certificates.conf +post-extract: + ${MV} ${WRKDIR}/work ${WRKSRC} + post-install: - ${INSTALL_MAN} ${WRKSRC}/sbin/update-ca-certificates.8 \ - ${DESTDIR}${PREFIX}/share/man/man8/update-ca-certificates.8 - ${INSTALL_DATA} ${WRKSRC}/ca-certificates.conf \ - ${DESTDIR}${EGDIR}/ca-certificates.conf + ${INSTALL_MAN} \ + ${WRKSRC}/sbin/update-ca-certificates.8 \ + ${DESTDIR}${MANDIR}/ + ${INSTALL_DATA} \ + ${WRKSRC}/README.pkgsrc \ + ${WRKSRC}/debian/README.source \ + ${WRKSRC}/debian/changelog \ + ${DESTDIR}${DOCDIR}/ + ${INSTALL_DATA} \ + ${WRKSRC}/ca-certificates.conf \ + ${DESTDIR}${EGDIR}/ .include "../../lang/python/tool.mk" .include "../../mk/bsd.pkg.mk" Index: pkgsrc/security/ca-certificates/PLIST diff -u pkgsrc/security/ca-certificates/PLIST:1.1 pkgsrc/security/ca-certificates/PLIST:1.2 --- pkgsrc/security/ca-certificates/PLIST:1.1 Sun May 31 15:53:44 2020 +++ pkgsrc/security/ca-certificates/PLIST Mon Jun 8 09:55:36 2020 
@@ -1,9 +1,8 @@ -@comment $NetBSD: PLIST,v 1.1 2020/05/31 15:53:44 kim Exp $ +@comment $NetBSD: PLIST,v 1.2 2020/06/08 09:55:36 kim Exp $ sbin/update-ca-certificates share/ca-certificates/mozilla/ACCVRAIZ1.crt share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt -share/ca-certificates/mozilla/AddTrust_External_Root.crt share/ca-certificates/mozilla/AffirmTrust_Commercial.crt share/ca-certificates/mozilla/AffirmTrust_Networking.crt share/ca-certificates/mozilla/AffirmTrust_Premium.crt @@ -23,8 +22,7 @@ share/ca-certificates/mozilla/COMODO_Cer share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt share/ca-certificates/mozilla/Certigna.crt -share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt -share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt +share/ca-certificates/mozilla/Certigna_Root_CA.crt share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt @@ -33,7 +31,6 @@ share/ca-certificates/mozilla/Cybertrust share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt share/ca-certificates/mozilla/DST_Root_CA_X3.crt -share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt 
@@ -49,12 +46,12 @@ share/ca-certificates/mozilla/Entrust.ne share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt +share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt -share/ca-certificates/mozilla/GeoTrust_Global_CA.crt -share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt -share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt -share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt -share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt +share/ca-certificates/mozilla/GTS_Root_R1.crt +share/ca-certificates/mozilla/GTS_Root_R2.crt +share/ca-certificates/mozilla/GTS_Root_R3.crt +share/ca-certificates/mozilla/GTS_Root_R4.crt share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt @@ -69,6 +66,7 @@ share/ca-certificates/mozilla/Hellenic_A share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt +share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt share/ca-certificates/mozilla/ISRG_Root_X1.crt share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt 
@@ -116,17 +114,20 @@ share/ca-certificates/mozilla/TrustCor_E share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt +share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt +share/ca-certificates/mozilla/UCA_Global_G2_Root.crt share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt -share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt -share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt -share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt -share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt -share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt +share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt +share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt +share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt +share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt +share/doc/ca-certificates/README.pkgsrc +share/doc/ca-certificates/README.source +share/doc/ca-certificates/changelog share/examples/ca-certificates/ca-certificates.conf share/man/man8/update-ca-certificates.8 Index: pkgsrc/security/ca-certificates/distinfo diff -u pkgsrc/security/ca-certificates/distinfo:1.1 pkgsrc/security/ca-certificates/distinfo:1.2 --- pkgsrc/security/ca-certificates/distinfo:1.1 Sun May 31 15:53:44 2020 +++ pkgsrc/security/ca-certificates/distinfo Mon Jun 8 09:55:36 2020 
@@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.1 2020/05/31 15:53:44 kim Exp $ +$NetBSD: distinfo,v 1.2 2020/06/08 09:55:36 kim Exp $ -SHA1 (ca-certificates_20190110.tar.xz) = 47d4584eae85fc905e4994766eb3930a8a84e2e1 -RMD160 (ca-certificates_20190110.tar.xz) = cbf8f474fba527dc96413632ac5874385bd38e17 -SHA512 (ca-certificates_20190110.tar.xz) = 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372 -Size (ca-certificates_20190110.tar.xz) = 243472 bytes +SHA1 (ca-certificates_20200601.tar.xz) = f17235bc9c3aec538065a655681815c242a6d7d5 +RMD160 (ca-certificates_20200601.tar.xz) = a9f1f232f46ecb06c53d5d814c29d3b9aca88323 +SHA512 (ca-certificates_20200601.tar.xz) = 7bfd3122430be0a46bd10dcb0e0664561d1e0b2656b9f37677d89f71a1dcb0e668c25ffe08412888125fa9a53ee8245a4b3fc1004c419a159766665b1241113c +Size (ca-certificates_20200601.tar.xz) = 245668 bytes Added files: Index: pkgsrc/security/ca-certificates/files/README.pkgsrc diff -u /dev/null pkgsrc/security/ca-certificates/files/README.pkgsrc:1.1 --- /dev/null Mon Jun 8 09:55:37 2020 +++ pkgsrc/security/ca-certificates/files/README.pkgsrc Mon Jun 8 09:55:37 2020 
@@ -0,0 +1,36 @@ +$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $ + +This package provides the certificates distributed by the Mozilla +Project and will, by default, install certificates trusted by the +Mozilla Project in the system certificate store (/etc/ssl), +so that they can be used by third party applications using OpenSSL. + +Edit /etc/ca-certificates.conf to further configure which +certificates are installed. + +To install local certificate authorities to be implicitly trusted, +place the certificate files in /usr/local/share/ca-certificates/ +as single files ending with ".crt". + +After changing the configuration and adding local certificates run this +command to install and rehash the certificates: + + # /usr/sbin/update-ca-certificates + +After removing local certificates run this command to remove dangling +symlinks from /etc/ssl/certs: + + # /usr/sbin/update-ca-certificates --fresh + +The update-ca-certificates tool also creates a single file certificate +bundle in PEM format in /etc/ssl/certs/ca-certificates.crt +which can be used by applications using GnuTLS. + +To mark the installed certificates as trusted for users of gnupg2 do +the following (assuming default PKG_SYSCONFBASE and a Bourne shell): + + # mkdir -p /usr/pkg/etc/gnupg + # cd /usr/pkg/etc/gnupg + # for c in /etc/ssl/certs/*.pem; do + > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|' + > done > trustlist.txt --_----------=_1591610137203900--
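
Review bot: MASTER_SITES in the first Makefile hunk (@@ -1,6 +1,6 @@) still fetches the distfile over plain http (http://deb.debian.org/debian/pool/main/c/ca-certificates/), so for a package that installs the system trust anchors the only integrity check on the download is the checksum set in distinfo. Consider switching the URL to https if the mirror serves it, and have a second person confirm the new SHA512 for ca-certificates_20200601.tar.xz against an independently obtained copy of the tarball.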
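
Review bot: README.pkgsrc is added to SUBST_FILES.paths in the Makefile hunk at @@ -43,26 +45,37 @@, but none of the four SUBST_SED.paths expressions matches the /usr/local/share/ca-certificates/ path that the README gives for local certificate authorities, so that path is installed as written while the /usr/sbin, /etc/ssl and /etc/ca-certificates.conf references around it are rewritten. Check that this is the directory update-ca-certificates scans on a pkgsrc install, or add a substitution for it. The new post-extract target (${MV} ${WRKDIR}/work ${WRKSRC}) would also benefit from a one-line comment saying why the distfile needs the rename.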
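
Review bot: The gnupg2 loop at the end of the README.pkgsrc hunk (@@ -0,0 +1,36 @@) redirects with "> trustlist.txt", which truncates any existing trustlist.txt in /usr/pkg/etc/gnupg, and it marks every *.pem under /etc/ssl/certs as trusted, including any local CAs that update-ca-certificates linked there for TLS use only. Say so in the text, or write to a temporary file and let the admin merge the result. In the same loop, quote "$c" and pass -sha1 to openssl x509 so the fingerprint digest does not depend on the openssl default.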