Bump version and sync with ABS

1 year ago · 3c189d6b48
6 changed files with 182 additions and 71 deletions
--- a/.SRCINFO
+++ b/.SRCINFO
@ -1,6 +1,6 @@
 pkgbase = gnupg-scdaemon-shared-access
 	pkgdesc = This package adds shared-access option that uses PCSC_SHARE_SHARED for pcsc_connect in scdaemon when using pcsc backend for smartcard access
-	pkgver = 2.2.20
+	pkgver = 2.2.21
 	pkgrel = 1
 	url = https://www.gnupg.org/
 	install = install
@ -25,22 +25,26 @@ pkgbase = gnupg-scdaemon-shared-access
 	optdepends = pcsclite: scdaemon
 	provides = gnupg
 	provides = dirmngr
-	provides = gnupg=2.2.20
-	provides = gnupg2=2.2.20
+	provides = gnupg=2.2.21
+	provides = gnupg2=2.2.21
 	conflicts = gnupg
 	conflicts = dirmngr
 	conflicts = gnupg2
-	source = https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.20.tar.bz2
-	source = https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.20.tar.bz2.sig
-	source = self-sigs-only.patch
+	source = https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.21.tar.bz2
+	source = https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.21.tar.bz2.sig
+	source = drop-import-clean.patch
+	source = avoid-beta-warning.patch
+	source = do-not-rebuild-defsincdate.patch
 	source = scdaemon_shared-access.patch
 	validpgpkeys = D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
 	validpgpkeys = 46CC730865BB5C78EBABADCF04376F3EE0856959
 	validpgpkeys = 031EC2536E580D8EA286A9F22071B08A33BD3F06
 	validpgpkeys = D238EA65D64C67ED4C3073F28A861B1C7EFD60D9
-	sha256sums = 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30
+	sha256sums = 61e83278fb5fa7336658a8b73ab26f379d41275bb1c7c6e694dd9f9a6e8e76ec
 	sha256sums = SKIP
-	sha256sums = 0130c43321c16f53ab2290833007212f8a26b1b73bd4edc2b2b1c9db2b2d0218
+	sha256sums = 02d375f0045f56f7dd82bacdb5ce559afd52ded8b75f6b2673c39ec666e81abc
+	sha256sums = 22fdf9490fad477f225e731c417867d9e7571ac654944e8be63a1fbaccd5c62d
+	sha256sums = bb4dcba0328af6271ccfe992a64d8daa9f0a691ba52978491647f1dea05675ee
 	sha256sums = aa46b372830dd8ed355a86a1677c50c6be8178f847c09b7291f47a1dc3ea02dc

 pkgname = gnupg-scdaemon-shared-access
--- a/24
+++ b/24
@ -6,7 +6,7 @@

 _pkgname=gnupg
 pkgname=gnupg-scdaemon-shared-access
-pkgver=2.2.20
+pkgver=2.2.21
 pkgrel=1
 pkgdesc='This package adds shared-access option that uses PCSC_SHARE_SHARED for pcsc_connect in scdaemon when using pcsc backend for smartcard access'
 url='https://www.gnupg.org/'
@ -24,11 +24,15 @@ validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
              '031EC2536E580D8EA286A9F22071B08A33BD3F06'
              'D238EA65D64C67ED4C3073F28A861B1C7EFD60D9')
 source=("https://gnupg.org/ftp/gcrypt/${_pkgname}/${_pkgname}-${pkgver}.tar.bz2"{,.sig}
-        "self-sigs-only.patch"
+        'drop-import-clean.patch'
+        'avoid-beta-warning.patch'
+        'do-not-rebuild-defsincdate.patch'
        "scdaemon_shared-access.patch")
-sha256sums=('04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30'
+sha256sums=('61e83278fb5fa7336658a8b73ab26f379d41275bb1c7c6e694dd9f9a6e8e76ec'
            'SKIP'
-            '0130c43321c16f53ab2290833007212f8a26b1b73bd4edc2b2b1c9db2b2d0218'
+            '02d375f0045f56f7dd82bacdb5ce559afd52ded8b75f6b2673c39ec666e81abc'
+            '22fdf9490fad477f225e731c417867d9e7571ac654944e8be63a1fbaccd5c62d'
+            'bb4dcba0328af6271ccfe992a64d8daa9f0a691ba52978491647f1dea05675ee'
            'aa46b372830dd8ed355a86a1677c50c6be8178f847c09b7291f47a1dc3ea02dc')

 install=install
@ -38,9 +42,15 @@ provides=('gnupg' 'dirmngr' "gnupg=${pkgver}" "gnupg2=${pkgver}")

 prepare() {
 	cd "${srcdir}/${_pkgname}-${pkgver}"
-	sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
-	patch -R -p1 -i ../self-sigs-only.patch
-	patch -p1 -t -N < "${srcdir}/scdaemon_shared-access.patch"
+	patch -p1 -i ../scdaemon_shared-access.patch
+	patch -p1 -i ../avoid-beta-warning.patch
+	patch -p1 -i ../drop-import-clean.patch
+
+	# improve reproducibility
+	patch -p1 -i ../do-not-rebuild-defsincdate.patch
+	rm doc/gnupg.info*
+
+	./autogen.sh
 }

 build() {
--- a/avoid-beta-warning.patch
+++ b/avoid-beta-warning.patch
@ -0,0 +1,56 @@
+From 114ab3037de3b0f9b35cf023b64c8a9b76070065 Mon Sep 17 00:00:00 2001
+From: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Date: Tue, 14 Apr 2015 10:02:31 -0400
+Subject: [PATCH 6/7] avoid beta warning
+
+avoid self-describing as a beta
+
+Using autoreconf against the source as distributed in tarball form
+invariably results in a package that thinks it's a "beta" package,
+which produces the "THIS IS A DEVELOPMENT VERSION" warning string.
+
+since we use dh_autoreconf, i need this patch to avoid producing
+builds that announce themselves as DEVELOPMENT VERSIONs.
+
+See discussion at:
+
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+---
+ autogen.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index b23855061..9b86d3ff9 100755
+--- a/autogen.sh
+++ b/autogen.sh
+@@ -229,24 +229,24 @@ if [ "$myhost" = "find-version" ]; then
+     esac
+ 
+     beta=no
+-    if [ -e .git ]; then
+    if false; then
+       ingit=yes
+       tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+       tmp=$(echo "$tmp" | sed s/^"$package"//)
+       if [ -n "$tmp" ]; then
+           tmp=$(echo "$tmp" | sed s/^"$package"//  \
+                 | awk -F- '$3!=0 && $3 !~ /^beta/ {print"-beta"$3}')
+       else
+           tmp=$(git describe --match "${matchstr2}" --long 2>/dev/null \
+                 | awk -F- '$4!=0{print"-beta"$4}')
+       fi
+       [ -n "$tmp" ] && beta=yes
+       rev=$(git rev-parse --short HEAD | tr -d '\n\r')
+       rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+     else
+       ingit=no
+-      beta=yes
+-      tmp="-unknown"
+      beta=no
+      tmp=""
+       rev="0000000"
+       rvd="0"
+     fi
+-- 
+2.27.0
+
--- a/do-not-rebuild-defsincdate.patch
+++ b/do-not-rebuild-defsincdate.patch
@ -0,0 +1,43 @@
+From 3e8ff68502bf5de333db7213d9e27e0b9e8cc36e Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 29 Aug 2016 12:34:42 -0400
+Subject: [PATCH 7/7] avoid regenerating defsincdate (use shipped file)
+
+upstream ships doc/defsincdate in its tarballs.  but doc/Makefile.am
+tries to rewrite doc/defsincdate if it notices that any of the files
+have been modified more recently, and it does so assuming that we're
+running from a git repo.
+
+However, we'd rather ship the documents cleanly without regenerating
+defsincdate -- we don't have a git repo available (debian builds from
+upstream tarballs) and any changes to the texinfo files (e.g. from
+debian/patches/) might result in different dates on the files than we
+expect after they're applied by dpkg or quilt or whatever, which makes
+the datestamp unreproducible.
+---
+ doc/Makefile.am | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index d47d83ede..c0a81b0b9 100644
+--- a/doc/Makefile.am
+++ b/doc/Makefile.am
+@@ -177,15 +177,6 @@
+ 
+ dist-hook: defsincdate
+ 
+-defsincdate: $(gnupg_TEXINFOS)
+-	: >defsincdate ; \
+-	if test -e $(top_srcdir)/.git; then \
+-	  (cd $(srcdir) && git log -1 --format='%ct' \
+-               -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+-        elif test x"$SOURCE_DATE_EPOCH" != x; then   \
+-	   echo "$SOURCE_DATE_EPOCH" >>defsincdate ; \
+-	fi
+-
+ defs.inc : defsincdate Makefile mkdefsinc
+ 	incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ 	./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
+-- 
+2.27.0
+
--- a/drop-import-clean.patch
+++ b/drop-import-clean.patch
@ -0,0 +1,54 @@
+From 1690a464b28fa24ce82189a9bf5d7ce9b44804b8 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 15 Jul 2019 16:24:35 -0400
+Subject: [PATCH 3/7] gpg: drop import-clean from default keyserver import
+ options
+
+* g10/gpg.c (main): drop IMPORT_CLEAN from the
+default opt.keyserver_options.import_options
+* doc/gpg.texi: reflect this change in the documentation
+
+Given that SELF_SIGS_ONLY is already set, it's not clear what
+additional benefit IMPORT_CLEAN provides.  Furthermore, IMPORT_CLEAN
+means that receiving an OpenPGP certificate from a keyserver will
+potentially delete data that is otherwise held in the local keyring,
+which is surprising to users who expect retrieval from the keyservers
+to be purely additive.
+
+GnuPG-Bug-Id: 4628
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c    | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 4870441d4..551459a74 100644
+--- a/doc/gpg.texi
+++ b/doc/gpg.texi
+@@ -1963,7 +1963,7 @@ are available for all keyserver types, some common options are:
+ 
+ @end table
+ 
+-The default list of options is: "self-sigs-only, import-clean,
+The default list of options is: "self-sigs-only,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record".
+ 
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 68cc22041..fa2bcfa5e 100644
+--- a/g10/gpg.c
+++ b/g10/gpg.c
+@@ -2397,8 +2397,7 @@ main (int argc, char **argv)
+     opt.export_options = EXPORT_ATTRIBUTES;
+     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ 					    | IMPORT_REPAIR_PKS_SUBKEY_BUG
+-                                            | IMPORT_SELF_SIGS_ONLY
+-                                            | IMPORT_CLEAN);
+                                            | IMPORT_SELF_SIGS_ONLY);
+     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+     opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+     opt.verify_options = (LIST_SHOW_UID_VALIDITY
+-- 
+2.27.0
+
--- a/self-sigs-only.patch
+++ b/self-sigs-only.patch
@ -1,56 +0,0 @@
-From: Werner Koch <wk@gnupg.org>
-Date: Thu, 4 Jul 2019 13:45:39 +0000 (+0200)
-Subject: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=23c978640812d123eaffd4108744bdfcf48f7c93
-
-gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
-
-* g10/gpg.c (main): Change default.
--
-
-Due to the DoS attack on the keyeservers we do not anymore default to
-import key signatures.  That makes the keyserver unsuable for getting
-keys for the WoT but it still allows to retriev keys - even if that
-takes long to download the large keyblocks.
-
-To revert to the old behavior add
-
-  keyserver-optiions  no-self-sigs-only,no-import-clean
-
-to gpg.conf.
-
-GnuPG-bug-id: 4607
-Signed-off-by: Werner Koch <wk@gnupg.org>
---
-
-diff --git a/doc/gpg.texi b/doc/gpg.texi
-index 8feab8218..9513a4e0f 100644
--- a/doc/gpg.texi
-+++ b/doc/gpg.texi
-@@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are:
- 
- @end table
- 
-+The default list of options is: "self-sigs-only, import-clean,
-+repair-keys, repair-pks-subkey-bug, export-attributes,
-+honor-pka-record".
-+
-+
- @item --completes-needed @var{n}
- @opindex compliant-needed
- Number of completely trusted users to introduce a new
-diff --git a/g10/gpg.c b/g10/gpg.c
-index 66e47dde5..0bbe72394 100644
--- a/g10/gpg.c
-+++ b/g10/gpg.c
-@@ -2424,7 +2424,9 @@ main (int argc, char **argv)
-     opt.import_options = IMPORT_REPAIR_KEYS;
-     opt.export_options = EXPORT_ATTRIBUTES;
-     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
-					    | IMPORT_REPAIR_PKS_SUBKEY_BUG);
-+					    | IMPORT_REPAIR_PKS_SUBKEY_BUG
-+                                            | IMPORT_SELF_SIGS_ONLY
-+                                            | IMPORT_CLEAN);
-     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
-     opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
-     opt.verify_options = (LIST_SHOW_UID_VALIDITY