Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 271
-rw-r--r-- | debian/compat | 1
-rw-r--r-- | debian/control | 74
-rw-r--r-- | debian/copyright | 179
-rw-r--r-- | debian/keytab-backend.dirs | 2
-rw-r--r-- | debian/keytab-backend.docs | 2
-rw-r--r-- | debian/keytab-backend.install | 6
-rwxr-xr-x | debian/rules | 35
-rw-r--r-- | debian/source/format | 1
-rw-r--r-- | debian/source/local-options | 1
-rw-r--r-- | debian/source/local-patch-header | 16
-rw-r--r-- | debian/source/options | 1
-rw-r--r-- | debian/upstream/signing-key.asc | 113
-rw-r--r-- | debian/wallet-client.docs | 2
-rw-r--r-- | debian/wallet-client.install | 4
-rw-r--r-- | debian/wallet-server.dirs | 1
-rw-r--r-- | debian/wallet-server.docs | 8
-rw-r--r-- | debian/wallet-server.examples | 4
-rw-r--r-- | debian/wallet-server.install | 12
-rw-r--r-- | debian/watch | 3
20 files changed, 736 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..cfc4123 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,271 @@ +wallet (1.1-1) UNRELEASED; urgency=medium + + * New upstream release. + - New object type, duo, which creates a UNIX integration with the Duo + Security cloud multifactor authentication service. + - The owner and getacl commands now return the name of the ACL. + - The date passed to expires can be any date format understood by + Date::Parse. + - wallet-rekey now works properly with keytabs containing multiple + principals and does not store new principals in a separate file + first. + - Fix setting enctype restrictions on keytab objects and populate the + reference table for valid enctypes on database creation. + - Fix Wallet::Config documentation of ldap_map_principal. + - Generate a long, random password when creating new principals in the + Heimdal KDC to avoid problems with password quality checks. + - Remove erroneous foreign key constraints between the object history + and objects table, an incorrect linkage in the ACL history table, + and add indices for object type, name, and ACL. + - Use DateTime objects uniformly in the database layer. + - ACL renames are now recorded in the ACL history. + - Fix wallet-backend parsing of the expires command to expect only one + argument. + - Fix ordering of table drops during wallet-admin destroy to honor + foreign key reference constraints. + - The initial ADMIN ACL creation is no longer documented in history. + * Document in the wallet-server package description that a DBD::* module + and corresponding DateTime::Format::* module are required. (There + isn't a way to fully represent the required dependency.) + * Rebuild Autoconf and Automake files during the build. + * Define AUTOMATED_TESTING to enable some additional Perl tests. + * Adjust debian/rules for the new Module::Build Perl build system. + * Drop now-unneeded dh_builddeb override for xz compression. + * Enable uscan verification of the GnuPG signatures on upstream + releases in debian/watch. 
+ * Update standards version to 3.9.5 (no changes required). + + -- Russ Allbery <rra@debian.org> Wed, 16 Jul 2014 13:51:23 -0700 + +wallet (1.0-5) unstable; urgency=low + + * Cherry-pick upstream commit to randomize the password used for initial + Kerberos principal creation when talking to a Heimdal KDC. + + -- Russ Allbery <rra@debian.org> Thu, 09 Jan 2014 14:05:19 -0800 + +wallet (1.0-4) unstable; urgency=low + + * Cherry-pick upstream commit to fix wallet-rekey when used with keytabs + that contain multiple principals. + * Cherry-pick upstream commit to fix the skipped test count for the + ldap-attr verifier test. + * Add libauthen-sasl-perl and libnet-ldap-perl to Build-Depends for the + test suite. + + -- Russ Allbery <rra@debian.org> Mon, 06 Jan 2014 21:27:50 -0800 + +wallet (1.0-3) unstable; urgency=low + + * Cherry-pick upstream commits to fix ACL history entries with + PostgreSQL, an incorrect foreign key constraint for the object + history, and bugs in handling of enctype restrictions for keytabs. + * Move the DateTime::Format::* Perl modules for various databases to + Depends from Recommends and add the Pg and MySQL versions as + alternatives. + + -- Russ Allbery <rra@debian.org> Tue, 05 Nov 2013 13:17:51 -0800 + +wallet (1.0-2) unstable; urgency=low + + * Cherry-pick upstream commits to fix the t/admin.t test with the + squeeze version of DBIx::Class. + + -- Russ Allbery <rra@debian.org> Fri, 29 Mar 2013 13:58:42 -0700 + +wallet (1.0-1) unstable; urgency=low + + * New upstream release. + - New wallet-admin upgrade command to upgrade the schema to the latest + version. This should be run manually after upgrading the server. + - Owners of wallet objects are now allowed to destroy them by default. + - New ACL type ldap-attr to check whether the caller has an attribute + in an LDAP directory (needs libauthen-sasl-perl and libnet-ldap-perl + and only works with GSS-API binds). 
+ - New object type wa-keyring to store WebAuth keyrings (needs + libwebauth-perl). + - New acl check command that returns whether the named ACL exists. + - New comments field for objects and wallet commands to set and + retrieve it. + * Switch to xz compression for the upstream and Debian tarballs and + binary packages. + * Update debhelper compatibility level to V9. + - Enable all hardening build flags. + - Enable parallel builds. + * Check for any files left uninstalled by dh_install. + * Tag all packages as Multi-Arch: foreign. + * Move single-debian-patch to local-options and patch-header to + local-patch-header so that they only apply to the packages I build and + NMUs get regular version-numbered patches. + * Convert debian/copyright to copyright-format 1.0. + * Update standards version to 3.9.4. + - Indicate the Debian packaging branch in the Vcs-Git header. + + -- Russ Allbery <rra@debian.org> Wed, 27 Mar 2013 20:06:21 -0700 + +wallet (0.12-1) unstable; urgency=low + + * New upstream release. + - New wallet-rekey client program to rekey a keytab. + - New ACL type krb5-regex for the server. + - New objects unused wallet-report report. + - New acls duplicate wallet-report report. + - Add a help command to wallet-report. + * Don't install wallet-summary in /usr/sbin in the wallet-server package + and instead install it in /usr/share/doc/wallet-server/examples. This + program is Stanford-specific and would require extensive changes for + other sites. + * Install the other contrib scripts except convert-srvtab-db to the + examples directory for wallet-server. + * Switch to 3.0 (quilt) source format. Force a single Debian patch and + include a custom patch header explaining that it is a rollup of any + fixes cherry-picked from upstream and breaking those patches out + separately would be work for no gain. + * Update standards version to 3.9.1 (no changes required). 
+ + -- Russ Allbery <rra@debian.org> Wed, 25 Aug 2010 18:49:48 -0700 + +wallet (0.11-1) unstable; urgency=low + + * New upstream release. + - Verify that deleted ACLs are not referenced. + - Add Wallet::Config verify_acl_name function to check ACL names. + - Add audit command to wallet-report to check for naming violations. + - Add acl unused report to wallet-report. + + -- Russ Allbery <rra@debian.org> Mon, 08 Mar 2010 10:59:00 -0800 + +wallet (0.10-1) unstable; urgency=low + + * New upstream release. + - Add support for Heimdal KDCs as well as MIT Kerberos KDCs. New + mandatory configuration setting KEYTAB_KRBTYPE which must be set to + either MIT or Heimdal. + - Remove kaserver synchronization support and kasetkey. + - wallet -S now generates a srvtab based on the DES key of the keytab + and does not enable synchronization. No synchronization targets are + supported now. + - The wallet client and wallet-backend server can now handle store of + files containing nuls provided that the server uses remctl 2.14 and + the remctl configuration is updated to use stdin=last. + - Correctly store data that begins with a dash. + - Do not log the data passed to store. + - New wallet-report script and multiple additional database reports. + - Report ACL names as well as numbers in object history. + * Update debhelper compatibility level to V7. + - Use debhelper rule minimization with overrides. + - Add ${misc:Depends} to dependencies. + * Clarify in long description that keytab-backend is only needed for MIT + Kerberos. + * Move wallet-server's dependency on krb5-user to Recommends, since it's + only needed for keytab support, and allow libheimdal-kadm5-perl as an + alternative. + * Recommend remctl-server 2.14 or later for improved store support. + * Add Homepage, Vcs-Git, and Vcs-Browser control fields. + * Add a watch file. + * Update standards version to 3.8.4 (no changes required). 
+ + -- Russ Allbery <rra@debian.org> Sun, 21 Feb 2010 21:13:40 -0800 + +wallet (0.9-1) unstable; urgency=low + + * New upstream release. + - The wallet client now supports -f and stdin for store. + - kasetkey supports enable, disable, and examine. + - Stop setting Stanford-specific server defaults. + * The test suite no longer needs libio-string-perl. + * Use a separate stamp file for configure and install and use touch $@ + to create stamp files. + * Update debhelper compatibility level to V5 (no changes required). + + -- Russ Allbery <rra@debian.org> Thu, 24 Apr 2008 16:09:19 -0700 + +wallet (0.8-1) unstable; urgency=low + + * New upstream version. + - Fix protocol mismatch between client and server. + - Add file object support to the wallet server. + - Correctly handle empty objects in the wallet client. + - Add -q flag to wallet-backend to suppress syslog logging. + - Add class registration to the wallet-admin utility. + - Updated design documentation. + + -- Russ Allbery <rra@debian.org> Wed, 13 Feb 2008 13:59:06 -0800 + +wallet (0.7-1) unstable; urgency=low + + * New upstream version. + - Add exists and autocreate wallet server interfaces. + - Implement autocreation on the client instead of the server. + - Make create once again an ADMIN-only function. + - Always generate the srvtab from the newly downloaded keys. + - Pass kadmin.local ktadd its options in the correct order. + - Check naming policy before checking default ACLs. + - Work around a bug in Net::Remctl with explicit undef arguments. + - Correctly enable syslog logging in wallet-backend. + - Fix the remctl configuration for keytab-backend. + * Create /var/lib/keytabs in the keytab-backend package. + + -- Russ Allbery <rra@debian.org> Fri, 08 Feb 2008 11:22:54 -0800 + +wallet (0.6-1) unstable; urgency=low + + * New upstream version. + - Safer handling of file creation with -f in the client. + - The client can get configuration from krb5.conf. + - Support get in the client without -f. 
+ - Client support for merging keys into an existing keytab. + - New client -u option to obtain new Kerberos credentials. + - New wallet-admin command-line utility for the server. + - The server supports enforcing a local object naming policy. + - New wallet-report script (currently Stanford-specific). + * Change hard-coded wallet server to wallet.stanford.edu. + * Add --enable-reduced-depends to configure to eliminate unnecessary + shared library dependencies. + + -- Russ Allbery <rra@debian.org> Mon, 28 Jan 2008 15:17:25 -0800 + +wallet (0.5-2) unstable; urgency=low + + * Hard-code lsdb-new.stanford.edu as the wallet server name for the time + being. + + -- Russ Allbery <rra@debian.org> Mon, 17 Dec 2007 21:17:08 -0800 + +wallet (0.5-1) unstable; urgency=low + + * New upstream release. + - Allow more valid arguments to wallet-backend. + - Load Perl modules for object types and ACL verifiers properly. + - Correctly implement clearing attribute values. + - Fix keytab principal validation to allow periods. + - When writing files from the client, remove old backup files. + - Check default creation ACLs before the ADMIN ACL. + + -- Russ Allbery <rra@debian.org> Thu, 06 Dec 2007 22:26:55 -0800 + +wallet (0.4-1) unstable; urgency=low + + * New upstream release. + - Globally cache ACL verifiers. + - Add the netdb-root ACL verifier, which requires root instances. + - Determine object and ACL scheme classes from the database. + - Coding style fixes and cleanup. + * Update debian/copyright using the information from LICENSE. + * Update standards version to 3.7.3 (no changes required). + + -- Russ Allbery <rra@debian.org> Wed, 05 Dec 2007 17:01:20 -0800 + +wallet (0.3-1) unstable; urgency=low + + * New upstream release. + * Initial packaging of all components of wallet. + + -- Russ Allbery <rra@debian.org> Fri, 30 Nov 2007 20:30:30 -0800 + +wallet (0.1-1) unstable; urgency=low + + * Initial release building only kasetkey. 
+ + -- Russ Allbery <rra@debian.org> Thu, 8 Mar 2007 16:07:05 -0800 + diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..0b5838c --- /dev/null +++ b/debian/control 
@@ -0,0 +1,74 @@ +Source: wallet +Section: net +Priority: extra +Maintainer: Russ Allbery <rra@debian.org> +Build-Depends: debhelper (>= 9), dh-autoreconf, libauthen-sasl-perl, + libdatetime-perl, libdatetime-format-sqlite-perl, libdbd-sqlite3-perl, + libdbi-perl, libdbix-class-perl, libheimdal-kadm5-perl, libkrb5-dev, + libnet-dns-perl, libnet-duo-perl, libnet-ldap-perl, libremctl-dev, + libsql-translator-perl, libtest-minimumversion-perl, libtest-pod-perl, + libtest-strict-perl, libtimedate-perl, libwebauth-perl, perl, sqlite3 +Standards-Version: 3.9.5 +Homepage: http://www.eyrie.org/~eagle/software/wallet/ +Vcs-Git: git://git.eyrie.org/kerberos/wallet.git -b debian +Vcs-Browser: http://git.eyrie.org/?p=kerberos/wallet.git + +Package: keytab-backend +Architecture: all +Multi-Arch: foreign +Depends: ${misc:Depends}, ${perl:Depends}, krb5-admin-server, perl, + remctl-server +Description: Provide existing MIT Kerberos keytabs via remctl + keytab-backend is a service that runs under remctld and allows + authenticated clients to download Kerberos keytabs from an MIT Kerberos + KDC without changing the key stored in the Kerberos KDC. It must run on + the same host as the Kerberos KDC and uses kadmin.local to extract the + existing key. It applies additional ACLs to limit which keys may be + extracted in this way. This interface is not needed for Heimdal. + +Package: wallet-client +Architecture: any +Multi-Arch: foreign +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Kerberos-authenticated secure data management client + The wallet is a system for managing secure data, authorization rules to + retrieve or change that data, and audit rules for documenting actions + taken on that data. Objects of various types may be stored in the + wallet or generated on request and retrieved by authorized users. The + wallet tracks ACLs, metadata, and trace information. It uses Kerberos + authentication. 
One of the object types it supports is Kerberos keytabs, + making it suitable as a user-accessible front-end to Kerberos kadmind + with richer ACL and metadata operations. + . + This package contains the wallet client, which talks to a remote wallet + server to store, download, and manage objects. + +Package: wallet-server +Architecture: all +Multi-Arch: foreign +Depends: ${misc:Depends}, ${perl:Depends}, + libdatetime-format-sqlite-perl | libdatetime-format-mysql-perl | + libdatetime-format-pg-perl, + libdbd-sqlite3-perl | libdbd-mysql-perl | libdbd-pg-perl, + libdbix-class-perl, libdatetime-perl, libsql-translator-perl, + libtimedate-perl, remctl-server +Recommends: krb5-user | libheimdal-kadm5-perl, remctl-server (>= 2.14) +Suggests: libauthen-sasl-perl, libnet-duo-perl, libnet-ldap-perl, + libnet-remctl-perl, libwebauth-perl (>= 4.4.0) +Description: Kerberos-authenticated secure data management server + The wallet is a system for managing secure data, authorization rules to + retrieve or change that data, and audit rules for documenting actions + taken on that data. Objects of various types may be stored in the + wallet or generated on request and retrieved by authorized users. The + wallet tracks ACLs, metadata, and trace information. It uses Kerberos + authentication. One of the object types it supports is Kerberos keytabs, + making it suitable as a user-accessible front-end to Kerberos kadmind + with richer ACL and metadata operations. + . + This package contains the wallet server, which runs under remctl, + maintains the database of object metadata and secure objects, and + responds to requests from the wallet client. + . + This package requires a DBD::* module (libdbd-*-perl) and corresponding + DateTime::Format::* module (libdatetime-format-*-perl) for the same + underlying database driver. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..17576f5 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,179 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Contact: Russ Allbery <eagle@eyrie.org> +Source: http://www.eyrie.org/~eagle/software/wallet/ +Copyright: 2006-2010, 2012-2014 + The Board of Trustees of the Leland Stanford Junior University +License: Expat + +Files: * +Copyright: 2000-2002, 2004-2014 Russ Allbery <eagle@eyrie.org> + 2001-2014 The Board of Trustees of the Leland Stanford Junior University +License: Expat + +Files: Makefile.in +Copyright: 1994-2013 Free Software Foundation, Inc. + 2006-2008, 2010, 2013-2014 + The Board of Trustees of the Leland Stanford Junior University +License: FSF-unlimited and Expat + +Files: aclocal.m4 +Copyright: 1996-2013 Free Software Foundation, Inc. +License: FSF-unlimited + +Files: build-aux/ar-lib build-aux/compile build-aux/depcomp + build-aux/missing +Copyright: 1996-2013 Free Software Foundation, Inc. +License: GPL-2+ with Autoconf exception or Expat + +Files: build-aux/install-sh +Copyright: 1994 X Consortium +License: X11 + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to permit + persons to whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
+ IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + . + Except as contained in this notice, the name of the X Consortium shall + not be used in advertising or otherwise to promote the sale, use or other + dealings in this Software without prior written authorization from the X + Consortium. + +Files: client/wallet-rekey.1 client/wallet-rekey.pod client/wallet.1 + client/wallet.pod docs/design docs/design-acl docs/design-api + docs/netdb-role-api docs/notes docs/objects-and-schemes docs/setup + docs/stanford-naming perl/t/data/README tests/HOWTO tests/config/README +Copyright: 2006-2014 + The Board of Trustees of the Leland Stanford Junior University + 2010 Russ Allbery <eagle@eyrie.org> +License: all-permissive + Copying and distribution of this file, with or without modification, are + permitted in any medium without royalty provided the copyright notice and + this notice are preserved. This file is offered as-is, without any + warranty. + +Files: configure +Copyright: 1992-1996, 1998-2012 Free Software Foundation, Inc. +License: FSF-configure + This script is free software; the Free Software Foundation gives unlimited + permission to copy, distribute and modify it. + +Files: m4/gssapi.m4 m4/krb5-config.m4 m4/krb5.m4 m4/lib-depends.m4 + m4/lib-pathname.m4 m4/remctl.m4 m4/snprintf.m4 m4/vamacros.m4 +Copyright: 2005-2014 + The Board of Trustees of the Leland Stanford Junior University +License: unlimited + This file is free software; the authors give unlimited permission to copy + and/or distribute it, with or without modifications, as long as this + notice is preserved. 
+ +Files: portable/asprintf.c portable/dummy.c portable/krb5-extra.c + portable/krb5.h portable/macros.h portable/mkstemp.c + portable/reallocarray.c portable/setenv.c portable/stdbool.h + portable/strlcat.c portable/strlcpy.c portable/system.h portable/uio.h + tests/portable/asprintf-t.c tests/portable/mkstemp-t.c + tests/portable/setenv-t.c tests/portable/strlcat-t.c + tests/portable/strlcpy-t.c util/macros.h +Copyright: no copyright notice, see License +License: rra-public-domain + The authors hereby relinquish any claim to any copyright that they may + have in this work, whether granted under contract or by operation of law + or international treaty, and hereby commit to the public, at large, that + they shall not, at any time in the future, seek to enforce any copyright + in this work against any person or entity, or prevent any person or + entity from copying, publishing, distributing or creating derivative + works of this work. + +Files: portable/snprintf.c tests/portable/snprintf-t.c +Copyright: 1995 Patrick Powell + 2000-2006 Russ Allbery <eagle@eyrie.org> + 2001 Hrvoje Niksic + 2009-2010 The Board of Trustees of the Leland Stanford Junior University +License: Powell-snprintf + This code is based on code written by Patrick Powell (papowell@astart.com) + It may be used for any purpose as long as this notice remains intact + on all source code distributions + +Files: util/messages.c util/messages.h util/xmalloc.c util/xmalloc.h +Copyright: 1991, 1994-2003 The Internet Software Consortium and Rich Salz + 2004-2006 Internet Systems Consortium, Inc. + 2008-2010, 2012-2014 + The Board of Trustees of the Leland Stanford Junior University +License: ISC + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . 
+ THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY + SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to permit + persons to whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT + OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR + THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: FSF-unlimited + This file is free software; the Free Software Foundation gives unlimited + permission to copy and/or distribute it, with or without modifications, as + long as this notice is preserved. + . 
+ This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +License: GPL-2+ with Autoconf exception + This file is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2 of the License, or (at your + option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program. If not, see <http://www.gnu.org/licenses/>. + . + As a special exception to the GNU General Public License, if you + distribute this file as part of a program that contains a configuration + script generated by Autoconf, you may include it under the same + distribution terms that you use for the rest of that program. +Comment: The option described in the license has been accepted and these + files are distributed under the same terms as the package as a whole, as + described at the top of this file. You can find the GPL version 2 in + /usr/share/common-licenses/GPL-2 on Debian systems. + diff --git a/debian/keytab-backend.dirs b/debian/keytab-backend.dirs new file mode 100644 index 0000000..c601e1a --- /dev/null +++ b/debian/keytab-backend.dirs @@ -0,0 +1,2 @@ +/etc/remctl/acl +/var/lib/keytabs diff --git a/debian/keytab-backend.docs b/debian/keytab-backend.docs new file mode 100644 index 0000000..724e084 --- /dev/null +++ b/debian/keytab-backend.docs @@ -0,0 +1,2 @@ +README +TODO diff --git a/debian/keytab-backend.install b/debian/keytab-backend.install new file mode 100644 index 0000000..666b71c --- /dev/null 
+++ b/debian/keytab-backend.install @@ -0,0 +1,6 @@ +debian/tmp/etc/remctl/acl/keytab +debian/tmp/usr/sbin/keytab-backend +debian/tmp/usr/share/man/man8/keytab-backend.8 + +config/allow-extract etc/krb5kdc +config/keytab etc/remctl/conf.d diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..1d2f446 --- /dev/null +++ b/debian/rules @@ -0,0 +1,35 @@ +#!/usr/bin/make -f + +# Add hardening build flags. +export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie + +# The additional flags to pass to Build.PL, picked up by the upstream build +# system. +export WALLET_PERL_FLAGS := --installdirs vendor --create_packlist 0 + +# Enable some additional Perl tests. +export AUTOMATED_TESTING = 1 + +%: + dh $@ --parallel --with autoreconf + +override_dh_auto_configure: + dh_auto_configure --parallel -- --enable-reduced-depends + +# Install the remctl configuration as part of the build. +override_dh_auto_install: + dh_auto_install + install -d debian/tmp/etc/remctl/acl + install -m 0644 config/keytab.acl debian/tmp/etc/remctl/acl/keytab + install -m 0644 config/wallet-report.acl \ + debian/tmp/etc/remctl/acl/wallet-report + +# Override install to check for missing installed files. +override_dh_install: + dh_install --fail-missing + +override_dh_installchangelogs: + dh_installchangelogs NEWS + +override_dh_compress: + dh_compress -X examples diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/local-options b/debian/source/local-options new file mode 100644 index 0000000..7423a2d --- /dev/null +++ b/debian/source/local-options @@ -0,0 +1 @@ +single-debian-patch diff --git a/debian/source/local-patch-header b/debian/source/local-patch-header new file mode 100644 index 0000000..7aa2307 --- /dev/null +++ b/debian/source/local-patch-header 
@@ -0,0 +1,16 @@ +Subject: Collected Debian patches for wallet +Author: Russ Allbery <rra@debian.org> + +Since I am also upstream for this package, there will normally not be any +patches to apply to the upstream source. However, occasionally I'll pull +up specific upstream commits prior to making an upstream release. When +this happens, this patch will collect all of those modifications. + +I use Git to maintain both the upstream source and the Debian packages, +and generating individual patches rather than using git cherry-pick takes +extra work for no gain. Since I'm also upstream, there's no need to +separate the patches for later upstream submission. Hence, I take this +approach with a unified patch when it's necessary. + +For full commit history and separated commits, see the upstream Git +repsitory. diff --git a/debian/source/options b/debian/source/options new file mode 100644 index 0000000..b7bc1f2 --- /dev/null +++ b/debian/source/options @@ -0,0 +1 @@ +compression = "xz" diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc new file mode 100644 index 0000000..8d9f841 --- /dev/null +++ b/debian/upstream/signing-key.asc 
@@ -0,0 +1,113 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBEofRrIBEADCOmbclGLGH2uSCQSM3xkvEwdB52ps8bMnrzujnsgjfw7crs8l +DUjfcOxOVsLlgClntMxaVx764j1IXYF9smAheFfbWD/06gS+lkeuOjYSa1GEfmZG +aqZbhfs5EZRKu1BynfrTRlj2L0XPcYcHM8tUTJsr7t4f7CWw1hmnZpm/vshj3xOG +MfEXe1t3nJAEIQi3AcCPrT2QP/PvkT0oglIpw6l0+gQnPwLZoc3OCnP7io0TPY96 +ZPpSlsPVgYpEvQSkygoNTjTOtuLJYyv7EpHBF0SU3xRs/73t5F5a28gQPIMMACw6 +CxhOvqqfFfKfOmm4xInwL7jmDz6UxSONzUNLh7T8OAGcGQx9rRDdssuw5krN3jhy +0VfHpeXij0H5nVdxTbfNusflxPBMFfqV9z1aiY/bklqbcA+GfOBSXoXkGvixi1qk +k3ZaddDQIBl5yv951EkVAelNwzABVKMeIi8RkpVdBVONj3+2Yg5+6oF9KfZc++KM +eUXmPIESNaz2YEmN5VEnHBhqHs4v+rUzAZXJo0g3lv5hMEsoqCxu+w4uVR7e+AbT +dIHnydQxCNkG31ywslUZPR9QP92NleIqgXY/nL1eDXBb9EGoxBSHD99KgavFB+xp ++dgmzpo8UzOpVM+1xvTAOLHZ+jwW9hGCx1ALpKvWI2qYeW3j+N3LsyGI5wARAQAB +tB9SdXNzIEFsbGJlcnkgPHJyYUBzdGFuZm9yZC5lZHU+iQJABBMBCAAqAhsDAh4B +AheABQsJCAcDBRUKCQgLBRYCAwEAAhkBBQJQVi5bBQkL2oIVAAoJENFdMTiCAEFz +O3oP/R6sfLszTVD7xx3s6IrOW+zqsFArCoOOpuMPEUW7UnJ2DWnAer3WD9QrIX3b +BfQr+0Y9bToh1zhDuGf3h8RJQP/TTzsiAaK3mGhJ8pKTZs9T3Ct5k591CdTWpmJT +Wj9PVwi5OH4SxOKy2MwvAA3AL1bZRKa26mIF/1VohI2XdoyyV+B2WWWYIyDu5bTd +uC8jEkJay7hazLArl36RWRmQAgZegBzom4O/T7CjQWxC4E5vFGXTH6kRdsK15cV9 +wJTnE1X2v4r+k2x/Y6RLMApFSE/tcO6a4ocoWYPDlECknxI6Ir2qtA9wDEPBqr75 +6msqx3S7M0GwQuO7KCT6fXZyKQQHSRepDivkDJLS3tTyrnX4clcirqfhYkMYL9UX +S2qpbtD1fFYu9zVQegTr5ElG3Oje4qNTKbB4Wj1Q6M9VutNtgMu33MoNtNUOeCOG +ZBVXO3sULPl/vqhbDzKNotg9dpafntWkrV8/k5z6O1kf16Cl9lPvizvn0mBjjTbo +m/p/jW/p613wYnMk5cry13quu/bROD4XWS6NaF7vxT6ykqaOFXUL2STidA9PAThg +bg5eBZpE7KKDb3xgl9HSudJ7mN1/x/6kidXJQqKPQPuAF1yrGxgGiUpLmA9uPTcF +fE4ws9w84uM2GYBdiIWa9hm0s/YIxndRoTMwP/4Wk+ibDyK5tB1SdXNzIEFsbGJl +cnkgPHJyYUBkZWJpYW4ub3JnPokCPQQTAQgAJwIbAwULCQgHAwUVCgkICwUWAgMB +AAIeAQIXgAUCUFYuZwUJC9qCFQAKCRDRXTE4ggBBc00ED/4959TDsiL/6FHj7VRC +eFdLAAF7fBTisV2cSgvRByp05oOwAvyffJeBsRQvzdGiqxHQ4AYt48WbE7YkpIQN +fUJkmr80GUn8M3SKTe+S0hV2LkixwdwHvx85pY4hbmsNjMimx02a3zqqrY23MOZe +v6zXae1bIUzpik+G+MLdSMh2WmFHcLJud9BxijZbsAiUVDSEpOttSZEkkHqdXkjb 
+Enkpqmox6RkLImvZRbP11nCIUSIYKrBE8043TX4JrPOcCa7tXx1LZwcT0z6R+SH0 +k6kCxChfNGYC7PCEkF4HnBi/b+SeL/Hljluvpw56OUF0ja+bGPSrjip2HxATQ2La +pB2f6ZwMFAjgP2eijB5Z/wC0UFBBaOGjH6lM0AP7q5aHZe46algmESTycrhicV9b +hyk3mD7ZTeHmAVox8OFNRr3NJU2q7JpjY2zPN2S0Gl4ReW9oZ35SfvnzWa/63hnF +v21qZkX3yULyVXNezoEAWYlcuEzJ3PB1KyeQ2ZcK0FJdO/sEcj1sJ9YgznJzAjIR +8RRjZL56Cybli6kyzEsBOFahZCNuSvBUSG+D/pXGWeRiLvOaW9DuA5xd3+NO09Ky +jd1CS6YaTVpNVIY9GmhJfG45Hpf2w03GFk3Te0h8Lx4S/JMkNtJNYLq00UWkCDHN +JcahI+3odu9XQ2C46dKMZ1n8IrQqUnVzcyBBbGxiZXJ5IDxlYWdsZUB3aW5kbG9y +ZC5zdGFuZm9yZC5lZHU+iQI9BBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheABQJQVi5nBQkL2oIVAAoJENFdMTiCAEFz2WAP/1FPnGwIoeZYgogaHYZtemUV +1UfGPfWw5GCNzGuPmdppfQJ2Jhvrwl8Os/b18VfeETbct3s7tntyGyJgWLfje5y0 +fJ7GB1xbGzHujhA9aEG48Tu6BAda9v4SP4QfWr8TbwUVKRuNprvIIapBcEtovVu0 +eHH6KH0MWokoGImQARpYkT2RB2YD7XA2U9x5S2Rp4NJDnLwDIiNu/jfURE6EYnZa +MY2tbmFJaFEAkLuv9Pt2Cj3KKw4HHsi2kz4LjdI1st3YJUKxFK/J0fEzrIT5wcL2 +zGLGfGHHB//JV6Us25+9uVkkwUuIi7WvWVe80LRM4mpK2yn1TSsYy6xGO6wMWwDU +MrYTRqiIc5dwege7egzMOC9RAP92Imx4CH9rzPBzXJGxLBAqmNFznJ4APH2XCb/v +GM1R+I8y5o4Bk5BY0Vr4e1HLz+EwcgdjTLeIweZUjZ/mtVDG2W7xLTHHh83L3sbx +O+5fHNdxmIaRqVuGz/VcoJHA+KWIWkjzU3Nrctc4xZh2qff/pon9cn1Y/nwZj7OO +GWXIQvMK2cnQYzHbp6bF/ux++qwxmhdaa3OEXEQugRQ260Tpzq2JkLiNVMQ/ZdbB +1uNProrzUeP7bFJQ9ypLjVfr+u/Ujdoh2F6QfX6DXyuX0kZ3TsOebr1imTkVJE8e +i9QFuM37jzlBL+47+L5ttB5SdXNzIEFsbGJlcnkgPGVhZ2xlQGV5cmllLm9yZz6J +Aj0EEwEIACcCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlBWLmcFCQvaghUA +CgkQ0V0xOIIAQXMtug//WFg2jVKNPxU3fy0c6+V4qG1gL29R27SZTQtRMkpc3Sc/ +5j8eXfikqCwbIvemMGN/NamG6Qo3UPMfTN+3ddZzV6TAWnCqTsBTMwmSztzEOwmX +wWen//8AeKhIp53xe7CaQaevAqW6WE88GcnYfZM1zCvt3dnoI5fnvkPsG5CFc1rq +WYIxaws8Jo2eJPu5Tl9wvqcaMcNYMQ6iLKdqWM9Z4wihfe7hXqk2aPAArEldX532 +wwmcWKaksxcC8+tkJxcJTKBLHGuSQr/+jYSsjhEzKqKnGwulLuzQQk3rjVfC1ScA +s/tru4UKZpzF1CoYeq3DA1yvH6lwWmhHN4uANa1snuLDfMY++j/C/4PBqpz4/6tH +ArUMdUcsA2s+Q+nU1ZNHgJSeuiIOxHu2IwddkVm1fFDi7sqvlyYeEKLXbl1+zji2 +aa16jHcVYoVQamWr5IzUwSElq64oAqmaQv79TPCQ/XJRZoM2bUa+NJK9yzSNkmO+ 
+S0aS8fiec+WqXCp9H1wLTba2Ueya1a/kPjBNO2R5MTPDOr0Mh1S94moM5APxIIVM +W+dcLIJqgtsDC0PIfq4T6EkQo3TFJwlw+CEYR/luDaBN6pXuQxzZSVZuOrqGRX8d +XLD3kzDm9qCo9D/rvuwkQ8vhbdbVreojLrLmm6hr5KaOKhB7DlhyKQXqnvhrXXe5 +Ag0ESh9K6gEQALZuDF62F028dT9/ChFHuJN+vH7Qwb4PQG960gXxe9n7FQ4nfVuB +R953ismuJlckDN5RJ6gu0iXDAi5lXxEswynk+YGz8MeIfWRFuNcOzHEFa2Z6XFbV +k3+LVVPVHTvx2CD8t/4ZjeSJgDp4UWb6+jVPtHbUPaC9hKsZ1SKbORJA/eXyReLw +DPKlCuyxu+EbMqLOOCl082NOjzItu1WlKhliky4eSJxXZ3ad8C/BroxMj+3+QsMs +o/zafmpRFeGLc/7t8Sa+uUve7+k5gfubclHNG9J1paGLHGVKiKuP6x3qjDqV8LTz +jlclbPG0nUfAqRtLPbPR5AeqViY1JBHv+Xub/3bSWUtMOan97QdkfeakWmIbmVEg +W0n43gnklHIqJX69cUgF0HZdVKiJpyMl3rQF2NbYDMzzzzVjZ0lOqMukDh+Asl5W +46ayM9MDldn6rQZYizTjvY5Qpv9N5bWbJxI3dnr2YszCpeCvgNS7feCg9YIga5JS +nMX4Knn3Mk6JritKKm9m252jKroJpwJFYTjx6w8q126UaNr0iH+6/ZcVYq1eXP3C +rDDphy7d19C4foWib0KnjQg9z9VMbVD3mb1rv4Pq7tN8mFGgGt3MQIrmxigbCwgE +rniLOx8J7i/gozFyYhAOkM8zqBgIQCaWYei/SkYhr+eKMu75VWnJPrsHABEBAAGJ +AiUEGAEIAA8CGwwFAlBWLnoFCQvafgwACgkQ0V0xOIIAQXM9Sw/+Kjl8GIQVNr1v +ianJSu/EflOWwBRCqPYtmVupHWSx1z59SkfgDrLdfWUvIwelL6tTVzfBqACpuyme +YMnTdEJeBgjMlqc80PzP2fI+COmCjTa/d34oUkIbT5vewLofTGMxIJSFZCAReuXl +yU/c6hvmwi8Z6P9y7XNvA4LHFlcwAYgPKkPu9V03JwOKFelNzvz95HlG07wilWqk +w9zlfeiZFBGTj9G4F5diDYtxdk+8SwwJjjtRiQQXkRj9pPePyDq6RzVvTybTvNZl +YCouJrDBRfO7Jn3IIerYdfliYuqdAoyCv4+RK4K8ZJm/Z+rc9YzkG6OAXrGxnqFO +6/izQLQXaKGpH4nYstl9U/7A3N/177uZSJ/rzJVUJI5L5+ZZXhRFaU8swMybySgG +p9wlSoc3+GboX7f9afU3CLSi6Vu957dVx6ta6E7C4HPGo6bP9IfgPu7P+oDt+YNr +i43gWIz+vDzT1xG0WagXDYeg75m4w7Uuh/bcaHniaRi+7ZcdsWV4z11e9RjMuP2q +1QDI12R5Tbzr+9+s8bMLInagr3B9PHohQl1o+V5PcjV9y3I6MXHLshWcXyx7Tdgy +cZNPsbDkQZi6mwYfdHhHleVdQMfIakKgRASEZuHBiwunsuZyC+rS8ijiileEu7B0 +TST1E+kdatVrcKgWBG6Al6BmQvHhHDS5AQ0ETJP4JAEIAMAX+3WIpAzDwNrBrP4Z +KvVnxWHznj4AdnDjnDBaOlovWUUQThWqgNdzpngcM8almlJd/kp6gWNHQ/lI4Pro +1Y+XwJQiNjt/IMAVc1zWf7/eUdztW3+4i7ZMMEYDrgiXTPWvijKFOOzl2NmntBSh +aJPtQXItamem8h5KyCD4yt8w3khLGTpcVEUpKGkHa/9uanCXiGWdXnCms37ejy5r +k2l46g18pj7dAHbJfEMqSJkjS2uHvNPZdVRqGuiAopdozf1FVMA0pkuiKRI/7je7 
+z825Q1xRkE8jRUBdPjZ3/I6wdq2w/vB1LBr3wV6listhedbXhwmND98bCSs5juoS +9q0AEQEAAYkDRAQYAQgADwIbAgUCUjdJ1gUJB4SFKAEpwF0gBBkBCAAGBQJMk/gk +AAoJEH2AMVxXNt51KgEIAL/Sq5MU+dwz6h5JQQ7IgN+eWf8Ze/PW3dqFBBRbJAHs +lxqCIrXbNkuok2wkwYs807vJdVaONVPQCLhxjY71B0cKxZQG/Gml4kQImvyCXgby +PZLlrgK1+cut0Lf0zdXSVV1Zu9rNi6m2FkngGEsA9JWyfp33h/QC0/3HpWJO2Qko +kAdIPHURSQTbAVZEU5zO0UnFC690PUVx6ySvXXDwm30IwrgMYSPXfdxdYkp9yf/l +d64GUV2VHSLVLloscMItBRM/oGI/zzmmeBrU2xqRfQ9ZUdTs1jW2wxNLJbBTwXRC +/6jVdCw/130XWYdnBFs38eWKDsz/ng/EmAvdIR5C9pMJENFdMTiCAEFzAUwQAJ2y +g5nEQyOBEFKU+Ku4Wxs5TeFgUvcD+Z/tqzfX+i9lXxVFb4wUbGGBrO9762KfpINg +AgPwJQcOO1kPoipNTsFBXUMei8U13TQDOvQ22gC8wSdhQttwv9MXMrBfXJkmYL8E +JlsBhxAikguUsIFyg2GiHY7jIODnfi3KLwYflnz0iTguG2d0/kygUcX7Mvlskjxv +SizESAo1nf+ohC1i57vM6grKVt5nqdrTefZGPUzbF3lRjmXWr/R4GrhJLVqAUoTc +tWRX00nLfDkTcmirVz4AAdRxKEe8fcU7138b27bkiCwmLDFB2PiN/ww6S/lK1tyd +Lvvbjgm3BjIGMZN3UESN5jpeL4oTN5HKUk69CX3sUKx4I52h4BzdNcRl2lp+e6/f +5emLaO5WEeg/L7Ob5SmgDZnamusBoT2LxJpCT3cPkutwGfkmFIjrS85QcXxaLc5m +/BmDcjo7sGJ7Q2pzPu/N8qCRlPmNf4YnQnjZXLVio35G7gVCHx5+Si8VkORbHDdF +nVeFzKnt6cvCTHJ2OroosJWBDYLrlj/fi+XTaubBEgp/eP8YjOxoSvrNhWb0MZvw +FR80wC9gtO5TKfaH68U2bYjC+PwFDaGQ4OuanXi0jhYy6nWE0OnXJWKYLnPtdJGx +yH1VEQ5feTYgY2jG+XDcQWmoPemXd8Pmpc1UVjR3 +=V0LZ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/wallet-client.docs b/debian/wallet-client.docs new file mode 100644 index 0000000..724e084 --- /dev/null +++ b/debian/wallet-client.docs @@ -0,0 +1,2 @@ +README +TODO diff --git a/debian/wallet-client.install b/debian/wallet-client.install new file mode 100644 index 0000000..2940357 --- /dev/null +++ b/debian/wallet-client.install @@ -0,0 +1,4 @@ +debian/tmp/usr/bin/wallet +debian/tmp/usr/bin/wallet-rekey +debian/tmp/usr/share/man/man1/wallet.1 +debian/tmp/usr/share/man/man1/wallet-rekey.1 diff --git a/debian/wallet-server.dirs b/debian/wallet-server.dirs new file mode 100644 index 0000000..0e856f2 --- /dev/null +++ b/debian/wallet-server.dirs @@ -0,0 +1 @@ +/etc/wallet 
diff --git a/debian/wallet-server.docs b/debian/wallet-server.docs new file mode 100644 index 0000000..ceecb82 --- /dev/null +++ b/debian/wallet-server.docs @@ -0,0 +1,8 @@ +README +TODO +docs/design +docs/design-acl +docs/design-api +docs/netdb-role-api +docs/notes +docs/setup diff --git a/debian/wallet-server.examples b/debian/wallet-server.examples new file mode 100644 index 0000000..bb13c59 --- /dev/null +++ b/debian/wallet-server.examples @@ -0,0 +1,4 @@ +contrib/used-principals +contrib/wallet-contacts +contrib/wallet-summary +contrib/wallet-unknown-hosts diff --git a/debian/wallet-server.install b/debian/wallet-server.install new file mode 100644 index 0000000..dfc1d6e --- /dev/null +++ b/debian/wallet-server.install @@ -0,0 +1,12 @@ +debian/tmp/etc/remctl/acl/wallet-report +debian/tmp/usr/sbin/wallet-admin +debian/tmp/usr/sbin/wallet-backend +debian/tmp/usr/sbin/wallet-report +debian/tmp/usr/share/man/man3/*.3pm +debian/tmp/usr/share/man/man8/wallet-admin.8 +debian/tmp/usr/share/man/man8/wallet-backend.8 +debian/tmp/usr/share/man/man8/wallet-report.8 +debian/tmp/usr/share/perl5 +debian/tmp/usr/share/wallet + +config/wallet etc/remctl/conf.d diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..ec0f630 --- /dev/null +++ b/debian/watch @@ -0,0 +1,3 @@ +version=3 +opts=pgpsigurlmangle=s/$/.asc/ \ + http://archives.eyrie.org/software/kerberos/wallet-(.*)\.tar\.gz |
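Review bot: the armored block added as debian/upstream/signing-key.asc becomes the trust anchor for every later uscan signature check, but nothing in the file identifies which key it is, so a reviewer cannot confirm it without importing and decoding it. Please state the full fingerprint of the primary key in the commit message, or as a comment line above the BEGIN PGP PUBLIC KEY BLOCK line, so it can be compared against a copy obtained through a separate channel before this is merged. It is also worth confirming that the export is a minimal one that carries only the key's own self-signatures, since anything else in the block is unreviewed data that ships in every source package.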
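Review bot: in debian/wallet-server.install, the first entry (debian/tmp/etc/remctl/acl/wallet-report) and the last (config/wallet etc/remctl/conf.d) put an ACL file and a remctl command definition under /etc on every install, and neither file's contents are part of this change. Please confirm that the shipped wallet-report ACL grants access to no principal by default, so that installing wallet-server does not expose the reporting interface until an administrator edits the file. Separately, the man3/*.3pm glob and the whole-directory entries for usr/share/perl5 and usr/share/wallet will pick up anything the upstream build drops there; listing them this way is fine, but it means new upstream files get packaged without appearing in a diff of this file.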
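Review bot: the URL on the last line of debian/watch is plain http://, so the listing uscan scans for new versions is fetched without transport integrity. opts=pgpsigurlmangle=s/$/.asc/ makes uscan fetch and check the detached signature for the tarball it downloads, which protects the tarball contents but not the listing, so a modified listing could hide a newer release. Use https:// here if the archive host serves it. The version capture wallet-(.*)\.tar\.gz is also looser than it needs to be; (.+) or a pattern anchored on a leading digit avoids matching an empty version string.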