Rework "Honor --sysconfdir and --localstatedir in stunnel.conf-sample.in"

Hi, I took the liberty of reworking the patch presented in http://www.stunnel.org/pipermail/stunnel-users/2010-July/002711.html to fix the issues raised in http://www.stunnel.org/pipermail/stunnel-users/2010-August/002719.html The main reason why the substitution didn't work is because it should not be done during configure-time but inside the Makefile as described in the Autoconf manual http://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html... The patch is attached to this email or you can browse the patch at https://github.com/dago/stunnel/compare/master...sysconfdir The patch is against 5.18b3 (is there a public repo available to make patches?) It would be great if the change could be applied. Best regards -- Dago

Hi, I took the liberty of reworking the patch presented in http://www.stunnel.org/pipermail/stunnel-users/2010-July/002711.html to fix the issues raised in http://www.stunnel.org/pipermail/stunnel-users/2010-August/002719.html The patch is available at https://buildfarm.opencsw.org/source/xref/opencsw/csw/mgar/pkg/stunnel/trunk... or you can browse the patch more nicely at https://github.com/dago/stunnel/compare/master...sysconfdir (I posted yesterday with the patch inline but it didn’t go through as the patch is rather big due to a rename) The main reason why the substitution didn't work in the previous patch is because the substitution should not be done during configure-time but inside the Makefile as described in the Autoconf manual http://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html... The patch is against 5.18b3 (is there a public repo available to make patches?) It would be great if the change could be applied. Best regards -- Dago -- "You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896

On 01.06.2015 10:01, Dagobert Michelsen wrote:
The patch is available at https://buildfarm.opencsw.org/source/xref/opencsw/csw/mgar/pkg/stunnel/trunk...
or you can browse the patch more nicely at
Thank you very much for your work. There are a few issues with the patch I hopefully fixed: 1. It does not include the newly created .in files in the tarball. "make distcheck" is a great tool to diagnose this kind of issue. 2. The last rule for "stunnel.pod" creates a recursive dependency. 3. "CApath = /etc/ssl/certs" is supposed to point to the OS trusted certificate store, and not something installed locally.
is there a public repo available to make patches?
No, there isn't.
It would be great if the change could be applied.
It will be included in the next release. Mike
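
The make-time substitution discussed in this thread, together with the distribution and dependency points raised in the reply above, as an added Makefile.am fragment that follows the pattern in the Autoconf manual's section on installation directory variables. It is not the patch from the thread and not stunnel's own build file; the file layout (stunnel.conf-sample.in next to this Makefile.am) and the template lines quoted in the comments are assumptions.

```make
# Added example: not the patch from this thread and not stunnel's Makefile.am.
# Assumed layout: stunnel.conf-sample.in sits next to this Makefile.am and
# contains constructed lines such as
#   pid    = @localstatedir@/run/stunnel.pid
#   cert   = @sysconfdir@/stunnel/mail.pem
#   CApath = /etc/ssl/certs
# CApath stays a literal path: it names the OS trust store, not a directory
# under the install prefix.

# The template is not listed in AC_CONFIG_FILES, so Automake does not ship it
# by itself; without this line "make dist" yields a tarball that cannot build.
EXTRA_DIST = stunnel.conf-sample.in

# Built by "make all", removed by "make clean", never put in the tarball.
noinst_DATA = stunnel.conf-sample
CLEANFILES = stunnel.conf-sample

# configure would substitute the raw default '${prefix}/etc', which a
# configuration file cannot expand; make expands $(sysconfdir) fully.
# Writing the pattern as @name[@] keeps config.status from rewriting this
# sed script itself when it generates the Makefile.
edit = sed \
	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
	-e 's|@localstatedir[@]|$(localstatedir)|g'

# Depend on the template and on Makefile (so re-running configure with a new
# --sysconfdir rebuilds the sample), never on the target itself.
stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in Makefile
	rm -f $@ $@.tmp
	$(edit) $(srcdir)/stunnel.conf-sample.in > $@.tmp
	mv $@.tmp $@
```

Running "make distcheck" after a change like this confirms that the tarball contains the template and that a build from the unpacked tarball succeeds.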

Hi Mike, Am 01.06.2015 um 14:00 schrieb Michal Trojnara <Michal.Trojnara@mirt.net>:
On 01.06.2015 10:01, Dagobert Michelsen wrote:
The patch is available at https://buildfarm.opencsw.org/source/xref/opencsw/csw/mgar/pkg/stunnel/trunk...
or you can browse the patch more nicely at
Thank you very much for your work. There are a few issues with the patch I hopefully fixed: 1. It does not include the newly created .in files in the tarball. "make distcheck" is a great tool to diagnose this kind of issue.
This was intended as I didn’t want to clutter up the patch with generated files you will most certainly regenerate anyway before release. I can include them next time if it helps.
2. The last rule for "stunnel.pod" creates a recursive dependency.
Ah, good catch.
3. "CApath = /etc/ssl/certs" is supposed to point to the OS trusted certificate store, and not something installed locally.
This was somewhat intended. As I did the patch for OpenCSW we are shipping basically our own userland to Solaris which also has a different certstore. I understand that this should not go to /usr/local/etc by default, but that also means I need another way to customize it. I’ll look how this is done in other projects and propose a patch.
It would be great if the change could be applied.
It will be included in the next release.
Cool :-) Best regards — Dago -- "You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896

On 01.06.2015 14:35, Dagobert Michelsen wrote:
1. It does not include the newly created .in files in the tarball. "make distcheck" is a great tool to diagnose this kind of issue.
This was intended as I didn’t want to clutter up the patch with generated files you will most certainly regenerate anyway before release. I can include them next time if it helps.
My comment was not about the content of the files, but about the rules to include them in the tarballs. Makefile.am not only controls the result of "make" and "make install", but also "make dist". Your patch produces makefiles that generate uninstallable source tarballs.
3. "CApath = /etc/ssl/certs" is supposed to point to the OS trusted certificate store, and not something installed locally.
This was somewhat intended. As I did the patch for OpenCSW we are shipping basically our own userland to Solaris which also has a different certstore. I understand that this should not go to /usr/local/etc by default, but that also means I need another way to customize it. I’ll look how this is done in other projects and propose a patch.
I see your point. /etc/ssl/certs is probably the best default for most modern distros. Mike

Hi Mike, Am 01.06.2015 um 14:45 schrieb Michal Trojnara <Michal.Trojnara@mirt.net>:
On 01.06.2015 14:35, Dagobert Michelsen wrote:
1. It does not include the newly created .in files in the tarball. "make distcheck" is a great tool to diagnose this kind of issue.
This was intended as I didn’t want to clutter up the patch with generated files you will most certainly regenerate anyway before release. I can include them next time if it helps.
My comment was not about the content of the files, but about the rules to include them in the tarballs. Makefile.am not only controls the result of "make" and "make install", but also "make dist". Your patch produces makefiles that generate uninstallable source tarballs.
I see, next time I'll run distcheck.
3. "CApath = /etc/ssl/certs" is supposed to point to the OS trusted certificate store, and not something installed locally.
This was somewhat intended. As I did the patch for OpenCSW we are shipping basically our own userland to Solaris which also has a different certstore. I understand that this should not go to /usr/local/etc by default, but that also means I need another way to customize it. I’ll look how this is done in other projects and propose a patch.
I see your point. /etc/ssl/certs is probably the best default for most modern distros.
Would it be possible to include something like --with-ca-bundle=<file> --with-ca-path=<path> as implemented in Curl? https://github.com/bagder/curl/blob/master/acinclude.m4#L2553 Best regards — Dago -- "You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896

On 01.06.2015 16:07, Dagobert Michelsen wrote:
Would it be possible to include something like --with-ca-bundle=<file> --with-ca-path=<path> as implemented in Curl? https://github.com/bagder/curl/blob/master/acinclude.m4#L2553
It's definitely feasible, although adding a ./configure option seems to be an overkill for something that (in case of stunnel) is only used to generate a configuration example... Please take a look at stunnel-5.18b4. It includes the --sysconfdir / --localstatedir stuff and the new "include" configuration file option. Mike
participants (2)
- Dagobert Michelsen
- Michal Trojnara