updpkg: nginx-mainline-boringssl 1.11.10-1

2017-03-05 13:43:05 +08:00 · 2017-03-05 13:43:05 +08:00 · 355bbbc91a
commit 355bbbc91a
parent 7cf70007f7
8 changed files with 175 additions and 176 deletions
--- a/.SRCINFO
+++ b/.SRCINFO
@ -1,54 +1,40 @@
-# Generated by mksrcinfo v8
-# Sun Apr 24 05:51:34 UTC 2016
 pkgbase = nginx-mainline-boringssl
-	pkgdesc = lightweight HTTP server, statically linked against BoringSSL.
-	pkgver = 1.9.15
+	pkgdesc = Lightweight HTTP server and IMAP/POP3 proxy server, mainline release
+	pkgver = 1.11.10
 	pkgrel = 1
-	url = http://nginx.org
+	url = https://nginx.org
+	install = nginx.install
 	arch = i686
 	arch = x86_64
 	license = custom
-	makedepends = libxslt
-	makedepends = gd
-	makedepends = git
-	makedepends = cmake
+	makedepends = hardening-wrapper
 	depends = pcre
 	depends = zlib
-	depends = pam
-	depends = gd
-	depends = hardening-wrapper
-	depends = libxslt
-	depends = go
+	depends = openssl
+	depends = geoip
 	provides = nginx
 	conflicts = nginx
-	conflicts = nginx-libressl
-	conflicts = nginx-unstable
-	conflicts = nginx-svn
-	conflicts = nginx-devel
-	conflicts = nginx-custom-dev
-	conflicts = nginx-full
-	backup = etc/nginx/nginx.conf
-	backup = etc/nginx/koi-win
-	backup = etc/nginx/koi-utf
-	backup = etc/nginx/win-utf
-	backup = etc/nginx/mime.types
 	backup = etc/nginx/fastcgi.conf
 	backup = etc/nginx/fastcgi_params
+	backup = etc/nginx/koi-win
+	backup = etc/nginx/koi-utf
+	backup = etc/nginx/mime.types
+	backup = etc/nginx/nginx.conf
 	backup = etc/nginx/scgi_params
 	backup = etc/nginx/uwsgi_params
+	backup = etc/nginx/win-utf
 	backup = etc/logrotate.d/nginx
-	source = nginx.conf
-	source = nginx.logrotate
-	source = nginx.service
-	source = http://nginx.org/download/nginx-1.9.15.tar.gz
-	source = openssl.patch
+	source = https://nginx.org/download/nginx-1.11.10.tar.gz
+	source = https://nginx.org/download/nginx-1.11.10.tar.gz.asc
 	source = git+https://boringssl.googlesource.com/boringssl
-	sha256sums = 8d8e314da10411b29157066ea313fc080a145d2075df0c99a1d500ffc7e8b7d1
-	sha256sums = adcf6507abb2d4edbc50bd92f498ba297927eed0460d71633df94f79637aa786
-	sha256sums = 225228970d779e1403ba4314e3cd8d0d7d16f8c6d48d7a22f8384db040eb0bdf
-	sha256sums = cc89b277cc03f403c0b746d60aa5943cdecf59ae48278f8cb7e2df0cbdb6dac3
-	sha256sums = dc1ea1a0323759d49a7dc2c6173811bda319c36aa4a14b775d6f589fe9c6a4c2
-	sha256sums = SKIP
+	source = service
+	source = logrotate
+	validpgpkeys = B0F4253373F8F6F510D42178520A9993A1C052F8
+	md5sums = 6fb10f579055d27a2240d51c7d85c190
+	md5sums = SKIP
+	md5sums = SKIP
+	md5sums = ce9a06bcaf66ec4a3c4eb59b636e0dfd
+	md5sums = d6a6d4d819f03a675bacdfabd25aa37e

 pkgname = nginx-mainline-boringssl

--- a/201
+++ b/201
@ -1,120 +1,139 @@
-#base on aur/nginx-mainline-libressl
-
-_pkgname="nginx"
-_user="www"
-_group="www"
-_doc_root="/usr/share/${_pkgname}/http"
-_sysconf_path="etc"
-_conf_path="${_sysconf_path}/${_pkgname}"
-_tmp_path="/var/spool/${_pkgname}"
-_pid_path="/run"
-_lock_path="/var/lock"
-_log_path="/var/log/${_pkgname}"
-
+# $Id: PKGBUILD 289024 2017-02-15 21:13:17Z bpiotrowski $
+# Maintainer:  Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
+# Contributor: Sébastien Luttringer
+# Contributor: Drew DeVault
+# Contributor: Kasei Wang <cnsdwpc at gmail.com>

 pkgname=nginx-mainline-boringssl
-pkgver=1.9.15
+pkgver=1.11.10
 pkgrel=1
-pkgdesc="lightweight HTTP server, statically linked against BoringSSL."
+pkgdesc='Lightweight HTTP server and IMAP/POP3 proxy server, mainline release'
 arch=('i686' 'x86_64')
-
-depends=('pcre' 'zlib' 'pam' 'gd' 'hardening-wrapper' 'libxslt' 'go')
-makedepends=(
-	'libxslt'
-	'gd'
-	'git'
-	'cmake'
-)
-
-url="http://nginx.org"
+url='https://nginx.org'
 license=('custom')
-conflicts=('nginx' 'nginx-libressl' 'nginx-unstable' 'nginx-svn' 'nginx-devel' 'nginx-custom-dev' 'nginx-full') 
+depends=('pcre' 'zlib' 'openssl' 'geoip')
+makedepends=('hardening-wrapper')
+backup=('etc/nginx/fastcgi.conf'
+        'etc/nginx/fastcgi_params'
+        'etc/nginx/koi-win'
+        'etc/nginx/koi-utf'
+        'etc/nginx/mime.types'
+        'etc/nginx/nginx.conf'
+        'etc/nginx/scgi_params'
+        'etc/nginx/uwsgi_params'
+        'etc/nginx/win-utf'
+        'etc/logrotate.d/nginx')
+install=nginx.install
 provides=('nginx')
-backup=("${_conf_path}/nginx.conf"
-	"${_conf_path}/koi-win"
-	"${_conf_path}/koi-utf"
-	"${_conf_path}/win-utf"
-	"${_conf_path}/mime.types"
-	"${_conf_path}/fastcgi.conf"
-	"${_conf_path}/fastcgi_params"
-	"${_conf_path}/scgi_params"
-	"${_conf_path}/uwsgi_params"
-	"etc/logrotate.d/nginx")
-
-source=( "nginx.conf"
-		"nginx.logrotate"
-		"nginx.service"
-		"http://nginx.org/download/nginx-$pkgver.tar.gz"
-		"openssl.patch"
+conflicts=('nginx')
+source=($url/download/nginx-$pkgver.tar.gz{,.asc}
        "git+https://boringssl.googlesource.com/boringssl"
+        "service"
+        "logrotate")
+validpgpkeys=('B0F4253373F8F6F510D42178520A9993A1C052F8') # Maxim Dounin <mdounin@mdounin.ru>
+md5sums=('6fb10f579055d27a2240d51c7d85c190'
+         'SKIP'
+         'SKIP'
+         'ce9a06bcaf66ec4a3c4eb59b636e0dfd'
+         'd6a6d4d819f03a675bacdfabd25aa37e')
+
+_common_flags=(
+  --with-pcre-jit
+  --with-file-aio
+  --with-http_addition_module
+  --with-http_auth_request_module
+  --with-http_dav_module
+  --with-http_degradation_module
+  --with-http_flv_module
+  --with-http_geoip_module
+  --with-http_gunzip_module
+  --with-http_gzip_static_module
+  --with-http_mp4_module
+  --with-http_realip_module
+  --with-http_secure_link_module
+  --with-http_slice_module
+  --with-http_ssl_module
+  --with-http_stub_status_module
+  --with-http_sub_module
+  --with-http_v2_module
+  --with-mail
+  --with-mail_ssl_module
+  --with-stream
+  --with-stream_ssl_module
+  --with-threads
 )

-sha256sums=('8d8e314da10411b29157066ea313fc080a145d2075df0c99a1d500ffc7e8b7d1'
-            'adcf6507abb2d4edbc50bd92f498ba297927eed0460d71633df94f79637aa786'
-            '225228970d779e1403ba4314e3cd8d0d7d16f8c6d48d7a22f8384db040eb0bdf'
-            'cc89b277cc03f403c0b746d60aa5943cdecf59ae48278f8cb7e2df0cbdb6dac3'
-            'dc1ea1a0323759d49a7dc2c6173811bda319c36aa4a14b775d6f589fe9c6a4c2'
-            'SKIP')
+_mainline_flags=(
+  --with-stream_ssl_preread_module
+  --with-stream_geoip_module
+  --with-stream_realip_module
+)

 build() {
-	local _src_dir="${srcdir}/${_pkgname}-${pkgver}"
+  export CXXFLAGS="$CXXFLAGS -fPIC"

-	export CFLAGS="-Wno-error -fPIC"
  cd ${srcdir}/boringssl
  mkdir build && cd build && cmake ../ && make && cd ${srcdir}/boringssl
  mkdir -p .openssl/lib && cd .openssl && ln -s ../include . && cd ../
  cp ${srcdir}/boringssl/build/crypto/libcrypto.a ${srcdir}/boringssl/build/ssl/libssl.a .openssl/lib && cd ..

-	cd $_src_dir
-
+  cd ${srcdir}/$provides-$pkgver
  ./configure \
-		--prefix="/${_conf_path}" \
-		--conf-path="/${_conf_path}/nginx.conf" \
-		--sbin-path="/usr/bin/${_pkgname}" \
-		--pid-path="${_pid_path}/${_pkgname}.pid" \
-		--lock-path=${_pid_path}/${_pkgname}.lock \
-		--http-client-body-temp-path=${_tmp_path}/client_body_temp \
-		--http-proxy-temp-path=${_tmp_path}/proxy_temp \
-		--http-fastcgi-temp-path=${_tmp_path}/fastcgi_temp \
-		--http-uwsgi-temp-path=${_tmp_path}/uwsgi_temp \
-		--http-scgi-temp-path=${_tmp_path}scgi_temp \
-		--http-log-path=${_log_path}/access.log \
-		--error-log-path=${_log_path}/error.log \
-		--user=${_user} \
-		--group=${_group} \
-		--with-ipv6 \
-		--with-openssl=../boringssl \
-		--with-threads \
-		--with-http_ssl_module \
-		--with-http_gzip_static_module \
-		--with-http_realip_module \
-		--with-http_v2_module \
-		--with-file-aio \
-		--with-pcre-jit \
-		--with-stream
+    --prefix=/etc/nginx \
+    --conf-path=/etc/nginx/nginx.conf \
+    --sbin-path=/usr/bin/nginx \
+    --pid-path=/run/nginx.pid \
+    --lock-path=/run/lock/nginx.lock \
+    --user=http \
+    --group=http \
+    --http-log-path=/var/log/nginx/access.log \
+    --error-log-path=stderr \
+    --http-client-body-temp-path=/var/lib/nginx/client-body \
+    --http-proxy-temp-path=/var/lib/nginx/proxy \
+    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
+    --http-scgi-temp-path=/var/lib/nginx/scgi \
+    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
+    --with-openssl=${srcdir}/boringssl \
+    ${_common_flags[@]} \
+    ${_mainline_flags[@]}

  touch ${srcdir}/boringssl/.openssl/include/openssl/ssl.h
-	patch -p0 < ../openssl.patch
-
  make
 }

 package() {
-	cd "${srcdir}/${_pkgname}-${pkgver}"
-	make DESTDIR="$pkgdir/" install
+  cd $provides-$pkgver
+  make DESTDIR="$pkgdir" install

-	sed -i -e "s/\<user\s\+\w\+;/user $_user;/g" ${pkgdir}/$_conf_path/nginx.conf
-	mkdir -p ${pkgdir}/$_conf_path/sites-available/
+  sed -e 's|\<user\s\+\w\+;|user html;|g' \
+    -e '44s|html|/usr/share/nginx/html|' \
+    -e '54s|html|/usr/share/nginx/html|' \
+    -i "$pkgdir"/etc/nginx/nginx.conf

-	install -d "${pkgdir}/${_tmp_path}"
-	install -d "${pkgdir}/${_doc_root}"
+  rm "$pkgdir"/etc/nginx/*.default

-	mv "${pkgdir}/${_conf_path}/html/"* "${pkgdir}/${_doc_root}"
-	rm -rf "${pkgdir}/${_conf_path}/html"
+  install -d "$pkgdir"/var/lib/nginx
+  install -dm700 "$pkgdir"/var/lib/nginx/proxy

-	install -D -m644 "${srcdir}/nginx.logrotate" "${pkgdir}/etc/logrotate.d/${_pkgname}"
-	install -D -m644 "${srcdir}/nginx.conf" "${pkgdir}/etc/conf.d/${_pkgname}"
-	install -D -m644 "${srcdir}/nginx.service" "${pkgdir}/usr/lib/systemd/system/nginx.service"
-	install -D -m644 "LICENSE" "${pkgdir}/usr/share/licenses/${_pkgname}/LICENSE"
-	install -D -m644 "man/nginx.8" "${pkgdir}/usr/share/man/man8/nginx.8"
+  chmod 755 "$pkgdir"/var/log/nginx
+  chown root:root "$pkgdir"/var/log/nginx
+
+  install -d "$pkgdir"/usr/share/nginx
+  mv "$pkgdir"/etc/nginx/html/ "$pkgdir"/usr/share/nginx
+
+  install -Dm644 ../logrotate "$pkgdir"/etc/logrotate.d/nginx
+  install -Dm644 ../service "$pkgdir"/usr/lib/systemd/system/nginx.service
+  install -Dm644 LICENSE "$pkgdir"/usr/share/licenses/$provides/LICENSE
+
+  rmdir "$pkgdir"/run
+
+  install -d "$pkgdir"/usr/share/man/man8/
+  gzip -9c man/nginx.8 > "$pkgdir"/usr/share/man/man8/nginx.8.gz
+
+  for i in ftdetect indent syntax; do
+    install -Dm644 contrib/vim/${i}/nginx.vim \
+      "${pkgdir}/usr/share/vim/vimfiles/${i}/nginx.vim"
+  done
 }
+
+# vim:set ts=2 sw=2 et:
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+/var/log/nginx/*log {
+	missingok
+	notifempty
+	create 640 http log
+	sharedscripts
+	compress
+	postrotate
+		test ! -r /var/run/nginx.pid || kill -USR1 `cat /var/run/nginx.pid`
+	endscript
+}
--- a/nginx.install
+++ b/nginx.install
@ -0,0 +1,12 @@
+post_upgrade() {
+  if (( $(vercmp $2 1.11.8-2) < 0)); then
+    chown root:root var/log/nginx
+  fi
+
+  if (( $(vercmp $2 1.11.9-2) < 0 )); then
+    chmod 755 var/log/nginx
+    echo ':: Security notice:'
+    echo '     - When additional log directories are used in /var/log/nginx make sure they'
+    echo '       are owned by root:root and have 755 set as permission to mitigate CVE-2016-1247'
+  fi
+}
--- a/nginx.logrotate
+++ b/nginx.logrotate
@ -1,8 +0,0 @@
-	/var/log/nginx/*log {
-		daily
-		create 640 http log
-		compress
-		postrotate
-			[ ! -f /run/nginx.pid ] || kill -USR1 `cat /run/nginx.pid`
-		endscript
-	}
--- a/nginx.service
+++ b/nginx.service
@ -1,18 +0,0 @@
-[Unit]
-Description=A high performance web server and a reverse proxy server
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/nginx.pid
-PrivateDevices=yes
-SyslogLevel=err
-
-ExecStartPre=/usr/bin/nginx -t -q -g 'pid /run/nginx.pid; error_log stderr;'
-ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; error_log stderr;'
-ExecReload=/usr/bin/kill -HUP $MAINPID
-KillSignal=SIGQUIT
-KillMode=mixed
-
-[Install]
-WantedBy=multi-user.target
--- a/openssl.patch
+++ b/openssl.patch
@ -1,16 +0,0 @@
--- src/event/ngx_event_openssl.c	2016-01-10 02:38:56.405000000 +0000
-+++ src/event/ngx_event_openssl.c.mod	2016-01-10 02:40:10.388000000 +0000
-@@ -1909,13 +1909,11 @@
- 
-             /* handshake failures */
-         if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
-            || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                  /*  129 */
-             || n == SSL_R_DIGEST_CHECK_FAILED                        /*  149 */
-             || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              /*  151 */
-             || n == SSL_R_EXCESSIVE_MESSAGE_SIZE                     /*  152 */
-             || n == SSL_R_LENGTH_MISMATCH                            /*  159 */
-             || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
-            || n == SSL_R_NO_CIPHERS_SPECIFIED                       /*  183 */
-             || n == SSL_R_NO_COMPRESSION_SPECIFIED                   /*  187 */
-             || n == SSL_R_NO_SHARED_CIPHER                           /*  193 */
-             || n == SSL_R_RECORD_LENGTH_MISMATCH                     /*  213 */
--- a/14
+++ b/14
@ -0,0 +1,14 @@
+[Unit]
+Description=A high performance web server and a reverse proxy server
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/bin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
+ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
+ExecReload=/usr/bin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
+ExecStop=/usr/bin/nginx -g 'pid /run/nginx.pid;' -s quit
+
+[Install]
+WantedBy=multi-user.target