gnu: geary: Upgrade to 40.0
* gnu/packages/gnome.scm (geary): Upgrade to 40.0. Signed-off-by: Ludovic Courtès <ludo@gnu.org>master
Vivien Kraus
Ludovic Courtès
parent
86f031e877
commit
d9e3c1b0b3
|
|
@ -1111,7 +1111,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/gdm-elogind-support.patch \
|
||||
%D%/packages/patches/gdm-remove-hardcoded-xwayland-path.patch \
|
||||
%D%/packages/patches/gdm-wayland-session-wrapper-from-env.patch \
|
||||
%D%/packages/patches/geary-CVE-2020-24661.patch \
|
||||
%D%/packages/patches/genimage-mke2fs-test.patch \
|
||||
%D%/packages/patches/geoclue-config.patch \
|
||||
%D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
|
||||
|
|
|
|||
|
|
@ -140,6 +140,7 @@
|
|||
#:use-module (gnu packages inkscape)
|
||||
#:use-module (gnu packages iso-codes)
|
||||
#:use-module (gnu packages kerberos)
|
||||
#:use-module (gnu packages language)
|
||||
#:use-module (gnu packages libcanberra)
|
||||
#:use-module (gnu packages libffi)
|
||||
#:use-module (gnu packages libunistring)
|
||||
|
|
@ -11742,34 +11743,46 @@ these services on the Guix System.")
|
|||
(define-public geary
|
||||
(package
|
||||
(name "geary")
|
||||
(version "3.34.1")
|
||||
(version "40.0")
|
||||
(source (origin
|
||||
(method git-fetch)
|
||||
(uri (git-reference
|
||||
(url "https://gitlab.gnome.org/GNOME/geary")
|
||||
(commit version)))
|
||||
(url "https://gitlab.gnome.org/GNOME/geary.git")
|
||||
(commit (string-append "gnome-" version))))
|
||||
(file-name (git-file-name name version))
|
||||
(sha256
|
||||
(base32
|
||||
"01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7"))
|
||||
(patches (search-patches "geary-CVE-2020-24661.patch"))))
|
||||
"04hvw86r8sczvjm1z3ls5y5y5h6nyfb648rjkfx05ib00mqq5v1x"))))
|
||||
(build-system meson-build-system)
|
||||
(arguments
|
||||
`(#:glib-or-gtk? #t
|
||||
#:configure-flags
|
||||
'("-Dprofile=release")
|
||||
#:phases (modify-phases %standard-phases
|
||||
(add-after 'unpack 'disable-failing-tests
|
||||
(lambda _
|
||||
(substitute* "test/meson.build"
|
||||
(("test\\('client-tests', geary_test_client_bin\\)")
|
||||
""))
|
||||
#t))
|
||||
(substitute* "test/test-client.vala"
|
||||
(("client.add_suite\\(new Application.CertificateManagerTest\\(\\).suite\\);")
|
||||
""))))
|
||||
(add-after 'unpack 'generate-vapis
|
||||
(lambda* (#:key inputs #:allow-other-keys)
|
||||
;; It’s not possible to generate the GMime vapi, because
|
||||
;; there’s custom metadata that gmime didn’t
|
||||
;; install. Thus, the vapi should be built and installed
|
||||
;; with gmime.
|
||||
(define gmime
|
||||
(assoc-ref inputs "gmime"))
|
||||
(copy-file (string-append gmime "/share/vala/vapi/gmime-3.0.vapi")
|
||||
"bindings/vapi/gmime-3.0.vapi")))
|
||||
(add-after 'unpack 'disable-postinstall-script
|
||||
(lambda _
|
||||
(substitute* "meson.build"
|
||||
(("meson.add_install_script\\(\
|
||||
join_paths\\('build-aux', 'post_install.py'\\)\\)")
|
||||
""))
|
||||
#t))
|
||||
(substitute* "build-aux/post_install.py"
|
||||
(("gtk-update-icon-cache")
|
||||
"true"))))
|
||||
(add-before 'check 'setup-home
|
||||
(lambda _
|
||||
;; Tests require a writable HOME.
|
||||
(setenv "HOME" (getcwd))))
|
||||
(add-before 'check 'setup-xvfb
|
||||
(lambda _
|
||||
(system "Xvfb :1 &")
|
||||
|
|
@ -11780,28 +11793,33 @@ join_paths\\('build-aux', 'post_install.py'\\)\\)")
|
|||
("folks" ,folks)
|
||||
("gcr" ,gcr)
|
||||
("glib" ,glib)
|
||||
("gmime" ,gmime-2.6)
|
||||
("gmime" ,gmime)
|
||||
("gnome-online-accounts:lib"
|
||||
,gnome-online-accounts "lib")
|
||||
("gsettings-desktop-schemas" ,gsettings-desktop-schemas)
|
||||
("gspell" ,gspell)
|
||||
("gsound" ,gsound)
|
||||
("gtk+" ,gtk+)
|
||||
("iso-codes" ,iso-codes)
|
||||
("json-glib" ,json-glib)
|
||||
("libcanberra" ,libcanberra)
|
||||
("libgee" ,libgee)
|
||||
("libhandy" ,libhandy-0.0)
|
||||
("libhandy" ,libhandy)
|
||||
("libpeas" ,libpeas)
|
||||
("libsecret" ,libsecret)
|
||||
("libstemmer" ,libstemmer)
|
||||
("libunwind" ,libunwind)
|
||||
("sqlite" ,sqlite)
|
||||
("webkitgtk" ,webkitgtk)
|
||||
("webkitgtk" ,webkitgtk-with-libsoup2)
|
||||
("ytnef" ,ytnef)))
|
||||
(native-inputs
|
||||
`(("appstream-glib" ,appstream-glib)
|
||||
("cmake-minimal" ,cmake-minimal)
|
||||
("desktop-file-utils" ,desktop-file-utils)
|
||||
("gettext" ,gettext-minimal)
|
||||
("glib" ,glib)
|
||||
("glib:bin" ,glib "bin")
|
||||
("gmime" ,gmime)
|
||||
("gobject-introspection" ,gobject-introspection)
|
||||
("itstool" ,itstool)
|
||||
("libarchive" ,libarchive)
|
||||
|
|
|
|||
|
|
@ -1,133 +0,0 @@
|
|||
From d4e86dc91e1d8a940dc40872fe94ef9ac0fed1b5 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Gratton <mike@vee.net>
|
||||
Date: Tue, 25 Aug 2020 03:54:09 +0000
|
||||
Subject: [PATCH] Merge branch 'mjog/866-self-signed-certificates' into
|
||||
'mainline'
|
||||
|
||||
Fix invalid certificate pinning when GCR support is unavailable
|
||||
|
||||
Closes #866
|
||||
|
||||
See merge request GNOME/geary!529
|
||||
|
||||
(cherry picked from commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77)
|
||||
|
||||
5088adfe Application.CertificateManager: Rename some methods for clarity
|
||||
0d957559 Application.CertificateManager: Check locally pinned certs for equality
|
||||
---
|
||||
.../application-certificate-manager.vala | 44 +++++++++----------
|
||||
1 file changed, 22 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/src/client/application/application-certificate-manager.vala b/src/client/application/application-certificate-manager.vala
|
||||
index 4881d73c0..65f6af4fa 100644
|
||||
--- a/src/client/application/application-certificate-manager.vala
|
||||
+++ b/src/client/application/application-certificate-manager.vala
|
||||
@@ -381,8 +381,8 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
|
||||
GLib.TlsCertificateFlags ret = this.parent.verify_chain(
|
||||
chain, purpose, identity, interaction, flags, cancellable
|
||||
);
|
||||
- if (should_verify(ret, purpose, identity) &&
|
||||
- verify(chain, identity, cancellable)) {
|
||||
+ if (check_pinned(ret, purpose, identity) &&
|
||||
+ is_pinned(chain, identity, cancellable)) {
|
||||
ret = 0;
|
||||
}
|
||||
return ret;
|
||||
@@ -399,16 +399,16 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
|
||||
GLib.TlsCertificateFlags ret = yield this.parent.verify_chain_async(
|
||||
chain, purpose, identity, interaction, flags, cancellable
|
||||
);
|
||||
- if (should_verify(ret, purpose, identity) &&
|
||||
- yield verify_async(chain, identity, cancellable)) {
|
||||
+ if (check_pinned(ret, purpose, identity) &&
|
||||
+ yield is_pinned_async(chain, identity, cancellable)) {
|
||||
ret = 0;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
- private inline bool should_verify(GLib.TlsCertificateFlags parent_ret,
|
||||
- string purpose,
|
||||
- GLib.SocketConnectable? identity) {
|
||||
+ private inline bool check_pinned(GLib.TlsCertificateFlags parent_ret,
|
||||
+ string purpose,
|
||||
+ GLib.SocketConnectable? identity) {
|
||||
// If the parent didn't verify, check for a locally pinned
|
||||
// cert if it looks like we should, but always reject revoked
|
||||
// certs
|
||||
@@ -420,22 +420,22 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
|
||||
);
|
||||
}
|
||||
|
||||
- private bool verify(GLib.TlsCertificate chain,
|
||||
- GLib.SocketConnectable identity,
|
||||
- GLib.Cancellable? cancellable)
|
||||
+ private bool is_pinned(GLib.TlsCertificate chain,
|
||||
+ GLib.SocketConnectable identity,
|
||||
+ GLib.Cancellable? cancellable)
|
||||
throws GLib.Error {
|
||||
- bool is_verified = false;
|
||||
+ bool is_pinned = false;
|
||||
string id = to_name(identity);
|
||||
TrustContext? context = null;
|
||||
lock (this.pinned_certs) {
|
||||
context = this.pinned_certs.get(id);
|
||||
if (context != null) {
|
||||
- is_verified = true;
|
||||
+ is_pinned = context.certificate.is_same(chain);
|
||||
} else {
|
||||
// Cert not found in memory, check with GCR if
|
||||
// enabled.
|
||||
if (this.use_gcr) {
|
||||
- is_verified = gcr_trust_is_certificate_pinned(
|
||||
+ is_pinned = gcr_trust_is_certificate_pinned(
|
||||
new Gcr.SimpleCertificate(chain.certificate.data),
|
||||
GLib.TlsDatabase.PURPOSE_AUTHENTICATE_SERVER,
|
||||
id,
|
||||
@@ -443,7 +443,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
|
||||
);
|
||||
}
|
||||
|
||||
- if (!is_verified) {
|
||||
+ if (!is_pinned) {
|
||||
// Cert is not pinned in memory or in GCR, so look
|
||||
// for it on disk. Do this even if GCR support is
|
||||
// enabled, since if the cert was previously saved
|
||||
@@ -453,7 +453,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
|
||||
this.store_dir, id, cancellable
|
||||
);
|
||||
this.pinned_certs.set(id, context);
|
||||
- is_verified = true;
|
||||
+ is_pinned = context.certificate.is_same(chain);
|
||||
} catch (GLib.IOError.NOT_FOUND err) {
|
||||
// Cert was not found saved, so it not pinned
|
||||
} catch (GLib.Error err) {
|
||||
@@ -465,18 +465,18 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
|
||||
}
|
||||
}
|
||||
}
|
||||
- return is_verified;
|
||||
+ return is_pinned;
|
||||
}
|
||||
|
||||
- private async bool verify_async(GLib.TlsCertificate chain,
|
||||
- GLib.SocketConnectable identity,
|
||||
- GLib.Cancellable? cancellable)
|
||||
+ private async bool is_pinned_async(GLib.TlsCertificate chain,
|
||||
+ GLib.SocketConnectable identity,
|
||||
+ GLib.Cancellable? cancellable)
|
||||
throws GLib.Error {
|
||||
- bool is_valid = false;
|
||||
+ bool pinned = false;
|
||||
yield Geary.Nonblocking.Concurrent.global.schedule_async(() => {
|
||||
- is_valid = verify(chain, identity, cancellable);
|
||||
+ pinned = is_pinned(chain, identity, cancellable);
|
||||
}, cancellable);
|
||||
- return is_valid;
|
||||
+ return pinned;
|
||||
}
|
||||
|
||||
private TrustContext? lookup_id(string id) {
|
||||
--
|
||||
GitLab
|
||||
|
||||
Reference in New Issue