authorNatanael Copa <ncopa@alpinelinux.org>2024-02-26 09:31:05 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2024-02-26 09:31:05 +0000
commit699d545bb869821cb271bc4a69ba7829c6b8bf54 (patch)
tree1e1218857ec860dc60cf4b76228db48d4300fe66
parenta2c4db0b4cced5d4485e2568a0d93463102e6f54 (diff)
parentd52397763f1ffc1c46d0b41bf5a7d78a7d6f1ae3 (diff)
merge: certdata: switch to upstream nss releases
certdata.txt is currently obtained from mozilla-central, the monorepo that Mozilla uses. The file is part of a separate project (NSS) that regularly gets imported into that repo. Instead of obtaining it through the monorepo, we can directly obtain it from NSS releases. The advantage of that is that it is clearer what version of certdata.txt we are actually using. An additional benefit is that we can use automation to make sure it is updated whenever a new release is made. See merge request alpine/ca-certificates!7
-rw-r--r--.gitlab-ci.yml11
-rw-r--r--Makefile4
-rw-r--r--renovate.json31
3 files changed, 45 insertions, 1 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..7c92a1f
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,11 @@
+stages:
+ - verify
+
+verify-certdata:
+ stage: verify
+ script:
+ - apk add --no-cache curl make git
+ - make update
+ - >
+ git diff --quiet certdata.txt || { echo "certdata.txt not up-to-date, please run make update and commit that"; exit 1; }
+ tags: [docker-alpine, x86_64]
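Review bot: A failure of this job prints only "certdata.txt not up-to-date", so from the log a reviewer cannot tell whether the pin was bumped without regenerating the file or whether `make update` fetched something unexpected (the Makefile's curl runs without `--fail`, so an HTTP error body would land in the tracked file and trip this same check with the same message). Print what differs before exiting, e.g. `git --no-pager diff --stat certdata.txt` ahead of the `exit 1`, so that a spurious or hostile change to the trust store is visible in the job log rather than only on a developer's checkout. Since this job is the only automated gate on the file that defines the distribution's trusted roots, it is worth a short comment above `verify-certdata` saying that it checks consistency with the pinned tag only and does not authenticate the download beyond TLS.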
diff --git a/Makefile b/Makefile
index c688d73..cbccd67 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,7 @@
PERL := perl
+NSS_VERSION := NSS_3_92_RTM
+
all: update-ca-certificates c_rehash certdata.stamp
update-ca-certificates: update-ca.c
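Review bot: `NSS_VERSION` carries no explanation of what it pins or that renovate.json rewrites it by matching this exact line, so a maintainer editing the Makefile by hand has no hint that the `NSS_VERSION := ` spelling and the `_RTM` suffix are load-bearing. A one-line comment above it would prevent that, e.g. `# NSS release tag that certdata.txt is fetched from; bumped automatically by Renovate, which regex-matches this exact line (see renovate.json)`.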
@@ -36,6 +38,6 @@ clean:
# https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
update:
- curl https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
+ curl https://hg.mozilla.org/projects/nss/raw-file/$(NSS_VERSION)/lib/ckfw/builtins/certdata.txt > certdata.txt
.PHONY: install clean update
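Review bot: The new curl in the `update` recipe still writes straight into the tracked certdata.txt and runs without `--fail`, so a 404 for an unknown tag (or any other HTTP error page) replaces the input to the system trust store with an error body while the recipe exits 0; only the later git diff would notice, and a local `make update` would leave the corrupt file in the working tree. Fetch to a temporary file and move it into place only on success: `curl -fsSL -o certdata.txt.tmp https://hg.mozilla.org/projects/nss/raw-file/$(NSS_VERSION)/lib/ckfw/builtins/certdata.txt && mv certdata.txt.tmp certdata.txt`. Transport TLS is the only integrity check on this download, so the comment should also say that the fetch is not otherwise authenticated and that the resulting diff of added and removed roots must be reviewed by a human. The comment on the line above `update:` still points at the mozilla-central `tip` URL and should be changed to the `projects/nss` path the recipe now uses.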
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..3293239
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,31 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "semanticCommits": "disabled",
+ "commitMessagePrefix": "certdata:",
+ "commitMessageAction": "update",
+ "customManagers": [
+ {
+ "customType": "regex",
+ "fileMatch": ["Makefile"],
+ "matchStrings": ["NSS_VERSION := (?<currentValue>.+?)\\s"],
+ "datasourceTemplate": "custom.nss",
+ "versioningTemplate": "regex:NSS_(?<major>\\d+)_(?<minor>\\d+)(_(?<patch>\\d+))?_RTM",
+ "depNameTemplate": "nss"
+ }
+ ],
+ "customDatasources": {
+ "nss": {
+ "defaultRegistryUrlTemplate": "https://ftp.mozilla.org/pub/security/nss/releases/",
+ "format": "html"
+ }
+ },
+ "packageRules": [
+ {
+ "matchPackageNames": ["nss"],
+ "extractVersion": "(?<version>NSS(_\\d+)+_RTM)/",
+ "postUpgradeTasks": {
+ "commands": ["make update"]
+ }
+ }
+ ]
+}
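Review bot: The `nss` custom datasource scrapes an HTML directory listing and `extractVersion` accepts any `NSS(_\d+)+_RTM/` entry, so if the listing format changes or the regex stops matching, Renovate simply finds no candidates and the pin goes stale silently; the verify job only checks that certdata.txt matches the pinned tag, not that the tag is current. Consider a scheduled check that fails when `NSS_VERSION` in the Makefile is behind the newest `_RTM` directory in that listing, so that a broken datasource is noticed rather than quietly freezing the CA bundle. Each generated MR will replace the whole certdata.txt with whatever `make update` fetched, so the diff of added and removed roots presumably still needs human review before merge; since JSON allows no comments, documenting that expectation in the README next to this config would help. Note also that `postUpgradeTasks` commands only run if the Renovate instance allows them, so this should be confirmed against the self-hosted configuration.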