--- /dev/null
--- /dev/null
++From 47583d9d9a27fe9fa4fe96a932501497dc27af56 Mon Sep 17 00:00:00 2001
++From: Rob Browning <rlb@defaultvalue.org>
++Date: Sat, 22 Apr 2017 12:02:00 -0500
++Subject: Don't provide openssl s_client as an option for ssl connections
++
++openssl s_client is no longer a default for ssl connections
++
++"s_client is a debug tool, it does not set up a secure connection, it
++ignores all errors and just continues. It also doesn't do checks it
++should be doing. This is all documented behaviour." -- Kurt Roeckx
++
++Bug-Debian: https://bugs.debian.org/766397
++---
++ lisp/net/tls.el | 15 +++++----------
++ 1 file changed, 5 insertions(+), 10 deletions(-)
++
++diff --git a/lisp/net/tls.el b/lisp/net/tls.el
++index 2273d1345d5..91a3f0b5739 100644
++--- a/lisp/net/tls.el
+++++ b/lisp/net/tls.el
++@@ -78,8 +78,7 @@ tls-end-of-info
++
++ (defcustom tls-program
++ '("gnutls-cli --x509cafile %t -p %p %h"
++- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
++- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
++ "List of strings containing commands to start TLS stream to a host.
++ Each entry in the list is tried until a connection is successful.
++ %h is replaced with the server hostname, %p with the port to
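Review bot: The entry kept on the new side of this hunk, `"gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"`, still leaves an SSL 3.0 fallback in the default `tls-program` list. The docstring says each entry is tried until a connection succeeds, so anything that makes the first command fail moves the session onto a deprecated protocol version, which sits oddly with the reason given for dropping s_client. Consider reducing the default to `'("gnutls-cli --x509cafile %t -p %p %h")`, or add a comment explaining why the ssl3 retry is still wanted. The same string is kept in the customize choices (hunk at -94) and in the `tls-checktrust` docstring example (hunk at -138). The defcustom's docstring and `:type` continue outside this hunk.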
++@@ -94,20 +93,17 @@ tls-program
++ '(choice
++ (const :tag "Default list of commands"
++ ("gnutls-cli --x509cafile %t -p %p %h"
++- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
++- "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
+++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"))
++ (list :tag "Choose commands"
++ :value
++ ("gnutls-cli --x509cafile %t -p %p %h"
++- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
++- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
++ (set :inline t
++ ;; FIXME: add brief `:tag "..."' descriptions.
++ ;; (repeat :inline t :tag "Other" (string))
++ ;; No trust check:
++ (const "gnutls-cli --insecure -p %p %h")
++- (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
++- (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+++ (const "gnutls-cli --insecure -p %p %h --protocols ssl3"))
++ (repeat :inline t :tag "Other" (string)))
++ (list :tag "List of commands"
++ (repeat :tag "Command" (string))))
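Review bot: The two `gnutls-cli --insecure` choices that remain under `;; No trust check:` appear in the Customize buffer with no label saying they skip certificate verification. That comment is visible only in the source, and the FIXME above it asking for `:tag` descriptions is still open. Since this patch is about not offering commands that do not verify the peer, tag what is left, e.g. `(const :tag "No certificate verification" "gnutls-cli --insecure -p %p %h")`, and likewise for the `--protocols ssl3` variant. The enclosing `:type` form starts outside the hunk.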
++@@ -138,8 +134,7 @@ tls-checktrust
++
++ \(setq tls-program
++ \\='(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
++- \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
++- \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
+++ \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"))"
++ :type '(choice (const :tag "Always" t)
++ (const :tag "Never" nil)
++ (const :tag "Ask" ask))