From 1662ed79d9304100f76a8c863424c1d0abbca6d1 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 14 Dec 2020 11:47:25 +0100
Subject: 1.2.3 for EL-8

---
 cgit.spec | 240 ++++++++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 187 insertions(+), 53 deletions(-)

(limited to 'cgit.spec')

diff --git a/cgit.spec b/cgit.spec
index 6a66d71..035daf0 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -8,62 +8,114 @@
 # Please preserve changelog entries
 #
 
-
 # Review bug: https://bugzilla.redhat.com/479723
 
-%global gitver      2.10.2
+# Defaults
+%global gitver      2.25.1
 %global cachedir    %{_localstatedir}/cache/%{name}
 %global filterdir   %{_libexecdir}/%{name}/filters
 %global scriptdir   %{_localstatedir}/www/cgi-bin
 %global cgitdata    %{_datadir}/%{name}
 
-%global syntax_highlight 1
+# GPG signing key fingerprints
+%global gpg_cgit    AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
+%global gpg_git     96E07AF25771955980DAD10020D04E5A713660A7
+
+# Disable automatic compilation of *.py files outside of python sitelib,
+# the *.py files in cgit are not importable python modules
+%global _python_bytecompile_extra 0
+
+# Settings for Fedora and EL > 7
+%if 0%{?fedora} || 0%{?rhel} > 7
+%global use_perl_interpreter    1
+%else
+%global use_perl_interpreter    0
+%endif
 
-# Temporarily -- in epel-7-ppc64 is not highlight package currently, #1117261
-%if 0%{?rhel} == 7
-%ifarch ppc64
-%global syntax_highlight 0
+# The highlight package is only available in EL7+ on ppc64le and x86_64
+%if 0%{?rhel} >= 7 && ! ( "%{_arch}" == "ppc64le" || "%{_arch}" == "x86_64" )
+%bcond_with     highlight
+%else
+%bcond_without  highlight
 %endif
+
+# Older epel lacks httpd-filesystem
+%if 0%{?fedora} || 0%{?rhel} > 7
+%bcond_without  httpd_filesystem
+%else
+%bcond_with     httpd_filesystem
 %endif
 
 Name:           cgit
-Version:        1.1
-Release:        11%{?dist}
+Version:        1.2.3
+Release:        3%{?dist}
 Summary:        A fast web interface for git
 
-Group:          Development/Tools
 License:        GPLv2
 URL:            https://git.zx2c4.com/cgit/
 Source0:        https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz
-Source1:        https://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz
+Source1:        https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.xz
 Source2:        cgitrc
 Source3:        README.SELinux
 
-# https://git.zx2c4.com/cgit/commit/?id=53efaf30b
-Patch0:         0001-clone-fix-directory-traversal.patch
+# Jason A. Donenfeld's key is used to sign cgit releases.
+#https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
+Source90:       gpgkey-%{gpg_cgit}.asc
+
+# Junio C Hamano's key is used to sign git releases.  It can be found in the
+# junio-gpg-pub tag within git.
+#
+# (Note that the tagged blob in git contains a version of the key with an
+# expired signing subkey.  The subkey expiration has been extended on the
+# public keyservers, but the blob in git has not been updated.)
+#
+# https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
+# https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
+# https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc
+Source91:       gpgkey-%{gpg_git}.asc
+
+# Tarball signatures
+Source92:        https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.asc
+Source93:        https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.sign
+
+# All supported releases use highlight version 3.
+Patch0:         cgit-0.9.1-highlightv3.patch
+# see https://lists.zx2c4.com/pipermail/cgit/2020-August/004508.html
+Patch1:         cgit-oldtar.patch
 
 # Security guys might try to repoquery for this.
 Provides:       bundled(git) = %gitver
 
-%if %{syntax_highlight}
-# All supported releases use hightlight version 3.
-Patch1:         cgit-0.9.1-highlightv3.patch
+%if %{with highlight}
 BuildRequires:  highlight
 %endif
 
 BuildRequires:  asciidoc
 BuildRequires:  gcc
-%if 0%{?fedora} || 0%{?rhel} >= 6
+BuildRequires:  gnupg2
 BuildRequires:  libcurl-devel
-%else
-BuildRequires:  curl-devel
-%endif
 BuildRequires:  openssl-devel
 BuildRequires:  lua-devel
 BuildRequires:  make
+BuildRequires:  zlib-devel
 
-%if 0%{?fedora}
-# just to be able to install httpd configuration correctly, FC21+
+# Test dependencies
+BuildRequires:  gettext
+BuildRequires:  lzip
+%if %{use_perl_interpreter}
+BuildRequires:  perl-interpreter
+%else
+BuildRequires:  perl
+%endif
+BuildRequires:  perl(ExtUtils::MakeMaker)
+BuildRequires:  strace
+BuildRequires:  tidy
+BuildRequires:  unzip
+BuildRequires:  xz
+BuildRequires:  zstd
+
+%if %{with httpd_filesystem}
+# httpd-filesystem provides the basic apache directory layout
 Requires:       httpd-filesystem
 %endif
 Requires:       webserver
@@ -73,28 +125,47 @@ Requires:       webserver
 Cgit is a fast web interface for git.  It uses caching to increase performance.
 
 %prep
-%setup -q -a 1
-%patch0 -p1
-%if %{syntax_highlight}
-%patch1 -p1
-%endif
+# Verify GPG signatures
+#
+# Create a temp dir for gpg to ensure we don't use any existing keyrings or
+# configuration
+gpghome="$(mktemp -qd)"
+# Both cgit and git sign the uncompressed tarballs.  Uncompress the sources and
+# verify them using the respective signing keys
+verify_source() {
+    local src=$1 key=$2 ext=$3 tar
+    tar=${src/%.xz/}
+    xz -dc $src > $tar
+    gpg2 --dearmor --quiet --batch --yes $key >/dev/null
+    gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar
+    rm -f $key.gpg $tar
+}
+verify_source %{SOURCE0} %{SOURCE90} .asc
+verify_source %{SOURCE1} %{SOURCE91} .sign
+rm -rf "$gpghome"
+
+# Ensure a blank line follows autosetup, el6 chokes otherwise
+# https://bugzilla.redhat.com/1310704
+%autosetup -a 1 -p1
 
 # setup the git dir
 rm -rf git
 mv git-%{gitver} git
 
+# add README.SELinux
+cp -p %{SOURCE3} .
+
 # Use the same options for every invocation of 'make'.
 # Otherwise it will rebuild in %%install due to flags changes.
 cat << \EOF > cgit.conf
 V = 1
 CFLAGS = %{optflags}
 LDFLAGS = %{?__global_ldflags}
-DESTDIR = %{buildroot}
-INSTALL = install -p
 CACHE_ROOT = %{cachedir}
 CGIT_SCRIPT_PATH = %{scriptdir}
 CGIT_SCRIPT_NAME = cgit
 CGIT_DATA_PATH = %{cgitdata}
+COPYTREE = %{__cp} -rp
 docdir = %{docdir}
 filterdir = %{filterdir}
 prefix = %{_prefix}
@@ -107,20 +178,17 @@ CFLAGS = %{optflags}
 LDFLAGS = %{?__global_ldflags}
 EOF
 
-# I tried to use matchpathcon, but we would need to require
-# selinux-policy-targeted probably.
+# remove env shebang's from filter scripts
+grep -rl '#!.*/env' filters/ | xargs -r sed -Ei 's@^(.+/)env (.+)$@\1\2@'
 
-build_dist=%{?fedora:fedora}%{?rhel:rhel}
-build_ver=%{?fedora}%{?rhel}
-
-cgit_context=git_sys_content_t
-sed -e "s|@CGIT_CONTEXT@|$cgit_context|g" \
-    %{SOURCE3} > README.SELinux
+# remove execute permissions from contrib file
+find contrib -type f | xargs -r chmod -x
 
+# default httpd config
 cat > httpd.conf <<EOF
 Alias /cgit-data /usr/share/cgit
 ScriptAlias /cgit /var/www/cgi-bin/cgit
-%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
+%if 0%{?fedora} || 0%{?rhel} >= 7
 <Directory "/usr/share/cgit">
     Require all granted
 </Directory>
@@ -129,32 +197,31 @@ EOF
 
 
 %build
-make %{?_smp_mflags}
-
-# Something in the a2x chain doesn't like running in parallel. :/
-make -j1 doc-man doc-html
+%make_build all doc-man doc-html
 
-%if %{syntax_highlight}
-# el5 highlight doesn't know --print-style
+%if %{with highlight}
 highlight --print-style --style-outfile=stdout >> cgit.css
 %endif
 
 
 %install
-make DESTDIR=%{buildroot} install install-man
+%make_install install install-man
 install -d -m0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
 install -p -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/cgitrc
 install -p -m0644 httpd.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/cgit.conf
 install -d -m0755 %{buildroot}%{cachedir}
 
 
+%check
+make test
+
 
 %files
-%doc COPYING README* *.html
+%doc README* contrib *.html
+%license COPYING
 %config(noreplace) %{_sysconfdir}/cgitrc
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# Keep those two httpd-owned directories listed here until httpd-filesystem
-# becomes part of EPEL.  See rhbz#1138599 for more details.
+%if ! %{with httpd_filesystem}
+# own httpd config dirs on systems without httpd-filesystem
 %dir %{_sysconfdir}/httpd
 %dir %{_sysconfdir}/httpd/conf.d
 %endif
@@ -162,16 +229,71 @@ install -d -m0755 %{buildroot}%{cachedir}
 %dir %attr(-,apache,root) %{cachedir}
 %{cgitdata}
 %{filterdir}
+# exclude byte-compiled python files (relevant on Fedora < 29 and RHEL < 8)
+%exclude %{filterdir}/*.py[co]
 %{scriptdir}/*
 %{_mandir}/man*/*
 
 
 %changelog
-* Fri Aug 24 2018 Remi Collet <remi@remirepo.net> - 1.1-11
-- rebuild for remirepo, synced with EPEL-7:
+* Mon Dec 14 2020 Remi Collet <remi@remirepo.net> - 1.2.3-3
+- rebuild for remirepo, synced with rawhide
+- add patch for EL-8
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Apr 02 2020 Björn Esser <besser82@fedoraproject.org> - 1.2.3-2
+- Fix string quoting for rpm >= 4.16
+
+* Sat Mar 14 2020 Todd Zullinger <tmz@pobox.com> - 1.2.3-1
+- update to 1.2.3
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 14 2020 Todd Zullinger <tmz@pobox.com> - 1.2.2-1
+- update to 1.2.2
+- adjust highlight requirement conditional for EL-7+
+
+* Fri Aug 02 2019 Todd Zullinger <tmz@pobox.com> - 1.2.1-5
+- add missing zlib-devel BuildRequires, fixes FTBFS (#1737005)
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11
-- Fix directory traversal vulnerability
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Aug 10 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-2
+- use git's default, collision-detecting SHA1 implementation
+- verify upstream GPG signatures in %%prep
+
+* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-1
+- Update to 1.2.1, fixes directory traversal vulnerability
+
+* Fri Jul 13 2018 Todd Zullinger <tmz@pobox.com> - 1.2-1
+- Update to 1.2
+- Include contrib dir in docs
+- Update example cgtirc settings
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11
+- disable automatic compilation of *.py files outside of python sitelib
+- use %%bcond_(with|without) to toggle highlight
+- use %%autosetup macro
+- drop crufty curl-devel conditional
+- fix parallel make issues in docs
+- simplify README.SELinux install
+- use %%bcond_(with|without) to handle httpd-filesystem
+- avoid libcrypto.so requires
+- run test suite in %%check
+
+* Mon Jun 04 2018 Todd Zullinger <tmz@pobox.com>
+- make config: drop redundant DESTDIR/INSTALL, add COPYTREE
+- remove env shebang's from filter scripts
 
 * Sun Feb 18 2018 Todd Zullinger <tmz@pobox.com> - 1.1-10
 - Use https for source URLs
@@ -180,6 +302,18 @@ install -d -m0755 %{buildroot}%{cachedir}
 - Drop obsolete %%{buildroot} cleanup
 - Add gcc and make BuildRequires
 
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 1.1-7
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
 * Mon Jul 24 2017 Todd Zullinger <tmz@pobox.com> - 1.1-5
 - Require webserver on all dists (#1468839)
 
-- 
cgit