Package unbound: Specfile

%def_disable static

Name: unbound
Version: 1.19.1
Release: alt1
License: BSD
Url: http://unbound.net/
Source: %name-%version.tar
Summary: Validating, recursive, and caching DNS resolver
Group: System/Servers

%define _chrootdir %_localstatedir/%name
%define with_python 0

Requires(pre): chrooted
Requires(pre): lib%name = %version-%release

Provides: %name-chroot(%_chrootdir)

BuildRequires: /proc flex gcc-c++ libssl-devel libexpat-devel libevent-devel
BuildRequires: pkgconfig(libsystemd)
%if %with_python == 2
BuildRequires: python-devel swig
%endif
%if %with_python == 3
BuildRequires(pre): rpm-build-python3
BuildRequires: python3-devel swig
%endif

%description
Unbound is a validating, recursive, and caching DNS resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

%package control
Summary: Unbound remote server control
Group: System/Configuration/Other

%description control
Unbound-control performs remote administration on the unbound(8) DNS
server. It reads the configuration file, contacts the unbound server
over SSL, sends the command, and displays the result.

%package -n lib%name
Summary: Library for %name
Group: System/Libraries

%description -n lib%name
This package contains shared libraries used by %name's daemons
and clients.

%package -n lib%name-devel-static
Summary: Static library for %name
Group: System/Libraries
Obsoletes: lib%name-static

%description -n lib%name-devel-static
This package contains static libraries used by %name's daemons
and clients.

%package -n lib%name-devel
Summary: Development package that includes the %name header files
Group: Development/C
Requires: lib%name = %version-%release

%description -n lib%name-devel
The devel package contains the include files

%if %with_python == 2
%package -n python-module-%name
Summary: Python modules and extensions for unbound
Group: Development/Python

%description -n python-module-%name
Python modules and extensions for unbound
%endif

%if %with_python == 3
%package -n python3-module-%name
Summary: Python3 modules and extensions for unbound
Group: Development/Python3

%description -n python3-module-%name
Python3 modules and extensions for unbound
%endif

%prep
%setup

%build
# configure with /var/lib/unbound/unbound.conf so that the default chroot
# and config file are in /var/lib/unbound, ready for chroot jail set up;
# the pidfile goes to /run/unbound (see --with-pidfile below).
#
# This is a build using libldns builtin version, the resulting binaries
# do not require libldns and this package does not have version dependencies.
# Could be smaller using a dependency on libldns (use --with-ldns=).
%autoreconf

%configure \
	    %{subst_enable static} \
	    --enable-pie \
	    --enable-relro-now \
	    --disable-rpath \
	    --with-pthreads \
	    --with-conf-file=%_chrootdir/unbound.conf \
	    --with-pidfile=/run/%name/%name.pid \
	    --with-username=_%name \
	    --enable-systemd \
	    --with-libevent \
	    --with-ssl \
	    --enable-subnet \
	    --enable-tfo-client \
	    --enable-tfo-server \
%if %with_python
	    PYTHON_VERSION=%with_python \
	    --with-pythonmodule --with-pyunbound \
%endif
	    --enable-sha2
%make

subst 's|# auto-trust-anchor-file:|auto-trust-anchor-file:|g' doc/example.conf

%install
%make DESTDIR=%buildroot install
install -d -m 0775 %buildroot%_localstatedir/%name
install -d -m 0755 %buildroot%_initdir
install -d -m 0755 %buildroot%_sysconfdir/cron.d
install -m 0755 %name.init %buildroot%_initdir/unbound
install -p -m 0644 unbound.cron.d  %buildroot%_sysconfdir/cron.d/unbound-anchor
install -p -m 0644 icannbundle.pem %buildroot%_localstatedir/%name/icannbundle.pem
# add symbolic link /etc/unbound -> ../var/lib/unbound, so that
# /etc/unbound/unbound.conf resolves to /var/lib/unbound/unbound.conf
ln -s ..%_chrootdir %buildroot%_sysconfdir/%name

# systemd services
install -D -p -m 0644 contrib/unbound.service %buildroot%_unitdir/unbound.service
install -D -p -m 0644 unbound-keygen.service %buildroot%_unitdir/unbound-keygen.service
install -D -p -m 0644 unbound-anchor.service %buildroot%_unitdir/unbound-anchor.service
install -D -p -m 0644 unbound-anchor.timer %buildroot%_unitdir/unbound-anchor.timer

# Install tmpfiles.d config
install -D -m 0644 tmpfiles-unbound.conf %buildroot%_tmpfilesdir/unbound.conf

# Install directories for easier config file drop in
mkdir -p %buildroot%_chrootdir/{keys.d,conf.d,local.d}
install -p example.com.key %buildroot%_chrootdir/keys.d/
install -p example.com.conf %buildroot%_chrootdir/conf.d/
install -p block-example.com.conf %buildroot%_chrootdir/local.d/
touch %buildroot%_chrootdir/root.key

%if %with_python
rm -f %buildroot%python_sitelibdir/*.la
rm -f %buildroot%python3_sitelibdir/*.la
%endif

%check
%make check

%pre -n lib%name
/usr/sbin/groupadd -r -f _%name
/usr/sbin/useradd -r -g _%name -d %_chrootdir -s /dev/null -n -c "Domain Name Server" _%name >/dev/null 2>&1 ||:

%post
%post_service %name

%preun
%preun_service %name

%files
%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES doc/Changelog
%_initdir/%name
%_unitdir/unbound.service
%_unitdir/unbound-keygen.service
%_tmpfilesdir/*
%config(noreplace) %_chrootdir/unbound.conf
%attr(0755,root,_%name) %dir %_chrootdir/keys.d
%attr(0755,root,_%name) %dir %_chrootdir/conf.d
%attr(0755,root,_%name) %dir %_chrootdir/local.d
%attr(0664,root,_%name) %config(noreplace) %_chrootdir/keys.d/*.key
%attr(0664,root,_%name) %config(noreplace) %_chrootdir/conf.d/*.conf
%attr(0664,root,_%name) %config(noreplace) %_chrootdir/local.d/*.conf
%_sysconfdir/%name
%_sbindir/*
%_man1dir/*
%_man5dir/*
%_man8dir/*


%exclude %_sbindir/unbound-anchor
%exclude %_sbindir/unbound-control
%exclude %_man8dir/unbound-control.8.*
%exclude %_man8dir/unbound-anchor*

%files control
%_sbindir/unbound-control
%_man8dir/unbound-control.8.*

%files -n lib%name
%attr(1775,root,_%name) %dir %_localstatedir/%name
%attr(644,_%name,_%name) %ghost %_chrootdir/root.key
%config(noreplace) %_sysconfdir/cron.d/unbound-anchor
%_unitdir/unbound-anchor.service
%_unitdir/unbound-anchor.timer
%config(noreplace) %_localstatedir/%name/icannbundle.pem
%_libdir/libunbound*so.*
%exclude %_libdir/libunbound.so
%_sbindir/unbound-anchor
%_man8dir/unbound-anchor*
%_man3dir/*

%if_enabled static
%files -n lib%name-devel-static
%_libdir/libunbound.a
%endif

%files -n lib%name-devel
%_includedir/*
%_libdir/libunbound.so
%_libdir/pkgconfig/*

%if %with_python == 2
%files -n python-module-%name
%python_sitelibdir/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif

%if %with_python == 3
%files -n python3-module-%name
%python3_sitelibdir/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif

%changelog
* Fri Feb 16 2024 Alexei Takaseev <taf@altlinux.org> 1.19.1-alt1
- 1.19.1 (Fixes CVE-2023-50387, CVE-2023-50868) (ALT #49432)

* Fri Nov 10 2023 Alexei Takaseev <taf@altlinux.org> 1.19.0-alt1
- 1.19.0

* Tue Sep 05 2023 Alexei Takaseev <taf@altlinux.org> 1.18.0-alt1
- 1.18.0
- Drop patch unbound-1.17.1-openssl3-fix.patch fixed in upstream

* Tue Aug 01 2023 L.A. Kostis <lakostis@altlinux.ru> 1.17.1-alt1.1
- Added patch to ignore eof while reading in openssl >= 3.

* Fri Jan 13 2023 Alexei Takaseev <taf@altlinux.org> 1.17.1-alt1
- 1.17.1

* Fri Oct 14 2022 Alexei Takaseev <taf@altlinux.org> 1.17.0-alt1
- 1.17.0

* Thu Sep 22 2022 Alexei Takaseev <taf@altlinux.org> 1.16.3-alt1
- 1.16.3
- (Fixes CVE-2022-30698, CVE-2022-30699, CVE-2022-3204)

* Tue Jul 12 2022 Alexei Takaseev <taf@altlinux.org> 1.16.1-alt1
- 1.16.1

* Fri Jun 03 2022 Alexei Takaseev <taf@altlinux.org> 1.16.0-alt1
- 1.16.0

* Sat Feb 19 2022 Alexei Takaseev <taf@altlinux.org> 1.15.0-alt1
- 1.15.0

* Tue Dec 14 2021 Alexei Takaseev <taf@altlinux.org> 1.14.0-alt1
- 1.14.0

* Fri Aug 13 2021 Alexei Takaseev <taf@altlinux.org> 1.13.2-alt1
- 1.13.2

* Thu Feb 11 2021 Alexei Takaseev <taf@altlinux.org> 1.13.1-alt1
- 1.13.1

* Fri Dec 04 2020 Alexei Takaseev <taf@altlinux.org> 1.13.0-alt1
- 1.13.0 (Fixes CVE-2020-28935)

* Fri Oct 09 2020 Alexei Takaseev <taf@altlinux.org> 1.12.0-alt2
- Add lost contrib/unbound.service.in

* Fri Oct 09 2020 Alexei Takaseev <taf@altlinux.org> 1.12.0-alt1
- 1.12.0

* Tue Jul 28 2020 Alexei Takaseev <taf@altlinux.org> 1.11.0-alt1
- 1.11.0

* Fri May 22 2020 Alexei Takaseev <taf@altlinux.org> 1.10.2-alt1
- 1.10.2
- (Fixes CVE-2020-12662, CVE-2020-12663)

* Tue Feb 25 2020 Alexey Shabalin <shaba@altlinux.org> 1.9.6-alt3
- update systemd unit for run without pidfile

* Tue Feb 18 2020 Alexey Shabalin <shaba@altlinux.org> 1.9.6-alt2
- build unbound without python
- build with systemd support
- update unbound-anchor cron config
- add unbound-anchor.timer
- disable build static libs
- update configure options:
  + --enable-pie
  + --enable-relro-now
  + --disable-rpath
  + --with-ssl
  + --enable-tfo-client
  + --enable-tfo-server
  + --enable-subnet
- cleanup BR:

* Fri Dec 13 2019 Alexei Takaseev <taf@altlinux.org> 1.9.6-alt1
- 1.9.6 (Fixes CVE-2019-18934)

* Fri Oct 04 2019 Alexei Takaseev <taf@altlinux.org> 1.9.4-alt1
- 1.9.4 (Fixes CVE-2019-16866)

* Thu Aug 29 2019 Alexei Takaseev <taf@altlinux.org> 1.9.3-alt1
- 1.9.3

* Mon Jun 17 2019 Alexei Takaseev <taf@altlinux.org> 1.9.2-alt1
- 1.9.2

* Thu Mar 14 2019 Alexei Takaseev <taf@altlinux.org> 1.9.1-alt1
- 1.9.1

* Thu Feb 07 2019 Alexei Takaseev <taf@altlinux.org> 1.9.0-alt1
- 1.9.0

* Wed Dec 12 2018 Alexei Takaseev <taf@altlinux.org> 1.8.3-alt1
- 1.8.3

* Wed Dec 05 2018 Alexei Takaseev <taf@altlinux.org> 1.8.2-alt1
- 1.8.2

* Fri Nov 02 2018 Andrey Savchenko <bircoph@altlinux.org> 1.8.1-alt2
- Set proper anchor file permissions in the cron job, otherwise
  unbound will fail at run time because it can't update the anchor
  after a cron job run.

* Tue Oct 09 2018 Alexei Takaseev <taf@altlinux.org> 1.8.1-alt1
- 1.8.1

* Tue Sep 11 2018 Alexei Takaseev <taf@altlinux.org> 1.8.0-alt1
- 1.8.0

* Wed Aug 29 2018 Grigory Ustinov <grenka@altlinux.org> 1.7.3-alt1.1
- NMU: Rebuild with new openssl 1.1.0.

* Fri Jun 22 2018 Alexei Takaseev <taf@altlinux.org> 1.7.3-alt1
- 1.7.3

* Wed Jun 13 2018 Alexei Takaseev <taf@altlinux.org> 1.7.2-alt1
- 1.7.2

* Thu Jun 07 2018 Alexei Takaseev <taf@altlinux.org> 1.7.1-alt2
- Fix permission to /var/lib/unbound/root.key (ALT#35001)
- Move create _unbound user to libunbound subpackage

* Fri May 04 2018 Alexei Takaseev <taf@altlinux.org> 1.7.1-alt1
- 1.7.1

* Fri Mar 23 2018 Alexei Takaseev <taf@altlinux.org> 1.7.0-alt1
- 1.7.0
- New version (closes: #34122)
- Add lost libunbound.so and libunbound.pc to libunbound-devel
- Set libunbound-devel arch-depended
- Move unbound-control-setup.8 from unbound-control to unbound
- Fixed CVE-2017-15105

* Wed Nov 30 2016 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.10-alt1
- New version

* Wed Jun 29 2016 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.9-alt1
- New version, see Changelog
- Removed /sbin/restorecon (not real, something old) from unbound-keygen.service

* Tue May 10 2016 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.8-alt2
- Added Changelog file (ALT 32079)

* Fri May 06 2016 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.8-alt1
- New version, see Changelog

* Mon Feb 29 2016 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.7-alt1
- New version, see Changelog

* Mon Aug 31 2015 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.4-alt1
- New version, see Changelog

* Mon Apr 27 2015 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.3-alt1
- New version, see Changelog

* Thu Dec 18 2014 Valentin Rosavitskiy <valintinr@altlinux.org> 1.5.1-alt1
- New version, see Changelog

* Tue Nov 04 2014 Valentin Rosavitskiy <valintinr@altlinux.org> 1.4.22-alt1
- New version, see Changelog

* Sat Nov 01 2014 Valentin Rosavitskiy <valintinr@altlinux.org> 1.4.21-alt2
- Some repocop warning fixed, taked package also

* Mon Oct 07 2013 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.21-alt1
- 1.4.21

* Mon Aug 05 2013 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.20-alt1
- 1.4.20
- Add support for systemd. Fixed (ALT #26351) in case if started by systemd
- Add addon folders %_chrootdir/{keys.d,conf.d,local.d}
- Move link /etc/unbound.conf to /etc/unbound/unbound.conf

* Sat Feb 09 2013 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.19-alt1
- 1.4.19
- Move %_sbindir/unbound-anchor to lib%name subpackage
- Add %_sysconfdir/cron.monthly/unbound-anchor
- Add %_localstatedir/%name/icannbundle.pem

* Wed Sep 12 2012 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.18-alt1
- 1.4.18

* Sun Jul 08 2012 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.17-alt1
- 1.4.17

* Fri Feb 03 2012 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.16-alt1
- 1.4.16

* Fri Dec 23 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.14-alt1
- 1.4.14
- Fix for VU#209659 CVE-2011-4528

* Thu Sep 29 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.13-alt1
- 1.4.13
- Add python-module-unbound subpackage

* Fri Jul 22 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.12-alt1
- 1.4.12

* Sun Jul 03 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.11-alt1
- 1.4.11

* Wed Jun 01 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.10-alt1
- 1.4.10
- Fix assertion failure when unbound generates an empty error reply
  in response to a query, CVE-2011-1922 VU#531342

* Sat Apr 16 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.9-alt1
- 1.4.9

* Mon Feb 07 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.8-alt4
- Rebuild with new libevent
- Fix init script
- Make devel subpackage noarch

* Thu Feb 03 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.8-alt3
- Use libevent1.4
- Fix init script

* Thu Feb 03 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.8-alt2
- Fix init script

* Thu Feb 03 2011 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.8-alt1
- 1.4.8
- Build with libevent
- Update init for run unbound-anchor
- Enable by default auto-trust-anchor-file for DNSSEC

* Sat Nov 13 2010 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.7-alt1
- 1.4.7

* Fri Aug 27 2010 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.6-alt1
- 1.4.6
- Add make test and update BuildRequires

* Tue Jun 22 2010 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.5-alt1
- 1.4.5

* Fri May 14 2010 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.4-alt1
- 1.4.4

* Sun Apr 04 2010 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.3-alt1
- 1.4.3

* Sun Jan 03 2010 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.1-alt1
- 1.4.1

* Mon Dec 14 2009 Slava Dubrovskiy <dubrsl@altlinux.org> 1.4.0-alt1
- 1.4.0

* Wed Nov 18 2009 Slava Dubrovskiy <dubrsl@altlinux.org> 1.3.4-alt1
- 1.3.4

* Sat Aug 15 2009 Slava Dubrovskiy <dubrsl@altlinux.ru> 1.3.3-alt1
- 1.3.3

* Tue Jun 16 2009 Vladimir V. Kamarzin <vvk@altlinux.org> 1.3.0-alt1
- 1.3.0

* Thu Mar 26 2009 Vladimir V. Kamarzin <vvk@altlinux.org> 1.2.1-alt1
- 1.2.1
- Build without --enable-debug

* Thu Nov 13 2008 Slava Dubrovskiy <dubrsl@altlinux.org> 1.0.2-alt2
- Rename subpackage lib%name-static to lib%name-devel-static (http://www.altlinux.org/Drafts/SharedLibs)

* Mon Sep 15 2008 Slava Dubrovskiy <dubrsl@altlinux.org> 1.0.2-alt1
- New version

* Sat Aug 09 2008 ALT QA Team Robot <qa-robot@altlinux.org> 1.0.1-alt1.1
- Automated rebuild due to libcrypto.so.6 -> libcrypto.so.7 soname change.

* Thu Aug 07 2008 Slava Dubrovskiy <dubrsl@altlinux.ru> 1.0.1-alt1
- This version features bugfixes, a couple of fixes for looking up corner cases
  (badly operated domains), and a cleanup of code for config file reading.

* Fri May 30 2008 Slava Dubrovskiy <dubrsl@altlinux.ru> 1.0.0-alt2
- Change owner of %_localstatedir/%name to root and add sticky bit
- Change default username to _%name

* Sun May 25 2008 Slava Dubrovskiy <dubrsl@altlinux.ru> 1.0.0-alt1
- Build for ALT