
Bug#860425: marked as done (unblock: emacs24/24.5+1-10)



Your message dated Sat, 22 Apr 2017 18:24:00 +0000
with message-id <96aaf7d4-fe09-1e4b-62d4-e509434df9cf@thykier.net>
and subject line Re: Bug#860425: unblock: emacs24/24.5+1-9
has caused the Debian Bug report #860425,
regarding unblock: emacs24/24.5+1-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860425: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860425
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package emacs24

This upload is intended to fix the SSL problems detailed in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816063

One way to see the difference is to save this code (from the bug report)
to a file test-ssl.el:

  (require 'cl)

  (let ((bad-hosts
         (cl-loop for bad
               in `("https://wrong.host.badssl.com/"
                    "https://self-signed.badssl.com/")
               if (condition-case e
                      (url-retrieve bad (lambda (retrieved) t))
                    (error nil))
               collect bad)))
    (if bad-hosts
        (error (format "tls misconfigured; retrieved %s ok"
                       bad-hosts))
      (url-retrieve "https://badssl.com"
                    (lambda (retrieved) t))))

and then run

  emacs24 -Q -l test-ssl.el

with -8 and then -9.  You should see "tls misconfigured; retrieved
... ok" without the fix.

diff -Nru emacs24-24.5+1/debian/.git-dpm emacs24-24.5+1/debian/.git-dpm
--- emacs24-24.5+1/debian/.git-dpm	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/.git-dpm	2017-04-10 18:30:21.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-95bb76711c2b6fa889d47d59b4173949e9a57200
-95bb76711c2b6fa889d47d59b4173949e9a57200
+d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
+d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
 62bc68f777c532a970566625e315d68bf0ab4eee
 62bc68f777c532a970566625e315d68bf0ab4eee
 emacs24_24.5+1.orig.tar.bz2
diff -Nru emacs24-24.5+1/debian/changelog emacs24-24.5+1/debian/changelog
--- emacs24-24.5+1/debian/changelog	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/changelog	2017-04-16 10:07:37.000000000 -0500
@@ -1,3 +1,21 @@
+emacs24 (24.5+1-9) unstable; urgency=medium
+
+  * Improve gnutls security.  Remove --insecure and specify a trustfile.
+    Add these upstream patches to fix the problem:
+      0024-Remove-insecure-from-gnutls-cli-invocation.patch
+      0025-Refactor-out-gnutls-trustfiles.patch
+      0026-Make-tls.el-use-trustfiles-by-default.patch
+    Partially addresses #816063.
+
+  * Stop using libgnutls.  Add a dependency on gnutls-cli, configure
+    --without-gnutls, and remove the corresponding build dependency so
+    the patches that were just added to improve SSL security will take
+    effect by default.  Thanks to Nathaniel Smith for reporting the
+    problem and Antoine Beaupre for providing code to reproduce
+    it. (Closes: 816063)
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sun, 16 Apr 2017 10:07:37 -0500
+
 emacs24 (24.5+1-8) unstable; urgency=medium
 
   * Configure with REL_ALLOC=no to fix crashes.  Thanks to Santiago
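
Review bot: the second bullet of the new entry says "Add a dependency on gnutls-cli", but the relationship added in debian/control names the package gnutls-bin; name the package in the changelog (for example "Add a dependency on gnutls-bin, which ships gnutls-cli") so the entry matches the control change it documents.
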
diff -Nru emacs24-24.5+1/debian/control emacs24-24.5+1/debian/control
--- emacs24-24.5+1/debian/control	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/control	2017-04-16 10:07:37.000000000 -0500
@@ -10,7 +10,7 @@
  libgpm-dev [linux-any], libdbus-1-dev,
  autoconf, automake, autotools-dev, dpkg-dev (>> 1.10.0), quilt (>= 0.42),
  debhelper (>= 9), libxaw7-dev, sharutils, imagemagick, libgtk-3-dev,
- libgnutls28-dev, libxml2-dev, libselinux1-dev [linux-any], libmagick++-dev,
+ libxml2-dev, libselinux1-dev [linux-any], libmagick++-dev,
  libgconf2-dev, libasound2-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64],
  libacl1-dev,
  zlib1g-dev
@@ -92,6 +92,7 @@
 Package: emacs24-bin-common
 Architecture: any
 Depends: emacs24-common (= ${source:Version}), ${shlibs:Depends}, ${misc:Depends}
+  gnutls-bin
 Description: GNU Emacs editor's shared, architecture dependent files
  GNU Emacs is the extensible self-documenting text editor.
  This package contains the architecture dependent infrastructure
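
Review bot: the added continuation line `gnutls-bin` in the emacs24-bin-common stanza is not separated by a comma from `${misc:Depends}`, which ends the preceding Depends line, so after folding the field reads `${misc:Depends} gnutls-bin` rather than listing gnutls-bin as its own dependency. End the Depends line with a comma (or write the new line as `, gnutls-bin`); the changelog entry relies on this relationship to have gnutls-cli present at run time once libgnutls is configured out.
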
diff -Nru emacs24-24.5+1/debian/control.in emacs24-24.5+1/debian/control.in
--- emacs24-24.5+1/debian/control.in	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/control.in	2017-04-16 10:06:33.000000000 -0500
@@ -10,7 +10,7 @@
  libgpm-dev [linux-any], libdbus-1-dev,
  autoconf, automake, autotools-dev, dpkg-dev (>> 1.10.0), quilt (>= 0.42),
  debhelper (>= 9), libxaw7-dev, sharutils, imagemagick, libgtk-3-dev,
- libgnutls28-dev, libxml2-dev, libselinux1-dev [linux-any], libmagick++-dev,
+ libxml2-dev, libselinux1-dev [linux-any], libmagick++-dev,
  libgconf2-dev, libasound2-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64],
  libacl1-dev,
  zlib1g-dev
@@ -92,6 +92,7 @@
 Package: @DEB_FLAVOR@-bin-common
 Architecture: any
 Depends: @DEB_FLAVOR@-common (= ${source:Version}), ${shlibs:Depends}, ${misc:Depends}
+  gnutls-bin
 Description: GNU Emacs editor's shared, architecture dependent files
  GNU Emacs is the extensible self-documenting text editor.
  This package contains the architecture dependent infrastructure
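
Review bot: same missing separator as in debian/control: in the @DEB_FLAVOR@-bin-common stanza, `${misc:Depends}` is followed directly by the continuation line `gnutls-bin` with no comma between them. Fix it here together with debian/control so the two files do not diverge.
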
diff -Nru emacs24-24.5+1/debian/patches/0001-Prefer-usr-share-info-emacs-24-over-usr-share-info.patch emacs24-24.5+1/debian/patches/0001-Prefer-usr-share-info-emacs-24-over-usr-share-info.patch
--- emacs24-24.5+1/debian/patches/0001-Prefer-usr-share-info-emacs-24-over-usr-share-info.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0001-Prefer-usr-share-info-emacs-24-over-usr-share-info.patch	2017-04-10 18:30:21.000000000 -0500
@@ -13,7 +13,7 @@
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/lisp/info.el b/lisp/info.el
-index 84c0879..2e78620 100644
+index 84c0879060f..2e786208380 100644
 --- a/lisp/info.el
 +++ b/lisp/info.el
 @@ -211,7 +211,8 @@ A header-line does not scroll with the rest of the buffer."
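
Review bot: the only change in this hunk is the `index` line, where the abbreviated blob hashes grow from 7 to 11 hex digits (`84c0879..2e78620` becomes `84c0879060f..2e786208380`); the refreshes of patches 0002 to 0023 that follow differ in the same way only. That is regeneration churn with no functional effect, and for an unblock request it enlarges the debdiff the release team has to read. Consider exporting the patch series with a fixed hash abbreviation length so that untouched patches do not appear in the diff.
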
diff -Nru emacs24-24.5+1/debian/patches/0002-Run-debian-startup-and-set-debian-emacs-flavor.patch emacs24-24.5+1/debian/patches/0002-Run-debian-startup-and-set-debian-emacs-flavor.patch
--- emacs24-24.5+1/debian/patches/0002-Run-debian-startup-and-set-debian-emacs-flavor.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0002-Run-debian-startup-and-set-debian-emacs-flavor.patch	2017-04-10 18:30:21.000000000 -0500
@@ -15,7 +15,7 @@
  1 file changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/lisp/startup.el b/lisp/startup.el
-index c0c52f1..cf7f2e3 100644
+index c0c52f11bb1..cf7f2e39044 100644
 --- a/lisp/startup.el
 +++ b/lisp/startup.el
 @@ -436,6 +436,10 @@ as a list.")
diff -Nru emacs24-24.5+1/debian/patches/0003-Remove-files-that-appear-to-be-incompatible-with-the.patch emacs24-24.5+1/debian/patches/0003-Remove-files-that-appear-to-be-incompatible-with-the.patch
--- emacs24-24.5+1/debian/patches/0003-Remove-files-that-appear-to-be-incompatible-with-the.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0003-Remove-files-that-appear-to-be-incompatible-with-the.patch	2017-04-10 18:30:21.000000000 -0500
@@ -31,7 +31,7 @@
  6 files changed, 35 insertions(+), 747 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index 4987cf6..c8e3b0e 100644
+index 4987cf6bd4c..c8e3b0e8eb8 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -147,7 +147,9 @@ man1dir=$(mandir)/man1
@@ -156,7 +156,7 @@
  
  $(UNINSTALL_DOC):
 diff --git a/admin/update_autogen b/admin/update_autogen
-index 0513d07..5b3709d 100755
+index 0513d078db1..5b3709dac2d 100755
 --- a/admin/update_autogen
 +++ b/admin/update_autogen
 @@ -263,8 +263,7 @@ info_dir ()
@@ -170,7 +170,7 @@
              ## FIXME do not ignore w32 if OS is w32.
              case $file in
 diff --git a/build-aux/make-info-dir b/build-aux/make-info-dir
-index 5b37cd6..f63c6c67 100755
+index 5b37cd6fd0f..f63c6c672d0 100755
 --- a/build-aux/make-info-dir
 +++ b/build-aux/make-info-dir
 @@ -76,8 +76,7 @@ for topic in "Texinfo documentation system" "Emacs" "Emacs lisp" \
@@ -184,7 +184,7 @@
          ## FIXME do not ignore w32 if OS is w32.
          case $file in
 diff --git a/configure.ac b/configure.ac
-index 4291453..bdc76bc 100644
+index 4291453535b..bdc76bca3db 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -5117,11 +5117,11 @@ dnl This will work, but you get a config.status that is not quite right
@@ -203,7 +203,7 @@
  
  dnl test/ is not present in release tarfiles.
 diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
-index 1644833..6918775 100644
+index 1644833d2b9..69187750d1d 100644
 --- a/doc/misc/Makefile.in
 +++ b/doc/misc/Makefile.in
 @@ -57,18 +57,14 @@ INSTALL_DATA = @INSTALL_DATA@
@@ -938,7 +938,7 @@
  
  mostlyclean:
 diff --git a/lisp/help.el b/lisp/help.el
-index 80eb308..d009747 100644
+index 80eb308f67b..d0097472a1d 100644
 --- a/lisp/help.el
 +++ b/lisp/help.el
 @@ -287,6 +287,14 @@ If that doesn't give a function, return nil."
diff -Nru emacs24-24.5+1/debian/patches/0004-Adjust-documentation-references-for-Debian.patch emacs24-24.5+1/debian/patches/0004-Adjust-documentation-references-for-Debian.patch
--- emacs24-24.5+1/debian/patches/0004-Adjust-documentation-references-for-Debian.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0004-Adjust-documentation-references-for-Debian.patch	2017-04-10 18:30:21.000000000 -0500
@@ -12,7 +12,7 @@
  1 file changed, 5 insertions(+)
 
 diff --git a/etc/NEWS b/etc/NEWS
-index 7d9e1f0..5e3b3b7 100644
+index 7d9e1f0d83f..5e3b3b746a2 100644
 --- a/etc/NEWS
 +++ b/etc/NEWS
 @@ -14,6 +14,11 @@ and NEWS.1-17 for changes in older Emacs versions.
diff -Nru emacs24-24.5+1/debian/patches/0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch emacs24-24.5+1/debian/patches/0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch
--- emacs24-24.5+1/debian/patches/0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch	2017-04-10 18:30:21.000000000 -0500
@@ -12,7 +12,7 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/lisp/version.el b/lisp/version.el
-index 75763b3..a7cf191 100644
+index 75763b3f682..a7cf1917683 100644
 --- a/lisp/version.el
 +++ b/lisp/version.el
 @@ -56,8 +56,8 @@ to the system configuration; look at `system-configuration' instead."
diff -Nru emacs24-24.5+1/debian/patches/0006-Look-for-NEWS-in-order-to-find-etc-rather-than-GNU.patch emacs24-24.5+1/debian/patches/0006-Look-for-NEWS-in-order-to-find-etc-rather-than-GNU.patch
--- emacs24-24.5+1/debian/patches/0006-Look-for-NEWS-in-order-to-find-etc-rather-than-GNU.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0006-Look-for-NEWS-in-order-to-find-etc-rather-than-GNU.patch	2017-04-10 18:30:21.000000000 -0500
@@ -19,7 +19,7 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/callproc.c b/src/callproc.c
-index 6328ba8..78b707b 100644
+index 6328ba8349c..78b707bab9d 100644
 --- a/src/callproc.c
 +++ b/src/callproc.c
 @@ -1633,13 +1633,13 @@ init_callproc (void)
diff -Nru emacs24-24.5+1/debian/patches/0007-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch emacs24-24.5+1/debian/patches/0007-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch
--- emacs24-24.5+1/debian/patches/0007-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0007-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch	2017-04-10 18:30:21.000000000 -0500
@@ -10,7 +10,7 @@
  1 file changed, 1 insertion(+), 7 deletions(-)
 
 diff --git a/admin/unidata/Makefile.in b/admin/unidata/Makefile.in
-index 9781cd5..c73e2b5 100644
+index 9781cd5f273..c73e2b58f31 100644
 --- a/admin/unidata/Makefile.in
 +++ b/admin/unidata/Makefile.in
 @@ -33,12 +33,7 @@ emacs = "${EMACS}" -batch --no-site-file --no-site-lisp
diff -Nru emacs24-24.5+1/debian/patches/0008-Emacs-won-t-assume-grep-supports-GREP_OPTIONS.patch emacs24-24.5+1/debian/patches/0008-Emacs-won-t-assume-grep-supports-GREP_OPTIONS.patch
--- emacs24-24.5+1/debian/patches/0008-Emacs-won-t-assume-grep-supports-GREP_OPTIONS.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0008-Emacs-won-t-assume-grep-supports-GREP_OPTIONS.patch	2017-04-10 18:30:21.000000000 -0500
@@ -24,7 +24,7 @@
  2 files changed, 21 insertions(+), 10 deletions(-)
 
 diff --git a/lisp/ChangeLog b/lisp/ChangeLog
-index eb31d5f..7345c6a 100644
+index eb31d5fc2fe..7345c6ac5b5 100644
 --- a/lisp/ChangeLog
 +++ b/lisp/ChangeLog
 @@ -1165,6 +1165,16 @@
@@ -45,7 +45,7 @@
  
  	* image.el (image-multi-frame-p): Fix thinko - do not force
 diff --git a/lisp/progmodes/grep.el b/lisp/progmodes/grep.el
-index d4caf48..0e8c214 100644
+index d4caf48e089..0e8c214aafb 100644
 --- a/lisp/progmodes/grep.el
 +++ b/lisp/progmodes/grep.el
 @@ -77,11 +77,10 @@ in grep buffers, so if you have globally disabled font-lock-mode,
diff -Nru emacs24-24.5+1/debian/patches/0009-Emacs-should-no-longer-hang-during-large-yanks.patch emacs24-24.5+1/debian/patches/0009-Emacs-should-no-longer-hang-during-large-yanks.patch
--- emacs24-24.5+1/debian/patches/0009-Emacs-should-no-longer-hang-during-large-yanks.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0009-Emacs-should-no-longer-hang-during-large-yanks.patch	2017-04-10 18:30:21.000000000 -0500
@@ -38,7 +38,7 @@
  4 files changed, 2 insertions(+), 13 deletions(-)
 
 diff --git a/src/dispextern.h b/src/dispextern.h
-index 239c442..cf3d1ec 100644
+index 239c4425646..cf3d1ecaf9c 100644
 --- a/src/dispextern.h
 +++ b/src/dispextern.h
 @@ -3349,7 +3349,6 @@ void unrequest_sigio (void);
@@ -50,7 +50,7 @@
  /* Defined in xfaces.c.  */
  
 diff --git a/src/emacs.c b/src/emacs.c
-index 9b78a70..b5d3ab4 100644
+index 9b78a70428e..b5d3ab46a00 100644
 --- a/src/emacs.c
 +++ b/src/emacs.c
 @@ -2028,7 +2028,6 @@ shut_down_emacs (int sig, Lisp_Object stuff)
@@ -62,7 +62,7 @@
    /* Do this only if terminating normally, we want glyph matrices
       etc. in a core dump.  */
 diff --git a/src/keyboard.c b/src/keyboard.c
-index 945019e..77af44a 100644
+index 945019e8418..77af44a7d46 100644
 --- a/src/keyboard.c
 +++ b/src/keyboard.c
 @@ -3663,8 +3663,7 @@ kbd_buffer_store_event_hold (register struct input_event *event,
@@ -84,7 +84,7 @@
      }
  #endif	/* subprocesses */
 diff --git a/src/sysdep.c b/src/sysdep.c
-index 01692c2..4b4801d 100644
+index 01692c2d214..4b4801d58c9 100644
 --- a/src/sysdep.c
 +++ b/src/sysdep.c
 @@ -649,15 +649,6 @@ unrequest_sigio (void)
diff -Nru emacs24-24.5+1/debian/patches/0010-ELF-unexec-Correct-section-header-index.patch emacs24-24.5+1/debian/patches/0010-ELF-unexec-Correct-section-header-index.patch
--- emacs24-24.5+1/debian/patches/0010-ELF-unexec-Correct-section-header-index.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0010-ELF-unexec-Correct-section-header-index.patch	2017-04-10 18:30:21.000000000 -0500
@@ -28,7 +28,7 @@
  1 file changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index 59e2725..d4a36f8 100644
+index 59e2725ba20..d4a36f84cb1 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -1016,12 +1016,12 @@ temacs:
diff -Nru emacs24-24.5+1/debian/patches/0011-ELF-unexec-Tidy-code.patch emacs24-24.5+1/debian/patches/0011-ELF-unexec-Tidy-code.patch
--- emacs24-24.5+1/debian/patches/0011-ELF-unexec-Tidy-code.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0011-ELF-unexec-Tidy-code.patch	2017-04-10 18:30:21.000000000 -0500
@@ -26,7 +26,7 @@
  1 file changed, 96 insertions(+), 114 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index d4a36f8..f7465cb 100644
+index d4a36f84cb1..f7465cbeeba 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -813,20 +813,11 @@ unexec (const char *new_name, const char *old_name)
diff -Nru emacs24-24.5+1/debian/patches/0012-ELF-unexec-Merge-Alpha-and-MIPS-COFF-debug-handling.patch emacs24-24.5+1/debian/patches/0012-ELF-unexec-Merge-Alpha-and-MIPS-COFF-debug-handling.patch
--- emacs24-24.5+1/debian/patches/0012-ELF-unexec-Merge-Alpha-and-MIPS-COFF-debug-handling.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0012-ELF-unexec-Merge-Alpha-and-MIPS-COFF-debug-handling.patch	2017-04-10 18:30:21.000000000 -0500
@@ -25,7 +25,7 @@
  1 file changed, 29 insertions(+), 67 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index f7465cb..07c2ebe 100644
+index f7465cbeeba..07c2ebec04e 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -660,9 +660,6 @@ unexec (const char *new_name, const char *old_name)
diff -Nru emacs24-24.5+1/debian/patches/0013-ELF-unexec-Symbol-table-patching.patch emacs24-24.5+1/debian/patches/0013-ELF-unexec-Symbol-table-patching.patch
--- emacs24-24.5+1/debian/patches/0013-ELF-unexec-Symbol-table-patching.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0013-ELF-unexec-Symbol-table-patching.patch	2017-04-10 18:30:21.000000000 -0500
@@ -22,7 +22,7 @@
  1 file changed, 5 insertions(+), 4 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index 07c2ebe..010ecd3 100644
+index 07c2ebec04e..010ecd31b85 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -1119,7 +1119,7 @@ temacs:
diff -Nru emacs24-24.5+1/debian/patches/0014-ELF-unexec-_OBJC_-symbols-in-bss-sections.patch emacs24-24.5+1/debian/patches/0014-ELF-unexec-_OBJC_-symbols-in-bss-sections.patch
--- emacs24-24.5+1/debian/patches/0014-ELF-unexec-_OBJC_-symbols-in-bss-sections.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0014-ELF-unexec-_OBJC_-symbols-in-bss-sections.patch	2017-04-10 18:30:21.000000000 -0500
@@ -26,7 +26,7 @@
  1 file changed, 18 insertions(+), 13 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index 010ecd3..58f0ad0 100644
+index 010ecd31b85..58f0ad0bb2c 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -1177,20 +1177,25 @@ temacs:
diff -Nru emacs24-24.5+1/debian/patches/0015-ELF-unexec-R_-_NONE-relocs.patch emacs24-24.5+1/debian/patches/0015-ELF-unexec-R_-_NONE-relocs.patch
--- emacs24-24.5+1/debian/patches/0015-ELF-unexec-R_-_NONE-relocs.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0015-ELF-unexec-R_-_NONE-relocs.patch	2017-04-10 18:30:21.000000000 -0500
@@ -23,7 +23,7 @@
  1 file changed, 7 insertions(+), 7 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index 58f0ad0..1d9387e 100644
+index 58f0ad0bb2c..1d9387e534c 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -1203,7 +1203,7 @@ temacs:
diff -Nru emacs24-24.5+1/debian/patches/0016-ELF-unexec-Drive-from-PT_LOAD-header-rather-than-sec.patch emacs24-24.5+1/debian/patches/0016-ELF-unexec-Drive-from-PT_LOAD-header-rather-than-sec.patch
--- emacs24-24.5+1/debian/patches/0016-ELF-unexec-Drive-from-PT_LOAD-header-rather-than-sec.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0016-ELF-unexec-Drive-from-PT_LOAD-header-rather-than-sec.patch	2017-04-10 18:30:21.000000000 -0500
@@ -48,7 +48,7 @@
  1 file changed, 77 insertions(+), 213 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index 1d9387e..c659f3e 100644
+index 1d9387e534c..c659f3ed280 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -535,29 +535,6 @@ verify ((! TYPE_SIGNED (ElfW (Half))
diff -Nru emacs24-24.5+1/debian/patches/0017-ELF-unexec-Don-t-insert-a-new-section.patch emacs24-24.5+1/debian/patches/0017-ELF-unexec-Don-t-insert-a-new-section.patch
--- emacs24-24.5+1/debian/patches/0017-ELF-unexec-Don-t-insert-a-new-section.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0017-ELF-unexec-Don-t-insert-a-new-section.patch	2017-04-10 18:30:21.000000000 -0500
@@ -41,7 +41,7 @@
  1 file changed, 50 insertions(+), 474 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index c659f3e..9279c76 100644
+index c659f3ed280..9279c760d6f 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -40,347 +40,6 @@ what you give them.   Help stamp out software-hoarding!  */
diff -Nru emacs24-24.5+1/debian/patches/0018-src-unexelf.c-NEW_PROGRAM_H-Remove-unused-macro-Bug-.patch emacs24-24.5+1/debian/patches/0018-src-unexelf.c-NEW_PROGRAM_H-Remove-unused-macro-Bug-.patch
--- emacs24-24.5+1/debian/patches/0018-src-unexelf.c-NEW_PROGRAM_H-Remove-unused-macro-Bug-.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0018-src-unexelf.c-NEW_PROGRAM_H-Remove-unused-macro-Bug-.patch	2017-04-10 18:30:21.000000000 -0500
@@ -18,7 +18,7 @@
  1 file changed, 1 insertion(+), 3 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index 9279c76..f2462d1 100644
+index 9279c760d6f..f2462d1e85e 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -208,8 +208,6 @@ entry_address (void *section_h, ptrdiff_t idx, ptrdiff_t entsize)
diff -Nru emacs24-24.5+1/debian/patches/0019-ELF-unexec-align-section-header.patch emacs24-24.5+1/debian/patches/0019-ELF-unexec-align-section-header.patch
--- emacs24-24.5+1/debian/patches/0019-ELF-unexec-align-section-header.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0019-ELF-unexec-align-section-header.patch	2017-04-10 18:30:21.000000000 -0500
@@ -27,7 +27,7 @@
  1 file changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/src/unexelf.c b/src/unexelf.c
-index f2462d1..c69be0d 100644
+index f2462d1e85e..c69be0dfdc0 100644
 --- a/src/unexelf.c
 +++ b/src/unexelf.c
 @@ -247,7 +247,7 @@ unexec (const char *new_name, const char *old_name)
diff -Nru emacs24-24.5+1/debian/patches/0020-Emacs-should-show-GTK-icons-again.patch emacs24-24.5+1/debian/patches/0020-Emacs-should-show-GTK-icons-again.patch
--- emacs24-24.5+1/debian/patches/0020-Emacs-should-show-GTK-icons-again.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0020-Emacs-should-show-GTK-icons-again.patch	2017-04-10 18:30:21.000000000 -0500
@@ -54,7 +54,7 @@
  7 files changed, 155 insertions(+), 378 deletions(-)
 
 diff --git a/lisp/ChangeLog b/lisp/ChangeLog
-index 7345c6a..102461e 100644
+index 7345c6ac5b5..102461ebc88 100644
 --- a/lisp/ChangeLog
 +++ b/lisp/ChangeLog
 @@ -1,3 +1,9 @@
@@ -68,7 +68,7 @@
  
  	* Version 24.5 released.
 diff --git a/lisp/term/x-win.el b/lisp/term/x-win.el
-index ca0ae3b..7a41d32 100644
+index ca0ae3bd9e2..7a41d328542 100644
 --- a/lisp/term/x-win.el
 +++ b/lisp/term/x-win.el
 @@ -1475,47 +1475,47 @@ This returns an error if any Emacs frames are X frames, or always under W32."
@@ -172,7 +172,7 @@
  
  (defcustom icon-map-list '(x-gtk-stock-map)
 diff --git a/src/ChangeLog b/src/ChangeLog
-index f95a763..1ad3dfe 100644
+index f95a7631737..1ad3dfe1fe5 100644
 --- a/src/ChangeLog
 +++ b/src/ChangeLog
 @@ -1,3 +1,34 @@
@@ -211,7 +211,7 @@
  
  	* Version 24.5 released.
 diff --git a/src/gtkutil.c b/src/gtkutil.c
-index eddd2b5..68709ed 100644
+index eddd2b535db..68709edfbc2 100644
 --- a/src/gtkutil.c
 +++ b/src/gtkutil.c
 @@ -92,6 +92,16 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
@@ -869,7 +869,7 @@
      xg_menu_item_cb_list.prev = xg_menu_item_cb_list.next = 0;
  
 diff --git a/src/gtkutil.h b/src/gtkutil.h
-index 5176be6..37d2900 100644
+index 5176be61f86..37d290069c1 100644
 --- a/src/gtkutil.h
 +++ b/src/gtkutil.h
 @@ -107,8 +107,6 @@ extern void xg_update_frame_menubar (struct frame *f);
@@ -882,7 +882,7 @@
  
  extern void xg_create_scroll_bar (struct frame *f,
 diff --git a/src/xmenu.c b/src/xmenu.c
-index 53683c7..77fc4ef 100644
+index 53683c708f1..77fc4ef2956 100644
 --- a/src/xmenu.c
 +++ b/src/xmenu.c
 @@ -793,12 +793,6 @@ set_frame_menubar (struct frame *f, bool first_time, bool deep_p)
@@ -899,7 +899,7 @@
      {
        /* Make a widget-value tree representing the entire menu trees.  */
 diff --git a/src/xterm.h b/src/xterm.h
-index 4683a4c..1fb3f0a 100644
+index 4683a4c7877..1fb3f0aad9e 100644
 --- a/src/xterm.h
 +++ b/src/xterm.h
 @@ -491,10 +491,6 @@ struct x_output
diff -Nru emacs24-24.5+1/debian/patches/0021-Emacs-should-work-with-gcc-5.2-and-newer.patch emacs24-24.5+1/debian/patches/0021-Emacs-should-work-with-gcc-5.2-and-newer.patch
--- emacs24-24.5+1/debian/patches/0021-Emacs-should-work-with-gcc-5.2-and-newer.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0021-Emacs-should-work-with-gcc-5.2-and-newer.patch	2017-04-10 18:30:21.000000000 -0500
@@ -24,7 +24,7 @@
  1 file changed, 47 insertions(+)
 
 diff --git a/src/gmalloc.c b/src/gmalloc.c
-index cfd39be..9f93b62 100644
+index cfd39be2bb3..9f93b62df93 100644
 --- a/src/gmalloc.c
 +++ b/src/gmalloc.c
 @@ -49,6 +49,17 @@ extern "C"
diff -Nru emacs24-24.5+1/debian/patches/0022-Emacs-should-work-with-glibc-2.24-on-ppc64.patch emacs24-24.5+1/debian/patches/0022-Emacs-should-work-with-glibc-2.24-on-ppc64.patch
--- emacs24-24.5+1/debian/patches/0022-Emacs-should-work-with-glibc-2.24-on-ppc64.patch	2017-01-22 12:05:25.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0022-Emacs-should-work-with-glibc-2.24-on-ppc64.patch	2017-04-10 18:30:21.000000000 -0500
@@ -30,7 +30,7 @@
  3 files changed, 26 insertions(+), 26 deletions(-)
 
 diff --git a/admin/CPP-DEFINES b/admin/CPP-DEFINES
-index e475b42..ef35513 100644
+index e475b422500..ef355135d8a 100644
 --- a/admin/CPP-DEFINES
 +++ b/admin/CPP-DEFINES
 @@ -244,7 +244,7 @@ HAVE_NET_IF_DL_H
@@ -43,7 +43,7 @@
  HAVE_PNG_H
  HAVE_POSIX_MEMALIGN
 diff --git a/configure.ac b/configure.ac
-index bdc76bc..18387d8 100644
+index bdc76bca3db..18387d84ec5 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1478,15 +1478,17 @@ AC_CHECK_HEADERS_ONCE(
@@ -74,7 +74,7 @@
  
  dnl On Solaris 8 there's a compilation warning for term.h because
 diff --git a/src/emacs.c b/src/emacs.c
-index b5d3ab4..eda439a 100644
+index b5d3ab46a00..eda439ac6b1 100644
 --- a/src/emacs.c
 +++ b/src/emacs.c
 @@ -99,7 +99,7 @@ extern void moncontrol (int mode);
diff -Nru emacs24-24.5+1/debian/patches/0023-Emacs-should-no-longer-hang-when-loading-TRAMP.patch emacs24-24.5+1/debian/patches/0023-Emacs-should-no-longer-hang-when-loading-TRAMP.patch
--- emacs24-24.5+1/debian/patches/0023-Emacs-should-no-longer-hang-when-loading-TRAMP.patch	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0023-Emacs-should-no-longer-hang-when-loading-TRAMP.patch	2017-04-10 18:30:21.000000000 -0500
@@ -21,7 +21,7 @@
  5 files changed, 89 insertions(+), 53 deletions(-)
 
 diff --git a/lisp/net/tramp-adb.el b/lisp/net/tramp-adb.el
-index f5e2019..cf1e05e 100644
+index f5e201985f9..cf1e05e4d65 100644
 --- a/lisp/net/tramp-adb.el
 +++ b/lisp/net/tramp-adb.el
 @@ -38,6 +38,7 @@
@@ -41,7 +41,7 @@
    "^\\(?:[[:digit:]]*|?\\)?\\(?:[[:alnum:]]*@[[:alnum:]]*[^#\\$]*\\)?[#\\$][[:space:]]"
    "Regexp used as prompt in almquist shell."
 diff --git a/lisp/net/tramp-gvfs.el b/lisp/net/tramp-gvfs.el
-index 1ea52eb..5988a28 100644
+index 1ea52eb670d..5988a284c6e 100644
 --- a/lisp/net/tramp-gvfs.el
 +++ b/lisp/net/tramp-gvfs.el
 @@ -127,6 +127,7 @@
@@ -61,7 +61,7 @@
    "Defines seconds since last bluetooth device discovery before rescanning.
  A value of 0 would require an immediate discovery during hostname
 diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
-index bd7aec9..0e30bfe 100644
+index bd7aec98f79..0e30bfe08ed 100644
 --- a/lisp/net/tramp-sh.el
 +++ b/lisp/net/tramp-sh.el
 @@ -40,6 +40,7 @@
@@ -202,7 +202,7 @@
  		     (process-adaptive-read-buffering nil)
  		     (coding-system-for-read nil)
 diff --git a/lisp/net/tramp-smb.el b/lisp/net/tramp-smb.el
-index d5fe17f..14360b9 100644
+index d5fe17f0939..14360b96fe6 100644
 --- a/lisp/net/tramp-smb.el
 +++ b/lisp/net/tramp-smb.el
 @@ -70,17 +70,20 @@
@@ -251,7 +251,7 @@
    "Command switch used together with `tramp-smb-winexe-shell-command'.
  This can be used to disable echo etc."
 diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
-index 79242a4..10bb769 100644
+index 79242a46755..10bb76983aa 100644
 --- a/lisp/net/tramp.el
 +++ b/lisp/net/tramp.el
 @@ -73,6 +73,7 @@
diff -Nru emacs24-24.5+1/debian/patches/0024-Remove-insecure-from-gnutls-cli-invocation.patch emacs24-24.5+1/debian/patches/0024-Remove-insecure-from-gnutls-cli-invocation.patch
--- emacs24-24.5+1/debian/patches/0024-Remove-insecure-from-gnutls-cli-invocation.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0024-Remove-insecure-from-gnutls-cli-invocation.patch	2017-04-10 18:30:21.000000000 -0500
@@ -0,0 +1,66 @@
+From 235ecd401864645d6c14d0aa381af6a86f94a00c Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Tue, 29 Dec 2015 14:30:53 +0100
+Subject: Remove --insecure from gnutls-cli invocation
+
+Emacs should now use secure TLS connections by default.
+
+The following upstream patch has been added:
+
+  Remove --insecure from gnutls-cli invocation
+
+  * tls.el (tls-program): Default to using secure TLS
+  connections (bug#19284).
+
+Origin: backport, commit:ad9aaa460e2fa446b08124bd8df846e1471c030b
+Bug: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=19284
+Bug-Debian: https://bugs.debian.org/816063
+Forwarded: not-needed
+---
+ lisp/net/tls.el | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/net/tls.el b/lisp/net/tls.el
+index 9e02945225e..1475f03cb0e 100644
+--- a/lisp/net/tls.el
++++ b/lisp/net/tls.el
+@@ -74,8 +74,8 @@ and `gnutls-cli' (version 2.0.1) output."
+   :type 'regexp
+   :group 'tls)
+ 
+-(defcustom tls-program '("gnutls-cli --insecure -p %p %h"
+-			 "gnutls-cli --insecure -p %p %h --protocols ssl3"
++(defcustom tls-program '("gnutls-cli -p %p %h"
++			 "gnutls-cli -p %p %h --protocols ssl3"
+ 			 "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+   "List of strings containing commands to start TLS stream to a host.
+ Each entry in the list is tried until a connection is successful.
+@@ -89,13 +89,13 @@ successful negotiation."
+   :type
+   '(choice
+     (const :tag "Default list of commands"
+-	   ("gnutls-cli --insecure -p %p %h"
+-	    "gnutls-cli --insecure -p %p %h --protocols ssl3"
++	   ("gnutls-cli -p %p %h"
++	    "gnutls-cli -p %p %h --protocols ssl3"
+ 	    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+     (list :tag "Choose commands"
+ 	  :value
+-	  ("gnutls-cli --insecure -p %p %h"
+-	   "gnutls-cli --insecure -p %p %h --protocols ssl3"
++	  ("gnutls-cli -p %p %h"
++	   "gnutls-cli -p %p %h --protocols ssl3"
+ 	   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+ 	  (set :inline t
+ 	       ;; FIXME: add brief `:tag "..."' descriptions.
+@@ -105,8 +105,8 @@ successful negotiation."
+ 	       (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
+ 	       (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
+ 	       ;; No trust check:
+-	       (const "gnutls-cli --insecure -p %p %h")
+-	       (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
++	       (const "gnutls-cli -p %p %h")
++	       (const "gnutls-cli -p %p %h --protocols ssl3")
+ 	       (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+ 	  (repeat :inline t :tag "Other" (string)))
+     (list :tag "List of commands"
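
Review bot: in the last hunk of the embedded tls.el patch, the two `gnutls-cli -p %p %h` constants stay under the `;; No trust check:` comment after `--insecure` is removed, so the comment no longer describes them; move them out of that group or reword the comment. Also worth checking against 0026: the default `tls-program` list still ends with `openssl s_client -connect %h:%p -no_ssl2 -ign_eof`, which names no `-CAfile`, and the docstring states that each entry is tried until a connection is successful, so a connection refused by gnutls-cli can fall through to an entry that specifies no trust anchors. The `--protocols ssl3` variant is likewise kept as the second default.
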
diff -Nru emacs24-24.5+1/debian/patches/0025-Refactor-out-gnutls-trustfiles.patch emacs24-24.5+1/debian/patches/0025-Refactor-out-gnutls-trustfiles.patch
--- emacs24-24.5+1/debian/patches/0025-Refactor-out-gnutls-trustfiles.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0025-Refactor-out-gnutls-trustfiles.patch	2017-04-10 18:30:21.000000000 -0500
@@ -0,0 +1,54 @@
+From 9ca1f6e83aa65507f6f6c178821d5079ddc88bb5 Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Tue, 29 Dec 2015 14:39:53 +0100
+Subject: Refactor out gnutls-trustfiles
+
+Emacs should now specify a TLS trustfile.
+
+This upstream patch has been added [1/2]:
+
+  Refactor out gnutls-trustfiles
+
+  * lisp/net/gnutls.el (gnutls-trustfiles): Refactor out for reuse by tls.el.
+
+Origin: backport, commit:1ba1e35fbed820ec9d9e1dafbe150f88f29342d8
+Bug: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=19284
+Bug-Debian: https://bugs.debian.org/816063
+Forwarded: not-needed
+---
+ lisp/net/gnutls.el | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
+index 0593c1f29e3..de0b1b3d08f 100644
+--- a/lisp/net/gnutls.el
++++ b/lisp/net/gnutls.el
+@@ -189,12 +189,7 @@ here's a recent version of the list.
+ It must be omitted, a number, or nil; if omitted or nil it
+ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
+   (let* ((type (or type 'gnutls-x509pki))
+-         (trustfiles (or trustfiles
+-                         (delq nil
+-                               (mapcar (lambda (f) (and f (file-exists-p f) f))
+-                                       (if (functionp gnutls-trustfiles)
+-                                           (funcall gnutls-trustfiles)
+-                                         gnutls-trustfiles)))))
++         (trustfiles (or trustfiles (gnutls-trustfiles)))
+          (priority-string (or priority-string
+                               (cond
+                                ((eq type 'gnutls-anon)
+@@ -245,6 +240,14 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
+ 
+     process))
+ 
++(defun gnutls-trustfiles ()
++  "Return a list of usable trustfiles."
++  (delq nil
++        (mapcar (lambda (f) (and f (file-exists-p f) f))
++                (if (functionp gnutls-trustfiles)
++                    (funcall gnutls-trustfiles)
++                  gnutls-trustfiles))))
++
+ (declare-function gnutls-error-string "gnutls.c" (error))
+ 
+ (defun gnutls-message-maybe (doit format &rest params)
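Review bot: the new `gnutls-trustfiles` function returns an empty list when none of the configured files exists, and its docstring ("Return a list of usable trustfiles.") does not say so. Since the commit message states it is factored out for reuse by tls.el, document that "usable" here means only `file-exists-p`, that the variable of the same name may hold a function, and that the result can be nil, so callers know they have to handle that case.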
diff -Nru emacs24-24.5+1/debian/patches/0026-Make-tls.el-use-trustfiles-by-default.patch emacs24-24.5+1/debian/patches/0026-Make-tls.el-use-trustfiles-by-default.patch
--- emacs24-24.5+1/debian/patches/0026-Make-tls.el-use-trustfiles-by-default.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0026-Make-tls.el-use-trustfiles-by-default.patch	2017-04-10 18:30:21.000000000 -0500
@@ -0,0 +1,90 @@
+From a3951c32e009143b12d90ea0b219b9019a0102c5 Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Tue, 29 Dec 2015 14:46:20 +0100
+Subject: Make tls.el use trustfiles by default
+
+Emacs should now specify a TLS trustfile.
+
+This upstream patch has been added [2/2]:
+
+  Make tls.el use trustfiles by default
+
+  * lisp/net/tls.el (tls-program): Add a certfile by default (bug#21227).
+  (open-tls-stream): Insert the trustfile by looking at
+  `gnutls-trustfiles'.
+
+Origin: backport, commit:de5c44fe8811b07eaad6ab5fc53d498e465a43d4
+Bug: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21227
+Bug-Debian: https://bugs.debian.org/816063
+Forwarded: not-needed
+---
+ lisp/net/tls.el | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/lisp/net/tls.el b/lisp/net/tls.el
+index 1475f03cb0e..68a3ff6ae0a 100644
+--- a/lisp/net/tls.el
++++ b/lisp/net/tls.el
+@@ -44,6 +44,8 @@
+ 
+ ;;; Code:
+ 
++(require 'gnutls)
++
+ (autoload 'format-spec "format-spec")
+ (autoload 'format-spec-make "format-spec")
+ 
+@@ -74,9 +76,10 @@ and `gnutls-cli' (version 2.0.1) output."
+   :type 'regexp
+   :group 'tls)
+ 
+-(defcustom tls-program '("gnutls-cli -p %p %h"
+-			 "gnutls-cli -p %p %h --protocols ssl3"
+-			 "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
++(defcustom tls-program
++  '("gnutls-cli --x509cafile %t -p %p %h"
++    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
++    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+   "List of strings containing commands to start TLS stream to a host.
+ Each entry in the list is tried until a connection is successful.
+ %h is replaced with server hostname, %p with port to connect to.
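Review bot: the new default introduces a `%t` placeholder, but the docstring line kept as context here documents only %h and %p, and no hunk in this patch adds a description of %t. Please document it alongside the other two. Also, the gnutls-cli entries gain `--x509cafile %t` while the openssl entry in this default still has no `-CAfile %t`, so the last fallback is the only one without a trust file.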
+@@ -89,24 +92,20 @@ successful negotiation."
+   :type
+   '(choice
+     (const :tag "Default list of commands"
+-	   ("gnutls-cli -p %p %h"
+-	    "gnutls-cli -p %p %h --protocols ssl3"
+-	    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
++	   ("gnutls-cli --x509cafile %t -p %p %h"
++	    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
++	    "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
+     (list :tag "Choose commands"
+ 	  :value
+-	  ("gnutls-cli -p %p %h"
+-	   "gnutls-cli -p %p %h --protocols ssl3"
++	  ("gnutls-cli --x509cafile %t -p %p %h"
++	   "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+ 	   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+ 	  (set :inline t
+ 	       ;; FIXME: add brief `:tag "..."' descriptions.
+ 	       ;; (repeat :inline t :tag "Other" (string))
+-	       ;; See `tls-checktrust':
+-	       (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h")
+-	       (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
+-	       (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
+ 	       ;; No trust check:
+-	       (const "gnutls-cli -p %p %h")
+-	       (const "gnutls-cli -p %p %h --protocols ssl3")
++	       (const "gnutls-cli --insecure -p %p %h")
++	       (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
+ 	       (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+ 	  (repeat :inline t :tag "Other" (string)))
+     (list :tag "List of commands"
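Review bot: the "Default list of commands" const now ends with `openssl s_client -CAfile %t -connect ...`, which is not equal to the defcustom default in the previous hunk (its openssl entry has no `-CAfile %t`), so the default value will not match that const. In the same hunk the "Choose commands" :value and the set keep the openssl entry without a CA file, the only openssl const that named one is removed with the `tls-checktrust` entries, and the set offers no const for the new `--x509cafile %t` commands. Suggest making the three lists agree and adding the `%t` variants as selectable consts above the `;; No trust check:` group.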
+@@ -227,6 +226,7 @@ Fourth arg PORT is an integer specifying a port to connect to."
+ 	       (format-spec
+ 		cmd
+ 		(format-spec-make
++                 ?t (car (gnutls-trustfiles))
+ 		 ?h host
+ 		 ?p (if (integerp port)
+ 			(int-to-string port)
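Review bot: `(car (gnutls-trustfiles))` is nil when none of the trust files exists on the system, and nothing in this hunk guards that case before the value is handed to `format-spec-make` for %t. Check for an empty list first and either signal a clear error or skip the commands that use %t, rather than building a command line with no trust file in it. Note also that only the first trust file is ever passed; say so in the docstring if that is intended.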
diff -Nru emacs24-24.5+1/debian/patches/series emacs24-24.5+1/debian/patches/series
--- emacs24-24.5+1/debian/patches/series	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/patches/series	2017-04-10 18:30:21.000000000 -0500
@@ -21,3 +21,6 @@
 0021-Emacs-should-work-with-gcc-5.2-and-newer.patch
 0022-Emacs-should-work-with-glibc-2.24-on-ppc64.patch
 0023-Emacs-should-no-longer-hang-when-loading-TRAMP.patch
+0024-Remove-insecure-from-gnutls-cli-invocation.patch
+0025-Refactor-out-gnutls-trustfiles.patch
+0026-Make-tls.el-use-trustfiles-by-default.patch
diff -Nru emacs24-24.5+1/debian/rules emacs24-24.5+1/debian/rules
--- emacs24-24.5+1/debian/rules	2017-01-22 14:32:37.000000000 -0600
+++ emacs24-24.5+1/debian/rules	2017-04-16 10:06:33.000000000 -0500
@@ -315,6 +315,7 @@
 confflags += --mandir=/usr/share/man
 confflags += --with-pop=yes
 confflags += --enable-locallisppath=$(local_lpath)
+confflags += --without-gnutls
 
 # x configure flags
 confflags_x := $(confflags) 
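Review bot: `confflags += --without-gnutls` is added to the shared `confflags` with no comment, and `confflags_x := $(confflags)` just below inherits it, so the built-in GnuTLS support is switched off for every flavour built from these flags. Please add a comment in debian/rules stating why and referencing the Debian bug named in the patch headers (816063), and confirm that the package relationships make the external `gnutls-cli` or `openssl` commands from `tls-program` available on installed systems.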
unblock emacs24/24.5+1-9

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

--- End Message ---
--- Begin Message ---
Niels Thykier:
> Control: tags -1 confirmed moreinfo
> 


Hi,


> Rob Browning:
>> Niels Thykier <niels@thykier.net> writes:
>>
>>> Rob Browning:
>>
>>> Ok.  Is there any easy way to figure this out?  I am ready to consider
>>> additionally targeted fixes for non-deterministic build failures.
>>
>> I suspect both of those fixes may be appropriate.  I'll see what I can
>> come up with.
>>
> 
> Ok, given this and that the current diff is trivially reviewable, please
> go ahead with the upload to unstable and notify us via this bug once it
> has been built on all release architectures (by removing the moreinfo
> tag). ...
> 

I ended up unblocking emacs24/24.5+1-9 already (which is why I will
close this bug now).  That said, I would still be happy to consider
the additional fixes we talked about, plus a fix for #860858. :)

Please go ahead with the upload and let us know once it has happened. :)

Thanks,
~Niels

--- End Message ---
