From fb4c39d76441f02439c0747262453ad43c166e34 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Wed, 6 Apr 2022 17:45:04 +0200 Subject: [PATCH] Silence rpmlint false positives capi.so is only useful on Windows, it does not matter that it does not have dependency information. The invalid URL warnings are expected for packages with hobbled source code archives. We explicitly allow the use of SSL_CTX_set_cipher_list in the openssl(1) binary. (cherry picked from commit 82a6212c47f483fb27a34555ca6b0d61af8521ce) Signed-off-by: Clemens Lang --- openssl.rpmlintrc | 9 +++++++++ openssl.spec | 4 ++++ 2 files changed, 13 insertions(+) create mode 100644 openssl.rpmlintrc diff --git a/openssl.rpmlintrc b/openssl.rpmlintrc new file mode 100644 index 0000000..3539843 --- /dev/null +++ b/openssl.rpmlintrc @@ -0,0 +1,9 @@ +# capi.so is a dummy only used on Windows, it doesn't need dependency information +addFilter("E: shared-lib(rary)?-without-dependency-information /usr/lib64/engines-3/capi.so") + +# The sources are hobbled and thus not a valid URL. That's expected. +addFilter("W: invalid-url Source0: openssl-[0-9\\.]+-hobbled.tar.gz") + +# Technically this warning is correct, but in the case of the openssl binary we +# want to allow SSL_CTX_set_cipher_list +addFilter("W: crypto-policy-non-compliance-openssl /usr/bin/openssl SSL_CTX_set_cipher_list") diff --git a/openssl.spec b/openssl.spec index f94d698..9a95353 100644 --- a/openssl.spec +++ b/openssl.spec @@ -24,6 +24,7 @@ Source: openssl-%{version}-hobbled.tar.gz Source1: hobble-openssl Source2: Makefile.certificate Source3: genpatches +Source4: openssl.rpmlintrc Source6: make-dummy-cert Source7: renew-dummy-cert Source9: configuration-switch.h @@ -388,6 +389,9 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Apr 07 2022 Clemens Lang - 1:3.0.2-2 +- Silence a few rpmlint false positives. + * Thu Apr 07 2022 Clemens Lang - 1:3.0.2-2 - Allow disabling SHA1 signature creation and verification. Set rh-allow-sha1-signatures = no to disable.