From: Alberto Leiva Popper Date: Fri, 30 Dec 2022 21:57:09 +0000 (-0600) Subject: Initialize the debian branch X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a1a8f790f748db5112ee58feff9700cf315d27e;p=thirdparty%2FFORT-validator.git Initialize the debian branch --- diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000..3ad38d80 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,347 @@ +fort (1.5.4-1) unstable; urgency=medium + + * New upstream release + + -- Alberto Leiva Popper Tue, 13 Dec 2022 16:59:44 -0500 + +fort (1.5.3-1) unstable; urgency=medium + + * New upstream release + + -- Alberto Leiva Popper Mon, 08 Nov 2021 22:33:28 -0500 + +fort (1.5.2-1) unstable; urgency=medium + + * New upstream release + + -- Alberto Leiva Popper Tue, 19 Oct 2021 15:39:43 -0500 + +fort (1.5.1-1) unstable; urgency=medium + + * New upstream release + + -- Alberto Leiva Popper Fri, 06 Aug 2021 17:00:00 -0500 + +fort (1.5.0-1) UNRELEASED; urgency=medium + + * New upstream release. + * Add 'RestartForceExitStatus' service setting. + * Set service type as 'simple' instead of 'exec'. + + -- Francisco Moreno Tue, 15 Dec 2020 17:11:21 -0600 + +fort (1.4.2-1) UNRELEASED; urgency=medium + + * New upstream release + + -- Francisco Moreno Tue, 20 Oct 2020 18:14:29 -0500 + +fort (1.4.1-1) UNRELEASED; urgency=medium + + * New upstream release + + -- Francisco Moreno Mon, 28 Sep 2020 12:11:43 -0500 + +fort (1.4.0-1) UNRELEASED; urgency=medium + + * Bug fix: Some XML parsing and validation errors where printed straight to + stderr, now they're printed to the configured "validation-log.output". + * Bug fix: The protocol part of an URI only was only valid in lowercase, now + the case is ignored. + + * Update: RTR server can bind to multiple IPs. + * Update: Deprecate all "rrdp.*" arguments, renaming them to "http.*". The new + arguments are "http.enabled", "http.priority", "http.retry.count" and + "http.retry.interval". They apply for each outgoing http request. + * Update: The 4 TALs now include an HTTPs URI. + * Update: HTTPS requests are now preferred by default over RSYNC requests, + this applies only where both of the options are present. + * Update: New incidences for stale manifests ("incid-mft-stale") and stale + CRLs ("incid-crl-stale"). 
+ + -- Francisco Moreno Tue, 04 Aug 2020 17:03:28 -0500 + +fort (1.3.0-1) UNRELEASED; urgency=medium + + * Bug fix: Minimize function calls and processing once a fork is made to + execute rsync, related to github issue #35. + + * Update: Separate the validation messages from the operation messages, each + log type has its own configuration arguments. + * Update: Include a configurable syslog facility for each log type, useful + when syslog is utilized. + * Update: Add new argument 'stale-repository-period'. When a repository URI + can't be reached, the validator will log the error messages at the + operation log after 'stale-repository-period' seconds had elapsed since the + first error fetching the repository URI. + * Update: Work with local files if a repository can't be synced. + + -- Francisco Moreno Tue, 30 Jun 2020 18:48:18 -0500 + +fort (1.2.1-1) UNRELEASED; urgency=medium + + * Bug fix: Add broken pipe (SIGPIPE) signal handler, this avoids a sudden + death when the socket is still alive at the server but closed at the client + side. + * Bug fix: Don't hold the DB lock when the SLURM is being loaded. + * Bug fix: Specific for CentOS7 libcurl: check for time condition met/unmet + (whenever the HTTP header "If-Modified-Since" is sent) when requesting RRDP + update notification files. + * Bug fix: Stop sending PDUs on reset exchange error. + * Bug fix: Fix GCC 10 compiling error and warnings (solves github issue #32). + + * Update: Add capability 'CAP_NET_BIND_SERVICE' to this package in order to + bind the RTR server to port 323 by default. + * Update: Wait for client connections at '--server.port' until the first + validation cycle is done. + * Update: Update internal PDU logs. + * Update: SLURM upgrades: + -Improve loading process, use an internal cache when a SLURM file is being + loaded. + -Don't discard the loaded SLURM if there's an error applying it. 
+ -Calculate SLURM file(s) checksum and compare it with its previous one to + avoid loading each SLURM at every validation cycle if there aren't + updates. + -Stop doing unnecessary validations, since they aren't part of the + RFC 8416: duplicated elements at the same file, covered prefixes at the + same file. + * Update: Add new incidences related to manifests processing (solves github + issue #28) + * Update: Internal improvements resultant from a code review. + + -- Francisco Moreno Fri, 24 Apr 2020 13:25:47 -0500 + +fort (1.2.0-1) UNRELEASED; urgency=medium + + * Bug fix: Solve github issue #9 "Use previous valid SLURM configuration on + SLURM error": whenever there's an error processing the SLURM, apply the last + valid SLURM version. + * Bug fix: If an empty value was sent to arguments that expect paths + (eg. 'fort --tal='), this was treated as valid; now this isn't allowed. + * Bug fix: rsync execution logs didn't logged to syslog, now they do. + * Bug fix: Allow reuse server address/port on restart. + * Bug fix: Try to fetch the trust anchor certificate from another URI whenever + the previous TAL URI wasn't fetched due to an error. + * Bug fix: Standard output wasn't flushed when the console logs where piped, + now it is flushed. + + * Update: Support RRDP (solves github issue #20). + * Update: Support HTTPS URIs in TALs (solves github issue #19). + * Update: Add new incidence 'incid-obj-not-der-encoded' to validate signed + objects DER encoding. + * Update: Log additional information on start/end of a validation cycle, the + information is printed at log level 'info': + -When a client starts/ends a connection, or when the connection is killed + (print its address and an internal ID). + -When a new validation cycle is started and finished (includes number of + valid Prefixes and Router Keys, current/new serial number, and real + execution time). + * Update: Add setup script to ease ARINs TAL download, explicitly accepting + their RPA. 
The script does the following: + -Invites to agree ARIN RPA and downloads ARIN's TAL. + -Downloads the rest of the TALS from github repository. + -Creates a local repository directory, and an example configuration file. + * Update: Create 'examples' directory: + -Move 'tal' directory to this new directory. + -Add a valid configuration file. + -Add a valid SLURM file. + * Update: Validate configuration args 'slurm' and 'tal' during startup. + * Update: Configuration arg 'sync-strategy' will be deprecated, log a warning + if it's set. + * Update: New configuration arguments added: + -'work-offline': Disables outgoing requests to work only with local files + from 'local-repository'. + -'http.user-agent': User-Agent header set at HTTP requests. + -'http.connect-timeout': Timeout in seconds for the connect phase at HTTP + requests. + -'http.transfer-timeout': Maximum allowed time that an HTTP request can + take. + -'http.idle-timeout': Maximum idle time during an HTTP request. + -'http.ca-path': Directory where CA certs to verify peers are found. + -'rrdp.enabled': Enables RRDP files processing. + -'rrdp.priority': Priority to use this protocol whenever a CA has another + option to access the repository files. + -'rrdp.retry.count': Maximum number of retries on requests error. + -'rrdp.retry.interval': Interval (in seconds) between each retry. + -'rsync.enabled': Enables RSYNC execution. + -'rsync.priority': Priority to use this protocol whenever a CA has another + option to access the repository files. + -'rsync.strategy': Synchronization download strategy (replaces + 'sync-strategy'). + -'rsync.retry.count': Maximum number of retries whenever there's an + execution error. + .'rsync.retry.interval': Interval (in seconds) between each retry. + -'asn1-decode-max-stack': indicates the max stack size that can be utilized + when decoding ASN1 objects (mainly to avoid a stack overflow). + * Update: Add '--timeout' parameter to rsync default arguments. 
+ * Update: Set 'root-except-ta' default value to 'rsync.strategy'. + * Update: Update unit tests. + + * Docs: Indicate full RFC 8182 and RFC 8630 compliance. + * Docs: Add docs for new configuration parameters (at web docs module + 'Program arguments' and user man). + * Docs: Add the usage of the setup script at Installation module, as well as + the new dependencies of 'libcurl' and 'libxml2'. + * Docs: Add new section 'Routers', contains a basic explanation of data + exchange with routers. + * Docs: Update Incidences module to include DER encoding validation + ('incid-obj-not-der-encoded'). + * Docs: Update RFC compliance of RFC 6488 to 100%. + * Docs: Update READMEs to use relative paths instead of always use master + URLs. + * Docs: Replace '2019' year refs to '2020'. + + -- Francisco Moreno Fri, 07 Feb 2020 15:42:51 -0600 + +fort (1.1.3-1) UNRELEASED; urgency=medium + + * Bug fix: Don't update valid prefixes and router keys database if one of the + root certificates had a communication error (rsync) or a processing error. + + -- Francisco Moreno Wed, 04 Dec 2019 12:47:21 -0600 + +fort (1.1.2-1) UNRELEASED; urgency=medium + + * Update: Add missing 2-Clause BSD licence to /src/asn1/asn1c/ code. + * Update: Add 'log.output' and 'log.level' configuration parameters. + * Update: Allow debug log without the need to recompile from source. + * Update: Remove '' references. + + * Docs: Update Logging and Program Arguments modules to explain new + configuration parameters. + + -- Francisco Moreno Thu, 07 Nov 2019 12:08:07 -0600 + +fort (1.1.1-1) UNRELEASED; urgency=medium + + * Bug fix: Validate 'output.bgpsec' path, check if the path is writable + during configuration checks. + * Bug fix: Fix bad PDU exchange when the ROAs/Router Keys DB was empty, an + End of Data was being sent when a Reset Query PDU was received. + + * Update: Add missing validation from RFC 7935 section 3 (subjectPublicKey + modulus and exponent). 
+ * Update: Use type 'blksize_t' () instead of '__blksize_t' + () to avoid a specific compilation error on Alpine Linux. + + -- Francisco Moreno Thu, 31 Oct 2019 10:10:34 -0600 + +fort (1.1.0-1) UNRELEASED; urgency=medium + + * Update: Create a thread to rsync and validate each TAL, trying to improve + execution time. + * Update: Support RTR version 1: + -RTR version negotiation. + -Validate version during PDU exchange. + -Implement new PDU error "Unexpected Protocol Version". + -Implement new PDU type "Router Key". + -Add timing parameters to "End of Data PDU". + * Update: Support BGPsec EE certificates (validate and consider for deltas) + accordingly to RFC 8209 and 8608. + * Update: Update configuration parameters: + -Rename 'server.validation-interval' to 'server.interval.validation'. + -Add 'server.interval.refresh', 'server.interval.retry', and + 'server.interval.expire' args to use at RTR version 1 "End of Data PDU". + -Add "output.bgpsec' (similar to 'output.roa') to print valid Router Keys, + the information is printed as base64url encoded strings. + * Update: Support BGPsec filters and assertions at SLURM files. + * Update: Use syslog when running in server mode, print at console otherwise. + * Update: Update unit tests. + + * Docs: Indicate full RFC 8209 compliance. + * Docs: Add RFCs compliance (they were missing): 6810, 8210, 8416, 8608, 8630. + * Docs: Update SLURM module with BGPsec assertions and filters support, as + well as some examples. + * Docs: Update Usage module: + -Rename to 'Program Arguments'. + -Updated configuration property ('server.validation-interval' is now + 'server.interval.validation'). + -New properties ('server.interval.refresh', 'server.interval.retry', + 'server.interval.expire', and 'output.bgpsec'). + -Show which 'output.roa' headers are printed. + * Docs: Use the same layout at home (landing page) to avoid multiple clicks + in order to reach the docs. 
+ * Docs: Use a similar configuration file as example at web docs and user man. + * Docs: Add Logging module to explain how the logs work. + * Docs: Update root README with basic information about the project. + * Docs: Update user man: indicate RTR version 1 support, and add the same + updates as in the web docs. + + -- Francisco Moreno Mon, 14 Oct 2019 12:02:10 -0500 + +fort (1.0.0-1) UNRELEASED; urgency=medium + + * Bug fix: Solved github issue #11 "ROAs, MFTs and CAs created with revoked + certs are valids". + * Bug fix: Solved github issue #12 "Programming error when a ROA without + prefixes is validated". + * Bug fix: Solved github issue #13 "Wrong "serial number X is not unique" + error is displayed when an MFT expired error happens". + * Bug fix: Solved github issue #14 "FORT using server mode cannot be + interrupted on OpenBSD with SIGINT signal (Control+C)". + * Bug fix: The whole set of multiple SLURM files wasn't rejected in overlap + cases (RFC 8416 section 4.2). + * Bug fix: Validate "server.port" numeric value, since the function + "getaddrinfo" is a bit lax with numeric values (it takes into account only + the 16 rightmost bits). + * Bug fix: Log the configured "server.address" instead of always log "any" as + the server address. + * Bug fix: Validate "output.roa" file path at initialization. + * Bug fix: LibreSSL couldn't decode base64 text with line breaks where at + least one line had more than 80 chars. + * Bug fix: Remove invalid memory release when a TAL wasn't successfully + loaded. + * Bug fix: Some files needed by the unit tests were not exporting. + * Bug fix: Join each client thread when the connection is terminated. + * Bug fix: Avoid memory leak caused by X509_VERIFY_PARAM. + * Bug fix: Patch bad initialization of CRL stack. + * Bug fix: SLURM filters weren't correctly applied when an asn and prefix + were set, only the asn was taken into account to filter VRPs. + * Bug fix: SLURM filters of covering prefixes were ignored; e.g. 
if a prefix + X covered ROA prefix Y, the ROA prefix wasn't filtered. + + * Update: In case of a SLURM error, log the JSON element with the error + instead of logging the element number. + * Update: Log a warning when a configuration path ("slurm", "tal") contains 0 + expected files (extensions ".slurm", ".tal"). + * Update: Configuration property "maximum-certificate-depth" now has a + minimum allowed value of 5 to allow a regular validation using RIR TALs. + * Update: The incidence "Signed Object's hash algorithm has NULL object as + parameters" now has the ID "incid-hashalg-has-params", and by default it + has an action of "ignore". + * Update: Update information displayed by "--help" at "--tal" and "--slurm" + flags. + * Update: Show ROA eContent in debug mode. + * Update: Retry file download when there's an error related to a manifest + file. + * Update: Set compiler optimization level ("-O") from "0" to "2". + * Display RTR server info when successfully binded. + * Log property name on value error (for unsigned integer values). + * Remove compile warning '_BSD_SOURCE and _SVID_SOURCE are deprecated'. + * Log custom incidences on initialization. + + * Docs: Indicate current support for 64 bits OSs. 32 bit archs MAY present + the 2038 Year Problem. + * Docs: Add installation steps for: CentOS 7, Fedora 30, openSUSE Leap, + FreeBSD 12, Slackware current release (as of 2019-08-12) + * Docs: Add minimum dependencies version required: Openssl >= 1.1.0, + GCC >= 4.9. + * Docs: Update incidences section, now the registered incidence has a + distinct ID and a default action of "ignore". + * Docs: Update link to "UINT_MAX" definition at usage section. + * Docs: Use path "/tmp/fort/" at multiple examples (man, web docs). 
+ + -- Francisco Moreno Mon, 26 Aug 2019 12:01:33 -0500 + +fort (0.0.2-1) UNRELEASED; urgency=medium + + * libcmscodec dependency removed + * Lintian bugs purged + + -- Alberto Leiva Popper Fri, 14 Jun 2019 17:54:20 -0500 + +fort (0.0.1-1) UNRELEASED; urgency=medium + + * Initial release + + -- Alberto Leiva Popper Wed, 05 Jun 2019 17:01:16 -0500 diff --git a/debian/config.json b/debian/config.json new file mode 100644 index 00000000..a0fcb42e --- /dev/null +++ b/debian/config.json @@ -0,0 +1,11 @@ +{ + "tal": "/etc/fort/tal", + "local-repository": "/var/lib/fort", + "slurm": "/etc/fort/slurm/", + "server": { + "port": "323" + }, + "log": { + "output": "syslog" + } +} diff --git a/debian/control b/debian/control new file mode 100644 index 00000000..d64314bc --- /dev/null +++ b/debian/control @@ -0,0 +1,33 @@ +Source: fort +Maintainer: FORT Validator +Uploaders: Alberto Leiva Popper +Section: net +Priority: optional +Build-Depends: debhelper-compat (= 11), + debhelper (>= 11), + pkg-config, + libcurl4-openssl-dev, + libjansson-dev, + libssl-dev, + libxml2-dev, +Standards-Version: 4.5.1 +Rules-Requires-Root: no +Homepage: https://nicmx.github.io/FORT-validator +Vcs-Git: https://github.com/NICMx/FORT-validator.git -b debian +Vcs-Browser: https://github.com/NICMx/FORT-validator + +Package: fort +Architecture: any +Multi-Arch: foreign +Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, rsync, + libcurl4, libxml2, +Description: RPKI Relying Party and RTR server + Regularly downloads and validates RPKI repositories. Serves resulting + Route Origin Attestations (ROAs) and BGPsec Router Keys to routers. + . + A ROA is a digitally signed object that asserts that an AS is + authorized to originate routes to a given set of IP prefixes, and + similarly, a Router Key asserts that every AS on a given AS path has + explicitly authorized the advertisement of a route to the subsequent AS + in the path. + 
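Review bot: debian/config.json sets `"slurm": "/etc/fort/slurm/"`, a directory that debian/fort.dirs ships empty; the 1.0.0-1 changelog entry above says Fort logs a warning when a `slurm` or `tal` path contains no files with the expected extension, so every start of the packaged service will warn about the missing SLURM. Consider leaving the `slurm` key out of the shipped configuration (operators add it once they have a SLURM file), or state in the package documentation that the warning is expected until one is dropped into that directory.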
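Review bot: in debian/control, `debhelper (>= 11)` next to `debhelper-compat (= 11)` is redundant (the compat package already pulls in debhelper), and the explicit `libcurl4, libxml2` in `Depends` duplicates what `${shlibs:Depends}` generates from the linked libraries while hard-coding a specific SONAME package name; drop both. Whatever debhelper version ends up declared here also has to be at least 12.8, because debian/rules in this same commit relies on an `execute_after_dh_install` target that older debhelper does not recognise.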
diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000..e077cd6f --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,56 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: fort +Source: https://github.com/NICMx/FORT-validator + +Files: * +Copyright: 2022 NIC Mexico +License: MIT + +Files: src/asn1/asn1c/* +Copyright: 2003-2013 Lev Walkin +License: BSD-2-clause + +Files: debian/* +Copyright: 2022 Alberto Leiva Popper +License: MIT + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . 
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. diff --git a/debian/fort.dirs b/debian/fort.dirs new file mode 100644 index 00000000..f477978d --- /dev/null +++ b/debian/fort.dirs @@ -0,0 +1,2 @@ +/etc/fort/slurm/ +/var/lib/fort/ diff --git a/debian/fort.install b/debian/fort.install new file mode 100644 index 00000000..08b6f716 --- /dev/null +++ b/debian/fort.install @@ -0,0 +1,7 @@ +debian/config.json /etc/fort +examples/tal/afrinic.tal /etc/fort/tal +examples/tal/apnic.tal /etc/fort/tal +examples/tal/lacnic.tal /etc/fort/tal +examples/tal/ripe-ncc.tal /etc/fort/tal +examples/config.json /etc/fort/examples +examples/demo.slurm /etc/fort/examples diff --git a/debian/fort.postinst b/debian/fort.postinst new file mode 100644 index 00000000..c40339ad --- /dev/null +++ b/debian/fort.postinst @@ -0,0 +1,19 @@ +#!/bin/sh -e + +create_user() { + local username='fort' + + if id $username > /dev/null 2>&1; then return; fi + + adduser --system --no-create-home --home /var/lib/fort --group \ + --disabled-password --gecos "FORT validator" $username +} + +case "$1" in +configure) + create_user "$@" + ;; +esac + +#DEBHELPER# + diff --git a/debian/fort.postrm b/debian/fort.postrm new file mode 100644 index 00000000..7d6c6aa6 --- /dev/null +++ b/debian/fort.postrm 
@@ -0,0 +1,15 @@ +#!/bin/sh -e + +clean_var() { + echo "Deleting the fort repository..." + rm -rf /var/lib/fort/ +} + +case "$1" in + purge) + clean_var "$@" + ;; +esac + +#DEBHELPER# + diff --git a/debian/fort.service b/debian/fort.service new file mode 100644 index 00000000..f9560659 --- /dev/null +++ b/debian/fort.service @@ -0,0 +1,21 @@ +# This is a systemd unit configuration file. +# As of now, it is the only file needed to connect Fort and systemd. +# Turns Fort into a service. + +[Unit] +Description=FORT RPKI validator +Documentation=man:fort(8) +Documentation=https://nicmx.github.io/FORT-validator/ +After=network.target + +[Service] +ExecStart=/usr/bin/fort --configuration-file /etc/fort/config.json +Type=simple +# This user is created during postinst. +User=fort +Group=fort +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE + +[Install] +WantedBy=multi-user.target diff --git a/debian/patches/program_defaults b/debian/patches/program_defaults new file mode 100644 index 00000000..fb54d436 --- /dev/null +++ b/debian/patches/program_defaults 
@@ -0,0 +1,119 @@ +Description: Mimic patches from Marco D'itri debian packaging + These are almost the same updates from fort-validator package, trying to + simplify the migration from this package to that package. +Origin: https://salsa.debian.org/md/fort-validator/-/tree/master/debian/patches +--- a/man/fort.8 ++++ b/man/fort.8 +@@ -225,6 +225,8 @@ The TAL ("Trust Anchor Locator") is a te + its public key. (See RFC 8630.) + .RE + .P ++By default, the path is \fI/etc/tals\fR. ++.P + + .BR \-r ", " \-\-local-repository=\fIDIRECTORY\fR + .RS 4 +@@ -251,7 +253,7 @@ Fort's entire validation process operate + Because rsync uses delta encoding, you’re advised to keep this cache around. It + significantly speeds up subsequent validation cycles. + .P +-By default, the path is \fI/tmp/fort/repository\fR. ++By default, the path is \fI/var/lib/fort\fR. + .RE + .P + +@@ -1196,30 +1198,30 @@ By default, it has a value of \fI43200\f + .P + + .SH EXAMPLES +-.B fort \-\-init-tals \-\-tal=/tmp/tal ++.B fort \-\-init-tals \-\-tal=/etc/tals + .RS 4 + Download the 5 RIR TALs into the specified directory. ARIN TAL will be + downloaded only if the user accepts ARIN's RPA. + .RE + .P + +-.B fort \-t /tmp/tal \-r /tmp/repository \-\-server.port=9323 ++.B fort \-t /etc/tals \-r /var/lib/fort \-\-server.port=9323 + .RS 4 + Run FORT with all the default values, using a custom TALs directory, a + custom repository directory as well, and binding the RTR server to port 9323. + .RE + .P + +-.B fort \-t /tmp/tal \-r /tmp/repository \-\-mode=standalone \-\-output.roa=- ++.B fort \-t /etc/tals \-r /var/lib/fort \-\-mode=standalone \-\-output.roa=- + .RS 4 + Run FORT as standalone and output ROAs CSV to the console. + .RE + .P + + .nf +-\fBfort \-t /tmp/tal \-r /tmp/repository \\ ++\fBfort \-t /etc/tals \-r /var/lib/fort \\ + \-\-mode=standalone \\ +- \-\-slurm=/tmp/myslurm.slurm\fR ++ \-\-slurm=/etc/fort/slurm/\fR + .fi + .RS 4 + Run FORT as standalone and using a SLURM file. 
+@@ -1233,7 +1235,7 @@ Run FORT using the JSON configuration fi + .P + + .nf +-\fBfort \-t /tmp/tal \-r /tmp/repository \\ ++\fBfort \-t /etc/tals \-r /var/lib/fort \\ + \-\-server.address=::1 \-\-server.port=9323 \\ + \-\-server.interval.validation=1800 \\ + \-\-output.roa=/tmp/roas.csv\fR +@@ -1251,14 +1253,14 @@ to a specific value: + .nf + + { +- "tal": "/tmp/fort/tal/", +- "local-repository": "/tmp/fort/repository/", ++ "tal": "/etc/tals/", ++ "local-repository": "/var/lib/fort/", + "work-offline": false, + "shuffle-uris": true, + "maximum-certificate-depth": 32, + "mode": "server", + "daemon": false, +- "slurm": "/tmp/fort/test.slurm", ++ "slurm": "/etc/fort/slurm/", + "server": { + "address": [ + "192.0.2.1", +--- a/src/config.c ++++ b/src/config.c +@@ -983,13 +983,17 @@ set_default_values(void) + rpki_config.server.interval.expire = 7200; + rpki_config.server.deltas_lifetime = 2; + +- rpki_config.tal = NULL; ++ rpki_config.tal = strdup("/etc/tals"); ++ if (rpki_config.tal == NULL) { ++ error = pr_enomem(); ++ goto revert_port; ++ } + rpki_config.slurm = NULL; + +- rpki_config.local_repository = strdup("/tmp/fort/repository"); ++ rpki_config.local_repository = strdup("/var/lib/fort"); + if (rpki_config.local_repository == NULL) { + error = pr_enomem(); +- goto revert_port; ++ goto revert_tal; + } + + rpki_config.sync_strategy = RSYNC_ROOT_EXCEPT_TA; +@@ -1096,6 +1100,8 @@ revert_rsync_program: + free(rpki_config.rsync.program); + revert_repository: + free(rpki_config.local_repository); ++revert_tal: ++ free(rpki_config.tal); + revert_port: + free(rpki_config.server.port); + revert_address: diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 00000000..951d83dd --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +program_defaults diff --git a/debian/rules b/debian/rules new file mode 100755 index 00000000..10809251 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,26 @@ +#!/usr/bin/make -f + +# See debhelper(7) +# output every command that modifies files on the build system. +export DH_VERBOSE = 1 + +# see ENVIRONMENT in dpkg-buildflags(1) +# package maintainers to append CFLAGS +export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic +# package maintainers to append LDFLAGS +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed + +# see FEATURE AREAS in dpkg-buildflags(1) +export DEB_BUILD_MAINT_OPTIONS=hardening=+all + +D := $(CURDIR)/debian/fort + +%: + dh $@ + +execute_after_dh_install: + printf 'Signature: 8a477f597d28d172789f06886806bc55' > $D/var/lib/fort/CACHEDIR.TAG + +override_dh_installsystemd: + dh_installsystemd --name fort + diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/watch b/debian/watch new file mode 100644 index 00000000..3d56eba8 --- /dev/null +++ b/debian/watch @@ -0,0 +1,2 @@ +version=4 +opts=pgpsigurlmangle=s/$/.asc/ https://github.com/NICMx/FORT-validator/releases https://github.com/NICMx/FORT-validator/releases/download/v\d+\.\d+\.\d+/@PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@
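Review bot: debian/fort.postinst creates the `fort` system user with `--home /var/lib/fort --no-create-home`, but nothing in this commit makes /var/lib/fort writable by that user: the directory comes from debian/fort.dirs (plus the CACHEDIR.TAG written by debian/rules) and is owned by root, while debian/fort.service runs with `User=fort` and debian/config.json uses that directory as `local-repository`, so the validator will not be able to write its rsync/RRDP cache. Add `chown fort:fort /var/lib/fort` in the `configure)` branch after `create_user`, or put `StateDirectory=fort` in the unit so systemd creates the directory with the right ownership. Minor: quote `"$username"` in the `id` and `adduser` calls, and the `"$@"` passed to `create_user` is never used by the function.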
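Review bot: debian/fort.postrm removes /var/lib/fort on purge but leaves the `fort` system account created by postinst in place; if the intent is a clean purge, consider `deluser --system fort` there as well (guarded by `if command -v deluser`), otherwise document that the account is kept deliberately. The `rm -rf /var/lib/fort/` is unconditional, which is acceptable for a fixed path the package owns, but an `[ -d /var/lib/fort ]` test would avoid printing "Deleting the fort repository..." when there is nothing to delete.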
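Review bot: debian/fort.service orders the unit only `After=network.target`, but Fort starts fetching repositories over rsync and HTTPS as soon as it runs; `Wants=network-online.target` together with `After=network-online.target` is the documented way to wait for connectivity. The 1.5.0-1 changelog entry above says a `RestartForceExitStatus` setting was added to the service, yet this unit has no `Restart=` line at all, so either the changelog or the unit is out of date. Since the capability set is already reduced to `CAP_NET_BIND_SERVICE`, the unit would also benefit from the matching sandboxing directives: `NoNewPrivileges=yes`, `ProtectSystem=strict` with `ReadWritePaths=/var/lib/fort`, `ProtectHome=yes` and `PrivateTmp=yes`.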
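Review bot: the src/config.c hunk in debian/patches/program_defaults makes `/etc/tals` the compiled-in default for `rpki_config.tal` (and the man page hunks document it), but debian/fort.install ships the TALs under /etc/fort/tal and debian/config.json points there too, so `fort` run without the packaged configuration file will look in a directory this package never creates. Either install the TALs to /etc/tals or change the patch and the man page examples to /etc/fort/tal. Also confirm that no caller relied on `rpki_config.tal == NULL` meaning "not configured" (the 1.2.0-1 entry mentions startup validation of the `tal` argument), since that check now always sees a path; the added `goto revert_tal` and `revert_tal:` label do keep the cleanup chain consistent. One doc nit in the man hunk: the example under "Run FORT as standalone and using a SLURM file" now passes the directory `/etc/fort/slurm/`, so the wording should say directory.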
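Review bot: debian/rules uses an `execute_after_dh_install` target, which debhelper only honours from version 12.8; with `debhelper-compat (= 11)` and `debhelper (>= 11)` declared in debian/control an older debhelper ignores the target silently and CACHEDIR.TAG is never shipped. Raise the build dependency (for example `debhelper-compat (= 13)`) or use `override_dh_install:` that runs `dh_install` followed by the `printf`. The `override_dh_installsystemd` calling `dh_installsystemd --name fort` looks redundant: the package is `fort` and the unit is debian/fort.service, which the default invocation already installs under that name.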
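Review bot: debian/watch sets `opts=pgpsigurlmangle=s/$/.asc/`, which makes uscan verify the tarball against debian/upstream/signing-key.asc, a file this commit does not add; without it uscan fails on every run. Add the upstream maintainers' public key as debian/upstream/signing-key.asc (and confirm upstream actually publishes `.asc` signatures next to the release tarballs), or drop the option until they do.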
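Review bot: debian/copyright gives `Copyright: 2022 NIC Mexico` for `Files: *`, but the changelog in this same commit documents upstream releases since 2019 (including a 2020 entry about updating year references), so the range should match the years in the upstream source headers rather than a single year; likewise `Files: debian/*` credits only Alberto Leiva Popper 2022 although the changelog carries packaging entries by Francisco Moreno from 2019 to 2020.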