
Bug#638682: Higher severity



tags 638682 + patch
thanks

On 20/05/12 12:20, Joerg Jaspert wrote:

> at some point in the future we want to change to only use the "new"
> InRelease file. Which debootstrap currently does not support.
>
> This is not RC, so I set it to important only, but if we can have
> debootstrap additionally deal with InRelease shortly after wheezy, it
> would be nice.


It would be even nicer if we could get it in Wheezy so that we can use
it once Wheezy is released. Please find attached a preliminary patch
that adds support for InRelease files in debootstrap. Using the proposed
patch, I've been able to create "unstable" and "squeeze" chroots. It
makes debootstrap check for InRelease files first since they are
supposed to be the default some time in the future. Comments are welcome!

The patch can make use of "gpg" to extract the signed data from the
InRelease file. I'm not sure it is necessary since the rest works just
fine if given an InRelease file instead of a Release file. I kept that
part commented in the patch and leave this decision to the maintainer
since it would add a strong dependency on gnupg… which doesn't seem
necessary.

Regards,

--
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/
>From 89531acfb77c9b7bc5aca57c361c48dd63465a5d Mon Sep 17 00:00:00 2001
From: Mehdi Dogguy <mehdi@debian.org>
Date: Tue, 22 May 2012 12:18:31 +0200
Subject: [PATCH] Add support for InRelease files (Closes: #638682)

---
 debian/changelog |    7 ++++
 functions        |   93 ++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 70 insertions(+), 30 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 904f437..d437191 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.40+nmu1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Add support for InRelease files (Closes: #638682)
+
+ -- Mehdi Dogguy <mehdi@debian.org>  Tue, 22 May 2012 12:16:57 +0200
+
 debootstrap (1.0.40) unstable; urgency=low
 
   [ Joey Hess ]
diff --git a/functions b/functions
index ad7b211..89312af 100644
--- a/functions
+++ b/functions
@@ -480,57 +480,90 @@ get_release_checksum () {
 		done | head -n 1
 }
 
+extract_release_components () {
+	local reldest="$1"; shift
+	TMPCOMPONENTS="$(sed -n 's/Components: *//p' "$reldest")"
+	for c in $TMPCOMPONENTS ; do
+		eval "
+		case \"\$c\" in
+		    $USE_COMPONENTS)
+			COMPONENTS=\"\$COMPONENTS \$c\"
+			;;
+		esac
+		"
+	done
+	COMPONENTS="$(echo $COMPONENTS)"
+	if [ -z "$COMPONENTS" ]; then
+		mv "$reldest" "$reldest.malformed"
+		error 1 INVALIDREL "Invalid Release file, no valid components"
+	fi
+}
+
 download_release_sig () {
 	local m1="$1"
 	local reldest="$2"
-	local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
+	local relsigdest="$3"
+	local release_file_variant="$4"
 
 	if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
-		progress 0 100 DOWNRELSIG "Downloading Release file signature"
-		progress_next 50
-		get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
-			error 1 NOGETRELSIG "Failed getting release signature file %s" \
-			"$m1/dists/$SUITE/Release.gpg"
-		progress 50 100 DOWNRELSIG "Downloading Release file signature"
+		if [ "$release_file_variant" != "IN" ]; then
+			progress 0 100 DOWNRELSIG "Downloading Release file signature"
+			progress_next 50
+			get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
+				error 1 NOGETRELSIG "Failed getting release signature file %s" \
+				"$m1/dists/$SUITE/Release.gpg"
+			progress 50 100 DOWNRELSIG "Downloading Release file signature"
+		fi
 
 		info RELEASESIG "Checking Release signature"
-		# Don't worry about the exit status from gpgv; parsing the output will
-		# take care of that.
-		(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
-		 "$relsigdest" "$reldest" || true) | read_gpg_status
+		if [ "$release_file_variant" = "IN" ]; then
+			(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+			 "$relsigdest" || true) | read_gpg_status
+		else
+			# Don't worry about the exit status from gpgv; parsing the output will
+			# take care of that.
+			(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+			 "$relsigdest" "$reldest" || true) | read_gpg_status
+		fi
 		progress 100 100 DOWNRELSIG "Downloading Release file signature"
 	elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
 		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 	fi
+	if [ "$release_file_variant" = "IN" ]; then
+		# In both cases, we have to extract a Release file from the InRelease file
+		mv "$relsigdest" "$reldest"
+		# We redirect the output of gpg to /dev/null as it is useless at this stage
+		#if ! gpg --version >/dev/null 2>&1; then
+		#	error 1 NEEDGPGV "gnupg not installed, but required for InRelease extraction"
+		#else
+		#	(gpg --output "$reldest" --keyring "$KEYRING" --ignore-time-conflict \
+		#	 "$relsigdest" || true ) 2>/dev/null
+		#fi
+	fi
 }
 
 download_release_indices () {
 	local m1="${MIRRORS%% *}"
 	local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")"
+	local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")"
+	local relsigdest
+	local release_file_variant="IN"
 	progress 0 100 DOWNREL "Downloading Release file"
 	progress_next 100
-	get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
-		error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
-
-	TMPCOMPONENTS="$(sed -n 's/Components: *//p' "$reldest")"
-	for c in $TMPCOMPONENTS ; do
-		eval "
-		case \"\$c\" in
-		    $USE_COMPONENTS)
-			COMPONENTS=\"\$COMPONENTS \$c\"
-			;;
-		esac
-		"
-	done
-	COMPONENTS="$(echo $COMPONENTS)"
-
-	if [ -z "$COMPONENTS" ]; then
-		mv "$reldest" "$reldest.malformed"
-		error 1 INVALIDREL "Invalid Release file, no valid components"
+        if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
+		extract_release_components $inreldest
+		relsigdest="$inreldest"
+	else
+		warning RETRIEVING "Failed to retrieve InRelease"
+		get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+			error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
+		release_file_variant="GPG"
+		relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
+		extract_release_components $reldest
 	fi
 	progress 100 100 DOWNREL "Downloading Release file"
 
-	download_release_sig "$m1" "$reldest"
+	download_release_sig "$m1" "$reldest" "$relsigdest" "$release_file_variant"
 
 	local totalpkgs=0
 	for c in $COMPONENTS; do
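Review bot: in download_release_sig, the closing `if [ "$release_file_variant" = "IN" ]` block does `mv "$relsigdest" "$reldest"`, so the complete InRelease file, armor included, becomes the Release file that later code parses. gpgv only vouches for the text inside the clearsigned block; anything before the `-----BEGIN PGP SIGNED MESSAGE-----` line or after the signature is not covered by the signature, yet would be read as Release content (the unanchored `sed -n 's/Components: *//p'` in extract_release_components matches such lines as well). Please make extraction of the signed payload mandatory, or reject files that carry content outside the single signed block, rather than leaving the gpg step commented out; if the gpg variant is revived, drop its `|| true` and `2>/dev/null` so that a failed extraction is not silently ignored. Smaller points in download_release_indices: `extract_release_components $inreldest` and `extract_release_components $reldest` should quote their argument, the components are parsed before download_release_sig has checked the signature, and the `if get ...` line is indented with spaces where the rest of the file uses tabs.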
-- 
1.7.10
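The message above says the rest of debootstrap works when handed the InRelease file in place of Release. The following shell example is added here and is not part of the patch or of debootstrap (function names and sample files are constructed, and the signature block is a placeholder that gpgv would not accept): it checks that a file is exactly one clearsigned block and extracts only the signed text, and it shows what the patch's `Components:` parse sees when run over the whole file instead.

```shell
# Added example; function names and sample data are constructed here.
# Accept only a file that is exactly one clearsigned block: header on
# line 1, signature trailer on the last line, each marker seen once.
inrelease_is_strict() {
	awk '
	NR == 1 && $0 != "-----BEGIN PGP SIGNED MESSAGE-----" { bad = 1 }
	$0 == "-----BEGIN PGP SIGNED MESSAGE-----" { begin++ }
	$0 == "-----BEGIN PGP SIGNATURE-----" { sig++ }
	$0 == "-----END PGP SIGNATURE-----" { trail++; last = NR }
	END { exit !(!bad && begin == 1 && sig == 1 && trail == 1 && last == NR) }
	' "$1"
}

# Print only the signed text: lines after the blank line that ends the armor
# headers, up to the signature, with "- " dash-escaping undone.
# Meaningful only once gpgv has accepted the file.
inrelease_payload() {
	awk '
	$0 == "-----BEGIN PGP SIGNATURE-----" { exit }
	body { sub(/^- /, ""); print; next }
	seen && $0 == "" { body = 1 }
	$0 == "-----BEGIN PGP SIGNED MESSAGE-----" { seen = 1 }
	' "$1"
}

# The Components parse used in the patch, reading stdin.
components_of() { sed -n 's/Components: *//p'; }

# Constructed samples: "clean" is one block, "padded" has a line after it.
make_samples() {
	cat > "$1/clean" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Suite: unstable
Components: main contrib
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
EOF
	{ cat "$1/clean"; echo "Components: rogue"; } > "$1/padded"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in clean padded; do
	if inrelease_is_strict "$tmp/$f"; then verdict=accept; else verdict=reject; fi
	echo "$f: $verdict; whole-file parse: $(components_of < "$tmp/$f" | tr '\n' ' ')"
done
rm -rf "$tmp"
```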

