[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#638682: Higher severity

Mehdi Dogguy wrote:
> The patch can make use of "gpg" to extract the signed data from the
> InRelease file. I'm not sure it is necessary since the rest works just
> fine if given an InRelease file instead of a Release file. I kept that
> part commented in the patch and leave this decision to the maintainer
> since it would add a strong dependency on gnupg… which doesn't seem
> necessary.

debootstrap runs inside d-i which does not have gpg, only gpgv.
It cannot use gpg. 

> +	if [ "$release_file_variant" = "IN" ]; then
> +		# In both cases, we have to extract a Release file from the InRelease file

Says both cases, but only runs in for the inRelease case?

> +		# We redirect the output of gpg to /dev/null as it is useless at this stage
> +		#if ! gpg --version >/dev/null 2>&1; then
> +		#	error 1 NEEDGPGV "gnupg not installed, but required for InRelease extraction"
> +		#else
> +		#	(gpg --output "$reldest" --keyring "$KEYRING" --ignore-time-conflict \
> +		#	 "$relsigdest" || true ) 2>/dev/null
> +		#fi

I'd be inclined to remove this dead code.

> -	if [ -z "$COMPONENTS" ]; then
> -		mv "$reldest" "$reldest.malformed"
> -		error 1 INVALIDREL "Invalid Release file, no valid components"
> +        if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then

The above line is wrongly indented.

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: