debootstrap upload dropping InRelease handling ?
Hi -boot, -release and Julien,
as far as I read the flow of bugs on -boot, debootstrap is still affected by
#703889 which really needs fixing for a sane Wheezy. The patches stacked on
the debootstrap git repository (which drop the InRelease handling, as was done
in apt, attached) look sane to me. I have tested the patched debootstrap in
the two usual situations (d-i context, normal context) and it just worked, so
I'm in favour of pushing this to sid ASAP: it can't really be worse than now,
and we can still fix any breakage afterwards.
I do volunteer to upload debootstrap "as is on the git repository" to help
getting this fixed soon (if that helps); please comment.
Please
OdyX
From 56cd612223507d9744224ec4d7c0aa9c06cc9985 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 25 Mar 2013 14:31:44 +0100
Subject: [PATCH] Disable InRelease support.
gpgv won't give us back the signed data, and full gpg is not available
inside d-i (closes: #703889).
---
debian/changelog | 7 +++++++
debian/control | 4 ++--
functions | 47 +++++++++++++----------------------------------
3 files changed, 22 insertions(+), 36 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 97d9789..8dc903e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.48) UNRELEASED; urgency=low
+
+ * Disable InRelease support. gpgv won't give us back the signed data, and
+ full gpg is not available inside d-i (closes: #703889).
+
+ -- Julien Cristau <jcristau@debian.org> Mon, 25 Mar 2013 14:16:19 +0100
+
debootstrap (1.0.47) unstable; urgency=low
* Team upload
diff --git a/debian/control b/debian/control
index 41af2df..0894e08 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git
Package: debootstrap
Architecture: all
-Depends: ${misc:Depends}, wget, gnupg
-Recommends: ${keyring}
+Depends: ${misc:Depends}, wget
+Recommends: gnupg, ${keyring}
Description: Bootstrap a basic Debian system
debootstrap is used to create a Debian base system from scratch,
without requiring the availability of dpkg or apt. It does this by
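Review bot: The move of gnupg from Depends to Recommends in the `Package: debootstrap` stanza is not recorded in the changelog entry, which only mentions disabling InRelease support. Since this relaxes a hard dependency, add a changelog line for it and state why gnupg stays in Recommends now that the `gpg --output ... --decrypt` call is removed from functions and the remaining check invokes gpgv.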
diff --git a/functions b/functions
index 1dc0f87..068aa06 100644
--- a/functions
+++ b/functions
@@ -503,60 +503,39 @@ download_release_sig () {
local m1="$1"
local reldest="$2"
local relsigdest="$3"
- local release_file_variant="$4"
if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
- if [ "$release_file_variant" != "IN" ]; then
- progress 0 100 DOWNRELSIG "Downloading Release file signature"
- progress_next 50
- get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
- error 1 NOGETRELSIG "Failed getting release signature file %s" \
- "$m1/dists/$SUITE/Release.gpg"
- progress 50 100 DOWNRELSIG "Downloading Release file signature"
- fi
+ progress 0 100 DOWNRELSIG "Downloading Release file signature"
+ progress_next 50
+ get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
+ error 1 NOGETRELSIG "Failed getting release signature file %s" \
+ "$m1/dists/$SUITE/Release.gpg"
+ progress 50 100 DOWNRELSIG "Downloading Release file signature"
info RELEASESIG "Checking Release signature"
# Don't worry about the exit status from gpgv; parsing the output will
# take care of that.
- if [ "$release_file_variant" = "IN" ]; then
- (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
- "$relsigdest" || true) | read_gpg_status
- else
- (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
- "$relsigdest" "$reldest" || true) | read_gpg_status
- fi
+ (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+ "$relsigdest" "$reldest" || true) | read_gpg_status
progress 100 100 DOWNRELSIG "Downloading Release file signature"
elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
fi
- if [ "$release_file_variant" = "IN" ]; then
- rm -f $reldest
- gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
- fi
}
download_release_indices () {
local m1="${MIRRORS%% *}"
local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")"
- local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")"
local relsigdest
- local release_file_variant="IN"
progress 0 100 DOWNREL "Downloading Release file"
progress_next 100
- if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
- extract_release_components $inreldest
- relsigdest="$inreldest"
- else
- info RETRIEVING "Failed to retrieve InRelease"
- get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
- error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
- release_file_variant="GPG"
- relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
- extract_release_components $reldest
- fi
+ get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+ error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
+ relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
+ extract_release_components $reldest
progress 100 100 DOWNREL "Downloading Release file"
- download_release_sig "$m1" "$reldest" "$relsigdest" "$release_file_variant"
+ download_release_sig "$m1" "$reldest" "$relsigdest"
local totalpkgs=0
for c in $COMPONENTS; do
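Review bot: In download_release_indices, `extract_release_components $reldest` still runs before `download_release_sig`, so the Release file is parsed before its signature has been checked. Move the call below download_release_sig so that nothing is read from Release until verification has run, and quote the argument as "$reldest" while touching the line.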
--
1.7.2.5
From 4b40f90ddbe5ce9ee74aec781abb5419e9b43918 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 25 Mar 2013 15:20:31 +0100
Subject: [PATCH] Move extract_release_components to after signature verification.
Suggested by Ansgar Burchardt.
---
debian/changelog | 2 ++
functions | 3 ++-
2 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8dc903e..1449609 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ debootstrap (1.0.48) UNRELEASED; urgency=low
* Disable InRelease support. gpgv won't give us back the signed data, and
full gpg is not available inside d-i (closes: #703889).
+ * Move extract_release_components to after signature verification.
+ Suggested by Ansgar Burchardt.
-- Julien Cristau <jcristau@debian.org> Mon, 25 Mar 2013 14:16:19 +0100
diff --git a/functions b/functions
index 068aa06..2dc777d 100644
--- a/functions
+++ b/functions
@@ -532,11 +532,12 @@ download_release_indices () {
get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
- extract_release_components $reldest
progress 100 100 DOWNREL "Downloading Release file"
download_release_sig "$m1" "$reldest" "$relsigdest"
+ extract_release_components $reldest
+
local totalpkgs=0
for c in $COMPONENTS; do
local subpath="$c/binary-$ARCH/Packages"
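Review bot: The relocated `extract_release_components $reldest` is only protected if download_release_sig stops the run on a bad signature, and the lines shown do not establish that: in the previous patch's context gpgv's exit status is discarded with `|| true` and the verdict is left to read_gpg_status as the last stage of a pipeline. Confirm that a failure reported there aborts instead of returning to this caller, add a short comment at the call site saying the extraction must stay after verification, and quote "$reldest".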
--
1.7.2.5