
debootstrap upload dropping InRelease handling ?



Hi -boot, -release and Julien,

as far as I read the flow of bugs on -boot, debootstrap is still affected by 
#703889 which really needs fixing for a sane Wheezy. The patches stacked on 
the debootstrap git repository (which drop the InRelease handling, as was done 
in apt, attached) look sane to me. I have tested the patched debootstrap in 
the two usual situations (d-i context, normal context) and it just worked, so 
I'm in favour of pushing this to sid ASAP: it can't really be worse than now, 
and we can still fix any breakage afterwards.

I do volunteer to upload debootstrap "as is on the git repository" to help 
getting this fixed soon (if that helps); please comment.

Please 

OdyX
From 56cd612223507d9744224ec4d7c0aa9c06cc9985 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 25 Mar 2013 14:31:44 +0100
Subject: [PATCH] Disable InRelease support.

gpgv won't give us back the signed data, and full gpg is not available
inside d-i (closes: #703889).
---
 debian/changelog |    7 +++++++
 debian/control   |    4 ++--
 functions        |   47 +++++++++++++----------------------------------
 3 files changed, 22 insertions(+), 36 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 97d9789..8dc903e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.48) UNRELEASED; urgency=low
+
+  * Disable InRelease support.  gpgv won't give us back the signed data, and
+    full gpg is not available inside d-i (closes: #703889).
+
+ -- Julien Cristau <jcristau@debian.org>  Mon, 25 Mar 2013 14:16:19 +0100
+
 debootstrap (1.0.47) unstable; urgency=low
 
   * Team upload
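
Review bot: The new 1.0.48 entry does not mention the debian/control change made in this same patch (gnupg moved from Depends to Recommends). Add a bullet for it so the dependency change is recorded alongside the InRelease removal.
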
diff --git a/debian/control b/debian/control
index 41af2df..0894e08 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git
 
 Package: debootstrap
 Architecture: all
-Depends: ${misc:Depends}, wget, gnupg
-Recommends: ${keyring}
+Depends: ${misc:Depends}, wget
+Recommends: gnupg, ${keyring}
 Description: Bootstrap a basic Debian system
  debootstrap is used to create a Debian base system from scratch,
  without requiring the availability of dpkg or apt. It does this by
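
Review bot: With gnupg demoted to Recommends, a system installed without recommended packages may lack the verifier that download_release_sig in functions still calls. This series removes the only `gpg --decrypt` call and keeps `gpgv`, so please confirm which package ships gpgv and name that one here. Also confirm that a missing gpgv makes read_gpg_status fail rather than pass silently, since the gpgv exit status is discarded with `|| true`.
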
diff --git a/functions b/functions
index 1dc0f87..068aa06 100644
--- a/functions
+++ b/functions
@@ -503,60 +503,39 @@ download_release_sig () {
 	local m1="$1"
 	local reldest="$2"
 	local relsigdest="$3"
-	local release_file_variant="$4"
 
 	if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
-		if [ "$release_file_variant" != "IN" ]; then
-			progress 0 100 DOWNRELSIG "Downloading Release file signature"
-			progress_next 50
-			get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
-				error 1 NOGETRELSIG "Failed getting release signature file %s" \
-				"$m1/dists/$SUITE/Release.gpg"
-			progress 50 100 DOWNRELSIG "Downloading Release file signature"
-		fi
+		progress 0 100 DOWNRELSIG "Downloading Release file signature"
+		progress_next 50
+		get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
+			error 1 NOGETRELSIG "Failed getting release signature file %s" \
+			"$m1/dists/$SUITE/Release.gpg"
+		progress 50 100 DOWNRELSIG "Downloading Release file signature"
 
 		info RELEASESIG "Checking Release signature"
 		# Don't worry about the exit status from gpgv; parsing the output will
 		# take care of that.
-		if [ "$release_file_variant" = "IN" ]; then
-			(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
-			 "$relsigdest" || true) | read_gpg_status
-		else
-			(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
-			 "$relsigdest" "$reldest" || true) | read_gpg_status
-		fi
+		(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+		 "$relsigdest" "$reldest" || true) | read_gpg_status
 		progress 100 100 DOWNRELSIG "Downloading Release file signature"
 	elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
 		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 	fi
-	if [ "$release_file_variant" = "IN" ]; then
-		rm -f $reldest
-                gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
-	fi
 }
 
 download_release_indices () {
 	local m1="${MIRRORS%% *}"
 	local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")"
-	local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")"
 	local relsigdest
-	local release_file_variant="IN"
 	progress 0 100 DOWNREL "Downloading Release file"
 	progress_next 100
-	if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
-		extract_release_components $inreldest
-		relsigdest="$inreldest"
-	else
-		info RETRIEVING "Failed to retrieve InRelease"
-		get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
-			error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
-		release_file_variant="GPG"
-		relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
-		extract_release_components $reldest
-	fi
+	get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+		error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
+	relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
+	extract_release_components $reldest
 	progress 100 100 DOWNREL "Downloading Release file"
 
-	download_release_sig "$m1" "$reldest" "$relsigdest" "$release_file_variant"
+	download_release_sig "$m1" "$reldest" "$relsigdest"
 
 	local totalpkgs=0
 	for c in $COMPONENTS; do
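
Review bot: In download_release_indices, `extract_release_components $reldest` still runs before `download_release_sig`, so the Release file is parsed before its signature has been checked. Move the call to after download_release_sig (the follow-up patch in this mail does this). Separately, `$reldest` is unquoted in that call while the same variable is quoted in the get and download_release_sig calls.
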
-- 
1.7.2.5

From 4b40f90ddbe5ce9ee74aec781abb5419e9b43918 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 25 Mar 2013 15:20:31 +0100
Subject: [PATCH] Move extract_release_components to after signature verification.

Suggested by Ansgar Burchardt.
---
 debian/changelog |    2 ++
 functions        |    3 ++-
 2 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 8dc903e..1449609 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ debootstrap (1.0.48) UNRELEASED; urgency=low
 
   * Disable InRelease support.  gpgv won't give us back the signed data, and
     full gpg is not available inside d-i (closes: #703889).
+  * Move extract_release_components to after signature verification.
+    Suggested by Ansgar Burchardt.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 25 Mar 2013 14:16:19 +0100
 
diff --git a/functions b/functions
index 068aa06..2dc777d 100644
--- a/functions
+++ b/functions
@@ -532,11 +532,12 @@ download_release_indices () {
 	get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
 		error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
 	relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
-	extract_release_components $reldest
 	progress 100 100 DOWNREL "Downloading Release file"
 
 	download_release_sig "$m1" "$reldest" "$relsigdest"
 
+	extract_release_components $reldest
+
 	local totalpkgs=0
 	for c in $COMPONENTS; do
 		local subpath="$c/binary-$ARCH/Packages"
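
Review bot: Placing `extract_release_components $reldest` after `download_release_sig` only guarantees that verified data is parsed if download_release_sig aborts on a bad signature. gpgv's exit status is discarded with `|| true`, so that depends entirely on read_gpg_status; a short comment above the moved line stating this dependency would help. Quote the argument as "$reldest" while the line is being touched.
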
-- 
1.7.2.5