
Bug#819586: debian-installer-netboot-images: unhelpful handling of GPG errors



Source: debian-installer-netboot-images
Version: 20120712
Severity: serious
Justification: silently ignores failures, creating broken packages

Hi,

Whilst preparing the dini uploads for the upcoming point releases, on
debdiffing the binary packages against the previous versions I noticed
that one of them seemed to have lost all of its files and had an
Installed-Size of 32.

Checking the build log, I found that this was due to one of the Release
file checks failing with:

gpgv: BAD signature from "Debian Archive Automatic Signing Key
(7.0/wheezy) <ftpmaster@debian.org>"

(This appears to have been an issue with a particular mirror, fwiw.)

The checks in get-images.sh do:

if gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg $RELEASE_FILE.gpg $RELEASE_FILE ; then
	get_di_built_using $1
	get_installer $1
fi

Whilst a failure to verify the Release signature does mean that we don't
attempt to build an image using untrusted inputs, the package build
continues with no sign of a problem having occurred until the binary
packages are examined.

Regards,

Adam
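Added example, not part of the bug report or of the dini package's get-images.sh: a fail-loud form of the Release check described above. The gpgv invocation is wrapped in a function that prints a clear diagnostic and returns nonzero on a missing file or a BAD signature, and the per-architecture step propagates that failure so the package build aborts instead of quietly shipping an empty package. The GPGV and WORKDIR variables are assumptions introduced here so the wrapper can be exercised without a real keyring; in production GPGV is just the gpgv binary. The get_di_built_using and get_installer calls from the original script are left as a comment because their bodies are not on the page.

```shell
#!/bin/sh
# Added example (not the dini package's own get-images.sh): abort the build
# when the Release signature does not verify, rather than silently skipping
# the architecture and producing an empty binary package.
set -eu

# Assumed hooks: GPGV lets a caller substitute a stand-in verifier for
# offline testing; WORKDIR is where the downloaded Release files live.
GPGV=${GPGV:-gpgv}
KEYRING=${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}
WORKDIR=${WORKDIR:-.}

# verify_release KEYRING SIGFILE RELEASEFILE
# Returns 0 only when the detached signature verifies against KEYRING.
# Every failure path prints a diagnostic naming the file and returns 1,
# so a caller running under `set -e` (or using `|| exit 1`) stops here.
verify_release() {
    keyring=$1
    sigfile=$2
    release=$3

    # A missing or empty Release/Release.gpg is a download or mirror
    # problem, not a signature problem; report it distinctly.
    if [ ! -s "$release" ] || [ ! -s "$sigfile" ]; then
        echo "ERROR: missing or empty Release file or signature: $release" >&2
        return 1
    fi

    # gpgv exits nonzero on a BAD signature or an unknown key; surface that
    # instead of letting the build continue as if nothing happened.
    if ! "$GPGV" --keyring "$keyring" "$sigfile" "$release"; then
        echo "ERROR: signature verification FAILED for $release" >&2
        return 1
    fi

    echo "OK: verified $release"
    return 0
}

# build_arch ARCH
# The shape the per-architecture step could take: verification failure is
# fatal to this step, and the top-level loop makes it fatal to the build.
build_arch() {
    arch=$1
    rel="$WORKDIR/$arch/Release"
    verify_release "$KEYRING" "$rel.gpg" "$rel" || return 1
    # Original steps from get-images.sh would follow here:
    #   get_di_built_using "$arch"
    #   get_installer "$arch"
    return 0
}

# When run directly with architectures as arguments, stop at the first
# failure with a nonzero exit status so the package build fails visibly.
if [ $# -gt 0 ]; then
    for arch in "$@"; do
        build_arch "$arch" || { echo "ERROR: build aborted at $arch" >&2; exit 1; }
    done
fi
```

Run it as `WORKDIR=/path/to/downloads ./check.sh amd64 i386`; with the real gpgv the BAD-signature case in the report now terminates the build with a nonzero exit and an ERROR line in the log, which is what debdiff would otherwise have had to reveal after the fact.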

