Re: Updated GnuPG::Interface

To: gregor herrmann <gregoa@debian.org>
Cc: debian-perl@lists.debian.org
Subject: Re: Updated GnuPG::Interface
From: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu, 23 Jul 2020 23:55:06 +1200
Message-id: <[🔎] be115b3a509bccbf3a4679df280697fc65f60baa.camel@etc.gen.nz>
In-reply-to: <[🔎] 20200721172924.GH31775@jadzia.comodo.priv.at>
References: <[🔎] e69708b9bc4f7cb849301c2e48811ad06d637074.camel@etc.gen.nz> <[🔎] 20200705135716.GD31775@jadzia.comodo.priv.at> <[🔎] c7c528a62fa7fb50edf66b4533466aa0b0c294a8.camel@etc.gen.nz> <[🔎] 20200721172924.GH31775@jadzia.comodo.priv.at>

On Tue, 2020-07-21 at 19:29 +0200, gregor herrmann wrote:
> On Tue, 21 Jul 2020 19:02:12 +1200, Andrew Ruthven wrote:
> 
> > I've pushed a commit to libgnupg-interface-perl which resolves this
> > behaviour. We also now test libgnupg-interface-perl against both
> > versions of GnuPG.
> > 
> > If someone could please review and (hopefully) upload the package,
> > that'd be much appreciated.
> 
> Looks good to me in general.
> 
> Some thoughts:
> 
> - Does this also fix #964878?

Sadly no it doesn't. Bug #964878 is caused because monkeysphere-
validation-agent uses -T. GnuPG::Interface tries to use $ENV{PATH} -
which hasn't been untainted - to find gpg.

We have two options here. Either
patch /usr/share/perl5/Crypt/Monkeysphere/MSVA.pm in msva-perl to use
the full path to /usr/bin/gpg when GnuPG::Interface. Or we modify
GnuPG::Interface to use the full path instead of just running "gpg".

I'm leaning towards the later as otherwise we'll be playing whack-a-
mole for any other Perl programs that use Taint. Thoughts?

I'm happy to prepare that patch.

> - Could you forward the relevant patches upstream (to the CPAN RT
>   issue)? Then we can wait a bit and see if there are reactions
>   before uploading.

I already have. ;) No response from upstream for the first one which I
uploaded 5 days ago.

Fix for RT4 breakage: https://rt.cpan.org/Ticket/Display.html?id=133021
Fix for below warning: https://rt.cpan.org/Ticket/Display.html?d=133039

> - The tests throw some warnings:
> 
> Can't exec "gnupg": No such file or directory at /build/libgnupg-
> interface-perl-1.00/blib/lib/GnuPG/Interface.pm line 343.
> Use of uninitialized value $a in split at /build/libgnupg-interface-
> perl-1.00/blib/lib/GnuPG/Interface.pm line 829, <GEN5> line 1.
> Use of uninitialized value $a in split at /build/libgnupg-interface-
> perl-1.00/blib/lib/GnuPG/Interface.pm line 829, <GEN5> line 1.
> 
>   (So the same for gpg2 and gpg1). Is this expected/harmless/…?

It is harmless, but I agree it is off putting. I have added a patch
which causes these warnings to be suppressed.

> - Not sure if CALL is the nicest possible name for the env var but
>   that's bikeshedding territory :)

I am open to suggestions, but since it is the string to be passed in to
the call parameter, it seemed reasonable to me.

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
andrew@etc.gen.nz              |
Catalyst Cloud:                | This space intentionally left blank
   https://catalystcloud.nz    |

Reply to:

Follow-Ups:
- Re: Updated GnuPG::Interface
  - From: Andrew Ruthven <andrew@etc.gen.nz>
- Re: Updated GnuPG::Interface
  - From: gregor herrmann <gregoa@debian.org>

References:
- Updated GnuPG::Interface
  - From: Andrew Ruthven <andrew@etc.gen.nz>
- Re: Updated GnuPG::Interface
  - From: gregor herrmann <gregoa@debian.org>
- Re: Updated GnuPG::Interface
  - From: Andrew Ruthven <andrew@etc.gen.nz>
- Re: Updated GnuPG::Interface
  - From: gregor herrmann <gregoa@debian.org>

Prev by Date: Re: ripit: Unescaped left brace in regex will be fatal in Perl 5.32
Next by Date: Re: Updated GnuPG::Interface
Previous by thread: Re: Updated GnuPG::Interface
Next by thread: Re: Updated GnuPG::Interface
Index(es):
- Date
- Thread