Bug#775717: unblock: weboob/1.0-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
The package weboob has been marked for autoremoval because of an RC bug, which
reports that weboob applications don't ask the user before accepting the
keyring of a new modules repository:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774838
To fix it, I've applied an upstream patch that displays the fingerprint of a
new repository's keyring and lets the user accept or reject it.
Please unblock package weboob to allow it to re-enter jessie.
diff -Nru weboob-1.0/debian/changelog weboob-1.0/debian/changelog
--- weboob-1.0/debian/changelog 2014-12-10 10:05:31.000000000 +0100
+++ weboob-1.0/debian/changelog 2015-01-18 19:56:20.000000000 +0100
@@ -1,3 +1,11 @@
+weboob (1.0-3) unstable; urgency=medium
+
+ *debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch:
+ prompt user to accept an untrusted keyring when updating repositories
+ (Closes: #774838).
+
+ -- Romain Bignon <romain@symlink.me> Sun, 18 Jan 2015 16:07:58 +0100
+
weboob (1.0-2) unstable; urgency=low
* debian/patches/0003-fix-compatibility-with-a-patch-introduced-by-768611.patch:
diff -Nru weboob-1.0/debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch weboob-1.0/debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch
--- weboob-1.0/debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch 1970-01-01 01:00:00.000000000 +0100
+++ weboob-1.0/debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch 2015-01-18 19:56:20.000000000 +0100
@@ -0,0 +1,183 @@
+From: Romain Bignon <romain@budget-insight.com>
+Date: Fri, 16 Jan 2015 12:21:51 +0100
+Subject: prompt user to accept an untrusted keyring
+
+---
+ weboob/applications/weboobcfg/weboobcfg.py | 3 ++-
+ weboob/core/repositories.py | 25 ++++++++++++++++---------
+ weboob/tools/application/console.py | 20 +++++++++++++++++---
+ weboob/tools/application/qt/backendcfg.py | 5 +++++
+ 4 files changed, 40 insertions(+), 13 deletions(-)
+
+diff --git a/weboob/applications/weboobcfg/weboobcfg.py b/weboob/applications/weboobcfg/weboobcfg.py
+index 822325c..3c4e96b 100644
+--- a/weboob/applications/weboobcfg/weboobcfg.py
++++ b/weboob/applications/weboobcfg/weboobcfg.py
+@@ -25,6 +25,7 @@ import re
+ from weboob.capabilities.account import CapAccount
+ from weboob.core.modules import ModuleLoadError
+ from weboob.tools.application.repl import ReplApplication
++from weboob.tools.application.console import ConsoleProgress
+ from weboob.tools.ordereddict import OrderedDict
+
+
+@@ -261,4 +262,4 @@ class WeboobCfg(ReplApplication):
+
+ Update weboob.
+ """
+- self.weboob.update()
++ self.weboob.update(ConsoleProgress(self))
+diff --git a/weboob/core/repositories.py b/weboob/core/repositories.py
+index dbf7448..89ff23f 100644
+--- a/weboob/core/repositories.py
++++ b/weboob/core/repositories.py
+@@ -26,6 +26,7 @@ import re
+ import sys
+ import os
+ import subprocess
++import hashlib
+ from datetime import datetime
+ from contextlib import closing
+ from compileall import compile_dir
+@@ -180,7 +181,7 @@ class Repository(object):
+ # Save the repository index in ~/.weboob/repositories/
+ self.save(repo_path, private=True)
+
+- def retrieve_keyring(self, browser, keyring_path):
++ def retrieve_keyring(self, browser, keyring_path, progress):
+ # ignore local
+ if self.local:
+ return
+@@ -202,11 +203,11 @@ class Repository(object):
+ if keyring.exists():
+ if not keyring.is_valid(keyring_data, sig_data):
+ raise InvalidSignature('the keyring itself')
+- print('The keyring was updated (and validated by the previous one).')
+- else:
+- print('First time saving the keyring, blindly accepted.')
++ progress.progress(0.0, 'The keyring was updated (and validated by the previous one).')
++ elif not progress.prompt('The repository %s isn\'t trusted yet.\nFingerprint of keyring is %s\nAre you sure you want to continue?' % (self.url, hashlib.sha1(keyring_data).hexdigest())):
++ raise RepositoryUnavailable('Repository not trusted')
+ keyring.save(keyring_data, self.key_update)
+- print(keyring)
++ progress.progress(0.0, str(keyring))
+
+ def parse_index(self, fp):
+ """
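Review bot: The fingerprint shown by the new prompt in `retrieve_keyring` is `hashlib.sha1(keyring_data).hexdigest()`, a SHA-1 digest of the raw downloaded bytes rather than the OpenPGP fingerprints of the keys inside the keyring. The user can therefore only verify it if the repository publishes that exact digest through a separate channel, and the prompt text does not say where to find the expected value. SHA-1 is also a weak basis for a trust decision; `hashlib.sha256(keyring_data).hexdigest()` is a drop-in change. `Keyring.__str__` in the later hunk of this file should switch with it so the two displayed checksums stay comparable. The body of `retrieve_keyring` begins before this hunk.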
+@@ -378,6 +379,9 @@ class IProgress(object):
+ def error(self, message):
+ raise NotImplementedError()
+
++ def prompt(self, message):
++ raise NotImplementedError()
++
+ def __repr__(self):
+ return '<%s>' % self.__class__.__name__
+
+@@ -389,6 +393,10 @@ class PrintProgress(IProgress):
+ def error(self, message):
+ print('ERROR: %s' % message, file=sys.stderr)
+
++ def prompt(self, message):
++ print('%s (Y/n): *** ASSUMING YES ***' % message)
++ return True
++
+
+ class ModuleInstallError(Exception):
+ pass
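Review bot: `PrintProgress.prompt` prints `*** ASSUMING YES ***` and returns `True`, so any caller that ends up with a `PrintProgress` observer still accepts a first-seen keyring without consent. That is the behaviour the referenced bug is about. Which code paths still fall back to `PrintProgress` is not visible in this patch. If any non-interactive path does, failing closed is the safer default: `print('%s (y/N): *** ASSUMING NO ***' % message)` followed by `return False`, which leaves acceptance to front ends that can actually ask.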
+@@ -579,7 +587,7 @@ class Repositories(object):
+ try:
+ repository.retrieve_index(self.browser, repo_path)
+ if gpgv:
+- repository.retrieve_keyring(self.browser, keyring_path)
++ repository.retrieve_keyring(self.browser, keyring_path, progress)
+ else:
+ progress.error('Cannot find gpgv to check for repository authenticity.\n'
+ 'You should install GPG for better security.')
+@@ -610,7 +618,7 @@ class Repositories(object):
+ :param progress: observer object.
+ :type progress: :class:`IProgress`
+ """
+- self.update_repositories()
++ self.update_repositories(progress)
+
+ to_update = []
+ for name, info in self.get_all_modules_info().iteritems():
+@@ -792,8 +800,7 @@ class Keyring(object):
+
+ def __str__(self):
+ if self.exists():
+- with open(self.vpath, 'r') as f:
+- import hashlib
++ with open(self.path, 'r') as f:
+ h = hashlib.sha1(f.read()).hexdigest()
+ return 'Keyring version %s, checksum %s' % (self.version, h)
+ return 'NO KEYRING'
+diff --git a/weboob/tools/application/console.py b/weboob/tools/application/console.py
+index 35c9cf9..5e9e892 100644
+--- a/weboob/tools/application/console.py
++++ b/weboob/tools/application/console.py
+@@ -31,7 +31,7 @@ from weboob.capabilities import UserError
+ from weboob.capabilities.account import CapAccount, Account, AccountRegisterError
+ from weboob.core.backendscfg import BackendAlreadyExists
+ from weboob.core.modules import ModuleLoadError
+-from weboob.core.repositories import ModuleInstallError
++from weboob.core.repositories import ModuleInstallError, IProgress
+ from weboob.exceptions import BrowserUnavailable, BrowserIncorrectPassword, BrowserForbidden, BrowserSSLError
+ from weboob.tools.value import Value, ValueBool, ValueFloat, ValueInt, ValueBackendPassword
+ from weboob.tools.misc import to_unicode
+@@ -55,6 +55,20 @@ class BackendNotFound(Exception):
+ pass
+
+
++class ConsoleProgress(IProgress):
++ def __init__(self, app):
++ self.app = app
++
++ def progress(self, percent, message):
++ self.app.stdout.write('=== [%3.0f%%] %s\n' % (percent*100, message))
++
++ def error(self, message):
++ self.app.stderr.write('ERROR: %s\n' % message)
++
++ def prompt(self, message):
++ return self.app.ask(message, default=True)
++
++
+ class ConsoleApplication(Application):
+ """
+ Base application class for CLI applications.
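Review bot: `ConsoleProgress.prompt` calls `self.app.ask(message, default=True)`, which presumably means that pressing Enter without reading accepts the untrusted keyring. A trust decision should default to refusal: `return self.app.ask(message, default=False)`. The Qt `ProgressDialog.prompt` hunk in `backendcfg.py` has the same gap, since `QMessageBox.question` is called with an empty title and no default button. Passing `QMessageBox.No` as the default-button argument would make refusal the default there as well.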
+@@ -288,7 +302,7 @@ class ConsoleApplication(Application):
+
+ def install_module(self, name):
+ try:
+- self.weboob.repositories.install(name)
++ self.weboob.repositories.install(name, ConsoleProgress(self))
+ except ModuleInstallError as e:
+ print('Unable to install module "%s": %s' % (name, e), file=self.stderr)
+ return False
+@@ -562,7 +576,7 @@ class ConsoleApplication(Application):
+
+ minfo = self.weboob.repositories.get_module_info(backend.NAME)
+ if minfo and not minfo.is_local():
+- self.weboob.repositories.update_repositories()
++ self.weboob.repositories.update_repositories(ConsoleProgress(self))
+
+ # minfo of the new available module
+ minfo = self.weboob.repositories.get_module_info(backend.NAME)
+diff --git a/weboob/tools/application/qt/backendcfg.py b/weboob/tools/application/qt/backendcfg.py
+index fc5531a..0b8db78 100644
+--- a/weboob/tools/application/qt/backendcfg.py
++++ b/weboob/tools/application/qt/backendcfg.py
+@@ -80,6 +80,11 @@ class ProgressDialog(IProgress, QProgressDialog):
+ def error(self, message):
+ QMessageBox.critical(self, self.tr('Error'), '%s' % message, QMessageBox.Ok)
+
++ def prompt(self, message):
++ reply = QMessageBox.question(self, '', unicode(message), QMessageBox.Yes|QMessageBox.No)
++
++ return reply == QMessageBox.Yes
++
+
+ class BackendCfg(QDialog):
+ def __init__(self, weboob, caps=None, parent=None):
diff -Nru weboob-1.0/debian/patches/series weboob-1.0/debian/patches/series
--- weboob-1.0/debian/patches/series 2014-12-10 10:05:31.000000000 +0100
+++ weboob-1.0/debian/patches/series 2015-01-18 19:56:20.000000000 +0100
@@ -1,3 +1,4 @@
0001-Set-copyright-in-applications.patch
0002-fix-StatusField-to-be-a-BaseObject.patch
0003-fix-compatibility-with-a-patch-introduced-by-768611.patch
+0004-prompt-user-to-accept-an-untrusted-keyring.patch
unblock weboob/1.0-3
Regards,
Romain
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)