Hi -boot, -release and Julien,

as far as I read the flow of bugs on -boot, debootstrap is still affected by #703889 which really needs fixing for a sane Wheezy. The patches stacked on the debootstrap git repository (which drop the InRelease handling, as was done in apt, attached) look sane to me.

I have tested the patched debootstrap in the two usual situations (d-i context, normal context) and it just worked, so I'm in favour of pushing this to sid ASAP: it can't really be worse than now, and we can still fix any breakage afterwards.
I do volunteer to upload debootstrap "as is on the git repository" to help getting this fixed soon (if that helps); please comment. Please OdyX
From 56cd612223507d9744224ec4d7c0aa9c06cc9985 Mon Sep 17 00:00:00 2001 From: Julien Cristau <jcris...@debian.org> Date: Mon, 25 Mar 2013 14:31:44 +0100 Subject: [PATCH] Disable InRelease support. gpgv won't give us back the signed data, and full gpg is not available inside d-i (closes: #703889). --- debian/changelog | 7 +++++++ debian/control | 4 ++-- functions | 47 +++++++++++++---------------------------------- 3 files changed, 22 insertions(+), 36 deletions(-) diff --git a/debian/changelog b/debian/changelog index 97d9789..8dc903e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +debootstrap (1.0.48) UNRELEASED; urgency=low + + * Disable InRelease support. gpgv won't give us back the signed data, and + full gpg is not available inside d-i (closes: #703889). + + -- Julien Cristau <jcris...@debian.org> Mon, 25 Mar 2013 14:16:19 +0100 + debootstrap (1.0.47) unstable; urgency=low * Team upload diff --git a/debian/control b/debian/control index 41af2df..0894e08 100644 --- a/debian/control +++ b/debian/control @@ -10,8 +10,8 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git Package: debootstrap Architecture: all -Depends: ${misc:Depends}, wget, gnupg -Recommends: ${keyring} +Depends: ${misc:Depends}, wget +Recommends: gnupg, ${keyring} Description: Bootstrap a basic Debian system debootstrap is used to create a Debian base system from scratch, without requiring the availability of dpkg or apt. It does this by diff --git a/functions b/functions index 1dc0f87..068aa06 100644 --- a/functions +++ b/functions 
@@ -503,60 +503,39 @@ download_release_sig () { local m1="$1" local reldest="$2" local relsigdest="$3" - local release_file_variant="$4" if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then - if [ "$release_file_variant" != "IN" ]; then - progress 0 100 DOWNRELSIG "Downloading Release file signature" - progress_next 50 - get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache || - error 1 NOGETRELSIG "Failed getting release signature file %s" \ - "$m1/dists/$SUITE/Release.gpg" - progress 50 100 DOWNRELSIG "Downloading Release file signature" - fi + progress 0 100 DOWNRELSIG "Downloading Release file signature" + progress_next 50 + get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache || + error 1 NOGETRELSIG "Failed getting release signature file %s" \ + "$m1/dists/$SUITE/Release.gpg" + progress 50 100 DOWNRELSIG "Downloading Release file signature" info RELEASESIG "Checking Release signature" # Don't worry about the exit status from gpgv; parsing the output will # take care of that. 
- if [ "$release_file_variant" = "IN" ]; then - (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \ - "$relsigdest" || true) | read_gpg_status - else - (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \ - "$relsigdest" "$reldest" || true) | read_gpg_status - fi + (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \ + "$relsigdest" "$reldest" || true) | read_gpg_status progress 100 100 DOWNRELSIG "Downloading Release file signature" elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED" fi - if [ "$release_file_variant" = "IN" ]; then - rm -f $reldest - gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest" - fi } download_release_indices () { local m1="${MIRRORS%% *}" local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")" - local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")" local relsigdest - local release_file_variant="IN" progress 0 100 DOWNREL "Downloading Release file" progress_next 100 - if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then - extract_release_components $inreldest - relsigdest="$inreldest" - else - info RETRIEVING "Failed to retrieve InRelease" - get "$m1/dists/$SUITE/Release" "$reldest" nocache || - error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release" - release_file_variant="GPG" - relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")" - extract_release_components $reldest - fi + get "$m1/dists/$SUITE/Release" "$reldest" nocache || + error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release" + relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")" + extract_release_components $reldest progress 100 100 DOWNREL "Downloading Release file" - download_release_sig "$m1" "$reldest" "$relsigdest" "$release_file_variant" + 
download_release_sig "$m1" "$reldest" "$relsigdest" local totalpkgs=0 for c in $COMPONENTS; do -- 1.7.2.5
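Review bot: in debian/control, gnupg moves from Depends to Recommends, yet download_release_sig in functions still calls gpgv whenever $KEYRING is set and $DISABLE_KEYRING is empty. Because the call is wrapped as (gpgv ... || true) | read_gpg_status, a missing gpgv binary yields no status output rather than a visible failure, so the outcome rests entirely on how read_gpg_status treats empty input, which this patch does not show. Suggest checking for gpgv explicitly before the verification step and calling error if it is absent, or stating in the changelog entry which package is expected to provide it.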
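Review bot: in download_release_indices, extract_release_components $reldest still runs before download_release_sig "$m1" "$reldest" "$relsigdest", so fields of the Release file are parsed before its detached signature has been checked. Suggest moving the extract_release_components call to after download_release_sig returns, and quoting "$reldest" there as is done in the get and download_release_sig calls next to it.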
From 4b40f90ddbe5ce9ee74aec781abb5419e9b43918 Mon Sep 17 00:00:00 2001 From: Julien Cristau <jcris...@debian.org> Date: Mon, 25 Mar 2013 15:20:31 +0100 Subject: [PATCH] Move extract_release_components to after signature verification. Suggested by Ansgar Burchardt. --- debian/changelog | 2 ++ functions | 3 ++- 2 files changed, 4 insertions(+), 1 deletions(-) diff --git a/debian/changelog b/debian/changelog index 8dc903e..1449609 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ debootstrap (1.0.48) UNRELEASED; urgency=low * Disable InRelease support. gpgv won't give us back the signed data, and full gpg is not available inside d-i (closes: #703889). + * Move extract_release_components to after signature verification. + Suggested by Ansgar Burchardt. -- Julien Cristau <jcris...@debian.org> Mon, 25 Mar 2013 14:16:19 +0100 diff --git a/functions b/functions index 068aa06..2dc777d 100644 --- a/functions +++ b/functions @@ -532,11 +532,12 @@ download_release_indices () { get "$m1/dists/$SUITE/Release" "$reldest" nocache || error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release" relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")" - extract_release_components $reldest progress 100 100 DOWNREL "Downloading Release file" download_release_sig "$m1" "$reldest" "$relsigdest" + extract_release_components $reldest + local totalpkgs=0 for c in $COMPONENTS; do local subpath="$c/binary-$ARCH/Packages" -- 1.7.2.5
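Review bot: the reordering in download_release_indices protects only when download_release_sig actually aborts the run on a bad signature, and nothing in the hunk records that dependency. In the function as shown in the previous patch, the gpgv exit status is discarded and the decision is left to read_gpg_status, and when the keyring is unavailable only a warning is issued, so extract_release_components still parses an unverified Release file on that path. Suggest a short comment above the moved call saying it must stay after the signature check, and quoting the argument as "$reldest".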