Hi all,

And thanks for getting in touch with us.

Daniel Kahn Gillmor <d...@fifthhorseman.net> (2015-08-11):
> i believe the installer relies on gpgv for archive manifest signature
> verification. we have gpgv-udeb for that purpose, i think.

That's the idea, yeah. Grepping through all of our packages → see the
results below my signature; that's basically base-installer and
net-retriever which depend on gpgv-udeb.

For the record, last time we've seen changes in gpgv, that was in:
  https://lists.debian.org/debian-boot/2014/01/msg00129.html

which eventually led to: #753985.

Skimming through it again, it seems win32-loader was somewhat affected
as well. Adding Didier in the loop explicitly just to be on the safe
side.

> It's likely that at some point (i'm hoping before stretch) we'll want
> to move most of our GnuPG reliance to the 2.1 branch, since that will
> allow us to take advantage of stronger, smaller, faster cryptography
> and will also help to keep our tools aligned with where upstream's
> main development focus is.
>
> As a result, i'd like to consider moving the gpgv udeb over to the
> gnupg2 package sometime soon.

ACK.

> gpgv2 has more dependencies than gpgv, though:
>
> gpgv2 Depends: libbz2-1.0, libc6 (>= 2.14), libgcrypt20 (>= 1.6.1),
>   libgpg-error0 (>= 1.14), libksba8 (>= 1.2.0), zlib1g (>= 1:1.1.4)
>
> gpgv Depends: libbz2-1.0, libc6 (>= 2.14), zlib1g (>= 1:1.1.4)
>
> so we're talking about adding three dependencies as udebs:
>
>  libgcrypt20, libgpg-error0, libksba8
>
> Of these three dependencies:
>
>  * gpg-error is simple/small/trivial: i don't think it's particularly
>    objectionable, and there's already a udeb for it.

It's already used in d-i as a dependency of libgcrypt20-udeb…

>  * libgcrypt is the actively-developed crypto library that we want
>    to rely on instead of what's effectively an embedded stripped-down
>    copy in gpgv, so i think this is an actively good dependency to
>    add. libgcrypt also already has a udeb.

… which in turn is pulled through libcryptsetup4-udeb (itself needed by
cryptsetup-udeb). We moved to it from libgcrypt11-udeb a while ago
(during the jessie release cycle if memory serves).

>  * libksba8 is the X.509 and CMS support library used by GnuPG. we
>    probably don't strictly need this for the installer (our archive
>    signatures use OpenPGP signatures and not CMS). I can work on a
>    stripped-down build of gpgv2 that doesn't have this dependency if we
>    think that would be useful for minimizing the installer.
>    Alternately, I can work with pkg-gnutls to add a udeb for libksba
>    (we've already discussed the possibility of transferring the libksba
>    from pkg-gnutls to pkg-gnupg)

If having a build for the installer (without libksba8 support, and
possibly with strong optimization options, see the thread I mentioned
earlier) is feasible, that would be preferred to having an extra udeb
pulled just for a feature we're not going to use anyway.

It's not absolutely mandatory, so if you're having issues unentangling
gpgv-udeb from libksba8 in the 2.1 branch, please say so and we'll
reconsider.

> let me know if you have any concerns, preferences, or questions about
> this work, and if you have specific time windows that it would be good
> to aim for.

I'm currently aiming at a release in the next few days, but feel free to
prepare stealing gpgv-udeb in experimental, and ping back this thread
once it's available there. After some testing by the installer team, it
can go to unstable and migrate to testing when it's ready. I'll then
adjust the freeze file to point at the new source package for further
block-udeb sessions.

Mraw,
KiBi.

========================================================================
kibi@wodi:~/debian-installer/packages$ for i in base-installer net-retriever; do echo $i; echo $i|sed 's/./=/g'; (cd $i; ack gpgv); echo; echo; done
base-installer
==============
debian/control
19:Depends: ${shlibs:Depends}, mounted-partitions, created-fstab, base-installer, debootstrap-udeb (>= 1.0.7), gpgv-udeb, debian-archive-keyring-udeb, archdetect

debian/bootstrap-base.postinst
84: if type gpgv >/dev/null; then
89: warning "gpgv not found, not authenticating archive"

debian/bootstrap-base/DEBIAN/postinst
84: if type gpgv >/dev/null; then
89: warning "gpgv not found, not authenticating archive"

debian/bootstrap-base/DEBIAN/control
8:Depends: libc6-udeb (>= 2.19), libdebconfclient0-udeb, libdebian-installer4-udeb (>= 0.97), mounted-partitions, created-fstab, base-installer, debootstrap-udeb (>= 1.0.7), gpgv-udeb, debian-archive-keyring-udeb, archdetect

debian/changelog
1299: * Depend on gpgv-udeb, which has apparently never really been pulled in
2363: * If gpgv and a keyring are installed, enable debootstrap's Release
2451: - Make apt-get use gpgv --ignore-time-conflict to avoid validation

debian/base-installer/usr/lib/base-installer/library.sh
166:Acquire::gpgv::Options { "--ignore-time-conflict"; };

library.sh
166:Acquire::gpgv::Options { "--ignore-time-conflict"; };


net-retriever
=============
debian/control
14:Depends: ${misc:Depends}, choose-mirror, configured-network, di-utils (>= 1.58), gpgv-udeb, debian-archive-keyring-udeb

debian/changelog
338: * Depend on gpgv-udeb, which has apparently never really been pulled in
463: * Use log-output for gpgv call.
531: - Check signature of Release file if gpgv and a keyring are installed.

debian/net-retriever/usr/lib/debian-installer/retriever/net-retriever
178: # If gpgv and a keyring are installed, authentication is
180: if type gpgv >/dev/null && [ -f "$keyring" ]; then
188: gpgv --status-fd 1 --keyring "$keyring" \
195: log "Not verifying Release signature: gpgv not available"

debian/net-retriever/DEBIAN/control
6:Depends: cdebconf-udeb, choose-mirror, configured-network, di-utils (>= 1.58), gpgv-udeb, debian-archive-keyring-udeb

net-retriever
114: # If gpgv and a keyring are installed, authentication is
116: if type gpgv >/dev/null && [ -f "$keyring" ]; then
124: gpgv --status-fd 1 --keyring "$keyring" \
131: log "Not verifying Release signature: gpgv not available"
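
Added example, not part of the original mail and not base-installer's or net-retriever's code: the grep output above shows both callers logging a warning and skipping authentication when gpgv is absent. The shell functions below fail closed instead and accept a Release file only when the `gpgv --status-fd 1` output carries a VALIDSIG line; the function names, the rejection policy and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Status keywords (VALIDSIG, BADSIG, ...) come from GnuPG's status-fd
# interface; which ones cause rejection is this example's own policy.

# check_status: read gpgv status lines on stdin. Succeeds only if at least
# one VALIDSIG is present and no bad, expired or revoked signature is seen.
check_status() {
    valid=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) valid=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] EXPSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_release (hypothetical wrapper): a missing gpgv or keyring is an
# error (exit 2), not a reason to continue unauthenticated.
verify_release() {
    keyring=$1 sig=$2 data=$3
    if ! type gpgv >/dev/null 2>&1; then
        echo "gpgv not available: refusing unauthenticated archive" >&2
        return 2
    fi
    if [ ! -f "$keyring" ]; then
        echo "keyring missing: $keyring" >&2
        return 2
    fi
    gpgv --status-fd 1 --keyring "$keyring" "$sig" "$data" 2>/dev/null |
        check_status
}

# Constructed status output (key IDs and fingerprints are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Archive Key (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-08-11 1439251200 0 4 0 1 8 00'
# A valid signature accompanied by a bad one is still rejected.
SAMPLE_BAD="$SAMPLE_GOOD
[GNUPG:] BADSIG FEDCBA9876543210 Second Key (constructed)"
# Signing key absent from the keyring: no VALIDSIG, so rejected.
SAMPLE_NOKEY='[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1439251200 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210'
```

Feeding a sample through the parser, e.g. `printf '%s\n' "$SAMPLE_BAD" | check_status`, exercises the policy without needing gpgv or a keyring.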