Your message dated Sat, 31 Aug 2024 12:10:46 +0000
with message-id <e1skmwi-00gptf...@coccia.debian.org>
and subject line Close 1003188
has caused the Debian Bug report #1003188,
regarding bullseye-pu: package mmdebstrap/0.7.5-2.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003188
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@debian.org

[ Reason ]
Currently, when a user happens to have an ASCII armored key in
/etc/apt/trusted.gpg.d, running mmdebstrap without any special options
will not work. See #1003175 for details.

The problem is fixed in unstable and testing, starting with 0.8.0-1.

[ Impact ]
Users will either have to remove an ASCII armored key from their
/etc/apt/trusted.gpg.d or supply keys to mmdebstrap manually. But either
is unlikely to happen because the error message does not give a clue
about the actual cause of the problem.

[ Tests ]
Two users and I checked that the attached debdiff fixed the
problem. If desired, I can also add a test from the upstream project
to the debdiff but that would double its size. Essentially, the change
is already well tested upstream.

[ Risks ]
In the worst case, GPG key autodetection breaks and one has to pass the
keyring material to mmdebstrap manually. This is what users with ASCII
armored keys in /etc/apt/trusted.gpg.d already have to do today without
this patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
GPG is called with --show-keys instead of with --list-keys.  The latter
requires "public keyring v4" key material while the former also allows
ASCII armored keys.

[ Other info ]
This is my first upload to a stable release, so stupid mistakes can be
hiding anywhere.

Thanks!

cheers, josch
diff -Nru mmdebstrap-0.7.5/debian/changelog mmdebstrap-0.7.5/debian/changelog
--- mmdebstrap-0.7.5/debian/changelog   2021-05-07 17:30:39.000000000 +0200
+++ mmdebstrap-0.7.5/debian/changelog   2022-01-05 16:05:13.000000000 +0100
@@ -1,3 +1,10 @@
+mmdebstrap (0.7.5-2.2+deb11u1) bullseye; urgency=medium
+
+  * Do not error out with ASCII armored keyrings in /etc/apt/trusted.gpg.d
+    (closes: #1003175)
+
+ -- Johannes Schauer Marin Rodrigues <jo...@debian.org>  Wed, 05 Jan 2022 
16:05:13 +0100
+
 mmdebstrap (0.7.5-2.2) unstable; urgency=medium
 
   * Non-maintainer upload.
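Review bot: The new changelog stanza lists only the ASCII armored keyring fix, but this debdiff also ships 0001-Do-not-use-gpg-trust-model-always.patch, which removes '--trust-model', 'always' from the gpg command line. Add a bullet for that change so the entry covers everything in the upload, as the checklist item "*all* changes are documented in the d/changelog" expects.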
diff -Nru 
mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch 
mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch
--- 
mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch    
    1970-01-01 01:00:00.000000000 +0100
+++ 
mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch    
    2022-01-05 16:04:09.000000000 +0100
@@ -0,0 +1,23 @@
+From 91d8be5f9c204f0ee8d524eb1382934e608a9d43 Mon Sep 17 00:00:00 2001
+From: Johannes Schauer Marin Rodrigues <jo...@mister-muffin.de>
+Date: Thu, 26 Aug 2021 07:58:27 +0200
+Subject: [PATCH] Do not use gpg --trust-model=always
+
+ - gpg will not create a trustdb when running with --update-trustdb with
+   --trust-model=always:
+       gpg: no need for a trustdb update with 'always' trust model
+ - subsequent gpg calls will fail because there is no trustdb in GPGHOME
+---
+ mmdebstrap | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mmdebstrap
++++ b/mmdebstrap
+@@ -4861,7 +4861,6 @@ sub main() {
+                     '--ignore-time-conflict', '--no-options',
+                     '--no-default-keyring',   '--homedir',
+                     $gpghome,                 '--no-auto-check-trustdb',
+-                    '--trust-model',          'always'
+                 );
+                 my ($ret, $message);
+                 {
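Review bot: Removing '--trust-model', 'always' from this option list changes the trust model for every gpg call built from it (apparently the @gpgcmd used in the companion patch), while the commit message only covers trustdb creation. In the rest of this debdiff the command is used for --update-trustdb and for listing fingerprints with --with-colons --show-keys, neither of which depends on key validity, so please confirm that no call site outside these hunks relies on keys being treated as valid and say so in the patch description. A reference to #1003175 or to the patch that adds the --update-trustdb call would also make clear why this change belongs in the stable update.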
diff -Nru 
mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
 
mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
--- 
mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
        2022-01-05 16:05:13.000000000 +0100
@@ -0,0 +1,75 @@
+From ccd4b5c163d322045c92f734f43bb5e1945fa774 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdri...@gmail.com>
+Date: Thu, 15 Apr 2021 03:00:39 +0300
+Subject: [PATCH] gpg: handle ASCII-armored keyrings as well
+
+gpg command "--list-keys" requires input files to be passed with
+option "--keyring" and each file must match type "public keyring v4"
+while gpg command "--show-keys" doesn't require extra options and
+handles also ASCII-armored public keyrings as well.
+
+Signed-off-by: Konstantin Demin <rockdri...@gmail.com>
+---
+ mmdebstrap | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/mmdebstrap
++++ b/mmdebstrap
+@@ -4880,30 +4880,37 @@ sub main() {
+                       . " signed-by value";
+                     last;
+                 }
++                # initialize gpg trustdb with empty one
++                {
++                    `@gpgcmd --update-trustdb >/dev/null 2>/dev/null`;
++                    $? == 0 or error "gpg failed to initialize trustdb: $?";
++                }
+                 # find all the fingerprints of the keys apt currently
+                 # knows about
+-                my @keyringopts = ();
++                my @keyrings = ();
+                 opendir my $dh, "$options->{apttrustedparts}"
+                   or error "cannot read $options->{apttrustedparts}";
+                 while (my $filename = readdir $dh) {
+                     if ($filename !~ /\.(asc|gpg)$/) {
+                         next;
+                     }
+-                    push @keyringopts, '--keyring',
+-                      "$options->{apttrustedparts}/$filename";
++                    $filename = "$options->{apttrustedparts}/$filename";
++                    # skip empty keyrings
++                    -s "$filename" || next;
++                    push @keyrings, "$filename";
+                 }
+                 closedir $dh;
+-                if (-e $options->{apttrusted}) {
+-                    push @keyringopts, '--keyring', $options->{apttrusted};
++                if (-s $options->{apttrusted}) {
++                    push @keyrings, $options->{apttrusted};
+                 }
+                 my @aptfingerprints = ();
+-                if (scalar @keyringopts == 0) {
++                if (scalar @keyrings == 0) {
+                     $signedby = " [signed-by=\"$keyring\"]";
+                     last;
+                 }
+                 {
+-                    open my $fh, '-|', @gpgcmd, @keyringopts, '--with-colons',
+-                      '--list-keys' // error "failed to fork(): $!";
++                    open(my $fh, '-|', @gpgcmd, '--with-colons', 
'--show-keys',
++                        @keyrings) // error "failed to fork(): $!";
+                     while (my $line = <$fh>) {
+                         if ($line !~ /^fpr:::::::::([^:]+):/) {
+                             next;
+@@ -4924,9 +4931,8 @@ sub main() {
+                 # the case
+                 my @suitefingerprints = ();
+                 {
+-                    open my $fh, '-|', @gpgcmd, '--keyring', $keyring,
+-                      '--with-colons',
+-                      '--list-keys' // error "failed to fork(): $!";
++                    open(my $fh, '-|', @gpgcmd, '--with-colons', 
'--show-keys',
++                        $keyring) // error "failed to fork(): $!";
+                     while (my $line = <$fh>) {
+                         if ($line !~ /^fpr:::::::::([^:]+):/) {
+                             next;
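Review bot: In the first inner hunk, the new trustdb initialization runs `@gpgcmd --update-trustdb >/dev/null 2>/dev/null` in backticks, which joins the array with spaces and hands the string to the shell. If @gpgcmd is the list shown in the other patch, it carries '--homedir', $gpghome, so a path with whitespace or shell metacharacters would be split or interpreted. The two --show-keys calls further down use list-form open and avoid this. Consider a list-form system() call with STDOUT and STDERR redirected in Perl instead. The error message also prints the raw $?, where $? >> 8 would give the exit code, and discarding stderr hides gpg's own explanation when initialization fails.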
diff -Nru mmdebstrap-0.7.5/debian/patches/series 
mmdebstrap-0.7.5/debian/patches/series
--- mmdebstrap-0.7.5/debian/patches/series      2021-05-07 17:30:39.000000000 
+0200
+++ mmdebstrap-0.7.5/debian/patches/series      2022-01-05 16:03:59.000000000 
+0100
@@ -1,2 +1,4 @@
 0001-also-run-unshare-with-propagation-unchanged-in-root-.patch
 Pass-extended-attributes-excluding-system-to-tar2sqf.patch
+0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
+0001-Do-not-use-gpg-trust-model-always.patch
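Review bot: Both added entries, like the first existing one, start with 0001-, so the file names say nothing about apply order and this series file is the only place that defines it. According to the second patch's description, --update-trustdb does not create a trustdb while --trust-model always is set, so the call added by the keyring patch depends on the trust-model patch being applied as well. Consider renaming the new files 0001-/0002- or stating the dependency in the patch headers.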

--- End Message ---
--- Begin Message ---
As this package was not uploaded in time for the final point release of 
bullseye (11.11), the request is now closed.

--- End Message ---
