Re: [RFC v1 0/3] Fix additional apt repos with foreign keys

[Henning Schild <henning.schild@siemens.com>]

Am Tue, 26 Feb 2019 14:48:41 +0100
schrieb "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>:

> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> This patch series fixes problems when adding a additional repos
> which need different gpg keys for authentication.
> 
> The patches are designed to make the existing 'API', i.e. bitbake
> variables work, not to solve the remaining design problems.
> 
> On basis of this series, we should discuss how to further proceed
> since there should be a destinction wether we change the bootstrapping
> apt source or if we change the apt source for additional packages.
> 
> If we change the bootstrapping apt source, we already need keys
> installed in the build environment to do the first debootstrap.
> 
> If we only want additional packages in the target rootfs, we only
> need to add keys inside the target chroot.
> 
> Currently this is not possible and requires additional bitbake
> variables, i.e. APT_KEYS_TARGET_PKGS, or APT_KEYS_TARGET_BOOTSTRAP.

I think it is useful to establish the trust twice and forget about
extra variables. People might want to bootstrap from "new/unknown"
mirrors, like i.e. the cache.
So use the variables we know to establish trust on the guy running
debootstrap and inside the chroots. That is two "apt-key" like in
your current patches.
But i would argue that you should play with "apt-key --keyring <file>".
The goal would be to create a keyring just for that one debootstrap
call, which you will remove/distrust later. For people not using docker
that will prevent "messing with the host". 

> Also the reason for the option I delete in patch 3 is unclear to me.
> This way we could never add additional repositories.

Good catch. That pattern is used in a few places, assuming that
isar-apt is the only repo that could have possibly changed. Maybe that
whole pattern should be revised and we go for plain "apt-get update"

Henning

> Andreas Reichel (3):
>   Fix path to user gpg-keys
>   Refactor gpg code to use apt code
>   Use all source lists in target root apt
> 
>  meta/classes/isar-bootstrap-helper.bbclass    | 14 ++++++++----
>  .../isar-bootstrap/isar-bootstrap.inc         | 22
> +++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-)
>