From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6665315485307895808
X-Received: by 2002:a05:600c:21d4:: with SMTP id x20mr765232wmj.25.1551894193060;
        Wed, 06 Mar 2019 09:43:13 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a1c:b641:: with SMTP id g62ls315983wmf.11.canary-gmail; Wed,
 06 Mar 2019 09:43:12 -0800 (PST)
X-Google-Smtp-Source: APXvYqzcmMdP92TaRExeQd5qdtHeHjQaD+ruXoyl0fQ2aQDILhlPOs1Ndd2YXijrfLNGCSYJBOMi
X-Received: by 2002:a1c:a846:: with SMTP id r67mr792321wme.18.1551894192639;
        Wed, 06 Mar 2019 09:43:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551894192; cv=none;
        d=google.com; s=arc-20160816;
        b=InvcKvLHO9MsO7InQbfhcqw0uSJr2pFtq4Qh45oeb4JKAcALXtaw1rxFEVsIQgenna
         PE69zYq/AaCHA/AbcWNRSqhBJOos8dvtEMyNiKXDuNaEZQEzVn8PhPKcO1l1dctlr3mI
         9yjXgI7QAUyYC08V5htCiZnkXA7NM+ezwO50bQXi7MbMnLgWp0qkEnwVn5XvKs2B/6cS
         owoHD2+1UliUUlFW7qr6TBRnb3kqp/9Z9J9qaoALVfxc/dcNkegJgvbYBLVlp3wWMb9e
         0D+n/pcVGU53OTf39kJT7CIJGvKBvokbzk9HpWUeUopXS5Wm/+r3eU+aSXDHwFg89U9W
         +iQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date;
        bh=/T9AkVYr1USIQdF3mq1r9HI1u0hrpTrQEhJQTf5A5RU=;
        b=kA9n3R7FRCZVWlnLQuPG5zp7VHo86YyixD894Su3xSyOcc1icUNv0MktDOf3kOVlwR
         AMd0ES59dL2TwQ/QNLP1EnK2A+4kkchuCaCfRVmDnAJ1x252OAOWJKzPwBHGGqp04/xs
         qtE9ZJbldleMyJlfUB9kkym97rjv6RJ+CSY3L3o6TyGqMT90+ZZ0vSMrDRC2bQe4NMOw
         21AiUd1tRAaZ/nF/9JoVLxD4kbwsV4Xs2pBbn918HAjISmE17HUrUVvvh7/jsjWROxic
         iiSAO1BRhs3MYYZs1Ii6GKWqLg/Jk6WiuWf8IO5C4Q2rTxorprIP5uHaa1tpXJjjX8WD
         oVkw==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from david.siemens.de (david.siemens.de. [192.35.17.14])
        by gmr-mx.google.com with ESMTPS id c24si129060wml.0.2019.03.06.09.43.12
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 06 Mar 2019 09:43:12 -0800 (PST)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
	by david.siemens.de (8.15.2/8.15.2) with ESMTPS id x26HhCHQ027970
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
	for <isar-users@googlegroups.com>; Wed, 6 Mar 2019 18:43:12 +0100
Received: from md1za8fc.ad001.siemens.net ([139.25.69.211])
	by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x26HhBGj027783;
	Wed, 6 Mar 2019 18:43:12 +0100
Date: Wed, 6 Mar 2019 18:43:11 +0100
From: Henning Schild <henning.schild@siemens.com>
To: "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>
Cc: <isar-users@googlegroups.com>
Subject: Re: [PATCH v3 6/6] If we use a custom keyring debootstrap may fall
 to https
Message-ID: <20190306184311.0ffb1069@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190306162619.826-7-andreas.reichel.ext@siemens.com>
References: <20190306162619.826-1-andreas.reichel.ext@siemens.com>
	<20190306162619.826-7-andreas.reichel.ext@siemens.com>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TUID: eFO3o0hujZdU

Am Wed, 6 Mar 2019 17:26:18 +0100
schrieb "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>:

> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009
> 
> So if we have something in aptkeyring, append https-support to
> OVERRIDES.
> 
> Furthermore, the conditional append for https-support was missing
> in qemuamd64-stretch.conf, thus, remove this from all the distros
> and put it into the isar-bootstrap.inc.
> 
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
>  meta-isar/conf/multiconfig/qemuamd64-buster.conf    |  1 -
>  meta-isar/conf/multiconfig/qemuamd64-jessie.conf    |  1 -
>  meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 11 +++++++++++
>  3 files changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf
> b/meta-isar/conf/multiconfig/qemuamd64-buster.conf index
> 63df75c..da90993 100644 ---
> a/meta-isar/conf/multiconfig/qemuamd64-buster.conf +++
> b/meta-isar/conf/multiconfig/qemuamd64-buster.conf @@ -18,4 +18,3 @@
> QEMU_MACHINE ?= "q35" QEMU_CPU ?= ""
>  QEMU_DISK_ARGS ?= "-hda ##ROOTFS_IMAGE##
> -bios /usr/local/share/ovmf/OVMF.fd" 
> -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "
> apt-transport-https ca-certificates" diff --git
> a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf
> b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf index
> d1335ff..42c71df 100644 ---
> a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf +++
> b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf @@ -15,4 +15,3 @@
> QEMU_MACHINE ?= "pc" QEMU_CPU ?= "" QEMU_DISK_ARGS ?= "-hda
> ##ROOTFS_IMAGE##" 
> -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "
> apt-transport-https ca-certificates" diff --git
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index
> 8002a53..64cefc6 100644 ---
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -25,6 +25,7
> @@ BASEAPTSRCS = "${WORKDIR}/base-apt-sources" APTKEYFILES = ""
> DEPLOY_ISAR_BOOTSTRAP ?= "" DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales
> gnupg2" +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "
> apt-transport-https ca-certificates" 
>  DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org
> file:///${REPO_BASE_DIR} \n" if
> bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
> @@ -41,6 +42,12 @@ python () { if own_pub_key:
>              aptkeys += own_pub_key.split()
>  
> +    if len(aptkeys) > 0:
> +        # debootstrap falls back to https if there is no
> +        # 'reliable' keyring, whatever that means, but it happened
> +        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009
> +        d.setVar("HAVE_CUSTOM_APT_KEYS", "True")

Why this indirection and the new variable? Can you not just check
len(aptkeys) where you check HAVE_CUSTOM_APT_KEYS?

In fact you probably want to look at DISTRO_APT_KEYS, which seems to be
the source feeding all the other variables. Whatever you come up with
in v3 4/6.

>      for key in aptkeys:
>          d.appendVar("SRC_URI", " %s" % key)
>          fetcher = bb.fetch2.Fetch([key], d)
> @@ -150,6 +157,10 @@ def get_distro_have_https_source(d,
> is_host=False): return any(source[2].startswith("https://") for
> source in generate_distro_sources(d, is_host)) 
>  def get_distro_needs_https_support(d, is_host=False):
> +    apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False)
> +    if apt_keys:
> +        return "https-support"
> +

Reusing the OVERRIDE seems like a good idea to avoid double adding the
packages. So gnupg implies https but does not add the packages again.
But i think i would do something like

get_gnupg_overrides() 
 ret = "gnupg"
 # blabla bug
 ret += " https-support"

Henning

>      if get_distro_have_https_source(d, is_host):
>          return "https-support"
>      else: