Date: Thu, 7 Mar 2019 10:14:39 +0100
From: Andreas Reichel
To: Henning Schild
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH v3 6/6] If we use a custom keyring debootstrap may fall to https
Message-ID: <20190307091438.GB10773@iiotirae>

On Wed, Mar 06, 2019 at 06:43:11PM +0100, Henning Schild wrote:
> On Wed, 6 Mar 2019 17:26:18 +0100,
> "[ext] Andreas J. Reichel" wrote:
>
> > From: Andreas Reichel
> >
> > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009
> >
> > So if we have something in aptkeyring, append https-support to
> > OVERRIDES.
> >
> > Furthermore, the conditional append for https-support was missing
> > in qemuamd64-stretch.conf, thus, remove this from all the distros
> > and put it into the isar-bootstrap.inc.
> >
> > Signed-off-by: Andreas Reichel
> > ---
> > meta-isar/conf/multiconfig/qemuamd64-buster.conf | 1 -
> > meta-isar/conf/multiconfig/qemuamd64-jessie.conf | 1 -
> > meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 11 +++++++++++
> > 3 files changed, 11 insertions(+), 2 deletions(-)
> >
> > diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf > > b/meta-isar/conf/multiconfig/qemuamd64-buster.conf index > > 63df75c..da90993 100644 --- > > a/meta-isar/conf/multiconfig/qemuamd64-buster.conf +++ > > b/meta-isar/conf/multiconfig/qemuamd64-buster.conf @@ -18,4 +18,3 @@ > > QEMU_MACHINE ?= "q35" QEMU_CPU ?= "" > > QEMU_DISK_ARGS ?= "-hda ##ROOTFS_IMAGE## > > -bios /usr/local/share/ovmf/OVMF.fd" > > -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " > > apt-transport-https ca-certificates" diff --git > > a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf > > b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf index > > d1335ff..42c71df 100644 --- > > a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf +++ > > b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf @@ -15,4 +15,3 @@ > > QEMU_MACHINE ?= "pc" QEMU_CPU ?= "" QEMU_DISK_ARGS ?= "-hda > > ##ROOTFS_IMAGE##" > > -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " > > apt-transport-https ca-certificates"
diff --git > > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > > 8002a53..64cefc6 100644 --- > > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -25,6 +25,7 > > @@ BASEAPTSRCS = "${WORKDIR}/base-apt-sources" APTKEYFILES = "" > > DEPLOY_ISAR_BOOTSTRAP ?= "" DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales > > gnupg2" +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " > > apt-transport-https ca-certificates" > > DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org > > file:///${REPO_BASE_DIR} \n" if > > bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" > > @@ -41,6 +42,12 @@ python () { if own_pub_key: > > aptkeys += own_pub_key.split() > > > > + if len(aptkeys) > 0: > > + # debootstrap falls back to https if there is no > > + # 'reliable' keyring, whatever that means, but it happened > > + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009 > > + d.setVar("HAVE_CUSTOM_APT_KEYS", "True")
>
> Why this indirection and the new variable? Can you not just check
> len(aptkeys) where you check HAVE_CUSTOM_APT_KEYS?

Because aptkeys is a local variable. And we don't want that to be
global.

>
> In fact you probably want to look at DISTRO_APT_KEYS, which seems to be
> the source feeding all the other variables. Whatever you come up with
> in v3 4/6.

Not quite, because we have DISTRO_APT_KEYS as well as BASE_REPO_KEY. Both
can contain several keys and feed aptkeys. (That's why I introduced
aptkeys, to remove the duplicate code in the keyring generation.)

>
> > for key in aptkeys: > > d.appendVar("SRC_URI", " %s" % key) > > fetcher = bb.fetch2.Fetch([key], d)
> > @@ -150,6 +157,10 @@ def get_distro_have_https_source(d, > > is_host=False): return any(source[2].startswith("https://") for > > source in generate_distro_sources(d, is_host)) > > def get_distro_needs_https_support(d, is_host=False): > > + apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False) > > + if apt_keys: > > + return "https-support" > > +
>
> Reusing the OVERRIDE seems like a good idea to avoid double adding the
> packages. So gnupg implies https but does not add the packages again.
> But I think I would do something like
>
> get_gnupg_overrides()
>     ret = "gnupg"
>     # blabla bug
>     ret += " https-support"
>

Sure. That makes sense, but I would like to keep the https-support part
in the other function, because that is there to tell all cases where the
image needs https-support, no matter whether apt-keys or https sources...
Gnupg then should go into a new function analogous to the other one like
'get_distro_needs_gnupg_support' to enable a new gnupg OVERRIDE.

Andreas

> Henning
>
> > if get_distro_have_https_source(d, is_host): > > return "https-support" > > else:
>

-- 
Andreas Reichel
Dipl.-Phys. (Univ.)
Software Consultant

Andreas.Reichel@tngtech.com, +49-174-3180074
TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring
Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller
Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082
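
Review bot: In get_distro_needs_https_support() (hunk @@ -150,6 +157,10 @@), `if apt_keys:` tests the raw string returned by d.getVar("HAVE_CUSTOM_APT_KEYS", False), so any non-empty value, including "False" or "0" set from a local configuration, selects https-support. Parse the value with bb.utils.to_boolean(), as the DISTRO_APT_PREMIRRORS line in the same file already does for ISAR_USE_CACHED_BASE_REPO, and rename apt_keys, since it holds a flag and not the keys. The second getVar argument here disables expansion, which deserves a short comment or should be dropped if expansion is harmless.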
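
Review bot: In the python () hunk (@@ -41,6 +42,12 @@), HAVE_CUSTOM_APT_KEYS is created only inside `if len(aptkeys) > 0:` and none of the visible hunks give it a default or document it next to APTKEYFILES and DEPLOY_ISAR_BOOTSTRAP at the top of isar-bootstrap.inc. Declare it there with an empty default and a one-line description, and write the test as `if aptkeys:`. The comment "whatever that means, but it happened" should instead state the condition from Debian bug 891009 under which debootstrap switches to https, so that a later reader can tell when apt-transport-https and ca-certificates are really required in the bootstrap.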
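
Review bot: The commit message says the https-support append is removed from "all the distros", but the diffstat and the two conf hunks touch only qemuamd64-buster.conf and qemuamd64-jessie.conf. Confirm that no other multiconfig still carries DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support and name the affected files in the message; any conf that keeps the line would now append apt-transport-https and ca-certificates a second time on top of the new line in isar-bootstrap.inc.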