Date: Thu, 7 Mar 2019 15:41:56 +0100
From: Henning Schild
To: Andreas Reichel
Subject: Re: [PATCH v3 6/6] If we use a custom keyring debootstrap may fall to https
Message-ID: <20190307154156.3e8bc434@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190307091438.GB10773@iiotirae>
References: <20190306162619.826-1-andreas.reichel.ext@siemens.com> <20190306162619.826-7-andreas.reichel.ext@siemens.com> <20190306184311.0ffb1069@md1za8fc.ad001.siemens.net> <20190307091438.GB10773@iiotirae>

On Thu, 7 Mar 2019 10:14:39 +0100, Andreas Reichel wrote:
> On Wed, Mar 06, 2019 at 06:43:11PM +0100, Henning Schild wrote:
> > On Wed, 6 Mar 2019 17:26:18 +0100, "[ext] Andreas J. Reichel" wrote:
> > > From: Andreas Reichel > > > > > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009 > > > > > > So if we have something in aptkeyring, append https-support to > > > OVERRIDES. > > > > > > Furthermore, the conditional append for https-support was missing > > > in qemuamd64-stretch.conf, thus, remove this from all the distros > > > and put it into the isar-bootstrap.inc. > > > > > > Signed-off-by: Andreas Reichel > > > --- > > > meta-isar/conf/multiconfig/qemuamd64-buster.conf | 1 - > > > meta-isar/conf/multiconfig/qemuamd64-jessie.conf | 1 - > > > meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 11 > > > +++++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) > > > > > > diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf > > > b/meta-isar/conf/multiconfig/qemuamd64-buster.conf index > > > 63df75c..da90993 100644 --- > > > a/meta-isar/conf/multiconfig/qemuamd64-buster.conf +++ > > > b/meta-isar/conf/multiconfig/qemuamd64-buster.conf @@ -18,4 +18,3 > > > @@ QEMU_MACHINE ?= "q35" QEMU_CPU ?= "" > > > QEMU_DISK_ARGS ?= "-hda ##ROOTFS_IMAGE## > > > -bios /usr/local/share/ovmf/OVMF.fd" > > > -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " > > > apt-transport-https ca-certificates" diff --git > > > a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf > > > b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf index > > > d1335ff..42c71df 100644 --- > > > a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf +++ > > > b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf @@ -15,4 +15,3 > > > @@ QEMU_MACHINE ?= "pc" QEMU_CPU ?= "" QEMU_DISK_ARGS ?= "-hda > > > ##ROOTFS_IMAGE##" > > > -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " > > > apt-transport-https ca-certificates" 
diff --git > > > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > > > 8002a53..64cefc6 100644 --- > > > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -25,6 > > > +25,7 @@ BASEAPTSRCS = "${WORKDIR}/base-apt-sources" APTKEYFILES > > > = "" DEPLOY_ISAR_BOOTSTRAP ?= "" DISTRO_BOOTSTRAP_BASE_PACKAGES = > > > "locales gnupg2" > > > +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " > > > apt-transport-https ca-certificates" DISTRO_APT_PREMIRRORS ?= > > > "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" > > > if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) > > > else "" }" 
@@ -41,6 +42,12 @@ python () { if own_pub_key: > > > aptkeys += own_pub_key.split() > > > > > > + if len(aptkeys) > 0: > > > + # debootstrap falls back to https if there is no > > > + # 'reliable' keyring, whatever that means, but it > > > happened > > > + # > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009 > > > + d.setVar("HAVE_CUSTOM_APT_KEYS", "True") > > > > Why this indirection and the new variable? Can you not just check > > len(aptkeys) where you check HAVE_CUSTOM_APT_KEYS? > Because aptkeys is a local variable. And we don't want that to be > global. > > > > > In fact you probably want to look at DISTRO_APT_KEYS, which seems > > to be the source feeding all the other variables. Whatever you come > > up with in v3 4/6. > Not quite, because we have DISTRO_APT_KEYS as well as BASE_REPO_KEY. > Both can contain several keys and feed aptkeys. (That's why I > introduced aptkeys, to remove the duplicate code in the keyring > generation.)

That is not your fault. But DISTRO_APT_KEYS should simply always have BASE_REPO_KEY appended by default, which gets you back to one variable that lists all repo keys. Remotes and the cache.

Henning

> > > > > for key in aptkeys: > > > d.appendVar("SRC_URI", " %s" % key) > > > fetcher = bb.fetch2.Fetch([key], d) 
> > > @@ -150,6 +157,10 @@ def get_distro_have_https_source(d, > > > is_host=False): return any(source[2].startswith("https://") for > > > source in generate_distro_sources(d, is_host)) > > > def get_distro_needs_https_support(d, is_host=False): > > > + apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False) > > > + if apt_keys: > > > + return "https-support" > > > + > > > > Reusing the OVERRIDE seems like a good idea to avoid double adding > > the packages. So gnupg implies https but does not add the packages > > again. But I think I would do something like > > > > get_gnupg_overrides() > > ret = "gnupg" > > # blabla bug > > ret += " https-support" > > > Sure. That makes sense, but I would like to keep the https-support > part in the other function, because that is there to tell all cases > where the image needs https-support, no matter whether apt-keys or > https sources... > > Gnupg then should go into a new function analog to the other one like > 'get_distro_needs_gnupg_support' to enable a new gnupg OVERRIDE> > > Andreas > > Henning > > > > > if get_distro_have_https_source(d, is_host): > > > return "https-support" > > > else: > > >
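
Review bot: The commit message says the https-support append is removed from "all the distros", but the diffstat touches only qemuamd64-buster.conf and qemuamd64-jessie.conf (and notes it was never in qemuamd64-stretch.conf). Any other configuration that still carries its own DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support line would now append " apt-transport-https ca-certificates" a second time on top of the new line in isar-bootstrap.inc, so either confirm in the commit message that these two were the only carriers or word it as "from the two configs that had it".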
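
Review bot: In the python () hunk of isar-bootstrap.inc the added comment contradicts the branch it documents: it says debootstrap falls back to https "if there is no 'reliable' keyring", while the code runs when aptkeys is non-empty, that is, when custom keys are configured, and "whatever that means, but it happened" tells the next reader nothing. Reword the comment to state the condition the code actually tests (custom keys are in use, so debootstrap may fetch over https and the bootstrap needs apt-transport-https and ca-certificates), keep the bug URL on one line, and write the test as "if aptkeys:".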
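
Review bot: In get_distro_needs_https_support the check "if apt_keys:" tests a raw string, so any non-empty value of HAVE_CUSTOM_APT_KEYS, including "False" or "0", selects https-support. Only the anonymous python function sets it to "True" in this patch, but it is now a datastore variable that any configuration can assign; parse it with bb.utils.to_boolean() the way DISTRO_APT_PREMIRRORS already does for ISAR_USE_CACHED_BASE_REPO in the same file, and name the local after the flag rather than apt_keys, since it holds no keys.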