From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6665315485307895808
X-Received: by 2002:a19:fc05:: with SMTP id a5mr844271lfi.5.1551970494754;
        Thu, 07 Mar 2019 06:54:54 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a2e:4788:: with SMTP id u130ls742645lja.14.gmail; Thu, 07
 Mar 2019 06:54:54 -0800 (PST)
X-Google-Smtp-Source: APXvYqxpkr98wPrYjGLrpxlG4IPhN12cEegpm1uhI+2BUsXYv7HBln4JV+E5qCSovzR/2pAfZcRq
X-Received: by 2002:a2e:8852:: with SMTP id z18mr707939ljj.18.1551970494202;
        Thu, 07 Mar 2019 06:54:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551970494; cv=none;
        d=google.com; s=arc-20160816;
        b=WN6Ph/1HVJLB0hWvBQzgBYBE1/UNLKEWLyS9qLWrh+Ah1xKR0csAElp0pfI6+vJvo7
         ddGb7/clcdsIuXj14bkc87bxK5kKvkZIZo1M40ldTgrGJns7VYS7dNZmt1mMK1J1yC3X
         I5Zcq8FCzX3NcsNEb2bpVeI4nUC43u7MEEPEZ/Dcbfdpfey0eWE8nUk+Id8iVDVcLNRh
         cCe6vezikfg+YJXlYX/LLL3mB/67KdYR7/v2XVl36TvrA3eDm0LwmJUgwZkETC1V+wxD
         q/itqqedPvbJE/IPBohDEDNgWpMyONfh9MOWdw57ta8YxZICBQRTkJVehmXGSD5IYsdz
         n4jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date;
        bh=ncJrQSfe4ADSOyeabyTW0bVUX1p0kmrsGtFpAWpZZug=;
        b=PFjRqaPfehh0NIT1lHbJ6l3gAWtMakv7Ol6osF3ZISGOx+ZczrZbLGbl2+O/OZVyua
         TEOeVP7lt9eBUyBW8ZkpTIbjdzOrZ9SxwxJvRoINSpQSmLrNQ5TnQDfqJTlSmiZHFBDb
         vg56stzWnlFgypGHxBfXQrCqJzrhxGJuKqR3bHdDOSOywCHREJVR4jbP0tUNnvvJJXsb
         nx97YSUWbxc2MEbhjN+tITLfA1gldlWSKW4jjAf7EIBk1IytGdtkx7zA+lad8zYzbAeT
         5M9R4YrYzc54B48ProySq887aEnEYsns4KztD9wr3cU8RtIYUc7kueo+eniPyzo5Dwz/
         PKpg==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.40 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from gecko.sbs.de (gecko.sbs.de. [194.138.37.40])
        by gmr-mx.google.com with ESMTPS id k13si214135lja.5.2019.03.07.06.54.54
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Mar 2019 06:54:54 -0800 (PST)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.40 as permitted sender) client-ip=194.138.37.40;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.40 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
	by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id x27Esr9I003113
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
	for <isar-users@googlegroups.com>; Thu, 7 Mar 2019 15:54:53 +0100
Received: from md1za8fc.ad001.siemens.net ([139.25.69.211])
	by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x27EsrEh028088;
	Thu, 7 Mar 2019 15:54:53 +0100
Date: Thu, 7 Mar 2019 15:54:52 +0100
From: Henning Schild <henning.schild@siemens.com>
To: "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>
Cc: <isar-users@googlegroups.com>
Subject: Re: [PATCH v4 6/6] If we use a custom keyring debootstrap may fall
 to https
Message-ID: <20190307155452.7bbea360@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190307142304.14508-7-andreas.reichel.ext@siemens.com>
References: <20190307142304.14508-1-andreas.reichel.ext@siemens.com>
	<20190307142304.14508-7-andreas.reichel.ext@siemens.com>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TUID: J2ePgiNeoTaN

Am Thu, 7 Mar 2019 15:23:04 +0100
schrieb "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>:

> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009
> 
> So if we have something in aptkeyring, append https-support to
> OVERRIDES.
> 
> Furthermore, the conditional append for https-support was missing
> in qemuamd64-stretch.conf, thus, remove this from all the distros
> and put it into the isar-bootstrap.inc.
> 
> Furthermore, packages are comma-, not space-separated.
> 
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
>  meta-isar/conf/multiconfig/qemuamd64-buster.conf    |  1 -
>  meta-isar/conf/multiconfig/qemuamd64-jessie.conf    |  1 -
>  meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 11 +++++++++++
>  3 files changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf
> b/meta-isar/conf/multiconfig/qemuamd64-buster.conf index
> 63df75c..da90993 100644 ---
> a/meta-isar/conf/multiconfig/qemuamd64-buster.conf +++
> b/meta-isar/conf/multiconfig/qemuamd64-buster.conf @@ -18,4 +18,3 @@
> QEMU_MACHINE ?= "q35" QEMU_CPU ?= ""
>  QEMU_DISK_ARGS ?= "-hda ##ROOTFS_IMAGE##
> -bios /usr/local/share/ovmf/OVMF.fd" 
> -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "
> apt-transport-https ca-certificates" diff --git
> a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf
> b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf index
> d1335ff..42c71df 100644 ---
> a/meta-isar/conf/multiconfig/qemuamd64-jessie.conf +++
> b/meta-isar/conf/multiconfig/qemuamd64-jessie.conf @@ -15,4 +15,3 @@
> QEMU_MACHINE ?= "pc" QEMU_CPU ?= "" QEMU_DISK_ARGS ?= "-hda
> ##ROOTFS_IMAGE##" 
> -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "
> apt-transport-https ca-certificates" diff --git
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index
> 2fb5c5b..4c10633 100644 ---
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -26,6 +26,7
> @@ APTKEYFILES = "" DEPLOY_ISAR_BOOTSTRAP ?= ""
> DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
> DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2"
> +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support =
> ",apt-transport-https,ca-certificates" DISTRO_APT_PREMIRRORS ?= "${@
> "http://ftp\.(\S+\.)?debian.org  file:///${REPO_BASE_DIR} \n" if
> bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
> @@ -42,6 +43,12 @@ python () { if own_pub_key:
>              aptkeys += own_pub_key.split()
>  
> +    if len(aptkeys) > 0:
> +        # debootstrap falls back to https if there is no
> +        # 'reliable' keyring, whatever that means, but it happened
> +        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009
> +        d.setVar("HAVE_CUSTOM_APT_KEYS", "True")
> +
>      for key in aptkeys:
>          d.appendVar("SRC_URI", " %s" % key)
>          fetcher = bb.fetch2.Fetch([key], d)
> @@ -151,6 +158,10 @@ def get_distro_have_https_source(d,
> is_host=False): return any(source[2].startswith("https://") for
> source in generate_distro_sources(d, is_host)) 
>  def get_distro_needs_https_support(d, is_host=False):

As i said somewhere else. Something like 
get_distro_overrides
Could be a nice place to just deal with both in one function. So even
having that weird implication to https, we have it all in one place.

Right now we have to such functions depending on keys, otherwise we
would have two functions returning "https-support"

Henning

> +    apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False)
> +    if apt_keys:
> +        return "https-support"
> +
>      if get_distro_have_https_source(d, is_host):
>          return "https-support"
>      else: