Re: [PATCH v8 1/7] Revert "isar-bootstrap: Allow to set local keys in DISTRO_APT_KEYS"

public inbox for isar-users@googlegroups.com
 help / color / mirror / Atom feed

From: "Maxim Yu. Osipov" <mosipov@ilbers.de>
To: "Andreas J. Reichel" <andreas.reichel.ext@siemens.com>,
	isar-users@googlegroups.com
Subject: Re: [PATCH v8 1/7] Revert "isar-bootstrap: Allow to set local keys in DISTRO_APT_KEYS"
Date: Mon, 25 Mar 2019 12:20:10 +0100	[thread overview]
Message-ID: <948fa832-67d1-37d1-02b0-7120ab7546d4@ilbers.de> (raw)
In-Reply-To: <20190321151526.12001-2-andreas.reichel.ext@siemens.com>

Hi Andreas,

On 3/21/19 4:15 PM, Andreas J. Reichel wrote:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> This reverts commit af983a13b6f4cee5d4af5e5cf6318231e02775c9.
> 
> This commit broke usage of remote keys, where they usually come from.
> If fetching "http://example.com/dir1/dir2/key", the file is fetched
> into the subdir WORKDIR/dir1/dir2/, which breaks with this code.
> However it succeeds with absolute paths.
> We do not want to guess where the downloaded file will be. This does
> not work anymore if the key is downloaded from remote with a URL.
> Furthermore, a user could specify "subdir" as fetcher parameter
> or other things, which break this.

In general it's better to avoid reverting the patches.

I disagree with the statement that "commit af983a13  broke usage of 
remote keys" - I wrote you a month ago (see forwarded email below) that 
this patch doesn't break Raspbian build  - the key is put also under 
downloads (DL_DIR) directory:

I've build the current 'master' for target 
multiconfig:rpi-jessie:isar-image-base.

Sorry for copy-paste ;):

<<<<
isar/build$ find -name raspbian.public.key
./downloads/raspbian.public.key
./tmp/work/raspbian-jessie-armhf/isar-bootstrap-target/raspbian.public.key
 >>>

So I don't accept this patch.

Regards,
Maxim.


-------- Forwarded Message --------
Subject: Re: [PATCH 0/1] Fix remote key fetching apt keyring
Date: Wed, 20 Feb 2019 12:58:09 +0100
From: Maxim Yu. Osipov <mosipov@ilbers.de>
Organization: ilbers GmbH
To: Jan Kiszka <jan.kiszka@siemens.com>, [ext] Andreas J. Reichel 
<andreas.reichel.ext@siemens.com>, isar-users@googlegroups.com, Baurzhan 
Ismagulov <ibr@ilbers.de>

On 2/20/19 12:27 PM, Jan Kiszka wrote:
 > On 20.02.19 12:21, [ext] Andreas J. Reichel wrote:
 >> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
 >>
 >> Since my last mail was not answered, but this is an important topic,
 >> here is a patch that shows what the problem is.
 >>
 >> If we fetch the user apt key from remote, we need the basename,
 >> if we fetch it locally we need the absolute path...
 >>
 >> While this might not be the best way to fix this, it works as good
 >> as the rest of this code...
 >>
 >> At least it fixes Isar again up to adding the key to the keyring.
 >>
 >> But this still does not fix the next problem with the docker-ce key:
 >>
 >> | I: Running command: debootstrap --arch arm64 --foreign --verbose
 >> --variant=minbase --include=locales --components=main,contrib,non-free
 >> --keyring
 >> 
/build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg 

 >> stretch
 >> 
/build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/rootfs 
http://ftp.debian.org/debian
 >>
 >> | I: Retrieving InRelease
 >> | I: Retrieving Release
 >> | I: Retrieving Release.gpg
 >> | I: Checking Release signature
 >> | E: Release signed by unknown key (key id EF0F382A1A7B6500)
 >>
 >> So something additionally must be done. Since I am not an expert on
 >> debian keyring/debootstrap and dpkg signing I will try to find a
 >> solution but maybe somebody has a good idea already?
 >>
 >
 > Baurzhan, Maxim, any idea?

Strange...I thought that commit af983a13 fixes the reported problem
When testing my patch signing base-apt I've tried both - remote keys 
(used by Raspberry Pi target) and local key.



> 
> This is really fixed in a follow-up commit.
> 
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
>   meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> index c1b571a..2910eea 100644
> --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> @@ -40,8 +40,9 @@ python () {
>           d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
>           for key in distro_apt_keys.split():
>               url = urlparse(key)
> -            d.appendVar("SRC_URI", " " + key)
> -            d.appendVar("APTKEYFILES", " " + wd + url.path)
> +            filename = os.path.basename(url.path)
> +            d.appendVar("SRC_URI", " %s" % key)
> +            d.appendVar("APTKEYFILES", " %s" % filename)
>       if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
>           own_pub_key = d.getVar("BASE_REPO_KEY", False)
>           if own_pub_key:
> 


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov

next prev parent reply	other threads:[~2019-03-25 11:20 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-21 15:15 [PATCH v8 0/7] Fix usage of additional apt keys and repos Andreas J. Reichel
2019-03-21 15:15 ` [PATCH v8 1/7] Revert "isar-bootstrap: Allow to set local keys in DISTRO_APT_KEYS" Andreas J. Reichel
2019-03-25 11:20   ` Maxim Yu. Osipov [this message]
2019-04-15 11:11     ` Andreas Reichel
2019-04-16  4:54       ` Maxim Yu. Osipov
2019-04-16  8:12         ` Henning Schild
2019-04-22 13:56           ` Maxim Yu. Osipov
2019-03-21 15:15 ` [PATCH v8 2/7] Remove duplicate code from apt-keyring generation Andreas J. Reichel
2019-03-21 15:15 ` [PATCH v8 3/7] Fix fetched key location in apt-keyring generator Andreas J. Reichel
2019-03-21 15:15 ` [PATCH v8 4/7] Use apt-key to generate keyrings Andreas J. Reichel
2019-03-21 15:15 ` [PATCH v8 5/7] If we use a custom keyring debootstrap may fall to https Andreas J. Reichel
2019-03-21 15:15 ` [PATCH v8 6/7] raspbian-jessie: Use DISTRO_BOOTSTRAP_KEYS Andreas J. Reichel
2019-03-21 15:15 ` [PATCH v8 7/7] docs: Update user_manual.md Andreas J. Reichel
2019-03-25 10:19 ` [PATCH v8 0/7] Fix usage of additional apt keys and repos Andreas Reichel
2019-03-25 10:35   ` Maxim Yu. Osipov
2019-03-25 11:28     ` Andreas Reichel
2019-03-25 11:39       ` Maxim Yu. Osipov
2019-04-12 12:52         ` Henning Schild
2019-04-15 13:14           ` Andreas Reichel
2019-07-09 11:04             ` Henning Schild

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=948fa832-67d1-37d1-02b0-7120ab7546d4@ilbers.de \
    --to=mosipov@ilbers.de \
    --cc=andreas.reichel.ext@siemens.com \
    --cc=isar-users@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox