[buildd-tools-devel] Bug#837188: sbuild: Signing the dummy release file and SBUILD_BUILD_DEPENDS_{SECRET|PUBLIC}_KEY seem deprecated

Guilhem Moulin guilhem at guilhem.org
Fri Sep 9 22:04:19 UTC 2016 

Package: sbuild
Version: 0.71.0-2
Severity: normal

Dear Maintainer,

#833547/#834898 have been fixed by adding a call to ‘gpgconf --kill
gpg-agent’.  I was wondering whether access to private key material from
inside the chroot is required at all?  Sbuild::ResolverBase reads

    # Sign the release file
    # This will only be done if the sbuild keys are present.
    # Once squeeze is not supported anymore, we want to never sign the
    # dummy repository anymore but instead make use of apt's support for
    # [trusted=yes] in wheezy and later.
    # On hosts that include apt 1.3~exp1 or newer (Debian squeeze or later)
    # the gnupg package will no longer be installed because apt doesn't depend
    # on it anymore.

After installing sbuild on sid, the directory ‘/var/lib/sbuild/apt-keys’
is left empty, thus sbuild doesn't sign the dummy Release file and apt
trusts it regardless thanks to the [trusted=yes] option.

However when *upgrading* sbuild from an older version, the key pair
‘/var/lib/sbuild/apt-keys/sbuild-key.{pub,sec}’, which was created for
compatibility with apt <1.3~exp1, is still used for signing the Release
file.  This code path seems obsolete to me as squeeze reached end of LTS
in February 2016.  Furthermore since signing the dummy Release file is
AFAICT currently the only reason why sbuild requires access to private
key material (hence spawns a gpg-agent(1) process with GnuPG 2.1.x) from
inside the chroot, removing ‘/var/lib/sbuild/apt-keys’ and
‘SBUILD_BUILD_DEPENDS_{SECRET|PUBLIC}_KEY’ should also remove the need
for the ‘gpgconf --kill gpg-agent’ workaround.

Thanks!
Cheers,
-- 
Guilhem.

PS: Adding the GnuPG maintainers to X-Debbugs-Cc at dkg's request.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sbuild depends on:
ii  adduser         3.115
ii  apt-utils       1.3~rc4
ii  libsbuild-perl  0.71.0-2
pn  perl:any        <none>

Versions of packages sbuild recommends:
ii  debootstrap  1.0.82

Versions of packages sbuild suggests:
pn  autopkgtest  <none>
ii  deborphan    1.7.28.8-0.3
ii  wget         1.18-2+b1

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20160910/d387f918/attachment.sig>

More information about the Buildd-tools-devel mailing list