Bug#835075: [PATCH] use fake-pinentry (Closes: #835075)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 6 14:56:15 UTC 2016


Hi Gregor--

Thanks for the followup!

On Sat 2016-09-03 03:58:34 -0400, gregor herrmann wrote:
> 1) After the build finishes there are 6 instances of gpg-agent
>   running. In my cowbuilder setup this doesn't cause any issues and
>   they time out after some time (1 minute I guess).

right, those processes should time out after their temporary home
directories are removed.  I'm working with upstream on making that
timeout happen faster than a 1 minute delay, but it's not done yet.

> 2) autopkgtests initially failed with:
>
> t/30.inline-decrypt.t .... 
> 1..5
> ok 1 - An object of class 'MIME::Entity' isa 'MIME::Entity'
> gpg: keybox '/tmp/autopkgtest.n6im1C/autopkgtest_tmp/smoke7NpYaR/mgtrYHsk/pubring.kbx' created
> gpg: /tmp/autopkgtest.n6im1C/autopkgtest_tmp/smoke7NpYaR/mgtrYHsk/trustdb.gpg: trustdb created
> gpg: key 49539D60EFEA4EAD marked as ultimately trusted
> gpg: key 49539D60EFEA4EAD: public key "Mail::GnuPG Test Key <mail at gnupg.dom>" imported
> gpg: key 49539D60EFEA4EAD/49539D60EFEA4EAD: error sending to agent: No pinentry
> gpg: error building skey array: No pinentry
> [..]

Sounds like autopkgtests needs to also use fake-pinentry.pl, as you
pointed out in (4) ;)

Once this changeset is included upstream, we won't need the "chmod +x" any
longer.

> 3) This is in schroot-on-lvm. And here unmounting fails because of the
>    running gpg-agents leaving my schroot/lvm setup in a sad state.

right, but this is a different issue, related to gpg-agent not
terminating rapidly enough when its socket is removed (same as (1)).
I'm happy to track this as an issue, but it is a different issue than
835075.

> Altogether I think we need to think a bit more about this gpg-agent
> thing, currently this seems a bit too fragile to me.
>
> Another question is if we could have a fake-pinentry in some central
> place (gnupg binary package?) to be used from all packages instead of
> adding it everywhere?

I am happy to ship something like fake-pinentry.pl (a pinentry that
always returns "passphrase" and gamely accepts anything else) in a
separate package, or even in gnupg as /usr/lib/gnupg/fake-pinentry, but
it seems more important for me to get these fixes upstreamed.

I could even ship upstream's ./tests/openpgp/fake-pinentry.c there,
though i worry that it now has too many features, which might actually
encourage people to try to use it in non-dev environments; i think that
would be a bad outcome.

Also, for language-specific libraries like lib*-perl, upstream will want
this stuff to work on all platforms, and we can't guarantee that any
gnupg binary package on other platforms will ship a fake-pinentry.

So i think we should go ahead with this patch, as well as submitting it
upstream.  I'm happy to try to replicate it on the other lib*-perl
gnupg-related packages too if you're ok with this.

Regards,

       --dkg
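
The pinentry behaviour described in the message above (always answer "passphrase", accept everything else), sketched as an added example for throwaway test keyrings; it is not part of the original message, and it is neither the fake-pinentry.pl from the patch nor upstream's fake-pinentry.c. Python is used so the dialogue can be run and checked; the function names, the greeting text and the sample agent input are assumptions constructed for illustration.

```python
import io
import sys

FIXED_PASSPHRASE = "passphrase"  # the fixed answer described in the message


def assuan_escape(data):
    # Assuan data lines must percent-escape '%', CR and LF.
    return data.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def serve(inp, out):
    """Speak the pinentry side of the Assuan dialogue; return commands seen."""
    seen = []
    out.write("OK fake pinentry for test suites only\n")  # greeting (assumed text)
    out.flush()
    for raw in inp:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments get no reply
        command = line.split(" ", 1)[0].upper()
        seen.append(command)
        if command == "GETPIN":
            out.write("D " + assuan_escape(FIXED_PASSPHRASE) + "\n")
        out.write("OK\n")  # every other request is accepted without checks
        out.flush()
        if command == "BYE":
            break  # session over; later input must not be answered
    return seen


def demo():
    # Constructed sample of requests an agent might send; not captured traffic.
    agent = io.StringIO(
        "OPTION ttyname=/dev/pts/0\n"
        "SETDESC Please enter the passphrase\n"
        "GETPIN\n"
        "BYE\n"
        "GETPIN\n"
    )
    reply = io.StringIO()
    seen = serve(agent, reply)
    return seen, reply.getvalue().splitlines()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

A test harness would point gpg-agent at such a script with the `pinentry-program` option in the `gpg-agent.conf` of a temporary GNUPGHOME, never in a real user's configuration.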