gpgv udebs

Cyril Brulebois kibi at debian.org
Wed Aug 12 00:39:23 UTC 2015 

Hi all,

And thanks for getting in touch with us.

Daniel Kahn Gillmor <dkg at fifthhorseman.net> (2015-08-11):
> i believe the installer relies on gpgv for archive manifest signature
> verification.  we have gpgv-udeb for that purpose, i think.

That's the idea, yeah. Grepping through all of our packages → see the
results below my signature; that's basically base-installer and
net-retriever which depend on gpgv-udeb.

For the record, last time we've seen changes in gpgv, that was in:
  https://lists.debian.org/debian-boot/2014/01/msg00129.html

which eventually led to: #753985. Skimming through it again, it seems
win32-loader was somewhat affected as well. Adding Didier in the loop
explicitly just to be on the safe side.

> It's likely that at some point (i'm hoping before stretch) we'll want
> to move most of our GnuPG reliance to the 2.1 branch, since that will
> allow us to take advantage of stronger, smaller, faster cryptography
> and will also help to keep our tools aligned with where upstream's
> main development focus is.
> 
> As a result, i'd like to consider moving the gpgv udeb over to the
> gnupg2 package sometime soon.

ACK.

> gpgv2 has more dependencies than gpgv, though:
> 
> gpgv2 Depends: libbz2-1.0, libc6 (>= 2.14), libgcrypt20 (>= 1.6.1), libgpg-error0 (>= 1.14), libksba8 (>= 1.2.0), zlib1g (>= 1:1.1.4)
> 
>  gpgv Depends: libbz2-1.0, libc6 (>= 2.14), zlib1g (>= 1:1.1.4)
> 
> so we're talking about adding three dependencies as udebs:
> 
>   libgcrypt20, libgpg-error0, libksba8
> 
> Of these three dependencies:
> 
>  * gpg-error is simple/small/trivial: i don't think it's particularly
>    objectionable, and there's already a udeb for it.

It's already used in d-i as a dependency of libgcrypt20-udeb…

>  * libgcrypt is the actively-developed crypto library that the we want
>    to rely on instead what's effectively an embedded stripped-down copy
>    in gpgv, so i think this is an actively good dependency to add.
>    libgcrypt also already has a udeb.

… which in turn is pulled through libcryptsetup4-udeb (itself needed by
cryptsetup-udeb). We moved to it from libgcrypt11-udeb a while ago
(during the jessie release cycle if memory serves).

>  * libksba8 is the X.509 and CMS support library used by GnuPG.  we
>    probably don't strictly need this for the installer (our archive
>    signatures use OpenPGP signatures and not CMS).  I can work on a
>    stripped-down build of gpgv2 that doesn't have this dependency if we
>    think that would be useful for minimizing the installer.
>    Alternately, I can work with pkg-gnutls to add a udeb for libksba
>    (we've already discussed the possibility of transferring the libksba
>    from pkg-gnutls to pkg-gnupg)

If having a build for the installer (without libksba8 support, and
possibly with strong optimization options, see the thread I mentioned
earlier) is feasible, that would be preferred to having an extra udeb
pulled just for a feature we're not going to use anyway. It's not
absolutely mandatory, so if you're having issued unentangling gpgv-udeb
from libksba8 in the 2.1 branch, please say so and we'll reconsider.

> let me know if you have any concerns, preferences, or questions about
> this work, and if you have specific time windows that it would be good
> to aim for.

I'm currently aiming at a release in the next few days, but feel free to
prepare stealing gpgv-udeb in experimental, and ping back this thread
once it's available there. After some testing by the installer team, it
can go to unstable and migrate to testing when it's ready. I'll then
adjust the freeze file to point at the new source package for further
block-udeb sessions.


Mraw,
KiBi.


====================================================================================================================================

kibi at wodi:~/debian-installer/packages$ for i in base-installer net-retriever; do echo $i; echo $i|sed 's/./=/g'; (cd $i; ack gpgv); echo; echo; done
base-installer
==============
debian/control
19:Depends: ${shlibs:Depends}, mounted-partitions, created-fstab, base-installer, debootstrap-udeb (>= 1.0.7), gpgv-udeb, debian-archive-keyring-udeb, archdetect

debian/bootstrap-base.postinst
84:		if type gpgv >/dev/null; then
89:			warning "gpgv not found, not authenticating archive"

debian/bootstrap-base/DEBIAN/postinst
84:		if type gpgv >/dev/null; then
89:			warning "gpgv not found, not authenticating archive"

debian/bootstrap-base/DEBIAN/control
8:Depends: libc6-udeb (>= 2.19), libdebconfclient0-udeb, libdebian-installer4-udeb (>= 0.97), mounted-partitions, created-fstab, base-installer, debootstrap-udeb (>= 1.0.7), gpgv-udeb, debian-archive-keyring-udeb, archdetect

debian/changelog
1299:  * Depend on gpgv-udeb, which has apparently never really been pulled in
2363:  * If gpgv and a keyring are installed, enable debootstrap's Release
2451:    - Make apt-get use gpgv --ignore-time-conflict to avoid validation

debian/base-installer/usr/lib/base-installer/library.sh
166:Acquire::gpgv::Options { "--ignore-time-conflict"; };

library.sh
166:Acquire::gpgv::Options { "--ignore-time-conflict"; };


net-retriever
=============
debian/control
14:Depends: ${misc:Depends}, choose-mirror, configured-network, di-utils (>= 1.58), gpgv-udeb, debian-archive-keyring-udeb

debian/changelog
338:  * Depend on gpgv-udeb, which has apparently never really been pulled in
463:  * Use log-output for gpgv call.
531:    - Check signature of Release file if gpgv and a keyring are installed.

debian/net-retriever/usr/lib/debian-installer/retriever/net-retriever
178:			# If gpgv and a keyring are installed, authentication is
180:			if type gpgv >/dev/null && [ -f "$keyring" ]; then
188:					     gpgv --status-fd 1 --keyring "$keyring" \
195:			    log "Not verifying Release signature: gpgv not available"

debian/net-retriever/DEBIAN/control
6:Depends: cdebconf-udeb, choose-mirror, configured-network, di-utils (>= 1.58), gpgv-udeb, debian-archive-keyring-udeb

net-retriever
114:	# If gpgv and a keyring are installed, authentication is
116:	if type gpgv >/dev/null && [ -f "$keyring" ]; then
124:			     gpgv --status-fd 1 --keyring "$keyring" \
131:		log "Not verifying Release signature: gpgv not available"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20150812/9c8af4d5/attachment-0001.sig>

More information about the Pkg-gnutls-maint mailing list