[buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?

Roger Leigh rleigh at codelibre.net
Thu Dec 30 17:09:57 UTC 2010


On Wed, Dec 29, 2010 at 03:52:59PM +0000, Roger Leigh wrote:
> On Fri, Dec 24, 2010 at 08:56:31PM +0100, Cyril Brulebois wrote:
> > Dear Santa Claus,
> > 
> > can I haz entropy plz? sbuild seems to need it suddenly, which comes
> > like a big unpleasant surprise:
> > | Check arch
> > | ──────────
> > |
> > | dpkg-deb: building package `sbuild-build-depends-core-dummy' in
> > | `/tmp/resolver-PVdljw/apt_archive/sbuild-build-depends-core-dummy.deb'.
> > | Generating GPG local archive signing key...
> > |
> > | Not enough random bytes available.  Please do some other work to give
> > | the OS a chance to collect more entropy! (Need 277 more bytes)
> > 
> > It's a bit late in the Christmas gift release process, but hopefully
> > you'll make it in time.
> 
> Only just got back from the family, but I'll try for New Year!
> 
> 
> This is a one-time only event.  Once the key is generated (which you
> can do with "sbuild-update -k" on another system or outside a
> package build at your leisure) the same key will be used for all
> subsequent builds.
> 
> The current strategy is to allow you to generate your own key and
> put it in place.  If you haven't done that, it will autogenerate one
> the first time it's needed.  For buildds, you'll probably want to
> generate one elsewhere and copy it over.  Note this is in the
> release notes (NEWS.gz) for release 0.60.6.
> 
> If you have any thoughts on how we can do this better, that would be
> great.  apt and aptitude want the local archive signing, so we do it
> for that.  If using the "internal" resolver, no key is needed.

One alternative possibility would be to simply never autogenerate
keys, and skip the build if a GPG key wasn't already present.  This
would then require the user to generate a key by hand with
"sbuild-update -k".  While this would prevent the entropy issues
you ran into, it would inconvenience most users on whose systems the
autogeneration works.

In the interim, I've added a more prominent notice in sbuild 0.60.8;
we notify the user much more clearly that GPG key generation is taking
place.  While this doesn't fix the problem, it does at least make it
clearer as to what's going on.

It's an unfortunate circumstance that requires this.  The APT resolver
won't work correctly unless installing the dependency package from an
archive (or else it will consider removal of the dependency package as
a valid solution), which requires us to set up a local archive.  This
then requires the archive to be signed or else we have security issues
(APT::Get::AllowUnauthenticated=true would disable checking of all
repos).  If there's a way around this, I would definitely be happy to
consider it.  Ideally, apt-get would be as flexible as aptitude in
installing the dummy package, but at the moment it isn't.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
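As an added example, not code from the thread or from sbuild itself: a POSIX shell script that does what the reply recommends for buildds, generating the local-archive signing key once on a host with enough entropy so it can be copied over rather than autogenerated in the middle of a build. It assumes the key is kept as sbuild-key.pub and sbuild-key.sec in a directory such as /var/lib/sbuild/apt-keys (an assumption about sbuild's layout, not something the mail states; check what "sbuild-update -k" writes on your version), that gpg is 2.1 or newer (the %no-protection control line is what makes batch generation passphrase-less there), and the name and e-mail in the parameter file are placeholders.

```shell
#!/bin/sh
# Added example, not sbuild's own code: pre-generate the local apt archive
# signing key on a machine with plenty of entropy, then copy the result to
# the buildd so sbuild never has to autogenerate it in the middle of a build.
# Assumptions (not from the mail): the key files are sbuild-key.pub and
# sbuild-key.sec in the destination directory, and gpg is 2.1 or newer.
set -eu

# gpg reports its shortfall in bytes ("Need 277 more bytes"); the kernel
# reports /proc/sys/kernel/random/entropy_avail in bits.  Succeed when the
# pool estimate covers NEED_BYTES.
enough_entropy() {
    need_bytes=$1
    avail_bits=$2
    [ "$avail_bits" -ge $((need_bytes * 8)) ]
}

# Kernel pool estimate in bits; 0 where the file is missing (non-Linux,
# a restricted container), which then fails the check instead of hanging.
entropy_avail_bits() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo 0
    fi
}

# Unattended parameter file for "gpg --batch --gen-key".  Signing-only,
# no expiry, no passphrase: the key only signs a throwaway local archive
# and a passphrase prompt would stall the build.  %no-protection is the
# gpg >= 2.1 spelling; the identity strings are placeholders.
write_keyparams() {
    cat >"$1" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: sbuild local archive signing key
Name-Email: sbuild@example.invalid
Expire-Date: 0
%commit
EOF
}

# Generate inside a throwaway GNUPGHOME so the operator's own keyring is
# never touched, export the public and secret halves, then drop the home.
generate_signing_key() {
    dest=$1
    home=$(mktemp -d)
    write_keyparams "$home/params"
    GNUPGHOME="$home" gpg --batch --quiet --gen-key "$home/params"
    mkdir -p "$dest"
    GNUPGHOME="$home" gpg --batch --armor --export >"$dest/sbuild-key.pub"
    GNUPGHOME="$home" gpg --batch --armor --export-secret-keys >"$dest/sbuild-key.sec"
    chmod 600 "$dest/sbuild-key.sec"
    rm -rf "$home"
}

# Usage: sh gen-sbuild-key.sh /var/lib/sbuild/apt-keys
# Refuses to start when the pool looks too thin for a 2048-bit RSA key;
# 256 bytes is a rough pre-check, gpg still blocks if the pool drains.
if [ $# -gt 0 ]; then
    if ! enough_entropy 256 "$(entropy_avail_bits)"; then
        echo "entropy pool too low ($(entropy_avail_bits) bits); generate elsewhere" >&2
        exit 1
    fi
    generate_signing_key "$1"
    echo "key written to $1; copy both files (mode 0600 on the .sec) to the buildd"
fi
```

Run it on a workstation or any host where entropy is plentiful, then copy the two files to the buildd with scp or rsync, keeping the secret half at mode 0600 and owned by the user sbuild runs as. The point of going to this trouble rather than flipping APT::Get::AllowUnauthenticated is the one the mail makes: that option is global, so setting it to get the dummy package installed would also switch off signature checking for every real mirror the chroot pulls build-dependencies from.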