[buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?

Roger Leigh rleigh at codelibre.net
Thu Dec 30 18:33:48 UTC 2010


On Thu, Dec 30, 2010 at 07:24:20PM +0100, Cyril Brulebois wrote:
> Roger Leigh <rleigh at codelibre.net> (30/12/2010):
> > > Per host.  It's stored in /var/lib/sbuild/apt-keys .
> > 
> > Note that if there's a reason to do it per-chroot, we can do that.
> > I couldn't envisage any security issues in sharing this key between
> > chroots, but if there are it's a simple change.
> 
> Was just wondering whether this might make sense to move key creation
> to sbuild's install time (openssh-server's style). Might be, if/when
> the default resolver gets changed.
> 
> (“make sense” as in “can be thought of if it's per-host, and not if
> it's per-chroot”; other considerations left aside.)

I did consider triggering this in the postinst.  I was concerned that
this could break package installation on systems with scarce entropy
by blocking package installation indefinitely.  Since this is currently
an optional feature, I opted to allow generation when required.

After squeeze, I'd like to look at moving to the apt resolver (having
more consistent/predictable behaviour than aptitude).  If we do make
this change, then we can consider generating at install time given that
it's required for sbuild to work.  We now have tested the apt resolver
quite extensively and the main blocker is making sure it behaves
completely consistently for a given package set and base chroot to
ensure reproducibility.  Now we have clean cloned chroots for building,
the main issue of inconsistent builds in dirty chroots is now basically
a non-issue providing we use cloned chroots across the board.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.