[buildd-tools-devel] [GIT] sbuild branch master updated. release/sbuild-0.69.0-19-g956fc29
Johannes Schauer
josch at moszumanska.debian.org
Fri Jul 1 06:11:14 UTC 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "sbuild".
The branch, master has been updated
via 956fc29b2e297e20f1ab9a9ddb80ae8fa04c3370 (commit)
via 3aa506b5cd2921c5c3349ddfdeff096f818815a8 (commit)
via 0d997aefa37288e0b6bc984e326b00bbd59823dd (commit)
via ca66503b58ba8b46d98de4f25942670e010f4959 (commit)
from 49f73182c0bc987da0d2e96585fa12ab0b07c93d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 956fc29b2e297e20f1ab9a9ddb80ae8fa04c3370
Author: Johannes 'josch' Schauer <josch at mister-muffin.de>
Date: Thu Jun 30 21:18:28 2016 +0200

Use armored ASCII GPG key pairs instead of the GPG binary format and support GPG 2.x inside the chroot

The GPG binary key format is not guaranteed to be compatible between
different versions of GPG. For example the 2.x format is incompatible
with the 1.x format and the other way round. Still, key pairs might be
generated with GPG 1.x outside the chroot and will be used with GPG 2.x
inside the chroot or the other way round. Thus, a solution is needed
which allows GPG 1.x key pairs to be used by GPG 2.x and the other way
round. One solution is the one implemented by this commit and was
proposed by Daniel Kahn Gillmor in #debian-gnupg (Thanks!!). Instead of
using the binary format, `sbuild-update --keygen` will now export the
key pair in armored ASCII format and GPG inside the chroot will import
the key pair. Since the armored ASCII key format is independent of the
GPG version generating or importing it, it doesn't matter which
combination of GPG is installed on the machine running `sbuild-update
--keygen` or inside the chroot. Thus, no limitations are created when
sbuild is to work on the same host with chroots containing different GPG
versions (for example of the 1.x and 2.x versions).

To implement this new handling of GPG key pairs, the
SBUILD_BUILD_DEPENDS_SECRET_KEY_ARMORED and
SBUILD_BUILD_DEPENDS_PUBLIC_KEY_ARMORED configuration options are
introduced by this commit and they deprecate the
SBUILD_BUILD_DEPENDS_SECRET_KEY and SBUILD_BUILD_DEPENDS_PUBLIC_KEY
option pair.

Sbuild will still be able to work with the old binary format for a
while. It will just not be able to handle chroots with an incompatible
GPG version until `sbuild-update --keygen` has been re-run on the host
to create the armored ASCII keys.

Furthermore, this commit adds support for GPG 2.x inside the chroot.
Those GPG versions will start a gpg-agent process once gpg is run. If
that process is not cleaned up before the chroot is exited, then closing
the chroot might fail because gpg-agent will still have open file
descriptors and thus unmounting filesystems might fail. Thus, if the
gpgconf executable exists, `gpgconf --kill gpg-agent` will be executed
to clean up any remaining gpg-agent processes after operations involving
gpg.

commit 3aa506b5cd2921c5c3349ddfdeff096f818815a8
Author: Johannes 'josch' Schauer <josch at mister-muffin.de>
Date: Thu Jun 30 21:17:39 2016 +0200

lib/Sbuild/Chroot.pm: add can_run() function to allow checking whether a program can be executed inside the chroot

commit 0d997aefa37288e0b6bc984e326b00bbd59823dd
Author: Johannes 'josch' Schauer <josch at mister-muffin.de>
Date: Thu Jun 30 21:16:01 2016 +0200

lib/Sbuild/Chroot.pm: escape special shell characters in get_read_file_handle() and get_write_file_handle()

commit ca66503b58ba8b46d98de4f25942670e010f4959
Author: Johannes 'josch' Schauer <josch at mister-muffin.de>
Date: Fri Jun 17 08:27:09 2016 +0200

lib/Sbuild/ResolverBase.pm: The generate_keys() function is not useful anymore.

It used to instruct users of missing keypairs and how to generate and
where to put them. But now that signing of the internal repository is
optional, this function was only executed when the keypairs were known
to exist, making this function essentially a no-op.

-----------------------------------------------------------------------
Summary of changes:
lib/Sbuild/Chroot.pm | 35 ++++++++++-
lib/Sbuild/ChrootSetup.pm | 35 +++++++++--
lib/Sbuild/Conf.pm | 18 +++++-
lib/Sbuild/ResolverBase.pm | 149 ++++++++++++++++++++++++++++++---------------
4 files changed, 178 insertions(+), 59 deletions(-)
hooks/post-receive
--
sbuild
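
An added example, not part of the commits above or of sbuild: a Python check that tells whether the bytes of a key file are armored ASCII or a binary format, verifies the armor CRC24, and names the first OpenPGP packet. The function names and the sample key bytes are constructed for illustration.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1
KEY_TAGS = {5: "secret key", 6: "public key"}  # OpenPGP packet tags

def crc24(data):
    """Checksum carried on the '=XXXX' line of an armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def first_packet(raw):
    """Name the first OpenPGP packet from its header octet."""
    if not raw or not raw[0] & 0x80:
        return "not OpenPGP"
    new_format = raw[0] & 0x40
    tag = raw[0] & 0x3F if new_format else (raw[0] >> 2) & 0x0F
    return KEY_TAGS.get(tag, "packet tag %d" % tag)

def armor(raw, kind):
    """Wrap binary packets in ASCII armor; used to build the sample below."""
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big"))
    return (b"-----BEGIN PGP %s-----\n\n%s=%s\n-----END PGP %s-----\n"
            % (kind, base64.encodebytes(raw), crc, kind))

def classify(data):
    """Return (encoding, first packet) for the bytes of a key file."""
    if data[8:12] == b"KBXf":                  # keybox magic (GnuPG 2.1+ pubring.kbx)
        return ("binary keybox", "keybox")
    if not data.startswith(b"-----BEGIN PGP "):
        return ("binary", first_packet(data))
    lines = data.decode("ascii").splitlines()
    start = lines.index("") + 1                # armor headers end at the blank line
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    body = lines[start:end]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(raw):
        raise ValueError("armor CRC24 mismatch")
    return ("armored ASCII", first_packet(raw))

# Constructed sample: only the packet header is meaningful, the body is filler.
SAMPLE_PUB = bytes([0x99, 0x00, 0x04]) + b"demo"   # old-format header, tag 6

if __name__ == "__main__":
    print(classify(SAMPLE_PUB))
    print(classify(armor(SAMPLE_PUB, b"PUBLIC KEY BLOCK")))
```
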