Your message dated Mon, 13 Jun 2005 11:02:27 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#313383: fixed in debootstrap 0.3.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jun 2005 11:16:02 +0000
>From [EMAIL PROTECTED] Mon Jun 13 04:16:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from master.debian.org [146.82.138.7] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DhmvC-0006cp-00; Mon, 13 Jun 2005 04:16:02 -0700
Received: from cjwatson by master.debian.org with local (Exim 3.35 1 (Debian))
        id 1DhmvB-0000gc-00; Mon, 13 Jun 2005 06:16:01 -0500
Date: Mon, 13 Jun 2005 06:16:01 -0500
From: Colin Watson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: debootstrap: Release.gpg validation support
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="d6Gm4EdcadzBjdND"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Sender: Colin Watson <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        OUR_MTA_MSGID autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: debootstrap
Version: 0.2.45
Severity: wishlist

Attached is the Ubuntu patch for Release.gpg validation, extracted from
0.2.45ubuntu21 and 0.2.45ubuntu24. I haven't checked it against 0.3 at
all yet, I'm afraid ...

  * Suppress untrue "Validating" messages.
  * Add --keyring option, allowing verification of Release.gpg against a
    given keyring.

Cheers,

-- 
Colin Watson                                       [EMAIL PROTECTED]

--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="keyring.diff"

diff -Nru /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/debootstrap 
/tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/debootstrap
--- /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/debootstrap      2004-12-30 
16:48:11.000000000 +0000
+++ /tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/debootstrap      2005-01-17 
13:07:18.000000000 +0000
@@ -18,6 +18,7 @@
 LANG=C
 USE_COMPONENTS=main
 VARIANT=""
+KEYRING=""
 DEBCONF_ADMIN_EMAIL=""
 
 export LANG USE_COMPONENTS DEBCONF_ADMIN_EMAIL
@@ -51,6 +52,7 @@
                              archive
       --variant=X            use variant X of the bootstrap scripts
                              (currently supported variants: buildd)
+      --keyring=K            check Release files against keyring K
 EOF
 }
 
@@ -130,6 +132,13 @@
     VARIANT="$(echo "$1" | cut -f2 -d"=")"
     shift 1
     ;;
+  --keyring*)
+    if ! gpgv --version >/dev/null 2>&1; then
+        error 1 NEEDGPGV "gpgv not installed, but required by --keyring option"
+    fi
+    KEYRING="$(echo "$1" | cut -f2 -d"=")"
+    shift 1
+    ;;
        *)
          break
          ;;
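Review bot: In the --keyring*) branch, the glob and the cut-based parsing accept more than --keyring=K. cut prints the whole line when the delimiter is absent, so a bare --keyring sets KEYRING to the string --keyring, and a keyring path that itself contains = is cut off at the second field. Matching --keyring=*) and assigning KEYRING="${1#--keyring=}" avoids both (the patch already relies on this kind of expansion in ${relsigdest##*/}), and a [ -r "$KEYRING" ] test here would report a missing keyring file before any download starts instead of through gpgv's status output later.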
diff -Nru /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/functions 
/tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/functions
--- /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/functions        2004-12-30 
16:48:11.000000000 +0000
+++ /tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/functions        2005-01-17 
16:55:40.000000000 +0000
@@ -213,8 +213,9 @@
   fi
   
   if [ -e "$2" ]; then
-    info VALIDATING "Validating %s" "$displayname"
-    if [ "$3" = "" ] || check_md5 $2 $3 $4; then
+    if [ "$3" = "" ] || \
+       (info VALIDATING "Validating %s" "$displayname"
+        check_md5 $2 $3 $4); then
       return 0
     else
       rm -f "$2"
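Review bot: The parenthesised group in the new condition forks a subshell only to run info before check_md5; a brace group, { info VALIDATING "Validating %s" "$displayname"; check_md5 $2 $3 $4; }, yields the same exit status without the fork and without discarding any variables those functions might set. Separately, when "$3" is empty the existing file is now accepted with no message at all, so it may be worth logging that no checksum was available rather than staying silent.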
@@ -243,8 +244,9 @@
 
     info RETRIEVING "Retrieving %s" "$displayname"
     if ! just_get "$from" "$dest"; then continue; fi
-    info VALIDATING "Validating %s" "$displayname"
-    if [ "$md5" = "" ] || check_md5 $dest $md5 $siz; then
+    if [ "$md5" = "" ] || \
+       (info VALIDATING "Validating %s" "$displayname"
+        check_md5 $dest $md5 $siz); then
       case "$typ" in
         "gz") gunzip "$dest" ;;
         "bz2") bunzip2 "$dest" ;;
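Review bot: check_md5 $dest $md5 $siz in the added lines leaves $dest unquoted, while the gunzip and bunzip2 calls just below quote it; a target path containing whitespace would be split into several arguments here. Quoting all three arguments keeps the call consistent with the rest of the function.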
@@ -356,6 +358,52 @@
   esac
 }
 
+######################################################## signature checking
+
+read_gpg_status () {
+  badsig=
+  nopubkey=
+  validsig=
+  while read prefix keyword keyid rest; do
+    [ "$prefix" = '[GNUPG:]' ] || continue
+    case $keyword in
+      BADSIG) badsig="$keyid" ;;
+      NO_PUBKEY) nopubkey="$keyid" ;;
+      VALIDSIG) validsig="$keyid" ;;
+    esac
+  done
+  if [ "$validsig" ]; then
+    return 0
+  elif [ "$badsig" ]; then
+    error 1 BADRELSIG "Invalid Release signature (key id %s)" "$badsig"
+  elif [ "$nopubkey" ]; then
+    error 1 UNKNOWNRELSIG "Release signed by unknown key (key id %s)" \
+      "$nopubkey"
+  else
+    error 1 SIGCHECK "Error executing gpgv to check Release signature"
+  fi
+}
+
+download_valid_sig () {
+  local m1="$1"
+  local reldest="$2"
+  local relsigdest="$TARGET/$($DLDEST rel $SUITE $m1 dists/$SUITE/Release.gpg)"
+  if [ "$KEYRING" ]; then
+    progress 0 100 DOWNRELSIG "Downloading Release file signature"
+    progress_next 50
+    get "$m1/dists/$SUITE/Release.gpg" $relsigdest ||
+      error 1 NOGETRELSIG "Failed getting release signature file %s" \
+        "$m1/dists/$SUITE/Release.gpg"
+    progress 50 100 DOWNRELSIG "Downloading Release file signature"
+    info VALIDATING "Validating %s" "${relsigdest##*/}"
+    # Don't worry about the exit status from gpgv; parsing the output will
+    # take care of that.
+    (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+     "$relsigdest" "$reldest" || true) | read_gpg_status
+    progress 100 100 DOWNRELSIG "Downloading Release file signature"
+  fi
+}
+
 ################################################################## download
 
 get_release_md5 () {
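Review bot: In download_valid_sig, read_gpg_status is the last stage of a pipeline and its exit status is never tested, so the verdict depends entirely on error terminating the whole script from inside that stage. Shells commonly run pipeline stages in a subshell, in which case an exit from error ends only the subshell and the function carries on to progress 100 100 and returns success. Testing the result explicitly, for example by appending || exit 1 to the pipeline (or || return 1, with the caller checking it), makes the failure path fail closed whatever the shell does. In read_gpg_status itself, only BADSIG, NO_PUBKEY and VALIDSIG are acted on and VALIDSIG takes precedence; GnuPG also reports VALIDSIG together with EXPKEYSIG or REVKEYSIG for signatures made by expired or revoked keys, so those keywords should be recorded and treated as failures. A comment explaining why --ignore-time-conflict is needed would help as well.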
@@ -391,6 +439,8 @@
   fi
   progress 100 100 DOWNREL "Downloading Release file"
 
+  download_valid_sig "$m1" "$reldest"
+
   local totalpkgs=0
   for c in $COMPONENTS; do
       local subpath="$c/binary-$ARCH/Packages"
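Review bot: The new call to download_valid_sig is silent when KEYRING is empty, which is the default set in the first hunk, so the output gives no indication that the Release file was accepted without a signature check. An info or warning line on that path (an else branch of the [ "$KEYRING" ] test) would let users and frontends tell an authenticated bootstrap from an unauthenticated one. The call's return status is also discarded here, so any failure has to be enforced inside the function.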

--d6Gm4EdcadzBjdND--

---------------------------------------
Received: (at 313383-close) by bugs.debian.org; 13 Jun 2005 15:25:26 +0000
>From [EMAIL PROTECTED] Mon Jun 13 08:25:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DhqYI-0001Ym-00; Mon, 13 Jun 2005 08:08:38 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DhqSJ-0001B1-00; Mon, 13 Jun 2005 11:02:27 -0400
From: Anthony Towns <[email protected]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#313383: fixed in debootstrap 0.3.1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 13 Jun 2005 11:02:27 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 8

Source: debootstrap
Source-Version: 0.3.1

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive:

debootstrap-udeb_0.3.1_i386.udeb
  to pool/main/d/debootstrap/debootstrap-udeb_0.3.1_i386.udeb
debootstrap_0.3.1.dsc
  to pool/main/d/debootstrap/debootstrap_0.3.1.dsc
debootstrap_0.3.1.tar.gz
  to pool/main/d/debootstrap/debootstrap_0.3.1.tar.gz
debootstrap_0.3.1_all.deb
  to pool/main/d/debootstrap/debootstrap_0.3.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Towns <[email protected]> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 14 Jun 2005 00:22:55 +1000
Source: debootstrap
Binary: debootstrap-udeb debootstrap
Architecture: source all i386
Version: 0.3.1
Distribution: unstable
Urgency: low
Maintainer: Anthony Towns <[EMAIL PROTECTED]>
Changed-By: Anthony Towns <[email protected]>
Description: 
 debootstrap - Bootstrap a basic Debian system
 debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 88984 122465 131552 193134 229314 231109 244563 313383
Changes: 
 debootstrap (0.3.1) unstable; urgency=low
 .
   * sid script updated:
     - Determine base dynamically (Priority: required for required packages,
       Priority: important for base packages, Build-Essential: yes for buildd
       variant base). (Closes: Bug#88984, Bug#193134)
     - Use fine grained dpkg progress display, thanks again to Colin Watson.
       (Closes: Bug#229314, Bug#231109, Bug#244563)
 .
   * dpkg output (etc) goes to /var/log/bootstrap.log in the target, rather
     than stdout. This is probably difficult for frontends to capture
     at present.
 .
   * Parsing of Packages file sped up. (Yay!)
 .
   * debootstrap.deb now arch: all (Closes: Bug#122465, Bug#131552)
     - perl implementation of pkgdetails used by preference
     - devices.tar.gz reduced to minimal set of devices; frontends should
       setup udev or supply their own devices or similar in future
     - /usr/lib/debootstrap/arch not shipped
     - none of the above applies to udebs yet; though the devices.tar.gz
       change will eventually
 .
   * Support for verifying based on Release.gpg files (--keyring). Thanks
     to Colin Watson. (Closes: Bug#313383)
Files: 
 67fe34603f916b068328a43ea307bc2b 600 admin - debootstrap_0.3.1.dsc
 af3295b21eca76c07a91cb23a9b85474 44137 admin - debootstrap_0.3.1.tar.gz
 3aa4644988c6fc61806fa47b06c8bca6 48704 debian-installer required 
debootstrap-udeb_0.3.1_i386.udeb
 b481cd5274c77d36988beec3936b6175 39994 admin extra debootstrap_0.3.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iEYEARECAAYFAkKtmiUACgkQOxe8dCpOPqrf5QCfXFesLw/e6p7hQGA1hL0y8Ys1
krkAoJ/b+Yb4tJ/V5h/GPKJjH/k5I/sh
=QmOC
-----END PGP SIGNATURE-----

