Merge lp:~laney/debian-cd/focal into lp:~ubuntu-cdimage/debian-cd/ubun3

Proposed by Iain Lane on 2020-06-24
Status: Merged
Merged at revision: 2074
Proposed branch: lp:~laney/debian-cd/focal
Merge into: lp:~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 150 lines (+84/-11)
3 files modified
CONF.sh (+3/-6)
Makefile (+79/-0)
tools/add_secured (+2/-5)
To merge this branch: bzr merge lp:~laney/debian-cd/focal
Reviewer Review Type Date Requested Status
Steve Langasek 2020-06-24 Approve on 2020-06-25
Review via email: mp+386318@code.launchpad.net

This proposal supersedes a proposal from 2020-06-24.

Description of the change

Various fixes to make debian-cd work on focal (ancientminister, new cdimage host). I tried to retain compatibility with xenial (nusakan) - the changes have been tested there in isolation but I've not actually pulled an updated debian-cd to test them end-to-end.

Mainly gpg and some apt-related changes.

I could split this up into logical MPs if you want (but bzr...).

Iain Lane (laney) wrote : Posted in a previous version of this proposal
Iain Lane (laney) wrote : Posted in a previous version of this proposal

NO. Wrong target branch.

Steve Langasek (vorlon) :
review: Needs Information
Iain Lane (laney) :
lp:~laney/debian-cd/focal updated on 2020-06-25
2072. By Iain Lane on 2020-06-25

Makefile: Handle the keyring being present in -security/-updates/-proposed

This is a bit involved, since we need to find the newest one and use that.

Iain Lane (laney) wrote :

Ok, now it handles updates/security/proposed if they're enabled.

(I'm just trying a build of xenial and will reply again if that fails.)

lp:~laney/debian-cd/focal updated on 2020-06-25
2073. By Iain Lane on 2020-06-25

Makefile: Print when extracting the keyring

Useful for debugging when reading the logs later

2074. By Iain Lane on 2020-06-25

Makefile: Make keyrings from /usr/share/keyrings/ available too

Old versions of ubuntu-keyring shipped keys here. In case of collisions, we
prefer ones from trusted.gpg.d.

Steve Langasek (vorlon) wrote :

Approved, provided it actually works :)

review: Approve

Preview Diff

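--- a/CONF.sh
+++ b/CONF.sh
@@ -15,8 +15,7 @@
 #unset LOCAL || true
 #unset LOCALDEBS || true
 unset SECURED || true
-unset SECRET_KEYRING || true
-unset PUBLIC_KEYRING || true
+unset GPG_HOMEDIR || true
 unset SIGNING_KEYID || true
 unset SECURITY || true
 unset BOOTDIR || true
@@ -408,13 +407,11 @@
 case $DIST in
 warty) ;;
 hoary|breezy|dapper|edgy|feisty|gutsy|hardy|intrepid|jaunty|karmic|lucid|maverick|natty|oneiric|precise|quantal|raring|saucy|trusty|utopic|vivid|wily)
- export SECRET_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/secring.gpg
- export PUBLIC_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/pubring.gpg
+ export GPG_HOMEDIR=$CDIMAGE_ROOT/secret/dot-gnupg/
 export SIGNING_KEYID=C5986B4F1257FFA86632CBA746181433FBB75451
 ;;
 *)
- export SECRET_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/secring.gpg
- export PUBLIC_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/pubring.gpg
+ export GPG_HOMEDIR=$CDIMAGE_ROOT/secret/dot-gnupg/
 export SIGNING_KEYID=843938DF228D22F7B3742BC0D94AA3F0EFE21092
 ;;
 esac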
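Review bot: Both arms of `case $DIST` now export the identical `GPG_HOMEDIR=$CDIMAGE_ROOT/secret/dot-gnupg/`, so the assignment could be made once before the `case`, leaving only `SIGNING_KEYID` to differ per arm. The first hunk also stops unsetting `SECRET_KEYRING` and `PUBLIC_KEYRING`, so a value inherited from the calling environment now passes through CONF.sh untouched. If any script outside this diff still reads those two variables it would pick up that stale value or skip signing, which is worth a grep before relying on the change. A short comment above the export, for example `# gpg >= 2.1 ignores --secret-keyring, so point gpg at the whole homedir`, would record why the two keyring variables were replaced.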
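--- a/Makefile
+++ b/Makefile
@@ -89,6 +89,9 @@
 ifndef HOOK
 HOOK=$(BASEDIR)/tools/$(CODENAME).hook
 endif
+ifndef ARCHIVE_KEYRING_PACKAGE
+ARCHIVE_KEYRING_PACKAGE=ubuntu-keyring
+endif
 ifneq "$(wildcard $(MIRROR)/dists/$(DI_CODENAME)/main/disks-$(ARCH))" ""
 ifndef BOOTDISKS
 export BOOTDISKS=$(MIRROR)/dists/$(DI_CODENAME)/main/disks-$(ARCH)
@@ -377,12 +380,88 @@
 
 ## STATUS and APT ##
 
+# Some series (< xenial) don't have xz indices
+INDEX_EXTENSION=xz
+INDEX_DECOMPRESSOR=xzcat
+INDICES=$(wildcard $(MIRROR)/dists/$(CODENAME)*/*/binary-$(ARCH)/Packages.$(INDEX_EXTENSION))
+
+ifeq (,$(INDICES))
+INDEX_EXTENSION=gz
+INDEX_DECOMPRESSOR=zcat
+endif # $(INDICES)
+
+FIND_VERSION_FILENAME=$(shell $(INDEX_DECOMPRESSOR) $(MIRROR)/dists/$(CODENAME)$(1)/main/binary-$(ARCH)/Packages.$(INDEX_EXTENSION) | grep-dctrl -n -X -FPackage -sVersion,Filename $(ARCHIVE_KEYRING_PACKAGE))
+VERSION_GT=$(shell dpkg --compare-version $(1) gt $(2) && echo yes)
+
+ifeq (1,$(PROPOSED))
+PROPOSED_VERSION_FILENAME=$(call FIND_VERSION_FILENAME,-proposed)
+KEYRING_VERSION=$(firstword $(PROPOSED_VERSION_FILENAME))
+KEYRING_FILENAME=$(lastword $(PROPOSED_VERSION_FILENAME))
+endif # $(PROPOSED)
+
+ifeq (1,$(UPDATES))
+UPDATES_VERSION_FILENAME=$(call FIND_VERSION_FILENAME,-updates)
+UPDATES_VERSION=$(firstword $(UPDATES_VERSION_FILENAME))
+
+ifneq (,$(UPDATES_VERSION))
+ifneq (,$(KEYRING_VERSION))
+ifeq (yes,$(call VERSION_GT,$(UPDATES_VERSION),$(KEYRING_VERSION)))
+KEYRING_VERSION=$(UPDATES_VERSION)
+KEYRING_FILENAME=$(lastword $(UPDATES_VERSION_FILENAME))
+endif # $(VERSION_GT)
+else # $(KEYRING_VERSION)
+KEYRING_VERSION=$(UPDATES_VERSION)
+KEYRING_FILENAME=$(lastword $(UPDATES_VERSION_FILENAME))
+endif # $(KEYRING_VERSION)
+endif # $(UPDATES_VERSION)
+
+endif # $(UPDATES)
+
+# SECURITY isn't a bool, it's a string pointing to the security mirror
+ifneq (,$(SECURITY))
+SECURITY_VERSION_FILENAME=$(call FIND_VERSION_FILENAME,-security)
+SECURITY_VERSION=$(firstword $(SECURITY_VERSION_FILENAME))
+
+ifneq (,$(SECURITY_VERSION))
+ifneq (,$(KEYRING_VERSION))
+ifeq (yes,$(call VERSION_GT,$(SECURITY_VERSION),$(KEYRING_VERSION)))
+KEYRING_VERSION=$(SECURITY_VERSION)
+KEYRING_FILENAME=$(lastword $(SECURITY_VERSION_FILENAME))
+endif # $(VERSION_GT)
+else # $(KEYRING_VERSION)
+KEYRING_VERSION=$(SECURITY_VERSION)
+KEYRING_FILENAME=$(lastword $(SECURITY_VERSION_FILENAME))
+endif # $(KEYRING_VERSION)
+endif # $(SECURITY_VERSION)
+
+endif # $(SECURITY)
+
+# We don't have a -security, -proposed or -updates keyring. Use the one in release.
+ifeq ($(KEYRING_FILENAME),)
+KEYRING_FILENAME=$(lastword $(call FIND_VERSION_FILENAME))
+endif # $(KEYRING_FILENAME)
+
 # Regenerate the status file with only packages that
 # are of priority standard or higher
 status: init $(ADIR)/status
 $(ADIR)/status:
 @echo "Generating a fake status file for apt-get and apt-cache..."
 :> $(ADIR)/status
+ @echo "Setting up archive-keyring"
+ $(Q)mkdir -p $(TDIR)/archive-keyring
+ @echo "Will extract $(MIRROR)/$(KEYRING_FILENAME) to $(TDIR)/archive-keyring"
+ $(Q)dpkg -x $(MIRROR)/$(KEYRING_FILENAME) $(TDIR)/archive-keyring
+ $(Q)mkdir -p $(ADIR)/apt/trusted.gpg.d
+ $(Q)for file in $(TDIR)/archive-keyring/etc/apt/trusted.gpg.d/*; do \
+ if [ -e $$file ]; then \
+ ln -s $$file $(ADIR)/apt/trusted.gpg.d/$$(basename $$file); \
+ fi; \
+ done
+ $(Q)for file in $(TDIR)/archive-keyring/usr/share/keyrings/*; do \
+ if [ -e $$file ] && ! [ -e $(ADIR)/apt/trusted.gpg.d/$$(basename $$file) ]; then \
+ ln -s $$file $(ADIR)/apt/trusted.gpg.d/$$(basename $$file); \
+ fi; \
+ done
 # Updating the apt database
 $(Q)$(apt) update
 #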
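Review bot: `VERSION_GT` in the second hunk runs `dpkg --compare-version`, but the option dpkg documents is `--compare-versions`. As far as I know dpkg does not accept abbreviated long options, so the `$(shell …)` would expand to nothing and `ifeq (yes,…)` would never be true. In that case, once one pocket has set `KEYRING_VERSION`, a newer keyring in `-updates` or `-security` is never selected, and the keys linked into `$(ADIR)/apt/trusted.gpg.d` may not be the newest set. The fix is `VERSION_GT=$(shell dpkg --compare-versions $(1) gt $(2) && echo yes)`. Separately, the extracted .deb becomes apt's trust root and nothing visible in this hunk checks it against a signed Release or a Packages hash, so a comment stating that its integrity rests on the local mirror would help.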
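--- a/tools/add_secured
+++ b/tools/add_secured
@@ -8,11 +8,8 @@
 # Complete the "Release" file if it exists
 
 sign_release () {
- if [ "$SECRET_KEYRING" ] && [ "$SIGNING_KEYID" ]; then
- GPGKEYRINGOPTS="--secret-keyring $SECRET_KEYRING"
- if [ "$PUBLIC_KEYRING" ]; then
- GPGKEYRINGOPTS="$GPGKEYRINGOPTS --keyring $PUBLIC_KEYRING"
- fi
+ if [ "$GPG_HOMEDIR" ] && [ "$SIGNING_KEYID" ]; then
+ GPGKEYRINGOPTS="--homedir $GPG_HOMEDIR"
 gpg $GPGKEYRINGOPTS --default-key "$SIGNING_KEYID" \
 --no-options --batch --no-tty --armour \
 --digest-algo SHA512 --detach-sign < "$1" > "$1.gpg"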
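Review bot: `GPGKEYRINGOPTS="--homedir $GPG_HOMEDIR"` is expanded unquoted in `gpg $GPGKEYRINGOPTS`, so a homedir path containing whitespace or glob characters would be split by the shell and gpg would receive a different `--homedir` than intended. Since this directory holds the signing key, the call is worth making robust. With only one option left the intermediate variable is unnecessary: `gpg --homedir "$GPG_HOMEDIR" --default-key "$SIGNING_KEYID" \`. When `GPG_HOMEDIR` is empty the `if` is false, but whether the Release file is then left unsigned without any message cannot be seen here, because sign_release's body continues past the hunk.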
