Merge lp:~laney/debian-cd/focal into lp:~ubuntu-cdimage/debian-cd/ubun3

Proposed by Iain Lane on 2020-06-24
Status: Merged
Merged at revision: 2074
Proposed branch: lp:~laney/debian-cd/focal
Merge into: lp:~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 150 lines (+84/-11)
3 files modified
CONF.sh (+3/-6)
Makefile (+79/-0)
tools/add_secured (+2/-5)
To merge this branch: bzr merge lp:~laney/debian-cd/focal
Reviewer Review Type Date Requested Status
Steve Langasek 2020-06-24 Approve on 2020-06-25
Review via email: mp+386318@code.launchpad.net

This proposal supersedes a proposal from 2020-06-24.

Description of the change

Various fixes to make debian-cd work on focal (ancientminister, new cdimage host). I tried to retain compatibility with xenial (nusakan) - the changes have been tested there in isolation but I've not actually pulled an updated debian-cd to test them end-to-end.

Mainly gpg and some apt-related changes.

I could split this up into logical MPs if you want (but bzr...).

Iain Lane (laney) wrote : Posted in a previous version of this proposal
Iain Lane (laney) wrote : Posted in a previous version of this proposal

NO. Wrong target branch.

Steve Langasek (vorlon) :
review: Needs Information
Iain Lane (laney) :
lp:~laney/debian-cd/focal updated on 2020-06-25
2072. By Iain Lane on 2020-06-25

Makefile: Handle the keyring being present in -security/-updates/-proposed

This is a bit involved, since we need to find the newest one and use that.

Iain Lane (laney) wrote :

Ok, now it handles updates/security/proposed if they're enabled.

(I'm just trying a build of xenial and will reply again if that fails.)

lp:~laney/debian-cd/focal updated on 2020-06-25
2073. By Iain Lane on 2020-06-25

Makefile: Print when extracting the keyring

Useful for debugging when reading the logs later

2074. By Iain Lane on 2020-06-25

Makefile: Make keyrings from /usr/share/keyrings/ available too

Old versions of ubuntu-keyring shipped keys here. In case of collisions, we
prefer ones from trusted.gpg.d.

Steve Langasek (vorlon) wrote :

Approved, provided it actually works :)

review: Approve

Preview Diff

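--- a/CONF.sh
+++ b/CONF.sh
@@ -15,8 +15,7 @@
 #unset LOCAL || true
 #unset LOCALDEBS || true
 unset SECURED || true
-unset SECRET_KEYRING || true
-unset PUBLIC_KEYRING || true
+unset GPG_HOMEDIR || true
 unset SIGNING_KEYID || true
 unset SECURITY || true
 unset BOOTDIR || true
@@ -408,13 +407,11 @@
 case $DIST in
  warty) ;;
  hoary|breezy|dapper|edgy|feisty|gutsy|hardy|intrepid|jaunty|karmic|lucid|maverick|natty|oneiric|precise|quantal|raring|saucy|trusty|utopic|vivid|wily)
- export SECRET_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/secring.gpg
- export PUBLIC_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/pubring.gpg
+ export GPG_HOMEDIR=$CDIMAGE_ROOT/secret/dot-gnupg/
  export SIGNING_KEYID=C5986B4F1257FFA86632CBA746181433FBB75451
  ;;
  *)
- export SECRET_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/secring.gpg
- export PUBLIC_KEYRING=$CDIMAGE_ROOT/secret/dot-gnupg/pubring.gpg
+ export GPG_HOMEDIR=$CDIMAGE_ROOT/secret/dot-gnupg/
  export SIGNING_KEYID=843938DF228D22F7B3742BC0D94AA3F0EFE21092
  ;;
 esac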
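--- a/Makefile
+++ b/Makefile
@@ -89,6 +89,9 @@
 ifndef HOOK
 HOOK=$(BASEDIR)/tools/$(CODENAME).hook
 endif
+ifndef ARCHIVE_KEYRING_PACKAGE
+ARCHIVE_KEYRING_PACKAGE=ubuntu-keyring
+endif
 ifneq "$(wildcard $(MIRROR)/dists/$(DI_CODENAME)/main/disks-$(ARCH))" ""
 ifndef BOOTDISKS
 export BOOTDISKS=$(MIRROR)/dists/$(DI_CODENAME)/main/disks-$(ARCH)
@@ -377,12 +380,88 @@
 
 ## STATUS and APT ##
 
+# Some series (< xenial) don't have xz indices
+INDEX_EXTENSION=xz
+INDEX_DECOMPRESSOR=xzcat
+INDICES=$(wildcard $(MIRROR)/dists/$(CODENAME)*/*/binary-$(ARCH)/Packages.$(INDEX_EXTENSION))
+
+ifeq (,$(INDICES))
+INDEX_EXTENSION=gz
+INDEX_DECOMPRESSOR=zcat
+endif # $(INDICES)
+
+FIND_VERSION_FILENAME=$(shell $(INDEX_DECOMPRESSOR) $(MIRROR)/dists/$(CODENAME)$(1)/main/binary-$(ARCH)/Packages.$(INDEX_EXTENSION) | grep-dctrl -n -X -FPackage -sVersion,Filename $(ARCHIVE_KEYRING_PACKAGE))
+VERSION_GT=$(shell dpkg --compare-version $(1) gt $(2) && echo yes)
+
+ifeq (1,$(PROPOSED))
+PROPOSED_VERSION_FILENAME=$(call FIND_VERSION_FILENAME,-proposed)
+KEYRING_VERSION=$(firstword $(PROPOSED_VERSION_FILENAME))
+KEYRING_FILENAME=$(lastword $(PROPOSED_VERSION_FILENAME))
+endif # $(PROPOSED)
+
+ifeq (1,$(UPDATES))
+UPDATES_VERSION_FILENAME=$(call FIND_VERSION_FILENAME,-updates)
+UPDATES_VERSION=$(firstword $(UPDATES_VERSION_FILENAME))
+
+ifneq (,$(UPDATES_VERSION))
+ifneq (,$(KEYRING_VERSION))
+ifeq (yes,$(call VERSION_GT,$(UPDATES_VERSION),$(KEYRING_VERSION)))
+KEYRING_VERSION=$(UPDATES_VERSION)
+KEYRING_FILENAME=$(lastword $(UPDATES_VERSION_FILENAME))
+endif # $(VERSION_GT)
+else # $(KEYRING_VERSION)
+KEYRING_VERSION=$(UPDATES_VERSION)
+KEYRING_FILENAME=$(lastword $(UPDATES_VERSION_FILENAME))
+endif # $(KEYRING_VERSION)
+endif # $(UPDATES_VERSION)
+
+endif # $(UPDATES)
+
+# SECURITY isn't a bool, it's a string pointing to the security mirror
+ifneq (,$(SECURITY))
+SECURITY_VERSION_FILENAME=$(call FIND_VERSION_FILENAME,-security)
+SECURITY_VERSION=$(firstword $(SECURITY_VERSION_FILENAME))
+
+ifneq (,$(SECURITY_VERSION))
+ifneq (,$(KEYRING_VERSION))
+ifeq (yes,$(call VERSION_GT,$(SECURITY_VERSION),$(KEYRING_VERSION)))
+KEYRING_VERSION=$(SECURITY_VERSION)
+KEYRING_FILENAME=$(lastword $(SECURITY_VERSION_FILENAME))
+endif # $(VERSION_GT)
+else # $(KEYRING_VERSION)
+KEYRING_VERSION=$(SECURITY_VERSION)
+KEYRING_FILENAME=$(lastword $(SECURITY_VERSION_FILENAME))
+endif # $(KEYRING_VERSION)
+endif # $(SECURITY_VERSION)
+
+endif # $(SECURITY)
+
+# We don't have a -security, -proposed or -updates keyring. Use the one in release.
+ifeq ($(KEYRING_FILENAME),)
+KEYRING_FILENAME=$(lastword $(call FIND_VERSION_FILENAME))
+endif # $(KEYRING_FILENAME)
+
 # Regenerate the status file with only packages that
 # are of priority standard or higher
 status: init $(ADIR)/status
 $(ADIR)/status:
  @echo "Generating a fake status file for apt-get and apt-cache..."
  :> $(ADIR)/status
+ @echo "Setting up archive-keyring"
+ $(Q)mkdir -p $(TDIR)/archive-keyring
+ @echo "Will extract $(MIRROR)/$(KEYRING_FILENAME) to $(TDIR)/archive-keyring"
+ $(Q)dpkg -x $(MIRROR)/$(KEYRING_FILENAME) $(TDIR)/archive-keyring
+ $(Q)mkdir -p $(ADIR)/apt/trusted.gpg.d
+ $(Q)for file in $(TDIR)/archive-keyring/etc/apt/trusted.gpg.d/*; do \
+ if [ -e $$file ]; then \
+ ln -s $$file $(ADIR)/apt/trusted.gpg.d/$$(basename $$file); \
+ fi; \
+ done
+ $(Q)for file in $(TDIR)/archive-keyring/usr/share/keyrings/*; do \
+ if [ -e $$file ] && ! [ -e $(ADIR)/apt/trusted.gpg.d/$$(basename $$file) ]; then \
+ ln -s $$file $(ADIR)/apt/trusted.gpg.d/$$(basename $$file); \
+ fi; \
+ done
  # Updating the apt database
  $(Q)$(apt) update
  #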
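Review bot: `VERSION_GT` calls `dpkg --compare-version`, but the dpkg action is spelled `--compare-versions`; as far as I know dpkg does not accept abbreviated long options, so the `$(shell ...)` would print an error and never yield `yes`, and a newer keyring in -updates or -security would never replace one already picked from -proposed. The corrected line would be `VERSION_GT=$(shell dpkg --compare-versions $(1) gt $(2) && echo yes)`. Separately, the `$(ADIR)/status` recipe fills apt's `trusted.gpg.d` from a .deb read straight off `$(MIRROR)` with `dpkg -x`, and nothing visible in this hunk checks that file against a signed Release/Packages hash, so the keys used to authenticate the mirror come from the mirror itself; a comment stating where that trust is established, or a checksum check before extraction, would make the assumption explicit. If no pocket yields a match, `KEYRING_FILENAME` stays empty and the recipe runs `dpkg -x $(MIRROR)/`, so an `$(error ...)` guard on the empty value would give a clearer failure.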
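--- a/tools/add_secured
+++ b/tools/add_secured
@@ -8,11 +8,8 @@
 # Complete the "Release" file if it exists
 
 sign_release () {
- if [ "$SECRET_KEYRING" ] && [ "$SIGNING_KEYID" ]; then
- GPGKEYRINGOPTS="--secret-keyring $SECRET_KEYRING"
- if [ "$PUBLIC_KEYRING" ]; then
- GPGKEYRINGOPTS="$GPGKEYRINGOPTS --keyring $PUBLIC_KEYRING"
- fi
+ if [ "$GPG_HOMEDIR" ] && [ "$SIGNING_KEYID" ]; then
+ GPGKEYRINGOPTS="--homedir $GPG_HOMEDIR"
  gpg $GPGKEYRINGOPTS --default-key "$SIGNING_KEYID" \
  --no-options --batch --no-tty --armour \
  --digest-algo SHA512 --detach-sign < "$1" > "$1.gpg"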
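Review bot: In `sign_release`, `GPGKEYRINGOPTS="--homedir $GPG_HOMEDIR"` is later expanded unquoted as `gpg $GPGKEYRINGOPTS`, so a homedir path containing whitespace or glob characters would be split into several arguments and gpg would run against a different homedir than intended. With only one option left the variable can go: `gpg --homedir "$GPG_HOMEDIR" --default-key "$SIGNING_KEYID" \`. The body of sign_release continues outside the hunk, so whether gpg's exit status is checked after `$1.gpg` is written cannot be seen here.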
