Merge lp:~stub/charm-helpers/fix-configure_sources into lp:charm-helpers
Proposed by Stuart Bishop

Status: Merged
Merged at revision: 196
Proposed branch: lp:~stub/charm-helpers/fix-configure_sources
Merge into: lp:charm-helpers
Diff against target: 118 lines (+64/-21), 2 files modified
  charmhelpers/fetch/__init__.py (+17/-3)
  tests/fetch/test_fetch.py (+47/-18)
To merge this branch: bzr merge lp:~stub/charm-helpers/fix-configure_sources
Related bugs:

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
David Britton (community) | Approve | ||

Review via email: mp+226684@code.launchpad.net

Description of the change
fetch.add_source() is blindly retrieving a key by GPG key id from a remote keyserver, which is in most cases insecure.
This branch addresses this security problem by allowing add_source() to accept a full GPG key, rather than just a GPG key id. This is Bug #1341527.
I've also fixed Bug #1269718 while I'm here. I elected to raise an exception rather than log an error and continue, as other parts of the code were already raising exceptions when invalid sources are requested.
That is a great addition to the mechanism IMO.
Could you please add a short docstring to the function explaining what the key parameter should be like? Example:
"""This function adds an entry to the sources.list file.
@param source: The archive's URL. Example: "http://archive.ubuntu.com"
@param key: The GPG key to verify the archive packages with. Can be either a
key ID or a full public key block. If only the key ID is specified the
key will be fetched from the network via HKP."""
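
The two forms of `key` discussed in this proposal, as an added example that is not the charm-helpers code from this branch: a hypothetical helper `plan_key_import()` picks the `apt-key` invocation for a full key block or a key ID and raises on anything else. The function name, the keyserver URL and the sample key block are assumptions constructed for illustration.

```python
import re

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"
KEYSERVER = "hkp://keyserver.ubuntu.com:80"  # assumed keyserver URL
_HEX_ID = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)$")

# Constructed sample input; the body is a placeholder, not a real key.
SAMPLE_BLOCK = ARMOR_BEGIN + "\n\nmQENBFconstructedSAMPLE\n" + ARMOR_END + "\n"


def plan_key_import(key):
    """Return (argv, stdin_data, warning) for importing `key` with apt-key.

    Raises ValueError for input that is neither an armored public key block
    nor a hex key ID, rather than logging an error and continuing.
    """
    key = key.strip()
    if ARMOR_BEGIN in key:
        if ARMOR_END not in key:
            raise ValueError("truncated PGP public key block")
        # Full key supplied by the caller: no keyserver lookup is needed,
        # the key material is fed to apt-key on stdin.
        return ["apt-key", "add", "-"], key, None
    match = _HEX_ID.match(key)
    if not match or len(match.group(1)) not in (8, 16, 40):
        raise ValueError("key is neither a key block nor a hex key ID")
    hex_id = match.group(1).upper()
    warning = None
    if len(hex_id) < 40:
        # 8- and 16-digit IDs are truncations of the fingerprint, so the
        # caller ends up trusting whatever key the keyserver returns.
        warning = "key ID %s is not a full fingerprint" % hex_id
    argv = ["apt-key", "adv", "--keyserver", KEYSERVER,
            "--recv-keys", hex_id]
    return argv, None, warning


if __name__ == "__main__":
    for sample in (SAMPLE_BLOCK, "0x1a2b3c4d", "A" * 40):
        argv, stdin_data, warning = plan_key_import(sample)
        print(" ".join(argv), "| stdin:", stdin_data is not None,
              "| warning:", warning)
```

The caller would pass `argv` to `subprocess.check_call`, supplying `stdin_data` on standard input when it is not `None`.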