simplestreams

Merge lp:~xnox/simplestreams/sensible-default-keyring into lp:simplestreams

  1. sensible-default-keyring
  2. Merge into trunk
Proposed by Dimitri John Ledkov
Status: Rejected
Rejected by: Scott Moser
Proposed branch: lp:~xnox/simplestreams/sensible-default-keyring
Merge into: lp:simplestreams
Diff against target: 55 lines (+8/-4)
4 files modified
bin/sstream-mirror (+2/-1)
bin/sstream-query (+2/-1)
bin/sstream-sync (+2/-1)
tools/sstream-mirror-glance (+2/-1)
To merge this branch: bzr merge lp:~xnox/simplestreams/sensible-default-keyring
Reviewer Review Type Date Requested Status
Scott Moser (community) Needs Fixing
Michał Sawicz (community) Approve
Server Team CI bot continuous-integration Needs Fixing
Review via email: mp+340835@code.launchpad.net

Description of the change

Use sensible default for the cloud image keyring.

Now included in ubuntu-keyring, and available on all systems.

To post a comment you must log in.
Revision history for this message
Michał Sawicz (saviq) wrote :

If doing this, should mirror_url default to http://cloud-images.ubuntu.com/releases?

After all, any mirror other than cloud-images will not sign its streams with the keyring being made default?

review: Needs Information
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

We could default to that too. But an exact rsync mirror of cloud-images.ubuntu.com on the internal network, will still be signed with the same key, as long as it is not modified.

That's how our mirror networks work.... if you mirror it exactly, all signatures remain valid.

Revision history for this message
Server Team CI bot (server-team-bot) wrote :

FAILED: Continuous integration, rev:460
https://jenkins.ubuntu.com/server/job/simplestreams-ci/52/
Executed test runs:
    FAILURE: https://jenkins.ubuntu.com/server/job/simplestreams-ci/nodes=metal-amd64/52/console
    FAILURE: https://jenkins.ubuntu.com/server/job/simplestreams-ci/nodes=metal-arm64/52/console
    FAILURE: https://jenkins.ubuntu.com/server/job/simplestreams-ci/nodes=metal-ppc64el/52/console
    FAILURE: https://jenkins.ubuntu.com/server/job/simplestreams-ci/nodes=metal-s390x/52/console

Click here to trigger a rebuild:
https://jenkins.ubuntu.com/server/job/simplestreams-ci/52/rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
Michał Sawicz (saviq) wrote :

Fine by me, then.

review: Approve
Revision history for this message
Scott Moser (smoser) wrote :

The issue is that your default is very much not always sensible.

While the client (at least for you) might be primarily used to read data
from http://cloud-images.ubuntu.com/ which is signed by a key that is
in the keyring that youv'e given, that is not the only data that it
can read.

The behavior right now is
 a.) default to letting gpg use its default keyring (~/.gnupg or
 $GNUPGHOME)
 b.) allow user to provide a keyring

I do agree that it is annoying to have to provide a keyring path,
but I don't think that your solution is generally correct.

Here are some other signed streams that are not signed by a key
in the cloud-images keyring:
   http://streams.canonical.com/juju/tools/
   http://download.cirros-cloud.net/

If you set the default to the provided keyring, you will actually
break a user that has added the identities to their ~/.gnugp
that signed those streams.

So to fix this right, possibly we could have default keyring
based on the input url?

review: Needs Fixing
Revision history for this message
Scott Moser (smoser) wrote :

Hi.
We've moved simplestreams from bzr on launchpad to git on launchpad.
I'm going to mark this merge proposal as Rejected based only on
the fact that it is a bzr based merge proposal.

Please feel free to re-submit the merge proposal using the launchpad git.
Hopefully the cloud-init doc at
 http://cloudinit.readthedocs.io/en/latest/topics/hacking.html
should give you an idea on how to do that.

Unmerged revisions

460. By Dimitri John Ledkov

Have a sensible default for the simplestreams keyring, now shipped by all ubuntu systems.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'bin/sstream-mirror'
2--- bin/sstream-mirror 2015-10-29 18:21:50 +0000
3+++ bin/sstream-mirror 2018-03-06 10:59:23 +0000
4@@ -82,7 +82,8 @@
5 parser.add_argument('--log-file', default=sys.stderr,
6 type=argparse.FileType('w'))
7
8- parser.add_argument('--keyring', action='store', default=None,
9+ parser.add_argument('--keyring', action='store',
10+ default='/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg',
11 help='keyring to be specified to gpg via --keyring')
12 parser.add_argument('--no-verify', '-U', action='store_false',
13 dest='verify', default=True,
14
15=== modified file 'bin/sstream-query'
16--- bin/sstream-query 2016-11-28 14:54:35 +0000
17+++ bin/sstream-query 2018-03-06 10:59:23 +0000
18@@ -98,7 +98,8 @@
19 parser.add_argument('--log-file', default=sys.stderr,
20 type=argparse.FileType('w'))
21
22- parser.add_argument('--keyring', action='store', default=None,
23+ parser.add_argument('--keyring', action='store',
24+ default='/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg',
25 help='keyring to be specified to gpg via --keyring')
26 parser.add_argument('--no-verify', '-U', action='store_false',
27 dest='verify', default=True,
28
29=== modified file 'bin/sstream-sync'
30--- bin/sstream-sync 2016-11-28 14:54:35 +0000
31+++ bin/sstream-sync 2018-03-06 10:59:23 +0000
32@@ -85,7 +85,8 @@
33 parser.add_argument('--log-file', default=sys.stderr,
34 type=argparse.FileType('w'))
35
36- parser.add_argument('--keyring', action='store', default=None,
37+ parser.add_argument('--keyring', action='store',
38+ default='/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg',
39 help='keyring to be specified to gpg via --keyring')
40 parser.add_argument('--no-verify', '-U', action='store_false',
41 dest='verify', default=True,
42
43=== modified file 'tools/sstream-mirror-glance'
44--- tools/sstream-mirror-glance 2016-08-04 14:34:49 +0000
45+++ tools/sstream-mirror-glance 2018-03-06 10:59:23 +0000
46@@ -94,7 +94,8 @@
47 parser.add_argument('--log-file', default=sys.stderr,
48 type=argparse.FileType('w'))
49
50- parser.add_argument('--keyring', action='store', default=None,
51+ parser.add_argument('--keyring', action='store',
52+ default='/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg',
53 help='The keyring for gpg --keyring')
54
55 parser.add_argument('source_mirror')

Subscribers

People subscribed via source and target branches