Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.2.2 2015-12-19T22:04:34Z 2015-12-19T22:04:34Z David Kalnischkies david@kalnischkies.de 2015-12-18T11:35:43Z urn:sha1:803491dc568d2994745c3c4359f68053f7261658 The presents (even of an empty) secring.gpg is indication enough for gpg2 to tigger the migration code which not only produces a bunch of output on each apt-key call, but also takes a while to complete as an agent needs to be started and all that. We workaround the first part by forcing the migration to happen always in a call we forced into silence, but that leaves us with an agent to start all the time – with a bit of reordering we can make it so that we do not explicitly create the secring, but let gpg create it if needed, which prevents the migration from being triggered and we have at least a bit less of a need for an agent. Changes - even to public only keyrings - still require one, but such actions are infrequent in comparison to verification calls, so that should be a net improvement. 2015-12-19T22:04:34Z David Kalnischkies david@kalnischkies.de 2015-12-17T16:41:11Z urn:sha1:bc8f83a5afd858206efe518c31bbb1ac948a39a3 apt-key creates internally a script (since ~1.1) which it will call to avoid dealing with an array of different options in the code itself, but while writing this script it wraps the values in "", which will cause the shell to evaluate its content upon execution. To make 'use' of this either set a absolute gpg command or TMPDIR to something as interesting as: "/tmp/This is fü\$\$ing cràzy, \$(man man | head -n1 | cut -d' ' -f1)\$!" If such paths can be encountered in reality is a different question… 2015-12-06T23:09:10Z David Kalnischkies david@kalnischkies.de 2015-12-06T23:09:10Z urn:sha1:e23ee4c21c6d8045ab020526aa864a48dc16ddd9 In e75e5879 'replace "which" with "command -v" for portability' I missed that command -v isn't actually required to be available in debian, so for the 5 files we are using it: Two (abicheck/run_abi_test & test/integration/framework) are called in environments were I believe sh is at least dash or 'better' as the first one is "interactive" for apt developers and the later is sourced by ~200 tests in the same directory run by hand and ci-services – for the later we have pulled some uglier hacks for worser things already, so if there should actually end up needing something more compatible we will notice eventually (and the later actually had a command -v call for some time already and nobody came running). debian/rules and debian/apt.cron.daily I switched back to which as that is more or less debian-specific or at least highly non-critical. That leaves cmdline/apt-key.in with a bunch of calls where I will implement that functionality in shell as this is relatively short-lived as it is used to detect wget (for net-update, which Michael wants to revive and in that process will properly use apt-helper instead of wget) and to detect gpg vs. gpg2 systems, where the earlier is supposed to go away in the longrun (or the later, but by replacing the earlier…). [and this gpg/gpg2 detection is new in sid, so I have some sympathy for that being a problem now.] Thanks: Jakub Wilk for pointing out #747320 2015-12-06T13:46:11Z David Kalnischkies david@kalnischkies.de 2015-12-06T13:46:11Z urn:sha1:804419029ab1b969c8d2dedb9b3443225058521f After e75e5879 the reason for an implicit dependency on debianutils (which is essential for debian, but likely not on other systems) was just two uses of run-parts, which can be replaced with the a lot more portable find-piped-into-sort duo. 2015-12-06T13:03:35Z David Kalnischkies david@kalnischkies.de 2015-12-06T13:03:35Z urn:sha1:e75e5879c0e8d232a2e8f045685beeb8c965aba4 which is a debian specific tool packaged in debianutils (essential) while command is a shell builtin defined by POSIX. Closes: 807144 Thanks: Mingye Wang for the suggestion. 2015-09-14T13:22:19Z David Kalnischkies david@kalnischkies.de 2015-09-13T20:16:32Z urn:sha1:fecfbf2e4cbb71d20364306baf6aa7886c5f3ecd Filenames we get could include spaces, but also the tmpdir we work in and the failures we print in return a very generic and unhelpful… Properly supporting spaces is a bit painful as we constructed gpg command before, which is now moved to (multilevel) calls to temporary scripts instead. 2015-08-27T09:27:44Z David Kalnischkies david@kalnischkies.de 2015-08-22T14:22:08Z urn:sha1:3a8776a37af38127fb04565959e8e0e449eb04a4 Reported-By: codespell 2015-08-10T15:25:26Z David Kalnischkies david@kalnischkies.de 2015-07-07T09:46:39Z urn:sha1:25f2731928f0b571f7521d7d7a7e301499d0f6ee If all keyrings are simple keyrings we can merge the keyrings with cat rather than doing a detour over gpg --export | --import (see #790665), which means 'apt-key verify' can do without gpg and just use gpgv as before the merging change. We declare this gpgv usage explicit now in the dependencies. This isn't a new dependency as gnupg as well as debian-archive-keyring depend on and we used it before unconditionally, just that we didn't declare it. The handling of the merged keyring needs to be slightly different as our merged keyring can end up containing the same key multiple times, but at least currently gpg does remove only the first occurrence with --delete-keys, so we move the handling to a if one is gone, all are gone rather than an (implicit) quid pro quo or even no effect. Thanks: Daniel Kahn Gillmor for the suggestion 2015-08-10T15:25:26Z David Kalnischkies david@kalnischkies.de 2015-07-06T19:15:45Z urn:sha1:f14cde2ca702f72415486bf5c310208a7c500e9c The output of gpg slightly changes in 2.1 which breaks the testcase, but the real problem is that this branch introduces a new default keyring format (which is called keybox) and mixing it with simple keyrings (the previous default format) has various problems like failing in the keybox to keyring import (#790665) or [older] gpgv versions not being able to deal with keyboxes (and newer versions as well currently: https://bugs.gnupg.org/gnupg/issue2025). We fix this by being a bit more careful in who creates keyrings (aka: we do it or we take a simple keyring as base) to ensure we always have a keyring instead of a keybox. This way we can ensure that any version combination of gpv/gpgv2 and gnupg/gnupg2 without doing explicit version checks and use the same code for all of them. Closes: 781042 2015-08-10T15:25:26Z David Kalnischkies david@kalnischkies.de 2015-07-06T14:44:01Z urn:sha1:c1642be522a9d9cf5a4a9f2dd8794cfaf0264fb5 It is sometimes handy to know how apt-key exactly called gpg, so adding a pair of options to be able to see this if wanted is added. Two are needed as some commands output is redirected to /dev/null, while sfor others stdout is piped into another gpg call so in both cases you wouldn't see all and hence you can choose. Git-Dch: Ignore