[Bug 367666] New: Build Service OSC to auto download PGP keys for projects.
https://bugzilla.novell.com/show_bug.cgi?id=367666

           Summary: Build Service OSC to auto download PGP keys for projects.
           Product: openSUSE.org
           Version: unspecified
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: BuildService
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: gerberb@zenez.com
         QAContact: adrian@novell.com
          Found By: Other

I keep getting a gpg failure on local build because the gpg key is not on my system. I would like osc to download keys. The problem is that the BS has gpg keys that are not found on the public key servers. I would like them downloaded and either auto-installed, or allow me to install them. I do not like to use --no-verify for a local build. For most packages the keys are available, but it is a real pain to get the ones that do not exist.

Thanks,

Boyd Lynn Gerber
gerberb@zenez.com

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Cyril Hrubis <chrubis@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |poeml@novell.com
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c1

Peter Poeml <poeml@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |NEEDINFO
      Info Provider|        |adrian@novell.com

--- Comment #1 from Peter Poeml <poeml@novell.com> 2008-03-06 10:31:49 MST ---
Adrian, you had some thoughts on this. Could you please document them here?
User adrian@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c2

Adrian Schröter <adrian@novell.com> changed:

           What    |Removed           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO          |NEW
      Info Provider|adrian@novell.com |

--- Comment #2 from Adrian Schröter <adrian@novell.com> 2008-03-07 00:18:24 MST ---
osc can get the keys either via the repos (located in repodata/repomd.xml.key) or via api calls.

One aspect is that installing packages also to a build root hosted within chroot (not XEN) is almost as insecure as installing it into the system (regarding attacks by intention, not bugs that happen by accident). So in any case, osc should point the user to this and ask if he wants to start the build anyway by trusting these further repos, which are obviously not yet accepted in his system rpm database.

Afterwards, osc could either import the keys into the system wide rpm database or find some way to tell rpm running in the build script to use an additional key (or keyring).

A completely different (alternative) option would be to support XEN, qemu or any other virtualisation builds better on packager workstations. qemu should be easily doable in the build script (maybe I do this these days); it would slow down the build, but makes it hopefully secure in a way that the trust aspect becomes less important.
User adrian@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c3

Adrian Schröter <adrian@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |lnussel@novell.com

--- Comment #3 from Adrian Schröter <adrian@novell.com> 2008-03-07 01:49:15 MST ---
Adding Ludwig as build script and security expert in one person :)
User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c4

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2008-03-07 02:14:18 MST ---
The build script itself doesn't care about signatures. It just assumes that everything it gets is already verified. So all the magic is done by osc. It should just behave like e.g. zypper, i.e. download the key, show the fingerprint and ask the user whether to trust it.

qemu does not protect against intentionally malicious code either. I already have qemu (and uml) support in lbuild nevertheless though.
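The "download the key, show the fingerprint, ask the user" step that comment #4 describes, as an added Python example (not osc's own code): it strips the ASCII armor of a key block in the form served as repodata/repomd.xml.key (comment #2), computes the v4 OpenPGP fingerprint and leaves the trust decision to a callback. The key it parses is a constructed dummy with tiny MPIs, not a real repository key, and the armor is assumed to have the usual blank line after its headers.

```python
import base64
import hashlib
import struct

def dearmor(armored: str) -> bytes:
    """Raw OpenPGP packets from an ASCII-armored key block (the repodata/repomd.xml.key format)."""
    inner = armored.split("-----BEGIN PGP PUBLIC KEY BLOCK-----", 1)[1].split("-----END PGP", 1)[0]
    b64 = inner.split("\n\n", 1)[1]                   # the blank line ends the armor headers
    return base64.b64decode("".join(t for t in b64.split() if not t.startswith("=")))  # "=XXXX" = CRC

def packets(data: bytes):
    """Yield (tag, body) for each top-level OpenPGP packet (RFC 4880 section 4.2 headers)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                # new-format header; partial lengths not handled
            tag, n = ctb & 0x3F, data[i + 1]
            if n < 192:   length, i = n, i + 2
            elif n < 224: length, i = ((n - 192) << 8) + data[i + 2] + 192, i + 3
            else:         length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
        else:                                         # old-format header: tag in bits 2-5, length type in 0-1
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def key_fingerprint(armored: str) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the two-byte body length and the public-key packet body."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:                 # primary public-key packet, version 4
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no v4 public-key packet in key block")

def trust_decision(fingerprint: str, trusted: set, ask) -> bool:
    """Already-trusted keys pass; otherwise show the fingerprint and let ask(fp) -> bool decide."""
    if fingerprint in trusted:
        return True
    print(f"New repository signing key: fingerprint {fingerprint}, key ID {fingerprint[-16:]}")
    return bool(ask(fingerprint))

def constructed_key() -> str:
    """A dummy v4 RSA public key with tiny MPIs, constructed for this example (not a real key)."""
    mpi = lambda n: struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1204794589) + b"\x01" + mpi(0xC0FFEE) + mpi(0x10001)
    packet = bytes([0x98, len(body)]) + body          # old-format header: tag 6, one-octet length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

A key the user accepts can then be imported into a temporary rpm database (rpm --import with --dbpath), as comment #6 below suggests, so the build-root verification works without touching the system keyring.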
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c5

--- Comment #5 from Peter Poeml <poeml@novell.com> 2008-03-07 02:24:00 MST ---
osc can download the key, and suggest how to import it. It can't import it itself, because it doesn't run as root.

I can't find any documentation on how to download keys right now.
User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c6

--- Comment #6 from Ludwig Nussel <lnussel@novell.com> 2008-03-07 02:42:41 MST ---
You can even get around the need for root at all by using a temporary rpm database (rpm --dbpath /tmp/something) for all keys. Has the additional advantage that the local installation still wouldn't trust those keys.
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c7

--- Comment #7 from Peter Poeml <poeml@novell.com> 2008-03-07 02:45:16 MST ---
But then osc would not have the system rpm keys. And it would need to download the missing keys again and again, or store them in its own keychain. But I don't think that osc wants to manage its own keychain.
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c8

Peter Poeml <poeml@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |NEEDINFO
      Info Provider|        |gerberb@zenez.com

--- Comment #8 from Peter Poeml <poeml@novell.com> 2008-03-31 04:17:39 MST ---
Please provide documentation about downloading of keys on https://api.opensuse.org/apidocs/. Thanks!
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c9

Peter Poeml <poeml@novell.com> changed:

           What    |Removed           |Added
----------------------------------------------------------------------------
                 CC|                  |poeml@novell.com
         AssignedTo|poeml@novell.com  |abauer@novell.com
             Status|NEEDINFO          |NEW
      Info Provider|gerberb@zenez.com |

--- Comment #9 from Peter Poeml <poeml@novell.com> 2008-05-20 01:07:39 MST ---
Andreas, I assume that this is handled by you?
User gerberb@zenez.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c10

--- Comment #10 from Boyd Gerber <gerberb@zenez.com> 2008-05-20 08:25:07 MST ---
I do not know what other information I need to give. The GPG/PGP signatures are not available. We really need them. What information can I provide?
User abauer@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c11

--- Comment #11 from Andreas Bauer <abauer@novell.com> 2008-05-20 08:46:37 MST ---
You don't need to provide more information. I need to update the apidocs so that Peter can start to implement requests for it in osc. This is on my plan for today, as is other stuff.
User abauer@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c12

Andreas Bauer <abauer@novell.com> changed:

           What    |Removed           |Added
----------------------------------------------------------------------------
                 CC|                  |abauer@novell.com
         AssignedTo|abauer@novell.com |poeml@novell.com

--- Comment #12 from Andreas Bauer <abauer@novell.com> 2008-05-20 09:12:29 MST ---
Docs are updated: https://api.opensuse.org/apidocs#13

Reassigning to Peter.
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c13

Peter Poeml <poeml@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |NEEDINFO
      Info Provider|        |abauer@novell.com

--- Comment #13 from Peter Poeml <poeml@novell.com> 2008-05-20 11:21:11 MST ---
The bug should be needinfo to abauer@novell.com. Seems I didn't set the "person:" field of needinfo correctly. Done it now. Sorry.
User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c14

Peter Poeml <poeml@novell.com> changed:

           What    |Removed           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO          |NEW
      Info Provider|abauer@novell.com |

--- Comment #14 from Peter Poeml <poeml@novell.com> 2008-05-20 11:23:32 MST ---
Oh. I had not read all mails yet. It's already done. Reassigning to me.
User froh@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c15

Susanne Oberhauser <froh@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |froh@novell.com

--- Comment #15 from Susanne Oberhauser <froh@novell.com> 2008-08-20 01:26:31 MDT ---
Would a local keyserver, e.g. on d.o.o., be a good alternative?

http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html
Peter Poeml <poeml@novell.com> changed:

           What    |Removed   |Added
----------------------------------------------------------------------------
           Priority|P5 - None |P4 - Low
Peter Poeml <poeml@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |ASSIGNED
User adrian@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c16

Adrian Schröter <adrian@novell.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|ASSIGNED |RESOLVED
         Resolution|         |FIXED

--- Comment #16 from Adrian Schröter <adrian@novell.com> 2009-02-20 07:09:17 MST ---
The svn code of osc now supports kvm/xen builds. It does skip the verification in this case, since the system gets secured by the VM.
User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=367666#c17

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|RESOLVED |REOPENED
         Resolution|FIXED    |

--- Comment #17 from Ludwig Nussel <lnussel@novell.com> 2009-02-20 07:24:32 MST ---
Which is totally unrelated to the problem. Verification ensures that the download mirror actually gave you the packages you were expecting. Whether or not you trust those packages not to do stupid things in your chroot is a different story.