[opensuse-packaging] Usage of gpg_verify in .spec files
Hi geeko packagers,

Please note that we are receiving a new version of gpg (2.1.0) in Factory probably rather soon...

One thing to note is that the current version of %gpg_verify passes --gpg2 to the command, which is no longer understood.

There are obviously two ways to fix it:
- Fix %gpg_verify to no longer pass --gpg; surely simple, but I don't prefer the solution
- Remove the gpg_verify commands from the .spec files;

In fact, usage of gpg_verify has been deprecated in favor of the obs service source_validator (which runs at each osc ci call or you can call it using osc service lr source_validator).

As we already have implicit verification of the signatures there, it is of no use to verify the signature during build again. Which is also the reason why option one is not that appealing.

Can I please ask the package maintainers to work with us and eliminate this wherever it is still used in Factory?

Thanks a lot!

-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>

-- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
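The request above is to find and remove every remaining %gpg_verify call in Factory. The script below is an added example for this thread, not part of osc, OBS or gpg-offline: it walks a checkout, reports each spec line that still calls the macro (resolving `%{S:N}` / `%{SOURCEN}` back to the Source file it verifies), and flags the BuildRequires on gpg-offline, which the thread implies is the package supplying the macro. The sample spec at the bottom is constructed for a stand-alone run.

```python
"""Audit .spec files for leftover %gpg_verify calls.

Added example for this thread; not part of osc, OBS or gpg-offline. Assumptions:
a call looks like `%gpg_verify %{S:1}` or `%gpg_verify %{SOURCE1}`, and gpg-offline
is the package that supplies the macro (as the thread implies).
"""
import re
import sys
from pathlib import Path

# A %gpg_verify call at the start of a line; commented-out calls (#%gpg_verify) do not match.
GPG_VERIFY_RE = re.compile(r"^\s*%gpg_verify\b(?P<args>.*)$")
# SourceN: lines, so the call's argument can be mapped back to a file name.
SOURCE_RE = re.compile(r"^\s*Source(?P<n>\d*)\s*:\s*(?P<value>\S+)", re.IGNORECASE)
# %{S:1}, %{SOURCE1} or %SOURCE1 -> "1"
SOURCE_REF_RE = re.compile(r"%\{?(?:SOURCE|S:)(?P<n>\d+)\}?")
# BuildRequires on gpg-offline (assumed provider of the macro; droppable with the last call).
GPG_OFFLINE_BR_RE = re.compile(r"^\s*BuildRequires\s*:.*\bgpg-offline\b", re.IGNORECASE)


def audit_spec(text):
    """Audit one spec file's text.

    Returns a dict with
      calls:    [(line number, referenced source number or None, source file or None)]
      keyrings: Source files whose name contains "keyring" (the key material the macro used)
      gpg_offline_buildrequires: line numbers of BuildRequires lines naming gpg-offline
    """
    sources, calls, br_lines = {}, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SOURCE_RE.match(line)
        if m:
            sources[m.group("n") or "0"] = m.group("value")
            continue
        if GPG_OFFLINE_BR_RE.match(line):
            br_lines.append(lineno)
            continue
        m = GPG_VERIFY_RE.match(line)
        if m:
            ref = SOURCE_REF_RE.search(m.group("args"))
            n = ref.group("n") if ref else None
            calls.append((lineno, n, sources.get(n)))
    keyrings = [v for v in sources.values() if "keyring" in v.lower()]
    return {"calls": calls, "keyrings": keyrings, "gpg_offline_buildrequires": br_lines}


def report(path, audit):
    """Checklist lines for one spec; empty when nothing is left to do."""
    lines = []
    for lineno, n, value in audit["calls"]:
        target = f"Source{n} ({value})" if n is not None else "an unresolved argument"
        lines.append(f"{path}:{lineno}: %gpg_verify on {target}: the signature is already "
                     "checked by source_validator at check-in, remove the call")
    if audit["calls"]:
        for lineno in audit["gpg_offline_buildrequires"]:
            lines.append(f"{path}:{lineno}: BuildRequires gpg-offline can go together with the call(s)")
    return lines


def audit_tree(root):
    """Checklist for every *.spec below root."""
    out = []
    for spec in sorted(Path(root).rglob("*.spec")):
        out += report(str(spec), audit_spec(spec.read_text(encoding="utf-8", errors="replace")))
    return out


# Constructed sample spec (not a real Factory package) for a stand-alone run.
SAMPLE_SPEC = """\
Name:           example
Version:        1.0
Source0:        example-1.0.tar.xz
Source1:        example-1.0.tar.xz.sig
Source2:        example.keyring
BuildRequires:  gpg-offline

%prep
%gpg_verify %{S:1}
#%gpg_verify %{S:1}   already commented out, so not reported
%setup -q
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(audit_tree(sys.argv[1])))
    else:
        print("\n".join(report("example.spec", audit_spec(SAMPLE_SPEC))))
```

Run it with the path of an osc checkout as the only argument; without an argument it audits the constructed sample. Commented-out calls are deliberately skipped, and the keyring list is reported so the maintainer can see which Source file the build-time check depended on before deciding what else to drop.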
Hi,

I am not entirely happy with removing it from the build.

But I have to agree that it makes some sense with the source validator enforcing it these days.

FWIW, I am fixing gpg-offline, which you did not bother to do.

Ciao, Marcus

On Sat, Nov 15, 2014 at 03:25:17PM +0100, Dimstar / Dominique Leuenberger wrote:
> Hi geeko packagers,
> Please note that we are receiving a new version of gpg (2.1.0) in Factory probably rather soon...
> One thing to note is that the current version of %gpg_verify passes --gpg2 to the command, which is no longer understood.
> There are obviously two ways to fix it:
> - Fix %gpg_verify to no longer pass --gpg; surely simple, but I don't prefer the solution
> - Remove the gpg_verify commands from the .spec files;
> In fact, usage of gpg_verify has been deprecated in favor of the obs service source_validator (which runs at each osc ci call or you can call it using osc service lr source_validator).
> As we already have implicit verification of the signatures there, it is of no use to verify the signature during build again. Which is also the reason why option one is not that appealing.
> Can I please ask the package maintainers to work with us and eliminate this wherever it is still used in Factory?
> Thanks a lot!
> -- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
On Sat, 15 Nov 2014 15:25, Dimstar / Dominique Leuenberger wrote:
> Hi geeko packagers,
> Please note that we are receiving a new version of gpg (2.1.0) in Factory probably rather soon...
> One thing to note is that the current version of %gpg_verify passes --gpg2 to the command, which is no longer understood.
> There are obviously two ways to fix it:
> - Fix %gpg_verify to no longer pass --gpg; surely simple, but I don't prefer the solution
> - Remove the gpg_verify commands from the .spec files;
> In fact, usage of gpg_verify has been deprecated in favor of the obs service source_validator (which runs at each osc ci call or you can call it using osc service lr source_validator).
> As we already have implicit verification of the signatures there, it is of no use to verify the signature during build again. Which is also the reason why option one is not that appealing.
> Can I please ask the package maintainers to work with us and eliminate this wherever it is still used in Factory?
> Thanks a lot!
Hi Dominique,

please include the information since which version (%suse_version) source_validator is valid to use in spec-file

[sample-code]
%if 0%{?suse_version} > [last_non_source_validator_version]
# use_of_source_validator
%else
# use_of_gpg_verify
%endif
[/sample-code]

Thanks - Yamaban.

-- "Sane? What is that? Can you eat it?" -- a student after a night of coding for a semester-project.
On Sat, 2014-11-15 at 15:38 +0100, Yamaban wrote:
> Hi Dominique, please include the information since which version (%suse_version) source_validator is valid to use in spec-file
>
> [sample-code]
> %if 0%{?suse_version} > [last_non_source_validator_version]
> # use_of_source_validator
> %else
> # use_of_gpg_verify
> %endif
> [/sample-code]
As the source validator is not in the .spec file, it doesn't really matter; if you have a recent version of it on your system, it will happen when you do 'osc ci'.

According to the changelog of obs-service-source_validator, this feature was added in January 2013; so not entirely a new thing.

And packages you forward to Factory will be tested by factory-auto, which does have a recent enough version of osc and would do the test in any case.

Cheers, Dominique

-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
Marcus,

On Sat, 2014-11-15 at 15:38 +0100, Marcus Meissner wrote:
> Hi,
> I am not entirely happy with removing it from the build.

What advantage do you see compared to the test happening once when you check it in? (or when submitted to Factory, the test runs again). The sig won't become invalid on any subsequent checks without changes.

> But I have to agree that it makes some sense with the source validator enforcing it these days.

Right - that's the idea here

> FWIW, I am fixing gpg-offline, which you did not bother to do.
Sure, fixing it was option 1, which I listed. The few fixes I submitted are for ring packages; there is likely more breaking in Factory. If gpg_verify is now fixed already, we'll just hide them all (of course the fix is still a good thing - I would just not do it in a rush - fixes coming from you are of course not excluded from being accepted)

Cheers, Dominique
On Sat, Nov 15, 2014 at 03:48:57PM +0100, Dimstar / Dominique Leuenberger wrote:
> Marcus,
> On Sat, 2014-11-15 at 15:38 +0100, Marcus Meissner wrote:
> > Hi,
> > I am not entirely happy with removing it from the build.
>
> What advantage do you see compared to the test happening once when you check it in? (or when submitted to Factory, the test runs again). The sig won't become invalid on any subsequent checks without changes.

The chance that the tarball is later modified (and the signature checking would not be changed) is small.

> > But I have to agree that it makes some sense with the source validator enforcing it these days.
>
> Right - that's the idea here
>
> > FWIW, I am fixing gpg-offline, which you did not bother to do.
>
> Sure, fixing it was option 1, which I listed. The few fixes I submitted are for ring packages; there is likely more breaking in Factory. If gpg_verify is now fixed already, we'll just hide them all (of course the fix is still a good thing - I would just not do it in a rush - fixes coming from you are of course not excluded from being accepted)
Avoiding failing builds is priority 1.

Ciao, Marcus
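The two positions in this exchange (verify once at check-in versus keep verifying at build time, and the worry that a tarball could be modified after the check) can be reconciled by pinning the verified tarball's digest at check-in. The code below is an added illustration of that argument and is not osc, OBS or source_validator code: an HMAC under a constructed key stands in for the upstream detached GPG signature, and the tarball bytes are constructed. The build stage then needs neither gpg nor a keyring, yet a later modification still fails.

```python
"""Verify-once, pin-afterwards: added illustration of the argument in this thread, not
osc/OBS/source_validator code. An HMAC under a constructed key stands in for the upstream
detached GPG signature; the tarball bytes are constructed as well."""
import hashlib
import hmac

UPSTREAM_KEY = b"constructed-demo-key"   # stand-in for the key in the package's keyring


def upstream_sign(tarball: bytes) -> str:
    """What upstream ships next to the tarball (here: HMAC instead of a detached .sig)."""
    return hmac.new(UPSTREAM_KEY, tarball, "sha256").hexdigest()


def signature_valid(tarball: bytes, sig: str) -> bool:
    """Constant-time comparison of the shipped signature against a fresh one."""
    return hmac.compare_digest(upstream_sign(tarball), sig)


def record_checkin(tarball: bytes, sig: str) -> dict:
    """Check-in stage (where source_validator runs): verify the signature once and pin the
    tarball's digest. Refuses to record anything whose signature does not verify."""
    if not signature_valid(tarball, sig):
        raise ValueError("signature does not verify; refusing check-in")
    return {"sha256": hashlib.sha256(tarball).hexdigest()}


def check_at_build(tarball: bytes, manifest: dict) -> bool:
    """Build stage: no keyring or gpg needed; a changed tarball fails the digest comparison."""
    return hmac.compare_digest(hashlib.sha256(tarball).hexdigest(), manifest["sha256"])


def demo():
    """Returns (clean build passes, tampered build passes, forged check-in refused)."""
    tarball = b"constructed tarball bytes, example-1.0"
    manifest = record_checkin(tarball, upstream_sign(tarball))
    clean = check_at_build(tarball, manifest)
    tampered = check_at_build(tarball + b"\x00extra", manifest)
    try:
        # old signature presented with modified bytes: must not be accepted at check-in
        record_checkin(tarball + b"\x00extra", upstream_sign(tarball))
        refused = False
    except ValueError:
        refused = True
    return clean, tampered, refused


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point of the split is that the expensive, key-dependent step (signature verification) runs where the key material and network are available, while the cheap digest comparison travels with the checked-in sources and protects every later build without re-running gpg.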
On 15/11/14 at 11:25, Dimstar / Dominique Leuenberger wrote:
> [...] why option one is not that appealing.
> Can I please ask the package maintainers to work with us and eliminate this wherever it is still used in Factory?

What about making the %gpg_verify macro a no-op and moving on to something else?
On Sunday 2014-11-16 21:29, Cristian Rodríguez wrote:
> On 15/11/14 at 11:25, Dimstar / Dominique Leuenberger wrote:
> > [...] why option one is not that appealing.
> > Can I please ask the package maintainers to work with us and eliminate this wherever it is still used in Factory?
>
> What about making the %gpg_verify macro a no-op and moving on to something else?

By the time you discussed this, we could have removed them already.
participants (5)
- Cristian Rodríguez
- Dimstar / Dominique Leuenberger
- Jan Engelhardt
- Marcus Meissner
- Yamaban