Hi! [ Sorry, as mentioned on IRC I only noticed the reply when I checked on the web UI, due to the missing CC. :) ]
On Mon, 2025-04-07 at 11:00:59 -0600, Gunnar Wolf wrote: > I have applied patches 0001, 0002 and 0003 to our working tree, and should > include them by the next keyring push. But, of course, patch 0004 is the > most significative of them all. Perfect thanks! > I reviewed it, and find the renaming/editing thorough. However, due to the > indirect uses, I would like a further review of the code. I see your patch > is taking care of providing the symlinks in the packages only, but not in > the generated output/ directory we push to keyring.debian.org; given the > way this system is used (keys are used via rsync), I think adding symlinks > there would be enough (but I don't want to create that wide breakage > without another pair of eyes confirming so!). As mentioned on IRC as well, this was the part I initially mentioned I had concerns with. And thanks for pointing out the omission in the output directory. I've now reworked a bit the build system, and created those symlinks there as well. I've not switched to copying them into the packaging, because AFAIR debhelper might turn them into actual files on copy (?), so left the dh_link handling as is. (Updated patches attached, with the last patch stats summary trimmed and patch compressed again.) As you mentioned, having more eyes on this from the Keyring Team, and probably from DSA might be best, before merging and deploying this to avoid potentially obvious breakage. (I'm still happy to rework or change anything here or elsewhere that might be necessary! :) > Anyway, it would be even better (of course, it would be a future step) to > get a listing of what actually uses the keyrings, and push to update said > programs as well. Yes, this was on my plan, but in my mind, only after this change hits the archive, and then ideally I'd only start sending such patches after the Debian trixie release, so that no versioned dependency is required. For the filesystem part through the .deb packages this seems easier to deal with. My concern has been with the rsync side, where I'm not sure how such a deprecation process can be handled (if this was an HTTP thing, then a permanent redirect would be an obvious solution, f.ex.). Perhaps an announcement with a timeline would be enough (dunno)? Thanks, Guillem
From a8f16c5f4f58c161a51bd37cb24a0cca5b4deb89 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Thu, 10 Apr 2025 03:43:37 +0200 Subject: [PATCH 1/3] Remove duplicate debian-keyring.gpg from Makefile pre-requisite This keyring is listed twice in the Makefile target pre-requisites. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 76675fde..087c020d 100644 --- a/Makefile +++ b/Makefile @@ -24,7 +24,7 @@ output/README: README output/changelog: debian/changelog cp debian/changelog output/ -output/openpgpkey: output/keyrings/debian-keyring.gpg output/keyrings/debian-keyring.gpg output/keyrings/debian-nonupload.gpg output/keyrings/debian-role-keys.gpg +output/openpgpkey: output/keyrings/debian-keyring.gpg output/keyrings/debian-nonupload.gpg output/keyrings/debian-role-keys.gpg cd output && ../scripts/update-keyrings build-wkd debian.org keyrings/debian-keyring.gpg keyrings/debian-nonupload.gpg keyrings/debian-role-keys.gpg test: all -- 2.49.0
From 0af88233385af5cda32256c309430d7373266aa5 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Thu, 10 Apr 2025 03:50:06 +0200 Subject: [PATCH 2/3] Refactor Makefile targets Use variables to track the output files, and a single rule for all keyring generation. This makes it both more obvious what each target is acting on, and easier to update in a single place. --- Makefile | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 087c020d..40a5f941 100644 --- a/Makefile +++ b/Makefile @@ -1,21 +1,28 @@ -all: output/keyrings/debian-keyring.gpg output/keyrings/debian-maintainers.gpg output/keyrings/debian-nonupload.gpg output/keyrings/debian-role-keys.gpg output/keyrings/emeritus-keyring.gpg output/sha512sums.txt output/README output/changelog +OUTPUT_MEMBER_KEYRINGS := \ + output/keyrings/debian-keyring.gpg \ + output/keyrings/debian-nonupload.gpg \ + output/keyrings/debian-role-keys.gpg \ + # EOL -output/keyrings/debian-keyring.gpg: debian-keyring-gpg debian-keyring-gpg/0x* - cat debian-keyring-gpg/0x* > output/keyrings/debian-keyring.gpg +OUTPUT_KEYRINGS := \ + $(OUTPUT_MEMBER_KEYRINGS) \ + output/keyrings/debian-maintainers.gpg \ + output/keyrings/emeritus-keyring.gpg \ + # EOL -output/keyrings/debian-maintainers.gpg: debian-maintainers-gpg debian-maintainers-gpg/0x* - cat debian-maintainers-gpg/0x* > output/keyrings/debian-maintainers.gpg +OUTPUT_FILES := \ + $(OUTPUT_KEYRINGS) \ + output/sha512sums.txt \ + output/README \ + output/changelog \ + # EOL -output/keyrings/debian-nonupload.gpg: debian-nonupload-gpg debian-nonupload-gpg/0x* - cat debian-nonupload-gpg/0x* > output/keyrings/debian-nonupload.gpg +all: $(OUTPUT_FILES) -output/keyrings/debian-role-keys.gpg: debian-role-keys-gpg debian-role-keys-gpg/0x* - cat debian-role-keys-gpg/0x* > output/keyrings/debian-role-keys.gpg +output/keyrings/%.gpg: %-gpg %-gpg/0x* + cat $*-gpg/0x* > $@ -output/keyrings/emeritus-keyring.gpg: emeritus-keyring-gpg emeritus-keyring-gpg/0x* - cat emeritus-keyring-gpg/0x* > output/keyrings/emeritus-keyring.gpg - -output/sha512sums.txt: output/keyrings/debian-keyring.gpg output/keyrings/debian-maintainers.gpg output/keyrings/debian-nonupload.gpg output/keyrings/debian-role-keys.gpg output/keyrings/emeritus-keyring.gpg +output/sha512sums.txt: $(OUTPUT_KEYRINGS) cd output; sha512sum keyrings/* > sha512sums.txt output/README: README @@ -24,7 +31,7 @@ output/README: README output/changelog: debian/changelog cp debian/changelog output/ -output/openpgpkey: output/keyrings/debian-keyring.gpg output/keyrings/debian-nonupload.gpg output/keyrings/debian-role-keys.gpg +output/openpgpkey: $(OUTPUT_MEMBER_KEYRINGS) cd output && ../scripts/update-keyrings build-wkd debian.org keyrings/debian-keyring.gpg keyrings/debian-nonupload.gpg keyrings/debian-role-keys.gpg test: all -- 2.49.0
binrmX9Vindps.bin
Description: application/xz
