Hi!

On Mon, 2025-04-21 at 22:00:09 +0100, Adam D. Barratt wrote:
> On Mon, 2025-04-21 at 13:39 -0600, Gunnar Wolf wrote:
> > I am writing to you to help us decide whether it is pertinent to do a
> > move right now, or whether we should wait for you to implement
> > anything.
> >
> > Bug #1101418 (for which you have been Cc:d already) requests renaming
> > the Debian keyrings from *.gpg to *.pgp
> [...]
> > Guillem kindly prepared some patches to do this, and after some
> > discussion, added the creation of some symlinks. The result of the
> > patch in question will be that the keyrings published in
> > kaufmann.debian.org will be renamed from *.gpg to *.pgp, and that
> > symlinks will be created preserving the original names; in the
> > future, we might work towards removing the symlinks.
> >
> > We need input from DSA to make sure we can perform this change. Some
> > specific points we discussed on IRC are:
> >
> > - ftp-master processing
> > - Email address to db.debian.org
> > - vote.debian.org
> > - Validation of mails sent to signed-only lists
> >
> > But, of course, other subsystems might also need it. We believe
> > everything will work transparently if rsync is properly set to mirror
> > symlinks.
>
> These are primarily my personal thoughts rather than an official DSA ack.
Thanks for the context on how this all ties together! I tried to look
into this, but having no access to the systems involved made it a bit
hard to follow what stuff was doing what or when, etc.

> To start from the beginning, as it were, the method by which debian.org
> systems receive updated keyrings is userdir-ldap. The script which
> pulls the current active keyrings from keyring.d.o to db.d.o (so that
> they can be deployed by ud-ldap) is
> https://salsa.debian.org/dsa-team/mirror/dsa-misc/-/blob/master/scripts/sync-keyring?ref_type=heads
>
> That script runs from cron every 15 minutes on the db.d.o host.
>
> This appears to be the primary point at which rsync's behaviour with
> respect to symlinks is relevant. The various copy steps each use
> rsync's "-a" option, so should preserve the symlinks.

Ok, that sounds good then. :)

> The final stage of the sync - to "keyring-final" - copies only the
> files listed in sha512sums.txt, so you would need to ensure that both
> the .gpg and .pgp files / symlinks are included there.

Ah! Ok, I had changed the sha512sums.txt call to only list the *.pgp,
so that would break stuff. Attached an amended patch (the last one in
the previous series), to restore doing the digest on all files under
«output/keyrings/*» as was being done before.

> userdir-ldap maintains its own list of keyrings which are deployed to
> those hosts requesting them (e.g. ftp-master). While the keyrings are
> copied from db.d.o to each host via rsync, the preparation of the rsync
> source area uses Python's shutil.copy(), so AFAICS would follow the new
> symlinks and continue to deploy *.gpg to var/lib/misc/thishost/ on
> relevant hosts as real files. That should mean that things would
> continue to work, but does mean that the rename would *not* propagate
> to client hosts.

Ah, then this would seem to be safe to deploy now, and the file types
problem could be fixed later on.
I have had several changes for userdir-ldap pending submission, but not
this one about shutil.copy(), thanks. Will see how to improve that, and
then send patches for userdir-ldap to DSA (I think I already sent out
patches for userdir-ldap-cgi). I think though, the other related patch I
sent for dsa-puppet, might self-heal the symlinks?

Also, (I'm not sure whether I mentioned this before, besides Gunnar),
something I noticed while trying to make sense of how this all works was
that:

* At least on usper.debian.org, the /srv/keyring.debian.org/keyrings/
  directory contains a non-symlink debian-maintainer.gpg file (missing
  final «s»).

* On keyring.debian.org there's an extra-keys.pgp leftover(?) file,
  perhaps as part of some old transition?

  $ rsync keyring.debian.org::keyrings/keyrings/
  drwxrwsr-x          4,096 2025/03/23 20:19:28 .
  -rw-rw-r--     30,705,085 2025/03/23 20:18:27 debian-keyring.gpg
  -rw-rw-r--      2,950,971 2025/03/23 20:18:27 debian-maintainers.gpg
  -rw-rw-r--      1,076,680 2025/03/23 20:18:27 debian-nonupload.gpg
  -rw-rw-r--         26,383 2025/03/23 20:18:27 debian-role-keys.gpg
  -rw-rw-r--      2,722,836 2025/03/23 20:18:27 emeritus-keyring.gpg
  -rw-rw-r--         25,015 2018/05/21 19:22:45 extra-keys.pgp

Thanks,
Guillem
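The two symlink-handling points raised in the thread (shutil.copy() dereferencing the new *.gpg links when userdir-ldap prepares its rsync source area, and sha512sums.txt needing to list both the .gpg and .pgp names for the "keyring-final" stage) can be reproduced locally. The following Python is an added illustration written for this page; it is not code from the thread, from dsa-misc or from userdir-ldap. The keyring contents, the file names and the directory layout are constructed samples, and the helper names are arbitrary.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the layout the patch would publish on keyring.d.o,
# a real *.pgp keyring plus a *.gpg compatibility symlink pointing at it.
SAMPLE_KEYRINGS = {
    "debian-keyring.pgp": b"constructed keyring blob 1",
    "debian-role-keys.pgp": b"constructed keyring blob 2",
}


def build_keyring_dir(root: Path) -> None:
    """Write the sample *.pgp files and add a *.gpg -> *.pgp symlink for each."""
    root.mkdir(parents=True, exist_ok=True)
    for name, blob in SAMPLE_KEYRINGS.items():
        (root / name).write_bytes(blob)
        alias = name[: -len(".pgp")] + ".gpg"
        os.symlink(name, root / alias)  # relative target, as a keyring dir would use


def deploy(src: Path, dst: Path, follow_symlinks: bool = True) -> dict:
    """Copy every entry of src with shutil.copy() and report, per name,
    whether the copy at dst is itself a symlink.

    follow_symlinks=True is shutil.copy()'s default and is the behaviour
    Adam describes: the *.gpg alias is dereferenced and lands as a real
    file, so the rename never reaches the client host.
    follow_symlinks=False recreates the link instead, matching rsync -a.
    """
    dst.mkdir(parents=True, exist_ok=True)
    for entry in sorted(src.iterdir()):
        shutil.copy(entry, dst / entry.name, follow_symlinks=follow_symlinks)
    return {p.name: p.is_symlink() for p in dst.iterdir()}


def sha512sums(root: Path) -> dict:
    """Digest every name under root, links included, the way a shell
    `sha512sum output/keyrings/*` would: a link is read through, so the
    .gpg alias and its .pgp target get the same digest and both names
    end up listed, which is what the keyring-final stage needs."""
    return {
        entry.name: hashlib.sha512(entry.read_bytes()).hexdigest()
        for entry in sorted(root.iterdir())
    }


def demo() -> dict:
    """Run both copy modes on a scratch tree and return what each produced."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "keyrings"
        build_keyring_dir(src)
        return {
            "dereferenced": deploy(src, Path(tmp) / "deref", follow_symlinks=True),
            "preserved": deploy(src, Path(tmp) / "kept", follow_symlinks=False),
            "sums": sha512sums(src),
        }


if __name__ == "__main__":
    result = demo()
    for mode in ("dereferenced", "preserved"):
        print(mode)
        for name, is_link in sorted(result[mode].items()):
            print(f"  {name:24} {'symlink' if is_link else 'regular file'}")
    print("sha512sums.txt names:", ", ".join(sorted(result["sums"])))
```

Running it shows the .gpg names arriving as regular files under the default shutil.copy() call and as symlinks with follow_symlinks=False; rsync's -a is -rlptgoD, and the -l in it is what keeps the links intact on the db.d.o side of the sync. The sha512sums() output also makes the earlier patch mistake visible: restricting the glob to *.pgp would drop the .gpg names from the list, and the keyring-final copy that is driven by that list would then leave the compatibility names behind.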