Bug#738489: marked as done (hash-slinger: tlsa and openpgpkey scripts break on non-existent files (root.key, dlv.isc.org.key, ca-bundle.crt))

[Debian Bug Tracking System]

Your message dated Wed, 07 Jan 2015 12:18:59 +0000
with message-id <e1y8pzj-000131...@franck.debian.org>
and subject line Bug#738489: fixed in hash-slinger 2.6-1
has caused the Debian Bug report #738489,
regarding hash-slinger: tlsa and openpgpkey scripts break on non-existent files 
(root.key, dlv.isc.org.key, ca-bundle.crt)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
738489: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738489
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: hash-slinger
Version: 2.5-1
Severity: normal

Dear Maintainer,

I'm having difficulty getting the scripts to run with errors like:

$ tlsa www.fedoraproject.org
[1391984661] libunbound[18958:0] error: error opening file 
/etc/unbound/root.key: No such file or directory
[1391984661] libunbound[18958:0] error: error reading trusted-keys-file: 
/etc/unbound/root.key
[1391984661] libunbound[18958:0] error: validator: error in trustanchors config
[1391984661] libunbound[18958:0] error: validator: could not apply 
configuration settings.
[1391984661] libunbound[18958:0] error: module init for module validator failed
Unable to resolve www.fedoraproject.org.: Unsuccesful lookup or no data 
returned for rrtype 1.
[1391984661] libunbound[18958:0] error: error opening file 
/etc/unbound/root.key: No such file or directory
[1391984661] libunbound[18958:0] error: error reading trusted-keys-file: 
/etc/unbound/root.key
[1391984661] libunbound[18958:0] error: validator: error in trustanchors config
[1391984661] libunbound[18958:0] error: validator: could not apply 
configuration settings.
[1391984661] libunbound[18958:0] error: module init for module validator failed
Unable to resolve www.fedoraproject.org.: Unsuccesful lookup or no data 
returned for rrtype 28.

$ openpgpkey --verify p...@nohats.ca
/var/lib/unbound/root.anchor is not a file. Unable to use it as rootanchor

$ openpgpkey --rootanchor=/var/lib/unbound/root.key --verify p...@nohats.ca
[1391984798] libunbound[18970:0] error: error opening file 
/var/lib/unbound/root.anchor: No such file or directory
[1391984798] libunbound[18970:0] error: error reading trust-anchor-file: 
/var/lib/unbound/root.anchor
[1391984798] libunbound[18970:0] error: validator: error in trustanchors config
[1391984798] libunbound[18970:0] error: validator: could not apply 
configuration settings.
[1391984798] libunbound[18970:0] error: module init for module validator failed
Unsuccesful lookup or no data returned for rrtype 65280.

Looks like the problem is with hard-coded paths.

tlsa has the following code:

  ROOTKEY="/etc/unbound/root.key"
  DLVKEY="/etc/unbound/dlv.isc.org.key"
  CAFILE='/etc/pki/tls/certs/ca-bundle.crt'

openpgpkey has the following code:

  parser.add_argument('--rootanchor', action='store', 
default='/var/lib/unbound/root.anchor', help='Location of the unbound 
compatible DNSSEC root.anchor (default: /var/lib/unbound/root.anchor)')

  rootanchor = "/var/lib/unbound/root.anchor"
  dlvkey = "/etc/unbound/dlv.isc.org.key"

These paths are incorrect and they're not obviously fixable (at least
not to me!):

  * /var/lib/unbound/root.key
    Generated by unbound postinst.  Perhaps depend on package
    unbound-anchor and execute unbound-anchor in the postinst of this
    package?

  * dlv.isc.org.key
    I'm confused, I thought DLV was a temporary measure while DNSSEC
    wasn't adopted by the root zones.  Downloaded the file from
    https://www.isc.org/downloads/bind/dlv/

  * /etc/ssl/certs/ca-certificates.crt
    Depend on ca-certificates package?

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages hash-slinger depends on:
ii  libpython2.7-stdlib [python-argparse]  2.7.6-5
ii  openssh-client                         1:6.4p1-2
ii  python                                 2.7.5-5
ii  python-dnspython                       1.11.1-1
ii  python-gnupg                           0.3.5-2
ii  python-ipaddr                          2.1.10-1
ii  python-m2crypto                        0.21.1-3
ii  python-unbound                         1.4.21-1

hash-slinger recommends no packages.

hash-slinger suggests no packages.

-- no debconf information

-- 
Gerald Turner                                Encrypted mail preferred!
0xEC942276FDB8716D  CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D

pgpN5sxcA9wA7.pgp
Description: PGP signature

--- End Message ---

--- Begin Message ---

Source: hash-slinger
Source-Version: 2.6-1

We believe that the bug you reported is fixed in the latest version of
hash-slinger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated hash-slinger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Jan 2015 10:40:58 +0100
Source: hash-slinger
Binary: hash-slinger
Architecture: source
Version: 2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
 hash-slinger - tools to generate special DNS records
Closes: 738489
Changes:
 hash-slinger (2.6-1) unstable; urgency=medium
 .
   * New upstream version 2.6
    - openpgpkey: Added --fetch option to fetch a public key from DNS [Paul]
    - openpgpkey: Update rrtype from private use to IANA allocation (#61) [Paul]
    - openpgpkey: Remove no longer needed --rrtype option [Paul]
    - openpgpkey: Ignore uft-8/iso-8859-1 encoding errors in keyring data [Paul]
    - openpgpkey: Add --uid option to override id check in received key data 
[Paul]
    - openpgpkey: fix 0x99 (') character problems in base64 [Paul]
    - openpgpkey: Fix OPENPGPKEY native base64 output to be correct [Paul]
    - sshfp: Support for RFC 6594 [Gerald Turner]
    - sshfp: Support for draft-moonesamy-sshfp-ed25519-01 [Gerald Turner]
    - tlsa: New option --rootkey and --dlvkey [Paul]
    - tlsa: Try to find rootkey in various locations in achor or key format 
[Paul]
    - tlsa: abort unsupported STARTTLS on port 25 (rhbz#1010276) [Paul]
    - ipseckey: new command for generating RFC-4025 IPSECKEY records [Paul]
   * Import patches to fix default paths to root.key and modify them to use
     root.key from dns-root-data package (Closes: #738489) (Courtesy of
     Gerald Turner)
   * Add git-import-orig configuration to not import upstream debian/
     directory
Checksums-Sha1:
 5f2ba6ab242e900e683665d7ea619c8bddb7057e 1939 hash-slinger_2.6-1.dsc
 22fdd6c64bcc7fd2418ba62118f73adfbeaa3a8d 34864 hash-slinger_2.6.orig.tar.gz
 e5b580f0e3cc1874334ec3108550166d295318b2 4584 hash-slinger_2.6-1.debian.tar.xz
Checksums-Sha256:
 1004c8d65d91ded46326109a0d56bcfe0567b6cef5f6f585d17faa979219f48d 1939 
hash-slinger_2.6-1.dsc
 121143efea136958ad6a42cb0a8fa80d95b1e4fc45632019d8f07a534d6efab2 34864 
hash-slinger_2.6.orig.tar.gz
 81bfc0516552b76e4025f42dd4b4314a5802424d08b8b43738ae7dbbdd352c58 4584 
hash-slinger_2.6-1.debian.tar.xz
Files:
 4cc1d063cb7f184e04768782391228bf 1939 utils extra hash-slinger_2.6-1.dsc
 9ddea4e6b3df7412213a3a8d33673fab 34864 utils extra hash-slinger_2.6.orig.tar.gz
 fdbdc8cd0aae7d271fb3f2df3fb9a96c 4584 utils extra 
hash-slinger_2.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJUrR7iXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw
Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHTxEQALF1bx2tdJYkZbnfMUvdvN9K
dxo0Z5M3lKoMJLfiUwzoiKIV+m/WOSCOvYd0kQ5on5MMppumEe6YYzKwdSDu7hIX
HIgHMQhQ57myJ5dHzxxtuygLvssLLohInylnA3wJG/sCTdsxd+PqsuXyviDmrugd
TEcMzWGecdOw77Xvf75VCuY/kS2QiayA27nDo2s1BwqA+OZii6IJUDqCJGhRrLwg
zSNyPCYtPjv2/4DmHtu25eOnsJ9JrTaGxd9Rx7RVzDwj8z5nSHz0q/0kNrlRHRgU
R1pw16I/6kHYJclRaiIMlceGEZJWkoWlWQkwTUDP8LYNxNahgPbcGdO2Bnei7/bY
F+ZxAyObBQu785ziKvTV7f3e9XOMBIneQMdWuZ7XMSCIYcJZwSNZTYQDb3WjViJg
yMiyA/LfFqQSsu4xIwAyS3tIMS1FlvMRqWLT3yxSadHye4pJW96h0sOReg2Dx8hQ
47uJAysh+vwHVl/kNZH9p9/Xcgn9J7E1yVXBmwamJDlh97XFOCmlYivhQPOx/Py2
X6J6BC9/fRGNhF7nV66hikUhKsVLzFqDVE2Mj6G2jhWCpZlGTlKLskEgpp8VoUbc
BxYZnCbMFGH/SRrDdC7HWLhA8wL2gSMEg+Bh0lKtd6FBDI4uz9uLk4pIXN3S6C7P
wCKsPq5gC4eH/6MtKV3I
=iSM5
-----END PGP SIGNATURE-----

--- End Message ---