Hi,

Quoting Guilhem Moulin (2016-09-10 00:04:19)
> #833547/#834898 have been fixed by adding a call to ‘gpgconf --kill
> gpg-agent’.  I was wondering whether access to private key material from
> inside the chroot is required at all?  Sbuild::ResolverBase reads
> 
>     # Sign the release file
>     # This will only be done if the sbuild keys are present.
>     # Once squeeze is not supported anymore, we want to never sign the
>     # dummy repository anymore but instead make use of apt's support for
>     # [trusted=yes] in wheezy and later.
>     # On hosts that include apt 1.3~exp1 or newer (Debian squeeze or later)
>     # the gnupg package will no longer be installed because apt doesn't depend
>     # on it anymore.
> 
> After installing sbuild on sid, the directory ‘/var/lib/sbuild/apt-keys’
> is left empty, thus sbuild doesn't sign the dummy Release file and apt
> trusts it regardless thanks to the [trusted=yes] option.
> 
> However when *upgrading* sbuild from an older version, the key pair
> ‘/var/lib/sbuild/apt-keys/sbuild-key.{pub,sec}’, which was created for
> compatibility with apt <1.3~exp1, is still used for signing the Release
> file.  This code path seems obsolete to me as squeeze reached end of LTS
> in February 2016.  Furthermore since signing the dummy Release file is
> AFAICT currently the only reason why sbuild requires access to private
> key material (hence spawns a gpg-agent(1) process with GnuPG 2.1.x) from
> inside the chroot, removing ‘/var/lib/sbuild/apt-keys’ and
> ‘SBUILD_BUILD_DEPENDS_{SECRET|PUBLIC}_KEY’ should also remove the need
> for the ‘gpgconf --kill gpg-agent’ workaround.

I do not see any bug here. You are just describing the current situation.
Please describe the problem you are experiencing.

Thanks!

cheers, josch

Attachment: signature.asc
Description: signature

Reply via email to