Bug#607945: [buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?

[Modestas Vainius]

Hello,

On ketvirtadienis 30 Gruodis 2010 20:33:48 Roger Leigh wrote:
> On Thu, Dec 30, 2010 at 07:24:20PM +0100, Cyril Brulebois wrote:
> > Roger Leigh  (30/12/2010):
> > > > Per host.  It's stored in /var/lib/sbuild/apt-keys .
> > > 
> > > Note that if there's a reason to do it per-chroot, we can do that.
> > > I couldn't envisage any security issues in sharing this key between
> > > chroots, but if there are it's a simple change.
> > 
> > Was just wondering whether this might make sense to move key creation
> > to sbuild's install time (openssh-server's style). Might be, if/when
> > the default resolver gets changed.
> > 
> > (“make sense” as in “can be thought of if it's per-host, and not if
> > it's per-chroot”; other considerations left aside.)
> 
> I did consider triggering this in the postinst.  I was concerned that
> this could break package installation on systems with scarce entropy
> by blocking package installation indefinitely.  Since this is currently
> an optional feature, I opted to allow generation when required.
> 
> After squeeze, I'd like to look at moving to the apt resolver (having
> more consistent/predicatable behaviour than aptitude). 

Oh, that's a myth with deep history apparently. Could you point me to a single 
case where (modern) aptitude resolver failed recently? With current safeguards 
in place, it should be very reliable and thanks to it, experimental is no 
longer a PITA making many people (including me) happy.

As long as apt-get does not consider dependencies from non-default sources, it 
won't be an option for non-unstable buildds. And apt-get resolver is not 
configurable at all (don't know about that new stuff in apt/experimental 
though).

P.S. This does not mean I advocate aptitude as default resolver. I'm just 
acting a role of mythbuster, someone has to :)

-- 
Modestas Vainius 


signature.asc
Description: This is a digitally signed message part.

Bug#607945: [buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?

[Roger Leigh]

On Thu, Dec 30, 2010 at 07:24:20PM +0100, Cyril Brulebois wrote:
> Roger Leigh  (30/12/2010):
> > > Per host.  It's stored in /var/lib/sbuild/apt-keys .
> > 
> > Note that if there's a reason to do it per-chroot, we can do that.
> > I couldn't envisage any security issues in sharing this key between
> > chroots, but if there are it's a simple change.
> 
> Was just wondering whether this might make sense to move key creation
> to sbuild's install time (openssh-server's style). Might be, if/when
> the default resolver gets changed.
> 
> (“make sense” as in “can be thought of if it's per-host, and not if
> it's per-chroot”; other considerations left aside.)

I did consider triggering this in the postinst.  I was concerned that
this could break package installation on systems with scarce entropy
by blocking package installation indefinitely.  Since this is currently
an optional feature, I opted to allow generation when required.

After squeeze, I'd like to look at moving to the apt resolver (having
more consistent/predicatable behaviour than aptitude).  If we do make
this change, then we can consider generating at install time given that
it's required for sbuild to work.  We now have tested the apt resolver
quite extensively and the main blocker is making sure it behaves
completely consistently for a given package set and base chroot to
ensure reproducibility.  Now we have clean cloned chroots for building,
the main issue of inconsistent builds in dirty chroots is now basically
a non-issue providing we use cloned chroot across the board.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?   http://gutenprint.sourceforge.net/
   `-GPG Public Key: 0x25BFB848   Please GPG sign your mail.


signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?

[Cyril Brulebois]

Roger Leigh  (30/12/2010):
> > Per host.  It's stored in /var/lib/sbuild/apt-keys .
> 
> Note that if there's a reason to do it per-chroot, we can do that.
> I couldn't envisage any security issues in sharing this key between
> chroots, but if there are it's a simple change.

Was just wondering whether this might make sense to move key creation
to sbuild's install time (openssh-server's style). Might be, if/when
the default resolver gets changed.

(“make sense” as in “can be thought of if it's per-host, and not if
it's per-chroot”; other considerations left aside.)

> > Also, as discussed on IRC, we will solve this by bailing out with
> > an error when the key is absent.  This will require the user to
> > generate a key.
> 
> Fixed in commit fb790792.  Is this OK for you?

Not tested yet, but sounds sensible.

KiBi.


signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?

[Roger Leigh]

tags 607945 + patch fixed-upstream pending
thanks

On Thu, Dec 30, 2010 at 05:39:26PM +, Roger Leigh wrote:
> On Thu, Dec 30, 2010 at 06:21:31PM +0100, Cyril Brulebois wrote:
> > Roger Leigh  (29/12/2010):
> > > This is a one-time only event.  Once the key is generated (which you
> > > can do with "sbuild-update -k" on another system or outside a
> > > package build at your leisure) the same key will be used for all
> > > subsequent builds.
> > 
> > One-time.. per host? Or per chroot?
> 
> Per host.  It's stored in /var/lib/sbuild/apt-keys .

Note that if there's a reason to do it per-chroot, we can do that.  I
couldn't envisage any security issues in sharing this key between
chroots, but if there are it's a simple change.

> Also, as discussed on IRC, we will solve this by bailing out with an
> error when the key is absent.  This will require the user to generate
> a key.

Fixed in commit fb790792.  Is this OK for you?


Regards,
Roger


commit fb790792a9433d469fa808f6613bdc0bf1f3ee21
Author: Roger Leigh 
Date:   Thu Dec 30 17:53:15 2010 +

Sbuild::ResolverBase: Don't automatically generate archive signing key

If the local archive signing key is not present, do not automatically
generate it.  This can cause issues on systems with scarce entropy.
Print an error message plus instructions on how to generate the key.

diff --git a/lib/Sbuild/ResolverBase.pm b/lib/Sbuild/ResolverBase.pm
index ca2052b..16a6356 100644
--- a/lib/Sbuild/ResolverBase.pm
+++ b/lib/Sbuild/ResolverBase.pm
@@ -758,17 +758,15 @@ sub generate_keys {
 return 1;
 }
 
-my $host = $self->get('Host');
-
-$self->log("Generating GPG local archive signing key...\n");
-if (Sbuild::ChrootSetup::generate_keys($host, $self->get('Config'))) {
-   # Since apt-distupgrade was requested specifically, fail on
-   # error when not in buildd mode.
-   $self->log("Generating gpg keys failed\n");
-   return 0;
-}
-
-return 1;
+$self->log_error("Local archive GPG signing key not found\n");
+$self->log_info("Please generate a key with 'sbuild-update --keygen'\n");
+$self->log_info("Note that on machines with scarce entropy, you may wish ".
+   "to generate the key with this command on another machine ".
+   "and copy the public and private keypair to '" .
+   $self->get_conf('SBUILD_BUILD_DEPENDS_PUBLIC_KEY')
+   ."' and '".
+   $self->get_conf('SBUILD_BUILD_DEPENDS_SECRET_KEY') ."'\n");
+return 0;
 }
 
 # Function that runs apt-ftparchive


-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?   http://gutenprint.sourceforge.net/
   `-GPG Public Key: 0x25BFB848   Please GPG sign your mail.


signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: Bug#607945: sbuild: can haz I entropy?

[Roger Leigh]

On Thu, Dec 30, 2010 at 06:21:31PM +0100, Cyril Brulebois wrote:
> Roger Leigh  (29/12/2010):
> > This is a one-time only event.  Once the key is generated (which you
> > can do with "sbuild-update -k" on another system or outside a
> > package build at your leisure) the same key will be used for all
> > subsequent builds.
> 
> One-time.. per host? Or per chroot?

Per host.  It's stored in /var/lib/sbuild/apt-keys .

> > The current strategy is to allow you to generate your own key and
> > put it in place.  If you haven't done that, it will autogenerate one
> > the first time it's needed.  For buildds, you'll probably want to
> > generate one elsewhere and copy it cover.  Note this is in the
> > release notes (NEWS.gz) for release 0.60.6.
> 
> Which apt-listchanges doesn't show, so..

It's in the upstream changelog and NEWS.

> > If you have any thoughts on how we can do this better, that would be
> > great.  apt and aptitude want the local archive signing, so we do it
> > for that.  If using the "internal" resolver, no key is needed.
> 
> Since you changed the default (which is another story, sigh), I'm not
> using the internal resolver anymore.

As mentioned on IRC, the default has *not* been changed.

Also, as discussed on IRC, we will solve this by bailing out with an
error when the key is absent.  This will require the user to generate
a key.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?   http://gutenprint.sourceforge.net/
   `-GPG Public Key: 0x25BFB848   Please GPG sign your mail.


signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: sbuild: can haz I entropy?

[Cyril Brulebois]

severity 607945 important
thanks

Cyril Brulebois  (30/12/2010):
> Since you changed the default (which is another story, sigh), I'm
> not using the internal resolver anymore.

Sorry, that's untrue. I thought I had all reinstalled after having
purged the packages, but there was some ~/.sbuildrc in the way.

Downgrading severity accordingly.

KiBi.



signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: sbuild: can haz I entropy?

[Cyril Brulebois]

Roger Leigh  (29/12/2010):
> This is a one-time only event.  Once the key is generated (which you
> can do with "sbuild-update -k" on another system or outside a
> package build at your leisure) the same key will be used for all
> subsequent builds.

One-time.. per host? Or per chroot?

> The current strategy is to allow you to generate your own key and
> put it in place.  If you haven't done that, it will autogenerate one
> the first time it's needed.  For buildds, you'll probably want to
> generate one elsewhere and copy it cover.  Note this is in the
> release notes (NEWS.gz) for release 0.60.6.

Which apt-listchanges doesn't show, so..

> If you have any thoughts on how we can do this better, that would be
> great.  apt and aptitude want the local archive signing, so we do it
> for that.  If using the "internal" resolver, no key is needed.

Since you changed the default (which is another story, sigh), I'm not
using the internal resolver anymore.

KiBi.


signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: Bug#607945: sbuild: can haz I entropy?

[Roger Leigh]

On Wed, Dec 29, 2010 at 03:52:59PM +, Roger Leigh wrote:
> On Fri, Dec 24, 2010 at 08:56:31PM +0100, Cyril Brulebois wrote:
> > Dear Santa Claus,
> > 
> > can I haz entropy plz? sbuild seems to need it suddenly, which comes
> > like a big unpleasant surprise:
> > | Check arch
> > | ──
> > |
> > | dpkg-deb: building package `sbuild-build-depends-core-dummy' in
> > | `/tmp/resolver-PVdljw/apt_archive/sbuild-build-depends-core-dummy.deb'.
> > | Generating GPG local archive signing key...
> > |
> > | Not enough random bytes available.  Please do some other work to give
> > | the OS a chance to collect more entropy! (Need 277 more bytes)
> > 
> > It's a bit late in the Christmas gift release process, but hopefully
> > you'll make it in time.
> 
> Only just got back from the family, but I'll try for New Year!
> 
> 
> This is a one-time only event.  Once the key is generated (which you
> can do with "sbuild-update -k" on another system or outside a
> package build at your leisure) the same key will be used for all
> subsequent builds.
> 
> The current strategy is to allow you to generate your own key and
> put it in place.  If you haven't done that, it will autogenerate one
> the first time it's needed.  For buildds, you'll probably want to
> generate one elsewhere and copy it cover.  Note this is in the
> release notes (NEWS.gz) for release 0.60.6.
> 
> If you have any thoughts on how we can do this better, that would be
> great.  apt and aptitude want the local archive signing, so we do it
> for that.  If using the "internal" resolver, no key is needed.

One alternative possibility would be to simply never autogenerate
keys, and skip the build if a GPG key wasn't already present.  This
would then require the user to generate a key by hand with
"sbuild-update -k".  While this would prevent the entropy issues
you ran into, it would inconvenience most users on whose systems the
autogeneration works.

In the interim, I've added a more prominent notice in sbuild 0.60.8;
we notify the user much more clearly that GPG key generation is taking
place.  While this doesn't fix the problem, it does at least make it
clearer as to what's going on.

It's an unfortunate circumstance that requires this.  The APT resolver
won't work correctly unless installing the dependency package from an
archive (or else it will consider removal of the dependency package as
a valid solution), which requires us to set up a local archive.  This
then requires the archive to be signed or else we have security issues
(APT::Get::AllowUnauthenticated=true would disable checking of all
repos).  If there's a way around this, I would definitely be happy to
consider it.  Ideally, apt-get would be as flexible as aptitude in
installing the dummy package, but at the moment it isn't.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?   http://gutenprint.sourceforge.net/
   `-GPG Public Key: 0x25BFB848   Please GPG sign your mail.


signature.asc
Description: Digital signature

Bug#607945: [buildd-tools-devel] Bug#607945: sbuild: can haz I entropy?

[Roger Leigh]

On Fri, Dec 24, 2010 at 08:56:31PM +0100, Cyril Brulebois wrote:
> Dear Santa Claus,
> 
> can I haz entropy plz? sbuild seems to need it suddenly, which comes
> like a big unpleasant surprise:
> | Check arch
> | ──
> |
> | dpkg-deb: building package `sbuild-build-depends-core-dummy' in
> | `/tmp/resolver-PVdljw/apt_archive/sbuild-build-depends-core-dummy.deb'.
> | Generating GPG local archive signing key...
> |
> | Not enough random bytes available.  Please do some other work to give
> | the OS a chance to collect more entropy! (Need 277 more bytes)
> 
> It's a bit late in the Christmas gift release process, but hopefully
> you'll make it in time.

Only just got back from the family, but I'll try for New Year!


This is a one-time only event.  Once the key is generated (which you
can do with "sbuild-update -k" on another system or outside a
package build at your leisure) the same key will be used for all
subsequent builds.

The current strategy is to allow you to generate your own key and
put it in place.  If you haven't done that, it will autogenerate one
the first time it's needed.  For buildds, you'll probably want to
generate one elsewhere and copy it cover.  Note this is in the
release notes (NEWS.gz) for release 0.60.6.

If you have any thoughts on how we can do this better, that would be
great.  apt and aptitude want the local archive signing, so we do it
for that.  If using the "internal" resolver, no key is needed.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?   http://gutenprint.sourceforge.net/
   `-GPG Public Key: 0x25BFB848   Please GPG sign your mail.


signature.asc
Description: Digital signature

Bug#607945: sbuild: can haz I entropy?

[Cyril Brulebois]

Package: sbuild
Version: 0.60.7-1
Severity: serious
Justification: buildds usually lack mice to play with to generate entropy.

Dear Santa Claus,

can I haz entropy plz? sbuild seems to need it suddenly, which comes
like a big unpleasant surprise:
| Check arch
| ──
|
| dpkg-deb: building package `sbuild-build-depends-core-dummy' in
| `/tmp/resolver-PVdljw/apt_archive/sbuild-build-depends-core-dummy.deb'.
| Generating GPG local archive signing key...
|
| Not enough random bytes available.  Please do some other work to give
| the OS a chance to collect more entropy! (Need 277 more bytes)

It's a bit late in the Christmas gift release process, but hopefully
you'll make it in time.

Thank you!

KiBi.

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sbuild depends on:
ii  adduser   3.112+nmu2 add and remove users and groups
ii  libsbuild-perl0.60.7-1   Tool for building Debian binary pa
ii  perl  5.10.1-16  Larry Wall's Practical Extraction 
ii  perl-modules  5.10.1-16  Core Perl modules

Versions of packages sbuild recommends:
ii  debootstrap   1.0.26 Bootstrap a basic Debian system
ii  fakeroot  1.14.5-1   Gives a fake root environment

Versions of packages sbuild suggests:
ii  deborphan 1.7.28.3   program that can find unused packa
ii  wget  1.12-2.1   retrieves files from the web

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org