Bug#846311: dput: please use python-gpg instead of python-gpgme

2016-12-20 Thread Ben Finney 
On 01-Dec-2016, Ben Finney wrote:
> The ‘python-gpg’ package doesn't seem to be in Debian Stretch yet, so
> I'll need to wait before assessing this.

I have uploaded ‘dput’ version “0.11.1” to the ‘experimental’ suite.
This incorporates the changes DKG proposed on this bug report.

Please try some corner cases – e.g. strange GnuPG keys that will cause
different responses from key verification – using this version of
‘dput’ to see whether it is suitable for a new version targeted to
‘unstable’.

-- 
 \   “A poet more than thirty years old is simply an overgrown |
  `\ child.” —Henry L. Mencken |
_o__)  |
Ben Finney 


signature.asc
Description: PGP signature

Bug#846311: dput: please use python-gpg instead of python-gpgme

2016-12-05 Thread Daniel Kahn Gillmor 
On Wed 2016-11-30 15:00:37 -0500, Ben Finney wrote:
> I agree, though I took the ‘pyme’ name as a pretty poor sign of fit
> with the Python ecosystem. When I looked at that library the interface
> was terribly low-level – a thin wrapper around the C-style library –
> and the ‘gpgme’ library was a much more Pythonic approach.

The GnuPG developers took the pyme codebase, adopted it, improved it,
added a natively-pythonic layer above the C-style library, and renamed
it to "gpg".  This was released in gpgme 1.8.0, and was discussed
heavily on the gnupg-devel mailing list.

It is blocked from transition into stretch at the moment for
thoroughly-unrelated reasons (see https://bugs.debian.org/846232).  It
is worthwhile to update the version of dput in sid to use the package
that is maintained by upstream, rather than tying it to the
less-maintained python-gpgme.

thanks for reading up on this and for maintaining dput!

--dkg


signature.asc
Description: PGP signature

Bug#846311: dput: please use python-gpg instead of python-gpgme

2016-11-30 Thread Ben Finney 
On 30-Nov-2016, Daniel Kahn Gillmor wrote:

> Thanks for resolving #835598 by switching to a python wrapper of
> gpgme. Alas, the ecosystem for using gpg from python is a cluttered
> one and it's easy to settle on a problematic choice.

Thanks for wading into the clutter :-)

> The "gpg" python module is maintained by the upstream maintainers of
> GPGME and is now released with each new version of GPGME.

Is this the library installed as ‘pyme’? (A terrible name, IMO, since
it needlessly tells the Python programmer that they're using a Python
library, and omits the most important part: that this is a library for
GnuPG.)

If the library is renamed ‘gpg’ that must be quite recent. Where can I
read more about that?

> It makes more sense to rely in a consolidated way on the active
> upstream maintainers where possible.

I agree, though I took the ‘pyme’ name as a pretty poor sign of fit
with the Python ecosystem. When I looked at that library the interface
was terribly low-level – a thin wrapper around the C-style library –
and the ‘gpgme’ library was a much more Pythonic approach.

If that has changed, I was unaware of it last month.

> The attached cleanup/migration patch is mostly cleanup of the very
> extensive test suite to more closely match how python-gpg maps to the
> GPGME interface.

Thank you for working with the code base and making sure to update the
tests.

The ‘python-gpg’ package doesn't seem to be in Debian Stretch yet, so
I'll need to wait before assessing this. How new is that package?

-- 
 \   “From the moment I picked your book up until I laid it down I |
  `\was convulsed with laughter. Someday I intend reading it.” |
_o__)—Groucho Marx |
Ben Finney 


signature.asc
Description: PGP signature

Bug#846311: dput: please use python-gpg instead of python-gpgme

2016-11-29 Thread Daniel Kahn Gillmor 
Package: dput
Version: 0.11.0
Severity: normal
Tags: patch

Thanks for resolving #835598 by switching to a python wrapper of
gpgme.  Alas, the ecosystem for using gpg from python is a cluttered
one and it's easy to settle on a problematic choice.

The "gpg" python module is maintained by the upstream maintainers of
GPGME and is now released with each new version of GPGME.  The "gpgme"
python module is maintained by a third party, and has lagged behind
gpgme development, including having difficulty working with newer
versions of GnuPG itself.

It makes more sense to rely in a consolidated way on the active
upstream maintainers where possible.

The attached cleanup/migration patch is mostly cleanup of the very
extensive test suite to more closely match how python-gpg maps to the
GPGME interface.

I've also pushed it to the use-upstream-maintained-gpg-python-module
branch on https://anonscm.debian.org/git/collab-maint/dput.git should
you prefer to pull it directly from there.

Regards,

--dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
>From 0826424165d542e8d1248f94f07efd55840871a8 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor 
Date: Wed, 23 Nov 2016 17:52:35 -0500
Subject: [PATCH] Convert from "gpgme" python module to "gpg" python module

The "gpg" python module is maintained by the upstream maintainers of
GPGME and is now released with each new version of GPGME.  The "gpgme"
python module is maintained externally, and has lagged behind gpgme
development.

It makes more sense to rely in a consolidated way on the active
upstream maintainers where possible.
---
 debian/control  |   2 +-
 debian/pydist-overrides |   5 --
 dput/crypto.py  |  29 +
 dput/dput.py|   2 +-
 setup.py|   4 +-
 test/test_crypto.py | 161 +---
 test/test_dput.py   |   4 +-
 7 files changed, 103 insertions(+), 104 deletions(-)
 delete mode 100644 debian/pydist-overrides

diff --git a/debian/control b/debian/control
index 3b3310b..bae5b9e 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends-Indep:
 python-testscenarios,
 python-httpretty,
 python-debian,
-python-gpgme,
+python-gpg,
 python-setuptools,
 python (>= 2.7),
 debconf-utils (>= 1.1.1),
diff --git a/debian/pydist-overrides b/debian/pydist-overrides
deleted file mode 100644
index 704af8e..000
--- a/debian/pydist-overrides
+++ /dev/null
@@ -1,5 +0,0 @@
-# debian/pydist-overrides
-# Mapping from distribution name to Debian package name.
-# Documentation: ‘/usr/share/doc/dh-python/README.PyDist’.
-
-pygpgme python-gpgme; PEP386
diff --git a/dput/crypto.py b/dput/crypto.py
index c527eda..f84f195 100644
--- a/dput/crypto.py
+++ b/dput/crypto.py
@@ -13,13 +13,13 @@ from __future__ import (absolute_import, unicode_literals)
 
 import sys
 
-import gpgme
+import gpg,gpg.results
 
 
 def characterise_signature(signature):
 """ Make a phrase characterising a GnuPG signature.
 
-:param signature: A `gpgme.Signature` instance.
+:param signature: A `gpg.results.Signature` instance.
 :return: A simple text phrase characterising the `signature`.
 
 * If the signature is valid, the result is "valid".
@@ -29,11 +29,11 @@ def characterise_signature(signature):
 
 """
 text = "UNKNOWN"
-if (signature.summary & gpgme.SIGSUM_VALID):
+if (signature.summary & gpg.constants.SIGSUM_VALID):
 text = "valid"
-elif (signature.summary & gpgme.SIGSUM_RED):
+elif (signature.summary & gpg.constants.SIGSUM_RED):
 text = "bad"
-elif (signature.summary & gpgme.SIGSUM_GREEN):
+elif (signature.summary & gpg.constants.SIGSUM_GREEN):
 text = "good"
 
 return text
@@ -42,7 +42,7 @@ def characterise_signature(signature):
 def describe_signature(signature):
 """ Make a message describing a GnuPG signature.
 
-:param signature: A `gpgme.Signature` instance.
+:param signature: A `gpg.result.Signature` instance.
 :return: A text description of the salient points of the
 `signature`.
 
@@ -65,26 +65,25 @@ def check_file_signature(infile):
 
 :param infile: The file containing a signed message.
 :return: ``None``.
-:raise gpgme.GpgmeError: When the signature verification fails.
+:raise gpg.errors.GPGMEError: When the signature verification fails.
 
 The `infile` is a file-like object, open for reading, that
 contains a