rrq | two nuggets: yes the tar is repacked, and debsign (using gpg) always offers new and different signatures | 01:09 |
---|---|---|
rrq | either one helps in destroying a natural idea of "sameness" between builds | 01:12 |
rrq | though it's all in the meta data | 01:13 |
rrq | (including that dpkg-genbuildinfo also makes a new Build-Date setting) | 01:14 |
Centurion_Dan | rrq: I think that I can patch dak so that for signed files, it verifies then strips the signature, and uses the checksum | 02:17 |
rrq | I was thinking, maybe even the source build for an existing version should be refused? why check if same? | 02:35 |
rrq | (and then the test when adding won't be exercised) | 02:36 |
rrq | I suppose that'd require a different "button" to promote a build package into a new distribution | 02:37 |
rrq | a built package | 02:37 |
rrq | anyhow, the "same build" test also needs to ignore the .buildinfo difference in the .changes file | 02:48 |
rrq | and the subsequent .changes difference in the .dsc file | 02:49 |
Centurion_Dan | yeah that'd require a different workflow. Typically we should only ever need to run the build once for a given source package, but with random jenkins failures and buildhost differences etc that's not really feasible for us now. | 02:50 |
Centurion_Dan | The way dak handles any file uploaded - dsc.s binary debs etc, is if they already match what's in daks database for the given type, package name, version, architecture that dak accepts the upload but doesn't do anything with the file because it knows it's the same. | 02:50 |
rrq | I suppose the test should only look at all checksums in .changes except for the .dsc and .buildinfo lines | 02:53 |
Centurion_Dan | So if we make sure that for any signed files that dak verifies and then strips the sig (`gpg --decrypt` will do this) to generate the checksums used in daks database, then this problem goes away (and also paves the way for signed debs too) | 02:53 |
rrq | (sorry I "talked" over you...) I suppose the test should only look at all checksums in .changes except for the .dsc and .buildinfo lines | 02:54 |
rrq | and also verify that the signing is good | 02:55 |
Centurion_Dan | the .changes and .buildinfo are really informational, and with some enhancement to dak would make dak capable of recording reproducibility of a package directly in the archive. | 02:55 |
rrq | and .buildinfo isn't preserved as an artifact in jenkins | 02:57 |
rrq | so, either way it's good to fix the test so it can recognize sameness of repreated builds | 02:59 |
rrq | (repeated) | 02:59 |
Centurion_Dan | So when there are multiple uploads of the same package version built using different hosts and on different suites should still produce the same core source and binary packages, dak can record the package as being reproducible and stash the individual .changes and .buildinfo records foreach upload along for post processing. | 03:00 |
Centurion_Dan | yes. | 03:00 |
rrq | I'm not a pythin wizz but sighting the source, it also looked like an isolated point of edit; though maybe it should be isolated into it a function (separate from the process logic) | 03:04 |
rrq | can't even spell it :) | 03:04 |
Centurion_Dan | As a part of the fix, I'll have to build an upgrade process that makes dak process all the fingerprinted files, and change the stored checksum into the stripped checksum. | 03:06 |
Centurion_Dan | I'm getting reasonable at python. | 03:06 |
Centurion_Dan | It won't be that one check - it should be generalised across every file that dak stores a fingerprint for. | 03:07 |
* rrq thinks: yes, right, good. | 03:11 | |
Centurion_Dan | I think this will likely be a very useful patch for debian too. | 03:11 |
Centurion_Dan | because it would enable dak to handle signed debs - a commonly complained about risk. | 03:12 |
rrq | then possibly do content-only comparison of the source tar (eg using diffoscope)? though a slightly different patch item. | 03:15 |
rrq | or just like: "diff <(tar -Oxf A/udptap_0.1.5.tar.xz) <(tar -Oxf B/udptap_0.1.5.tar.xz)" | 03:47 |
Centurion_Dan | the apt-pkg python lib has a module that helpfully will provide a view of the file with the clearsigning stripped out. | 05:21 |
Centurion_Dan | rrq: ^ | 05:21 |
Centurion_Dan | I'm just toying with it to see how if it actually does the gpg checks and how it errors out. This could turn out to be a trivial patch afterall - for the fix atleast. | 05:22 |
Centurion_Dan | Then I have to figure out how to update all the stored fingerprints to ensure they are regenerated from the files sans any gpg-signatures detail. | 05:24 |
rrq | would be a rerun of dpkg-genchanges | 05:28 |
rrq | with a -ffile that excludes .buildinfo perhaps | 05:31 |
Centurion_Dan | It would mean walking the entire dak database to read every file record grab the file and then update it's fingerprints to always be stripped. I probably also should extend the database to also record whether the file was gpg clearsigned. | 05:32 |
Centurion_Dan | there's a shed load of development going on in dak upstream to deal with signed binaries for secureboot purposes so I'm reticent to do any upgrades, and will leave that until later. | 05:35 |
Centurion_Dan | I think I'll setup a local copy of dak with a clone of the database and archive to play with. | 05:35 |
rrq | yes, that's safest. hmm with binaries signed non-repeatably one can't use shasum to check sameness. this seems to be calling for an shasum-ignore-signing utility | 05:41 |
* rrq loitering far outside his comfort zone | 05:43 | |
Centurion_Dan | I'm always pushing the boundaries ;-) | 05:52 |
rrq | afk | 06:08 |
fsmithred | tell debdog to use auto.mirror.devuan.org with jessie installer isos. those isos don't have the newer key so they won't work with pkgmaster or deb.devuan.org | 16:58 |
fsmithred | wrong channel, I think. Sorry. | 17:02 |
golinux | auto.mirror.devuan.org is the address on the iso and recommended on the website for jessie. After it's installed other addresses work. | 17:30 |
fsmithred | after you install the new keyring | 17:32 |
fsmithred | I can't find the install guides | 17:33 |
golinux | They are on the download page | 17:33 |
fsmithred | Now you can open the appropriate guide below to walk you through the installation process! | 17:33 |
fsmithred | that is at the bottom of a page | 17:33 |
fsmithred | https://devuan.org/os/documentation/install-guides/start-here.html#installing | 17:34 |
amesser | golinux, fsmithred: I have prepared a policykit package with modified pkexec. I have tested and as far as I can judge, scrollbars are not hidding anymore in synaptic. You can get it from here for a try: https://git.devuan.org/amesser/policykit-1/tree/sandbox/pkexec-pass-gtk-vars | 20:12 |
golinux | amesser: No .deb? | 21:14 |
fsmithred | golinux, there are a bunch of debs. I'll send you the ones you need | 21:19 |
fsmithred | are you using elogind in beowulf? | 21:20 |
golinux | I think so. Using slim | 21:20 |
fsmithred | and btw, it works here, too. | 21:20 |
golinux | Fantastic. | 21:20 |
fsmithred | nslim needs cos | 21:21 |
golinux | Send whatever I need over and I' | 21:21 |
fsmithred | slim needs consolekit | 21:21 |
fsmithred | and thre's no ck in beowulf yet | 21:21 |
fsmithred | so... | 21:21 |
fsmithred | please cheeck what you have | 21:21 |
golinux | Give me a sec | 21:21 |
fsmithred | was it upgrade from ascii? | 21:21 |
golinux | Do you have a list of what I need to search for? | 21:21 |
fsmithred | dpkg -l | grep consolekit | 21:22 |
fsmithred | and tell me a version | 21:22 |
golinux | Installed from the mini.iso | 21:22 |
golinux | Hmmmm . . . haven't been there is a while | 21:22 |
golinux | Just great! ot found! | 21:24 |
golinux | Because the USB 3.0 controller state is part of the saved VM state, the VM cannot be started. To fix this problem, either install the 'Oracle VM VirtualBox Extension Pack' or disable USB 3.0 support in the VM settings (VERR_NOT_FOUND). | 21:24 |
golinux | WTF? It worked the last time that I booted it. | 21:24 |
golinux | ascii VM is getting the same error. | 21:25 |
golinux | brb | 21:26 |
fsmithred | time for a swim. bbiab | 21:47 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!