#archlinux32 | Logs for 2024-11-28

[00:08:30] <bill-auger> ok, i just verified starting with archlinux32-keyring 202409 and 202401 - it appears to be a general problem - probably every user of arch32 and parabola i686 will need to do this manual intervention - besides a bug report, this probably justifies a news alert also
[00:29:10] <bill-auger> KitsuWhooa: i dont know if you can handle this problem; but it should not go unnoticed - could you rebuild the keyring package and sign it with your key?
[00:34:21] <bill-auger> or could you post a news alert referencing a bug report (does not exist yet) with a solution (i can provide that)
[00:34:22] <bill-auger> if not, at least try to ensure that abaumann learns about it somehow
[01:24:12] <morriset> bill-auger: As per your suggestion. Bug report open --> FS#365
[01:40:39] <bill-auger> thanks - as promised, i added the solution
[02:22:04] <KillerWasp> bill-auger: "...that apparently was not user-error;...", I don't know if i should be flattered or offended.
[02:38:28] <morriset> bill-auger: OK. I was able to upgrade the system. Thank you
[03:10:28] -!- morriset has quit [Quit: Leaving]
[03:21:49] <bill-auger> KitsuWhooa: well, the first bug report about anything could always be user-error - once someone else confirms the same problem, it was probably not user-error - or if it was, it could be a documentation bug
[03:23:45] <bill-auger> especially keyring problems - it is often that only one user has the problem
[03:24:38] <bill-auger> sry KillerWasp i meant - TAB habit always gets me between you two
[03:33:26] -!- drathir_tor has quit [Ping timeout: 260 seconds]
[03:40:33] -!- drathir_tor has joined #archlinux32
[06:43:03] -!- drathir_tor has quit [Ping timeout: 260 seconds]
[07:09:04] -!- abaumann has joined #archlinux32
[07:09:04] <buildmaster> Hi abaumann!
[07:09:04] <buildmaster> !rq abaumann
[07:09:05] <phrik> buildmaster: <abaumann> it usually automatically fails. :-)
[07:09:13] <abaumann> thanks bill-auger
[07:09:17] <abaumann> thanks morriset
[07:09:34] <abaumann> I'll make a link from the news page to FS32#365
[07:12:42] <abaumann> What I don't quite get is that my key had been refreshed and added to the keyring before it expired (both signing and master key)?
[07:12:47] * abaumann shrugs
[07:13:15] <abaumann> mmh. I have to find a really old vm to verify this..
[07:13:49] <abaumann> ..usually my vms and containers are too up-to-date. So maybe the problem didn't happen then, but happens now after my key expired.
[07:13:57] <abaumann> ah. yes.
[07:14:27] <abaumann> the keyring has to be replaced in a sensible period, otherwise if updates are older, they try to update with the now expired key.
[07:15:15] <abaumann> KitsuWhooa: you were right to alert early all the time :-)
[07:15:42] <abaumann> I'm sorry about the situation. I only have very little time to do anything on Arch32 currently..
[07:29:40] <abaumann> mmh. a lot of builds are failing..
[07:37:33] -!- drathir_tor has joined #archlinux32
[09:06:24] -!- abaumann has quit [Quit: leaving]
[09:18:11] -!- drathir_tor has quit [Ping timeout: 260 seconds]
[09:26:12] -!- drathir_tor has joined #archlinux32
[11:32:50] -!- drathir_tor has quit [Remote host closed the connection]
[11:33:23] -!- drathir_tor has joined #archlinux32
[12:08:51] -!- mavchatz has joined #archlinux32
[12:09:33] -!- mvchtz has quit [Ping timeout: 245 seconds]
[12:25:05] -!- mavchatz has quit [Quit: WeeChat 4.1.1]
[12:42:26] -!- mvchtz has joined #archlinux32
[13:52:38] -!- johancb has joined #archlinux32
[14:00:45] -!- mvchtz has quit [Ping timeout: 260 seconds]
[14:07:02] -!- mvchtz has joined #archlinux32
[14:08:03] -!- johancb has quit [Remote host closed the connection]
[15:00:36] -!- drathir_tor has quit [Ping timeout: 260 seconds]
[15:02:05] -!- drathir_tor has joined #archlinux32
[15:45:50] -!- mvchtz has quit [Quit: WeeChat 4.1.1]
[15:46:06] -!- drathir_tor has quit [Ping timeout: 260 seconds]
[15:46:52] -!- drathir_tor has joined #archlinux32
[15:50:21] -!- bdju has quit [Ping timeout: 252 seconds]
[15:51:44] -!- bdju has joined #archlinux32
[15:53:24] <KillerWasp> btw, with 'pacman-key --refresh' i can see several errors with the keys, maybe the list of keys needs a check and cleaning.
[16:12:33] -!- mvchtz has joined #archlinux32
[17:21:58] -!- Perdu has parted #archlinux32
[17:54:11] <bill-auger> abaumann: we have had this problem for many years - i finally nailed it down about 2 years ago
[17:54:24] <bill-auger> the diagnosis appears to be this: that `gpg --check-trustdb` command runs on every keyring install/upgrade, per '.install' hooks; but normally it does nothing - gpg decides if the update should actually be performed based on a schedule - the trick is to force it to always update (with `--yes`) - i expect that no one will have this same old problem again
[17:54:53] <bill-auger> and i was right - we have not had that problem since - this is the fix
[17:55:06] <bill-auger> https://git.parabola.nu
[17:55:08] <phrik> Title: 9002-pacman-key-updatedb.patch « pacman « libre - abslibre.git - Parabola package recipes (Arch Build System Libre) (at git.parabola.nu)
[18:06:10] <bill-auger> but your situation is more complicated because the expired key is the key that signed the keyring package, so you created a chicken-and-egg problem
[18:06:54] <bill-auger> it works for us because the keyring package is signed by autobuilder - autobuilder's key is in the keyring but never expires
[18:08:26] <bill-auger> so you need both of those to prevent it from happening again - apply that patch to pacman, and start signing the keyring packages with a key that is both in the keyring and never expires
[18:12:53] <KitsuWhooa> yeah, the package was supposed to have gone out a long time ago
[18:13:04] <KitsuWhooa> my builders are all currently down, so I can't push a new keyring with my key
[18:13:18] <KitsuWhooa> either way, I've been screeching for months to get a new keyring package out
[18:13:34] <KitsuWhooa> AEC3AF00, a master key, is about to expire too
[18:13:51] <KitsuWhooa> and I am sure that's going to cause more headaches
[18:14:24] <KitsuWhooa> only thing I can think of is manually download the keyring package, sign it with my key, and overwrite the existing one in the mirrors
[18:14:38] <KitsuWhooa> but it'll have the same pkgver/pkrel
[18:19:01] <bill-auger> ive tried that - it doesn work - you need to rebuild the package too
[18:20:17] <bill-auger> i think it is the Packager in the metadata which causes pacman to reject anyone else's signature
[18:22:44] <KitsuWhooa> Ah
[18:25:55] <bill-auger> if you can rebuild the keyring package and sign it, that would solve the immediate problem but only for the keyring package - manual intervention would still be required; because they will still get errors from abaumann's key
[18:25:55] <bill-auger> instead, you could put out a new pacman with that patch applied - users would need to install that new pacman first, then re-install the existing keyring package, then upgrade
[18:27:33] <bill-auger> nope sry that was too optimistic - on second thought, im pretty sure you would need to do both
[18:30:11] <bill-auger> you could do both now because your key is not expired; but the same problem would happen again if a keyring package gets signed by a key that expired before users installed the new keyring package with the updated key
[18:30:33] <KitsuWhooa> I am aware that it'll happen in the future
[18:30:39] <KitsuWhooa> isn't this an issue with upstream arch too?
[18:30:48] <KitsuWhooa> if you leave your system out of date for too long, you won't be able to install the new keyring
[18:31:07] <bill-auger> that is, the trick in that pacman patch only works if the user already has the updated keyring package installed
[18:33:18] <bill-auger> you may be right about arch - ive not checked how arch handles it - i expect it is the same deal though generally
[18:33:18] <bill-auger> - the signing key of the keyring package must never expire before users can install the replacement
[18:33:39] <KitsuWhooa> yeah, that can not be guaranteed
[18:33:48] <KitsuWhooa> our fault here is that the keyring package was pushed out too late
[18:34:10] <bill-auger> yes it can - sign the keyring package with a key that never expires
[18:34:21] <KitsuWhooa> that's why I made my key never expire
[18:34:31] <bill-auger> that is how archarm handles everything - they have only one key and it never expires
[18:34:34] <KitsuWhooa> but the package gets signed by whatever builder it's built on
[18:34:45] <KitsuWhooa> in this case the only builders available are abaumann's
[18:34:56] <bill-auger> ok so you cant fix it
[18:34:58] <KitsuWhooa> we can not manually upload packages that we built ourselves
[18:35:20] <KitsuWhooa> the only thing we can do is be more prompt, like upstream, with key expirations
[18:35:44] <bill-auger> i suspect that is how arch handles it - diligence
[18:35:53] <KitsuWhooa> the only way to prevent others from having this issue is by me fixing my builders and forcing buildmaster to assign the build to my builder
[18:35:56] <KitsuWhooa> which will sign it with my key
[18:36:34] <bill-auger> it is more secure if the autobuilder has its own key
[18:36:48] <KitsuWhooa> what do you mean?
[18:36:56] <KitsuWhooa> each builder having its own key instead of one for all of them?
[18:36:57] <bill-auger> and packagers set their expire regularly
[18:36:59] <KitsuWhooa> that sounds like a pain
[18:38:11] <bill-auger> its not important how many it could be one key for all autobuilders - the important part is that the autobuilder signs the keyring package and its key never expires
[18:38:35] <KitsuWhooa> we can't have a builder dedicated to the keyring package, but yes
[18:38:42] <KitsuWhooa> you'd need to convince girls and abaumann to make never expiring keys
[18:38:53] <KitsuWhooa> but I'm pretty sure that goes against the arch guidelines or w/e
[18:38:54] <bill-auger> but if the autobuilder signs all packages then no one else needs a key
[18:39:09] <bill-auger> no - you are misunderstanding me
[18:39:28] <KitsuWhooa> Each person has a key for their builders that is dedicated to just building packages. The keys aren't used elsewhere
[18:39:29] <bill-auger> the autobuilder should not be using the personal keys of any developer
[18:39:30] <KitsuWhooa> sorry
[18:39:37] <KitsuWhooa> Yes, these aren't personal keys
[18:39:40] <KitsuWhooa> we just make them for our builders
[18:39:51] <bill-auger> ok i see - then just make those never expire
[18:40:14] <bill-auger> but it is best practice that your personal key does expire regularly
[18:40:41] <KitsuWhooa> unfortunately I have more important things to do than maintain a key
[18:40:49] <KitsuWhooa> but that's unrelated to arch32
[18:40:51] <bill-auger> but if the autobuilder signs all packages then why is anyone else's key in the keyring? - it seems like those dev keys would never sign any packages
[18:41:22] <KitsuWhooa> you need at least 3 trusted keys to trust other keys
[18:41:25] <KitsuWhooa> IIRC
[18:41:31] <bill-auger> oh i see - i forgot about that