launchpad-reviewers team mailing list archive
Message #21528
[Merge] lp:~cjwatson/launchpad/unsigned-source-buildinfo into lp:launchpad
Colin Watson has proposed merging lp:~cjwatson/launchpad/unsigned-source-buildinfo into lp:launchpad.
Commit message:
Drop requirement for source .buildinfo files to be signed.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/unsigned-source-buildinfo/+merge/323530
Signed .buildinfo files make sense for binary or source+binary where they can be part of a verified reproducible build toolchain (although doing that with Launchpad would also require working out how to sign our builds), but they don't seem especially valuable for source-only uploads. The requirement to sign them is also of some practical difficulty for Ubuntu developers at the moment because debsign only gained support for signing .buildinfo files in artful.
--
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/unsigned-source-buildinfo into lp:launchpad.
=== modified file 'lib/lp/archiveuploader/tests/data/suite/bar_1.0-1_buildinfo/bar_1.0-1_source.buildinfo'
--- lib/lp/archiveuploader/tests/data/suite/bar_1.0-1_buildinfo/bar_1.0-1_source.buildinfo 2017-03-29 22:34:48 +0000
+++ lib/lp/archiveuploader/tests/data/suite/bar_1.0-1_buildinfo/bar_1.0-1_source.buildinfo 2017-05-02 23:07:09 +0000
@@ -1,6 +1,3 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
Format: 1.0
Source: bar
Binary: bar
@@ -14,10 +11,3 @@
Installed-Build-Depends:
dpkg (= 1.18.22),
dpkg-dev (= 1.18.22)
-
------BEGIN PGP SIGNATURE-----
-
-iF0EARECAB0WIQQ0DKO7Jw4nFsnuC3aOfrcIbGSoxQUCWNwqgQAKCRCOfrcIbGSo
-xee9AJwK4AIvXCWE409SBvALeq9/6PoR5QCfREHF/gdmZmvsI3hDunrSi3EzA0o=
-=Zgxq
------END PGP SIGNATURE-----
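Review bot: Stripping the clearsign wrapper from bar_1.0-1_source.buildinfo leaves this fixture covering only the unsigned case, so nothing in this diff exercises a source .buildinfo that still carries a signature. Uploaders with a debsign that signs .buildinfo files will keep sending signed ones, so consider keeping the signed file as a second fixture and testing that both forms are accepted.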
=== modified file 'lib/lp/archiveuploader/tests/data/suite/bar_1.0-1_buildinfo/bar_1.0-1_source.changes'
--- lib/lp/archiveuploader/tests/data/suite/bar_1.0-1_buildinfo/bar_1.0-1_source.changes 2017-03-29 22:34:48 +0000
+++ lib/lp/archiveuploader/tests/data/suite/bar_1.0-1_buildinfo/bar_1.0-1_source.changes 2017-05-02 23:07:09 +0000
@@ -21,11 +21,12 @@
5d533778b698edc1a122098a98c8490e 512 devel optional bar_1.0-1.dsc
fc1464e5985b962a042d5354452f361d 164 devel optional bar_1.0.orig.tar.gz
1e35b810764f140af9616de8274e6e73 537 devel optional bar_1.0-1.diff.gz
- 0b66a844c11fa81df970ac8d4edd1ed7 539 devel optional bar_1.0-1_source.buildinfo
+ 4fe26a2e0dcb2e7c194adfa1a6efb627 296 devel optional bar_1.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
-iF0EARECAB0WIQQ0DKO7Jw4nFsnuC3aOfrcIbGSoxQUCWNwqhQAKCRCOfrcIbGSo
-xfGGAKCBdw76SkJc8Fx6CCE2dmqJEkuSXwCfX6YlZRv+8dmu5nb5JAUcBzDxQ60=
-=m/R9
+iD8DBQFZCQJ3jn63CGxkqMURAn/cAJsEK2hbOACmvSz3hETU15iPv8HwtACeM9Vu
+hgq1uiiOzYJeFuBRYhvNrM4=
+=4BZe
-----END PGP SIGNATURE-----
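Review bot: Only the Files entry for bar_1.0-1_source.buildinfo changes here (size 539 to 296, new MD5), and no other line of the .changes body is touched. If this fixture also lists the buildinfo under Checksums-Sha1 or Checksums-Sha256, those entries are now stale and should be regenerated in the same commit. The replacement signature block also gains a "Version: GnuPG v1" header, so it is worth confirming it was made with the same test key the suite's keyring already trusts.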
=== modified file 'lib/lp/archiveuploader/tests/test_uploadpolicy.py'
--- lib/lp/archiveuploader/tests/test_uploadpolicy.py 2017-03-29 09:28:09 +0000
+++ lib/lp/archiveuploader/tests/test_uploadpolicy.py 2017-05-02 23:07:09 +0000
@@ -174,7 +174,7 @@
self.assertTrue(buildd_policy.unsigned_changes_ok)
self.assertFalse(insecure_policy.unsigned_dsc_ok)
self.assertTrue(buildd_policy.unsigned_dsc_ok)
- self.assertFalse(insecure_policy.unsigned_buildinfo_ok)
+ self.assertTrue(insecure_policy.unsigned_buildinfo_ok)
self.assertTrue(buildd_policy.unsigned_buildinfo_ok)
def test_setOptions_distro_name(self):
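Review bot: After the flipped assertion, insecure_policy and buildd_policy both assert unsigned_buildinfo_ok is True, so this test no longer shows any policy under which an unsigned .buildinfo is refused. If some other policy is still meant to reject them, assert that here; if none is, the flag has become a constant and the check it guards could be removed rather than left as dead configuration.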
=== modified file 'lib/lp/archiveuploader/uploadpolicy.py'
--- lib/lp/archiveuploader/uploadpolicy.py 2017-03-29 09:28:09 +0000
+++ lib/lp/archiveuploader/uploadpolicy.py 2017-05-02 23:07:09 +0000
@@ -197,6 +197,9 @@
Distribution.redirect_release_uploads is set.
"""
super(InsecureUploadPolicy, self).setDistroSeriesAndPocket(dr_name)
+ # Signatures on source buildinfo files aren't a big deal, and older
+ # versions of debsign didn't produce them.
+ self.unsigned_buildinfo_ok = True
if (self.archive.purpose == ArchivePurpose.PRIMARY and
self.distro.redirect_release_uploads and
self.pocket == PackagePublishingPocket.RELEASE):
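Review bot: The new "self.unsigned_buildinfo_ok = True" is unconditional, while the comment above it and the merge description justify the relaxation only for source .buildinfo files. As written, any .buildinfo handled under InsecureUploadPolicy is accepted unsigned, including the binary and source+binary cases the description says are the ones where a signature is meaningful. Either gate the relaxation on the upload being source-only or reword the comment to state that the wider scope is intended. The assignment also sits in setDistroSeriesAndPocket, which has nothing to do with signatures and leaves the flag at its previous value until that method is called; setting it where the policy's other unsigned_*_ok defaults are initialised would be clearer.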