Message #28744
[Merge] ~jugmac00/lpcraft:add-support-for-trusted-value into lpcraft:main
Jürgen Gmach has proposed merging ~jugmac00/lpcraft:add-support-for-trusted-value into lpcraft:main.
Commit message:
Allow overriding APT's security checks
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~jugmac00/lpcraft/+git/lpcraft/+merge/426416
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~jugmac00/lpcraft:add-support-for-trusted-value into lpcraft:main.
diff --git a/NEWS.rst b/NEWS.rst
index da3bbc7..5fd2e10 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -5,7 +5,10 @@ Version history
0.0.19 (unreleased)
===================
-- nothing yet
+- Add new CLI option to provide secrets via a YAML-based configuration file.
+
+- Allow overriding APT's security checks via `PackageRepository.trusted`
+
0.0.18 (2022-07-04)
===================
@@ -19,8 +22,6 @@ Version history
- Rebuild the Snap package to include updated system packages.
See https://ubuntu.com/security/notices/USN-5495-1/.
-- Add new CLI option to provide secrets via a YAML-based configuration file.
-
0.0.17 (2022-06-17)
===================
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 6e2b84a..1fe25ac 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -172,3 +172,9 @@ More properties can be implemented on demand.
The URL is rendered using `Jinja2 <https://pypi.org/project/Jinja2/>`_.
This can be used to supply authentication details via the *secrets*
command line option.
+
+``trusted`` (optional)
+ Set this to ``yes`` to override APT's security checks, ie accept sources
+ which do not pass authentication checks. ``no`` does the opposite.
+ By default APT decides whether a source is considered trusted. This third
+ option cannot be set explicitly.
diff --git a/lpcraft/config.py b/lpcraft/config.py
index 0e835e2..e9ef69a 100644
--- a/lpcraft/config.py
+++ b/lpcraft/config.py
@@ -112,6 +112,17 @@ class PackageSuite(str, Enum):
jammy = "jammy" # 22.04
+class PackageTrusted(str, Enum):
+ """Specifies whether APT should trust a source.
+
+ The default value, ie let APT decide, cannot be set explicitly,
+ but can be achieved by not setting a key/value pair at all.
+ """
+
+ yes = "yes"
+ no = "no"
+
+
class PackageRepository(ModelConfigDefaults):
"""A representation of a package repository.
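Review bot: The `PackageTrusted` docstring does not say that the value has to be quoted in the YAML file. The tests in this merge write `trusted: "yes"` and `trusted: "no"`, which suggests the loader follows YAML 1.1, where a bare `yes` or `no` is read as a boolean and would match neither member. I would add a docstring line such as `Quote the value in YAML ("yes" / "no"); an unquoted value is parsed as a boolean.` and confirm with a test that the unquoted form is rejected rather than silently accepted. The `PackageRepository` class shown as context at the end of the hunk continues outside it.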
@@ -123,6 +134,7 @@ class PackageRepository(ModelConfigDefaults):
components: List[PackageComponent] # e.g. `[main, universe]`
suites: List[PackageSuite] # e.g. `[bionic, focal]`
url: AnyHttpUrl
+ trusted: Optional[PackageTrusted] # e.g. `yes`
def sources_list_lines(self) -> Iterator[str]:
"""Yield repository lines as strings.
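Review bot: The new `trusted` field accepts `yes` for any `AnyHttpUrl`, so a repository reached over plain `http://` can be marked trusted; in that case neither the archive signature nor the transport authenticates the packages installed into the build. I would reject that combination at validation time, or at least log a warning whenever `trusted: yes` is used, so that switching off APT's checks is visible and limited to HTTPS sources. The sketch below assumes the pydantic `validator` decorator is available in this module, which the hunk does not show. The class body continues outside the hunk.

```python
    trusted: Optional[PackageTrusted]  # e.g. `yes`

    @validator("trusted")
    def _trusted_requires_https(cls, v, values):
        # Without signature checks, TLS is the only authentication left.
        url = values.get("url")
        if v == PackageTrusted.yes and url is not None and url.scheme != "https":
            raise ValueError("trusted: yes requires an https:// repository URL")
        return v

    # … unchanged: sources_list_lines …
```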
@@ -131,7 +143,10 @@ class PackageRepository(ModelConfigDefaults):
""" # noqa: E501
for format in self.formats:
for suite in self.suites:
- yield f"{format} {self.url!s} {suite} {' '.join(self.components)}" # noqa: E501
+ if self.trusted:
+ yield f"{format} [trusted={self.trusted}] {self.url!s} {suite} {' '.join(self.components)}" # noqa: E501
+ else:
+ yield f"{format} {self.url!s} {suite} {' '.join(self.components)}" # noqa: E501
class Job(ModelConfigDefaults):
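Review bot: The added line interpolates the enum member itself, `[trusted={self.trusted}]`, and what an f-string produces for a `str`/`Enum` mix-in depends on the interpreter: from Python 3.11 on, `format()` follows `Enum.__str__` and gives `PackageTrusted.yes` rather than `yes`. If the model keeps enum members (its config is not visible here), `[trusted={self.trusted.value}]` removes that dependency and keeps the sources.list option well-formed. The two `yield` branches differ only in the option, so they could share one line by first computing `options = f" [trusted={self.trusted.value}]" if self.trusted else ""`. `sources_list_lines` starts outside the hunk.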
diff --git a/lpcraft/tests/test_config.py b/lpcraft/tests/test_config.py
index 3daf342..a7c0d86 100644
--- a/lpcraft/tests/test_config.py
+++ b/lpcraft/tests/test_config.py
@@ -422,6 +422,12 @@ class TestConfig(TestCase):
components: [main]
suites: [focal]
url: https://canonical.example.org/artifactory/jammy-golang-backport
+ - type: apt
+ formats: [deb]
+ components: [main]
+ suites: [focal]
+ url: https://canonical.example.org/artifactory/jammy-golang-backport
+ trusted: "no"
""" # noqa: E501
)
)
@@ -443,7 +449,22 @@ class TestConfig(TestCase):
host_type="domain",
path="/artifactory/jammy-golang-backport",
),
- )
+ ),
+ PackageRepository(
+ type="apt",
+ formats=["deb"],
+ components=["main"],
+ suites=["focal"],
+ url=AnyHttpUrl(
+ "https://canonical.example.org/artifactory/jammy-golang-backport", # noqa: E501
+ scheme="https",
+ host="canonical.example.org",
+ tld="org",
+ host_type="domain",
+ path="/artifactory/jammy-golang-backport",
+ ),
+ trusted="no",
+ ),
],
config.jobs["test"][0].package_repositories,
)
@@ -466,6 +487,12 @@ class TestConfig(TestCase):
components: [main]
suites: [focal, bionic]
url: https://canonical.example.org/artifactory/jammy-golang-backport
+ - type: apt
+ formats: [deb]
+ components: [main]
+ suites: [focal]
+ url: https://canonical.example.org/artifactory/jammy-golang-backport
+ trusted: "yes"
""" # noqa: E501
)
)
@@ -481,3 +508,9 @@ class TestConfig(TestCase):
self.assertEqual(
expected, (list(repositories[0].sources_list_lines()))
)
+ self.assertEqual(
+ [
+ "deb [trusted=yes] https://canonical.example.org/artifactory/jammy-golang-backport focal main" # noqa: E501
+ ], # noqa: E501
+ list(repositories[1].sources_list_lines()),
+ )