• Bug#1102621: gpgv-udeb can't be installed: depend on non-udeb libassuan

    From Cyril Brulebois@21:1/5 to All on Fri Apr 11 08:50:02 2025
    XPost: linux.debian.maint.boot

    Package: gpgv-udeb
    Version: 2.4.7-13
    Severity: serious
    Tags: d-i
    Justification: broken package
    X-Debbugs-Cc: debian-boot@lists.debian.org

    Hi,

    The upload of the 2.4.7 series to unstable just broke gpgv-udeb, which bootstrap-base and net-retriever rely on:

    Depends: libassuan9 (>= 3.0.2), libc6-udeb (>= 2.41), libgcrypt20-udeb (>= 1.11.0), libgpg-error0-udeb (>= 1.51), libnpth0t64 (>= 1.8), zlib1g-udeb (>= 1:1.2.3.3.dfsg-1)

    Until 2.4.6, that used to be:

    Depends: libc6-udeb (>= 2.41), libgcrypt20-udeb (>= 1.11.0), libgpg-error0-udeb (>= 1.51), zlib1g-udeb (>= 1:1.2.3.3.dfsg-1)

    If gpgv-udeb indeed requires libassuan.so.9 and libnpth.so.0, I'll
    look into preparing the required changes in those two other packages (src:libassuan and src:npth).


    Side note for the installer team, for some reason the dose code only
    reported libassuan9 (and didn't seem to have noticed libnpth0t64).
    Might be worth investigating/fixing.


    Cheers,
    --
    Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Kahn Gillmor@21:1/5 to Cyril Brulebois on Fri Apr 11 20:30:01 2025
    On Fri 2025-04-11 08:45:47 +0200, Cyril Brulebois wrote:
    The upload of the 2.4.7 series to unstable just broke gpgv-udeb, which bootstrap-base and net-retriever rely on:

    Depends: libassuan9 (>= 3.0.2), libc6-udeb (>= 2.41), libgcrypt20-udeb (>= 1.11.0), libgpg-error0-udeb (>= 1.51), libnpth0t64 (>= 1.8), zlib1g-udeb (>= 1:1.2.3.3.dfsg-1)

    Thanks for the heads-up, kibi. I'm looking into this now. I think the
    ideal situation would be to avoid the linkage between assuan and npth
    entirely.

    --dkg

    -----BEGIN PGP SIGNATURE-----

    iHUEARYKAB0WIQRjrBGOWy5dZsiKhad4C4VO2cK0lgUCZ/lCdAAKCRB4C4VO2cK0 lr0XAQCxOp8aNmA4siyuMmt8WB2eo7E041CG4MiIyzt+pjOXmQD/ffuj4fCcX6Io pkv3OWW56M2zzEUY7neE5Z19haUWsQM=
    =huqW
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Kahn Gillmor@21:1/5 to Andreas Metzler on Fri Apr 11 23:40:01 2025
    --=-=-=
    Content-Type: text/plain

    Control: forwarded 1102621 https://dev.gnupg.org/T7603
    Control: tags 1102621 + patch

    On Fri 2025-04-11 19:27:12 +0200, Andreas Metzler wrote:
    npth was added in
    ce9906b008c94c2aa4ac770a981d1e1e0b8aea47
    gpg: First rough implementation of keyboxd access for key lookup.

    and libassuan in aba82684fe14289cf62b4694bc398f3a274b4762
    gpg: New option --use-keyboxd.

    Thanks for the sleuthing here, Andreas. It's definitely useful to know
    where these additional dependencies were added. But i don't think gpgv
    has any business talking to keyboxd, at least according to its
    documentation.

    And, in the places where we use gpgv, it would probably be a disaster if
    it *did* talk to keyboxd.

    It looks like libassuan is present only due to g10/call-keyboxd.c. I've reported that upstream as https://dev.gnupg.org/T7603, and the patch
    attached here stubs out those calls for gpgv.

    I'm now looking into whether the npth dependency is really needed. it
    seems like the only invocations of npth in gpgv are:

    - npth_read
    - npth_sleep
    - npth_usleep

    afaict, those are merely collaborative asynchronous wrappers around the standard POSIX calls, which again seem unnecessary for gpgv.

    They appear to have been pulled in from common/sysutils.c when built
    with pth, which suggests that we just need to link gpgv against a
    non-pth libcommon. I'll test further and report back.

    --dkg


    --=-=-=
    Content-Type: text/x-diff
    Content-Disposition: inline;
    filename=0001-gpgv-Avoid-Assuan-dependency.patch
    Content-Transfer-Encoding: quoted-printable

    From 10db0bcdabf13adbbd9ffbb34e3b2b8516455ab3 Mon Sep 17 00:00:00 2001
    From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    Date: Fri, 11 Apr 2025 16:59:20 -0400
    Subject: [PATCH] gpgv: Avoid Assuan dependency

    * g10/internal-keydb.c: (new file) stub functions for basic keydb
    parsing without talking to keyboxd.
    * g10/Makefile.am: gpgv depend on internal-keydb instead of
    call-keyboxd

    --

    This avoids an unnecessary dependency on libassuan in gpgv. Since
    gpgv is targeted toward minimal environments, keeping a reduced set of dependencies is beneficial.

    GnuPG-Bug-Id: T7603
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    ---
    g10/Makefile.am | 11 ++--
    g10/internal-keydb.c | 118 +++++++++++++++++++++++++++++++++++++++++++
    2 files changed, 124 insertions(+), 5 deletions(-)
    create mode 100644 g10/internal-keydb.c

    diff --git a/g10/Makefile.am b/g10/Makefile.am
    index e8d8e9017..dce8e37b9 100644
    --- a/g10/Makefile.am
    +++ b/g10/Makefile.am
    @@ -104,7 +104,6 @@ common_source = \
    expand-group.c \
    keydb.h \
    keydb-private.h \
    - call-keyboxd.c \
    keydb.c \
    keyring.c keyring.h \
    seskey.c \
    @@ -132,6 +131,7 @@ common_source = \

    gpg_sources = server.c \
    $(common_source) \
    + call-keyboxd.c \
    pkclist.c \
    skclist.c \
    pubkey-enc.c \
    @@ -168,6 +168,7 @@ gpg_SOURCES = gpg.c \

    gpgv_SOURCES = gpgv.c \
    $(common_source) \
    + internal-keydb.c \
    verify.c

    LDADD = $(needed_libs) ../common/libgpgrl.a \
    @@ -186,21 +187,21 @@ t