XPost: linux.debian.maint.boot

Package: gpgv-udeb
Version: 2.4.7-13
Severity: serious
Tags: d-i
Justification: broken package
X-Debbugs-Cc: debian-boot@lists.debian.org

Hi,

The upload of the 2.4.7 series to unstable just broke gpgv-udeb, which bootstrap-base and net-retriever rely on:

Depends: libassuan9 (>= 3.0.2), libc6-udeb (>= 2.41), libgcrypt20-udeb (>= 1.11.0), libgpg-error0-udeb (>= 1.51), libnpth0t64 (>= 1.8), zlib1g-udeb (>= 1:1.2.3.3.dfsg-1)

Until 2.4.6, that used to be:

Depends: libc6-udeb (>= 2.41), libgcrypt20-udeb (>= 1.11.0), libgpg-error0-udeb (>= 1.51), zlib1g-udeb (>= 1:1.2.3.3.dfsg-1)

If gpgv-udeb indeed requires libassuan.so.9 and libnpth.so.0, I'll
look into preparing the required changes in those two other packages (src:libassuan and src:npth).


Side note for the installer team, for some reason the dose code only
reported libassuan9 (and didn't seem to have noticed libnpth0t64).
Might be worth investigating/fixing.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri 2025-04-11 08:45:47 +0200, Cyril Brulebois wrote:

The upload of the 2.4.7 series to unstable just broke gpgv-udeb, which bootstrap-base and net-retriever rely on:

Depends: libassuan9 (>= 3.0.2), libc6-udeb (>= 2.41), libgcrypt20-udeb (>= 1.11.0), libgpg-error0-udeb (>= 1.51), libnpth0t64 (>= 1.8), zlib1g-udeb (>= 1:1.2.3.3.dfsg-1)

Thanks for the heads-up, kibi. I'm looking into this now. I think the
ideal situation would be to avoid the linkage between assuan and npth
entirely.

--dkg

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRjrBGOWy5dZsiKhad4C4VO2cK0lgUCZ/lCdAAKCRB4C4VO2cK0 lr0XAQCxOp8aNmA4siyuMmt8WB2eo7E041CG4MiIyzt+pjOXmQD/ffuj4fCcX6Io pkv3OWW56M2zzEUY7neE5Z19haUWsQM=
=huqW
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

--=-=-=
Content-Type: text/plain

Control: forwarded 1102621 https://dev.gnupg.org/T7603
Control: tags 1102621 + patch

On Fri 2025-04-11 19:27:12 +0200, Andreas Metzler wrote:

npth was added in
ce9906b008c94c2aa4ac770a981d1e1e0b8aea47
gpg: First rough implementation of keyboxd access for key lookup.

and libassuan in aba82684fe14289cf62b4694bc398f3a274b4762
gpg: New option --use-keyboxd.

Thanks for the sleuthing here, Andreas. It's definitely useful to know
where these additional dependencies were added. But i don't think gpgv
has any business talking to keyboxd, at least according to its
documentation.

And, in the places where we use gpgv, it would probably be a disaster if
it *did* talk to keyboxd.

It looks like libassuan is present only due to g10/call-keyboxd.c. I've reported that upstream as https://dev.gnupg.org/T7603, and the patch
attached here stubs out those calls for gpgv.

I'm now looking into whether the npth dependency is really needed. it
seems like the only invocations of npth in gpgv are:

- npth_read
- npth_sleep
- npth_usleep

afaict, those are merely collaborative asynchronous wrappers around the standard POSIX calls, which again seem unnecessary for gpgv.

They appear to have been pulled in from common/sysutils.c when built
with pth, which suggests that we just need to link gpgv against a
non-pth libcommon. I'll test further and report back.

--dkg


--=-=-=
Content-Type: text/x-diff
Content-Disposition: inline;
filename=0001-gpgv-Avoid-Assuan-dependency.patch
Content-Transfer-Encoding: quoted-printable

From 10db0bcdabf13adbbd9ffbb34e3b2b8516455ab3 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 11 Apr 2025 16:59:20 -0400
Subject: [PATCH] gpgv: Avoid Assuan dependency

* g10/internal-keydb.c: (new file) stub functions for basic keydb
parsing without talking to keyboxd.
* g10/Makefile.am: gpgv depend on internal-keydb instead of
call-keyboxd

--

This avoids an unnecessary dependency on libassuan in gpgv. Since
gpgv is targeted toward minimal environments, keeping a reduced set of dependencies is beneficial.

GnuPG-Bug-Id: T7603
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/Makefile.am | 11 ++--
g10/internal-keydb.c | 118 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 124 insertions(+), 5 deletions(-)
create mode 100644 g10/internal-keydb.c

diff --git a/g10/Makefile.am b/g10/Makefile.am
index e8d8e9017..dce8e37b9 100644
--- a/g10/Makefile.am
+++ b/g10/Makefile.am
@@ -104,7 +104,6 @@ common_source = \
expand-group.c \
keydb.h \
keydb-private.h \
- call-keyboxd.c \
keydb.c \
keyring.c keyring.h \
seskey.c \
@@ -132,6 +131,7 @@ common_source = \

gpg_sources = server.c \
$(common_source) \
+ call-keyboxd.c \
pkclist.c \
skclist.c \
pubkey-enc.c \
@@ -168,6 +168,7 @@ gpg_SOURCES = gpg.c \

gpgv_SOURCES = gpgv.c \
$(common_source) \
+ internal-keydb.c \
verify.c

LDADD = $(needed_libs) ../common/libgpgrl.a \
@@ -186,21 +187,21 @@ t