in-toto / apt-transport-in-toto

in-toto transport for apt

Debian #27

Closed fepitre closed 3 years ago

fepitre commented 3 years ago

I've updated the code with respect to the latest in-toto Python lib and also reformatted the code a little bit with PEP8.

lukpueh commented 3 years ago

Many thanks for the patch, @fepitre! Would you mind removing the reformat-to-PEP8 commit from this PR? It would make review easier. We should talk about re-formatting and above all re-indenting all the code in a separate PR.

fepitre commented 3 years ago

@lukpueh yes, I've done it. After looking again at the whole diff, it was not clear at all. Now it should be better :)

fepitre commented 3 years ago

@lukpueh it seems Travis has not updated the current PR status with the latest build. You should check the failing one on https://github.com/in-toto/apt-transport-in-toto/pull/27/commits/2a7131dd52abdc555b45ef09095ceddabd3c662f.

lukpueh commented 3 years ago

Looks like our security linter bandit chokes on subprocess.Popen. Would you like to look into that?

fepitre commented 3 years ago

Looks like our security linter bandit chokes on subprocess.Popen. Would you like to look into that?

Sure.

fepitre commented 3 years ago

@lukpueh according to the comment https://github.com/PyCQA/bandit/issues/333#issuecomment-404103697, it looks like we need to decide whether or not the input is trusted, which in this case is fine. I simply silenced the check on the subprocess call. As I don't know bandit that much, I don't have a better fix to propose.
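
The pattern discussed above, as an added example that is not code from apt-transport-in-toto or from either participant: a `subprocess.Popen` call whose argument list is assembled from trusted constants, with the conditions that justify suppressing bandit's finding enforced in code rather than only asserted in a comment. The function name `run_trusted`, the constant `TRUSTED_PYTHON` and the rule id `B603` (bandit's "subprocess without shell=True" check) are this example's own choices; the page itself only says the check was silenced.

```python
import os
import subprocess
import sys

# Constructed example (not the project's code). The interpreter path is the
# only "external" value used, and it is taken from the running process, not
# from user input.
TRUSTED_PYTHON = sys.executable


def run_trusted(argv, timeout=30):
    """Run argv (a list of strings) without a shell and return
    (returncode, stdout, stderr), with the streams decoded as text.

    The checks below encode the assumptions that make the nosec marker
    defensible: the command is an explicit argv list (no shell parsing), every
    element is a str, and the executable is an absolute path, so a modified
    PATH cannot redirect which binary is executed.
    """
    if not isinstance(argv, (list, tuple)) or not argv:
        raise ValueError("argv must be a non-empty list of strings")
    if not all(isinstance(a, str) for a in argv):
        raise ValueError("every argv element must be a str")
    if not os.path.isabs(argv[0]):
        raise ValueError("executable must be given as an absolute path")

    # shell=False is already the default; it is written out so a reader (and
    # bandit's shell=True rule) can see that no shell is involved. The B603
    # finding is suppressed because argv is built by the caller from constants.
    proc = subprocess.Popen(  # nosec B603
        list(argv),
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        shell=False,
    )
    try:
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        # Never leave a hung child behind: kill it and reap it before re-raising.
        proc.kill()
        proc.communicate()
        raise
    return proc.returncode, out.decode(), err.decode()


def python_major_version():
    """Example caller: argv consists entirely of constants plus sys.executable."""
    code, out, _ = run_trusted(
        [TRUSTED_PYTHON, "-c", "import sys; print(sys.version_info[0])"]
    )
    return code, out.strip()


if __name__ == "__main__":
    print(python_major_version())
```

The point of the three `ValueError` guards is that the justification written next to `# nosec` stays true as the code evolves: a later change that passes a string (which `Popen` would hand to the OS as a single program name) or a bare command name is rejected before the call is made, instead of silently widening what the suppressed check was meant to catch.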

lukpueh commented 3 years ago

Thanks for checking, @fepitre. I can take a look at this after the winter break early next year. At any rate, your reviving this repo is very much appreciated! :)

fepitre commented 3 years ago

@lukpueh did you have time to have a look at that? BTW, what is the status of the package in Debian?

fepitre commented 3 years ago

@lukpueh FYI, I can take care of sending it to mentors if you want. Ideally it would be awesome to have it for bullseye, but we need to hurry before the submission deadline (~mid Feb. if I remember correctly).

lukpueh commented 3 years ago

@lukpueh did you have time to have a look at that? BTW, what is the status of the package in Debian?

Not yet. I'll make it a priority this week! Getting into bullseye would be awesome (freeze is Feb 12). The good news is the latest in-toto upstream release (v1.0.0) is already in unstable as of last Friday. :)

fepitre commented 3 years ago

@lukpueh FYI I'm fixing tests in test_intoto.py and will update the Debian standards.

lukpueh commented 3 years ago

@lukpueh FYI I'm fixing tests in test_intoto.py and will update the Debian standards.

Thanks! Given that you are PRing against the debian branch, I suppose you are aware of #26 and the TODO notes regarding Debian packaging I made there?

fepitre commented 3 years ago

@lukpueh FYI I'm fixing tests in test_intoto.py and will update the Debian standards.

Thanks! Given that you are PRing against the debian branch, I suppose you are aware of #26 and the TODO notes regarding Debian packaging I made there?

Just read that properly. BTW, I think that the current commits in this PR can be cherry-picked into the main branch up to the latest "debian: update ...". Would you like me to do something in particular?

lukpueh commented 3 years ago

Would you like me to do something in particular?

I would highly appreciate if you could take a look at 91af874 and let me know if the fix seems reasonable enough for an initial Debian release. The commit message and code comments should give some context.

Also it would be great if we could fix the tests so that they also work on Travis.

lukpueh commented 3 years ago

🎉 Thanks for fixing the CI builds, @fepitre!

fepitre commented 3 years ago

@lukpueh There was a weird issue with python3.8, as if it was using a cache (certainly, in fact), but I think, as we discussed with Holger, there's no need to bother with python3.8 as bullseye is 3.9 already. OK with that?

fepitre commented 3 years ago

@lukpueh for your BrokenPipe issue, it looks like what we need to do in C to catch signals, so I would say that as a first approach it looks fine. We could think about improvements later in unstable, I guess. Also, I've not encountered it.

fepitre commented 3 years ago

@lukpueh another bit of info: https://github.com/fepitre/qubes-rebuilder#check-rebuild-proofs-before-installing-packages-apt-transport-in-toto currently in testing for production!

lukpueh commented 3 years ago

Just looking through the combined diff of #26 and #27. @h01ger told me that we'd need to upload one of these days to get into bullseye.

fepitre commented 3 years ago

Just looking through the combined diff of #26 and #27. @h01ger told me that we'd need to upload one of these days to get into bullseye.

From my side, I can confirm that this current version in this PR is working great on bullseye.

h01ger commented 3 years ago

On Mon, Jan 25, 2021 at 08:00:56AM -0800, lukpueh wrote:

Just looking through the combined diff of #26 and #27. @h01ger told me that we'd need to upload one of these days to get into bullseye.

https://release.debian.org/bullseye/freeze_policy.html

basically means we need to upload in January: it has to pass NEW before February 1st, so that I can do a -2 upload which then will migrate to bullseye 10 days later, which must be before/on February 12th at the latest.

Problems are a.) there is an arbitrary delay between upload and passing NEW and b.) it's not guaranteed to pass NEW on first try ;)

-- cheers, Holger

holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

"There's no glory in prevention." (Christian Drosten)

lukpueh commented 3 years ago

Thanks for the heads-up, @h01ger! I'll go ahead and upload what we have to mentors. Let's discuss the missing piece on https://github.com/in-toto/apt-transport-in-toto/pull/26.