Open fepitre opened 3 years ago
@lukpueh if you agree, I'm ok to be assigned to it of course :)
This is very much appreciated, @fepitre, especially if you volunteer to work on it! :P
IIRC I wanted to send messages with 1xx (informational) status code from the intoto transport to apt, in order to have apt present the message nicely to the user, but I think it did not work as expected.
So for a live demo at MiniDebConf, I ended up formatting/highlighting the Python log messages (see https://github.com/in-toto/apt-transport-in-toto/pull/25/commits/660f6227b16f7773b48003c435f9e4c2dc17ea78), which is rather quick and dirty.
I file this issue as a TODO. When fetching in-toto metadata of an unreproducible package, the APT output does not look very user friendly:
The configuration and root.layout used can be found in https://github.com/fepitre/package-rebuilder#configure-apt-transport-in-toto. For this package, bash, the corresponding rebuild log shows that checksums comparison failed with the original. The produced metadata can be found in https://debian.notset.fr/rebuild/sources/bash/5.1-2%2Bb1/.
We would need to figure out the best way to present a failing in-toto test with respect to a failure because of no metadata at all, e.g.:
Unrelated remark: we have made a policy choice to not fail on checksums verification because that would help the user to identify a package being unreproducible/possibly having an issue.