From: Michael Weber
Date: Thu, 20 Jun 2013 08:39:50 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] repoman commit unexpectedly drops FEATURES="sign" on error
Message-ID: <51C2A3B6.2000506@gentoo.org>
In-Reply-To: <51C27699.8090600@gentoo.org>

On 06/20/2013 05:27 AM, Zac Medico wrote:
> On 06/19/2013 08:25 PM, Zac Medico wrote:
>> On 06/19/2013 07:59 PM, "Paweł Hajdan, Jr." wrote:
>>> I was surprised by repoman just dropping FEATURES="sign" . I'm aware
>>> that at that time it has to commit an updated Manifest to prevent
>>> breakages, so if gpg fails it proceeds, but is there something it could
>>> do to check gpg sanity before committing anything?
Failing at the password prompt (two chances on regular pinentry) also
results in this behaviour.

>> It seems the simplest way to go would be to do a test signature before
>> commit, as suggested here:
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=298605
>>
>> Is it okay to assume that everyone uses gpg-agent, so they won't have to
>> enter the passphrase more than once?
I have a remote (ssh) test-box to work on the tree, I don't want to
cache my decrypted key there. Having the crypted version there is bad
enough, but GPG_AGENT protocol only exchanges passwords (unlike SSH_AGENT).
GPG_AGENT forwarding over SSH can be done with a general unix domain
socket forwarding hack [1].

> Or, we could skip the test signature if the GPG_AGENT_INFO variable is
> not set?
It's a clue, but the key-cache can be expired and a bad password entry
can still result in failure.

[1] http://25thandclement.com/~william/projects/streamlocal.html

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber
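
A sketch of the test-signature-before-commit check discussed in this thread, added here as an example; it is not repoman's code. The function names, the gpg invocation in default_sign_cmd and the returned messages are assumptions made for illustration.

```python
import os
import subprocess
import sys

MARKER = b"-----BEGIN PGP SIGNATURE-----"

def default_sign_cmd(key_id):
    # Assumed invocation: clearsign stdin to stdout with the given key.
    return ["gpg", "--clearsign", "--local-user", key_id]

def probe_signature(sign_cmd):
    """Sign a throwaway payload; return (ok, reason)."""
    try:
        proc = subprocess.run(sign_cmd, input=b"signing preflight\n",
                              stdout=subprocess.PIPE)
    except FileNotFoundError:
        return False, "signing command not found"
    if proc.returncode != 0:
        # Covers a cancelled or repeatedly mistyped passphrase prompt.
        return False, "signer exited with status %d" % proc.returncode
    if MARKER not in proc.stdout:
        return False, "signer produced no signature"
    return True, "ok"

def preflight(features, sign_cmd, environ=None):
    """Run before the first commit; (False, why) means stop here."""
    environ = os.environ if environ is None else environ
    if "sign" not in features.split():
        return True, "signing not requested"
    # GPG_AGENT_INFO is recorded as a hint only: the agent's cache may have
    # expired, so the probe runs whether or not the variable is set.
    hint = "agent advertised" if environ.get("GPG_AGENT_INFO") else "no agent advertised"
    ok, reason = probe_signature(sign_cmd)
    return ok, "%s (%s)" % (reason, hint)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py KEY_ID")
    ok, why = preflight(os.environ.get("FEATURES", ""), default_sign_cmd(sys.argv[1]))
    sys.exit(0 if ok else "not committing: " + why)
```

Because the probe runs before anything is committed, a failed passphrase prompt stops the run while the tree is still untouched, instead of leaving an unsigned Manifest behind.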