GNU bug report logs - #30109
[core-updates] shishi 1.0.2 not reproducible


Package: guix

Reported by: Gábor Boskovits <boskovits <at> gmail.com>

Date: Sun, 14 Jan 2018 11:30:01 UTC

Severity: normal

Done: Danny Milosavljevic <dannym <at> scratchpost.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#30109; Package guix. (Sun, 14 Jan 2018 11:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gábor Boskovits <boskovits <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 14 Jan 2018 11:30:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Gábor Boskovits <boskovits <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: [core-updates] shishi 1.0.2 not reproducible
Date: Sun, 14 Jan 2018 12:29:33 +0100
It seems that the shishi build generates keys which end up in the store,
making the build unreproducible. Can the key generation be extracted from
the build?

If yes, then are we able to do the following: use a reproducible substitute
without the key, generate the key afterwards, and store it somewhere else.

diffoscope output attached.
[diffoscope-shishi (application/octet-stream, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#30109; Package guix. (Mon, 04 Mar 2019 11:47:01 GMT) Full text and rfc822 format available.

Message #8 received at 30109 <at> debbugs.gnu.org (full text, mbox):

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: 30109 <at> debbugs.gnu.org
Cc: Danny Milosavljevic <dannym <at> scratchpost.org>
Subject: [PATCH] gnu: shishi: Make shishi keys and database
 administrator-modifiable.
Date: Mon,  4 Mar 2019 12:45:59 +0100
Fixes <https://bugs.gnu.org/30109>.

* gnu/packages/kerberos.scm (shishi)[arguments]<#:configure-flags>:
Add --with-key-dir, --with-db-dir.
<#:phases>[disable-automatic-key-generation]: New phase.
---
 gnu/packages/kerberos.scm | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 873f5d8a3..9cfe95f4e 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -116,9 +116,19 @@ cryptography.")
     (build-system gnu-build-system)
     (arguments
      '(;; This is required since we patch some of the build scripts.
-       ;; Remove for the next Shishi release after 1.0.2 or when
-       ;; removing 'shishi-fix-libgcrypt-detection.patch'.
-       #:configure-flags '("ac_cv_libgcrypt=yes" "--disable-static")))
+       ;; Remove first two items for the next Shishi release after 1.0.2 or
+       ;; when removing 'shishi-fix-libgcrypt-detection.patch'.
+       #:configure-flags
+       '("ac_cv_libgcrypt=yes" "--disable-static"
+         "--with-key-dir=/etc/shishi" "--with-db-dir=/var/shishi")
+       #:phases
+       (modify-phases %standard-phases
+        (add-after 'configure 'disable-automatic-key-generation
+          (lambda* (#:key outputs #:allow-other-keys)
+            (substitute* "Makefile"
+             (("^install-data-hook:")
+              "install-data-hook:\nx:\n"))
+            #t)))))
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs
      `(("gnutls" ,gnutls)
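Review bot: the `disable-automatic-key-generation` phase needs a comment explaining the `"install-data-hook:\nx:\n"` replacement. It works by leaving `install-data-hook` with an empty recipe and reattaching the recipe lines that follow it to a dummy target `x`, which is not obvious from the substitution alone. Say that in a comment, together with the reason (the generated keys ending up in the store is what bug 30109 reports), and consider a more descriptive name than `x` for the dummy target. The lambda also binds `outputs` through `#:key` without using it; `(lambda _ ...)` would be enough.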
@@ -132,7 +142,10 @@ cryptography.")
     (description
      "GNU Shishi is a free implementation of the Kerberos 5 network security
 system.  It is used to allow non-secure network nodes to communicate in a
-secure manner through client-server mutual authentication via tickets.")
+secure manner through client-server mutual authentication via tickets.
+
+After installation, the system administrator should generate keys using
+@code{shisa -a /etc/shishi/shishi.keys}.")
     (license license:gpl3+)))
 
 (define-public heimdal
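Review bot: the sentence added to the description gives the `shisa -a /etc/shishi/shishi.keys` command but not the reason for it, so a reader of the description cannot tell that keys are no longer generated during installation. State that explicitly, and mention the database directory as well: the first hunk sets both `--with-key-dir=/etc/shishi` and `--with-db-dir=/var/shishi`, while only the key path appears here. Since the file holds key material, a short remark that the administrator should restrict access to it would also fit.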




Information forwarded to bug-guix <at> gnu.org:
bug#30109; Package guix. (Thu, 18 Apr 2019 23:07:01 GMT) Full text and rfc822 format available.

Message #11 received at 30109 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Danny Milosavljevic <dannym <at> scratchpost.org>
Cc: 30109 <at> debbugs.gnu.org
Subject: Re: bug#30109: [PATCH] gnu: shishi: Make shishi keys and database
 administrator-modifiable.
Date: Thu, 18 Apr 2019 19:06:38 -0400
Hello Danny!

Danny Milosavljevic <dannym <at> scratchpost.org> writes:

> Fixes <https://bugs.gnu.org/30109>.
>
> * gnu/packages/kerberos.scm (shishi)[arguments]<#:configure-flags>:
> Add --with-key-dir, --with-db-dir.
> <#:phases>[disable-automatic-key-generation]: New phase.
> ---
>  gnu/packages/kerberos.scm | 21 +++++++++++++++++----
>  1 file changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 873f5d8a3..9cfe95f4e 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -116,9 +116,19 @@ cryptography.")
>      (build-system gnu-build-system)
>      (arguments
>       '(;; This is required since we patch some of the build scripts.
> -       ;; Remove for the next Shishi release after 1.0.2 or when
> -       ;; removing 'shishi-fix-libgcrypt-detection.patch'.
> -       #:configure-flags '("ac_cv_libgcrypt=yes" "--disable-static")))
> +       ;; Remove first two items for the next Shishi release after 1.0.2 or
> +       ;; when removing 'shishi-fix-libgcrypt-detection.patch'.
> +       #:configure-flags
> +       '("ac_cv_libgcrypt=yes" "--disable-static"
> +         "--with-key-dir=/etc/shishi" "--with-db-dir=/var/shishi")
> +       #:phases
> +       (modify-phases %standard-phases
> +        (add-after 'configure 'disable-automatic-key-generation
> +          (lambda* (#:key outputs #:allow-other-keys)
> +            (substitute* "Makefile"
> +             (("^install-data-hook:")
> +              "install-data-hook:\nx:\n"))
> +            #t)))))
>      (native-inputs `(("pkg-config" ,pkg-config)))
>      (inputs
>       `(("gnutls" ,gnutls)
> @@ -132,7 +142,10 @@ cryptography.")
>      (description
>       "GNU Shishi is a free implementation of the Kerberos 5 network security
>  system.  It is used to allow non-secure network nodes to communicate in a
> -secure manner through client-server mutual authentication via tickets.")
> +secure manner through client-server mutual authentication via tickets.
> +
> +After installation, the system administrator should generate keys using
> +@code{shisa -a /etc/shishi/shishi.keys}.")
>      (license license:gpl3+)))
>  
>  (define-public heimdal

I've applied and tried your proposed fix, and it made shishi
reproducible; so LGTM!  Could you apply your fix to core-updates?

Thank you!

Maxim




Reply sent to Danny Milosavljevic <dannym <at> scratchpost.org>:
You have taken responsibility. (Sat, 20 Apr 2019 15:20:02 GMT) Full text and rfc822 format available.

Notification sent to Gábor Boskovits <boskovits <at> gmail.com>:
bug acknowledged by developer. (Sat, 20 Apr 2019 15:20:02 GMT) Full text and rfc822 format available.

Message #16 received at 30109-done <at> debbugs.gnu.org (full text, mbox):

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 30109-done <at> debbugs.gnu.org
Subject: Re: bug#30109: [PATCH] gnu: shishi: Make shishi keys and database
 administrator-modifiable.
Date: Sat, 20 Apr 2019 17:19:31 +0200
Hi Maxim,

> I've applied and tried your proposed fix, and it made shishi
> reproducible; so LGTM!  Could you apply your fix to core-updates?

Thanks for the test!

I've pushed the fix to core-updates.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 19 May 2019 11:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 315 days ago.
