Build install kernel & Client with verifiable repos

George {Skip} F VerDuin gfv2014 at charter.net
Mon Oct 19 22:19:17 CEST 2015


Thanks for your review Thomas.
I'll keep pursuing the key issue until success...

On 10/19/2015 08:53 AM, Thomas Lange wrote:
> Mmm, it should be working as I understand apt-key. You can put the key 
> in a file into /etc/fai/apt/keys/*.asc then this will be loaded via 
> apt-key add when building the nfsroot.
I now see the spot in task_repository where *.asc is loaded by apt-key.  
It escaped my notice earlier when I loaded .../apt/trusted.gpg.d/fai.gpg 
directly from web access using wget.

May I suggest an addition to the process?  On line 1021 is
"...| $ROOTCMD apt-key add -" (see the excerpt copied below).  Please consider 
moving the added key keyring from .../apt/trusted.gpg to 
.../apt/trusted.gpg.d/$keyfile.asc.gpg or something like that.  Add the 
--keyring parameter making the statement something like:
     "...| $ROOTCMD apt-key --keyring .../apt/trusted.gpg.d/$keyfile.asc.gpg add -"

Lines 1017 thru 1023 of subroutines showing a part of task_repository 
follow:
     # add apt keys for all classes
     for keyfile in ${classes:-}; do
         [ ! -f $FAI/package_config/$keyfile.asc ] && continue
         echo -n "Loading APT key from $keyfile.asc "
         cat $FAI/package_config/$keyfile.asc | $ROOTCMD apt-key add -
         unset keys["$keyfile.asc"]
     done

"why" I suggest it does relate to only my standard practice of using the 
"something.d/..." directory for my local adjustment to the /etc/... 
database if the feature is designed into the configuration by the 
author.  In the case of apt, I do prefer leaving /trusted.gpg and 
/sources.list files alone when adding things.  For special repos, I do 
like to install both .../apt/sources.list.d/name.list and 
.../apt/trusted.gpg.d/name.gpg from the web.   BUT again -- it is only 
me / not many.

On a similar subject:  I have become fairly happy using a proxy instead 
of a local mirror for FAI work.  My selection is apt-cacher-NG.  To 
configure apt for the proxy requires something like 
.../apt/apt.conf.d/02proxy (similar to your .../apt/apt.conf.d/10fai).  
If you agree with me, a new variable containing the IP:PORT might be 
enough to allow task_repository to create 02proxy file.  It fits at the 
end where mount_mirror is found -- a three-way option 
[mirror--proxy--nothing]?
Quite frankly this is beyond my ability to program when considering the 
impact on all the other options of FAI that I do not use.

> I will also add code into fai-make-nfsroot, that adds the official key 
> of the fai-project repository into the nfsroot by default. 
I do hope you mean to add both source and key?  If not, then I would 
argue that your presentation on the wiki download page is very adequate 
to the task of adding the project repo as an optional source.  It 
would be _perfect_ if the "deb ..." was directed to a .d/fai.list file 
and apt-key included the --keyring to the .d/fai.gpg file...:-)  
(humor)  AND I believe I could modify the wiki page to get the idea 
published if you want.

I noticed something else in task_repository for 02fai file.  The 
subroutine does create 02fai, but does not delete it when the file is 
present and the "if [...]" test fails.  Does the "-f" or "-k" option 
work OK without the "else delete" clause in task_repository? I have not 
tested.  I do know a fresh install works OK.

Thanks again for your review this morning!
Skip
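
The proxy variable proposed in the message above, combined with the "else delete" clause it asks about, could look like the following. This is an added example, not part of the original message and not FAI code; the function name `write_apt_proxy`, its arguments and the sample address in the comments are assumptions. It covers the proxy and nothing branches of the three-way option.

```shell
#!/bin/sh
# Added example, not FAI code. write_apt_proxy is a hypothetical helper.
#
# write_apt_proxy ROOT [HOST:PORT]
#   ROOT       install target root (constructed sample: /target)
#   HOST:PORT  proxy such as 192.168.1.10:3142 (constructed sample)
# Writes ROOT/etc/apt/apt.conf.d/02proxy when a proxy is given and removes a
# stale copy when it is not, so a re-run without the setting does not keep
# sending apt traffic through an old cache.
write_apt_proxy() {
    root=$1
    proxy=${2:-}
    conf="$root/etc/apt/apt.conf.d/02proxy"

    if [ -z "$proxy" ]; then
        rm -f "$conf"          # the "else delete" branch
        return 0
    fi

    # Accept exactly one HOST:PORT built from safe characters. Quotes,
    # semicolons, spaces or newlines would let the value add extra
    # apt.conf directives to the file. IPv6 literals are not handled.
    case $proxy in
        *[!A-Za-z0-9.:-]*|*:*:*|*:|:*)
            echo "rejecting proxy value: $proxy" >&2; return 1 ;;
        *:*) ;;
        *)  echo "proxy value needs HOST:PORT: $proxy" >&2; return 1 ;;
    esac
    port=${proxy##*:}
    case $port in
        *[!0-9]*) echo "port is not numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi

    mkdir -p "$root/etc/apt/apt.conf.d" || return 1
    # Write to a temporary name and rename, so apt never reads a partial file.
    tmp="$conf.tmp.$$"
    printf 'Acquire::http::Proxy "http://%s";\n' "$proxy" > "$tmp" || return 1
    mv "$tmp" "$conf"
}
```
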