#733029 dpkg-buildpackage: disable signing by default (-us -uc should be the default)

#733029#5
Date:
2013-12-24 07:14:22 UTC
From:
To:
Please disable signing by default. Generally the right thing to do for
most dpkg-dev users is to have dpkg-buildpackage *not* auto-sign
anything. Almost all dpkg-dev users (except buildds) should test and
check the package *before* signing and uploading the package. We have a
volunteer for adjusting the buildds (in CC) if needed and I volunteer to
adjust any documentation outside of dpkg-dev that needs changing.

#733029#10
Date:
2013-12-30 11:27:29 UTC
From:
To:
Hi!

[ CCing debian-devel to get input from possibly afftected users. ]

The difference between this request and the one about not signing
UNRELEASED builds, is that this one has way greater user impact, and
the latter is supposedly not meant to be signed (in the general case)
anyway.

I guess it's probably a good idea to switch the default, becuse I
assume most maintainers do more test builds than final ones. Or users
who either don't have gpg installed or don't have a gpg key. Although
with the current no-signing-UNRELEASED behaviour, the need for -us -uc
should have dropped in many cases.

In any case, this is about the tool best global default, irrespective of
any future possibility of setting local defaults through a configuration
file or similar.

If most people agree this would be an improvement, and not just an
annoyance, I'm happy to do the change. But there's few things that I'd
want to tackle first:

 * signing would get rafactored into a new program so that users do
   not need to manually mangle the .changes file, rebuild or require
   devscripts for something that was possible out-of-the-box.
 * (possibly) new options would get added to specify signing, although
   there's --force-sign since 1.17.0, which could be used already on
   the buildds.
 * (possibly) wait for a grace period with warnings and the above
   available so that users can switch scripts/programs gracefully,
   before the flag day.

Thanks,
Guillem

#733029#13
Date:
2013-12-30 18:00:55 UTC
From:
To:
* Guillem Jover <guillem@debian.org>, 2013-12-30, 12:27:

ACK
[...]

I took a look at a random build log[0], and it looks like buildds don't
use dpkg-buildpackage for signing, but debsign. (It would be nice if
someone from the wb-team could confirm that this is the case.)


[0] https://buildd.debian.org/status/fetch.php?pkg=dpkg&arch=i386&ver=1.17.5&stamp=1386841160

#733029#18
Date:
2013-12-30 18:23:16 UTC
From:
To:
And also, it should be friendly to non-maintainers who are just trying
to rebuild the package grabbed from Debian. The assumption that the
builder is the maintainer is inadequate to start with.

So I'm in favor of a transition. I also agree that it makes sense to
add a dedicated signing tool in dpkg-dev (merging debsign as dpkg-sign?)
and that this change should dealt together with a general revamp of
dpkg-buildpackage.

Cheers,

#733029#23
Date:
2014-01-02 09:24:55 UTC
From:
To:
I chose to read that as "debsign will move from devscripts to src:dpkg"
and felt happier. I actually don't care if debsign is reimplemented, but
I'd prefer if the Debian package development brain space was not further
complicated with more command line tools to learn[1], so I suggest that
the existing name and arguments are preserved.

[1] or ignore

#733029#28
Date:
2014-01-02 10:03:04 UTC
From:
To:
Hi!

I'd feel very uncomfortable doing that, because it would mean, at least:

 * introducing a core dpkg tool within a different namespace
 * having to parse a devscripts specific configuration file
 * having to support DAK specific .commands signing
 * having to support remote signing

IMO having debsign become a thiner wrapper around this new tool would
be the goal, as it would simplify its code, people not wanting to use
debsign could use the dpkg tool directly, and people not wanting to
learn new stuff could keep using the wrapper w/o regressions.

Thanks,
Guillem

#733029#33
Date:
2014-01-02 17:22:33 UTC
From:
To:
You raise some very valid points and §I appreciate your concerns and
perhaps should rephrase my request so that I'm suggesting subsuming the
most common used features of debsign and perhaps as part of a staged
migration (compat symlink to debsign binary name in the phase 1, real
name dpkg-sign or whatever), to try and avoid further complicating the
debian package development universe.

So dpkg-sign (or dpkg sign if you ever decided to move to internal
namespacing, which seems to be fashionable) with a compatibility symlink
to debsign would resolve this one,

That's more awkward, I'd agree, but you could support the command-line
arguments without supporting the devscripts configuration file. It could
be confusing for those who have relied upon it, though. A more
considered migration would be necessary.

That could be awkward, although the format is very similar (if not
identical) to debian/control and only one header is of interest. I
imagine most people use dcut/dput nowadays[1]

It would be fair enough to stderr "not supported, please use the older
tool in devscripts" and error 1 if such an argument was provided. That
would be pragmatic if (as I suspect) -r is rarely used.
package development tools would continue to grow, meaning people would
use the non-recommended tool if they did not know better (or relied on
documentation which had not been updated).

[1] haven't checked whether they, in turn, rely on debsign.

#733029#38
Date:
2014-01-02 17:38:40 UTC
From:
To:
On the sbuild/buildd side, we have run dpkg-buildpackage with
"-us -uc" by default for years.  If you do enable signing, as is
the case for buildd uploads, we run debsign explicitly after
dpkg-buildpackage completed.  This avoids any need for GPG keys
to be present in the build chroot.  So from the POV of making
"-us -uc" the default, I think that's a good plan and matches
the requirements of the majority of both manual and automated
builds.  And from the POV of having a replacement for debsign,
we can conditionally switch to using it as soon as it becomes
available.


Regards,
Roger

#733029#43
Date:
2014-01-02 19:05:34 UTC
From:
To:
Roger Leigh writes ("Re: Bug#733029: dpkg-buildpackage: disable signing by default (-us -uc should be the default)"):

Likewise dgit, which does the signing only in "dgit push".  It does it
by itself without the use of debsign or anything from dpkg-dev.

I have no objection to the proposed change to dpkg-buildpackage, or
the moving of functionality from devscripts.

I do of course want debsign's command line interface and functionality
to continue to work in its entirity.  But I also need the arrangements
for making the signature remain part of the defined interface, so that
dgit keeps working: i.e. even if this functionality becomes part of
dpkg-dev, its use should not be mandatory.

Thanks,
Ian.

#733029#48
Date:
2014-01-04 17:54:05 UTC
From:
To:
Hi Jonathan (2014.01.02_19:22:33_+0200)

Aww. I'm a frequent user of -r.
I have better places to build big packages than on my lap, and I prefer
to keep my GPG key in as few places as possible.

But of course, this could be replaced by a new remote signing wrapper.
And, if popular enough, end up in devscripts...

SR

#733029#53
Date:
2014-01-05 10:58:07 UTC
From:
To:
Le samedi, 4 janvier 2014, 19.54:05 Stefano Rivera a écrit :

I concur. I build my packages on a server's sbuild and then debsign -r
from my laptop, then dput from the server.

Please keep this workflow possible with in-archive tools.

Cheers,
OdyX

#733029#58
Date:
2014-01-05 13:24:27 UTC
From:
To:
Indeed, my case here too. -r is crucial for my workflow :-/
#733029#63
Date:
2014-01-05 14:09:14 UTC
From:
To:
(Obviously, assuming devscripts maintainers would agree, I was just
inferring from previous interactions regarding debuild for example; in
any case what happens with debsign would be their decision entirely.)

Honestly, I've been struggling a bit trying to understand this concern,
because to me that reads as suggesting no new features, command-line
options or tools should be added (to dpkg or devscripts or similar
packages), to avoid increasing the packaging tools surface area, when
in this case usage of this tool would be completely optional, and might
make life easier for some people. I don't see either the problem of using
one or the other, or one being more recommended than the other. If a new
tool would get added to dpkg every second week, then I could see it, but
not with the current pace.

If it was just a “hey, please consider creating a single interfaces that
can cover all current usages, and drop the old one if possible”, sure
I'm all for integrating back stuff that has been developed or prototyped
elsewhere, and trying to end up with a single interface by deprecating
the old interface if necessary. In this case though, I think debsign
(and debuild, and other similar wrappers) add value, and have features
that I don't see fit in dpkg proper, or might serve as future playground
to try out new stuff that could get merged back too. So in this case I
don't see its deprecation as desirable (but again that's something for
the devscripts maintainers to decide).

They do, as well as many tools that need to control the signing
process, some mentioned in this thread.

Thanks,
Guillem

#733029#68
Date:
2014-01-08 22:51:52 UTC
From:
To:
Am Sonntag, den 05.01.2014, 15:09 +0100 schrieb Guillem Jover:

I agree with this proposal. It can become a thin wrapper around the new
tool (assuming someone does the work). Then it can either fade away (if
the new tool can replace it completely) or stay forever (like debuild)
if it provides additional features.

#733029#73
Date:
2023-02-01 20:42:21 UTC
From:
To:
Yes, please. The default signing just leads to error messages…
and we nowadays upload source-only anyway, so no builds should
be signed by default, only those explicitly created to publish.