dkgfiddling with the innards of GNUPGHOME is pretty much a guaranteed way to make your test suite brittle across GnuPG upgrades00:00
dkgGnuPG upstream is pretty bad about the fuzzy line between what's expected for machine use, and what bits are stable, on-disk representation00:00
cjwatsonOK, the GNUPGHOME removal thing only works from GnuPG 2.1.22 onward00:00
cjwatsonSo if we upgrade to 2 before upgrading to bionic then we'll need the gpgconf trick00:01
dkgbut the general rule of thumb is that aside from the *.conf files, you probably shouldn't expect *anything* in the GNUPGHOME to be stable.00:01
dkgyou'll need to do it for the test suite, i guess.  i don't know enough about the deployed architecture to know whether you'll "need" it in production.00:02
cjwatsonI realise we only got away with this because GnuPG 1.x didn't change a whole lot00:02
cjwatsonThe state resetting business is only used in tests00:03
dkglike i said, GnuPG upstream has been pretty bad at defining a stable API00:03
dkgthe reason 1.x didn't change a whole lot is that it doesn't see much attention from any developers :(00:03
cjwatsonThough it's possible we might need to make a slight adjustment for production; we do remove GNUPGHOME but on xenial we would need to explicitly kill agents or else they'll pile up indefinitely00:03
cjwatsonThere are some situations where we run gpg as part of frequent cron jobs (e.g. verifying uploads) and a gpg-agent process pileup would become a problem00:04
dkgit only piles up if you have multiple homedirs00:04
cjwatsonEach one creates a temporary homedir00:04
dkgif you have a single homedir that you use persistently then there's just one process00:04
dkgagain, verifying uploads is *not* a secret key operation00:05
cjwatsonWell OK, signing Release files then00:05
cjwatsonThat's also a cron job with similar properties00:05
dkggotcha -- not sure why it needs a temporary homedir, but then i definitely don't understand the system architecture00:06
dkg(fwiw, if you're manually handling all these invocations instead of using gpgme (or its python bindings, python3-gpg), i recommend sticking exclusively with gpgv for all tasks that involve signature verification)00:07
cjwatsonIt was a decision from well before my time, but I suspect we wanted to avoid the generic handler code piling up an unboundedly large number of public key files on disk as it verifies stuff00:07
cjwatsonAt the moment we use gpgme00:07
dkgmakes sense -- that's the one API that the GnuPG team has committed to (as idiosyncratic as it is)00:08
cjwatsonVia the older pygpgme.  I'd like to switch to python-gpg but haven't got to it yet00:08
dkgoh, pygpgme is not from upstream, i don't think.00:08
dkgnone of those bindings are particularly pythonic, but the latest stuff from upstream has a bit more of a pythonic wrapper around it00:09
cjwatsonIt was written by a Canonical employee00:09
dkgi'm still annoyed that python-gpg is using swig, which i think is basically a disaster, sigh :/00:09
cjwatsonAlthough the last two commits are from Werner00:09
cjwatsonAnyway, I know pygpgme is unmaintained, but bear in mind this code has been around for about three times as long as python-gpg has existed :)00:14
cjwatsonSo one option is possibly to just get the codebase working with 2.x as an option but then keep forcing 1.x until we have a chance to organise a bionic upgrade00:16
cjwatsonUnless xenial's can be made minimally acceptable00:17
cjwatsonWe *can* do independent backports for LP production, but I'm very reluctant to do that because it means we have to track security updates ourselves and we aren't super-good at that00:20
dkgi'd love to see xenial's GnuPG 2.1.x situation cleaned up, but i don't have the bandwidth to do it myself.  there are several unaddressed issues with the version there :/00:20
=== Eickmeyer[m] is now known as eickmeyer[m]
=== eickmeyer[m] is now known as Eickmeyer[m]
=== Eickmeyer[m] is now known as eickmeyer[m]
=== eickmeyer[m] is now known as Eickmeyer[m]
=== tomreyn_ is now known as tomreyn

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!