GNU bug report logs - #22089
installs packages with bad signatures


Package: emacs

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Thu, 3 Dec 2015 23:11:02 UTC

Severity: important

Found in version 25.0.50

Done: Artur Malabarba <bruce.connor.am <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 22089 in the body.
You can then email your comments to 22089 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Thu, 03 Dec 2015 23:11:02 GMT)

Message #3 received at submit <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: submit <at> debbugs.gnu.org
Subject: installs packages with bad signatures
Date: Thu, 03 Dec 2015 18:10:09 -0500
Package: emacs
Version: 25.0.50
Severity: important

Emacs happily installs packages with bad gpg signatures.
This has been flagged by the test-suite and automated builds for the past
several weeks. (I feel like asking why we even have those things, for
all the attention they seem to get.)

This seems to be the first failure.
http://hydra.nixos.org/build/27800227

Here is the diff from the previous build, with several package changes:
http://hydra.nixos.org/api/scmdiff?type=git&rev2=937565268a5dc3377d4c9bff6d48eb3645a77160&rev1=70f1fda4ae6abb5e11dcf281738c25f6f5b06061&uri=git%3A%2F%2Fgit.sv.gnu.org%2Femacs.git&branch=

Here's a standalone recipe in the emacs-25 branch:

cd test/automated
mkdir /tmp/foo
HOME=/tmp/foo ../../src/emacs -Q
(setq package-archives `(("gnu" . ,(expand-file-name "data/package/signed/"))))
(package-import-keyring "data/package/key.pub")
(package-initialize)
(package-refresh-contents)
(package-install 'signed-bad)

M-x list-packages    ->  signed-bad installed
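
The recipe above as a non-interactive check, added here as an example (it is not part of the original report or of the Emacs test suite). The file name check-signed-bad.el is hypothetical; the script assumes gpg is installed and that /tmp/foo is a fresh, empty directory.

```emacs-lisp
;;; check-signed-bad.el --- added example, not from the Emacs test suite
;; Run from test/automated in an emacs-25 checkout, as in the recipe:
;;   HOME=/tmp/foo ../../src/emacs -Q --batch -l check-signed-bad.el
;; Exit status 0 means the bad signature was rejected, 1 means it was not.

(require 'package)

;; Same archive and keyring as the manual recipe.
(setq package-archives
      `(("gnu" . ,(expand-file-name "data/package/signed/"))))
(package-import-keyring "data/package/key.pub")
(package-initialize)
(package-refresh-contents)

(let ((install-error
       ;; A correct Emacs refuses the package by signalling an error.
       ;; Catch it so the outcome can be inspected instead of aborting.
       (condition-case err
           (progn (package-install 'signed-bad) nil)
         (error err))))
  (cond
   ;; The failure mode from this report: the package ends up installed.
   ((package-installed-p 'signed-bad)
    (message "FAIL: signed-bad was installed despite its bad signature")
    (kill-emacs 1))
   ;; No error and no package: the install did nothing, which is also
   ;; not the expected rejection.
   ((null install-error)
    (message "FAIL: package-install returned without signalling an error")
    (kill-emacs 1))
   (t
    (message "PASS: install refused: %S" install-error)
    (kill-emacs 0))))
```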




Added indication that bug 22089 blocks 19759. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 03 Dec 2015 23:13:02 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Fri, 04 Dec 2015 00:15:03 GMT)

Message #8 received at 22089 <at> debbugs.gnu.org:

From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 22089 <at> debbugs.gnu.org
Subject: Re: bug#22089: installs packages with bad signatures
Date: Fri, 4 Dec 2015 00:14:03 +0000
Thanks for the pointer, Glenn. I clearly messed something up there.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Fri, 04 Dec 2015 08:13:02 GMT)

Message #11 received at 22089 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 22089 <at> debbugs.gnu.org
Subject: Re: bug#22089: installs packages with bad signatures
Date: Fri, 04 Dec 2015 09:12:16 +0100
Glenn Morris <rgm <at> gnu.org> writes:

> Emacs happily installs packages with bad gpg signatures.
> This has been flagged by the test-suite and automated builds for the past
> several weeks. (I feel like asking why we even have those things, for
> all the attention they seem to get.)

Off-topic to this bug, but: hydra status mails to <emacs-buildstatus <at> gnu.org>
were stopped three months ago. Maybe this could be reactivated;
people (like me) check this list.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Fri, 04 Dec 2015 18:44:02 GMT)

Message #14 received at 22089 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 22089 <at> debbugs.gnu.org
Subject: Re: bug#22089: installs packages with bad signatures
Date: Fri, 04 Dec 2015 13:42:47 -0500
Michael Albinus wrote:

> Off-topic to this bug, but: hydra status mails to <emacs-buildstatus <at> gnu.org>
> were stopped three months ago. Maybe this could be reactivated;
> people (like me) check this list.

The place to ask about such things is the hydra-users mailing list.
I've asked about this specific issue several times.
The latest times I asked, I got no reply.
Perhaps they are tired of talking to me (so you could ask instead),
but I assume that for some reason the mail notification feature can't
be fixed and isn't coming back. It's a shame, but personally I just
check the web status page now and then instead.

But if hacking on foo.el, run foo-tests.el (at least) before pushing.
It's not rocket science.
Eg today I see that simple-test is trivially broken by recent changes
in simple.el.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Sat, 05 Dec 2015 11:36:01 GMT)

Message #17 received at 22089 <at> debbugs.gnu.org:

From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 22089 <at> debbugs.gnu.org, Michael Albinus <michael.albinus <at> gmx.de>
Subject: Re: bug#22089: installs packages with bad signatures
Date: Sat, 5 Dec 2015 11:35:04 +0000
2015-12-04 18:42 GMT+00:00 Glenn Morris <rgm <at> gnu.org>:
> But if hacking on foo.el, run foo-tests.el (at least) before pushing.
> It's not rocket science.
> Eg today I see that simple-test is trivially broken by recent changes
> in simple.el.


FWIW, I always run the relevant tests before pushing. For some reason,
that specific test is always skipped on my system if I run it with
`make'. That's why I didn't catch that.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Sat, 05 Dec 2015 19:36:02 GMT)

Message #20 received at 22089 <at> debbugs.gnu.org:

From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 22089 <at> debbugs.gnu.org, Michael Albinus <michael.albinus <at> gmx.de>
Subject: Re: bug#22089: installs packages with bad signatures
Date: Sat, 5 Dec 2015 19:34:46 +0000
I pushed a fix for this today. Now waiting for the hydra build to run.
Is this the correct place to look? http://hydra.nixos.org/build/28513720

2015-12-05 11:35 GMT+00:00 Artur Malabarba <bruce.connor.am <at> gmail.com>:
> 2015-12-04 18:42 GMT+00:00 Glenn Morris <rgm <at> gnu.org>:
>> But if hacking on foo.el, run foo-tests.el (at least) before pushing.
>> It's not rocket science.
>> Eg today I see that simple-test is trivially broken by recent changes
>> in simple.el.
>
>
> FWIW, I always run the relevant tests before pushing. For some reason,
> that specific test is always skipped on my system if I run it with
> `make'. That's why I didn't catch that.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#22089; Package emacs. (Sun, 06 Dec 2015 09:02:02 GMT)

Message #23 received at 22089 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Artur Malabarba <bruce.connor.am <at> gmail.com>
Cc: Glenn Morris <rgm <at> gnu.org>, 22089 <at> debbugs.gnu.org
Subject: Re: bug#22089: installs packages with bad signatures
Date: Sun, 06 Dec 2015 10:01:02 +0100
Artur Malabarba <bruce.connor.am <at> gmail.com> writes:

> I pushed a fix for this today. Now waiting for the hydra build to run.
> Is this the correct place to look? http://hydra.nixos.org/build/28513720

Not really. Start at <http://hydra.nixos.org/jobset/gnu/emacs-25>. There
you see that there is still one failing test.

Follow <red 1> -> coverage -> Logfile: raw

At the end of the file, you see that package-test.log does not fail any
longer. If you perform the same exercise with a previous test run,
package-test.log was still mentioned to fail.

Best regards, Michael.




Reply sent to bruce.connor.am <at> gmail.com:
You have taken responsibility. (Sun, 06 Dec 2015 14:02:02 GMT)

Notification sent to Glenn Morris <rgm <at> gnu.org>:
bug acknowledged by developer. (Sun, 06 Dec 2015 14:02:03 GMT)

Message #28 received at 22089-done <at> debbugs.gnu.org:

From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: Glenn Morris <rgm <at> gnu.org>, 22089-done <at> debbugs.gnu.org
Subject: Re: bug#22089: installs packages with bad signatures
Date: Sun, 6 Dec 2015 14:01:12 +0000
Ok, thanks Michael.
Closing this then.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 04 Jan 2016 12:24:04 GMT)

This bug report was last modified 9 years and 171 days ago.
