Hide Forgot
Description of problem: The 2.33-1 update to debmirror breaks syncing DEB repos with gpg signature verification enabled. Version-Release number of selected component (if applicable): 2.33-1.el7 How reproducible: Update debmirror from 2.32-1 to 2.33-1 and attempt to sync a DEB repo with signature verification enabled. Steps to Reproduce: 1. Update debmirror to 2.33-1 2. Sync DEB mirror with GPG signature verification turned on. Actual results: debmirror reports an error with the message: gpgv: invalid option "--output" .temp/.tmp/dists/xenial/Release.gpg signature does not verify. Expected results: The repo syncs without errors. Wordaround: Downgrade debmirror from 2.33 to 2.32. Additional info: This appears to be happening because the version of GPG in CentOS 7, 2.0.22, does not have the "--output" option. Line 2255 in debmirror 2.33 is: my @gpgv = qw(gpgv --output - --status-fd); The gpgv call in debmirror 2.32 is made on line 2160 and does not contain the "--output" option: my @gpgv = qw(gpgv --status-fd 1); Rebasing GPG2 for CentOS/RHEL 7 to a newer 2.2.x release would resolve this issue but it's probably easier to back the change out of debmirror.
Sorry, I meant 2.30-1 not 2.32-1 in the above comment.
Thank you for the report use mean just remove "--output -" fixes the problem ?
I'm not sure that just removing "--output -" would resolve the issue. It appears the code changes between 2.30 and 2.33 added lines to dynamically change the "--status-fd" FD number at runtime. The code appears to check the gpgv STDOUT for a good signature message. If --status-fd isn't 1 or 2 the Perl code may not get the gpgv command output to check. I'm guessing that "--output -" was added so the output is always sent to STDOUT and other messages can be sent to other FD descriptors with the dynamic "--status-fd" FD option. The code change for this functionality was done in commit 3b5c84e534e52f51e0a6373223483f1130d45e3e in response to Debian bug 918304. The first release of debmirror with these changes was version 2.31. See here: https://salsa.debian.org/debian/debmirror/commit/3b5c84e534e52f51e0a6373223483f1130d45e3e and here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918304 I'll be honest, I'm not a programmer and Perl isn't a language I'm super familiar with so I'm guessing on the above analysis. I reverted the debmirror package to 2.30-1 and pinned it on my production system to work around this bug. My repos are still syncing correctly with the 2.30-1 package and GPG signature verification turned on.
OK, no worries, maybe the best is rollback to debmirror-2.30 in el7 , isn't it . Thanks for the report
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-9d014c4edf
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Sergio Basto from comment #2) > Thank you for the report > > use mean just remove "--output -" fixes the problem ? OK, I'm sending debmirror-2.35-1.el7 to testing with mentioned patch since I got other person which says that is working and debmirror-2.35 is need to pick up the new cnf metadata that ubuntu 20.04 requires.
FEDORA-EPEL-2021-f005e1b879 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879
FEDORA-EPEL-2021-f005e1b879 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-f005e1b879 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.