[PATCH] gnu: Patch duplicity with --ignore-mdc-error.

  • Done
Details
2 participants
  • Leo Famulari
  • Christopher Baines
Owner
unassigned
Submitted by
Christopher Baines
Severity
normal


Christopher Baines wrote 7 years ago
(address . guix-patches@gnu.org)
20180729154152.11296-1-mail@cbaines.net
Modify the package to patch gnu.py with an unreleased upstream change to fix
duplicity working with recent releases of GnuPG. This change makes the package
build again.

* gnu/packages/backup.scm (duplicity)[arguments]: Patch gnu.py within the
patch-source phase.
---
gnu/packages/backup.scm | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 9884f58fc..0733d9c34 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -105,6 +105,15 @@
(substitute* "duplicity/gpginterface.py"
(("self.call = 'gpg'")
(string-append "self.call = '" (assoc-ref inputs "gnupg") "/bin/gpg'")))
+
+ ;; This matches up with an unreleased upstream fix, it should be
+ ;; removed when the package is updated
+ ;; https://bazaar.launchpad.net/~duplicity-team/duplicity/0.8-series/revision/1308
+ (substitute* "duplicity/gpg.py"
+ (("--no-secmem-warning'\\)")
+ "--no-secmem-warning')
+ gnupg.options.extra_args.append('--ignore-mdc-error')"))
+
(substitute* '("testing/functional/__init__.py"
"testing/overrides/bin/lftp")
(("/bin/sh") (which "sh")))
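Review bot: The comment above the new substitute* on "duplicity/gpg.py" cites the upstream revision but does not say what the appended flag does. GnuPG's --ignore-mdc-error turns an MDC integrity failure into a warning, and the flag is appended unconditionally right after '--no-secmem-warning', so the comment should state that effect and why it is acceptable for this package, which also tells whoever updates the package what to re-check before dropping the substitution. The commit log names gnu.py while the hunk edits duplicity/gpg.py; the log entry should name the file that is actually patched. The replacement string also spans two lines, so the indentation of the inserted Python statement comes from the literal whitespace inside the Scheme string and is worth checking against the surrounding code in gpg.py.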
--
2.18.0
Christopher Baines wrote 7 years ago
(address . 32303-done@debbugs.gnu.org)
87va8qfu5k.fsf@cbaines.net
Christopher Baines <mail@cbaines.net> writes:

> Modify the package to patch gnu.py with an unreleased upstream change to fix
> duplicity working with recent releases of GnuPG. This change makes the package
> build again.
>
> * gnu/packages/backup.scm (duplicity)[arguments]: Patch gnu.py within the
> patch-source phase.
> ---
> gnu/packages/backup.scm | 9 +++++++++
> 1 file changed, 9 insertions(+)

Pushed now :)

Closed
Leo Famulari wrote 7 years ago
(name . Christopher Baines)(address . mail@cbaines.net)(address . 32303@debbugs.gnu.org)
20180807165649.GA917@jasmine.lan
On Sun, Jul 29, 2018 at 04:41:52PM +0100, Christopher Baines wrote:
> Modify the package to patch gnu.py with an unreleased upstream change to fix
> duplicity working with recent releases of GnuPG. This change makes the package
> build again.
>
> + gnupg.options.extra_args.append('--ignore-mdc-error')"))

Thanks for taking care of this package.

I'm concerned about the impact of this change, and Duplicity in general.

By ignoring the result of the MDC (modification detection code) check, I
*think* Duplicity loses the ability to authenticate its archives. If so,
the Duplicity package description should be changed to reflect this. I
would at least remove the text about safety against modification.

Also and FYI, Duplicity uses the MD4 message digest truncated to 64 bits
(via librsync) to identify chunks for deduplication. [0] MD4 collisions
are trivial to generate.

It's not totally reasonable to remove packages like backup programs
since, in the future, people will want to read the archives they have
created. But perhaps we should steer users away from Duplicity in the
package description.

[0] See:
... also briefly discussed in our bug tracker:


Christopher Baines wrote 7 years ago
(name . Leo Famulari)(address . leo@famulari.name)(address . 32303@debbugs.gnu.org)
87ftzakul8.fsf@cbaines.net
Leo Famulari <leo@famulari.name> writes:

> On Sun, Jul 29, 2018 at 04:41:52PM +0100, Christopher Baines wrote:
>> Modify the package to patch gnu.py with an unreleased upstream change to fix
>> duplicity working with recent releases of GnuPG. This change makes the package
>> build again.
>>
>> + gnupg.options.extra_args.append('--ignore-mdc-error')"))
>
> Thanks for taking care of this package.
>
> I'm concerned about the impact of this change, and Duplicity in general.
>
> By ignoring the result of the MDC (modification detection code) check, I
> *think* Duplicity loses the ability to authenticate its archives. If so,
> the Duplicity package description should be changed to reflect this. I
> would at least remove the text about safety against modification.
>
> Also and FYI, Duplicity uses the MD4 message digest truncated to 64 bits
> (via librsync) to identify chunks for deduplication. [0] MD4 collisions
> are trivial to generate.

Hmm, this does look like more of an issue than I anticipated. I was
thinking that this was maybe to do with the tests alone, but checking
the upstream change again, it looks like it affects general operation.

> It's not totally reasonable to remove packages like backup programs
> since, in the future, people will want to read the archives they have
> created. But perhaps we should steer users away from Duplicity in the
> package description.

Yeah, removing the statement about "modification" in the description
sounds like a good step. I don't know enough to add something more
informative to the description though.

One extra thing to note is that I use duplicity (well, not much) through
Deja Dup, so if there are issues with duplicity to describe in the
package description, it might be good to add something similar to the
few packages that use duplicity.

Thanks for looking into this, Leo :)

Leo Famulari wrote 7 years ago
(name . Christopher Baines)(address . mail@cbaines.net)(address . 32303@debbugs.gnu.org)
20180822210523.GA5079@jasmine.lan
On Sun, Aug 19, 2018 at 08:46:43PM +0100, Christopher Baines wrote:
> Thanks for looking into this, Leo :)

A few days ago, I sent an email to <duplicity-talk@nongnu.org>
requesting clarification on how this affects Duplicity. I think my
message is still waiting for moderation but hopefully it goes through.


Leo Famulari wrote 7 years ago
(name . Christopher Baines)(address . mail@cbaines.net)(address . 32303@debbugs.gnu.org)
20180906172620.GA2362@jasmine.lan
On Wed, Aug 22, 2018 at 05:05:23PM -0400, Leo Famulari wrote:
> A few days ago, I sent an email to <duplicity-talk@nongnu.org>
> requesting clarification on how this affects Duplicity. I think my
> message is still waiting for moderation but hopefully it goes through.

The Duplicity project clarified the effect of this change on the
integrity of the backup archives:

"Duplicity does a hash of the entire file so the MDC is duplication of
effort. [...] You are still protected by the hash stored in the
manifest." [0]

Based on that, I think the disabling of GnuPG's integrity check is not
that important in this case.

[0]



This issue is archived.
