This wasn't working properly: we weren't waiting for gpg-agent to
finish (just sending the signal). As a result, umount was still
failing.
The new PID namespace stuff supersedes this.
If we fail to umount, then this spams the logfile with numerous
errors, making it difficult to understand the cause of the issue.
This isn't a useful thing to do in the first place since this
directory is mounted.
This is a lightweight package, so shouldn't matter. Ignoring it
can lead to errors:
    error: missing dependency 'initramfs' for package 'linux'
    linux: ignoring package upgrade (6.7.6.arch1-1 => 6.7.8.arch1-1)
    mkinitcpio: ignoring package upgrade (37.3-1 => 38-4)
    Resolving dependencies...
    Checking package conflicts...
    :: uninstalling package 'mkinitcpio-37.3-1' due to conflict with 'cryptsetup-2.7.0-3'
If the secret exists but is not owned by the user, GetSecret now returns
sql.ErrNoRows and the previous owner ID check is not useful. Unknown
secrets should not fail the build.
The GraphQL API does a stricter validation of the manifest than the
Python code, specifically e.g. checking the `oauth:` directive. This can
lead to the API rejecting a manifest that passed the Python validation.
However, for this case, there is currently no error handling, causing
an exception. Such a case has been reported e.g. here: [1]
This commit adds such error handling by passing down the Validation
object all the way to the GraphQL call (which already accepts it). Only
caveat is that in this case, the `field` of the resulting error is not
set to "manifest" (or any other value). Hence, add an additional output
of the manifest summary to the template. This is added near the end of
the form, as we in fact do not know whether the error is from the
manifest, or something else.
[1] https://lists.sr.ht/~sircmpwn/sr.ht-discuss/%3Ce6709b1c-8181-4182-9926-595a38b7bc57%40app.fastmail.com%3E
The "port" used for build jobs is an actual TCP port (used e.g. for SSH
access). It is already enforced to be in a specific port range when
initially selected. Enshrine this fact in the API by making it a uint16.
The _apply_patch function for applying patches from lists.sr.ht requires
curl and since curl is not installed with the current set of packages
anymore, install it explicitly.
This link was using the previously unauthenticated API endpoint for
manifests. However, that now requires authentication like any other
endpoint. Instead, provide a simple UI route which displays the
manifest.
GnuPG recently made "keyboxd", an alternative keyring storage, the
default for new installs [1]. For reasons I cannot explain yet, a gpg
command will hang indefinitely trying to talk to keyboxd, if all of the
following are true:
- keyboxd is already running for the user
- it is managed by the systemd-user session (!?)
- the gpg command is run inside fakeroot
This is easily reproducible on builds.sr.ht: when building and signing a
package with `makepkg`, it will just hang forever after outputting
"Entering fakeroot environment". One can see in the process tree that it
is executing a gpg command inside a fakeroot at that time, which never
finishes.
While I have not found the cause, this issue is not isolated to
builds.sr.ht. I have reproduced this on other Arch Linux systems.
I am trying to figure out what the exact issue is, and whom to talk to
about it, but until then I think just avoiding keyboxd makes sense.
Hence, this commit disables keyboxd system-wide by adding a
configuration put forth in [2]. I verified that this is indeed
sufficient to make GnuPG fall back to the old storage format, even for
new setups.
[1] https://github.com/gpg/gnupg/blob/master/README#L119
[2] https://marc.info/?l=gnupg-users&m=170193805722787&w=2
For improved visibility, emails triggered by failures when building
build images will henceforth go to the new mailing list created for this
purpose: https://lists.sr.ht/~sircmpwn/sr.ht-image-failures
Otherwise we get this:
    + chroot root sudo -u build -g build /bin/bash -c 'cd /home/build && cd yay && env GOCACHE=/tmp/cache makepkg -si --noconfirm --skippgpcheck'
    ==> Making package: yay 12.2.0-1 (Mon Dec 4 09:06:25 2023)
    ==> Checking runtime dependencies...
    warning: database file for 'multilib' does not exist (use '-Sy' to download)
    ==> Checking buildtime dependencies...
    warning: database file for 'multilib' does not exist (use '-Sy' to download)
    ==> Installing missing dependencies...
    warning: database file for 'multilib' does not exist (use '-Sy' to download)
    error: failed to prepare transaction (could not find database)
    ==> ERROR: 'pacman' failed to install missing dependencies.
    ==> Missing dependencies:
    -> go>=1.19
    ==> ERROR: Could not resolve all dependencies.
Currently the Arch image is broken because the keyring has been
updated but the package is too old:
    curl: signature from "Leonidas Spyropoulos <artafinde@archlinux.org>" is unknown trust
    :: deleting corrupted file '/var/cache/pacman/pkg/curl-8.4.0-2-x86_64.pkg.tar.zst' (invalid or corrupted package (PGP signature))
    syslinux: signature from "Leonidas Spyropoulos <artafinde@archlinux.org>" is unknown trust
    :: deleting corrupted file '/var/cache/pacman/pkg/syslinux-6.04.pre2.r11.gbf6db5b4-4-x86_64.pkg.tar.zst' (invalid or corrupted package (PGP signature))