Bug 642420 - net-libs/signond installs without SecretsStorage backend, falls back to unencrypted plain-text SQLite DB
Summary: net-libs/signond installs without SecretsStorage backend, falls back to unenc...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo KDE team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-27 16:49 UTC by Martijn Schmidt
Modified: 2024-04-25 20:43 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
signond-8.59-r1.ebuild (1.60 KB, text/plain), 2017-12-27 16:49 UTC, Martijn Schmidt
metadata.xml (376 bytes, application/xml), 2017-12-27 16:50 UTC, Martijn Schmidt
signond-ebuild.diff (576 bytes, patch), 2017-12-28 19:01 UTC, Martijn Schmidt
signond-metadata.diff (420 bytes, patch), 2017-12-28 19:02 UTC, Martijn Schmidt
kaccounts-integration-ebuild.diff (597 bytes, patch), 2018-01-02 00:16 UTC, Martijn Schmidt
kaccounts-integration-metadata.diff (448 bytes, patch), 2018-01-02 00:28 UTC, Martijn Schmidt

Description Martijn Schmidt 2017-12-27 16:49:32 UTC
Created attachment 511764
signond-8.59-r1.ebuild

net-libs/signond is used as a backend for packages such as kde-apps/kaccounts-integration and kde-apps/kaccounts-providers, but has neither USE flags nor dependencies to pull in at least one of the secure SecretsStorage backend plugins. If no backend plugins are found, signond falls back to a "default" unencrypted plain-text SQLite DB to store its secrets, as described in the /etc/signond.conf bundled with the net-libs/signond package.

It's fairly trivial to check whether this insecure default backend is in use. For example, a KDE user with kde-misc/kio-gdrive installed may configure an online account through systemsettings5 -> Online Accounts -> Create -> Google. After following the steps in the GUI, open signond's SQLite database through the terminal and perform a .dump to print the password that was submitted back in unencrypted plain-text: sqlite3 ~/.config/signond/signon-secrets.db

Luckily, KDE users can easily resolve this issue by manually pulling in the kde-apps/signon-kwallet-extension package as recommended per the documentation on: https://community.kde.org/KTp/Setting_up_KAccounts#Wallet_support

A gnome-keyring plugin exists as per /etc/signond.conf which refers to https://launchpad.net/signon-keyring-extension, but it doesn't appear to be in the Gentoo Linux tree at this time.

In my opinion, we should avoid storing secrets in the insecure default SQLite DB at all costs. Perhaps it would be a good idea to add a REQUIRED_USE "at least one of" style operator to the ebuild to make sure the end user has to install at least one secure SecretsStorage backend, starting with kwallet or gnome-keyring.

I have uploaded a suggested ebuild for net-libs/signond-8.59-r1 which adds the required kwallet USE flag and in turn has an RDEPEND for "kwallet? ( kde-apps/signon-kwallet-extension )". I couldn't add a gnome-keyring USE flag and RDEPEND entry at the same time because the signon-keyring-extension plugin is not in the tree yet.
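As an added example (not part of the bug report, and not code from the signond project), here is a defender-side check for the fallback described above: it reports whether signond is configured with a SecretsStorage extension that is actually installed, and whether the plain-text secrets database at ~/.config/signond/signon-secrets.db (the path given in the report) is present. It assumes that /etc/signond.conf carries the backend choice as a `SecretsStorage=` key and that the value `default` (or no key at all) selects the SQLite fallback; the extension directory and the `*<backend>*.so` plugin file name pattern are assumptions as well, so verify all three against your installed signond before relying on the result.

```shell
#!/bin/sh
# Added example: report whether signond's plain-text SQLite fallback is in effect.
# ASSUMPTIONS (verify against your system):
#  - signond.conf selects the backend with a "SecretsStorage=" key; "default"
#    or a missing key means the unencrypted SQLite fallback.
#  - extension plugins live in one directory and are named *<backend>*.so.

# Print the configured SecretsStorage backend, or "default" if none is set.
signond_backend() {
    conf="$1"
    [ -r "$conf" ] || { echo "default"; return 0; }
    # last uncommented "SecretsStorage = value" line, quotes and blanks stripped
    val=$(sed -n 's/^[[:space:]]*SecretsStorage[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tail -n 1 | tr -d '"[:space:]')
    [ -n "$val" ] && echo "$val" || echo "default"
}

# Return 0 when a non-default backend is configured AND its plugin library exists
# in the extension directory; return 1 when the SQLite fallback would be used.
signond_secure_backend_active() {
    conf="$1"; ext_dir="$2"
    backend=$(signond_backend "$conf")
    [ "$backend" != "default" ] || return 1
    for f in "$ext_dir"/*"$backend"*.so; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Return 0 if a non-empty plain-text secrets database exists at the given path
# (defaults to the location named in the bug report).
signond_plaintext_db_present() {
    db="${1:-$HOME/.config/signond/signon-secrets.db}"
    [ -s "$db" ]
}

# Human-readable summary. Exit status: 0 = a secure backend is active and no
# plain-text database was found, 2 = secrets are (or were) stored unencrypted.
signond_report() {
    conf="$1"; ext_dir="$2"; db="$3"
    status=0
    if signond_secure_backend_active "$conf" "$ext_dir"; then
        echo "OK: SecretsStorage backend '$(signond_backend "$conf")' is configured and installed"
    else
        echo "WARNING: no SecretsStorage extension active; signond falls back to unencrypted SQLite"
        status=2
    fi
    if signond_plaintext_db_present "$db"; then
        echo "WARNING: plain-text secrets database present at $db"
        status=2
    fi
    return $status
}

# Stand-alone use against a live system (the extension directory is an assumed path):
#   signond_report /etc/signond.conf /usr/lib64/signon/extensions \
#       "$HOME/.config/signond/signon-secrets.db"
```

The report deliberately flags a pre-existing secrets database even after a backend has been enabled, because switching the backend does not by itself remove secrets that were already written to the SQLite file.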
Comment 1 Martijn Schmidt 2017-12-27 16:50:20 UTC
Created attachment 511766
metadata.xml
Comment 2 Andreas Sturmlechner gentoo-dev 2017-12-28 10:10:07 UTC
Thanks for your report. It is always better if you attach unified diffs over the most recent ebuild instead of the full ebuild, so your changes can be reviewed.
Comment 3 Martijn Schmidt 2017-12-28 19:01:31 UTC
Created attachment 511880
signond-ebuild.diff

Thanks for the hint, I wasn't aware that a different format is preferred. I have attached the unified diffs you've asked for, for your review, and obsoleted the old attachments.
Comment 4 Martijn Schmidt 2017-12-28 19:02:16 UTC
Created attachment 511882
signond-metadata.diff
Comment 5 Martijn Schmidt 2018-01-02 00:16:36 UTC
Created attachment 512680
kaccounts-integration-ebuild.diff

The ebuild which I proposed last week results in circular dependencies on a system which doesn't already have both packages installed. Please excuse the newbie mistake on my part! ;-)

===========

 * Error: circular dependencies:

(net-libs/signond-8.59-r1:0/0::local, ebuild scheduled for merge) depends on
 (kde-apps/signon-kwallet-extension-17.12.0:5/5::gentoo, ebuild scheduled for merge) (runtime)
  (net-libs/signond-8.59-r1:0/0::local, ebuild scheduled for merge) (buildtime)

 * Note that circular dependencies can often be avoided by temporarily
 * disabling USE flags that trigger optional dependencies.

===========

Perhaps the cleaner solution, in this case, would be to modify the ebuild for kde-apps/kaccounts-integration so that it has a kwallet USE flag with an RDEPEND on kde-apps/signon-kwallet-extension when enabled. This was the upstream's recommended setup, and for users with the desktop/plasma profile the kwallet USE flag is going to be enabled by default anyway.

That'll leave the Gnome team to decide what they'd like to do for the net-libs/signond integration with signon-keyring-extension. I'm not sure what'd be the best approach for other projects which may depend on net-libs/signond.
Comment 6 Martijn Schmidt 2018-01-02 00:28:33 UTC
Created attachment 512682
kaccounts-integration-metadata.diff
Comment 7 Andreas Sturmlechner gentoo-dev 2018-01-31 22:58:31 UTC
I'm not sure about the best course of action here. Portage does not really support optional runtime deps, and USE flags exclusively in RDEPEND are frowned upon. If we add it unconditionally, definitely some people will complain.

Until there is real support for it in Portage we typically solve situations like these via an elog/optfeature message in pkg_postinst.

Right now we have the following dependency chain:

kde-apps/plasma-telepathy-meta
  kde-apps/ktp-kded-module
    kde-apps/signon-kwallet-extension
Comment 8 Larry the Git Cow gentoo-dev 2024-04-22 19:37:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/kde.git/commit/?id=472b2c654c64e7e0d273982d668aada4aeee6531

commit 472b2c654c64e7e0d273982d668aada4aeee6531
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-22 19:37:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-22 19:37:09 +0000

    net-libs/signond: Add pkg_postinst warning
    
    Bug: https://bugs.gentoo.org/642420
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/signond/signond-9999.ebuild | 8 ++++++++
 1 file changed, 8 insertions(+)

https://gitweb.gentoo.org/proj/kde.git/commit/?id=e658e5e8ad12f4c8d25e0e8420b0e7a169fd3caa

commit e658e5e8ad12f4c8d25e0e8420b0e7a169fd3caa
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-22 19:19:00 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-22 19:28:00 +0000

    kde-apps/kdenetwork-meta: Add kde-misc/kio-gdrive revdeps
    
    These packages had so far not been covered by any -meta:
    
            - kde-apps/kaccounts-integration
            - kde-apps/kaccounts-providers
            - kde-apps/signon-kwallet-extension
    
    With plasma-telepathy-meta last-rited, the latter has been stripped of
    the last remaining revdep as well. All three dependencies are listed in
    kdenetwork-meta sets, so the ebuild fits, and by seating it next to
    kde-misc/kio-gdrive within IUSE=webengine it still remains optional.
    
    Without kde-apps/signon-kwallet-extension, the default for kio-gdrive
    (through behaviour of signond) would be to save tokens in plaintext
    in an sqlite database.
    
    Thanks-to: Martijn Schmidt
    Bug: https://bugs.gentoo.org/642420
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kdenetwork-meta/kdenetwork-meta-24.05.49.9999.ebuild | 7 ++++++-
 kde-apps/kdenetwork-meta/kdenetwork-meta-9999.ebuild          | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
Comment 9 Larry the Git Cow gentoo-dev 2024-04-25 20:43:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83f1ca506ece6040cfc937738bdbc928ba909372

commit 83f1ca506ece6040cfc937738bdbc928ba909372
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-22 19:37:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-25 20:42:40 +0000

    net-libs/signond: Add pkg_postinst warning
    
    Closes: https://bugs.gentoo.org/642420
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/signond/signond-8.61-r100.ebuild | 8 ++++++++
 net-libs/signond/signond-8.61.ebuild      | 8 ++++++++
 2 files changed, 16 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a2850eaaef65d3626fcb6b99eff3594efafb5d7

commit 0a2850eaaef65d3626fcb6b99eff3594efafb5d7
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-22 19:19:00 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-25 20:42:40 +0000

    kde-apps/kdenetwork-meta: Add kde-misc/kio-gdrive revdeps
    
    These packages had so far not been covered by any -meta:
    
            - kde-apps/kaccounts-integration
            - kde-apps/kaccounts-providers
            - kde-apps/signon-kwallet-extension
    
    With plasma-telepathy-meta last-rited, the latter has been stripped of
    the last remaining revdep as well. All three dependencies are listed in
    kdenetwork-meta sets, so the ebuild fits, and by seating it next to
    kde-misc/kio-gdrive within IUSE=webengine it still remains optional.
    
    Without kde-apps/signon-kwallet-extension, the default for kio-gdrive
    (through behaviour of signond) would be to save tokens in plaintext
    in an sqlite database.
    
    Thanks-to: Martijn Schmidt
    Closes: https://bugs.gentoo.org/642420
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kdenetwork-meta-23.08.5-r1.ebuild              | 36 ++++++++++++++++++++++
 ....2.ebuild => kdenetwork-meta-24.02.2-r1.ebuild} |  7 ++++-
 2 files changed, 42 insertions(+), 1 deletion(-)