Bug 949851 - app-crypt/certbot: rekeywording
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Keywording
Hardware: All Linux
Importance: Normal normal
Assignee: Matthew Thode ( prometheanfire )
Keywords: CC-ARCHES, PullRequest
Duplicates: 949852
Reported: 2025-02-16 20:18 UTC by Thibaud CANALE
Modified: 2025-03-11 20:20 UTC

Package list:
app-crypt/certbot dev-python/dns-lexicon >=dev-python/pyotp-2 >=dev-python/tldextract-2 >=dev-python/zeep-3 dev-python/python-augeas >=dev-python/requests-file-1.4 dev-python/aioresponses dev-python/pyu2f dev-python/xmlsec
Runtime testing required: ---
nattka: sanity-check+


Description Thibaud CANALE 2025-02-16 20:18:11 UTC
Request rekeywording so Certbot’s modules (or the whole package app-crypt/certbot, considering bug 949725) can be available on multiple systems, instead of currently amd64 & x86 systems.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-07 19:46:14 UTC
The package list hasn't been populated. It's also better to do one big package list (see the last paragraph of this section: https://devmanual.gentoo.org/keywording/index.html#keywording-on-upgrades).
Comment 2 NATTkA bot gentoo-dev Security 2025-03-07 19:53:22 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-07 20:18:17 UTC
*** Bug 949852 has been marked as a duplicate of this bug. ***
Comment 4 NATTkA bot gentoo-dev Security 2025-03-07 20:20:30 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev Security 2025-03-08 20:36:35 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev Security 2025-03-08 20:44:43 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-08 20:57:58 UTC
We should mask some USE instead, I think.
Comment 8 Thibaud CANALE 2025-03-09 17:25:46 UTC
(In reply to Sam James from comment #7)
> We should mask some USE instead, I think.

I think you are right, but this defeats the whole purpose of a single package if for specific Certbot’s modules we create dedicated packages with a restricted set of architectures.

Just to better understand the process, what is the target set of supported arch? Maybe we can restrict this instead if this is simpler?
Comment 9 Thibaud CANALE 2025-03-09 19:01:32 UTC
(In reply to Sam James from comment #7)
> We should mask some USE instead, I think.

Just did a PR to drop Google DNS Authenticator. I created a new package for it in Guru* (branch[0] and commit[1]), not yet pushed to dev because it needs the update from this new PR.

*Why in Guru: because I am not a maintainer, so it was giving a warning when creating a new package under my name.

0: https://github.com/thican/guru/tree/app-crypt/certbot-dns-google
1: https://github.com/thican/guru/commit/723b76932c705ceb99f8a2cfadb862b424b2c98c
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-09 19:23:48 UTC
(In reply to Thibaud CANALE from comment #8)
> (In reply to Sam James from comment #7)
> > We should mask some USE instead, I think.
> 
> I think you are right, but this defeats the whole purpose of a single package
> if for specific Certbot’s modules we create dedicated packages with a
> restricted set of architectures.

I don't understand how.. I was suggesting that we mask USE=certbot-dns-google (or whatever) in profiles/arch/arm/package.use.mask for certbot to avoid keywording extra dependencies there (as it ultimately pulls in pandas).
Comment 11 Thibaud CANALE 2025-03-09 20:23:43 UTC
(In reply to Sam James from comment #10)
> (In reply to Thibaud CANALE from comment #8)
> > (In reply to Sam James from comment #7)
> > > We should mask some USE instead, I think.
> > 
> > I think you are right, but this defeats the whole purpose of a single package
> > if for specific Certbot’s modules we create dedicated packages with a
> > restricted set of architectures.
> 
> I don't understand how.. I was suggesting that we mask
> USE=certbot-dns-google (or whatever) in profiles/arch/arm/package.use.mask
> for certbot to avoid keywording extra dependencies there (as it ultimately
> pulls in pandas).

My bad, I misunderstood your idea. I thought you wanted to mask more USE flags and then export those modules as extra packages, like I did above; I didn’t know it could work this way too.

I thought the idea was to shorten the list of rekeywording by dropping some USE flags, hence my PR, and once the latter was merged, we could have reconfigured this list.

I considered dropping the module for google dns a good idea, as it was not featured before and is clearly going too deep, as far as I can understand from the sanity check report.

To be clear, I like my idea, it’s easier, faster and does the job, maybe because I lack the experience to judge.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-09 20:27:03 UTC
IMO we should go for the p.use.mask approach to not have more churn and to provide options for amd64/arm64 users.
Comment 13 Thibaud CANALE 2025-03-09 20:29:49 UTC
(In reply to Sam James from comment #12)
> IMO we should go for the p.use.mask approach to not have more churn and to
> provide options for amd64/arm64 users.

Okay then.
Do you want to do it, or should I?
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-09 20:30:44 UTC
Could you?
Comment 15 NATTkA bot gentoo-dev Security 2025-03-09 20:52:45 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev Security 2025-03-09 21:36:43 UTC Comment hidden (obsolete)
Comment 17 Larry the Git Cow gentoo-dev 2025-03-09 23:01:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23078bb61cb9f5976ff38aaaa05ee8846ee3b33f

commit 23078bb61cb9f5976ff38aaaa05ee8846ee3b33f
Author:     Thibaud CANALE <thican@thican.net>
AuthorDate: 2025-03-09 21:07:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-03-09 23:00:33 +0000

    profiles/arch: restrict Certbot’s module "google dns" to amd64, arm64 and x86
    
    Dependencies for Certbot’s “Google DNS Authenticator” are only currently
    keyworded for amd64, arm64 and x86, so mask its USE flag by default.
    
    Bug: https://bugs.gentoo.org/949851
    Signed-off-by: Thibaud CANALE <thican@thican.net>
    Closes: https://github.com/gentoo/gentoo/pull/40985
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ++++
 profiles/arch/arm64/package.use.mask | 4 ++++
 profiles/arch/base/package.use.mask  | 6 ++++++
 profiles/arch/x86/package.use.mask   | 4 ++++
 4 files changed, 18 insertions(+)
Comment 18 NATTkA bot gentoo-dev Security 2025-03-09 23:16:55 UTC Comment hidden (obsolete)
Comment 19 Thibaud CANALE 2025-03-10 00:38:21 UTC
Good, it’s finally `sanity-check+`, but I noticed a bit too late that there are two unnecessary packages, as they are also dependencies for the module "google dns":
- dev-python/aioresponses: for dev-python/google-auth
- dev-python/pyu2f: for dev-python/google-auth
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-10 00:46:33 UTC
arm64 done
Comment 21 Jakov Smolić archtester gentoo-dev 2025-03-10 12:46:33 UTC
riscv done
Comment 22 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-03-11 20:20:10 UTC
ppc64 done
Comment 23 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-03-11 20:20:11 UTC
arm done

all arches done