ports/170114: sysutils/duplicity cannot resume encrypted backups

William Orr will at worrbase.com
Tue Jul 24 17:30:13 UTC 2012


>Number:         170114
>Category:       ports
>Synopsis:       sysutils/duplicity cannot resume encrypted backups
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 17:30:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     William Orr
>Release:        9.0-RELEASE
>Organization:
>Environment:
FreeBSD puppies.worrbase.com 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Users of duplicity are unable to resume encrypted backups. GPG always returns an error that an invalid passphrase was used. This is a known bug, and the attached patches revert the change that caused the problem.

https://answers.launchpad.net/duplicity/+question/183711
>How-To-Repeat:
Try and resume an encrypted backup with duplicity
>Fix:
Apply attached patches

Patch attached with submission follows:

--- bin/duplicity.orig	2012-05-22 10:58:53.000000000 -0400
+++ bin/duplicity	2012-07-24 12:12:35.670846734 -0400
@@ -299,32 +299,6 @@
             tdp.delete()
         return putsize
 
-    def validate_encryption_settings(backup_set, manifest):
-        """
-        When restarting a backup, we have no way to verify that the current
-        passphrase is the same as the one used for the beginning of the backup.
-        This is because the local copy of the manifest is unencrypted and we
-        don't need to decrypt the existing volumes on the backend.  To ensure
-        that we are using the same passphrase, we manually download volume 1
-        and decrypt it with the current passphrase.  We also want to confirm
-        that we're using the same encryption settings (i.e. we don't switch
-        from encrypted to non in the middle of a backup chain), so we check
-        that the vol1 filename on the server matches the settings of this run.
-        """
-        vol1_filename = file_naming.get(backup_type, 1,
-                                        encrypted=globals.encryption,
-                                        gzipped=globals.compression)
-        if vol1_filename != backup_set.volume_name_dict[1]:
-            log.FatalError(_("Restarting backup, but current encryption "
-                             "settings do not match original settings"),
-                           log.ErrorCode.enryption_mismatch)
-
-        # Settings are same, let's check passphrase itself if we are encrypted
-        if globals.encryption:
-            fileobj = restore_get_enc_fileobj(globals.backend, vol1_filename,
-                                              manifest.volume_info_dict[1])
-            fileobj.close()
-
     if not globals.restart:
         # normal backup start
         vol_num = 0
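Review bot: Deleting all of validate_encryption_settings in this hunk also drops the vol1_filename comparison against backup_set.volume_name_dict[1], which has nothing to do with the passphrase failure described in the report. Only the block under "if globals.encryption:" (the restore_get_enc_fileobj call on volume 1) touches GPG. Consider keeping the function with just the filename comparison, so that a restart which switches from encrypted to unencrypted, or changes compression, still stops with log.FatalError instead of continuing the chain. The removed docstring names this as a separate goal from the passphrase check.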
@@ -335,7 +309,6 @@
         mf = globals.restart.last_backup.get_local_manifest()
         globals.restart.checkManifest(mf)
         globals.restart.setLastSaved(mf)
-        validate_encryption_settings(globals.restart.last_backup, mf)
         mf.fh = man_outfp
         last_block = globals.restart.last_block
         log.Notice("Restarting after volume %s, file %s, block %s" %
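Review bot: With the validate_encryption_settings call gone from the restart branch, nothing between setLastSaved(mf) and the "Restarting after volume" notice confirms that the current passphrase matches the one used at the start of the backup. The removed docstring notes that the local manifest is unencrypted, so it cannot catch a mismatch. A mistyped passphrase on resume would then produce later volumes that do not decrypt with the same passphrase as volume 1, and this would only surface at restore time. If the check has to go until the underlying bug is fixed, please leave a comment at this spot explaining why it was removed and pointing to the Launchpad question, and consider emitting a log warning on encrypted restarts that the passphrase is not being verified.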


>Release-Note:
>Audit-Trail:
>Unformatted:


