update Sbuild docs again re. building for stretch

Building for stretch requires newer sbuild.

2 files changed, 30 insertions, 9 deletions

diff --git a/debian/changelog b/debian/changelog
index eeac0d4f..ce8d6e41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,12 +9,18 @@ propellor (3.1.2) UNRELEASED; urgency=medium
   [ Sean Whitton ]
   * Pass --allow-unrelated-histories to git merge when run with git 2.9 or
     newer. This fixes the /usr/bin/propellor wrapper with this version of git.
-  * Sbuild.built & Sbuild.builtFor no longer force Sbuild.keygenGenerated.
-    This is only required for squeeze chroots, which we don't support anyway.
+  * Sbuild.built & Sbuild.builtFor no longer require Sbuild.keypairGenerated.
+    Transition guide: If you are using sbuild 0.70.0 or newer, you should
+    `rm -r /var/lib/sbuild/apt-keys`.  Otherwise, you should add either
+    Sbuild.keypairGenerated or Sbuild.keypairInsecurelyGenerated to your host.
   * Sbuild haddock improvements:
-    - State that we don't support squeeze and Buntish older than trusty
-    - Update sample ~/.sbuildrc for sbuild 0.71.0
-    - Add hint for customising chroots with propellor
+    - State that we don't support squeeze and Buntish older than trusty.
+      This is due to our enhancements, such as eatmydata.
+    - State that you need sbuild 0.70.0 or newer to build for stretch.
+      This is due to gpg2 hitting Debian stretch.
+    - Explain when a keygen is required.
+    - Update sample ~/.sbuildrc for sbuild 0.71.0.
+    - Add hint for customising chroots with propellor.
     - Update example usage of System type.
 
  -- Joey Hess <id@joeyh.name>  Sun, 24 Jul 2016 13:34:37 -0400
diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs
index 16e21f55..b55b6e8c 100644
--- a/src/Propellor/Property/Sbuild.hs
+++ b/src/Propellor/Property/Sbuild.hs
@@ -7,9 +7,16 @@ Maintainer: Sean Whitton <spwhitton@spwhitton.name>
 Build and maintain schroots for use with sbuild.
 
 For convenience we set up several enhancements, such as ccache and
-eatmydata.  This means we have to assume that you want to build
-packages for a Debian release strictly newer than squeeze, or for
-Buntish releases newer than or equal to trusty.
+eatmydata.  This means we have to make several assumptions:
+
+1. you want to build for a Debian release strictly newer than squeeze,
+or for a Buntish release newer than or equal to trusty
+
+2. if you want to build for Debian stretch or newer, you have sbuild
+0.70.0 or newer (there is a backport to jessie)
+
+The latter is due to the migration from GnuPG v1 to GnuPG v2.1 in
+Debian stretch, which older sbuild can't handle.
 
 Suggested usage in @config.hs@:
 
@@ -21,6 +28,10 @@ Suggested usage in @config.hs@:
 >  & Sbuild.shareAptCache
 >  & Schroot.overlaysInTmpfs
 
+If you are using sbuild older than 0.70.0, you also need:
+
+>  & Sbuild.keypairGenerated
+
 In @~/.sbuildrc@ (sbuild 0.71.0 or newer):
 
 >  $run_piuparts = 1;
@@ -46,7 +57,7 @@ Nevertheless, the chroot that @sbuild-createchroot(1)@ creates might
 not meet your needs.  For example, you might need to enable an apt
 cacher.  In that case you can do something like this in @config.hs@:
 
->  & Sbuild.built (System (Debian Unstable) X86_32) `before` mySetup
+>  & Sbuild.built (System (Debian Linux Unstable) X86_32) `before` mySetup
 >    where
 >  	mySetup = Chroot.provisioned myChroot
 >  	myChroot = Chroot.debootstrapped
@@ -344,6 +355,8 @@ usableBy :: User -> Property DebianLike
 usableBy u = User.hasGroup u (Group "sbuild") `requires` installed
 
 -- | Generate the apt keys needed by sbuild
+--
+-- You only need this if you are using sbuild older than 0.70.0.
 keypairGenerated :: Property DebianLike
 keypairGenerated = check (not <$> doesFileExist secKeyFile) $ go
 	`requires` installed
@@ -369,6 +382,8 @@ secKeyFile = "/var/lib/sbuild/apt-keys/sbuild-key.sec"
 -- >  	`onChange` Systemd.started "my-rngd-service"
 --
 -- Useful on throwaway build VMs.
+--
+-- You only need this if you are using sbuild older than 0.70.0.
 keypairInsecurelyGenerated :: Property DebianLike
 keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
   where