[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder
Patrick Schleizer
adrelanos at riseup.net
Sat Sep 14 08:00:00 CEST 2019
Awesome! Great to know you're interested in this!
Good question. I am not sure what I meant with that either. :) Will look
into it again.
First thing:
####
debootstrap:
--arch=ARCH
mmdebstrap:
--architectures=native[,foreign1,...]
####
In other words, grml-debootstrap calls debootstrap with --arch=ARCH.
This will fail since mmdebstrap does not support --arch=ARCH but wants
--architectures.
####
cowbuilder (or pbuilder?) calls debootstrap with:
+ args='--include=apt --variant=buildd --force-check-gpg buster
/var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'
I.e. it is possible to pass an apt repository URI through command line
(above last argument).
However, I am translating that in the wrapper to:
--verbose --architectures=amd64
--aptopt=/home/user/whonix_binary/aptgetopt.conf
--include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
buster /var/cache/pbuilder/base.cow_amd64
/home/user/Whonix/build_sources/debian_stable_current_clearnet.list
Using a file
/home/user/Whonix/build_sources/debian_stable_current_clearnet.list
which contains both, Debian "standard" repository as well as Debian
security repository.
This is to make use of mmdebstrap excellent security feature to
bootstrap from two repositories at once. If the APT version in Debian
"standard" repository had a vulnerability, then the vulnerable version
would be installed first before vulnerable APT would be used to upgrade
in a later step from Debian security repository.
"Incompatibility" is perhaps a far stretched term. How do we "teach"
grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
repository and Debian security repository when using mmdebstrap"?
It's like "the ecosystem does not take advantage of mmdebstrap" yet.
Not sure anymore why I added:
--include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
apt-transport-https might be required to support https repositories in
sources list.
apt-transport-tor might be required to support tor+https and .onion in
sources list.
Johannes Schauer:
> I added a no-op --force-check-gpg option.
Where is the source code for that? git clones just now.
git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git
But cannot find any mention of "force-check-gpg".
Once I have the new version, and can get past the "force-check-gpg"
option, I will re-try these tools and see how far I get step by step.
Cheers,
Patrick
More information about the Whonix-devel
mailing list