[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder

Jonas Smedegaard jonas at jones.dk
Sun Sep 15 13:18:18 CEST 2019


Quoting Johannes Schauer (2019-09-14 18:26:57)
> Hi,
> 
> Quoting Patrick Schleizer (2019-09-14 08:00:00)
> > cowbuilder (or pbuilder?) calls debootstrap with:
> > 
> > + args='--include=apt --variant=buildd --force-check-gpg buster 
> > /var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'
> > 
> > I.e. it is possible to pass an apt repository URI through command line
> > (above last argument).
> > 
> > However, I am translating that in the wrapper to:
> > 
> > --verbose --architectures=amd64
> > --aptopt=/home/user/whonix_binary/aptgetopt.conf
> > --include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
> > buster /var/cache/pbuilder/base.cow_amd64
> > /home/user/Whonix/build_sources/debian_stable_current_clearnet.list
> > 
> > Using a file
> > /home/user/Whonix/build_sources/debian_stable_current_clearnet.list
> > which contains both the Debian "standard" repository and the Debian
> > security repository.
> > 
> > This is to make use of mmdebstrap's excellent security feature to
> > bootstrap from two repositories at once. If the APT version in Debian
> > "standard" repository had a vulnerability, then the vulnerable version
> > would be installed first before vulnerable APT would be used to upgrade
> > in a later step from Debian security repository.
> > 
> > "Incompatibility" is perhaps a far stretched term. How do we "teach"
> > grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
> > repository and Debian security repository when using mmdebstrap"?
> > 
> > It's like "the ecosystem does not take advantage of mmdebstrap" yet.
> 
> Okay, but as far as I can see there is nothing that can be done in 
> mmdebstrap about this, right?

If mmdebstrap were to support curl-style URL expansion, then current 
wrappers for debootstrap supporting only a single string could be abused 
to pass an expandable set of strings, like this:

Perhaps mmdebstrap could support curl-style glob expansion of URLs + 
suite splitting, to allow passing multiple apt lines through wrappers 
which expect only a single base URL, like this:

  https://{deb.debian.org/debian/dists/{buster,buster-updates},security.debian.org/debian-security/dists/buster/updates}

expanding to this:

  https://deb.debian.org/debian buster
  https://deb.debian.org/debian buster-updates
  https://security.debian.org/debian-security buster/updates

Here's a quick one-liner that maybe better explains what I mean:

echo 'https://{deb.debian.org/debian/dists/{buster,buster-updates},security.debian.org/debian-security/dists/buster/updates}' | perl -MFile::Glob=:bsd_glob -nE 'say map { s,/dists/, ,r } bsd_glob($_, GLOB_BRACE | GLOB_NOMAGIC )'


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
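
The expansion proposed in the message above, written out as an added example (not code from the thread, and not mmdebstrap's own): it expands nested braces in the single mirror argument and splits each result at /dists/ into a URI and a suite. The function names, the default_suite fallback for a plain mirror URL, and the rejection of whitespace and unbalanced braces are assumptions of this sketch.

```python
import re

def split_top_level(body):
    """Split the inside of one {...} group on commas that are not nested."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
            continue
        depth += (ch == "{") - (ch == "}")
        cur.append(ch)
    parts.append("".join(cur))
    return parts

def expand_braces(pattern):
    """Expand curl-style {a,b} alternations, including nested groups."""
    depth, start = 0, None
    for i, ch in enumerate(pattern):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in %r" % pattern)
            if depth == 0:
                # First complete top-level group: substitute each
                # alternative, then expand whatever braces remain.
                head, tail = pattern[:start], pattern[i + 1:]
                alts = split_top_level(pattern[start + 1:i])
                return [r for a in alts for r in expand_braces(head + a + tail)]
    if depth:
        raise ValueError("unbalanced '{' in %r" % pattern)
    return [pattern]

def to_apt_sources(arg, default_suite):
    """Turn one wrapper-supplied mirror argument into (uri, suite) pairs."""
    sources = []
    for url in expand_braces(arg):
        # Whitespace would add extra fields to the generated apt line.
        if re.search(r"\s", url):
            raise ValueError("whitespace in expanded URL %r" % url)
        base, sep, suite = url.partition("/dists/")
        if sep and not suite:
            raise ValueError("empty suite in %r" % url)
        # A plain mirror URL keeps the suite given separately on the
        # command line, as existing debootstrap wrappers pass it.
        sources.append((base, suite if sep else default_suite))
    return sources
```
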