[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder

Patrick Schleizer adrelanos at riseup.net
Sat Sep 14 08:00:00 CEST 2019


Awesome! Great to know you're interested in this!

Good question. I am not sure what I meant with that either. :) Will look
into it again.

First thing:

####

debootstrap:

--arch=ARCH

mmdebstrap:

--architectures=native[,foreign1,...]

####

In other words, grml-debootstrap calls debootstrap with --arch=ARCH.
This will fail since mmdebstrap does not support --arch=ARCH but wants
--architectures.

####

cowbuilder (or pbuilder?) calls debootstrap with:

+ args='--include=apt --variant=buildd --force-check-gpg buster
/var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'

I.e. it is possible to pass an apt repository URI through the command
line (the last argument above).

However, I am translating that in the wrapper to:

--verbose --architectures=amd64
--aptopt=/home/user/whonix_binary/aptgetopt.conf
--include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
buster /var/cache/pbuilder/base.cow_amd64
/home/user/Whonix/build_sources/debian_stable_current_clearnet.list

Using a file
/home/user/Whonix/build_sources/debian_stable_current_clearnet.list
which contains both the Debian "standard" repository and the Debian
security repository.

This is to make use of mmdebstrap's excellent security feature to
bootstrap from two repositories at once. If the APT version in the Debian
"standard" repository had a vulnerability, then the vulnerable version
would be installed first, before the vulnerable APT was used in a later
step to upgrade from the Debian security repository.

"Incompatibility" is perhaps a far-fetched term. How do we "teach"
grml-debootstrap, cowbuilder (or pbuilder?) to "use both the Debian
"standard" repository and the Debian security repository when using
mmdebstrap"?

It's like "the ecosystem does not take advantage of mmdebstrap" yet.

Not sure anymore why I added:
--include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer

apt-transport-https might be required to support https repositories in
sources list.

apt-transport-tor might be required to support tor+https and .onion in
sources list.

Johannes Schauer:

> I added a no-op --force-check-gpg option.

Where is the source code for that? I git cloned it just now.

git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git

But cannot find any mention of "force-check-gpg".

Once I have the new version, and can get past the "force-check-gpg"
option, I will re-try these tools and see how far I get step by step.

Cheers,
Patrick
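The argument translation described in the message above, as an added example that is not the wrapper from the thread: a POSIX sh function that maps debootstrap-style arguments to an mmdebstrap command line, turning --arch=ARCH into --architectures=ARCH, dropping --force-check-gpg, and replacing a single mirror URI with a sources.list file that carries both the main and the security repository. The wrapper name and the sources.list path are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper (not the one from the mailing list thread).
set -eu

# Assumed path to a sources.list that lists BOTH the Debian "standard"
# repository and the security repository, so the chroot is bootstrapped from
# both at once and never starts out with an unpatched apt.
SOURCES_LIST="${SOURCES_LIST:-/etc/mmdebstrap-wrapper/stable_with_security.list}"

# Print the mmdebstrap command line for debootstrap-style arguments:
#   [options...] SUITE TARGET [MIRROR]
translate_debootstrap_args() {
    opts=""
    positional=""
    for arg in "$@"; do
        case "$arg" in
            --arch=*)
                # debootstrap's --arch=ARCH is mmdebstrap's --architectures=ARCH
                opts="$opts --architectures=${arg#--arch=}" ;;
            --force-check-gpg)
                # debootstrap-only flag (pbuilder/cowbuilder pass it); apt already
                # verifies Release signatures, so it is dropped here.
                ;;
            --*)
                # --include=, --variant=, ... are accepted by mmdebstrap as-is
                opts="$opts $arg" ;;
            *)
                positional="$positional $arg" ;;
        esac
    done
    # Intentional word splitting: debootstrap positionals contain no spaces.
    # shellcheck disable=SC2086
    set -- $positional
    if [ "$#" -lt 2 ]; then
        echo "usage: SUITE TARGET [MIRROR]" >&2
        return 1
    fi
    suite="$1"
    target="$2"
    # A single mirror URI (third positional, if any) is replaced by the
    # sources.list so that main and security are used together.
    printf '%s\n' "mmdebstrap$opts $suite $target $SOURCES_LIST"
}

# Run as a script: ./wrapper.sh --arch=amd64 --include=apt buster /tmp/chroot
if [ "$#" -ge 2 ]; then
    translate_debootstrap_args "$@"
fi
```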