[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder

Johannes Schauer josch at debian.org
Sat Sep 14 18:26:57 CEST 2019


Hi,

Quoting Patrick Schleizer (2019-09-14 08:00:00)
> Awesome! Great to know you're interested in this!
> 
> Good question. I am not sure what I meant with that either. :) Will look
> into it again.
> 
> First thing:
> 
> ####
> 
> debootstrap:
> 
> --arch=ARCH
> 
> mmdebstrap:
> 
> --architectures=native[,foreign1,...]
> 
> ####
> 
> In other words, grml-debootstrap calls debootstrap with --arch=ARCH.
> This will fail since mmdebstrap does not support --arch=ARCH but wants
> --architectures.
> 
> ####

You seem to claim that mmdebstrap does not support the --arch argument. But it
does. It does so by configuring Getopt::Long with auto_abbrev. This means that
a long option like --architectures can also be written with fewer characters. It
works on my system. It does not on yours? Also from the man page:

     Long options require a double dash and may be abbreviated to uniqueness.

> 
> cowbuilder (or pbuilder?) calls debootstrap with:
> 
> + args='--include=apt --variant=buildd --force-check-gpg buster
> /var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'
> 
> I.e. it is possible to pass an apt repository URI through command line
> (above last argument).
> 
> However, I am translating that in the wrapper to:
> 
> --verbose --architectures=amd64
> --aptopt=/home/user/whonix_binary/aptgetopt.conf
> --include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
> buster /var/cache/pbuilder/base.cow_amd64
> /home/user/Whonix/build_sources/debian_stable_current_clearnet.list
> 
> Using a file
> /home/user/Whonix/build_sources/debian_stable_current_clearnet.list
> which contains both the Debian "standard" repository and the Debian
> security repository.
> 
> This is to make use of mmdebstrap's excellent security feature to
> bootstrap from two repositories at once. If the APT version in the Debian
> "standard" repository had a vulnerability, then the vulnerable version
> would be installed first, before the vulnerable APT would be used to upgrade
> in a later step from the Debian security repository.
> 
> "Incompatibility" is perhaps a far stretched term. How do we "teach"
> grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
> repository and Debian security repository when using mmdebstrap"?
> 
> It's like "the ecosystem does not take advantage of mmdebstrap" yet.

Okay, but as far as I can see there is nothing that can be done in mmdebstrap
about this, right?

> Not sure anymore why I added:
> --include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
> 
> apt-transport-https might be required to support https repositories in
> sources list.

Yes, old apt versions (1.4.9 and earlier) require that package. It has since
become a dummy package.

> apt-transport-tor might be required to support tor+https and .onion in
> sources list.

Yes, but mmdebstrap auto-detects tor URLs and adds the package. This behaviour
is also documented in its man page.

> Johannes Schauer:
> > I added a no-op --force-check-gpg option.
> 
> Where is the source code for that? git cloned just now.
> 
> git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git
> 
> But cannot find any mention of "force-check-gpg".

Yes, I didn't push these changes because I am travelling and have only limited
internet access. It has now been pushed.

> Once I have the new version, and can get past the "force-check-gpg" option, I
> will re-try these tools and see how far I get step by step.

I'm looking forward to your review!

Thanks!

cheers, josch
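As an added illustration of the wrapper translation Patrick describes above (this is example code written for this page, not part of the thread, of Whonix's build scripts, of grml-debootstrap, or of mmdebstrap): a POSIX sh function that takes a debootstrap-style argument list, rewrites --arch= to --architectures= (mmdebstrap would accept the abbreviation anyway, as josch notes, so this is only for explicitness), passes --force-check-gpg and the other long options through, and replaces the trailing mirror argument with a generated sources.list that names both the standard and the security repository, so that apt and everything else installed during the bootstrap already come from the patched pool. The security archive line assumes buster's SUITE/updates layout; the default mirror and the output path are assumptions chosen for the example.

```shell
#!/bin/sh
# Example wrapper (not from the thread or any of the projects it discusses):
# translate debootstrap-style argv into mmdebstrap argv and a two-repo sources.list.

# write_sources_list SUITE MIRROR OUTFILE
# Generates a sources.list with the standard and the security repository,
# so the bootstrap installs from both pools at once.
write_sources_list() {
    suite=$1; mirror=$2; out=$3
    printf 'deb %s %s main\n' "$mirror" "$suite" > "$out"
    # Assumption: buster-style security suite naming (SUITE/updates).
    printf 'deb http://security.debian.org/debian-security %s/updates main\n' \
        "$suite" >> "$out"
}

# translate_args LISTFILE DEBOOTSTRAP_ARGS...
# Prints the translated mmdebstrap arguments, one per line:
#   --arch=X            -> --architectures=X
#   other --options     -> passed through unchanged (incl. --force-check-gpg)
#   SUITE TARGET MIRROR -> SUITE TARGET LISTFILE (MIRROR feeds the list file)
translate_args() {
    listfile=$1; shift
    suite=''; target=''; mirror=''
    for arg in "$@"; do
        case $arg in
            --arch=*) printf '%s\n' "--architectures=${arg#--arch=}" ;;
            --*)      printf '%s\n' "$arg" ;;
            *)
                if   [ -z "$suite" ];  then suite=$arg
                elif [ -z "$target" ]; then target=$arg
                else mirror=$arg
                fi ;;
        esac
    done
    if [ -z "$suite" ] || [ -z "$target" ]; then
        printf 'usage: translate_args LISTFILE [OPTIONS] SUITE TARGET [MIRROR]\n' >&2
        return 1
    fi
    # Assumption: default mirror when the caller passed none.
    [ -n "$mirror" ] || mirror='http://deb.debian.org/debian'
    write_sources_list "$suite" "$mirror" "$listfile"
    printf '%s\n%s\n%s\n' "$suite" "$target" "$listfile"
}

# print_mmdebstrap LISTFILE DEBOOTSTRAP_ARGS...
# Prints the full mmdebstrap command line (single-quoted arguments) instead of
# running it, so the translation can be inspected or piped into sh.
print_mmdebstrap() {
    printf 'mmdebstrap'
    translate_args "$@" | while IFS= read -r a; do printf " '%s'" "$a"; done
    printf '\n'
}

# Run as a script: ./wrapper.sh LISTFILE [debootstrap args...]
if [ "$#" -gt 0 ]; then
    print_mmdebstrap "$@"
fi
```

Arguments are single-quoted on output, which is enough for the paths seen in the thread; an argument containing a literal single quote would need further escaping before the printed line is handed to a shell.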