[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder

Patrick Schleizer adrelanos at riseup.net
Sat Sep 14 08:00:00 CEST 2019

Awesome! Great to know you're interested in this!

Good question. I am not sure what I meant with that either. :) Will look
into it again.

First thing:







In other words, grml-debootstrap calls debootstrap with --arch=ARCH.
This will fail since mmdebstrap does not support --arch=ARCH but wants


cowbuilder (or pbuilder?) calls debootstrap with:

+ args='--include=apt --variant=buildd --force-check-gpg buster
/var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'

I.e. it is possible to pass an apt repository URI through command line
(above last argument).

However, I am translating that in the wrapper to:

--verbose --architectures=amd64
buster /var/cache/pbuilder/base.cow_amd64

Using a file
which contains both, Debian "standard" repository as well as Debian
security repository.

This is to make use of mmdebstrap excellent security feature to
bootstrap from two repositories at once. If the APT version in Debian
"standard" repository had a vulnerability, then the vulnerable version
would be installed first before vulnerable APT would be used to upgrade
in a later step from Debian security repository.

"Incompatibility" is perhaps a far stretched term. How do we "teach"
grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
repository and Debian security repository when using mmdebstrap"?

It's like "the ecosystem does not take advantage of mmdebstrap" yet.

Not sure anymore why I added:

apt-transport-https might be required to support https repositories in
sources list.

apt-transport-tor might be required to support tor+https and .onion in
sources list.

Johannes Schauer:

> I added a no-op --force-check-gpg option.

Where is the source code for that? git clones just now.

git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git

But cannot find any mention of "force-check-gpg".

Once I have the new version, and can get past the "force-check-gpg"
option, I will re-try these tools and see how far I get step by step.


More information about the Whonix-devel mailing list