[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder
adrelanos at riseup.net
Sat Sep 14 08:00:00 CEST 2019
Awesome! Great to know you're interested in this!
Good question. I am not sure what I meant with that either. :) Will look
into it again.
In other words, grml-debootstrap calls debootstrap with --arch=ARCH.
This will fail since mmdebstrap does not support --arch=ARCH but wants
cowbuilder (or pbuilder?) calls debootstrap with:
+ args='--include=apt --variant=buildd --force-check-gpg buster
I.e. it is possible to pass an apt repository URI through command line
(above last argument).
However, I am translating that in the wrapper to:
Using a file
which contains both, Debian "standard" repository as well as Debian
This is to make use of mmdebstrap's excellent security feature to
bootstrap from two repositories at once. If the APT version in Debian
"standard" repository had a vulnerability, then the vulnerable version
would be installed first before vulnerable APT would be used to upgrade
in a later step from Debian security repository.
"Incompatibility" is perhaps a far stretched term. How do we "teach"
grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
repository and Debian security repository when using mmdebstrap"?
It's like "the ecosystem does not take advantage of mmdebstrap" yet.
Not sure anymore why I added:
apt-transport-https might be required to support https repositories in
apt-transport-tor might be required to support tor+https and .onion in
> I added a no-op --force-check-gpg option.
Where is the source code for that? git cloned just now.
git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git
But cannot find any mention of "force-check-gpg".
Once I have the new version, and can get past the "force-check-gpg"
option, I will re-try these tools and see how far I get step by step.
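
Added example, not part of the original message and not the wrapper discussed in it: a sketch of how debootstrap-style arguments could be translated into an mmdebstrap call that bootstraps from the standard and the security repository in one step. The function names, the default mirror, the file paths and the choice to drop --force-check-gpg are assumptions; --architectures, --include, --variant and a sources.list file as MIRROR argument are existing mmdebstrap features.

```shell
#!/bin/sh
# Added example: translate debootstrap-style arguments for mmdebstrap.
# Function names, default mirror and file paths are assumptions.

# Print sources.list lines for SUITE: standard archive plus security archive.
sources_for_suite() {
    suite=$1 mirror=${2:-http://deb.debian.org/debian}
    case $suite in
        # Releases up to buster name the security suite SUITE/updates.
        jessie|stretch|buster) sec="$suite/updates" ;;
        # unstable has no security suite.
        sid|unstable) sec= ;;
        *) sec="$suite-security" ;;
    esac
    echo "deb $mirror $suite main"
    [ -z "$sec" ] || echo "deb http://security.debian.org/debian-security $sec main"
}

# $1: file that receives the sources.list; remaining arguments: the original
# debootstrap call (options, SUITE, TARGET, optional MIRROR).
# Prints the resulting mmdebstrap command line. Arguments containing
# whitespace are not supported in this sketch.
translate_args() {
    list=$1; shift
    opts= positional=
    for arg in "$@"; do
        case $arg in
            --arch=*) opts="$opts --architectures=${arg#--arch=}" ;;
            # Dropped: apt verifies repository signatures by default.
            --force-check-gpg) ;;
            --include=*|--variant=*) opts="$opts $arg" ;;
            --*) echo "unsupported option: $arg" >&2; return 1 ;;
            *) positional="$positional $arg" ;;
        esac
    done
    set -- $positional
    [ $# -ge 2 ] || { echo "need SUITE and TARGET" >&2; return 1; }
    # Both repositories go into one file, so the first APT that is installed
    # already comes from whichever repository carries the newest version.
    sources_for_suite "$1" "$3" > "$list"
    echo "mmdebstrap$opts $1 $2 $list"
}

# Constructed sample call, modelled on the cowbuilder arguments quoted above.
translate_args "$(mktemp -d)/both.list" --include=apt --variant=buildd \
    --force-check-gpg buster /tmp/chroot
```

The function only prints the command line, so the result can be inspected before anything is bootstrapped.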