[Whonix-devel] Bug#940188: compatibility with grml-debootstrap, pbuilder and cowbuilder
josch at debian.org
Sat Sep 14 18:26:57 CEST 2019
Quoting Patrick Schleizer (2019-09-14 08:00:00)
> Awesome! Great to know you're interested in this!
> Good question. I am not sure what I meant with that either. :) Will look
> into it again.
> First thing:
> In other words, grml-debootstrap calls debootstrap with --arch=ARCH.
> This will fail since mmdebstrap does not support --arch=ARCH but wants
you seem to claim that mmdebstrap does not support the --arch argument. But it
does. It does so by configuring Getopt::Long with auto_abbrev. This means that
a long option like --architectures can also be written with less characters. It
works on my system. It does not on yours? Also from the man page:
Long options require a double dash and may be abbreviated to uniqueness.
> cowbuilder (or pbuilder?) calls debootstrap with:
> + args='--include=apt --variant=buildd --force-check-gpg buster
> /var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'
> I.e. it is possible to pass an apt repository URI through command line
> (above last argument).
> However, I am translating that in the wrapper to:
> --verbose --architectures=amd64
> buster /var/cache/pbuilder/base.cow_amd64
> Using a file
> which contains both, Debian "standard" repository as well as Debian
> security repository.
> This is to make use of mmdebstrap excellent security feature to
> bootstrap from two repositories at once. If the APT version in Debian
> "standard" repository had a vulnerability, then the vulnerable version
> would be installed first before vulnerable APT would be used to upgrade
> in a later step from Debian security repository.
> "Incompatibility" is perhaps a far stretched term. How do we "teach"
> grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
> repository and Debian security repository when using mmdebstrap"?
> It's like "the ecosystem does not take advantage of mmdebstrap" yet.
Okay, but as far as I can see there is nothing that can be done in mmdebstrap
about this, right?
> Not sure anymore why I added:
> apt-transport-https might be required to support https repositories in
> sources list.
Yes, old apt versions (1.4.9 and earlier) require that package. It is since a
> apt-transport-tor might be required to support tor+https and .onion in
> sources list.
Yes, but mmdebstrap auto-detects tor URLs and adds the package. This behaviour
is also documented in its man page.
> Johannes Schauer:
> > I added a no-op --force-check-gpg option.
> Where is the source code for that? git clones just now.
> git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git
> But cannot find any mention of "force-check-gpg".
Yes, I didn't push these changes because I am travelling and have only limited
internet access. It has now been pushed.
> Once I have the new version, and can get past the "force-check-gpg" option, I
> will re-try these tools and see how far I get step by step.
I'm looking forward to your review!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
More information about the Whonix-devel