[buildd-tools-devel] Bug#608972: Bug#608972: sbuild: How does that “local apt archive” work?

Roger Leigh rleigh at codelibre.net
Wed Jan 5 11:30:57 UTC 2011 

On Wed, Jan 05, 2011 at 03:36:52AM +0100, Cyril Brulebois wrote:
> It looks like besides some comments in NEWS or in changelogs, we know
> very little about what this local apt archive is about. How does it work
> exactly?

The apt archive is an internal implementation detail of the apt and
aptitude resolvers.  It hasn't been documented because it is
indended to be entirely transparent to the user; it only exists
transiently during the package build and there is nothing user-
configurable about it.  It does not persist across builds, and it
is only used to store the dummy dependency packages for a single
build.

What we do is basically this:

• Create a dummy dependency package
• Install it into the archive
• Generate the Packages/Sources/Release files
• Write a sources.list file into /etc/apt/sources.list.d
• Inject the lists directly into /var/lib/apt/lists
  (to save running apt-get update for all apt sources which is
  undesirable during a build; apt and aptitude do not support
  updating a single source at present)
• Regenerate the apt caches to ensure everything is in sync
• Install the dummy dependency package with apt; the dummy package
  is pulled from the local apt archive, while all its dependencies
  are pulled from the regular configured apt sources.

> What if several repositories, suites, etc. are used?

I'm not sure what you're getting at here.  The regular apt sources.list
configuration is untouched, so it shouldn't affect anything at all.
All we are doing is adding a single repo containing two dummy packages
(core dependencies and package dependencies).

> What if somebody tries to add some local (as in “personal”) repositories?

Again, I'm not sure what you're getting at here.  If this is configured
deliberately, then it will be used as you would expect.  If you're
implying using it as a means for a security exploit, that's not
possible as far as I can see.


I guess that one thing we might want to consider is that the package
build could allow alteration of the repo during the build; I'll need
to double-check the ownership and perms; should all be root:root
anyway to prevent tampering, but I'll check it again anyway.  The repo
is never used again after the build commences, so this is a purely
theoretical issue at present.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20110105/8588d2c5/attachment.pgp>

More information about the Buildd-tools-devel mailing list