[buildd-tools-devel] Bug#608972: Bug#608972: sbuild: How does that “local apt archive” work?

Cyril Brulebois kibi at debian.org
Wed Jan 5 16:37:08 UTC 2011


Roger Leigh <rleigh at codelibre.net> (05/01/2011):
> The apt archive is an internal implementation detail of the apt and
> aptitude resolvers.  It hasn't been documented because it is
> intended to be entirely transparent to the user; it only exists
> transiently during the package build and there is nothing user-
> configurable about it.  It does not persist across builds, and it is
> only used to store the dummy dependency packages for a single build.

Still, “local apt archive” is mentioned. One may think it's related to
having one's own packages added to the standard pool, for example
because one doesn't want to wait for a package to be installed in the
archive before building another one build-depending on it. So that's
confusing, and that's why I asked.

> What we do is basically this:
> 
> • Create a dummy dependency package
> • Install it into the archive
> • Generate the Packages/Sources/Release files
> • Write a sources.list file into /etc/apt/sources.list.d
> • Inject the lists directly into /var/lib/apt/lists
>   (to save running apt-get update for all apt sources which is
>   undesirable during a build; apt and aptitude do not support
>   updating a single source at present)

That's indeed pretty annoying. But that seems to contradict the
default behaviour after a fresh installation of the sid packages:
| $ sbuild -As -d unstable hugs98_98.200609.21-5.1.dsc
| sbuild (Debian sbuild) 0.60.8 (12 Dec 2010) on talisker
| 
| ╔══════════════════════════════════════════════════════════════════════════════╗
| ║ hugs98 98.200609.21-5.1 (amd64)                          05 janv. 2011 17:28 ║
| ╚══════════════════════════════════════════════════════════════════════════════╝
| 
| Package: hugs98
| Version: 98.200609.21-5.1
| Source Version: 98.200609.21-5.1
| Architecture: amd64
| Get:1 http://localhost sid Release.gpg [835 B]
| Ign http://localhost/debian/ sid/main Translation-en
| Get:2 http://localhost sid Release [104 kB]
| Get:3 http://localhost sid/main Sources/DiffIndex [2038 B]
| Get:4 http://localhost sid/main amd64 Packages/DiffIndex [2038 B]
| Get:5 http://localhost sid/main 2011-01-05-0226.14.pdiff [6088 B]
| Get:6 http://localhost sid/main 2011-01-05-0226.14.pdiff [6088 B]
| Get:7 http://localhost sid/main 2011-01-05-0226.14.pdiff [6088 B]
| Get:8 http://localhost sid/main amd64 2011-01-05-0226.14.pdiff [8830 B]
| Get:9 http://localhost sid/main amd64 2011-01-05-0226.14.pdiff [8830 B]
| Get:10 http://localhost sid/main amd64 2011-01-05-0226.14.pdiff [8830 B]
| Get:11 http://localhost sid/main 2011-01-05-0811.34.pdiff [1470 B]
| Get:12 http://localhost sid/main 2011-01-05-0811.34.pdiff [1470 B]
| Get:13 http://localhost sid/main 2011-01-05-0811.34.pdiff [1470 B]
| Get:14 http://localhost sid/main amd64 2011-01-05-0811.34.pdiff [1113 B]
| Get:15 http://localhost sid/main amd64 2011-01-05-0811.34.pdiff [1113 B]
| Get:16 http://localhost sid/main amd64 2011-01-05-0811.34.pdiff [1113 B]
| Get:17 http://localhost sid/main 2011-01-05-1410.03.pdiff [4223 B]
| Get:18 http://localhost sid/main 2011-01-05-1410.03.pdiff [4223 B]
| Get:19 http://localhost sid/main 2011-01-05-1410.03.pdiff [4223 B]
| Get:20 http://localhost sid/main amd64 2011-01-05-1410.03.pdiff [8043 B]
| Get:21 http://localhost sid/main amd64 2011-01-05-1410.03.pdiff [8043 B]
| Get:22 http://localhost sid/main amd64 2011-01-05-1410.03.pdiff [8043 B]
| Fetched 138 kB in 17s (7879 B/s)
| Reading package lists...
| Reading package lists...
| Building dependency tree...
| Reading state information...
| The following packages will be upgraded:
|   libsepol1
| 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
| Need to get 132 kB of archives.
| After this operation, 53.2 kB of additional disk space will be used.
| Get:1 http://localhost/debian/ sid/main libsepol1 amd64 2.0.42-1 [132 kB]
| debconf: delaying package configuration, since apt-utils is not installed
| Fetched 132 kB in 1s (114 kB/s)
| (Reading database ... 10134 files and directories currently installed.)
| Preparing to replace libsepol1 2.0.41-1 (using .../libsepol1_2.0.42-1_amd64.deb) ...
| Unpacking replacement libsepol1 ...
| Setting up libsepol1 (2.0.42-1) ...
| 
| ┌──────────────────────────────────────────────────────────────────────────────┐
| │ Fetch source files                                                           │
| └──────────────────────────────────────────────────────────────────────────────┘

Given the #$apt_update = 0; in sbuild.conf, one might think this
is/should be the default.

> • Regenerate the apt caches to ensure everything is in sync
> • Install the dummy dependency package with apt; the dummy package
>   is pulled from the local apt archive, while all its dependencies
>   are pulled from the regular configured apt sources.
> 
> > What if several repositories, suites, etc. are used?
> 
> I'm not sure what you're getting at here.  The regular apt sources.list
> configuration is untouched, so it shouldn't affect anything at all.
> All we are doing is adding a single repo containing two dummy packages
> (core dependencies and package dependencies).
> 
> > What if somebody tries to add some local (as in “personal”) repositories?
> 
> Again, I'm not sure what you're getting at here.  If this is configured
> deliberately, then it will be used as you would expect.  If you're
> implying using it as a means for a security exploit, that's not
> possible as far as I can see.

I think my first paragraph answers those questions.

KiBi.
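
The "Generate the Packages/Sources/Release files" step from the quoted list, as an added example that is not part of this message and is not sbuild's own code: it writes Packages and Release for a throwaway archive directory, then follows the hash chain Release -> Packages -> package file the way an index check would. The package name, version, Depends value and file bytes are constructed placeholders (not a real .deb), and no Sources index is written.

```python
import hashlib, tempfile
from pathlib import Path

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def write_archive(root, debs):
    """Write package files plus Packages and Release; debs maps name -> (fields, bytes)."""
    stanzas = []
    for name, (fields, blob) in sorted(debs.items()):
        (root / name).write_bytes(blob)
        entry = dict(fields, Filename="./" + name, Size=len(blob), SHA256=sha256(blob))
        stanzas.append("".join(f"{k}: {v}\n" for k, v in entry.items()))
    packages = "\n".join(stanzas).encode()
    (root / "Packages").write_bytes(packages)
    (root / "Release").write_text(
        f"Codename: constructed\nSHA256:\n {sha256(packages)} {len(packages)} Packages\n")

def verify_archive(root):
    """Follow Release -> Packages -> package files; return the paths that mismatch."""
    def bad(path, size, digest):
        data = (root / path).read_bytes()
        return len(data) != int(size) or sha256(data) != digest
    problems, in_hashes = [], False
    for line in (root / "Release").read_text().splitlines():
        if not line.startswith(" "):          # a new field ends the hash list
            in_hashes = line == "SHA256:"
        elif in_hashes:
            digest, size, path = line.split()
            if bad(path, size, digest):
                problems.append(path)
    for stanza in (root / "Packages").read_text().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in f and bad(f["Filename"], f["Size"], f["SHA256"]):
            problems.append(f["Filename"])
    return problems

def demo():
    # Constructed sample: hypothetical package name, placeholder bytes instead of a real .deb.
    name = "example-build-depends-dummy.deb"
    fields = {"Package": "example-build-depends-dummy", "Version": "0.invalid.0",
              "Architecture": "amd64", "Depends": "build-essential"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_archive(root, {name: (fields, b"placeholder .deb bytes")})
        clean = verify_archive(root)
        (root / name).write_bytes(b"tampered")   # change the file after indexing
        return clean, verify_archive(root)
```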