Re: PPA

To: debian-devel@lists.debian.org
Subject: Re: PPA
From: Roger Leigh <rleigh@codelibre.net>
Date: Sun, 1 May 2011 18:04:05 +0100
Message-id: <[🔎] 20110501170405.GV13524@codelibre.net>
In-reply-to: <[🔎] 4DBD8920.6010203@debian.org>
References: <20110428205949.GB8870@rivendell.home.ouaza.com> <87fwp0grbb.fsf@solon.marcbrockschmidt.de> <20110430074538.GF19536@rivendell.home.ouaza.com> <8762pwgkb2.fsf@solon.marcbrockschmidt.de> <20110430102806.GA16642@upsilon.cc> <20110430233219.GA14045@madism.org> <[🔎] 20110501133444.GF15003@mails.so.argh.org> <[🔎] 4DBD756D.8090404@debian.org> <[🔎] 20110501151648.GI15003@mails.so.argh.org> <[🔎] 4DBD8920.6010203@debian.org>

On Sun, May 01, 2011 at 06:24:00PM +0200, Stéphane Glondu wrote:
> I was thinking of a request that would include a base suite (e.g.
> squeeze, wheezy, or sid), files to drop in /etc/apt/sources.list.d (and
> /etc/apt/preferences.d), and the key used to sign unofficial
> repositories. Of course, the request itself would be signed (like
> *.changes or *.commands files on ftp-master). Then a buildd accepting a
> job would add the key with apt-key, drop the files in /etc/apt, upgrade
> and launch the build as usual... the whole thing done in a throw-away
> chroot, obviously (I use cowbuilder myself for that, but I heard that
> sbuild had support for LVM snapshots).

sbuild has support for all the clonable chroot types schroot offers
(LVM snapshots, Btrfs snapshots, unionfs/aufs filesystem overlays
and file-based sources such as compressed tar).  AFAICT most of the
buildds are now using LVM with snapshotting.

If you do want to work on this, checkout sbuild.git.  See
etc/99builddsourceslist for the existing apt sources.list configuration
used by the buildds.  Could this be extended to do what you need?
Otherwise see lib/Sbuild/ResolverBase.pm for the existing sources.list.d
stuff.

WRT the signing key, there would need to be some form of trust path
or else the signature would be worthless.  If packages are being
uploaded to Debian infrastructure, and are under our control, can't
we use a single signing key?  We presumably verified the integrity
and origin of the package on initital upload, so we should be able to
use a generic signing key surely?  If this is provided in a package
then we can trigger automated installation of it.  This could even
be installed prior to downloading the source package; we don't currently
do this (we use the already available archive signing keys), but we can
add it.

The main thing sbuild needs would be the information to add to
sources.list, signing key packages etc.  This would probably require
passing from buildd, so probably more a question of how buildd will
be configured and get the information to pass to sbuild.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: PPA
  - From: Andreas Barth <aba@not.so.argh.org>

References:
- PPA (was: Bits from the Release Team - Kicking off Wheezy)
  - From: Andreas Barth <aba@not.so.argh.org>
- Re: PPA
  - From: Stéphane Glondu <glondu@debian.org>
- Re: PPA
  - From: Andreas Barth <aba@not.so.argh.org>
- Re: PPA
  - From: Stéphane Glondu <glondu@debian.org>

Prev by Date: Re: PPA
Next by Date: Re: PPA
Previous by thread: Re: PPA
Next by thread: Re: PPA
Index(es):
- Date
- Thread