Debootstrap and package versions

To: "debian-boot@lists.debian.org" <debian-boot@lists.debian.org>
Subject: Debootstrap and package versions
From: Matt Bearup <mbearup@microsoft.com>
Date: Wed, 25 Sep 2019 20:31:22 +0000
Message-id: <[🔎] CH2PR21MB1413EF632E97ED0396C873FABD870@CH2PR21MB1413.namprd21.prod.outlook.com>
In-reply-to: <[🔎] CH2PR21MB14134D58BE21BF79CB89AD72BD840@CH2PR21MB1413.namprd21.prod.outlook.com>
References: <[🔎] CH2PR21MB14134D58BE21BF79CB89AD72BD840@CH2PR21MB1413.namprd21.prod.outlook.com>

Hello all,
Trying to get some clarity on an issue we recently sorted out, was hoping you might be able to shed some light. This may be more of an 'apt' question than a debootstrap question...
1. We have a repository of Deb packages that has been curated for various purposes 
2. In the past we've been able to use debootstrap to build a chroot environment from those packages 
3. Recently debootstrap began to fail with a non-descript error (attempting to install a package with a zero-length name) which turned out to be part of pre-dependency resolution. The precise error was:
W: Failure trying to run: chroot "/path/to/chroot" dpkg --force-overwrite --force-confold --skip-same-version --install

4. We further tracked this down to two conflicting bits of behavior
    a. Our apt repo tool (aptly) *appends* packages to the metadata file in the order they're uploaded. So, for instance e2fsprogs version 1.44.5-1 appears *before* 1.44.5-1+deb10u1.
    b. Debootstrap appears to fetch the *first* version of each package that it looks for. So in phase 2 (installing packages and resolving dependencies) it gets "stuck" if the package version that it downloaded (1.44.5-1) is too old to fulfill a pre-dependency (1.44.5-1+deb10u1). I even tried using the make-tarball/unpack-tarball to inject the newer package version, but the same error would occur.

5. From looking at the official metadata for buster and buster-updates, it seems like the convention is to *remove* the old package versions. And indeed, doing this in our repo caused debootstrap to fetch our new package versions and run successfully.

So my questions...
1. Is it intended that debootstrap only grabs the first package version it finds, then neglects to fetch the newer version if it's needed for a pre-dependency? Is it worth scraping the rest of the metadata for newer package versions?
2. I'm fairly certain I've installed "old" package versions before (e.g. apt install foo=n-1). Are the conditions for old packages being removed or retained described anywhere? Looking at the PointReleaseChecklist (https://wiki.debian.org/Teams/ReleaseTeam/PointReleaseCheckList) and bullet #5 above it looks like old packages do in fact get removed, but are there situations where they are retained?

[Resending as I don't think I was fully joined to the mailing list yesterday. Apologies if duplicate]

Thanks,

Reply to:

References:
- Debootstrap and package versions
  - From: Matt Bearup <mbearup@microsoft.com>

Prev by Date: Re: Debootstrap and package versions
Next by Date: Bug#940801: missing virtio block Kernel Objects
Previous by thread: Re: Debootstrap and package versions
Next by thread: Bug#824954: flash-kernel: please provide a way to integrate with GRUB
Index(es):
- Date
- Thread