
Re: unsigned repositories



On Mon, Jul 29, 2019 at 10:53:45AM +0200, Johannes Schauer wrote:
> squeeze ended, we finally were able to remove a few hundred lines of code from

Julian is hoping that removing support for unsigned repositories would
do the same for us with the added benefit that for apt these lines are
security related … 😉


So far all use cases mentioned here seem to be local repositories
though. Nobody seems to be pulling unsigned repositories over the
network [for good reasons]. So perhaps we can agree on dropping support
for unsigned repositories for everything except copy/file sources?

The other thing is repositories without a Release file, which seems to
be something used (legally) by the same class of repositories only, too.
That is in my opinion the more useful drop as the logic to decide if
a file can be acquired with(out) hashes or not is very annoying and
would probably benefit a lot from an "if not-local: return must-hashes"


These should at least help with the security aspect even if I am not sure
yet how that could be refactored to work [but that code area needs lots of
love anyhow, as in the last years I was just busy adding jetpacks and
nitro-injection to this horse-drawn vehicle to keep it afloat, would be
nice if we could retire at least the horses eventually.].


> > Both sbuild and autopkgtest are designed to target multiple Debian releases
> > including the oldest release that still attracts uploads (currently jessie,
> > for LTS), so relying on "apt-get install --with-source" is undesirable.
> > sbuild also uses aptitude instead of apt (for its more-backports-friendly
> > resolver) in some configurations, and that doesn't have --with-source.

Well, we are now building the tools we will be using in ten years in
this really old and clunky bullseye LTS release rushing for a time
machine so that we will would have had done this or that. Let's pretend
for a minute we could avoid that (or: … will be could have had? …).

What is it that you need? Sure, a local repository works, but that
sounds painful and clunky to setup and like a workaround already, so in
effect you don't like it and we don't like it either, it just happens to
work so-so for both of us for the time being.


> Yes. In sbuild we also cannot use other apt features like "apt-get build-dep"
> because sbuild allows one to mangle the build dependencies, so it works with
> dummy packages. So sbuild will have to keep creating its own repository.

Julian did "apt satisfy" recently and build-dep supports dsc files as
input, so naively speaking, could sbuild just write a dsc file the same
way it is now writing a Sources file? Also, --with-source actually
allows adding Packages/Sources files as well; I use them for
simulations only, but in theory they should work "for real", too.


Best regards

David Kalnischkies
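The "if not-local: return must-hashes" rule from the mail, written out as an added illustration (not apt's code and not part of the thread): a remote source must provide a Release file whose hash list covers every index file, while copy/file sources may skip it. It assumes the Release file has already been signature-checked, uses a constructed Release/Packages pair, and only looks at the SHA256 section.

```python
import hashlib
from urllib.parse import urlsplit

# Schemes the proposal would still allow to work without a Release file.
LOCAL_SCHEMES = {"file", "copy"}


def must_have_hashes(uri: str) -> bool:
    """The 'if not-local: return must-hashes' rule: only local sources are exempt."""
    return urlsplit(uri).scheme not in LOCAL_SCHEMES


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a new field; only 'SHA256:' opens the section
            in_section = line.rstrip(":") == "SHA256"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_index(uri: str, release_text, path: str, data: bytes):
    """Decide whether an index file may be acquired; returns (ok, reason)."""
    if release_text is None:
        if must_have_hashes(uri):
            return False, "remote source without Release file"
        return True, "local source, hashes not required"
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return False, "file not listed in Release"
    digest, size = entries[path]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        return False, "hash or size mismatch"
    return True, "verified"


# Constructed sample repository: one Packages file and a Release file listing it.
INDEX_PATH = "main/binary-amd64/Packages"
SAMPLE_PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n\n"
SAMPLE_RELEASE = (
    "Origin: Example\nSuite: test\nSHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    print(verify_index("http://example.invalid/debian", None, INDEX_PATH, SAMPLE_PACKAGES))
    print(verify_index("http://example.invalid/debian", SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES))
```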
