
Re: Restrict apt to specific Jessie distro



On 02/14/2016 12:16 PM, Brendan Simon (eTRIX) wrote:
> The thing is when you are deploying something to lots of sites (e.g. an
> embedded data logger in many remote locations), it's important to know
> exactly what versions you have created and installed, and more
> importantly be able to rebuild the exact same system sometime down the
> track.  e.g. 6-12 months later, when bug is reported and you need to be
> able to replicate the build and make changes based on that build.

So if you just want to exactly reproduce something, then using
snapshot.d.o is actually the right thing to do. The Debian
reproducible builds effort [1] actually uses that service to be
able to reproduce the same build environment for a given package.

If you want to make sure that you exactly get the right package
versions, you could do the following:

 - Use snapshot.d.o in your sources.list and put in the current
   date
 - Once you created a system you later want to reproduce, do the
   following:
    printf "Depends: "
    dpkg-query -f 'ST<${db:Status-Abbrev}>${binary:Package} (= ${Version}), ' -W | \
       sed 's%ST<[^i][^>]*>[^,]*, %%g;s%ST<[^>]*>%%g;s%, $%%'
    printf '\n'
   That will record all installed packages with their version in
   the format Debian packages use for their dependencies.
 - Create a fake binary package with that dependency information
   (see [1])

To reproduce the image:

 - Use the same date for snapshot.d.o
 - debootstrap a minimal system
 - install aptitude in there
 - force-install the package via
        dpkg --force-depends --force-conflicts \
             -i force-package-versions-dummy.deb
 - tell aptitude to resolve dependencies while keeping the dummy
   package:
       aptitude -y -o APT::Install-Recommends=false \
         -o Aptitude::ProblemResolver::StepScore=100 \
         -o "Aptitude::ProblemResolver::Hints::KeepDummy=reject force-package-versions-dummy :UNINST" \
         -o Aptitude::ProblemResolver::Keep-All-Level=55000 \
         -o Aptitude::ProblemResolver::Remove-Essential-Level=maximum \
         install force-package-versions-dummy
      (This is stolen from pbuilder how they satisfy Build-Depends)
 - if everything works out, purge the dummy package again
       dpkg -P force-package-versions-dummy
 - remove aptitude in case your setup doesn't include it in the
   image

Then you can be sure that you have exactly the same versions installed
as the reference.

Note that after image creation you should automate trying to reproduce
them, because otherwise you will only notice an issue with the method I
described here for reproducing a certain image once you need to find a bug.

Also note that if you really use snapshot.d.o a lot, you should be a
nice citizen and have a caching proxy in front of it (you could e.g.
configure apt-cacher-ng for that [2]) so that you don't cause the
snapshot.d.o unnecessary traffic - it's not part of Debian's mirror
network.

> Does apt not use keyrings or some kind of certificates for
> authenticating versions?

APT uses GnuPG cryptographic signatures of certain aggregate files that
contain hashes of the packages. The trusted keyring can be found under
/etc/apt/trusted.gpg - and additional keyrings may be installed under
/etc/apt/trusted.gpg.d. (The latter only in recent Debian versions,
starting with Wheezy IIRC.)

For Jessie you want to look at:

gpg --no-default-keyring \
   --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg \
   --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg \
   --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg \
   --list-keys

Typically, the Release files are signed:
wget http://httpredir.debian.org/debian/dists/jessie/Release
wget -O Release.asc http://httpredir.debian.org/debian/dists/jessie/Release.gpg
gpg --no-default-keyring \
  --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg \
  --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg \
  --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg \
  --verify Release.asc

The 'Release' file then contains a list of MD5 and SHA256 sums of the
Packages files. For example, on amd64 there is
main/binary-amd64/Packages.gz. (The non-compressed files typically don't exist
on mirrors). So you can download that file and verify it's correct:

wget http://httpredir.debian.org/debian/dists/jessie/main/binary-amd64/Packages.gz
# Compare the output of the following two commands
# (size of the file, should be equal)
stat -c '%s' Packages.gz
grep ' main/binary-amd64/Packages.gz' Release | tail -n 1 | awk '{print $2}'
# Check the SHA256 sum:
grep ' main/binary-amd64/Packages.gz' Release | tail -n 1 | awk '{printf "%s  %s\n", $1, $3}' | sed 's%main/binary-amd64/%%' > sums
sha256sum -c sums

The Packages file then contains a list of all packages with the hashes
of the .deb files.

And that's how APT verifies the authenticity of the archive.

(For things that change more often, such as security updates, there's
also a Valid-Until field, see <https://bugs.debian.org/499897>.)

Anyway, hope that helps.

Regards,
Christian

[1] e.g.
(with the output of the commands I gave you stored in a file
called /path/to/depends-line):

mkdir fpv/DEBIAN -p
cd fpv/DEBIAN
cat > control <<EOF
Package: force-package-versions-dummy
Version: 0.invalid.0
Maintainer: Your Name <your@email>
Description: Dummy package to ensure consistent package state
Architecture: all
Section: admin
Priority: required
EOF
cat /path/to/depends-line  >> control
cd ../..
dpkg-deb -b fpv force-package-versions-dummy.deb

[2] e.g. add
Remap-snapshot: /snapshot ; http://snapshot.debian.org/archive/debian
Remap-snapshotsec: /snapshot-security ; http://snapshot.debian.org/archive/debian-security
to /etc/apt-cacher-ng/acng.conf
and use
http://$SERVER:3142/snapshot/20160124T041729Z/ jessie main
http://$SERVER:3142/snapshot-security/20160124T041729Z/ jessie/updates main
as the sources.list entries.
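As an added illustration of the Release/Packages verification steps described above (this is example code written for this page, not something from Christian's mail or from APT itself), the following script parses a Release file in the format the Debian archive uses, picks the SHA256 entry for a given path, and checks the size, the digest and the Valid-Until field. The Release text and the stand-in Packages.gz bytes are constructed sample data; the hex digests are simply the hashes of those constructed bytes. Real Release files list many more paths, but the entry format is the same.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data (not from a real mirror): a stand-in for
# main/binary-amd64/Packages.gz and a minimal Release file that lists it.
# Real Release files carry MD5Sum, SHA1 and SHA256 sections with hundreds
# of entries; each entry line is "<hash> <size> <path>" as below.
PACKAGES_GZ = b"hello\n"
PACKAGES_GZ_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
PACKAGES_GZ_MD5 = "b1946ac92492d2347c6235b4d2611184"

SAMPLE_RELEASE = f"""Origin: Debian
Suite: stable
Codename: jessie
Date: Sun, 24 Jan 2016 04:17:29 UTC
Valid-Until: Sun, 31 Jan 2016 04:17:29 UTC
Architectures: amd64
Components: main
MD5Sum:
 {PACKAGES_GZ_MD5} 6 main/binary-amd64/Packages.gz
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
SHA256:
 {PACKAGES_GZ_SHA256} 6 main/binary-amd64/Packages.gz
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

HASH_SECTIONS = ("MD5Sum", "SHA1", "SHA256")


def parse_release(text):
    """Split a Release file into header fields and per-algorithm checksum
    tables: {"SHA256": {path: (hexdigest, size)}, ...}."""
    fields, sums, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            # Continuation line inside a checksum section: "<hash> <size> <path>"
            parts = line.split()
            if current is not None and len(parts) == 3:
                sums[current][parts[2]] = (parts[0], int(parts[1]))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key in HASH_SECTIONS and value == "":
            current = key          # start of a checksum section
            sums[key] = {}
        else:
            current = None         # ordinary "Key: value" header
            fields[key] = value
    return fields, sums


def parse_release_date(value):
    """Release timestamps look like 'Sun, 24 Jan 2016 04:17:29 UTC'."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def verify_file(release_text, path, data, now=None):
    """Return a list of problems; an empty list means the file checks out.

    Mirrors the manual steps: size must match, SHA256 must match, and the
    Release must not be past its Valid-Until.  The MD5Sum section is
    deliberately ignored; only the strongest listed digest is trusted.
    """
    now = now or datetime.now(timezone.utc)
    fields, sums = parse_release(release_text)
    problems = []
    if "Valid-Until" in fields and now > parse_release_date(fields["Valid-Until"]):
        problems.append("Release file expired (Valid-Until %s)" % fields["Valid-Until"])
    entry = sums.get("SHA256", {}).get(path)
    if entry is None:
        problems.append("no SHA256 entry for %s" % path)
        return problems
    expected_digest, expected_size = entry
    if len(data) != expected_size:
        problems.append("size mismatch: got %d, Release says %d" % (len(data), expected_size))
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_digest:
        problems.append("SHA256 mismatch: got %s, Release says %s" % (actual, expected_digest))
    return problems


if __name__ == "__main__":
    when = parse_release_date("Mon, 25 Jan 2016 00:00:00 UTC")
    print("good:", verify_file(SAMPLE_RELEASE, "main/binary-amd64/Packages.gz", PACKAGES_GZ, when))
    print("tampered:", verify_file(SAMPLE_RELEASE, "main/binary-amd64/Packages.gz", b"hellO\n", when))
```

This only covers the part after the signature check: in practice you run gpg --verify on Release.gpg first, exactly as in the commands above, because a Release file whose signature has not been verified cannot vouch for anything. The parser selects the SHA256 section explicitly rather than relying on grep | tail -n 1 picking the last matching line.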
