Package: apt
Version: 1.4~rc2
X-Debbugs-Cc: Antoine Beaupré <anarcat@orangeseeds.org>
Priority: wishlist
Control: user -1 debian-dpkg@lists.debian.org
Control: usertag -1 declarative-packaging

Please add a new option for sources.list named "pinmark", which can also
be referred to with a Pin: line in apt's preferences. This should make
it much easier to place an apt pin that targets packages from a
particular repository. The rest of this e-mail explains the reasoning
for this request.

--------

Consider a sources.list on a system that needs to install packages from
a sketchy repository:

  deb http://deb.debian.org/debian unstable main
  deb [signed-by=/usr/share/keyrings/sketchy.gpg] http://sketchville.example/debian unstable sketchy

A prudent administrator might want to set up some apt pinning so that
all the sketchy packages are lower-priority than the standard Debian
packages. Or they might want to pin things such that only specific
packages are ever installable from the sketchy repository.

Today, there are a few ways to aim pins just at the one repository, but
none of them seem particularly clean. Consider:

  Package: *
  Pin: release o=Sketchville
  Pin-Priority: -10

This only works as long as the sketchville repository owner doesn't
decide to change their Release file to say "Origin: Debian" instead.
Almost all "Pin: release" lines are effectively under the control of
the repo owner, not the sysadmin. The one exception is the Component:

  Package: *
  Pin: release c=sketchy
  Pin-Priority: -10

This works in this case, because the component name "sketchy" is
explicitly set by the sysadmin in the line in sources.list. The repo
owner can change the Release file to add a different component name
(like "main"), but if they do that, the other component won't be picked
up by apt. The trouble is that lots of third-party repos already use
common component names like "main", so this technique doesn't work for
a sysadmin trying to add one of those repos.
There's also pinning by the URI origin (not the Release Origin:), like
so:

  Package: *
  Pin: origin "sketchville.example"
  Pin-Priority: -10

This works in this case, because the targeted repo is the only one that
is provided from the given host. But it's possible that a sysadmin
wants to use two different repositories hosted on the same mirror, and
wants to pin them differently. In this case, "Pin: origin" won't let
the user distinguish.

So it would be better to have a more straightforward way to target a
particular apt source with a pin.

-----

I'm proposing a new apt source option "pinmark", set by the sysadmin,
which can then be used directly in the pinning. So that would mean
modifying the sources.list like so:

  deb http://deb.debian.org/debian unstable main
  deb [signed-by=/usr/share/keyrings/sketchy.gpg pinmark=sketch] http://sketchville.example/debian unstable sketchy

and then being able to place a specific pin based on the mark:

  Package: *
  Pin: mark sketch
  Pin-Priority: -10

------

If this proposal still sounds weird, please consider it by analogy with
netfilter's packet marking.

Note: i don't actually care about the strings "pinmark" or "mark" or
whatever -- if you've got a better proposal for option names, or an
improved mechanism that provides the same level of simplicity and
clarity (or better), i'd be happy to have it replace this proposal.

Thanks for all the work on apt!

Regards,

        --dkg

PS I recognize that pinning a repository is only one step of the
security puzzle in trying to secure a machine with packages pulled from
multiple repositories. But it's a necessary (if insufficient) step, so
i'm just trying to take it one step at a time. It's certainly related
to the work outlined at:

  https://wiki.debian.org/Teams/Dpkg/Spec/DeclarativePackaging
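The following is an added illustration, not part of the bug report and not apt's code. It is a small Python model of the three pinning approaches discussed above (release o=/c=, URI origin, and the proposed "mark"), using the two sources from the report plus a constructed second repository on the same host. The Release fields, the `pinmark=` option and the `Pin: mark` kind are all assumptions made for the model; the "first matching general-form pin wins" rule is a simplification of apt_preferences(5). The point it shows: a `o=` pin flips off when the repo owner edits Release, a host-based `origin` pin cannot separate two repos on one mirror, and a sysadmin-set mark does both.

```python
"""Toy model of how an apt pin selects a source (added example, not apt's code)."""
from dataclasses import dataclass, field


@dataclass
class Source:
    """One 'deb' line plus the Release data apt would fetch for it."""
    uri: str
    suite: str
    components: list
    options: dict = field(default_factory=dict)  # [key=value ...] on the deb line (sysadmin-controlled)
    release: dict = field(default_factory=dict)  # Origin:/Suite: from Release (repo-controlled)


@dataclass
class Pin:
    kind: str       # "release", "origin", or the proposed (hypothetical) "mark"
    spec: str
    priority: int


def parse_source_line(line):
    """Parse 'deb [opt=val ...] URI suite comp...' into a Source (no Release data yet)."""
    words = line.split()
    if words[0] not in ("deb", "deb-src"):
        raise ValueError("not a sources.list line: %r" % line)
    rest = words[1:]
    options = {}
    if rest and rest[0].startswith("["):
        # the option block may span several whitespace-separated words
        while True:
            tok = rest.pop(0)
            key, _, val = tok.strip("[]").partition("=")
            options[key] = val
            if tok.endswith("]"):
                break
    uri, suite, *components = rest
    return Source(uri=uri, suite=suite, components=components, options=options)


def host_of(uri):
    return uri.split("://", 1)[1].split("/", 1)[0]


def pin_matches(pin, source):
    if pin.kind == "origin":
        # 'Pin: origin' matches the host in the URI, not the Release Origin: field
        return host_of(source.uri) == pin.spec
    if pin.kind == "release":
        for cond in pin.spec.split(","):
            key, _, val = cond.partition("=")
            if key == "o" and source.release.get("Origin") != val:   # repo-controlled
                return False
            if key == "a" and source.release.get("Suite") != val:    # repo-controlled
                return False
            if key == "c" and val not in source.components:          # sysadmin-controlled
                return False
        return True
    if pin.kind == "mark":
        # hypothetical: matches the pinmark= option the sysadmin wrote on the deb line
        return source.options.get("pinmark") == pin.spec
    raise ValueError("unknown pin kind: %s" % pin.kind)


def priority_for(source, pins, default=500):
    """Simplified rule: first matching general-form pin wins, else the default 500."""
    for pin in pins:
        if pin_matches(pin, source):
            return pin.priority
    return default


# Constructed scenario: the two sources from the report plus a second repo on the same host.
DEBIAN = parse_source_line("deb http://deb.debian.org/debian unstable main")
DEBIAN.release = {"Origin": "Debian", "Suite": "unstable"}
SKETCHY = parse_source_line(
    "deb [signed-by=/usr/share/keyrings/sketchy.gpg pinmark=sketch] "
    "http://sketchville.example/debian unstable sketchy")
SKETCHY.release = {"Origin": "Sketchville", "Suite": "unstable"}
EXTRAS = parse_source_line("deb http://sketchville.example/extras unstable main")
EXTRAS.release = {"Origin": "Sketchville Extras", "Suite": "unstable"}


def demo():
    """Return the priority each approach assigns in each case."""
    out = {}
    by_origin_field = [Pin("release", "o=Sketchville", -10)]
    out["o=, honest Release"] = priority_for(SKETCHY, by_origin_field)
    # the repo owner rewrites Release to claim Origin: Debian; the pin silently stops applying
    hijacked = Source(SKETCHY.uri, SKETCHY.suite, SKETCHY.components,
                      SKETCHY.options, {"Origin": "Debian", "Suite": "unstable"})
    out["o=, Release claims Debian"] = priority_for(hijacked, by_origin_field)
    by_host = [Pin("origin", "sketchville.example", -10)]
    out["origin host, sketchy"] = priority_for(SKETCHY, by_host)
    out["origin host, extras"] = priority_for(EXTRAS, by_host)   # caught too, can't separate
    by_mark = [Pin("mark", "sketch", -10)]
    out["mark, sketchy"] = priority_for(SKETCHY, by_mark)
    out["mark, extras"] = priority_for(EXTRAS, by_mark)
    out["mark, debian"] = priority_for(DEBIAN, by_mark)
    return out


if __name__ == "__main__":
    for case, prio in demo().items():
        print("%-28s -> %d" % (case, prio))
```

Running it prints one line per case; the `o=` pin drops from -10 to 500 as soon as the Release file is edited, the host pin gives both same-host repos -10, and only the marked source gets -10 under `Pin: mark`.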