
Bug#858406: allow the local admin to mark repositories and use marks for pinning



Package: apt
Version: 1.4~rc2
X-Debbugs-Cc: Antoine Beaupré <anarcat@orangeseeds.org>
Priority: wishlist
Control: user -1 debian-dpkg@lists.debian.org
Control: usertag -1 declarative-packaging

Please add a new option for sources.list named "pinmark", which can also
be referred to with a Pin: line in apt's preferences.  This should make
it much easier to place an apt pin that targets packages from a
particular repository.

The rest of this e-mail explains the reasoning for this request.

--------

Consider a sources.list on a system that needs to install packages from
a sketchy repository:

    deb http://deb.debian.org/debian unstable main
    deb [signed-by=/usr/share/keyrings/sketchy.gpg] http://sketchville.example/debian unstable sketchy

A prudent administrator might want to set up some apt pinning so that
all the sketchy packages are lower-priority than the standard debian
packages.  Or they might want to pin things such that only specific
packages are ever installable from the sketchy repository.

Today, there are a few ways to aim pins just at the one repository but
none of them seem particularly clean.

Consider:

   Package: *
   Pin: release o=Sketchville
   Pin-Priority: -10

This only works as long as the sketchville repository owner doesn't
decide to change their Release file to say Origin: Debian instead.
Almost all "Pin: release" lines are effectively under the control of the
repo owner, not the sysadmin.  The one exception is the Component:

   Package: *
   Pin: release c=sketchy
   Pin-Priority: -10

This works in this case, because the component name "sketchy" is
explicitly set by the sysadmin in the sources.list line.  The repo owner
can change the Release file to add a different component name (like
"main"), but if they do that, the other component won't be picked up by
apt.  The trouble is that lots of third-party repos already use common
component names like "main", so this technique doesn't work for a
sysadmin trying to add one of those repos.

There's also pinning by the URI origin (not the Release Origin:), like
so:

   Package: *
   Pin: origin "sketchville.example"
   Pin-Priority: -10

This works in this case, because the targeted repo is the only one that
is provided from the given host.  But it's possible that a sysadmin
wants to use two different repositories hosted on the same mirror, and
wants to pin them differently.  In this case, "Pin: origin" won't let
the user distinguish.

So it would be better to have a more straightforward way to target a
particular Apt source with a pin.

-----


I'm proposing a new apt source option "pinmark", set by the sysadmin, which
can then be used directly in the pinning.

So that would mean modifying the sources.list like so:


    deb http://deb.debian.org/debian unstable main
    deb [signed-by=/usr/share/keyrings/sketchy.gpg pinmark=sketch] http://sketchville.example/debian unstable sketchy


and then being able to place a specific pin based on the mark:

    Package: *
    Pin: mark sketch
    Pin-Priority: -10
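
To make the argument above concrete, here is a small model of how the three existing pin selectors and the proposed "mark" selector would resolve against the two sources.list lines in this report. This is an added illustration, not apt's code: the sources.list lines and Release-file fields are constructed to match the report's scenario, and the `mark`/`pinmark` syntax is the proposal as written here, not anything apt 1.4 implements.

```python
import re
from urllib.parse import urlparse

# Constructed sample data modelling the report's scenario (not real repos).
SOURCES = [
    "deb http://deb.debian.org/debian unstable main",
    "deb [signed-by=/usr/share/keyrings/sketchy.gpg pinmark=sketch] "
    "http://sketchville.example/debian unstable sketchy",
]
# Release-file fields are chosen by each repo owner, not by the sysadmin.
RELEASE = {"deb.debian.org": {"Origin": "Debian"},
           "sketchville.example": {"Origin": "Sketchville"}}
LINE_RE = re.compile(r"^deb\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s+(.+)$")
REL_KEYS = {"o": "Origin", "l": "Label", "a": "Suite", "n": "Codename"}

def parse_source(line):
    """Split a one-line-style sources.list entry into options, host, suite, components."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sources.list line: %r" % line)
    opts = dict(o.split("=", 1) for o in (m.group(1) or "").split())
    return {"opts": opts, "host": urlparse(m.group(2)).hostname,
            "suite": m.group(3), "components": m.group(4).split()}

def pin_matches(pin, src, release):
    """Evaluate a 'Pin:' selector against one parsed source and its Release fields."""
    kind, _, arg = pin.partition(" ")
    if kind == "release":
        for term in arg.split(","):
            k, v = term.split("=", 1)
            if k == "c":                          # component: named by the sysadmin
                if v not in src["components"]:
                    return False
            elif release.get(REL_KEYS[k]) != v:   # other fields: repo-controlled
                return False
        return True
    if kind == "origin":                          # URI host, quoted in apt_preferences
        return src["host"] == arg.strip('"')
    if kind == "mark":                            # proposed 'pinmark' option (assumed syntax)
        return src["opts"].get("pinmark") == arg
    raise ValueError("unknown pin type %r" % kind)

def pinned_hosts(pin, releases=RELEASE):
    """Hosts whose source a given pin would hit, given the current Release fields."""
    srcs = [parse_source(s) for s in SOURCES]
    return sorted(s["host"] for s in srcs if pin_matches(pin, s, releases[s["host"]]))

if __name__ == "__main__":
    # The sketchy repo owner rewrites their Release file to claim Origin: Debian.
    hijacked = {**RELEASE, "sketchville.example": {"Origin": "Debian"}}
    for pin in ("release o=Sketchville", "release c=sketchy", "mark sketch"):
        print(pin, pinned_hosts(pin), "-> after Origin change:", pinned_hosts(pin, hijacked))
```

Run as-is, the "release o=Sketchville" pin stops matching anything once the Origin field changes, while the component and mark pins keep hitting only the sketchy source.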


------

If this proposal still sounds weird, please consider it by analogy with
netfilter's packet marking.

Note: i don't actually care about the strings "pinmark" or "mark" or
whatever -- if you've got a better proposal for option names, or an
improved mechanism that provides the same level of simplicity and
clarity (or better), i'd be happy to have it replace this proposal.

Thanks for all the work on apt!

Regards,

        --dkg

PS I recognize that pinning a repository is only one step of the
   security puzzle in trying to secure a machine with packages pulled
   from multiple repositories.  But it's a necessary (if insufficient)
   step, so i'm just trying to take it one step at a time.  It's
   certainly related to the work outlined at:
   https://wiki.debian.org/Teams/Dpkg/Spec/DeclarativePackaging
