
Bug#863622: apt: warn when installing packages that are not reproducible



On Mon, May 29, 2017 at 12:24:29PM +0100, Chris Lamb wrote:
> Package: apt
> Severity: wishlist
> X-Debbugs-CC: reproducible-builds@lists.alioth.debian.org
> 
> Hi,
> 
> APT should (eventually) warn when installing packages that are not
> reproducible. 
> 
> Clearly, all the bits to make this work today are not in dak, APT, the
> mirrors, etc. However, I thought it was best to experiment early with
> the potential user interface.
> 
> This would ensure that we know exactly what data we need and we don't
> make a big mistake and miss something.
> 
> To this end, I've attached a proof of concept patch. Example output:
> 
>   $ apt install python-pywt-doc
>   Reading package lists... Done
>   Building dependency tree       
>   Reading state information... Done
>   The following NEW packages will be installed:
>     python-pywt-doc
>   0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
>   Need to get 102 kB of archives.
>   After this operation, 978 kB of additional disk space will be used.
>   WARNING: The following packages are not reproducible!
>     python-pywt-doc
>   Install these packages anyway? [y/N]
> 
>   $ echo $?
>   130

Seems OK.

> 
> 
> It takes an expected "--allow-unreproducible" argument, as well as an
> "-o Debug::pkgAcquire::Reproducible=true" if you want to debug it. I
> might play with it more at https://github.com/lamby/apt on the
> reproducible-ui branch:
> 
>   https://github.com/lamby/apt/tree/lamby/wip/reproducible-ui
> 
> Just to be clear, the patch is obviously a disgusting hack and you
> should not use it, hence the lack of a "patch" tag (!).

Now, we are missing some stuff:

- Checking if a package is reproducible by simply asking for
  package name (and version maybe) is not really "safe". You
  could be installing a completely different package that happens
  to share those attributes. In essence, that's more like asking
  a bug tracker. We'd need some hash or something to add to the
  lookup (unless the information comes from the same repo).

- For integration in APT, we need:

  * sources.list entries
  * InRelease files
  * Some new kind of index referenced in the InRelease files
    (Reproducibility ?) that we can parse - in deb822 format,
    with fields Package, Architecture, Version, and 
    Reproducible: yes. And well, some kind of ID field maybe,
    I don't know. Could also be part of the Packages
    file (in case of multiple repro sources, if any did not
    build reproducible, we can still mark it as not reprod.).

   Because as I said before, we don't want to download
   anything we can't verify with GPG. We likely also want
   to restrict GPG keys to not work for normal repositories;
   I'm not sure how that would work.

   There's also a reason for requiring reproducibility info
   to be signed: If it ever becomes the default (or people use
   it as a default), you could MITM a repro server and respond
   that all packages are not reproducible, preventing (automatic)
   upgrades.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
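The reply above sketches a signed, deb822-style Reproducibility index referenced from InRelease, and argues that a lookup by package name and version alone is unsafe and that unsigned reproducibility data could be used by a MITM to stall upgrades. The following is an added example written for this page, not code from APT, dak, or either poster: a small Python model of that design. The index path `main/binary-all/Reproducibility`, the per-package `SHA256` field (standing in for the "some kind of ID field" mentioned above), the sample stanzas and the hypothetical helper names are all assumptions; OpenPGP verification of the InRelease body is assumed to have already happened upstream.

```python
"""Model of a signed 'Reproducibility' index: verify it against InRelease,
then look packages up by the .deb hash rather than by name alone.

All formats, field names and sample data here are constructed assumptions,
not anything APT or dak actually publishes."""
import hashlib

# Assumed location of the new index inside the archive (hypothetical).
INDEX_PATH = "main/binary-all/Reproducibility"

# Constructed sample index in deb822 format. 'SHA256' is the hash of the
# .deb itself; the values below are placeholders, not real package hashes.
REPRO_INDEX = """\
Package: python-pywt-doc
Version: 0.5.1-1
Architecture: all
SHA256: 1111111111111111111111111111111111111111111111111111111111111111
Reproducible: no

Package: hello
Version: 2.10-1
Architecture: amd64
SHA256: 2222222222222222222222222222222222222222222222222222222222222222
Reproducible: yes
"""


def parse_deb822(text):
    """Parse deb822 text into a list of stanzas (dicts).

    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field, which is how the multi-line hash lists in
    Release/InRelease files are written."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t":
            if last_field is None:
                raise ValueError("continuation line before any field")
            current[last_field] = (current[last_field] + "\n" + line.strip()).strip()
            continue
        field, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed deb822 line: %r" % line)
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def release_hashes(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 list of a Release body."""
    stanza = parse_deb822(release_text)[0]
    out = {}
    for entry in stanza.get("SHA256", "").split("\n"):
        if entry:
            digest, size, path = entry.split()
            out[path] = (digest.lower(), int(size))
    return out


def build_release(index_text):
    """Constructed InRelease body (the signed part) that an archive would
    publish; the signature wrapper itself is assumed verified elsewhere."""
    data = index_text.encode()
    return ("Origin: Debian\nSuite: unstable\nSHA256:\n %s %d %s\n"
            % (hashlib.sha256(data).hexdigest(), len(data), INDEX_PATH))


def verify_index(release_text, index_text):
    """Fail closed: accept the index only if its hash and size match the entry
    in the signed InRelease. An attacker who rewrites the index to say
    'Reproducible: no' for everything cannot also fix the signed hash."""
    expected = release_hashes(release_text).get(INDEX_PATH)
    if expected is None:
        raise ValueError("InRelease does not list %s" % INDEX_PATH)
    data = index_text.encode()
    if (hashlib.sha256(data).hexdigest(), len(data)) != expected:
        raise ValueError("Reproducibility index does not match signed InRelease")
    return parse_deb822(index_text)


def reproducibility_status(index, package, version, arch, deb_sha256):
    """Return 'yes', 'no' or 'unknown'. The .deb hash must match as well as
    name/version/arch, since a name match alone could describe a different
    build of the same package."""
    for st in index:
        if (st["Package"], st["Version"], st["Architecture"]) == (package, version, arch):
            if st["SHA256"].lower() != deb_sha256.lower():
                return "unknown"  # same name and version, different binary
            return st["Reproducible"].lower()
    return "unknown"


def unreproducible_packages(index, wanted):
    """wanted: [(package, version, arch, deb_sha256)]. Returns the names that
    would go under the proposed WARNING line; 'unknown' is treated as not
    reproducible so the check fails closed."""
    return [p for (p, v, a, h) in wanted
            if reproducibility_status(index, p, v, a, h) != "yes"]


if __name__ == "__main__":
    release = build_release(REPRO_INDEX)
    index = verify_index(release, REPRO_INDEX)
    print("WARNING: not reproducible:", unreproducible_packages(
        index, [("hello", "2.10-1", "amd64", "2" * 64),
                ("python-pywt-doc", "0.5.1-1", "all", "1" * 64)]))
    # A MITM rewriting the index cannot pass the signed-hash check.
    try:
        verify_index(release, REPRO_INDEX.replace("Reproducible: yes", "Reproducible: no"))
    except ValueError as exc:
        print("rejected tampered index:", exc)
```

The lookup deliberately returns "unknown" when the name, version and architecture match but the .deb hash does not, and the warning path treats "unknown" like "no"; that is the fail-closed behaviour the reply asks for, and it is what makes the index useless to an attacker unless they can also forge the archive signature.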