Comment 8 for bug 645147

Wookey (wookey) wrote : Re: [Bug 645147] Re: pdebuild-cross fails to build things

+++ Steve Langasek [2010-09-29 18:03 -0000]:
> Sorry, last comments - saving the best for last... :)
>
> * xapt: Use /etc/lsb-release to identify Debian/Ubuntu and use correct default
> URL and suites, but avoid 9MB lsb-release+python dependency
>
> However, lsb_release is the defined interface for this - parsing the
> file may give you random otherness in the future.

agreed

> And lsb-release is a
> part of the minimal Ubuntu system.

Do you mean the file or the package? The file is part of base-files
and is present in any Ubuntu chroot, the package lsb-release is only there
if something installs it.

> Could you instead check for the
> existence of lsb-release at runtime, and fall back to assuming Debian if
> it's not present?

We could, but my understanding was that the file was due to start
existing in Debian soonish, so that seems even less reliable. If I'm
wrong about that then it would be plausible.

In fact we've decided that a much better way to do this is to provide a
simple config file for the things that change between distros, and
that file can change with distro. So now the program itself doesn't
have to guess anything about distro - just read its file.

I could just implement that.

> * xapt: use --force-yes so unauthenticated repositories work
>
> unauthenticated remote repositories are a bug, that should not be worked
> around by disabling authentication as this opens a trivial MITM attack
> against the main repos that *do* provide gpg authentication. This needs
> to be an option to xapt, not a hard-coded setting, and needs to be OFF
> by default (i.e., authentication enabled).

I don't really agree that MITM attacks on disposable chroots matter
much, and certainly not that unauthenticated remote repos are a bug.
They are quite common, especially in embedded and cross-tool work
(that's where marcin's tools started a few weeks ago for example) and
it's useful if they work.

xapt is only doing this because the whole new authentication
infrastructure in 0.8 doesn't seem to work right (or at least we are
not using it right in multistrap). xapt already used --force-yes in
the version that's already in the repo (under some circs) so refusing
to upload it on those grounds is not really convincing.

All that said I do agree that this is hackery and would love to have
it all working right, but I did quite a bit of fiddling and failed to
work out what was actually necessary for this to work, and in the
meantime it seemed a lot better to have a working solution of some
sort than to disappear further down that rathole. At least until I got
some clarification from the apt team.

A related issue is that no-auth is an apt-wide setting and should
arguably be a per-repo thing so that when you have one unauthed repo
with a few extra packages in it you don't have to ignore auth on _all_
packages. It's very all-or-nothing currently.

> * xapt: Fix incorrect skipping of source URLs that don't end in .list
>
> I don't understand the point of this change - the only effective
> difference appears to be whether we print out the 'skipping' message for
> backup files, we're still ignoring all files which don't end in '.list',
> and that appears to be correct?

It used to use backup files if they were present, which confused me
for some time (I had fixed a URL typo but it kept using the old URL
until this fix (and of course my filer was hiding the 'file~' to add
to the confusion)).

> Finally:
>
> $progname = basename($0);
> $ourversion = &scripts_version();
> $dir = "/var/lib/xapt/";
> -# $mirror = "http://ftp.uk.debian.org/debian/";
> -$mirror = "http://archive.ubuntu.com/ubuntu/";
> +given($distribution) {
> + when (/^Debian/) {
> + $mirror = "http://ftp.uk.debian.org/debian/";
> + $defaultsuites = "main contrib non-free";
> + }
> + when (/^Ubuntu/) {
> + $mirror = "http://archive.ubuntu.com/ubuntu/";
> + $defaultsuites = "main universe multiverse";
> + }
> + when (undef) {
> + $mirror = "http://ftp.uk.debian.org/debian/";
> + $defaultsuites = "main contrib non-free";
> + }
> +}
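Review bot: the `given` block has no `default` arm, so a `$distribution` string that matches neither `/^Debian/` nor `/^Ubuntu/` leaves `$mirror` and `$defaultsuites` unset after this block. The `when (undef)` arm is a verbatim copy of the Debian arm; replacing it with a `default` arm that carries the Debian values would cover both the undefined and the unrecognised case and remove the duplication.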
>
> should this use cdn.debian.net maybe, which is geo-aware?

Seems a good idea.

> And the
> default suites list duplicates 'main' here and below; and $distribution
> should never be undefined because we already fall back to Debian. So
> maybe this is better written like so?:
>
> -# $mirror = "http://ftp.uk.debian.org/debian/";
> -$mirror = "http://archive.ubuntu.com/ubuntu/";
> +given($distribution) {
> + when (/^Debian/) {
> + $mirror = "http://cdn.debian.net/debian/";
> + $defaultsuites = "contrib non-free";
> + }
> + when (/^Ubuntu/) {
> + $mirror = "http://archive.ubuntu.com/ubuntu/";
> + $defaultsuites = "universe multiverse";
> + }
> +}
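Review bot: with the `when (undef)` arm removed and still no `default` arm, nothing in this block assigns `$mirror` when `$distribution` matches neither pattern, so the block now relies on `$distribution` always holding a matching value by the time it runs; a `default` arm, or an explicit `die` on an unrecognised value, would make that assumption visible. `$defaultsuites` also no longer contains `main` in either arm, so a comment saying where `main` gets added would help the next reader.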

Fair comment again - made moot by the idea of just using a config file.

Wookey
--
Principal hats: Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/
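
The three points discussed in this thread (a per-distro config file instead of distro guessing, reading only source files whose names end in `.list`, and `--force-yes` as an opt-in that is off by default), as an added example that is not part of the original message and is not xapt's own code. The config file name, its `key = value` format, the `allow_unauthenticated` key and the function names are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical per-distro config: "key = value" lines, '#' starts a comment.
sub read_distro_config {
    my ($path) = @_;
    # Authentication stays enabled unless the file explicitly opts out.
    my %cfg = (allow_unauthenticated => 'no');
    open(my $fh, '<', $path) or die "cannot read $path: $!";
    while (my $line = <$fh>) {
        $line =~ s/#.*//;
        next unless $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
        $cfg{$1} = $2;
    }
    close($fh);
    defined $cfg{$_} or die "$path: missing '$_'\n" for qw(mirror suites);
    return \%cfg;
}

# Only regular files named *.list count as sources; an editor backup such
# as "extra.list~" fails the anchored match and is never read.
sub source_list_files {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "cannot open $dir: $!";
    my @files = sort grep { /\.list\z/ && -f "$dir/$_" } readdir($dh);
    closedir($dh);
    return @files;
}

# Build the apt-get argument list; --force-yes appears only on opt-in.
sub apt_get_args {
    my ($cfg, @packages) = @_;
    my @args = ('install', '-y');
    push @args, '--force-yes' if $cfg->{allow_unauthenticated} eq 'yes';
    return (@args, @packages);
}

# Constructed sample data in a temporary directory.
my $tmp = tempdir(CLEANUP => 1);
for my $name ('extra.list', 'extra.list~', 'notes.txt') {
    open(my $fh, '>', "$tmp/$name") or die "cannot write $name: $!"; close($fh);
}
open(my $fh, '>', "$tmp/distro.conf") or die "cannot write config: $!";
print $fh "mirror = http://archive.ubuntu.com/ubuntu/\nsuites = main universe multiverse\n";
close($fh);
my $cfg = read_distro_config("$tmp/distro.conf");
print "sources: @{[ source_list_files($tmp) ]}\n";
print "apt-get @{[ apt_get_args($cfg, 'libfoo-dev') ]}\n";
```

Adding the line `allow_unauthenticated = yes` to the sample config is the only way `--force-yes` reaches the argument list, which keeps the weakened mode a visible, per-installation decision.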