Add archlinux repo config

[marmarek]

Key is included here, but other parts needs adjustment.

TODO:

• fix repository definition for "current" repo
• fix repository definition for "current-testing" - is there any better option to disable it than comment out?
• fix path where key is installed
• load key to pacman on install (is it automatic? is there a path needed in repo config?)

I haven't quickly found documentation for pacman repository config format. Any help appreciated.

[marmarek]

But also - reconsider repository layout - currently there is needlessly deep structure (vm/archlinux/pkgs) - I think at least the last part is not necessary.

[neowutran]

Afaik:

• There is no requirement for repository layout. It could just be
  Server = https://archlinux.qubes-os.org/r4.1/current/

• Probably better if there is a explicit priority number here (if 1 package is found in multiple repository, what is the one pacman should select):
  https://github.com/QubesOS/qubes-meta-packages/pull/27/files#diff-9b0e931f925a86f08dd87a6b1d2bafa2cbafcdf40cf49fc9a376dab085427504R40
  Example "99-qubes-4.1.conf", or https://github.com/unman/notes/blob/master/Arch

• " is there any better option to disable it than comment out?".
  If the file doesn't end with ".conf" it is ignored. Could be 2 files "r4.1-current.conf" & "r4.1-current-testing.conf.disabled"
  So file would need to be renamed instead of edited to be active. Could be better/easier depending on what you want to do.

• "is it automatic? is there a path needed in repo config?", it is just GPG, with no direct link between the trusted keys and the repositories. From archwiki "gpg --homedir /etc/pacman.d/gnupg --list-keys"
  So just need to add the trusted key (example from unman: https://github.com/unman/notes/blob/master/Arch)

[ptitdoc]

• is there any better option to disable it than comment out?

Actually @neowutran solution is correct and that what I have done in my failed community repository attempts.

You can also install r4.1-current-testing.conf.disabled in the package and create a symlink r4.1-current-testing.conf to this .disabled file to enable the repository:

https://github.com/QubesOS/qubes-core-agent-linux/blob/75ffdf6a5392cf034d74474b661b0c4ab9ed4037/archlinux/PKGBUILD-keyring.install#L8

[ptitdoc]

• load keys on pacman : is it automatic? is there a path needed in repo config?

Please check the package qubes-vm-keyring that enable trust, first by copying the GPG keys:

https://github.com/QubesOS/qubes-core-agent-linux/blob/75ffdf6a5392cf034d74474b661b0c4ab9ed4037/archlinux/PKGBUILD#L129

Then by updating the trust:

https://github.com/QubesOS/qubes-core-agent-linux/blob/75ffdf6a5392cf034d74474b661b0c4ab9ed4037/archlinux/PKGBUILD-keyring.install#L3

[ptitdoc]

Of course this can be removed from qubes-core-agent-linux afterwards.

[icequbes1]

Will the archlinux.qubes-os.org be considered a qubes-contrib repo? Otherwise as @ptitdoc says there is scaffolding in core-agent-linux to bootstrap a qubes archlinux repo.

Are we simply moving it over here and adding the Qubes signing keys + repo, or do we want to just add the Qubes signing keys+repo to core-agent-linux?

[ptitdoc]

Actually it is defined as a sub-package called qubes-vm-keyring, so that one could actually bootstrap the repository using the package qubes-vm-keyring package alone.

But it make sense to put it in qubes-meta-packages instead as it allow managing all repositories GPG keys from a single git repository.

[marmarek]

Yes, exactly - since now we have qubes-meta-package repository, it is the right place for such files (it didn't existed at the time when previous attempts at Arch were made).

[ptitdoc]

Do you need help on this ? I can migrate the repository management code if you want.

[ptitdoc]

Sorry I through about something:

Pacman has no drop-in directory by default for repositories. So we setup the drop-in directory in core-agent-vm:
https://github.com/QubesOS/qubes-core-agent-linux/blob/75ffdf6a5392cf034d74474b661b0c4ab9ed4037/archlinux/PKGBUILD.install#L306

Maybe we should do the same here (using exactly the same markers in pacman.conf to avoid conflicts with core-agent). This way we can really use this package as bootstrap for enabling qubes-repository.

[marmarek]

Ah, I moved the part about placing files in /etc/pacman.d here (see latest force-push), but haven't noticed the drop-in support isn't by default. Probably makes sense to move it here too, right?

[ptitdoc]

I would say keep the dropin support in both. For core agent we need the proxy configuration & all.

[marmarek]

Right, core-agent needs dropin support too. The install logic clears the content between markers, so when added here, it will break proxy on update (until core-agent fixes it).
Since the content between markers doesn't need to be dynamic here, maybe simply check for this include and add it (perhaps with a comment suffix on the same line to be able to update it later, if comments on the same line are allowed in pacman.conf).

[ptitdoc]

If I remember markers are just for enabling droppins in /etc/pacman.d, and even if we clear them every time, we never actually remove them.

Adding or removing a config file inside /etc/pacman.d however will have effects.

So if we put exactly the same marker, both package will only try to ensure that Include = /etc/pacman.d/*.conf is at the right place, which is right before the first repository definition so that dropins can either be repositories or global config options.

Ordering of config files is important however because these dropins are just a hack and we need to add repositories only after pacman options, so I used files starting with 99-myrepo.conf for repositories.

[marmarek]

Ah, right, and proxy is setup as a drop-in, not directly in pacman.conf using markers. Then it should be fine.

[ptitdoc]

Opps we posted at the same time. Please look at my note about using 99-myrepo.conf.

[icequbes1]

Based on the files already at the current-testing archlinux.qubes-os.org URL, the repo reference on line 1 of the .conf files would need to be [qubes] instead of [qubes-r4.1-current-testing] as there is qubes.db at the URL. Or the other way around - rename qubes.db to qubes-r4.1-current-testing.db, etc

[marmarek]

I already updated the scripts to rename .db: QubesOS/qubes-linux-repo-archlinux@7ab8bc7
This will apply on the next package upload.

[ptitdoc]

If you want to install a file directly from the PKGBUILD, you have to set the array source=() with the proper files which will then be available into ${srcdir}. However archlinux does not allow adding a whole directory (only local file or archives in the same directory than PKGBUILD)

So we have to fake the fact that the source is self contained like that:

    for source in repos ; do
        # shellcheck disable=SC2154
        (ln -s "$srcdir/../$source" "$srcdir/$source")
    done

So here is my proposal:

# Frédéric Pierret <[email protected]>

pkgname=(qubes-vm-dependencies qubes-vm-recommended qubes-vm-repo)
pkgver=$(cat version)
pkgrel=1

epoch=
pkgdesc="Meta packages for Qubes-specific components"
arch=("x86_64")
url="http://qubes-os.org/"
license=('GPL')
groups=()
depends=()
makedepends=()
checkdepends=()
optdepends=()
provides=()
conflicts=()
replaces=('')
backup=()
options=()
install=
changelog=

source=()

noextract=()
md5sums=() #generate with 'makepkg -g'

build() {
  for source in repos ; do
    # shellcheck disable=SC2154
    (ln -s "${srcdir}/../${source}" "${srcdir}/${source}")
  done
}

package_qubes-vm-dependencies() {
    depends=(qubes-vm-xen qubes-vm-core qubes-vm-qrexec qubes-vm-gui qubes-vm-pulseaudio)
}

package_qubes-vm-recommended() {
    depends=(qubes-vm-passwordless-root qubes-vm-networking qubes-gpg-split qubes-usb-proxy)
}

package_qubes-vm-repo() {
    replaces=('qubes-vm-keyring')
    install=PKGBUILD-repo.install
    install -m 0644 -D ${srcdir}/repos/archlinux-qubes-repo-4.1-current.conf "${pkgdir}/etc/pacman.d/90-qubes-4.1-current.conf.disabled"
    install -m 0644 -D ${srcdir}/repos/archlinux-qubes-repo-4.1-current-testing.conf "${pkgdir}/etc/pacman.d/90-qubes-4.1-current-testing.conf.disabled"

    # Install keyring (will be activated through the .install file)
    install -dm755 "${pkgdir}/usr/share/pacman/keyrings/"
    install -m0644 ${srcdir}/repos/qubes-repo-archlinux-key.asc  "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg"
    install -m0644 ${srcdir}/repos/qubes-repo-archlinux-trusted "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted"
    install -m0644 ${srcdir}/repos/qubes-repo-archlinux-revoked "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked"
}

# vim:set ts=4 sw=4 et:

[ptitdoc]

build failure as repo is not found.

[ptitdoc]

Need to put absolute path there because it may creates an invalid symlink, and prepend with 90-.
ln -s /etc/pacman.d/90-qubes-${release}-current.conf.disabled /etc/pacman.d/90-qubes-${release}-current.conf

[ptitdoc]

From these fixes, it is building and installing properly. Using the right repository name still need to be fixed (qubes vs qubes-r4.0-current-testing). It tried changing testing repository to [qubes] to verify everything is working and it seems OK.

Should we care about cleanup ? (removing symlinks, disabling trust ...)

[ptitdoc]

marmarek#1

[marmarek]

Should we care about cleanup ? (removing symlinks, disabling trust ...)

I'd say it is optional, we don't do that in other distros.

[marmarek]

Thanks for fixes @ptitdoc !

[marmarek]

PipelineRetry

[icequbes1]

I think this needs to be merged into meta-packages/release-4.0 as well?

Building R4.0 archlinux fails because builder-archlinux now wants qubes-vm-dependencies in scripts/04_install_qubes.sh and that only exists here in meta-packages/master.

builder-archlinux does not have a release-4.0 branch, so all the R4.1/master updates for builder-archlinux have to work for R4.0.

Edit: temporary workaround for R4.0

cd qubes-src/builder-archlinux
git revert 49c9ca6bb
git revert bb9825361