This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

Builder logic should pin upstream dependencies #14

Open
conorsch opened this issue Jul 1, 2020 · 6 comments

@conorsch
Contributor

conorsch commented Jul 1, 2020

On the latest master branch, the make template operation fails:

Makefile:591: target 'mgmt-salt.grep' given more than once in the same rule
make[2]: Leaving directory '/home/user/qubes-template-securedrop-workstation/qubes-builder'
-> Building template buster (logfile: build-logs/template-buster.log)...
make[1]: *** [Makefile:320: template-local-buster+securedrop-workstation] Error 1
make[1]: Leaving directory '/home/user/qubes-template-securedrop-workstation/qubes-builder'
make: *** [Makefile:2: template] Error 2

Inspecting that log file, we see:

Reading package lists...
Building dependency tree...
Reading state information...
apt-transport-https is already the newest version (1.8.2.1).
qubes-vm-recommended is already the newest version (4.0.7-1+deb10u1).
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 qubes-img-converter : Depends: python3-qubesimgconverter but it is not installable
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
Removing 'local diversion of /sbin/initctl to /sbin/initctl.distrib'
make[2]: *** [Makefile:65: rootimg-build] Error 100
make[2]: Leaving directory '/home/user/qubes-template-securedrop-workstation/qubes-builder/qubes-src/linux-template-builder'

It looks like newer upstream changes have broken our template build logic, so let's investigate. There may be overrides that we can place in securedrop-workstation.conf, or perhaps we should pin a submodule of the qubes-builder repo.

Steps to reproduce

  1. Configure an F31-based build environment, as described in the README.
  2. Check out this repository, on the master branch
  3. Run make template
  4. Inspect ./qubes-builder/build-logs/template-buster.log, observe error
@conorsch
Contributor Author

conorsch commented Jul 1, 2020

Documenting a few research notes from discussion with @emkll.

Would expect a patch like this to resolve (but it doesn't):

diff --git a/securedrop-workstation.conf b/securedrop-workstation.conf
index 785d3b8..82a38a3 100644
--- a/securedrop-workstation.conf
+++ b/securedrop-workstation.conf
@@ -7,6 +7,7 @@
 # Assigments can be made with VAR_NAME="VALUE"
 GIT_URL_template_securedrop_workstation = https://github.com/freedomofpress/qubes-template-securedrop-workstation
+BRANCH_app_linux_img_converter = v1.2.8
 BRANCH_template_securedrop_workstation ?= master
 BUILDER_PLUGINS += builder-debian
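Review bot: The added `BRANCH_app_linux_img_converter = v1.2.8` line has no comment saying why this component is held at v1.2.8, and it sits between the GIT_URL_ and BRANCH_ lines for template_securedrop_workstation, splitting that pair. Move it below `BRANCH_template_securedrop_workstation ?= master` with a one-line comment giving the reason for the pin, and consider `?=` to match the neighbouring assignment so the value can still be overridden from the environment.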

There are relevant vars such as USE_QUBES_REPO_VERSION (which we already use) documented in https://www.qubes-os.org/doc/qubes-builder/#use-pre-built-qubes-packages.

@kushaldas

I can reproduce the error; the dependency came via QubesOS/qubes-linux-utils@99d87c2. @marmarek suggested waiting until QubesOS/qubes-linux-utils@99d87c2 lands in qubes-utils 4.0.29, and there is one dependency issue to be fixed.

@marmarek

marmarek commented Jul 1, 2020

The problematic version (1.2.9) is only in testing repository, do you have USE_QUBES_REPO_TESTING enabled?
BRANCH_* applies only to locally built packages (listed in COMPONENTS), not those downloaded as a binary package.

@conorsch
Contributor Author

conorsch commented Jul 2, 2020

Thank you both, that's very helpful guidance.

The problematic version (1.2.9) is only in testing repository, do you have USE_QUBES_REPO_TESTING enabled?

@marmarek No, we don't! However, I'm definitely getting the 1.2.9 version in the local chroot when building. If I copy the contents of qubes-builder/chroot-vm-buster/tmp/ into a separate dir for inspection, I see:

 $ sudo find | grep -i qubes-img-converter
./qubes-deb/deb/qubes-img-converter_1.2.9.orig.tar.xz
./qubes-deb/deb/qubes-img-converter_1.2.9-1+deb10u1_amd64.deb
./qubes-deb/deb/qubes-img-converter_1.2.9-1+deb10u1_amd64.changes
./qubes-deb/deb/qubes-img-converter_1.2.9-1+deb10u1_amd64.buildinfo
./qubes-deb/deb/qubes-img-converter_1.2.9-1+deb10u1.dsc
./qubes-deb/deb/qubes-img-converter_1.2.9-1+deb10u1.debian.tar.xz

And that 1.2.9 version is pulled in via etc/apt/sources.list.d/qubes-builder.list in the chroot, which contains:

deb [trusted=yes] file:/tmp/qubes-deb buster main

But in a Debian10-based AppVM elsewhere on my machine, clearly that package is not in the stable repos, so clearly the build process is using test-only dependencies, despite lack of testing repos being enabled. Even after applying this patch:

diff --git a/securedrop-workstation.conf b/securedrop-workstation.conf
index 785d3b8..c63494f 100644
--- a/securedrop-workstation.conf
+++ b/securedrop-workstation.conf
@@ -22,6 +22,10 @@ TEMPLATE_ONLY ?= 1
 # Default: 3
 RELEASE := 4.0
 
+# Explicitly disable testing repo.
+# Should be disabled if undefined, let's make sure
+USE_QUBES_REPO_TESTING = 0
+
 DISTS_VM :=
 DISTS_VM += securedrop-workstation
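Review bot: The new comment says the testing repo "Should be disabled if undefined", so by its own account `USE_QUBES_REPO_TESTING = 0` changes nothing unless something else sets the variable. State in the comment what the line guards against, and confirm that the builder treats the value 0 as disabled rather than only testing whether the variable is set. The assignment also uses `=` where the surrounding lines use `:=` and `?=`; `:=` would match `RELEASE := 4.0`.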

and re-running make template, I'm encountering the same error. So it appears that we are using testing repos even though we don't want to. Can you comment what I'm doing wrong?
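
The manual inspection in the comment above can be turned into a repeatable check. The following is an added example, not code from the thread or from the project: it lists the `.deb` files in a copy of the chroot's local repository and flags any whose upstream version differs from a pin list. The function names, the pin-file format (`<package> <upstream-version>` per line) and the sample directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a copy of the builder chroot's local apt repo against pins.

# Print "<package> <upstream-version>" for every .deb found under DIR.
list_local_debs() {
    find "$1" -type f -name '*.deb' | sort | while IFS= read -r path; do
        file=${path##*/}      # qubes-img-converter_1.2.9-1+deb10u1_amd64.deb
        pkg=${file%%_*}       # qubes-img-converter
        rest=${file#*_}       # 1.2.9-1+deb10u1_amd64.deb
        ver=${rest%%_*}       # 1.2.9-1+deb10u1
        case $ver in *-*) ver=${ver%-*} ;; esac   # drop Debian revision: 1.2.9
        printf '%s %s\n' "$pkg" "$ver"
    done
}

# Print one line per pinned package built at a different version.
# Returns 1 if any mismatch is found, 0 otherwise. Unpinned packages are ignored.
audit_pins() {
    report=$(list_local_debs "$1" | while read -r pkg ver; do
        want=$(awk -v p="$pkg" '$1 == p { print $2 }' "$2")
        if [ -n "$want" ] && [ "$want" != "$ver" ]; then
            printf 'MISMATCH %s built=%s pinned=%s\n' "$pkg" "$ver" "$want"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: empty files named like the listing in the thread, plus
# a hypothetical package (example-pkg) whose build matches its pin.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/qubes-deb/deb"
    : > "$d/qubes-deb/deb/qubes-img-converter_1.2.9-1+deb10u1_amd64.deb"
    : > "$d/qubes-deb/deb/example-pkg_1.0.0-1_amd64.deb"
    printf 'qubes-img-converter 1.2.8\nexample-pkg 1.0.0\n' > "$d/pins.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_pins "$sample" "$sample/pins.txt" || echo "local repo does not match pins"
rm -rf "$sample"
```

Run against a real copy of the chroot's `tmp/` directory, a non-zero exit from `audit_pins` can fail the build before the template image is assembled.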

@marmarek

marmarek commented Jul 2, 2020

Ok, by not working BRANCH_app_linux_img_converter = v1.2.8 I assumed app-linux-img-converter is simply not included in COMPONENTS and it gets downloaded from deb.qubes-os.org. But I think there is another reason - after changing BRANCH_*, COMPONENTS or similar settings affecting what source you want, you need to execute make get-sources and then re-build (at least) that specific component.

@marmarek

marmarek commented Jul 2, 2020

FYI QubesOS/updates-status#1921
