Add support for pinning package versions #700
Comments
|
Also see #748 |
|
FWIW, just putting specific package versions in the manifest already works, to some extent. You can specify a full package nevra in We could retrieve the package lists, even post-factum by introspecting the rpm database or parsing the logs. But the hard part is retrieving the specific versions of packages from somewhere. Packages in the distro stop being available from the mirrors after after a new version appears. It is possible to retrieve them with a bit of an effort (e.g. in Fedora's case, directly from koji). So pinning of a specific version would work if there is a local cache, or for a while as long as the distro doesn't update, but then it would break. |
The output is something like this
{
"packages": [
{
"type": "rpm",
"name": "acl",
"version": "2.3.1-2.fc35.x86_64"
},
{
"type": "rpm",
"name": "alternatives",
"version": "1.19-1.fc35.x86_64"
},
{
"type": "rpm",
"name": "audit-libs",
"version": "3.0.3-2.fc35.x86_64"
},
...
]
}
This is a partial step towards systemd#700, but has other uses too.
The output is something like this
{
"packages": [
{
"type": "rpm",
"name": "acl",
"version": "2.3.1-2.fc35.x86_64"
},
{
"type": "rpm",
"name": "alternatives",
"version": "1.19-1.fc35.x86_64"
},
{
"type": "rpm",
"name": "audit-libs",
"version": "3.0.3-2.fc35.x86_64"
},
...
]
}
This is a partial step towards systemd#700, but has other uses too.
The output is something like this
{
"packages": [
{
"type": "rpm",
"name": "acl",
"version": "2.3.1-2.fc35.x86_64"
},
{
"type": "rpm",
"name": "alternatives",
"version": "1.19-1.fc35.x86_64"
},
{
"type": "rpm",
"name": "audit-libs",
"version": "3.0.3-2.fc35.x86_64"
},
...
]
}
This is a partial step towards systemd#700, but has other uses too.
The output is something like this
{
"packages": [
{
"type": "rpm",
"name": "acl",
"version": "2.3.1-2.fc35.x86_64"
},
{
"type": "rpm",
"name": "alternatives",
"version": "1.19-1.fc35.x86_64"
},
{
"type": "rpm",
"name": "audit-libs",
"version": "3.0.3-2.fc35.x86_64"
},
...
]
}
This is a partial step towards systemd#700, but has other uses too.
The output is something like this
{
"packages": [
{
"type": "rpm",
"name": "acl",
"version": "2.3.1-2.fc35.x86_64"
},
{
"type": "rpm",
"name": "alternatives",
"version": "1.19-1.fc35.x86_64"
},
{
"type": "rpm",
"name": "audit-libs",
"version": "3.0.3-2.fc35.x86_64"
},
...
]
}
This is a partial step towards systemd#700, but has other uses too.
This implements the ability to rebuild packages from cache that was requested in systemd#700. I don't think it can be said to resolve the issue, since this is only a partial solution, but useful nonetheless.
This implements the ability to rebuild packages from cache that was requested in systemd#700. I don't think it can be said to resolve the issue, since this is only a partial solution, but useful nonetheless.
DaanDeMeyer
changed the title
|
Does RH/Fedora have a package archive? For both Arch Linux and Debian all released packages are uploaded and stored on the archive. In the case of Arch, recreating any ISO from the past couple of years should be possible by just fetching them and passing them as arguments to https://archive.archlinux.org/ How this is implemented in the current Arch Linux repro tooling; https://github.com/archlinux/archlinux-repro/blob/master/repro.in#L490 |
|
No Fedora expert, but https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/ looks similar to the Debian archives. No idea though, whether this can be directly hooked into |
|
I'm not sure if this should be implemented by mkosi tbh. Users can either use --cacheonly to never hit the mirrors again after the initial download, which effectively pins the package versions. The other option is to setup your own mirror with the versions of the package that you want and then configure mkosi to use that mirror. That seems like it would scale much better than pinning individual package versions. Closing this for now but we can reopen if needed. |
|
I think both of the proposed alternatives are less than ideal due to their being hard to mesh with all of the nice semantics of Git, especially the change atomicity that git gives us, but also...
Users would then have to ship around a tarball or similar of the cache, which seems less than ideal, especially if the other option of using mirrors is available.
I think a common pattern for environments which need these kinds of reproducible builds is to use some flavor of local caching proxy as a mirror where one can use a pinned set of packages from the mirror, potentially across multiple images, as well as use that same mirror for other systems running whatever distribution is being built. Should users have to create a mirror per image they need to lock down in this way? In the case of RHEL variants, |
For now we can look into re-enabling the versionlock plugin. Anything more than that is blocked by rpm-software-management/dnf5#833 |
See-Also: systemd#700 (comment) Signed-off-by: Jake Helmert <[email protected]>
See-Also: systemd#700 (comment) Signed-off-by: Jake Helmert <[email protected]>
See-Also: systemd#700 (comment) Signed-off-by: Jake Helmert <[email protected]>
See-Also: systemd#700 (comment) Signed-off-by: Jake Helmert <[email protected]>
See-Also: systemd#700 (comment) Signed-off-by: Jake Helmert <[email protected]>
I think it would make sense to optionally support "pinning" package versions, i.e. write the used RPM/DEB package versions to some file while doing an initial build, and if that file exists, use exactly these versions to build the package. The file could then be commited to git, ensuring that images are somehwat stabe in their package selection.
This should bring us a step closer towards reasonably reproducible builds.
I figure this means, at least for the Fedora case, to call directly into the python dnf module to retrieve these package lists.
The text was updated successfully, but these errors were encountered: