-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explore possibility of splitting current /sources into /source and /binary #28
Comments
cc @SantiagoTorres, @adityasaky, @kpcyrd and @kristelfung, who might be able to help here. |
Disclaimer: I haven't worked on the debian-rebuilder-setup since late 2018 and my summary might be out of date. The visualizer is the public read-only api to fetch results from and the accumulator is the internal api that results are reported to. srebuild runs one build per source package/buildinfo file and generates an in-toto attestation that contains all binary packages built from that source package. I don't know how this integrates with apt-transport-in-toto, maybe somebody familiar with that part of the system can answer this. :) The debian-rebuilder-setup project staled because debian never defined how a rebuilder is supposed to ingest buildinfo files. I've spent some time thinking about this while working on rebuilderd, the architecture I'd currently suggest is:
Note that srebuild is being replaced with debrebuild but the merge request to provide feature parity with srebuild is still being worked on and the latest released version of debrebuild can't actually run any builds yet. |
@kpcyrd thank you for your answer that's mostly latest updates you gave me on IRC and also this is why I've started helping 'josch' on debrebuild tool. As you said, this is mostly how the people of apt-transport-in-toto was thinking on how to deal with the original debian approach with debian-rebuilder-setup. As a current workaround and for having some working intoto POC, I've just symlinks https://github.com/fepitre/qubes-rebuilder-setup/blob/master/visualizer/visualizer.py#L149 packages. Ideally I would love to add a database entry of the "package source" instead of creating useless symlinks. This is what motivated my original question here for knowing the ideas behind :) |
As far as apt-transport-in-toto/intoto.py Lines 577 to 579 in 363a110
|
@lukpueh yes I think this is clear from the transport even if I would rather distinguish |
This sounds reasonable and worth a ticket somewhere. |
@lukpueh would you like me to rename the issue and rework the description or to put it elsewhere in another issue? I don't see this |
Good idea to reuse this ticket, and yes, I'd appreciate if you could rework issue name and description accordingly. |
@lukpueh I've updated the issue. Any feedback on this possible change is welcomed. Also, I'm completely ok for implementing it! :) |
Thanks for the update and for volunteering, @fepitre. I'd appreciate if you go ahead and explore/implement this. Do you already have an idea what the split would mean for the transport? As far as I understand, we currently only deal with binary installs. So all we'd need to do is update the endpoint URL. Or would you also add some case handling for apt source installs to use both endpoints. At any rate, I think we should seize the opportunity and add some documentation about the expected API, maybe to the README, or even better, to a man page, which we should add for other reasons anyway. |
For the transport it would mean to identify requested source package and binary packages. For example, in case of RPM, we do have specific package |
Topic: Explore the possibility of replacing current
/sources
used by the transport into/source
and/binary
in order to distinguish between source package name and produced binary package names. It would have the advantage to also be consistent with current Debian snapshot API having start point/mr/package/...
(well not source) and/mr/binary/...
(see comment #28 (comment)). From the user point of view, it helps in understanding what exactly we are looking for and which (built) package. From rebuilder software point of view, it makes referring/linking produced in-toto metadata to all binary packages.Original description: I'm trying to understand how originally
debian-rebuilder-setup
was intended to work. From what I can see, a rebuilder is supposed to POST to visualizer (https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/-/blob/master/builder/srebuild#L454) an in-toto metadata referenced by part of the name of buildinfo file (https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/-/blob/master/visualizer/accumulator.py#L69), mostly the source package name right? My question is how is supposed to be referenced for examplemypackage-dev
or any other packages built from a given sourcesmypackage.buildinfo
?The text was updated successfully, but these errors were encountered: