
Use Debian snapshot repository in vyos-build Docker image
Open, Normal | Public | FEATURE REQUEST

Description

We often have problems with outdated dependencies in the Debian repository, as well as non-reproducible builds because of changes in the Debian repository.

One of the possible first steps for solving this is using a snapshot Debian repository, instead of a normal one.
With this, we also may need to update the vyos-build more frequently to get the latest updates from Debian.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Normal priority. Jan 20 2024, 2:15 PM
syncer added subscribers: dmbaturin, syncer.

@dmbaturin was this completed already?

@dmbaturin, @Viacheslav - I use the Debian snapshot repository when building VyOS LTS on my own.

In order to get that going, the following apt setting needs to be set to false:

Acquire::Check-Valid-Until

I fix that the following way in my build-script:

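# Determine date of tag in proper format (YYYYMMDDTHHMMSSZ)
# Strip the UTC offset (either sign) and the tag decoration first, then the '-' and ':' separators
date="$(git log --tags --simplify-by-decoration --pretty="format:%aI %d" | grep -F " $version)" | sed -E 's/[+-][0-9]{2}:[0-9]{2} .*$//;s/[-:]//g')Z"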
archive_url="https://snapshot.debian.org/archive/debian/$date/"
archive_security_url="https://snapshot.debian.org/archive/debian-security/$date/"

# Export build env, for other steps
echo "VYOS_DEBIAN_MIRROR=$archive_url" >> build.env
echo "VYOS_DEBIAN_MIRROR_SECURITY=$archive_security_url" >> build.env

# Allow older packages
sed -i 's/-oAPT::Get::allow-downgrades=true/-oAPT::Get::allow-downgrades=true -oAcquire::Check-Valid-Until=false/g' "$(readlink -f build-vyos-image)"

# Build (VYOS_DEBIAN_MIRROR and VYOS_DEBIAN_MIRROR_SECURITY are the values written to build.env above)
./build-vyos-image "$type" --debian-mirror "$VYOS_DEBIAN_MIRROR" --pbuilder-debian-mirror "$VYOS_DEBIAN_MIRROR" --debian-security-mirror "$VYOS_DEBIAN_MIRROR_SECURITY" --architecture amd64 --build-by "some-mail" --build-type release --version "$version"

Opening a PR for the "-oAcquire::Check-Valid-Until=false" option is still on my to-do list. Would that go in the direction that you are looking for? If yes, I'll do some adjustments that set that setting to false in case somebody is using snapshot repos and open a PR on GitHub.

Regarding reproducible builds: It's really hard to determine which version of packages / which Debian snapshot the "official" LTS ISO has been built with. I would actually imagine that with setting a tag in the build script, also the proper snapshot URL gets set as default for this tag. This would then actually create reproducible builds, at least regarding package versions. In order to make them really reproducible (as in: yields the same hash for the ISO file), I guess more work needs to be done.
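
A caveat on the setting discussed above: passed as `-oAcquire::Check-Valid-Until=false`, it turns off Release-file expiry checking for every repository in the build, whereas apt's per-source `check-valid-until=no` option limits that to the snapshot entries. The following is an added example, not part of the comment or of vyos-build; the function names, the `main` component and the sample suite `bookworm` are assumptions, and it needs GNU `date`.

```shell
#!/bin/sh
# Added example; function names and the sample suite are assumptions.

# Convert an ISO 8601 timestamp with any UTC offset (git's %aI format)
# into the UTC form snapshot.debian.org uses in its URLs.
# Requires GNU date (-d).
snapshot_stamp() {
    date -u -d "$1" +%Y%m%dT%H%M%SZ
}

# Print sources.list entries pinned to one snapshot. Expiry checking is
# switched off for these two entries only, so every other repository
# still rejects stale Release files.
snapshot_sources() {
    stamp="$(snapshot_stamp "$1")" || return 1
    suite="$2"
    base="https://snapshot.debian.org/archive"
    opt="[check-valid-until=no]"
    printf 'deb %s %s/debian/%s/ %s main\n' "$opt" "$base" "$stamp" "$suite"
    printf 'deb %s %s/debian-security/%s/ %s-security main\n' \
        "$opt" "$base" "$stamp" "$suite"
}

# Constructed sample: a tag date with a negative offset, suite "bookworm".
snapshot_sources "2024-01-20T21:15:00-05:00" bookworm
```

The timestamp is converted to UTC before it goes into the URL, so a tag dated late in the evening at a negative offset resolves to the following UTC day.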