Hi, Quoting Patrick Schleizer (2019-09-14 08:00:00) > Awesome! Great to know you're interested in this! > > Good question. I am not sure what I meant with that either. :) Will look > into it again. > > First thing: > > #### > > debootstrap: > > --arch=ARCH > > mmdebstrap: > > --architectures=native[,foreign1,...] > > #### > > In other words, grml-debootstrap calls debootstrap with --arch=ARCH. > This will fail since mmdebstrap does not support --arch=ARCH but wants > --architectures. > > ####
you seem to claim that mmdebstrap does not support the --arch argument. But it
does. It does so by configuring Getopt::Long with auto_abbrev. This means that
a long option like --architectures can also be written with less characters. It
works on my system. It does not on yours? Also from the man page:
Long options require a double dash and may be abbreviated to uniqueness.
>
> cowbuilder (or pbuilder?) calls debootstrap with:
>
> + args='--include=apt --variant=buildd --force-check-gpg buster
> /var/cache/pbuilder/base.cow_amd64 http://HTTPS///deb.debian.org/debian'
>
> I.e. it is possible to pass an apt repository URI through command line
> (above last argument).
>
> However, I am translating that in the wrapper to:
>
> --verbose --architectures=amd64
> --aptopt=/home/user/whonix_binary/aptgetopt.conf
> --include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
> buster /var/cache/pbuilder/base.cow_amd64
> /home/user/Whonix/build_sources/debian_stable_current_clearnet.list
>
> Using a file
> /home/user/Whonix/build_sources/debian_stable_current_clearnet.list
> which contains both, Debian "standard" repository as well as Debian
> security repository.
>
> This is to make use of mmdebstrap excellent security feature to
> bootstrap from two repositories at once. If the APT version in Debian
> "standard" repository had a vulnerability, then the vulnerable version
> would be installed first before vulnerable APT would be used to upgrade
> in a later step from Debian security repository.
>
> "Incompatibility" is perhaps a far stretched term. How do we "teach"
> grml-debootstrap, cowbuilder (or pbuilder?) "use both, Debian "standard"
> repository and Debian security repository when using mmdebstrap"?
>
> It's like "the ecosystem does not take advantage of mmdebstrap" yet.
Okay, but as far as I can see there is nothing that can be done in mmdebstrap
about this, right?
> Not sure anymore why I added:
> --include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,apt-transport-https,python,eatmydata,aptitude,cowdancer
>
> apt-transport-https might be required to support https repositories in
> sources list.
Yes, old apt versions (1.4.9 and earlier) require that package. It is since a
dummy package.
> apt-transport-tor might be required to support tor+https and .onion in
> sources list.
Yes, but mmdebstrap auto-detects tor URLs and adds the package. This behaviour
is also documented in its man page.
> Johannes Schauer:
> > I added a no-op --force-check-gpg option.
>
> Where is the source code for that? git clones just now.
>
> git clone http://gitlab.mister-muffin.de/josch/mmdebstrap.git
>
> But cannot find any mention of "force-check-gpg".
Yes, I didn't push these changes because I am travelling and have only limited
internet access. It has now been pushed.
> Once I have the new version, and can get past the "force-check-gpg" option, I
> will re-try these tools and see how far I get step by step.
I'm looking forward to your review!
Thanks!
cheers, josch
signature.asc
Description: signature

