I'm currently banging my head against a proverbial wall trying to figure out why there are some packages being incorrectly pulled into an ISO I'm building. I assume all of the packages are being pulled in for a similar reason, so right now I just want to focus on one particular package. My live-build config is located at https://github.com/ArrayBolt3/kicksecure-live-build. I am using my own fork of live-build, however none of the code modifications I have made or integrated from other sources seem likely to cause this particular issue.
Some notable parts of my config: * I'm using aptitude rather than apt for installing packages for debugging purposes. * I explicitly set '--apt-recommends false' in auto/config. * I have a list of packages at https://github.com/ArrayBolt3/kicksecure-live-build/blob/master/config/apt/preferences that I do NOT want to be installed on the live ISO. For some reason, when I build my ISO without the config/apt/preferences file in place, a package called jh7100-bootloader-recovery is installed. According to `apt-cache show`, this is apparently something intended to help fix some particular StarFive RISC-V SOC. I don't have any use for this package, and did not put anything in my config that would result in it being installed. If I `cd` into the root of the config tree and do a `grep -Ri jh7100`, I see nothing except a mention of it in my README (which is there because I was listing it as "I don't know how this got installed, figure out how to remove it) and a mention of it in config/apt/preferences, which is attempting to prevent it from being installed. I similarly see no mention of it in my live-build source tree. Running `apt-cache rdepends jh7100-bootloader-recovery` shows me that this package has no reverse dependencies, recommends, or suggests. Thus as far as I can tell, this should not be getting installed. Looking at the build log, it looks like the package is being installed explicitly for some reason, not that it's being pulled in by anything in particular: put logs here In an attempt to prevent the package from being installed, I tried to blacklist it with config/apt/preferences as documented at the end of https://live-team.pages.debian.net/live-manual/html/live-manual/customizing-package-installation.en.html. Not only did this fail to fix the problem, it actually made it worse. Now the build fails entirely, with the following error shown at the end of the log: Reading package lists... Building dependency tree... Reading state information... Reading extended state information... Initializing package states... Writing extended state information... Building tag database... Unable to apply some actions, aborting Package live-tools is not installed, so it will not be removed Package live-boot is not installed, so it will not be removed No candidate version found for jh7100-bootloader-recovery xargs: aptitude: exited with status 255; aborting E: An unexpected failure occurred, exiting... P: Begin unmounting filesystems... P: Saving caches... Reading package lists... Building dependency tree... Reading state information... (The messages about live-tools and live-boot are benign and are a result of me blacklisting them via a hacky patch to the live-build code, which I intend on getting rid of and replacing with a proper blacklisting mechanism.) At this point, I have two questions: * How in creation is this package getting pulled in, in the first place? * Failing that, or should it be infeasible to fix the root issue, how do I blacklist the package to get it to go away? Nothing depends on it, not in Debian's repos and not in any of the other repos I'm pulling in, and I don't need it. This is not the only package being incorrectly pulled in - the rest of the packages listed in the config/apt/preferences file are also ones that I want rid of, and while some of them seem like they're probably the result of the build system being "too helpful", at least two of the others (ixo-usb-jtag and hdmi2usb-fx2-firmware) are similarly unnecessary, unreferenced anywhere I can find, and aren't being pulled in due to dependencies. Is there some file that live-build pulls in over the network at build time that has a list of packages to install that might be the culprit here?
