On Mon, 14 Oct 2024 19:40:19 -0500
Aaron Rainbolt <arraybo...@gmail.com> wrote:

> I'm currently banging my head against a proverbial wall trying to
> figure out why there are some packages being incorrectly pulled into
> an ISO I'm building. I assume all of the packages are being pulled in
> for a similar reason, so right now I just want to focus on one
> particular package. My live-build config is located
> at https://github.com/ArrayBolt3/kicksecure-live-build. I am using my
> own fork of live-build, however none of the code modifications I have
> made or integrated from other sources seem likely to cause this
> particular issue.
> 
> Some notable parts of my config:
> 
> * I'm using aptitude rather than apt for installing packages for
>   debugging purposes.
> * I explicitly set '--apt-recommends false' in auto/config.
> * I have a list of packages at
>   https://github.com/ArrayBolt3/kicksecure-live-build/blob/master/config/apt/preferences
>   that I do NOT want to be installed on the live ISO.
> 
> For some reason, when I build my ISO without the
> config/apt/preferences file in place, a package called
> jh7100-bootloader-recovery is installed. According to `apt-cache
> show`, this is apparently something intended to help fix some
> particular StarFive RISC-V SOC. I don't have any use for this
> package, and did not put anything in my config that would result in
> it being installed. If I `cd` into the root of the config tree and do
> a `grep -Ri jh7100`, I see nothing except a mention of it in my
> README (which is there because I was listing it as "I don't know how
> this got installed, figure out how to remove it") and a mention of it
> in config/apt/preferences, which is attempting to prevent it from
> being installed. I similarly see no mention of it in my live-build
> source tree. Running `apt-cache rdepends jh7100-bootloader-recovery`
> shows me that this package has no reverse dependencies, recommends,
> or suggests. Thus as far as I can tell, this should not be getting
> installed.
> 
> Looking at the build log, it looks like the package is being installed
> explicitly for some reason, not that it's being pulled in by anything
> in particular:
> 
>     put logs here

Ahem. As you can probably tell, I meant to put some logs here, and then
sent this email too early. Here are the logs I meant to put here:

    Reading package lists...
    Building dependency tree...
    Reading state information...
    Reading extended state information...
    Initializing package states...
    Writing extended state information...
    Building tag database...
    Package live-tools is not installed, so it will not be removed
    Package live-boot is not installed, so it will not be removed
    Package live-tools is not installed, so it will not be removed
    Package live-boot is not installed, so it will not be removed
    The following NEW packages will be installed:
      jh7100-bootloader-recovery
    0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 12.4 kB of archives. After unpacking 36.9 kB will be used.
    Writing extended state information...
    Get: 1 http://deb.debian.org/debian bookworm/main amd64 jh7100-bootloader-recovery all 0~2021.07.14~git2b268a1c-2 [12.4 kB]
    Fetched 12.4 kB in 0s (81.2 kB/s)
    Selecting previously unselected package jh7100-bootloader-recovery.
    (Reading database ... 58189 files and directories currently installed.)
    Preparing to unpack .../jh7100-bootloader-recovery_0~2021.07.14~git2b268a1c-2_all.deb ...
    Unpacking jh7100-bootloader-recovery (0~2021.07.14~git2b268a1c-2) ...
    Setting up jh7100-bootloader-recovery (0~2021.07.14~git2b268a1c-2) ...

This is about 3690 lines down a 15913 line long log file from a
successful ISO build. Apologies for any typos, I typed this across
rather than copy-pasting.

> In an attempt to prevent the package from being installed, I tried to
> blacklist it with config/apt/preferences as documented at the end of
> https://live-team.pages.debian.net/live-manual/html/live-manual/customizing-package-installation.en.html.
> Not only did this fail to fix the problem, it actually made it worse.
> Now the build fails entirely, with the following error shown at the
> end of the log:
> 
>     Reading package lists...
>     Building dependency tree...
>     Reading state information...
>     Reading extended state information...
>     Initializing package states...
>     Writing extended state information...
>     Building tag database...
>     Unable to apply some actions, aborting
>     Package live-tools is not installed, so it will not be removed
>     Package live-boot is not installed, so it will not be removed
>     No candidate version found for jh7100-bootloader-recovery
>     xargs: aptitude: exited with status 255; aborting
>     E: An unexpected failure occurred, exiting...
>     P: Begin unmounting filesystems...
>     P: Saving caches...
>     Reading package lists...
>     Building dependency tree...
>     Reading state information...
> 
> (The messages about live-tools and live-boot are benign and are a
> result of me blacklisting them via a hacky patch to the live-build
> code, which I intend on getting rid of and replacing with a proper
> blacklisting mechanism.)
> 
> At this point, I have two questions:
> 
> * How in creation is this package getting pulled in, in the first
>   place?
> * Failing that, or should it be infeasible to fix the root issue, how
>   do I blacklist the package to get it to go away? Nothing depends on
>   it, not in Debian's repos and not in any of the other repos I'm
>   pulling in, and I don't need it.
> 
> This is not the only package being incorrectly pulled in - the rest of
> the packages listed in the config/apt/preferences file are also ones
> that I want rid of, and while some of them seem like they're probably
> the result of the build system being "too helpful", at least two of
> the others (ixo-usb-jtag and hdmi2usb-fx2-firmware) are similarly
> unnecessary, unreferenced anywhere I can find, and aren't being pulled
> in due to dependencies. Is there some file that live-build pulls in
> over the network at build time that has a list of packages to install
> that might be the culprit here?

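Added example, not part of the original message or of live-build: a small Python scanner for build logs of the shape quoted above. It reports the log line at which a denylisted package enters a "NEW packages" transaction and how many packages that transaction contained. The sample log and the `libexample*`/`example-tool` names are constructed; the denylist holds the three package names mentioned in the post.

```python
import re

# Package names the post says should not end up on the ISO.
DENYLIST = {"jh7100-bootloader-recovery", "ixo-usb-jtag", "hdmi2usb-fx2-firmware"}
HEADER = "The following NEW packages will be installed:"

# Constructed sample in the shape of the log quoted in the post.
SAMPLE_LOG = """\
Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  libexample1 libexample2{a}
  example-tool
0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Setting up example-tool (1.0-1) ...
Reading package lists...
The following NEW packages will be installed:
  jh7100-bootloader-recovery
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
"""

def _indent(line):
    return len(line) - len(line.lstrip())

def new_package_transactions(log_text):
    """Return [(header_line_number, [package, ...]), ...] per install block."""
    transactions, current, base = [], None, 0
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.strip() == HEADER:
            current, base = (lineno, []), _indent(line)
            transactions.append(current)
        elif current is not None and line.strip() and _indent(line) > base:
            # Package lines are indented deeper than the header; aptitude may
            # append a state flag such as {a} (automatically installed).
            for token in line.split():
                current[1].append(re.sub(r"\{[^}]*\}$", "", token))
        else:
            current = None  # any other line ends the package list
    return transactions

def denied_installs(log_text, denylist=DENYLIST):
    """Return [(line_number, package, transaction_size)] for denylisted names."""
    return [(lineno, pkg, len(pkgs))
            for lineno, pkgs in new_package_transactions(log_text)
            for pkg in pkgs if pkg in denylist]

if __name__ == "__main__":
    for lineno, pkg, size in denied_installs(SAMPLE_LOG):
        print(f"line {lineno}: {pkg} installed in a {size}-package transaction")
```

The reported line number gives a fixed point in a long log from which to read upward for the build stage that issued the install.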