Package: live-build
Version: 1:20240810
Severity: wishlist
X-Debbugs-Cc: adrela...@kicksecure.com
I'm using live-build to build ISO images of Kicksecure, a Debian derivative. Currently, we use apt-cacher-ng to cache package downloads for speed's sake. We also install special apt sources.list files on the ISO *after* the chroot stage, since the package transport methods we use at build time are different than the ones we want our users to use at run time. (In particular, we use HTTP(S) to connect to repos at build time, but want our users to use Tor to connect to the repos later.) In order to ensure apt-cacher-ng is used properly, we have the HTTPS tunneling feature disabled, and use http://HTTPS///example.com URIs in our sources.list files instead.

Unfortunately, this particular combination of features has hit a problematic conflict with part of live-build's behavior. In order to install our specific sources.list files onto the ISO without using them to do the actual ISO build, we have to install them before live-build's binary stage. However, this only works if live-build's binary stage doesn't run any apt commands. As it turns out, it does run apt commands, in this section of code:

    # Chroot preparation component lists
    # We deliberately exclude 'debianchroot'
    CHROOT_PREP_MOUNTS="devpts proc selinuxfs sysfs"
    CHROOT_PREP_OTHER="dpkg tmpfs sysv-rc hosts resolv hostname apt"

    if [ "${LB_BUILD_WITH_CHROOT}" = "true" ]; then
        # Configuring chroot
        # FIXME: cannot run in 'all' mode while excluding 'debianchroot', do we really need to exclude it?
        #lb chroot_prep install all mode-apt-install-binary mode-archives-chroot "${@}"
        lb chroot_prep install "${CHROOT_PREP_MOUNTS}" "${@}"
        lb chroot_prep install "${CHROOT_PREP_OTHER}" mode-apt-install-binary mode-archives-chroot "${@}"
        lb chroot_archives chroot install "${@}"
    fi

This results in problems - the sources.list files we place into the chroot do not work with apt-cacher-ng when it is configured to run without HTTPS tunneling enabled, and so when one of these low-level commands runs `sudo apt update`, the build crashes.
There isn't any way to insert our sources.list files after this particular block of code that I'm aware of, since inserting them before the binary stage breaks things, and inserting them afterwards is impossible since the ISO is built at that point. Being unable to change sources.list files after all apt commands have run also means we can't reliably ensure that only locally built packages are used during the primary portion of the build process, which is another thing Kicksecure intentionally does.

It's somewhat unexpected to me that the binary stage would run apt commands - the live OS filesystem should be complete once the bootstrap and chroot stages have been run. It seems to me that if possible, the apt installation stuff should move into the binary stage, or if that's not possible, it should be split into a "binary_pre" stage or something like that. That would resolve the issue.

I'm happy to implement the patch for this myself, I just want some suggestions on how to best do so before moving forward. Thanks!

(I'm reporting from an Ubuntu system, so Ubuntu system info is shown below.)

-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), (100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-45-kfocus (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages live-build depends on:
ii  cpio             2.15+dfsg-1ubuntu2
ii  debootstrap      1.0.134ubuntu1
ii  initramfs-tools  0.142ubuntu25.4

live-build recommends no packages.
Versions of packages live-build suggests:
ii  dosfstools      4.2-1.1build1
ii  fakeroot        1.33-1
ii  genisoimage     9:1.1.11-3.5
ii  git             1:2.43.0-1ubuntu7.1
pn  gnu-fdisk       <none>
ii  memtest86+      7.00-1build1
ii  mtools          4.0.43-1build1
ii  parted          3.6-4build1
ii  squashfs-tools  1:4.6.1-1build1
ii  sudo            1.9.15p5-3ubuntu5
ii  syslinux        3:6.04~git20190206.bf6db5b4+dfsg1-3ubuntu3
ii  uuid-runtime    2.39.3-9ubuntu6.1
pn  win32-loader    <none>
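The build-time versus run-time sources.list split the report describes, as an added shell example (not code from the bug report, Kicksecure or live-build): it rewrites https:// entries into the http://HTTPS/// form that apt-cacher-ng serves with its HTTPS tunnel disabled, checks that no active entry still bypasses the cacher, and reverses the rewrite for the copy shipped on the ISO. The hostnames and keyring path in the sample are constructed; apt's leg to the cacher is plain HTTP, so the cacher belongs on the trusted build network, while apt's InRelease signature check still covers the archive contents.

```shell
#!/bin/sh
# Added example, not from the bug report or live-build. Converts one-line-format
# sources.list entries between the run-time form (https://host/...) and the
# build-time form apt-cacher-ng expects when its HTTPS tunnel is disabled
# (http://HTTPS///host/...). Comments, deb822 stanzas and already-converted
# lines pass through unchanged. Hostnames and paths below are constructed.

# Build-time form: apt sends plain HTTP to the cacher, which fetches over HTTPS.
to_cacher_uri() {
    sed -E 's#^((deb|deb-src)[[:space:]]+(\[[^]]*][[:space:]]+)?)https://#\1http://HTTPS///#'
}

# Run-time form: undo the rewrite for the sources.list that ships on the ISO.
to_plain_uri() {
    sed -E 's#^((deb|deb-src)[[:space:]]+(\[[^]]*][[:space:]]+)?)http://HTTPS///#\1https://#'
}

# Returns 0 only if no active entry on stdin would still reach an https://
# origin directly, i.e. every fetch during the build goes through the cacher.
all_via_cacher() {
    ! grep -Eq '^(deb|deb-src)[[:space:]]+(\[[^]]*][[:space:]]+)?https://'
}

# Constructed sample: a signed-by option, a deb-src line, a comment and a
# plain-http mirror that needs no rewriting.
SAMPLE='deb [signed-by=/usr/share/keyrings/example.gpg] https://deb.example.org/ bookworm main
deb-src https://deb.example.org/ bookworm main
# deb https://commented.example.org/ bookworm main
deb http://plain.example.org/ bookworm main'

# Round trip: produce the build-time copy, verify it, then recover the
# run-time copy from it and confirm nothing was lost.
demo_roundtrip() {
    build=$(printf '%s\n' "$SAMPLE" | to_cacher_uri)
    printf '%s\n' "$build" | all_via_cacher || return 1
    [ "$(printf '%s\n' "$build" | to_plain_uri)" = "$SAMPLE" ]
}
```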