Hi all,

Some time has passed and there are further news for the APK migration:

Timo and Ansuel worked out a way to allow index trust[1]. If a package index is 
signed by a trusted key, all containing packages are automatically trusted. It 
is still possible to distribute and sign single packages.

With this in place, the last missing bit was to teach our Buildbot 
infrastructure to sign indexes with the Buildmaster key[2]. For context, the 
OpenWrt project does not store private signing keys on Buildworkers but only on 
the Buildmaster. Indexes are transferred to the Buildmaster and signed there, 
later uploaded to the download server.

This, too, works now and can be tested for a limited number of targets/archs 
(if your favorite is missing, please ping me)[3].

The firmware contains an APK public key (in /etc/apk/keys) for testing[4] and 
the download server is modified[5]. The key is not official and will be 
replaced once things go further upstream.

If you run one of those images, please give APK a spin and see how it’s doing. 
A simple example would be to run the following:

    apk add luci # install LuCI
    apk audit # see what file changed since rootfs creation

Looking at the failing packages[6], some maintainers have not yet switched to 
an APK-conforming version schema. I’ll try to ping those or create PRs myself.

I’m optimistic’ish that things will work out just great. Please give it a test 
and let me know how it goes.

Best,
Paul

[1]: https://gitlab.alpinelinux.org/alpine/apk-tools/-/commit/54caa31be633efc5f655700b77af290124f71689
[2]: https://github.com/openwrt/buildbot/commit/a94d4e15fdc1e9715d7d0cfdcc62227186d0fc45
[3]: https://buildbot.aparcar.org/targets/
[4]: https://github.com/aparcar/openwrt/commit/de9b171c5a98c9e23e3da8b787ddc5ba7dd0ac53
[5]: https://github.com/aparcar/openwrt/commit/2c98eb52e365be6e59b470b4c0001cf29e8a6fb3
[6]: https://buildbot.aparcar.org/faillogs/x86_64/


> On 13. Jun 2024, at 13:29, Paul Spooren <m...@aparcar.org> wrote:
> 
> Dear all,
> 
> With great contributions from Timo, Ansuel, Jonas, Daniel, Petr, John, and 
> many others, APK is evolving smoothly, and the integration is progressing 
> well!
> 
> We have established a staging buildbot environment[1] that compiles firmware 
> images and certain packages. To replicate this setup locally, simply enable 
> “Use APK instead of OPKG to build distribution” (`USE_APK`) in the “Global 
> build settings”.
> 
> Once the firmware is compiled, it is uploaded to the staging downloads 
> page[2]. Currently, we have limited the targets created to a subset that we 
> have found useful for testing purposes. The firmware images boot up 
> successfully and allow for the installation of external feeds[3]!
> 
> Be aware, there is still some work required on the package feeds to 
> accommodate the new version requirements. If you are maintaining something, 
> please take a look (e.g. [4]).
> 
> We are facing an architectural challenge that needs to be addressed. In the 
> past, both OPKG and APKv2 would only sign the package indexes and 
> automatically trust the included packages. With APKv3 (the version we are 
> using), each individual package is signed. We are exploring ways to securely 
> integrate this into the existing setup, where build workers do not have a 
> private key but upload the package index to a dedicated server for signing. 
> We will keep you updated on our progress.
> 
> I will provide more updates as we make further advancements. Please stay 
> tuned for more information.
> 
> Sunshine,
> Paul
> 
> PS: since we do parallel experiments with the Buildbot itself some packages 
> are missing, please be aware that your mileage may vary when testing package 
> installation
> 
> [1]: https://buildbot.staging.openwrt.org
> [2]: https://downloads.staging.openwrt.org/snapshots/targets/
> [3]: apk add --allow-untrusted kmod-usb-serial-cp210x
> [4]: https://github.com/openwrt/packages/issues/23706
> 
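The trust model discussed in both messages (a signed index vouching for every package it lists, with single packages still signable on their own), as an added illustration that is not apk-tools or OpenWrt code. HMAC-SHA256 stands in for apk's public-key signatures so the example runs offline with the standard library; key names, package contents and the JSON index layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key material: only the buildmaster key is installed on the device
# (the equivalent of /etc/apk/keys); the worker key is deliberately not trusted.
TRUSTED_KEYS = {"buildmaster.rsa.pub": b"buildmaster-secret"}
UNTRUSTED_KEYS = {"worker.rsa.pub": b"worker-secret"}

def sign(key_name, key, data):
    """Stand-in signature: (key id, HMAC-SHA256 over the signed bytes)."""
    return key_name, hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key_name, sig, data):
    """A signature only counts if the key id is one the device trusts."""
    key = TRUSTED_KEYS.get(key_name)
    if key is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)

def package_digest(content):
    return hashlib.sha256(content).hexdigest()

def build_index(packages):
    """Index = name -> digest, serialised deterministically so it can be signed."""
    return json.dumps({n: package_digest(c) for n, c in packages.items()},
                      sort_keys=True).encode()

def is_package_trusted(name, content, index_data, index_sig, pkg_sig=None):
    """Return "index" (trusted via the signed index), "package" (own signature)
    or None (reject). A listed package must also match the index digest."""
    if verify(*index_sig, index_data):
        if json.loads(index_data).get(name) == package_digest(content):
            return "index"
    if pkg_sig is not None and verify(*pkg_sig, content):
        return "package"
    return None

def demo():
    # Constructed packages; the buildmaster signs the index, never a worker.
    pkgs = {"luci": b"luci-contents", "kmod-usb-serial": b"kmod-contents"}
    index = build_index(pkgs)
    bm = ("buildmaster.rsa.pub", TRUSTED_KEYS["buildmaster.rsa.pub"])
    good_sig = sign(*bm, index)
    worker_sig = sign("worker.rsa.pub", UNTRUSTED_KEYS["worker.rsa.pub"], index)
    extra = b"cp210x-contents"  # not in the index, shipped as a single package
    return {
        "listed_pkg": is_package_trusted("luci", pkgs["luci"], index, good_sig),
        "tampered_pkg": is_package_trusted("luci", b"luci-modified", index, good_sig),
        "unlisted_signed": is_package_trusted("cp210x", extra, index, good_sig, sign(*bm, extra)),
        "unlisted_unsigned": is_package_trusted("cp210x", extra, index, good_sig),
        "worker_signed_index": is_package_trusted("luci", pkgs["luci"], index, worker_sig),
    }
```

Only the two buildmaster-backed paths are accepted; a tampered listed package, an unsigned unlisted package, and an index signed by a worker key are all rejected.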


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
