Feature #5926: Freezable APT repository
Cannot import needed packages into the new tagged APT snapshot at point-release time
./bin/tag-apt-snapshots as part of the Tails 2.5 release process, I'm told:
    I: detected origin: debian with reference: 2016073103
    [...]
    W: some packages were not found anywhere:
    - base-files/8+deb8u4/i386/binary
    - dmeventd/2:1.02.90-2.2/i386/binary
    - dmsetup/2:1.02.90-2.2/i386/binary
    - electrum/2.6.3-1/all/binary
    - evince-common/3.14.1-2/all/binary
    - evince/3.14.1-2/i386/binary
The build manifest contains:
    origin_references:
      debian:
        reference: '2016073103'
config/APT_snapshots.d/debian/serial contains "latest", which in this context means "do what I mean", that is stick to previous release's tagged snapshot (auto/scripts/apt-mirror)… except the part of our build system that creates the build manifest does not know about this convention.
And anyway, even if the build manifest pointed to the right place, i.e. the previous release's (2.4) tagged APT snapshot, which is the only place where the missing packages are as of today:
tails-prepare-tagged-apt-snapshot-import in its current shape does not know how to generate a configuration that pulls from there.
One option could be to modify how we deal with point-releases: when releasing, instead of using the aforementioned "latest" convention, on the stable branch we could keep pointing to the actual time-based snapshots we need for the next point-releases (in this case: 2016052503) and prevent them from being garbage-collected until next major release.
Never (pretend to) thaw APT snapshots on the stable branch.
Let's always encode, on the stable branch, the exact set of APT snapshots we
want to use in next point-release. Previously we would pretend to thaw them by
writing "latest" in APT_snapshots.d/*/serial, but then apt-mirror would
special-case this situation: on an unreleased branch based on stable, it would
consider that "latest" means "stick to previous release's tagged snapshot".
Which worked fine at build time, except the part of our build system that
creates the build manifest does not know about this convention, so the resulting
build manifest would point to the latest APT snapshots we have, even though they
were not really used during the build. And even if the build manifest pointed to
the right place (i.e. the previous release's tagged APT snapshot), which is the
only place where some of the needed packages are when tagging the next
point-release's APT snapshot: tails-prepare-tagged-apt-snapshot-import does not
know how to generate a configuration that pulls from there.
So let's drop this special meaning of "latest", and make things simpler by
actually hard-coding in Git the snapshots we really want to use.
This implies the documentation change that makes sure that we're keeping these
time-based APT snapshots long enough.
Simplify freezable APT repository handling for stable and testing -based branches.
We now enforce that any branch based on stable or testing uses frozen
APT snapshots, except for the debian-security archive. This simplifies
the documentation, the code, and eases reasoning about the whole thing.
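An added example, not part of the Tails code base or of this ticket: a check that could run on a branch based on stable or testing to enforce the rule from the commit message above, namely that every origin under config/APT_snapshots.d carries a frozen serial, except debian-security. The 10-digit serial format (inferred from 2016073103), the `debian-security` directory name, the `torproject` sample origin and both function names are assumptions.

```shell
#!/bin/sh
# Added example (not Tails code): fail when an origin under APT_snapshots.d
# is not pinned to a time-based serial.
# Assumptions: serials are 10 digits, as in 2016073103, and the security
# archive's directory is named "debian-security".

# check_frozen_serials DIR
# Prints one line per unfrozen origin. Returns 0 if all origins are frozen,
# 1 if any is not, 2 if DIR holds no serial files.
check_frozen_serials() {
    dir=$1
    bad=0
    for serial_file in "$dir"/*/serial; do
        if [ ! -e "$serial_file" ]; then
            echo "no serial files under $dir" >&2
            return 2
        fi
        origin=$(basename "$(dirname "$serial_file")")
        serial=$(tr -d '[:space:]' < "$serial_file")
        # The one exemption: debian-security may keep following "latest".
        if [ "$origin" = "debian-security" ]; then
            continue
        fi
        case $serial in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "$origin: not frozen (serial is '$serial')"; bad=1 ;;
        esac
    done
    return "$bad"
}

# write_sample_tree DIR DEBIAN_SERIAL
# Builds a constructed APT_snapshots.d tree for trying the check out.
write_sample_tree() {
    mkdir -p "$1/debian" "$1/torproject" "$1/debian-security"
    echo "$2" > "$1/debian/serial"
    echo 2016052503 > "$1/torproject/serial"
    echo latest > "$1/debian-security/serial"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_tree "$tmp" latest
    check_frozen_serials "$tmp" || echo "exit status: $?"
    rm -rf "$tmp"
fi
```

Run with `--demo`, the script reports the constructed `debian` origin as unfrozen; in a real checkout the function would be pointed at config/APT_snapshots.d instead.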
#5 Updated by intrigeri over 3 years ago
- Status changed from Confirmed to In Progress
- Assignee changed from intrigeri to anonym
- % Done changed from 0 to 50
- QA Check set to Ready for QA
Please merge into devel, but not into stable as this would break its build currently (we've lost the time-based APT snapshots it should use, so we can't encode them).