Bug #15690

Stop installing all "Priority: standard" packages only to remove some of them later

Added by intrigeri 11 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Build system
Target version:
Start date: 06/29/2018
Due date:
% Done: 100%
QA Check: Pass
Feature Branch: bugfix/15690-stop-installing-all-priority-standard-packages
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

We currently pass --tasks standard to lb config. Due to inconsistencies between the main Debian archive and security.d.o regarding packages priority overrides, combined with an aufs bug, this has broken our incremental upgrades to 3.0.1 and later to 3.6: #13426, #15418.

I think our best option is to stop passing --tasks standard to lb config and instead explicitly list the packages we want to install in config/chroot_local-packageslists/*.list. And then every time we upgrade to a new version of Debian, we create a ticket to update that list, based on the current set of Priority: standard packages in that version of Debian. Using a separate file will make this clearer and easier to maintain.


Related issues

Related to Tails - Bug #15418: Find out what's going on with Exim in our ISO build process Resolved 03/16/2018
Related to Tails - Bug #13426: Tor does not start on Tails 3.0.1 automatically upgraded from 3.0 Resolved 07/05/2017
Related to Tails - Feature #16280: Refresh tails-standard.list packages list for Bullseye Confirmed 01/04/2019
Blocked by Tails - Bug #15472: Rebase our Tor Browser AppArmor policy on top of torbrowser-launcher 0.2.9-2's Resolved 03/28/2018
Blocked by Tails - Bug #15419: Detect earlier in the dev process if we're breaking automatic upgrades Resolved 06/28/2018
Blocks Tails - Bug #15854: Re-add UID/GID stability checks on feature/buster Resolved 08/27/2018
Blocks Tails - Bug #16272: Compare packages lists devel vs. feature/buster Resolved 01/04/2019

Associated revisions

Revision 6e170f3f (diff)
Added by intrigeri 11 months ago

Install all "Priority: standard" packages via an explicit packages list instead of via --tasks (refs: #15690)

This will make it easier to remove some of these packages from the list
of those that should be installed in the first place, as opposed to letting them
be installed by tasksel only to uninstall them later.

I've seeded tails-000-standard.list with the output of:

tasksel --task-packages standard | sort

… run on a clean Stretch system.

Also:

  • live-build forcibly translates --packages-lists="standard" into "tasksel
    install standard", so to make this change effective we also need to switch
    to "--packages-lists minimal" or "--packages-lists none". The former has
    problematic side-effects so let's use the latter.
  • Add to tails-common.list some of the packages that were previously installed
    automatically, e.g. via live-build's lists/standard → lists/minimal.

Revision ef8f8921 (diff)
Added by intrigeri 11 months ago

Don't install "Priority: standard" packages we would remove later (refs: #15690)

Revision 822d198a (diff)
Added by intrigeri 5 months ago

Refresh subset of "Priority: standard" packages for Buster (refs: #15690)

This comes from the output of "tasksel --task-packages standard | sort"
run on a clean Buster system, with the packages we don't want commented out.

Revision 973d4261 (diff)
Added by intrigeri 5 months ago

Don't install 2 new "Priority: standard" packages (refs: #15690)

Revision d6a8ef2c (diff)
Added by intrigeri 5 months ago

Don't install gdbm-l10n (refs: #15690).

It's installed on this branch while it's not on current feature/buster.

Revision b00d9a60 (diff)
Added by intrigeri 4 months ago

Don't install full-blown cryptsetup, take 2 (refs: #15690)

We've stopped installing it (#16264) but this branch independently
reintroduced it.

Revision eaeb426f
Added by intrigeri 4 months ago

Merge branch 'bugfix/15690-stop-installing-all-priority-standard-packages' into feature/buster

Closes: #15690, #15854

History

#1 Updated by intrigeri 11 months ago

  • Related to Bug #15419: Detect earlier in the dev process if we're breaking automatic upgrades added

#2 Updated by intrigeri 11 months ago

  • Related to Bug #15418: Find out what's going on with Exim in our ISO build process added

#3 Updated by intrigeri 11 months ago

  • Related to Bug #13426: Tor does not start on Tails 3.0.1 automatically upgraded from 3.0 added

#4 Updated by intrigeri 11 months ago

  • Related to Feature #15691: Refresh tails-standard.list packages list for Buster added

#5 Updated by intrigeri 11 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15690-stop-installing-all-priority-standard-packages

#6 Updated by intrigeri 11 months ago

  • Blocked by Bug #15472: Rebase our Tor Browser AppArmor policy on top of torbrowser-launcher 0.2.9-2's added

#7 Updated by intrigeri 11 months ago

  • Related to deleted (Bug #15419: Detect earlier in the dev process if we're breaking automatic upgrades)

#8 Updated by intrigeri 11 months ago

  • Blocked by Bug #15419: Detect earlier in the dev process if we're breaking automatic upgrades added

#9 Updated by intrigeri 11 months ago

  • Target version changed from Tails_3.9 to Tails_4.0
  • Feature Branch changed from bugfix/15690-stop-installing-all-priority-standard-packages to wip/bugfix/15690-stop-installing-all-priority-standard-packages

I've got a WIP branch that builds fine and the resulting packages list looks OK, but changing the installation order impacts the allocated UIDs/GIDs, which is precisely what we want to avoid here. So I think we should merge this branch into feature/buster, so that it's applied only to a release that we won't provide automatic upgrades to anyway. I doubt the kind of issues we're after here will affect Stretch again anyway: I seriously hope that once the exim4 priority override problem was identified on security.d.o, all such overrides were sync'ed from Stretch.

#10 Updated by intrigeri 11 months ago

  • Related to deleted (Feature #15691: Refresh tails-standard.list packages list for Buster)

#11 Updated by intrigeri 11 months ago

  • Blocks Feature #15691: Refresh tails-standard.list packages list for Buster added

#12 Updated by intrigeri 5 months ago

  • Blocks Bug #15854: Re-add UID/GID stability checks on feature/buster added

#13 Updated by intrigeri 5 months ago

  • Feature Branch changed from wip/bugfix/15690-stop-installing-all-priority-standard-packages to bugfix/15690-stop-installing-all-priority-standard-packages

#14 Updated by intrigeri 5 months ago

Additionally:

  1. refresh this list based on the output of tasksel --task-packages standard | sort run in a clean Buster system
  2. create a ticket to do that again for Bullseye (see #15691 for an example)

#15 Updated by intrigeri 5 months ago

  • Blocks deleted (Feature #15691: Refresh tails-standard.list packages list for Buster)

#16 Updated by intrigeri 5 months ago

  • Related to Feature #16280: Refresh tails-standard.list packages list for Bullseye added

#17 Updated by intrigeri 5 months ago

  • Assignee changed from intrigeri to CyrilBrulebois
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#18 Updated by intrigeri 5 months ago

  • Blocks Bug #16272: Compare packages lists devel vs. feature/buster added

#19 Updated by hefee 4 months ago

  • Assignee changed from CyrilBrulebois to hefee

#20 Updated by hefee 4 months ago

  • Assignee changed from hefee to intrigeri
  • QA Check changed from Ready for QA to Pass

The diff between the two package lists looks reasonable. More stuff is getting to be removed.

--- feature/buster
+++ bugfix/15690-stop-installing-all-priority-standard-packages

-aspell 0.60.7~20110707-5
-aspell-en      2018.04.16-0-1
+cryptsetup     2:2.0.6-1
 cryptsetup-bin 2:2.0.6-1
+cryptsetup-initramfs   2:2.0.6-1
+cryptsetup-run 2:2.0.6-1
-enchant        1.6.0-11.1+b1
-geoip-database 20181108-1
-libgdk-pixbuf2.0-bin   2.38.0+dfsg-7
-libgtk-3-bin   3.24.2-3
-libswitch-perl 2.17-2
-publicsuffix   20181227.1630-1

#21 Updated by intrigeri 4 months ago

  • QA Check changed from Pass to Ready for QA

> The diff between the two package lists looks reasonable. More stuff is getting to be removed.

> --- feature/buster
> +++ bugfix/15690-stop-installing-all-priority-standard-packages

> -aspell 0.60.7~20110707-5
> -aspell-en      2018.04.16-0-1
> +cryptsetup     2:2.0.6-1
>  cryptsetup-bin 2:2.0.6-1
> +cryptsetup-initramfs   2:2.0.6-1
> +cryptsetup-run 2:2.0.6-1
> -enchant        1.6.0-11.1+b1
> -geoip-database 20181108-1
> -libgdk-pixbuf2.0-bin   2.38.0+dfsg-7
> -libgtk-3-bin   3.24.2-3
> -libswitch-perl 2.17-2
> -publicsuffix   20181227.1630-1
> 

Thanks for checking!

  • aspell, aspell-en, enchant: I left them out on purpose as per #16272#note-3 (otherwise #16272 would lead to another branch that removes them anyway :)
  • cryptsetup: this branch independently re-introduces stuff that we've removed for #16264; fixed with b00d9a608b6f4e1ab9e22b24f389468587c2d529, will compare the packages lists again before merging into feature/buster
  • libgtk-3-bin, publicsuffix: similarly to aspell, we don't ship them in Tails 3.x, no reason to add it here just to remove them later
  • geoip-database, libgdk-pixbuf2.0-bin, libswitch-perl: I doubt we need them, let's see how it goes without them
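
The package list comparison discussed in the two comments above can be scripted so that additions are reported separately from removals. This is an added example, not Tails code: the function names, the allow-list file and the "package<TAB>version" manifest format (the default output of dpkg-query -W) are assumptions, and the sample data is constructed from names and versions quoted in the comments.

```shell
#!/bin/sh
# Added example, not Tails code. Manifests hold "package<TAB>version" lines.

# compare_manifests OLD NEW
# "-pkg ver": only in OLD; "+pkg ver": only in NEW; "~pkg old -> new": changed.
compare_manifests() {
    awk '
        NF < 2 || /^#/ { next }                      # skip blanks and comments
        FILENAME == ARGV[1] { old[$1] = $2; next }   # first file is the baseline
        { new[$1] = $2 }
        END {
            for (p in old) if (!(p in new)) print "-" p "\t" old[p]
            for (p in new) {
                if (!(p in old)) print "+" p "\t" new[p]
                # appending "" forces a string compare: 2.10 and 2.1 differ
                else if ((old[p] "") != (new[p] ""))
                    print "~" p "\t" old[p] " -> " new[p]
            }
        }' "$1" "$2" | LC_ALL=C sort -k1.2
}

# added_not_allowed OLD NEW ALLOWLIST
# Prints added package names missing from ALLOWLIST (one name per line) and
# returns 1 if there are any, so a build job can stop on them.
added_not_allowed() {
    _extra=$(compare_manifests "$1" "$2" | awk -v allow="$3" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        /^\+/ { name = substr($1, 2); if (!(name in ok)) print name }')
    [ -z "$_extra" ] && return 0
    printf '%s\n' "$_extra"
    return 1
}

# Constructed sample manifests (hypothetical file names "old" and "new").
write_samples() {
    printf '%s\t%s\n' aspell 0.60.7~20110707-5 aspell-en 2018.04.16-0-1 \
        cryptsetup-bin 2:2.0.6-1 enchant 1.6.0-11.1+b1 > "$1/old"
    printf '%s\t%s\n' cryptsetup 2:2.0.6-1 cryptsetup-bin 2:2.0.6-1 \
        cryptsetup-initramfs 2:2.0.6-1 cryptsetup-run 2:2.0.6-1 > "$1/new"
}

tmp=$(mktemp -d) && write_samples "$tmp"
compare_manifests "$tmp/old" "$tmp/new"
added_not_allowed "$tmp/old" "$tmp/new" /dev/null >/dev/null ||
    echo "additions need review"
rm -rf "$tmp"
```

With an empty allow-list every added package is reported, which is the case that would have flagged the reintroduced cryptsetup packages.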

#22 Updated by hefee 4 months ago

  • QA Check changed from Ready for QA to Pass
  • aspell, aspell-en, enchant: I left them out on purpose as per #16272#note-3 (otherwise #16272 would lead to another branch that removes them anyway :)

ok

ok

  • libgtk-3-bin, publicsuffix: similarly to aspell, we don't ship them in Tails 3.x, no reason to add it here just to remove them later

ok

  • geoip-database, libgdk-pixbuf2.0-bin, libswitch-perl: I doubt we need them, let's see how it goes without them

Libs are mostly just installed as dependencies, so if the purpose of installation is gone, it is mostly safe to remove the libs too.

#23 Updated by intrigeri 4 months ago

  • QA Check changed from Pass to Ready for QA

(As per "will compare the packages lists again before merging into feature/buster")

#24 Updated by intrigeri 4 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100

#25 Updated by intrigeri 4 months ago

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass
