From: ydirson@free.fr
To: Henning Schild
Cc: Anton Mikanovich, isar-users@googlegroups.com
Date: Tue, 26 Oct 2021 23:28:35 +0200 (CEST)
Subject: Re: isar-bootstrap
Message-ID: <1548129620.1347950321.1635283715616.JavaMail.root@zimbra39-e7>
In-Reply-To: <20211026231545.74e85f5d@md1za8fc.ad001.siemens.net>

----- Original message -----
> From: "Henning Schild"
> To: ydirson@free.fr
> Cc: "Anton Mikanovich", isar-users@googlegroups.com
> Sent: Tuesday, 26 October 2021 23:15:45
> Subject: Re: isar-bootstrap
>
> On Tue, 26 Oct 2021 22:48:53 +0200 (CEST), ydirson@free.fr wrote:
>
> > > For the download Isar goes the pragmatic way and lets Debian fetch
> > > what it wants. With a few exceptions ... i.e. there is only one
> > > "global apt-get update", so you have to hope that you can apt-get
> > > install what that initial run created your external database for.
> > > In practice that does not fail too often ... or you have to clean
> > > build again.
> > >
> > > If you really need to pin Debian down to what it fetches, because
> > > for some reason (like repro build) you need your own mirror. In
> > > fact Isar spits out a partial Debian mirror after an "online" build
> > > (base-apt). That can be used for consecutive offline builds, or as
> > > a base for consecutive "online" builds with custom
> > > DISTRO_APT_SOURCES.
> > >
> > > While snapshots.debian.org can be used as DISTRO_APT_SOURCES mirror
> > > in theory ... in practice it has rate-limiting in place. So you
> > > might succeed in a manual build that you retry over and over (or a
> > > small image), but in CI without caching ... you will never get a
> > > big image to build. That rate-limiting issue will need to be
> > > discussed with snapshots; we are not the first ones to have issues
> > > with it.
> > > But I personally would tell people to simply not freeze if they
> > > can, and the ones that need to freeze I would in fact tell to get a
> > > full Debian mirror of their own, instead of a partial one produced
> > > by Isar's base-apt.
> > > As an OSS project you might see less of a need for freezing;
> > > tracking in fact is a security feature ... and Debian will not do
> > > much more than security on their stable distros.
> >
> > This is more of a concern for reproducibility of the build process
> > at package level. Probably this was not published very widely, but
> > there has been work on Debian package reproducibility in the context
> > of Qubes already, including a solution to the snapshots.d.o problem:
> >
> > https://forum.qubes-os.org/t/reproducible-builds-for-debian-a-big-step-forward/6800
>
> Cool stuff! I will give that service a try and look into where the
> tool debrebuild comes into play. A tool that might in itself add some
> value.
>
> But to me it all seems like a workaround of the rate-limiting on
> snapshots. A problem that can maybe be solved with funding, in case it
> is a cost problem. In Siemens people end up with their own
> implementations of snapshots, which in sum likely costs more than
> funding the real one for public non-limited use (together with other
> stakeholders).
> Still, getting funding right and stable might be harder than any
> costly workaround downstream.
> I think I also heard trust arguments against snapshots, but those
> might just be pointless. Even if it is not Debian (is it?) there will
> be gpg in place,

Yes, it started as an independent service (from a DD, as
snapshots.debian.net) but has been an official one for some time now.
And it hosts the original Debian-signed indices, so that's just
"trusting Debian" at all levels.

> but then you still need to trust that you get what you asked for,
> because if a snapshot holds back a security update gpg would not be
> able to tell.
>
> But yes, good stuff! I bet that can be used in Isar somehow, but maybe
> only in your layers. You might not want the load from others on your
> infra. And the amd64 limitation is kind of severe. We have arm64
> becoming more and more relevant and even riscv working for early
> prototypes. And i686 and arm32 floating around in places for some time
> to be maintained.
Well, that limitation, I guess, is mostly that it's the only arch used in
Qubes today; I assume it should work with other archs too, as long as
someone funds a server :)
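The thread touches on the one thing a GPG-signed apt index cannot tell you: whether a pinned snapshot or partial mirror (base-apt, a private snapshots clone) is still the *current* index or one that quietly lags the archive. What apt itself relies on for that is the Date / Valid-Until pair inside the Release file, which it enforces unless Acquire::Check-Valid-Until is turned off (the option snapshot users commonly disable precisely because their pinned Release has expired). The script below is an added example, not code from this thread, from Isar or from Debian: it parses Release files, classifies their freshness against a reference time, and compares a pinned Release against a live one for the same suite to report how far behind it is and which index files differ. The two Release files, their SHA256 values and the reference time NOW are constructed for illustration (the digests are placeholders, not real Debian hashes); signature verification is assumed to have already happened with gpgv on InRelease, since this check is about what the signature does not cover.

```python
# Added example (not from the isar-users thread, Isar or Debian).
# Release files, hashes and NOW below are constructed for illustration.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

OLD_PKGS_AMD64 = "3f2a" * 16   # placeholder digest, not a real one
NEW_PKGS_AMD64 = "9e4b" * 16   # placeholder: amd64 Packages changed upstream
PKGS_ARM64 = "7c1d" * 16       # placeholder: arm64 Packages unchanged

# A Release as a frozen snapshot/partial mirror would keep serving it.
PINNED_RELEASE = f"""\
Origin: Debian
Label: Debian
Suite: stable
Codename: bullseye
Date: Sat, 09 Oct 2021 10:07:21 UTC
Valid-Until: Sat, 16 Oct 2021 10:07:21 UTC
Architectures: amd64 arm64
Components: main
SHA256:
 {OLD_PKGS_AMD64} 9123456 main/binary-amd64/Packages
 {PKGS_ARM64} 8123456 main/binary-arm64/Packages
"""

# The Release the live archive serves for the same suite at build time.
LIVE_RELEASE = f"""\
Origin: Debian
Label: Debian
Suite: stable
Codename: bullseye
Date: Tue, 26 Oct 2021 10:07:21 UTC
Valid-Until: Tue, 02 Nov 2021 10:07:21 UTC
Architectures: amd64 arm64
Components: main
SHA256:
 {NEW_PKGS_AMD64} 9234567 main/binary-amd64/Packages
 {PKGS_ARM64} 8123456 main/binary-arm64/Packages
"""

# Same pinned index without Valid-Until: apt has no expiry to enforce at all.
UNBOUNDED_RELEASE = "\n".join(
    line for line in PINNED_RELEASE.splitlines()
    if not line.startswith("Valid-Until:")) + "\n"

# Reference time for the freshness check (the date of this thread).
NOW = datetime(2021, 10, 26, 21, 28, tzinfo=timezone.utc)


def parse_release(text: str) -> dict:
    """Parse the header block of an apt Release file.

    Simple fields map to their string value; hash lists (SHA256: followed by
    indented " <digest> <size> <path>" lines) map to a list of split lines.
    """
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                      # continuation of a hash list
            if key is None or not isinstance(fields[key], list):
                raise ValueError(f"continuation without list field: {line!r}")
            fields[key].append(line.split())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed Release line: {line!r}")
        value = value.strip()
        fields[key] = value if value else []      # empty value opens a list
    return fields


def _utc(rfc822: str) -> datetime:
    """Release dates are RFC 822 dates; normalise to an aware UTC datetime."""
    dt = parsedate_to_datetime(rfc822)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def freshness(rel: dict, now: datetime) -> str:
    """'fresh', 'expired', or 'no-valid-until' when nothing bounds the index."""
    if "Valid-Until" not in rel:
        return "no-valid-until"
    return "expired" if now > _utc(rel["Valid-Until"]) else "fresh"


def index_hashes(rel: dict) -> dict:
    """Map index path -> SHA256 digest from the Release's SHA256 list."""
    return {path: digest for digest, _size, path in rel.get("SHA256", [])}


def compare_indices(pinned: dict, live: dict) -> dict:
    """How far the pinned Release lags the live one, and which indices differ.

    A valid signature on 'pinned' says nothing about this; only comparing
    against an independently fetched current Release does.
    """
    if pinned.get("Suite") != live.get("Suite"):
        raise ValueError("Release files describe different suites")
    lag = _utc(live["Date"]) - _utc(pinned["Date"])
    p, l = index_hashes(pinned), index_hashes(live)
    changed = sorted(path for path in p.keys() | l.keys()
                     if p.get(path) != l.get(path))
    return {"lag_days": lag.days, "changed": changed}


if __name__ == "__main__":
    pinned, live = parse_release(PINNED_RELEASE), parse_release(LIVE_RELEASE)
    print("pinned:", freshness(pinned, NOW), "| live:", freshness(live, NOW))
    print("unbounded:", freshness(parse_release(UNBOUNDED_RELEASE), NOW))
    print(compare_indices(pinned, live))
```

Run against real data, feed the script the InRelease bodies fetched from the pinned source and from a current mirror after gpgv has accepted them; the expired/no-valid-until result is the part gpg cannot give you, and the changed-index list shows which Packages files would have been served stale had Check-Valid-Until been disabled.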