Date: Mon, 26 Sep 2022 14:27:58 +0200
From: Henning Schild
To: "Roberto A. Foglietta"
Cc: isar-users@googlegroups.com
Subject: Re: apt-mark hold package within postinst
Message-ID: <20220926142758.051d76c2@md1za8fc.ad001.siemens.net>

On Mon, 26 Sep 2022 09:53:26 +0200, "Roberto A. Foglietta" wrote:

> On Mon 26 Sep 2022, 09:09, Henning Schild
> wrote:
>
> > On Sat, 24 Sep 2022 22:53:22 +0200,
> > "Roberto A. Foglietta" wrote:
> >
> > > On Fri 23 Sep 2022, 12:56, Henning Schild
> > > wrote:
> > >
> > > > On Fri, 23 Sep 2022 11:58:53 +0200,
> > > > "Roberto A. Foglietta" wrote:
> > > >
> > > > > On Fri 23 Sep 2022, 11:22, Roberto A. Foglietta
> > > > > wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > .deb repackaged should not upgrade with any external
> > > > > > source so they should be marked on hold. Easy but not possible
> > > > > > to do within postinst obviously. Not in a straight way, at
> > > > > > least. Am I wrong?
> > > >
> > > > If you rebuild you should add some suffix to PV
> > > >
> > > > CHANGELOG_V ?= "${PV}+roberto"
> > > >
> > > > During installation of isar itself your rebuilt package will win
> > > > anyways. Make sure to add it to IMAGE_INSTALL instead of
> > > > PREINSTALL, or make sure to have a bitbake DEPENDS if it comes
> > > > in via a debian dep chain.
> > > >
> > > > But during lifetime any apt-get upgrade could replace yours when
> > > > debian brings an update. To deal with that it is best to deploy
> > > > a preferences file with some dpkg-raw configuration package.
> > > >
> > > > roberto-pin_0.1.bb:
> > > > inherit dpkg-raw
> > > > do_install() {
> > > >     echo -e "Package: *\nPin: version *+roberto*\nPin-Priority: 1000" > ${D}/etc/apt/preferences.d/${PN}
> > > > }
> > > >
> > > > With this all packages that have the roberto suffix will become
> > > > non-replaceable ... unless someone uses that same suffix.
> > > >
> > > > Generally you want to try and mainline all your changes to avoid
> > > > local rebuilds.
> > > >
> > > > Another trick would be an empty package that conflicts with
> > > > anything greater than "${PV}+roberto", that should also prevent
> > > > updates. Not sure which way is better.
> > > >
> > > > We mostly build images that are replaced as a whole and will
> > > > not get much "apt-get" during their life. Note that kernel
> > > > updates with apt-get will not easily work in an isar built
> > > > image. It will depend on your bootloader whether it might work,
> > > > and you might have to add scripts that update bootloader
> > > > configs after kernel install.
> > >
> > > Dear Henning,
> > >
> > > first of all, thank you for your explanation. I think about it
> > > and I arrived to the conclusion that your solution is good but too
> > > definitive for my need/goals.
> > >
> > > The problem is 1. that even without any update available the
> > > original packages are seen as updates and
> >
> > That should not happen, if it really does we need to fix that. When
> > the rootfs gets its packages installed all the ones built with isar
> > should have higher prio even if one is a rebuild that did not
> > increase the PV.
> >
> > Maybe you can send an example where that does not work as expected.
>
> Ok, I will investigate it deeply.
>
> > > 2. I wish to avoid that the user
> > > upgrade the repackaged packages installing the dependencies I
> > > removed.
> > >
> > > However, I am not interested in making their upgrade difficult.
> > > Probably, I will keep only hold the packages at the installation
> > > but even remove the holding as configuration.
> >
> > If your system is really closed/embedded but somehow open for
> > someone to install updates and additional stuff ... i would again
> > like to really stress that rdep removal is a really bad idea. You
> > will not know what people do and you seriously break their
> > assumptions if they think they deal with debian/ubuntu.
> > Do only modify that debian for a really good reason! You could see
> > with the removed man-pages and then "jre" can not be installed
> > anymore.
>
> It is an evaluation system aimed to be tried by human users.
>
> > > Just a way to avoid that kids break up the system just with a basic
> > > admin operation without further complications.
> >
> > That sounds like security might be your reasoning to remove some
> > packages. Installing less naturally decreases the attack surface,
> > but the removal also can have a negative impact on the availability
> > ... also security.
> > Software stacks are simply large and keep growing. You might want to
> > consider apparmor or selinux instead of ripping out bits without a
> > concrete problem. Debian will handle CVEs just fine for you, if you
> > mess with it you rather risk that their updates will not fit on your
> > modified system.
>
> As every evaluation system, it has no security nor any quality/grade
> granted.
>
> However, I do not want it breaks apart in a minute by any
> reasonable/expected user interaction.
>
> It should reasonably work as proof-of-concept / commercial-demo, ONLY.

In that case skip _all_ customization. Leave the docs installed, all
runtime deps etc. Just install a debian, your applications and deploy
your preconfiguration ... done. That is also the advice i would have
for any product, but there one sometimes sees very strange
requirements/constraints which force one to touch what one should not.
... that debian base ...

Henning

> Other people more experienced than me will be in charge to provide the
> custom system for the production with an industrial grade and
> everything else is needed for that market positioning.
>
> Thanks, R-