From: ydirson@free.fr
To: Henning Schild
Cc: Anton Mikanovich, isar-users@googlegroups.com
Date: Tue, 26 Oct 2021 22:48:53 +0200 (CEST)
Subject: Re: isar-bootstrap
Message-ID: <849250711.1347880253.1635281333166.JavaMail.root@zimbra39-e7>
In-Reply-To: <20211026214408.22030b2f@md1za8fc.ad001.siemens.net>

> For the download Isar goes the pragmatic way and lets debian fetch what
> it wants.
> With a few exceptions ... i.e. there is only one "global
> apt-get update" so you have to hope that you can apt-get install what
> that initial run created your external database for. In practice that
> does not fail too often ... or you have to clean build again.
>
> If you really need to pin debian down to what it fetches, because for
> some reason (like repro build) you need your own mirror. In fact Isar
> spits out a partial debian mirror after an "online" build (base-apt).
> That can be used for consecutive offline builds, or as a base for
> consecutive "online" builds with custom DISTRO_APT_SOURCES.
>
> While snapshots.debian.org can be used as DISTRO_APT_SOURCES mirror in
> theory ... in practice it has rate-limiting in place. So you might
> succeed in a manual build that you retry over and over (or a small
> image), but in CI without caching ... you will never get a big image to
> build. That rate-limiting issue will need to be discussed with
> snapshots, we are not the first ones to have issues with it.
> But I personally would tell people to simply not freeze if they can,
> and the ones that need to freeze I would in fact tell to get a full
> debian mirror of their own, instead of a partial one produced by isars
> base-apt.
> As an OSS project you might see less of a need of freezing, tracking in
> fact is a security feature ... and debian will not do much more than
> security on their stable distros.

This is more of a concern for reproducibility of the build process at
package level.

Probably this was not published very widely, but there has been work on
Debian package reproducibility in the context of Qubes already, including
a solution to the snapshots.d.o problem:

https://forum.qubes-os.org/t/reproducible-builds-for-debian-a-big-step-forward/6800

Best regards,
--
Yann