From: "Roberto A. Foglietta" <roberto.foglietta@gmail.com>
Date: Mon, 26 Sep 2022 09:53:26 +0200
Subject: Re: apt-mark hold package within postinst
To: Henning Schild <henning.schild@siemens.com>
Cc: isar-users@googlegroups.com
In-Reply-To: <20220926090936.73382d26@md1za8fc.ad001.siemens.net>

On Mon 26 Sep 2022, 09:09 Henning Schild <henning.schild@siemens.com> wrote:

> On Sat, 24 Sep 2022 22:53:22 +0200
> "Roberto A. Foglietta" <roberto.foglietta@gmail.com> wrote:
>
> > On Fri 23 Sep 2022, 12:56 Henning Schild <henning.schild@siemens.com>
> > wrote:
> >
> > > On Fri, 23 Sep 2022 11:58:53 +0200
> > > "Roberto A. Foglietta" <roberto.foglietta@gmail.com> wrote:
> > >
> > > > On Fri 23 Sep 2022, 11:22 Roberto A. Foglietta
> > > > <roberto.foglietta@gmail.com> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > Repackaged .deb files should not be upgraded from any external
> > > > > source, so they should be marked on hold. Easy, but obviously not
> > > > > possible to do within postinst. Not in a straightforward way, at
> > > > > least. Am I wrong?
> > > > >
> > >
> > > If you rebuild you should add some suffix to PV
> > >
> > > CHANGELOG_V ?= "${PV}+roberto"
> > >
> > > During installation of isar itself your rebuilt package will win
> > > anyways. Make sure to add it to IMAGE_INSTALL instead of
> > > PREINSTALL, or make sure to have a bitbake DEPENDS if it comes in
> > > via a debian dep chain.
> > >
> > > But during lifetime any apt-get upgrade could replace yours when
> > > debian brings an update. To deal with that it is best to deploy a
> > > preferences file with some dpkg-raw configuration package.
> > >
> > > roberto-pin_0.1.bb:
> > > inherit dpkg-raw
> > > do_install() {
> > >     install -d ${D}/etc/apt/preferences.d
> > >     # printf rather than echo -e: portable to any /bin/sh; the trailing
> > >     # backslash keeps the redirect on the same command
> > >     printf 'Package: *\nPin: version *+roberto*\nPin-Priority: 1000\n' \
> > >         > ${D}/etc/apt/preferences.d/${PN}
> > > }
> > >
> > > With this all packages that have the roberto suffix will become
> > > non-replaceable ... unless someone uses that same suffix.
> > >
> > > Generally you want to try and mainline all your changes to avoid
> > > local rebuilds.
> > >
> > > Another trick would be an empty package that conflicts with anything
> > > greater than "${PV}+roberto", that should also prevent updates. Not
> > > sure which way is better.
> > >
> > > We mostly build images that are replaced as a whole and will not get
> > > much "apt-get" during their life. Note that kernel updates with
> > > apt-get will not easily work in an isar built image. It will depend
> > > on your bootloader whether it might work, and you might have to add
> > > scripts that update bootloader configs after kernel install.
> > >
> >
> > Dear Henning,
> >
> > first of all, thank you for your explanation. I thought about it and
> > arrived at the conclusion that your solution is good but too
> > definitive for my needs/goals.
> >
> > The problem is 1. that even without any update available the original
> > packages are seen as updates and
>
> That should not happen, if it really does we need to fix that. When the
> rootfs gets its packages installed all the ones built with isar should
> have higher prio even if one is a rebuild that did not increase the PV.
>
> Maybe you can send an example where that does not work as expected.

Ok, I will investigate it deeply.

> > 2. I wish to avoid that the user
> > upgrades the repackaged packages, installing the dependencies I removed.
> >
> > However, I am not interested in making their upgrade difficult.
> > Probably, I will only keep the packages on hold at installation, but
> > even remove the holding as configuration.
>
> If your system is really closed/embedded but somehow open for someone to
> install updates and additional stuff ... I would again like to really
> stress that rdep removal is a really bad idea. You will not know what
> people do and you seriously break their assumptions if they think they
> deal with debian/ubuntu.
> Only modify that debian for a really good reason! You could see it with
> the removed man-pages, and then "jre" could not be installed anymore.

It is an evaluation system aimed to be tried by human users.

> > Just a way to avoid that kids break up the system just with a basic
> > admin operation without further complications.
>
> That sounds like security might be your reasoning to remove some
> packages. Installing less naturally decreases the attack surface, but
> the removal also can have a negative impact on the availability ...
> also security.
> Software stacks are simply large and keep growing. You might want to
> consider apparmor or selinux instead of ripping out bits without a
> concrete problem. Debian will handle CVEs just fine for you, if you
> mess with it you rather risk that their updates will not fit on your
> modified system.

As every evaluation system, it has no security nor any quality/grade
granted. However, I do not want it to break apart in a minute by any
reasonable/expected user interaction. It should reasonably work as a
proof-of-concept / commercial-demo, ONLY. Other people more experienced
than me will be in charge of providing the custom system for production
with an industrial grade and everything else that is needed for that
market positioning.

Thanks, R-
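The apt candidate selection that the `Pin: version *+roberto*` stanza from the dpkg-raw recipe relies on, as an added Python example that is not part of this thread or of isar: it implements dpkg's version ordering and apt's first-matching-record pin lookup, and shows that with Pin-Priority 1000 the local rebuild stays the candidate even when Debian ships a higher version, while without the pin the newer Debian version wins. The package name `foo` and the version strings `1.9-1+roberto` and `2.0-1` are constructed for the example.

```python
import fnmatch, re
from functools import cmp_to_key
from itertools import zip_longest

def _order(c):
    # dpkg character weight: '~' sorts before everything, letters before punctuation.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg ordering of one upstream-version or revision string: alternating runs of
    # non-digits (weighed by _order, end of string = 0) and digits (compared numerically).
    ta, tb = (re.findall(r"\d+|\D+", s) for s in (a, b))
    for t in (ta, tb):
        if t and t[0].isdigit(): t.insert(0, "")   # always start with a non-digit run
    for x, y in zip_longest(ta, tb, fillvalue=""):
        if x.isdigit() or y.isdigit():
            if int(x or 0) != int(y or 0): return int(x or 0) - int(y or 0)
        else:
            n = max(len(x), len(y))
            wx = [_order(c) for c in x] + [0] * (n - len(x))
            wy = [_order(c) for c in y] + [0] * (n - len(y))
            if wx != wy: return (wx > wy) - (wx < wy)
    return 0

def dpkg_compare(v1, v2):
    # "[epoch:]upstream[-revision]" compared field by field, like dpkg --compare-versions.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        return (int(epoch), *(rest.rsplit("-", 1) if "-" in rest else (rest, "")))
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_preferences(text):
    # apt_preferences(5) stanzas; only "Pin: version <glob>" records are modelled here.
    pins = []
    for stanza in filter(str.strip, text.split("\n\n")):
        f = dict(line.split(": ", 1) for line in stanza.splitlines() if line.strip())
        assert f["Pin"].startswith("version "), "only 'Pin: version' pins are modelled"
        pins.append((f["Package"], f["Pin"][len("version "):], int(f["Pin-Priority"])))
    return pins

def pin_priority(pkg, version, pins, default=500):
    # First matching record sets the priority (apt also prefers "Package: name" over "Package: *").
    for name, pattern, prio in pins:
        if name in ("*", pkg) and fnmatch.fnmatchcase(version, pattern): return prio
    return default

def candidate(pkg, versions, pins):
    # apt's candidate: highest pin priority wins, ties go to the higher dpkg version.
    policy = lambda a, b: (pin_priority(pkg, a, pins) - pin_priority(pkg, b, pins)) or dpkg_compare(a, b)
    return max(versions, key=cmp_to_key(policy))

# Constructed sample: the stanza from the recipe above, plus the local rebuild and a newer
# Debian upload of a hypothetical package "foo".
PIN_ROBERTO = "Package: *\nPin: version *+roberto*\nPin-Priority: 1000\n"
AVAILABLE = ["1.9-1+roberto", "2.0-1"]
```

Note that `1.9-1+roberto` sorts above `1.9-1` but below `2.0-1` in dpkg order, so without the pin the first `apt-get upgrade` after a Debian upload replaces the rebuild.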