Conversation

lool
Contributor

@lool lool commented Oct 15, 2025

Collection of APT fixes:

  • fix(debos/rootfs): Add missing trixie suites
  • fix(debos/rootfs): Update debootstrap components
  • feat(debos/rootfs): Add Debian backports
  • feat(debos/rootfs): APT pinning for pipewire
  • fix(debos): Bump imagesize to 4.5GiB


Test Results

 2 files  ±0   6 suites  ±0   6m 12s ⏱️ ±0s
20 tests ±0  20 ✅ ±0  0 💤 ±0  0 ❌ ±0 
64 runs  ±0  64 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit f614049. ± Comparison against base commit 4073c53.


Test jobs for commit f614049

@lool
Contributor Author

lool commented Oct 15, 2025

I did a first version as an embedded shell snippet in the rootfs.yaml recipe, until I decided that going for overlays would be cleaner. The first version correctly exhibited these sources:

Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
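The stanzas above are the point of the first two commits: without trixie-updates and trixie-security the rootfs keeps whatever debootstrap installed. The following is an added example (not code from the PR or from the debos recipes) that parses a deb822 sources file and reports the two things a build check should fail on: a stanza without Signed-By, and a required suite that is missing. The first sample text is reproduced from the comment above; the second sample and the required-suite list are constructed assumptions for illustration.

```python
"""Check an APT deb822 sources file for required suites and Signed-By keys.

Added example, not part of the PR. SOURCES_OK is reproduced from the PR
comment; SOURCES_BARE and REQUIRED are constructed assumptions.
"""

# Reproduced from the PR comment: the three stanzas the first version produced.
SOURCES_OK = """\
Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
"""

# Constructed: a single release-only stanza with no security suite and no
# Signed-By, the shape a bare debootstrap leaves behind.
SOURCES_BARE = """\
Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie
Components: main
"""

# Assumption: the suites an image must pull from (release, stable updates, security).
REQUIRED = ("trixie", "trixie-updates", "trixie-security")


def parse_deb822(text):
    """Parse deb822 stanzas into a list of dicts (field -> value).

    Stanzas are separated by blank lines; a field is 'Name: value'; lines
    starting with '#' are comments. Continuation lines are not needed for
    sources files in practice and are not handled.
    """
    stanzas, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        field, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed deb822 line: {raw!r}")
        current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def configured_suites(stanzas):
    """Return the set of suites named by 'deb' stanzas (deb-src is ignored)."""
    suites = set()
    for st in stanzas:
        if "deb" in st.get("Types", "").split():
            suites.update(st.get("Suites", "").split())
    return suites


def check_sources(text, required_suites):
    """Return a list of problems; an empty list means the sources file passes."""
    problems = []
    stanzas = parse_deb822(text)
    for i, st in enumerate(stanzas, 1):
        # A stanza without Signed-By is verified against whatever sits in
        # trusted.gpg.d, which is wider than the archive key it should use.
        if "Signed-By" not in st:
            problems.append(f"stanza {i} ({st.get('Suites', '?')}): missing Signed-By")
    for suite in sorted(set(required_suites) - configured_suites(stanzas)):
        problems.append(f"required suite not configured: {suite}")
    return problems


if __name__ == "__main__":
    for name, text in (("ok", SOURCES_OK), ("bare", SOURCES_BARE)):
        print(name, check_sources(text, REQUIRED) or "OK")
```

Running it on the second sample reports the missing Signed-By and both missing suites; on the first it reports nothing. Dropping the check into the image build right after the overlays are applied catches the case where a recipe change silently removes a suite again.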

@lool
Contributor Author

lool commented Oct 15, 2025

In the v1, I also added an apt update and upgrade, and indeed I can see that while our daily has a vulnerable libssl (3.5.1-1), the v1 rootfs picked up 3.5.1-1+deb13u1.

@lool
Contributor Author

lool commented Oct 15, 2025

I diffed the SBOMs of v1 and v2 (after switching to overlays), and these were identical.


Test jobs for commit 7c034f6

@lool
Contributor Author

lool commented Oct 15, 2025

I can see in the latest run that we correctly picked up mesa from backports:

2025/10/15 22:07:18 apt | Get:107 http://deb.debian.org/debian trixie-backports/main arm64 libegl-mesa0 arm64 25.2.4-1~bpo13+2 [115 kB]


Test jobs for commit cfd5b02

@lool
Contributor Author

lool commented Oct 15, 2025

Diff (attached) between daily build and latest build shows:

  • security updates (e.g. libssl)
  • stable updates (e.g. systemd)
  • updated packages from backports

The updates from backports are interesting:

  • mesa taking over ours (good)
  • updated firmware (good)
  • updated libcamera with new SONAME and new dependency (a bit intrusive, but perhaps what we want)

diff.txt

lool added 6 commits October 16, 2025 01:52
Add missing trixie-updates and trixie-security suites as these aren't
created by debootstrap by default. Run an APT update and full-upgrade
to pick up changes from these suites.

Signed-off-by: Loïc Minier <[email protected]>
Align the list of components used for debootstrap with the new APT
sources.

Signed-off-by: Loïc Minier <[email protected]>
Add Debian backports to APT sources and prefer them for a few key source
packages that participate in hardware enablement.

Signed-off-by: Loïc Minier <[email protected]>
Prefer pipewire from trixie-overlay over everything else.

Signed-off-by: Loïc Minier <[email protected]>
Effective rootfs size in current images is about 3.4G and is 99% full;
latest builds fail due to lack of space. Bump the default imagesize in
image.yaml and README to 4.5GiB, which is roughly 512MiB for ESP and
4GiB for rootfs. The debos imagesize parsing is based on docker/go-units
which was confirmed to support fractional sizes correctly.

Signed-off-by: Loïc Minier <[email protected]>
apt update and upgrade are done after setting up overlays already, no
need to have two upgrades with potentially intermediate package
versions.

Signed-off-by: Loïc Minier <[email protected]>

Test jobs for commit 6321ba2

@lool
Contributor Author

lool commented Oct 16, 2025

It's been some time now, probably forever, that our APT updates for image builds on AWS self-hosted runners log this:

2025/10/15 23:20:59 set -eux... | Ign:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
[...]
2025/10/15 23:20:59 set -eux... | Get:22 http://deb.debian.org/debian-security trixie-security/main Translation-en [35.9 kB]
2025/10/15 23:21:00 set -eux... | Ign:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:21:02 set -eux... | Ign:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:21:06 set -eux... | Err:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:21:06 set -eux... |   SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 35.160.231.47 443]
2025/10/15 23:21:06 set -eux... |   SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 52.10.249.110 443]
2025/10/15 23:21:06 set -eux... | Fetched 7031 kB in 7s (996 kB/s)

I don't get this error locally. APT still manages to plow through, but I guess isn't able to get a useful release file.

Surprisingly, things just worked to install e.g. mesa from that archive; but APT pinning worked differently in my local attempts (which had a release file) and in the rootfs builds on github...

I've tried adding a workaround for this: matching package versions instead of release metadata; I also had to add a workaround for an APT bug/limitation with matching versions. But this isn't working; it looks like apt-cache is very broken when the release file isn't present, and the resolver is unusable.
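The log excerpt above shows the pattern worth detecting in CI: repeated `Ign:` lines for the same item, a final `Err:` whose continuation lines say `certificate verify failed`, and then a `Fetched ...` summary as if nothing happened. The following is an added example (not code from the PR, debos or the build workflow) that parses an apt update log grouped by item number, reports fetches that ended in a TLS verification error, and lists repositories for which no InRelease was ever obtained, which is exactly the state in which the pinning and resolver behaviour described above diverges. The log lines are reproduced from the comment; the `set -eux... |` prefix is the debos action prefix seen there and is stripped before matching. Treating a missing InRelease as a build failure is a policy assumption.

```python
"""Flag TLS trust failures and unverified repositories in an apt update log.

Added example, not part of the PR. LOG is reproduced from the PR comment;
the prefix regex matches the debos action prefix seen in that log.
"""
import re
from dataclasses import dataclass, field

LOG = """\
2025/10/15 23:20:59 set -eux... | Ign:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:20:59 set -eux... | Get:22 http://deb.debian.org/debian-security trixie-security/main Translation-en [35.9 kB]
2025/10/15 23:21:00 set -eux... | Ign:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:21:02 set -eux... | Ign:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:21:06 set -eux... | Err:5 https://qartifactory-edge.qualcomm.com/artifactory/qsc-deb-releases trixie-overlay InRelease
2025/10/15 23:21:06 set -eux... |   SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 35.160.231.47 443]
2025/10/15 23:21:06 set -eux... |   SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 52.10.249.110 443]
2025/10/15 23:21:06 set -eux... | Fetched 7031 kB in 7s (996 kB/s)
"""

# debos prefixes every line with a timestamp and the action name; strip it.
PREFIX = re.compile(r"^\S+ \S+ set -eux\.\.\. \| ")
# apt's per-item lines: "<Status>:<n> <uri> <suite[/component]> <index> ..."
ITEM = re.compile(r"^(Ign|Get|Hit|Err):(\d+) (\S+) (\S+) (\S+)")


@dataclass
class Fetch:
    uri: str
    suite: str
    index: str
    status: str = "unknown"      # last status seen for this item number
    detail: list = field(default_factory=list)  # indented continuation lines


def parse_apt_update_log(text):
    """Group log lines by apt item number; indented lines are details of the last item."""
    items, last = {}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        m = ITEM.match(line)
        if m:
            status, num, uri, suite, index = m.groups()
            f = items.setdefault(num, Fetch(uri, suite, index))
            f.status = status  # Ign, Ign, Ign, Err: the final status wins
            last = f
        elif line.startswith("  ") and last is not None:
            last.detail.append(line.strip())
    return items


def tls_failures(items):
    """(uri, suite, index, reason) for fetches that ended in a certificate verify error."""
    out = []
    for f in items.values():
        reasons = [d for d in f.detail if "certificate verify failed" in d]
        if f.status == "Err" and reasons:
            out.append((f.uri, f.suite, f.index, reasons[0]))
    return out


def unverified_release(items):
    """(uri, suite) pairs whose InRelease was never fetched or hit.

    Without InRelease apt has no signed metadata for that repository, so
    release-based pins cannot match and the resolver works from stale or
    absent index data.
    """
    want = {(f.uri, f.suite) for f in items.values() if f.index == "InRelease"}
    got = {(f.uri, f.suite) for f in items.values()
           if f.index == "InRelease" and f.status in ("Get", "Hit")}
    return sorted(want - got)


if __name__ == "__main__":
    parsed = parse_apt_update_log(LOG)
    for uri, suite, index, reason in tls_failures(parsed):
        print(f"TLS failure: {uri} {suite} {index}: {reason}")
    for uri, suite in unverified_release(parsed):
        print(f"no InRelease for {uri} {suite}")
```

Piping the apt output through this after the update step turns the silent `Ign`/`Err` sequence into a hard failure, so a runner whose CA trust differs from a developer machine fails the build instead of producing an image built against unverified metadata.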


Test jobs for commit 48157cc
