Skip to content

Comments

[initramfs-tools] Replace git clone with pinned tarball + SHA256#25664

Open
rustiqly wants to merge 1 commit intosonic-net:masterfrom
rustiqly:pin/initramfs-tools-tarball
Open

[initramfs-tools] Replace git clone with pinned tarball + SHA256#25664
rustiqly wants to merge 1 commit intosonic-net:masterfrom
rustiqly:pin/initramfs-tools-tarball

Conversation

@rustiqly
Copy link
Contributor

What I did

Replace the git clone from salsa.debian.org with a pinned tarball download and SHA256 checksum verification.

Why I did it

The initramfs-tools build fetches source via git clone from Debian's GitLab instance (salsa.debian.org) during the build. This is fragile:

  • salsa.debian.org returning HTTP 502 causes the entire build to fail late in the process (after 400+ packages have already built successfully)
  • The git clone is slower than a tarball download
  • No integrity verification on the downloaded source

This happened in practice — a transient salsa.debian.org 502 killed a 30-minute build that was almost done.

How I did it

  • Download the release tarball from salsa.debian.org's archive URL instead of git clone
  • Verify SHA256 checksum (27a78cc25a...) to ensure integrity
  • Extract and rename to match the expected directory structure
  • Remove the git checkout step (tarball is already at the pinned version)
  • Quilt patches still apply normally

How to verify it

make target/debs/trixie/initramfs-tools_0.142_all.deb

The package should build identically to the git-clone version.

@rustiqly rustiqly requested a review from qiluo-msft as a code owner February 25, 2026 03:05
@mssonicbld
Copy link
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Replace the git clone from salsa.debian.org with a pinned tarball download
and SHA256 checksum verification. This improves build reliability and
reproducibility:

- Eliminates dependency on salsa.debian.org git server availability
  (HTTP 502 errors have caused build failures)
- Adds SHA256 integrity verification to detect corrupted downloads
- Tarball download is faster than full git clone
- Version is pinned via URL path and verified via checksum

Signed-off-by: Rustiqly <rustiqly@users.noreply.github.com>
@rustiqly rustiqly force-pushed the pin/initramfs-tools-tarball branch from 3e8bb9b to 9603593 Compare February 25, 2026 15:01
@mssonicbld
Copy link
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants