Hi,

Quoting Chris Hofstaedtler (2025-02-22 00:52:59)
> > Yes, I fully agree that this is not really an issue for scripts, they
> > can be adjusted, but it is more problematic for interactive users,
> > either directly or probably through sbuild when adding extra chroots.
> 
> In light of todays discussion about build tarballs, a simpler
> solution for ca-certificates struck me: why not raise the Priority:
> of ca-certificates to important or higher?

you can do that but it will not fix this problem. Debian Policy says:

> If build-time dependencies are specified, it must be possible to build the
> package and produce working binaries on a system with only essential and
> build-essential packages installed

Our buildd chroots used to install much more than that until recently when
this changed in debootstrap:

https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/106

The majority of the work was done by Santiago Vila who has been diligent with
finding and filing bugs for packages which FTBFS with only Essential and
build-essential installed.

Packages with Priority:required are no longer installed for Trixie
and later. There is a bug for mmdebstrap to do the same: #1091866

Note though that even after this change, 'apt' still gets installed into buildd
chroots even though it is neither Essential nor build-essential. This is
because sbuild cannot (yet) work with chroots that do not have apt installed in
them.

> I see two good reasons to do this:
> 
> 1) the (non-)presence of ca-certificates in a build environment
> should not depend on the used mirror to create the chroot. It's
> (non-)presence can cause other packages to FTBFS or otherwise differ
> in their builds. Having it always be present would give us a more
> consistent build environment.

Not having it present also makes the build environment consistent. So
consistency is not an argument *for* installing it. In the long run, I propose
to go the other way: lets not have apt inside the chroot. Without apt inside
the chroot, there is also no ca-certificates required inside the chroot and the
problem is solved as well in a consistent way, no?

Thanks to reproduce.d.n we also have continuous CI testing package builds in
chroots without apt today. This highlights another problem of installing more
than build-essential inside buildd chroots: the .buildinfo files will not store
information about packages like apt, fakeroot or ca-certificates and thus,
rebuilds on reproduce.d.n will not contain them.

> 2) I'd argue an OS install that cannot practically speak TLS to
> anything is not very useful.

I agree. But this is not an OS install. I'd also argue that an OS install
should have an init but we do not install and run systemd inside buildd chroots
either. I think in contrast to an OS install, a buildd chroot should be as
minimal as possible so that we can find problems involving undeclared build
dependencies early.

> What do people think?
> 
> Should we approach the ca-certificates maintainers and ftpmasters?

I'd rather work towards a future that makes buildd chroots smaller, not large.
The current soft-blocker in sbuild for apt-less buildd chroots to happen is
schroot. In contrast to the unshare backend, the schroot backend is unable to
support running apt from outside the chroot. It's not a hard-blocker because
using a lot of special-casing, we can make the unshare backend special and let
it do different things. But that's not work I have done yet. Thanks to Jochen
the first step in this direction is done though and buildds run the unshare
backend. I expect that during Trixie, sbuild will also support apt-less
chroots.

Thanks!

cheers, josch

Attachment: signature.asc
Description: signature

Reply via email to