On Mon, 09 Jun 2025 at 10:21:34 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2025-06-07 14:52:33 +0100, Simon McVittie wrote:
>> What I'm trying to avoid is that when I bootstrap a container with
>> Essential + apt,
>
> To be clear, we're talking here about devscripts, which isn't involved
> in either Essential or apt, right?

Sorry, yes, I was conflating two things here.
When I bootstrap an Essential + apt container, you're right that
devscripts isn't involved, but I want apt to pull in a predictable
implementation of whatever interface apt uses to verify signatures, and
not flap between two or more different implementations with each
rebuild. At the moment, apt has a hard dependency on sqv rather than
participating in alternatives, which is great for predictability
(although less so for flexibility).
And, when I bootstrap an Essential + apt container and then install a
stack of additional packages to make a runtime platform or SDK (which
might reasonably include devscripts), I want that container to pull in a
predictable implementation of whatever interface devscripts uses to
verify signatures, and not flap between two or more different implementations
with each rebuild. This is the use-case that devscripts' dependencies
contribute to.
A concrete example is that the Steam Runtime SDK that I help to maintain
for Valve does pull in devscripts - albeit without most of its
Recommends, because we only want parts of its functionality.
smcv