On Sun, Oct 28, 2018 at 12:37:45AM +0100, Aaron Gray wrote:
> Marek,
>
> Hope you don't mind me writing to you off list.

I definitely prefer such discussion on the mailing list. Adding qubes-devel.

> What are your thoughts on docker'izing The Qubes build system ?

I think if we'd started writing qubes-builder a few years later, we'd definitely have considered docker from the start (but not necessarily chosen it). There are a few catches:

1. Docker uses a trust-on-first-use verification model (in some combinations even this is disabled), which is a big issue - it's much weaker than the per-package signature verification which we currently do. If the docker image build were reproducible, then it could be solved by referencing a specific image hash. Without that, we'd be extending trust to docker infrastructure (and also whoever built the docker images), which is a major drawback.

2. While docker may (but see below) provide a good environment for building individual packages, it isn't necessarily such a good thing for template builds (optimizations done for docker may interfere later when running such a system in a Qubes VM). Right now, preparing the initial environment is shared for those two purposes (at least for Fedora; for Debian there are two distinct calls to debootstrap).

3. Each distribution has its own native mechanism for preparing a build environment. We're slowly switching to that, instead of manual chroot preparation. For Fedora/CentOS this is mock, already integrated into builder-rpm and can be enabled with the RPM_USE_MOCKBUILD=1 builder.conf option. We use it to build Fedora packages for R4.0 already. For Debian this is pbuilder or sbuild. Preliminary support is here: https://github.com/marmarek/qubes-builder-debian/tree/reprobuild It requires a little more testing and probably a few bug fixes. As long as R3.2 is supported, we still need the legacy build scripts, but later those can be dropped.

When using native tools, you still have some requirements regarding the build host - for example you need to install them. But in practice it isn't such a big issue - for example right now it's possible to use both mock and pbuilder on both Fedora and Debian. BTW mock does use containers internally (depending on configuration), just not docker.

> If I was to do this well and to your satisfaction would you be interested
> in either using it or using it in parallel to the existing build system ?

As you can see, there is an alternative path to get rid of manual chroot building (all those prepare-chroot-* scripts). I don't know about other distributions, but I believe each has some solution for that. If some distribution's native solution is to use docker, I'm fine using it for that package format (given the trust issue is solved).

> Secondly, I have Fedora F29 running Xen 4.11.0-7 and can run both Linii and
> Windows 10 satisfactorily on it, and I would like to work on merging Xen
> 4.11 into Qubes so I can get a working Qubes on my Z270 based machines.

There is a WIP branch here: https://github.com/marmarek/qubes-vmm-xen/tree/xen-4.11-devel It doesn't work as a drop-in replacement for xen-4.8, because some patches are dropped with the intention to use upstream mechanisms instead (in some cases, it is our work committed upstream, but slightly modified in the process). From the top of my head, this is mostly about block scripts support being dropped (libvirt rejected the existence of such a mechanism) - it needs to be moved to storage pool drivers. Right now it is blocked on finalizing Linux-stubdomain in upstream Xen (to be included in 4.12 or 4.13) - then, depending on the timeline, include _the same_ patches in our repo (or simply switch to 4.12).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?