[neon/backports-jammy/debuerreotype/Neon/unstable] /: 0.10-1 (patches unapplied)
git-ubuntu importer
null at kde.org
Fri Aug 11 03:02:00 BST 2023
Git commit 9aed29ae724b352432318c826a8791f9a206f479 by git-ubuntu importer, on behalf of Tianon Gravi.
Committed on 15/08/2019 at 00:28.
Pushed by carlosdem into branch 'Neon/unstable'.
0.10-1 (patches unapplied)
Imported using git-ubuntu import.
M +12 -11 .travis.yml
M +1 -1 Dockerfile
M +3 -3 README.md
M +1 -1 VERSION
M +42 -20 build.sh
M +8 -0 debian/changelog
M +1 -1 debian/compat
M +2 -2 debian/control
M +1 -1 debian/copyright
M +3 -1 debian/tests/stretch
A +28 -0 scripts/.fix-apt-comments.sh
A +35 -0 scripts/.gpgv-ignore-expiration.sh
M +12 -7 scripts/.tar-exclude
M +3 -0 scripts/debuerreotype-apt-get
A +118 -0 scripts/debuerreotype-debian-sources-list
D +0 -77 scripts/debuerreotype-gen-sources-list
A +53 -0 scripts/debuerreotype-gpgv-ignore-expiration-config
M +1 -4 scripts/debuerreotype-init
M +84 -83 scripts/debuerreotype-minimizing-config
M +12 -0 scripts/debuerreotype-tar
https://invent.kde.org/neon/backports-jammy/debuerreotype/-/commit/9aed29ae724b352432318c826a8791f9a206f479
diff --git a/.travis.yml b/.travis.yml
index 9988c94..c8e7102 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,19 +2,20 @@ language: bash
services: docker
env:
- - SUITE=stable CODENAME=jessie TIMESTAMP=2017-01-01T00:00:00Z SHA256=c3f1697c699487382d5d15e4462c0e84b3069d3fc29ca100914c20258aa8ecc3
- - SUITE=jessie CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=c3f1697c699487382d5d15e4462c0e84b3069d3fc29ca100914c20258aa8ecc3
- - SUITE=testing CODENAME=stretch TIMESTAMP=2017-01-01T00:00:00Z SHA256=e9679f1070950a6bdd9b56206e43dc32a9a89bb1e850cdc0e213b69e72f137b5
- - SUITE=stretch CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=e9679f1070950a6bdd9b56206e43dc32a9a89bb1e850cdc0e213b69e72f137b5
- - SUITE=unstable CODENAME=sid TIMESTAMP=2017-01-01T00:00:00Z SHA256=e78b061b4cbcafc5fc6011b83eaa996851207f80b178ec7ae763f6dcda5e775f
- - SUITE=sid CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=e78b061b4cbcafc5fc6011b83eaa996851207f80b178ec7ae763f6dcda5e775f
- - SUITE=oldstable CODENAME=wheezy TIMESTAMP=2017-01-01T00:00:00Z SHA256=59387392aa63da1f77ea28be581a4b2d8e7e9720121d1d563a3f0cb4356f9856
- - SUITE=wheezy CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=59387392aa63da1f77ea28be581a4b2d8e7e9720121d1d563a3f0cb4356f9856
+ - SUITE=stable CODENAME=jessie TIMESTAMP=2017-01-01T00:00:00Z SHA256=55ba54fdca819df18d813be36503b0a02abf1570c3bf5999b10891ccca5448e2
+ - SUITE=jessie CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=55ba54fdca819df18d813be36503b0a02abf1570c3bf5999b10891ccca5448e2
+ - SUITE=testing CODENAME=stretch TIMESTAMP=2017-01-01T00:00:00Z SHA256=1608c820c1d9c9d8adf210f80b1d751e5c26179aa27a1c1ddb8e41ae0222d8c4
+ - SUITE=stretch CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=1608c820c1d9c9d8adf210f80b1d751e5c26179aa27a1c1ddb8e41ae0222d8c4
+ - SUITE=unstable CODENAME=sid TIMESTAMP=2017-01-01T00:00:00Z SHA256=49a5152822ec9f0e1a61ff1d02671681f12fc1aba083f39e972f6ff897b69c80
+ - SUITE=sid CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=49a5152822ec9f0e1a61ff1d02671681f12fc1aba083f39e972f6ff897b69c80
+ - SUITE=oldstable CODENAME=wheezy TIMESTAMP=2017-01-01T00:00:00Z SHA256=f1bd72548e3c25ce222fb9e2bb57a5b6d4b01042180894fb05d83a0251e6dab1
+ - SUITE=wheezy CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=f1bd72548e3c25ce222fb9e2bb57a5b6d4b01042180894fb05d83a0251e6dab1
# EOL suites testing
- - SUITE=eol CODENAME=etch TIMESTAMP=2017-01-01T00:00:00Z SHA256=11257bba9c16e146184e9715a3ec89db4f701bb71d1a4f416e29a68fb20928ff
- - SUITE=eol CODENAME=woody ARCH=i386 TIMESTAMP=2017-01-01T00:00:00Z SHA256=79645a893e1e39a5421a15ba54e20724704b407d9fbb5bbef146a8b03863d1cf
+ - SUITE=eol CODENAME=etch TIMESTAMP=2017-01-01T00:00:00Z SHA256=b48e999ab4fda1720b0dc863d38cdd4d6b55530f34f262a28949eb6173102da9
+ - SUITE=eol CODENAME=lenny TIMESTAMP=2017-01-01T00:00:00Z SHA256=1a2fffd34daa4a6bb968aebe86480a4093035a23700ec5f2e883423b9b4dcfa7
+ - SUITE=eol CODENAME=woody ARCH=i386 TIMESTAMP=2017-01-01T00:00:00Z SHA256=ef4bc81e31db51fa9f095811ddbcc8a005f05f098596317d5a138fa90157bf40
# qemu-debootstrap testing
- - ARCH=arm64 SUITE=jessie CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=a54b0b74f32d2c03f4036e7c305672471553ac18682ba109d9481da31069dc94
+ - ARCH=arm64 SUITE=jessie CODENAME= TIMESTAMP=2017-01-01T00:00:00Z SHA256=893efc1b9db1ba2df4f171d4422194a408f9810d3b55d9b0cd66fcc7722f7567
# a few entries for "today" to try and catch issues like https://github.com/debuerreotype/debuerreotype/issues/41 sooner
- SUITE=unstable CODENAME= TIMESTAMP="today 00:00:00" SHA256=
- SUITE=stable CODENAME= TIMESTAMP="today 00:00:00" SHA256=
diff --git a/Dockerfile b/Dockerfile
index 1e71c17..8c42313 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@
# bootstrapping a new architecture?
# ./scripts/debuerreotype-init /tmp/docker-rootfs stretch now
# ./scripts/debuerreotype-minimizing-config /tmp/docker-rootfs
-# ./scripts/debuerreotype-gen-sources-list /tmp/docker-rootfs stretch http://deb.debian.org/debian http://security.debian.org/debian-security
+# ./scripts/debuerreotype-debian-sources-list /tmp/docker-rootfs stretch
# ./scripts/debuerreotype-tar /tmp/docker-rootfs - | docker import - debian:stretch-slim
# alternate:
# debootstrap --variant=minbase stretch /tmp/docker-rootfs
diff --git a/README.md b/README.md
index e8059e1..46ab8d2 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ Available scripts:
| `debuerreotype-apt-get` | run `apt-get` via `debuerreotype-chroot`, including `-o Acquire::Check-Valid-Until=false` to account for older snapshots with (now) invalid `Valid-Until` values |
| `debuerreotype-minimizing-config` | apply configuration tweaks to make the rootfs minimal and keep it minimal (especially targeted at Docker images, with comments explicitly describing Docker use cases) |
| `debuerreotype-slimify` | remove files such as documentation to create an even smaller rootfs (used for creating `slim` variants of the Docker images, for example) |
-| `debuerreotype-gen-sources-list` | generate an appropriate `sources.list` in the rootfs given a suite, mirror, and secmirror (especially for updating `sources.list` to point at deb.debian.org before generating outputs) |
+| `debuerreotype-debian-sources-list` | generate an appropriate Debian `sources.list` in the rootfs given a suite (especially for updating `sources.list` to point at deb.debian.org before generating outputs) |
| `debuerreotype-fixup` | invoked by `debuerreotype-tar` to fixup timestamps and remove known-bad log files for determinism |
| `debuerreotype-tar` | deterministically create a tar file of the rootfs |
| `debuerreotype-version` | print out the version of the current `debuerreotype` installation |
@@ -86,10 +86,10 @@ Setting up inetutils-ping (2:1.9.4-2+b1) ...
Setting up iproute2 (4.9.0-1) ...
Processing triggers for libc-bin (2.24-8) ...
-$ debuerreotype-gen-sources-list rootfs stretch http://deb.debian.org/debian http://security.debian.org/debian-security
+$ debuerreotype-debian-sources-list rootfs stretch
$ debuerreotype-tar rootfs - | sha256sum
-4465b2ba26c06c39f5bfe702e1b22964b3a13386e86abab71bfefab409b64000 -
+a076d4cd04f68ee117e598a40cc947ad051fc8b063340da015fdceddeb1b0e75 -
$ # try it! you should get that same sha256sum value!
```
diff --git a/VERSION b/VERSION
index b63ba69..68c123c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.9
+0.10
diff --git a/build.sh b/build.sh
index c3c0096..425475a 100755
--- a/build.sh
+++ b/build.sh
@@ -166,17 +166,28 @@ docker run \
debuerreotype-init "${initArgs[@]}" rootfs "$suite" "@$epoch"
+ if [ -n "$eol" ]; then
+ debuerreotype-gpgv-ignore-expiration-config rootfs
+ fi
+
debuerreotype-minimizing-config rootfs
debuerreotype-apt-get rootfs update -qq
debuerreotype-apt-get rootfs dist-upgrade -yqq
aptVersion="$("$debuerreotypeScriptsDir/.apt-version.sh" rootfs)"
- case "$aptVersion" in
+ if dpkg --compare-versions "$aptVersion" ">=" "0.7.14~"; then
+ # https://salsa.debian.org/apt-team/apt/commit/06d79436542ccf3e9664306da05ba4c34fba4882
+ noInstallRecommends="--no-install-recommends"
+ else
# --debian-eol etch and lower do not support --no-install-recommends
- 0.6.*|0.5.*) noInstallRecommends="-o APT::Install-Recommends=0" ;;
+ noInstallRecommends="-o APT::Install-Recommends=0"
+ fi
- *) noInstallRecommends="--no-install-recommends" ;;
- esac
+ if [ -n "$eol" ] && dpkg --compare-versions "$aptVersion" ">=" "0.7.26~"; then
+ # https://salsa.debian.org/apt-team/apt/commit/1ddb859611d2e0f3d9ea12085001810f689e8c99
+ echo "Acquire::Check-Valid-Until \"false\";" > rootfs/etc/apt/apt.conf.d/check-valid-until.conf
+ # TODO make this a real script so it can have a nice comment explaining why we do it for EOL releases?
+ fi
# make a couple copies of rootfs so we can create other variants
for variant in slim sbuild; do
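Review bot: The `check-valid-until.conf` file created at the end of this hunk is written into `rootfs` with a bare `echo >`, with no explicit mode and only a TODO where the explanation should be. Since the variants are copied from `rootfs` right afterwards, it appears to ship in every EOL image rather than being a build-time-only setting. I would set the mode the way the sibling scripts do for their `apt.conf.d` files, `chmod 0644 rootfs/etc/apt/apt.conf.d/check-valid-until.conf`, and replace the TODO with a comment such as `# EOL Release files carry long-expired Valid-Until dates; this skips only that date check, signatures are still verified`. Together with the gpgv expiration wrapper installed at the top of the hunk, this leaves EOL images with no freshness check on repository metadata, which should be stated where users of those images will read it. The enclosing `docker run` script starts and ends outside the hunk.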
@@ -186,7 +197,7 @@ docker run \
# prefer iproute2 if it exists
iproute=iproute2
- if ! debuerreotype-chroot rootfs apt-get install -qq -s iproute2 &> /dev/null; then
+ if ! debuerreotype-apt-get rootfs install -qq -s iproute2 &> /dev/null; then
# poor wheezy
iproute=iproute
fi
@@ -214,27 +225,16 @@ docker run \
cp "$rootfs/etc/apt/sources.list" "$targetBase.sources-list-snapshot"
touch_epoch "$targetBase.sources-list-snapshot"
- local mirror secmirror
- if [ -z "$eol" ]; then
- mirror="http://deb.debian.org/debian"
- secmirror="http://security.debian.org/debian-security"
- else
- mirror="http://archive.debian.org/debian"
- secmirror="http://archive.debian.org/debian-security"
- fi
- checkmirror="$(< "$exportDir/$serial/$dpkgArch/snapshot-url")"
- checksecmirror="$(< "$exportDir/$serial/$dpkgArch/snapshot-url-security")"
-
local tarArgs=()
if [ -n "$qemu" ]; then
tarArgs+=( --exclude="./usr/bin/qemu-*-static" )
fi
if [ "$variant" != "sbuild" ]; then
- debuerreotype-gen-sources-list "$rootfs" "$suite" "$mirror" "$secmirror" "$checkmirror" "$checksecmirror"
+ debuerreotype-debian-sources-list $([ -z "$eol" ] || echo "--eol") "$rootfs" "$suite"
else
# sbuild needs "deb-src" entries
- debuerreotype-gen-sources-list --deb-src "$rootfs" "$suite" "$mirror" "$secmirror" "$checkmirror" "$checksecmirror"
+ debuerreotype-debian-sources-list --deb-src $([ -z "$eol" ] || echo "--eol") "$rootfs" "$suite"
# APT has odd issues with "Acquire::GzipIndexes=false" + "file://..." sources sometimes
# (which are used in sbuild for "--extra-package")
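Review bot: The `--eol` flag is passed through an unquoted command substitution, `$([ -z "$eol" ] || echo "--eol")`, which only works because word splitting drops the empty result, and it forks a subshell for what is a plain parameter test. `${eol:+--eol}` says the same thing directly, e.g. `debuerreotype-debian-sources-list ${eol:+--eol} "$rootfs" "$suite"`. The same construct is repeated in the `--snapshot` call in the last build.sh hunk and in `scripts/debuerreotype-init` (there with `$debianEol`). The enclosing function starts and ends outside the hunk.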
@@ -249,6 +249,28 @@ docker run \
tarArgs+=( --include-dev )
fi
+ case "$suite" in
+ sarge)
+ # for some reason, sarge creates "/var/cache/man/index.db" with some obvious embedded unix timestamps (but if we exclude it, "man" still works properly, so *shrug*)
+ tarArgs+=( --exclude ./var/cache/man/index.db )
+ ;;
+
+ woody)
+ # woody not only contains "exim", but launches it during our build process and tries to email "root at debuerreotype" (which fails and creates non-reproducibility)
+ tarArgs+=( --exclude ./var/spool/exim --exclude ./var/log/exim )
+ ;;
+
+ potato)
+ tarArgs+=(
+ # for some reason, pototo leaves a core dump (TODO figure out why??)
+ --exclude "./core"
+ --exclude "./qemu*.core"
+ # also, it leaves some junk in /tmp (/tmp/fdmount.conf.tmp.XXX)
+ --exclude "./tmp/fdmount.conf.tmp.*"
+ )
+ ;;
+ esac
+
debuerreotype-tar "${tarArgs[@]}" "$rootfs" "$targetBase.tar.xz"
du -hsx "$targetBase.tar.xz"
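Review bot: The woody case excludes the directories `./var/spool/exim` and `./var/log/exim` themselves, not just their contents, so the woody tarball would lack directories that the installed exim package presumably owns. The comment only explains why the contents are non-reproducible. If only the contents are the problem, `--exclude "./var/spool/exim/*" --exclude "./var/log/exim/*"` keeps the directories, assuming `debuerreotype-tar` hands the patterns to tar unchanged (not visible in this hunk). The potato comment also misspells the suite as `pototo`. The enclosing function continues outside the hunk.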
@@ -256,7 +278,7 @@ docker run \
touch_epoch "$targetBase.tar.xz.sha256"
debuerreotype-chroot "$rootfs" bash -c "
- if ! dpkg-query -W &> /dev/null; then
+ if ! dpkg-query -W 2> /dev/null; then
# --debian-eol woody has no dpkg-query
dpkg -l
fi
@@ -306,7 +328,7 @@ docker run \
targetBase="$variantDir/rootfs"
# point sources.list back at snapshot.debian.org temporarily (but this time pointing at $codename instead of $suite)
- debuerreotype-gen-sources-list "$rootfs" "$codename" "$(< "$exportDir/$serial/$dpkgArch/snapshot-url")" "$(< "$exportDir/$serial/$dpkgArch/snapshot-url-security")"
+ debuerreotype-debian-sources-list --snapshot $([ -z "$eol" ] || echo "--eol") "$rootfs" "$codename"
create_artifacts "$targetBase" "$rootfs" "$codename" "$variant"
done
diff --git a/debian/changelog b/debian/changelog
index e3ea69b..93cf812 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+debuerreotype (0.10-1) unstable; urgency=medium
+
+ * Update to 0.10 upstream release (very focused on building EOL suites)
+ - https://github.com/debuerreotype/debuerreotype/releases/tag/0.10
+ * Update to compat level 11, Standards-Version 4.3.0, https copyright Format
+
+ -- Tianon Gravi <tianon at debian.org> Wed, 14 Aug 2019 08:06:50 -0700
+
debuerreotype (0.9-1) unstable; urgency=medium
* Update to 0.9 upstream release; notable PRs:
diff --git a/debian/compat b/debian/compat
index ec63514..b4de394 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-9
+11
diff --git a/debian/control b/debian/control
index 288c9f1..39b3c12 100644
--- a/debian/control
+++ b/debian/control
@@ -2,8 +2,8 @@ Source: debuerreotype
Maintainer: Tianon Gravi <tianon at debian.org>
Section: admin
Priority: optional
-Standards-Version: 4.1.4
-Build-Depends: debhelper (>= 10~)
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 11~)
Homepage: https://github.com/debuerreotype/debuerreotype
Vcs-Browser: https://github.com/debuerreotype/debian-debuerreotype
Vcs-Git: https://github.com/debuerreotype/debian-debuerreotype.git
diff --git a/debian/copyright b/debian/copyright
index 5e77206..2d3f8c4 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: debuerreotype
Upstream-Contact: Tianon Gravi <tianon at debian.org>
Source: https://github.com/debuerreotype/debuerreotype
diff --git a/debian/tests/stretch b/debian/tests/stretch
index 14593e0..3dc41ab 100755
--- a/debian/tests/stretch
+++ b/debian/tests/stretch
@@ -18,7 +18,9 @@ debuerreotype-init "$rootfs" "$suite" "$timestamp"
debuerreotype-chroot "$rootfs" true
-debuerreotype-gen-sources-list "$rootfs" "$suite" http://deb.debian.org/debian http://security.debian.org/debian-security
+debuerreotype-debian-sources-list "$rootfs" "$suite"
+# remove effect of https://github.com/debuerreotype/debuerreotype/pull/56 (to avoid regenerating expected tarballs to compensate)
+sed -i -e '/^#/d' "$rootfs/etc/apt/sources.list"
debuerreotype-tar "$rootfs" "$tempDir/actual.tar"
sha256="$(sha256sum "$tempDir/actual.tar" | cut -d' ' -f1)"
diff --git a/scripts/.fix-apt-comments.sh b/scripts/.fix-apt-comments.sh
new file mode 100755
index 0000000..1e8b545
--- /dev/null
+++ b/scripts/.fix-apt-comments.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+thisDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+source "$thisDir/.constants.sh" \
+ '<apt-version> <file> [file ...]' \
+ '0.7.22 rootfs/etc/apt/apt.conf.d/example'
+
+eval "$dgetopt"
+while true; do
+ flag="$1"; shift
+ dgetopt-case "$flag"
+ case "$flag" in
+ --) break ;;
+ *) eusage "unknown flag '$flag'" ;;
+ esac
+done
+
+aptVersion="${1:-}"; shift || eusage 'missing apt-version'
+[ "$#" -gt 0 ] || eusage 'missing file(s)'
+
+# support for "apt.conf" comments of the style "# xxx" was added in 0.7.22
+# (https://salsa.debian.org/apt-team/apt/commit/81e9789b12374073e848c73c79e235f82c14df44)
+if dpkg --compare-versions "$aptVersion" '>=' '0.7.22~'; then
+ exit
+fi
+
+sed -ri -e 's!^#!//!' "$@"
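Review bot: The final `sed -ri -e 's!^#!//!'` rewrites every line that starts with `#`, which also covers the `#include` and `#clear` directives that apt.conf(5) documents, so a file using them would silently lose the directive on old APT. The comment above it names only the `# xxx` comment style, and the pattern can be limited to that: `sed -ri -e 's!^#( |$)!//\1!' "$@"`. I would also add a one-line comment that callers must keep `#` comments at column 0 (as the `<<-EOF` heredoc in `debuerreotype-gpgv-ignore-expiration-config` does), since indented comments are not rewritten.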
diff --git a/scripts/.gpgv-ignore-expiration.sh b/scripts/.gpgv-ignore-expiration.sh
new file mode 100755
index 0000000..31690bf
--- /dev/null
+++ b/scripts/.gpgv-ignore-expiration.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -Eeu
+
+# For the sake of EOL releases (whose archive keys have often expired), we need a fake "gpgv" substitute that will essentially ignore *just* key expiration.
+# (So we get *some* signature validation instead of using something like "--allow-unauthenticated" or "--force-yes" which disable security entirely instead.)
+
+# Intended usage (APT >= 1.1):
+# apt-get -o Apt::Key::gpgvcommand=/.../.debuerreotype-gpgv-ignore-expiration ...
+# or (APT < 1.1):
+# apt-get -o Dir::Bin::gpg=/.../.debuerreotype-gpgv-ignore-expiration ...
+# (https://salsa.debian.org/apt-team/apt/commit/12841e8320aa499554ac50b102b222900bb1b879)
+
+# Functionally, this script will scrape "--status-fd" (which is the only way a user of "gpgv" can care about / process expired key metadata) and MITM "gpgv" to replace EXPKEYSIG with GOODSIG instead.
+
+_status_fd() {
+ while [ "$#" -gt 0 ]; do
+ case "$1" in
+ --status-fd)
+ echo "$2"
+ return 0
+ ;;
+ esac
+ shift
+ done
+ return 1
+}
+
+if fd="$(_status_fd "$@")" && [ -n "$fd" ]; then
+ # older bash (3.2, lenny) doesn't support variable file descriptors (hence "eval")
+ # (bash: syntax error near unexpected token `$fd')
+ eval 'exec gpgv "$@" '"$fd"'> >(sed "s/EXPKEYSIG/GOODSIG/" >&'"$fd"')'
+fi
+
+# no "--status-fd"? no worries! ("gpgv" without "--status-fd" doesn't seem to care about expired keys, so we don't have to either)
+exec gpgv "$@"
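Review bot: The value taken from `--status-fd` is spliced into an `eval` string without checking that it is a number, and the `sed` substitution replaces `EXPKEYSIG` anywhere on any status line rather than only the status keyword. APT is the expected caller, but this wrapper sits in the signature-verification path, so both should be as narrow as possible. Before the `eval`, reject anything non-numeric with `case "$fd" in *[!0-9]*) echo >&2 "error: invalid --status-fd '$fd'"; exit 1 ;; esac`, and anchor the rewrite as `sed "s/^\[GNUPG:\] EXPKEYSIG /[GNUPG:] GOODSIG /"`. The header comment could also state that a `--status-fd=N` spelling is not recognised and falls through to plain `gpgv`.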
diff --git a/scripts/.tar-exclude b/scripts/.tar-exclude
index 083b38b..ff84919 100644
--- a/scripts/.tar-exclude
+++ b/scripts/.tar-exclude
@@ -6,8 +6,18 @@
./proc/**
./sys/**
-./var/cache/apt/**
-./var/lib/apt/lists/**
+# targeted exclusions to get rid of everything except "/var/cache/apt/archives/partial" and "/var/lib/apt/lists/partial"
+# (https://salsa.debian.org/apt-team/apt/commit/1cd1c398d18b78f4aa9d882a5de5385f4538e0be)
+./var/cache/apt/*.bin
+./var/cache/apt/archives/*.deb
+./var/cache/apt/archives/lock
+./var/lib/apt/lists/*Packages*
+./var/lib/apt/lists/*Release*
+./var/lib/apt/lists/lock
+# https://salsa.debian.org/apt-team/apt/commit/5555ef9850b7e66aa02d39bb7d624fdf3e43edb2 (APT 0.9.14 removed support for /var/state/apt)
+./var/state/apt/lists/*Packages*
+./var/state/apt/lists/*Release*
+./var/state/apt/lists/lock
# ends up with host-kernel info
./etc/apt/apt.conf.d/01autoremove-kernels
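Review bot: Replacing the two `**` excludes with name patterns turns the rule from "drop everything" into "drop what is listed", so any APT list or cache file not matching `*Packages*`, `*Release*`, `*.bin`, `*.deb` or `lock` now ends up in the tarball. With `deb-src` entries (the sbuild variant), an `apt-get update` would presumably leave `*Sources*` indexes in `/var/lib/apt/lists`, and files under `archives/partial/` are not covered either. If that is intended it deserves a line in the comment; otherwise add `./var/lib/apt/lists/*Sources*` and `./var/cache/apt/archives/partial/*` next to the existing patterns, with the `/var/state/apt` equivalents.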
@@ -30,8 +40,3 @@
# (according to "man 1 journalctl", this is automatically recreated by "journalctl --update-catalog")
# Tails also removes this file to achieve reproducibility (https://labs.riseup.net/code/projects/tails/repository/revisions/b1e05c8aac12fc79293f6a220b40a538d4f38c51/diff/config/chroot_local-hooks/99-zzzzzz_reproducible-builds-post-processing)
./var/lib/systemd/catalog/database
-
-# for some reason, pototo leaves a core dump (TODO figure out why??)
-./core
-# also, it leaves some junk in /tmp (/tmp/fdmount.conf.tmp.XXX)
-./tmp/fdmount.conf.tmp.*
diff --git a/scripts/debuerreotype-apt-get b/scripts/debuerreotype-apt-get
index fe90526..a460a1a 100755
--- a/scripts/debuerreotype-apt-get
+++ b/scripts/debuerreotype-apt-get
@@ -19,4 +19,7 @@ done
targetDir="${1:-}"; shift || eusage 'missing target-dir'
[ -n "$targetDir" ]
+epoch="$(< "$targetDir/debuerreotype-epoch")"
+export SOURCE_DATE_EPOCH="$epoch"
+
"$thisDir/debuerreotype-chroot" "$targetDir" apt-get -o Acquire::Check-Valid-Until=false "$@"
diff --git a/scripts/debuerreotype-debian-sources-list b/scripts/debuerreotype-debian-sources-list
new file mode 100755
index 0000000..2dd77e6
--- /dev/null
+++ b/scripts/debuerreotype-debian-sources-list
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+thisDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+source "$thisDir/.constants.sh" \
+ --flags 'eol,snapshot' \
+ --flags 'deb-src' \
+ -- \
+ '[--deb-src] [--eol] [--no-snapshot] <target-dir> <suite>' \
+ '--snapshot rootfs stretch
+--eol rootfs wheezy'
+
+eval "$dgetopt"
+eol=
+snapshot=
+debSrc=
+while true; do
+ flag="$1"; shift
+ dgetopt-case "$flag"
+ case "$flag" in
+ --eol) eol=1 ;;
+ --snapshot) snapshot=1 ;;
+ --deb-src) debSrc=1 ;;
+ --) break ;;
+ *) eusage "unknown flag '$flag'" ;;
+ esac
+done
+
+targetDir="${1:-}"; shift || eusage 'missing target-dir'
+suite="${1:-}"; shift || eusage 'missing suite'
+[ -n "$targetDir" ]
+
+epoch="$(< "$targetDir/debuerreotype-epoch")"
+
+standardMirror='http://deb.debian.org/debian'
+snapshotStandardMirrors=( "$("$thisDir/.snapshot-url.sh" "@$epoch")" )
+
+securityMirror='http://security.debian.org/debian-security'
+snapshotSecurityMirrors=( "$("$thisDir/.snapshot-url.sh" "@$epoch" 'debian-security')" )
+
+if [ -n "$eol" ]; then
+ archiveSnapshotMirror="$("$thisDir/.snapshot-url.sh" "@$epoch" 'debian-archive')"
+
+ standardMirror='http://archive.debian.org/debian'
+ snapshotStandardMirrors=( "$archiveSnapshotMirror/debian" "${snapshotStandardMirrors[@]}" )
+
+ securityMirror='http://archive.debian.org/debian-security'
+ snapshotSecurityMirrors=( "$archiveSnapshotMirror/debian-security" "${snapshotSecurityMirrors[@]}" )
+fi
+
+comp='main'
+arch="$("$thisDir/.dpkg-arch.sh" "$targetDir")"
+
+deb() {
+ local suite="$1"; shift
+ local comp="$1"; shift
+ local target="$1"; shift # "standard" or "security"
+
+ local nonSnapshotMirror= snapshotMirrors=()
+ case "$target" in
+ standard) nonSnapshotMirror="$standardMirror"; snapshotMirrors=( "${snapshotStandardMirrors[@]}" ) ;;
+ security) nonSnapshotMirror="$securityMirror"; snapshotMirrors=( "${snapshotSecurityMirrors[@]}" ) ;;
+ *) echo >&2 "error: unknown 'deb' line target: '$target'"; exit 1 ;;
+ esac
+
+ local found= mirror
+ for mirror in "${snapshotMirrors[@]}"; do
+ # http://snapshot.debian.org/archive/debian-archive/20160314T000000Z/debian/dists/squeeze-updates/main/binary-amd64/Packages.gz
+ if wget --quiet --spider -O /dev/null -o /dev/null "$mirror/dists/$suite/$comp/binary-$arch/Packages.gz"; then
+ found="$mirror"
+ break
+ fi
+ done
+ if [ -z "$found" ]; then
+ echo >&2 "warning: no apparent '$suite/$comp' for '$arch' on any of the following; skipping"
+ for mirror in "${snapshotMirrors[@]}"; do echo >&2 " - $mirror"; done
+ return
+ fi
+
+ if [ -n "$snapshot" ]; then
+ mirror="$found"
+ else
+ echo "# deb $found $suite $comp"
+ mirror="$nonSnapshotMirror"
+ fi
+ echo "deb $mirror $suite $comp"
+ if [ -n "$debSrc" ]; then
+ echo "deb-src $mirror $suite $comp"
+ fi
+}
+
+# https://github.com/tianon/go-aptsources/blob/e066ed9cd8cd9eef7198765bd00ec99679e6d0be/target.go#L16-L58
+{
+ case "$suite" in
+ sid|unstable|testing)
+ deb "$suite" "$comp" standard
+ ;;
+
+ *)
+ # https://salsa.debian.org/installer-team/apt-setup/tree/d7a642fb5fc76e4f0b684db53984bdb9123f8360/generators
+ deb "$suite" "$comp" standard # "50mirror"
+ deb "$suite/updates" "$comp" security # "91security"
+ deb "$suite-updates" "$comp" standard # "92updates"
+ # https://wiki.debian.org/SourcesList#Example_sources.list
+
+ if [ "$suite" = 'squeeze' ]; then
+ # https://wiki.debian.org/DebianSqueeze#FAQ
+ deb "$suite-lts" "$comp" standard
+ fi
+ ;;
+ esac
+} > "$targetDir/etc/apt/sources.list"
+chmod 0644 "$targetDir/etc/apt/sources.list"
+
+if [ ! -s "$targetDir/etc/apt/sources.list" ]; then
+ echo >&2 "error: sources.list ended up empty -- something is definitely wrong"
+ exit 1
+fi
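Review bot: The `wget --spider` probe in `deb()` treats every failure as "this mirror does not carry the suite", so a DNS or network error while probing the security mirror produces a `sources.list` without the security entry and only a warning on stderr. The emptiness check at the end does not catch this as long as one line was written. I would separate wget's exit status 8 (the server answered with an error response) from the other failures and abort on those, as in the excerpt below; this assumes a wget that reports distinct exit codes. The usage string also advertises `[--no-snapshot]` while the flags declared and parsed are `eol,snapshot` and `--snapshot`, and `$suite` is never checked for being non-empty the way `$targetDir` is.

```shell
	local found= mirror wgetStatus
	for mirror in "${snapshotMirrors[@]}"; do
		wgetStatus=0
		wget --quiet --spider -O /dev/null -o /dev/null "$mirror/dists/$suite/$comp/binary-$arch/Packages.gz" || wgetStatus="$?"
		case "$wgetStatus" in
			0) found="$mirror"; break ;;
			8) ;; # HTTP error response (e.g. 404): suite/comp is not on this mirror, try the next one
			*) echo >&2 "error: could not probe '$mirror' for '$suite/$comp' (wget exit $wgetStatus)"; exit 1 ;;
		esac
	done
	# … unchanged: "no apparent '$suite/$comp'" warning, then the deb / deb-src output …
```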
diff --git a/scripts/debuerreotype-gen-sources-list b/scripts/debuerreotype-gen-sources-list
deleted file mode 100755
index 1403a12..0000000
--- a/scripts/debuerreotype-gen-sources-list
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-thisDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
-source "$thisDir/.constants.sh" \
- --flags 'deb-src' \
- -- \
- '[--deb-src] <target-dir> <suite> <mirror> <secmirror> [checkmirror checksecmirror]' \
- 'rootfs stretch http://deb.debian.org/debian http://security.debian.org/debian-security
-rootfs stretch http://deb.debian.org/debian http://security.debian.org/debian-security http://snapshot.debian.org/archive/debian/20170508T000000Z http://snapshot.debian.org/archive/debian-security/20170508T000000Z'
-
-eval "$dgetopt"
-debSrc=
-while true; do
- flag="$1"; shift
- dgetopt-case "$flag"
- case "$flag" in
- --deb-src) debSrc=1 ;;
- --) break ;;
- *) eusage "unknown flag '$flag'" ;;
- esac
-done
-
-targetDir="${1:-}"; shift || eusage 'missing target-dir'
-suite="${1:-}"; shift || eusage 'missing suite'
-mirror="${1:-}"; shift || eusage 'missing mirror'
-secmirror="${1:-}"; shift || eusage 'missing secmirror'
-checkmirror="${1:-}"; shift || :
-checksecmirror="${1:-}"; shift || :
-[ -n "$targetDir" ]
-
-comp='main'
-arch="$("$thisDir/.dpkg-arch.sh" "$targetDir")"
-
-deb() {
- local mirror="$1"; shift
- local checkmirror="$1"; shift
- local suite="$1"; shift
- local comp="$1"; shift
-
- # http://snapshot.debian.org/archive/debian-archive/20160314T000000Z/debian/dists/squeeze-updates/main/binary-amd64/Packages.gz
- if ! wget --quiet --spider -O /dev/null -o /dev/null "${checkmirror:-$mirror}/dists/$suite/$comp/binary-$arch/Packages.gz"; then
- echo >&2 "warning: ${checkmirror:-$mirror} does not appear to support $suite/$comp on $arch; skipping"
- return
- fi
-
- #if [ -n "$checkmirror" ]; then
- # echo "# deb $checkmirror $suite $comp"
- #fi
- echo "deb $mirror $suite $comp"
- if [ -n "$debSrc" ]; then
- echo "deb-src $mirror $suite $comp"
- fi
-}
-
-# https://github.com/tianon/go-aptsources/blob/e066ed9cd8cd9eef7198765bd00ec99679e6d0be/target.go#L16-L58
-{
- case "$suite" in
- sid|unstable|testing)
- deb "$mirror" "$checkmirror" "$suite" "$comp"
- ;;
-
- *)
- # https://salsa.debian.org/installer-team/apt-setup/tree/d7a642fb5fc76e4f0b684db53984bdb9123f8360/generators
- deb "$mirror" "$checkmirror" "$suite" "$comp" # "50mirror"
- deb "$secmirror" "$checksecmirror" "$suite/updates" "$comp" # "91security"
- deb "$mirror" "$checkmirror" "$suite-updates" "$comp" # "92updates"
- # https://wiki.debian.org/SourcesList#Example_sources.list
- ;;
- esac
-} > "$targetDir/etc/apt/sources.list"
-chmod 0644 "$targetDir/etc/apt/sources.list"
-
-if [ ! -s "$targetDir/etc/apt/sources.list" ]; then
- echo >&2 "error: sources.list ended up empty -- something is definitely wrong"
- exit 1
-fi
diff --git a/scripts/debuerreotype-gpgv-ignore-expiration-config b/scripts/debuerreotype-gpgv-ignore-expiration-config
new file mode 100755
index 0000000..4de6171
--- /dev/null
+++ b/scripts/debuerreotype-gpgv-ignore-expiration-config
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+thisDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+source "$thisDir/.constants.sh" \
+ '<target-dir>' \
+ 'rootfs'
+
+eval "$dgetopt"
+while true; do
+ flag="$1"; shift
+ dgetopt-case "$flag"
+ case "$flag" in
+ --) break ;;
+ *) eusage "unknown flag '$flag'" ;;
+ esac
+done
+
+targetDir="${1:-}"; shift || eusage 'missing target-dir'
+[ -n "$targetDir" ]
+
+aptVersion="$("$thisDir/.apt-version.sh" "$targetDir")"
+# if we're on APT 0.6 or lower, this isn't relevant
+# (added in 0.7.21 / 0.7.20.2+lenny1; https://salsa.debian.org/apt-team/apt/commit/0b77f4775db7bc45964e0337b8978a170b3f0483)
+if dpkg --compare-versions "$aptVersion" '<<' '0.7.20~'; then
+ echo >&2 "note: skipping $self: APT version ($aptVersion) too old to be relevant"
+ exit
+fi
+
+sourceFile="$thisDir/.gpgv-ignore-expiration.sh"
+targetPath='/usr/local/bin/.debuerreotype-gpgv-ignore-expiration'
+targetFile="$targetDir$targetPath"
+cp -T "$sourceFile" "$targetFile"
+chmod 0755 "$targetFile"
+
+# APT 1.1+ changed to use "apt-key verify" instead of invoking "gpgv" directly
+# (https://salsa.debian.org/apt-team/apt/commit/12841e8320aa499554ac50b102b222900bb1b879)
+aptConfigKey='Apt::Key::gpgvcommand'
+case "$aptVersion" in
+ 0.* | 1.0*) aptConfigKey='Dir::Bin::gpg' ;;
+esac
+
+cat > "$targetDir/etc/apt/apt.conf.d/debuerreotype-gpgv-ignore-expiration" <<-EOF
+ # For the sake of EOL releases (whose archive keys have often expired), we need
+ # a fake "gpgv" substitute that will essentially ignore *just* key expiration.
+ # (So we get *some* signature validation instead of using something like
+ # "--allow-unauthenticated" or "--force-yes" which disable security entirely
+ # instead.)
+
+ $aptConfigKey "$targetPath";
+EOF
+chmod 0644 "$targetDir/etc/apt/apt.conf.d/debuerreotype-gpgv-ignore-expiration"
+"$thisDir/.fix-apt-comments.sh" "$aptVersion" "$targetDir/etc/apt/apt.conf.d/debuerreotype-gpgv-ignore-expiration"
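Review bot: The choice between `Dir::Bin::gpg` and `Apt::Key::gpgvcommand` is made with a shell glob on the version string (`0.* | 1.0*`), while the other version tests in this commit use `dpkg --compare-versions`. A version string with an epoch or an unexpected prefix would fall into the wrong branch, and the wrapper would then be configured under a key that this APT release does not read. `if dpkg --compare-versions "$aptVersion" '<<' '1.1~'; then aptConfigKey='Dir::Bin::gpg'; fi` matches the comment's "APT 1.1+" wording. The skip threshold `0.7.20~` also differs from the versions named in the comment above it (0.7.21 / 0.7.20.2+lenny1), which should be either aligned or explained.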
diff --git a/scripts/debuerreotype-init b/scripts/debuerreotype-init
index 0f1288b..dec401a 100755
--- a/scripts/debuerreotype-init
+++ b/scripts/debuerreotype-init
@@ -57,7 +57,6 @@ suite="${1:-}"; shift || eusage 'missing suite'
timestamp=
mirror=
-secmirror=
if [ -z "$nonDebian" ]; then
timestamp="${1:-}"; shift || eusage 'missing timestamp'
else
@@ -72,11 +71,9 @@ export SOURCE_DATE_EPOCH="$epoch"
if [ -z "$nonDebian" ]; then
if [ -z "$debianEol" ]; then
mirror="$("$thisDir/.snapshot-url.sh" "@$epoch")"
- secmirror="$("$thisDir/.snapshot-url.sh" "@$epoch" 'debian-security')"
else
mirrorbase="$("$thisDir/.snapshot-url.sh" "@$epoch" 'debian-archive')"
mirror="$mirrorbase/debian"
- secmirror="$mirrorbase/debian-security"
fi
fi
@@ -133,7 +130,7 @@ fi
echo "$epoch" > "$targetDir/debuerreotype-epoch"
if [ -z "$nonDebian" ]; then
- "$thisDir/debuerreotype-gen-sources-list" "$targetDir" "$suite" "$mirror" "$secmirror"
+ "$thisDir/debuerreotype-debian-sources-list" --snapshot $([ -z "$debianEol" ] || echo '--eol') "$targetDir" "$suite"
"$thisDir/debuerreotype-apt-get" "$targetDir" update -qq
fi
diff --git a/scripts/debuerreotype-minimizing-config b/scripts/debuerreotype-minimizing-config
index 58dac4e..2764e1c 100755
--- a/scripts/debuerreotype-minimizing-config
+++ b/scripts/debuerreotype-minimizing-config
@@ -56,95 +56,96 @@ if [ -d "$targetDir/etc/dpkg/dpkg.cfg.d" ]; then
chmod 0644 "$targetDir/etc/dpkg/dpkg.cfg.d/docker-apt-speedup"
fi
-case "$aptVersion" in
- # not supported on --debian-eol lenny and older
- 0.7.*|0.6.*|0.5.*) ;;
-
- *)
- # update "autoremove" configuration to be aggressive about removing suggests deps that weren't manually installed
- cat > "$targetDir/etc/apt/apt.conf.d/docker-autoremove-suggests" <<-'EOF'
- # Since Docker users are looking for the smallest possible final images, the
- # following emerges as a very common pattern:
-
- # RUN apt-get update \
- # && apt-get install -y <packages> \
- # && <do some compilation work> \
- # && apt-get purge -y --auto-remove <packages>
-
- # By default, APT will actually _keep_ packages installed via Recommends or
- # Depends if another package Suggests them, even and including if the package
- # that originally caused them to be installed is removed. Setting this to
- # "false" ensures that APT is appropriately aggressive about removing the
- # packages it added.
-
- # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant
- Apt::AutoRemove::SuggestsImportant "false";
- EOF
- chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-autoremove-suggests"
-
- # keep us lean by effectively running "apt-get clean" after every install
- aptGetClean='"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true";'
- cat > "$targetDir/etc/apt/apt.conf.d/docker-clean" <<-EOF
- # Since for most Docker users, package installs happen in "docker build" steps,
- # they essentially become individual layers due to the way Docker handles
- # layering, especially using CoW filesystems. What this means for us is that
- # the caches that APT keeps end up just wasting space in those layers, making
- # our layers unnecessarily large (especially since we'll normally never use
- # these caches again and will instead just "docker build" again and make a brand
- # new image).
-
- # Ideally, these would just be invoking "apt-get clean", but in our testing,
- # that ended up being cyclic and we got stuck on APT's lock, so we get this fun
- # creation that's essentially just "apt-get clean".
- DPkg::Post-Invoke { $aptGetClean };
- APT::Update::Post-Invoke { $aptGetClean };
-
- Dir::Cache::pkgcache "";
- Dir::Cache::srcpkgcache "";
-
- # Note that we do realize this isn't the ideal way to do this, and are always
- # open to better suggestions (https://github.com/debuerreotype/debuerreotype/issues).
- EOF
- chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-clean"
+if [ -d "$targetDir/etc/apt/apt.conf.d" ]; then
+ # TODO make some (all?) of these conditional based on the version of APT that added the feature
+ # (perhaps it's finally time for an "apt-version-cmp.sh" helper script to test whether APT is X or newer one version component at a time? "dpkg --compare-versions"!!!)
+
+ # update "autoremove" configuration to be aggressive about removing suggests deps that weren't manually installed
+ cat > "$targetDir/etc/apt/apt.conf.d/docker-autoremove-suggests" <<-'EOF'
+ # Since Docker users are looking for the smallest possible final images, the
+ # following emerges as a very common pattern:
+
+ # RUN apt-get update \
+ # && apt-get install -y <packages> \
+ # && <do some compilation work> \
+ # && apt-get purge -y --auto-remove <packages>
+
+ # By default, APT will actually _keep_ packages installed via Recommends or
+ # Depends if another package Suggests them, even and including if the package
+ # that originally caused them to be installed is removed. Setting this to
+ # "false" ensures that APT is appropriately aggressive about removing the
+ # packages it added.
+
+ # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant
+ Apt::AutoRemove::SuggestsImportant "false";
+ EOF
+ chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-autoremove-suggests"
+ "$thisDir/.fix-apt-comments.sh" "$aptVersion" "$targetDir/etc/apt/apt.conf.d/docker-autoremove-suggests"
+
+ # keep us lean by effectively running "apt-get clean" after every install
+ aptGetClean='"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true";'
+ cat > "$targetDir/etc/apt/apt.conf.d/docker-clean" <<-EOF
+ # Since for most Docker users, package installs happen in "docker build" steps,
+ # they essentially become individual layers due to the way Docker handles
+ # layering, especially using CoW filesystems. What this means for us is that
+ # the caches that APT keeps end up just wasting space in those layers, making
+ # our layers unnecessarily large (especially since we'll normally never use
+ # these caches again and will instead just "docker build" again and make a brand
+ # new image).
+
+ # Ideally, these would just be invoking "apt-get clean", but in our testing,
+ # that ended up being cyclic and we got stuck on APT's lock, so we get this fun
+ # creation that's essentially just "apt-get clean".
+ DPkg::Post-Invoke { $aptGetClean };
+ APT::Update::Post-Invoke { $aptGetClean };
+
+ Dir::Cache::pkgcache "";
+ Dir::Cache::srcpkgcache "";
+
+ # Note that we do realize this isn't the ideal way to do this, and are always
+ # open to better suggestions (https://github.com/debuerreotype/debuerreotype/issues).
+ EOF
+ chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-clean"
+ "$thisDir/.fix-apt-comments.sh" "$aptVersion" "$targetDir/etc/apt/apt.conf.d/docker-clean"
- cat > "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes" <<-'EOF'
- # Since Docker users using "RUN apt-get update && apt-get install -y ..." in
- # their Dockerfiles don't go delete the lists files afterwards, we want them to
- # be as small as possible on-disk, so we explicitly request that Apt keep them
- # compressed on-disk too instead of decompressing them.
+ cat > "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes" <<-'EOF'
+ # Since Docker users using "RUN apt-get update && apt-get install -y ..." in
+ # their Dockerfiles don't go delete the lists files afterwards, we want them to
+ # be as small as possible on-disk, so we explicitly request that Apt keep them
+ # compressed on-disk too instead of decompressing them.
- # For comparison, an "apt-get update" layer without this on a pristine
- # "debian:wheezy" base image was "29.88 MB", where with this it was only
- # "8.273 MB".
+ # For comparison, an "apt-get update" layer without this on a pristine
+ # "debian:wheezy" base image was "29.88 MB", where with this it was only
+ # "8.273 MB".
- Acquire::GzipIndexes "true";
+ Acquire::GzipIndexes "true";
+ EOF
+ # https://github.com/debuerreotype/debuerreotype/issues/41
+ isDebianJessie="$([ -f "$targetDir/etc/os-release" ] && source "$targetDir/etc/os-release" && [ "${ID:-}" = 'debian' ] && [ "${VERSION_ID:-}" = '8' ] && echo '1')" || :
+ if [ -n "$isDebianJessie" ] || [[ "$aptVersion" == 0.* ]] || "$thisDir/debuerreotype-chroot" "$targetDir" dpkg --compare-versions "$aptVersion" '<<' '1.0.9.2~'; then
+ cat >> "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes" <<-'EOF'
+
+ # https://salsa.debian.org/apt-team/apt/commit/b0f4b486e6850c5f98520ccf19da71d0ed748ae4; released in src:apt 1.0.9.2, 2014-10-02
+ # prior to src:apt 1.0.9.2, "Acquire::GzipIndexes" _only_ applied to gzip-compressed list files, so we need to prefer those on older releases
+ Acquire::CompressionTypes::Order:: "gz";
EOF
- # https://github.com/debuerreotype/debuerreotype/issues/41
- isDebianJessie="$([ -f "$targetDir/etc/os-release" ] && source "$targetDir/etc/os-release" && [ "${ID:-}" = 'debian' ] && [ "${VERSION_ID:-}" = '8' ] && echo '1')" || :
- if [ -n "$isDebianJessie" ] || [[ "$aptVersion" == 0.* ]] || "$thisDir/debuerreotype-chroot" "$targetDir" dpkg --compare-versions "$aptVersion" '<<' '1.0.9.2~'; then
+ if [ -n "$isDebianJessie" ]; then
cat >> "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes" <<-'EOF'
-
- # https://salsa.debian.org/apt-team/apt/commit/b0f4b486e6850c5f98520ccf19da71d0ed748ae4; released in src:apt 1.0.9.2, 2014-10-02
- # prior to src:apt 1.0.9.2, "Acquire::GzipIndexes" _only_ applied to gzip-compressed list files, so we need to prefer those on older releases
- Acquire::CompressionTypes::Order:: "gz";
+ # see also https://github.com/debuerreotype/debuerreotype/issues/41 (details of a bug that's apparently specific to Debian Jessie)
EOF
- if [ -n "$isDebianJessie" ]; then
- cat >> "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes" <<-'EOF'
- # see also https://github.com/debuerreotype/debuerreotype/issues/41 (details of a bug that's apparently specific to Debian Jessie)
- EOF
- fi
fi
- chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes"
-
- # remove apt-cache translations for faster "apt-get update"
- cat > "$targetDir/etc/apt/apt.conf.d/docker-no-languages" <<-'EOF'
- # In Docker, we don't often need the "Translations" files, so we're just wasting
- # time and space by downloading them, and this inhibits that. For users that do
- # need them, it's a simple matter to delete this file and "apt-get update". :)
+ fi
+ chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes"
+ "$thisDir/.fix-apt-comments.sh" "$aptVersion" "$targetDir/etc/apt/apt.conf.d/docker-gzip-indexes"
- Acquire::Languages "none";
- EOF
- chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-no-languages"
+ # remove apt-cache translations for faster "apt-get update"
+ cat > "$targetDir/etc/apt/apt.conf.d/docker-no-languages" <<-'EOF'
+ # In Docker, we don't often need the "Translations" files, so we're just wasting
+ # time and space by downloading them, and this inhibits that. For users that do
+ # need them, it's a simple matter to delete this file and "apt-get update". :)
- ;;
-esac
+ Acquire::Languages "none";
+ EOF
+ chmod 0644 "$targetDir/etc/apt/apt.conf.d/docker-no-languages"
+ "$thisDir/.fix-apt-comments.sh" "$aptVersion" "$targetDir/etc/apt/apt.conf.d/docker-no-languages"
+fi
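Review bot: The `isDebianJessie=` line sources `$targetDir/etc/os-release` into the build script's own shell, so any shell code in that file runs on the build host rather than inside the chroot. The line is carried over unchanged from the old side, but the same commit adds a configuration that ignores archive key expiration for EOL releases, so it seems worth treating the target tree as data here. Only two fields are needed and they can be matched without executing the file, for example `isDebianJessie="$(f="$targetDir/etc/os-release"; grep -qxE 'ID="?debian"?' "$f" 2>/dev/null && grep -qxE 'VERSION_ID="?8"?' "$f" && echo 1)" || :`. If sourcing is kept, a comment stating that the file is trusted because it comes from a signature-checked package would document the assumption.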
diff --git a/scripts/debuerreotype-tar b/scripts/debuerreotype-tar
index 8dba33c..80e8c99 100755
--- a/scripts/debuerreotype-tar
+++ b/scripts/debuerreotype-tar
@@ -31,6 +31,18 @@ targetTar="${1:-}"; shift || eusage 'missing target-tar'
epoch="$(< "$targetDir/debuerreotype-epoch")"
[ -n "$epoch" ]
+aptVersion="$("$thisDir/.apt-version.sh" "$targetDir")"
+if dpkg --compare-versions "$aptVersion" '>=' '0.8~'; then
+ # if APT is new enough to auto-recreate "partial" directories, let it
+ # (https://salsa.debian.org/apt-team/apt/commit/1cd1c398d18b78f4aa9d882a5de5385f4538e0be)
+ excludes+=(
+ './var/cache/apt/**'
+ './var/lib/apt/lists/**'
+ './var/state/apt/lists/**'
+ )
+ # (see also the targeted exclusions in ".tar-exclude" that these are overriding)
+fi
+
"$thisDir/debuerreotype-fixup" "$targetDir"
tarArgs=(
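Review bot: The `dpkg --compare-versions` test added here runs the build host's `dpkg`, while the equivalent test in `debuerreotype-minimizing-config` in this same commit goes through `"$thisDir/debuerreotype-chroot" "$targetDir"`. Because it is an `if` condition, a host without `dpkg` fails the test quietly and the three `excludes` entries are skipped, so the tarball contents would depend on the build host rather than on the target's APT version (what `.tar-exclude` still removes in that case is not visible here). Either run it in the target the same way, `if "$thisDir/debuerreotype-chroot" "$targetDir" dpkg --compare-versions "$aptVersion" '>=' '0.8~'; then`, or add a comment that host `dpkg` is a hard requirement of this script. The hunk ends inside the `tarArgs=(` array, which continues outside it.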