distrobuilder icon indicating copy to clipboard operation
distrobuilder copied to clipboard

Published 20 hours ago verified publisher icon lxc

Void Linux downloader is out of date to the point of being unsupported

Open the-maldridge opened this issue 3 years ago • 1 comments

Hello. I was recently fiddling with LXC/LXD on Void Linux and figured I'd take a brief look into the void template for LXC. To say it is impressively un-void like is a bit of an understatement.

I can fix the template to download from one of Void's actual mirrors instead of a 3rd party and remove all the config stuff that seems to have just been arbitrarily selected, but the downloader still lacks features for Void in general, such as validating signify signatures. We discontinued use of GPG over 3 years ago, so ideally signatures would be validated for newer images, even when https is in use since distrobuilder doesn't appear to have a way to validate that the https connection is as expected.

Preferably I'd rather just start from nothing and run the package manager to generate the rootfs image as part of the build, but this doesn't seem possible from my current understanding of distrobuilder. Is my best bet at having an up to date, upstream supportable image to just dump out the filesystems that are present in our OCI containers and import those to LXC?

Also worth pointing out that as written the void template is non-deterministic. Dunno if the lxc project cares about such things or not, but I figured it was worth pointing out.

the-maldridge avatar Feb 18 '22 06:02 the-maldridge

Hello. I was recently fiddling with LXC/LXD on Void Linux and figured I'd take a brief look into the void template for LXC. To say it is impressively un-void like is a bit of an understatement.

Fixes are always welcome.

I can fix the template to download from one of Void's actual mirrors instead of a 3rd party and remove all the config stuff that seems to have just been arbitrarily selected,

Which config stuff is arbitrary? We tend to add fixes when running into issues with the container.

but the downloader still lacks features for Void in general, such as validating signify signatures. We discontinued use of GPG over 3 years ago, so ideally signatures would be validated for newer images, even when https is in use since distrobuilder doesn't appear to have a way to validate that the https connection is as expected.

That could be added in the future.

Preferably I'd rather just start from nothing and run the package manager to generate the rootfs image as part of the build, but this doesn't seem possible from my current understanding of distrobuilder.

It is possible, and we do that for a bunch of distros already.

Is my best bet at having an up to date, upstream supportable image to just dump out the filesystems that are present in our OCI containers and import those to LXC?

We always update the packages in void, so our images should be up to date. What makes you think they aren't?

monstermunchkin avatar Feb 18 '22 07:02 monstermunchkin

Closing this due to inactivity.

monstermunchkin avatar Nov 30 '22 20:11 monstermunchkin