
Add support for pinning package versions

Open poettering opened this issue 4 years ago • 4 comments

I think it would make sense to optionally support "pinning" package versions, i.e. write the used RPM/DEB package versions to some file while doing an initial build, and if that file exists, use exactly these versions to build the package. The file could then be committed to git, ensuring that images are somewhat stable in their package selection.

This should bring us a step closer towards reasonably reproducible builds.

I figure this means, at least for the Fedora case, to call directly into the python dnf module to retrieve these package lists.

poettering avatar Apr 16 '21 14:04 poettering

Also see #748

poettering avatar Jul 02 '21 14:07 poettering

FWIW, just putting specific package versions in the manifest already works, to some extent. You can specify a full package nevra in Packages=, and dnf will honour that. I also use this to install locally built packages: when a path with slashes is given, dnf will install that package from disk.

We could retrieve the package lists, even post-factum by introspecting the rpm database or parsing the logs.

But the hard part is retrieving the specific versions of packages from somewhere. Packages in the distro stop being available from the mirrors after a new version appears. It is possible to retrieve them with a bit of an effort (e.g. in Fedora's case, directly from koji). So pinning of a specific version would work if there is a local cache, or for a while as long as the distro doesn't update, but then it would break.

keszybz avatar Jul 03 '21 07:07 keszybz
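The two mechanics the comment above relies on, full NEVRA strings as accepted by `Packages=` and the package set read back from an image's rpm database, can be combined into a small pin-and-check step. The following is an added example (not mkosi's own code, not the commenter's): it parses NEVRA strings, records them as a pin file, and reports drift between the pins and what a rebuild actually installed. The package names and versions in the sample data are constructed, and it assumes the config accepts one `Packages=` line per package.

```python
import re
from typing import Dict, List, Tuple

# NEVRA as printed by `rpm -qa --qf '%{NEVRA}\n'`: name-[epoch:]version-release.arch
# Package names may contain dashes, so the pattern anchors on the last two dashes
# and the last dot rather than splitting on the first dash.
_NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-:]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)

def parse_nevra(nevra: str) -> Dict[str, str]:
    """Split a NEVRA string into its fields; a missing epoch is normalised to "0"."""
    m = _NEVRA_RE.match(nevra.strip())
    if not m:
        raise ValueError(f"not a NEVRA: {nevra!r}")
    fields = m.groupdict()
    fields["epoch"] = fields["epoch"] or "0"
    return fields

def _by_key(nevras: List[str]) -> Dict[Tuple[str, str], Dict[str, str]]:
    # Key on (name, arch) so multilib pairs (same name, different arch) do not collide.
    return {(p["name"], p["arch"]): p for p in map(parse_nevra, nevras)}

def _label(key: Tuple[str, str]) -> str:
    return f"{key[0]}.{key[1]}"

def check_pins(pinned: List[str], installed: List[str]) -> Dict[str, List[str]]:
    """Compare a pin file against the package set actually present in an image.
    Returns name.arch lists: pinned packages whose epoch/version/release changed
    ("drifted"), pinned packages not installed ("missing"), and installed packages
    that have no pin at all ("unpinned")."""
    pin, cur = _by_key(pinned), _by_key(installed)
    return {
        "drifted": sorted(_label(k) for k in pin if k in cur and cur[k] != pin[k]),
        "missing": sorted(_label(k) for k in pin if k not in cur),
        "unpinned": sorted(_label(k) for k in cur if k not in pin),
    }

def packages_lines(pinned: List[str]) -> List[str]:
    """Render the pin file as repeated Packages= lines (assumed: one NEVRA per line)."""
    return [f"Packages={n}" for n in sorted(pinned)]

# Constructed sample data: the pin file written by the first build, and `rpm -qa`
# output from a rebuild after the distro's repositories moved on.
PINNED = ["bash-5.1.8-2.fc35.x86_64", "dnf-data-4.9.0-1.fc35.noarch",
          "shadow-utils-2:4.9-3.fc35.x86_64", "glibc-2.34-7.fc35.x86_64"]
INSTALLED = ["bash-5.1.8-3.fc35.x86_64", "dnf-data-4.9.0-1.fc35.noarch",
             "shadow-utils-2:4.9-3.fc35.x86_64", "zlib-1.2.11-30.fc35.x86_64"]

if __name__ == "__main__":
    for kind, pkgs in check_pins(PINNED, INSTALLED).items():
        print(f"{kind}: {', '.join(pkgs) or '-'}")
```

A non-empty "drifted" or "unpinned" list is the signal that the rebuild no longer matches the committed pins, which is exactly the case the comment describes once mirrors have dropped the old versions.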

Does RH/Fedora have a package archive? For both Arch Linux and Debian all released packages are uploaded and stored on the archive. In the case of Arch, recreating any ISO from the past couple of years should be possible by just fetching them and passing them as arguments to pacstrap.

https://archive.archlinux.org/

How this is implemented in the current Arch Linux repro tooling: https://github.com/archlinux/archlinux-repro/blob/master/repro.in#L490

Foxboron avatar Aug 10 '22 10:08 Foxboron

No Fedora expert, but https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/ looks similar to the Debian archives. No idea though, whether this can be directly hooked into dnf (or yum for the more ancient releases there).

behrmann avatar Aug 10 '22 12:08 behrmann

I'm not sure if this should be implemented by mkosi tbh. Users can either use --cacheonly to never hit the mirrors again after the initial download, which effectively pins the package versions. The other option is to set up your own mirror with the versions of the package that you want and then configure mkosi to use that mirror. That seems like it would scale much better than pinning individual package versions.

Closing this for now but we can reopen if needed.

DaanDeMeyer avatar Jun 27 '23 08:06 DaanDeMeyer