From 8a0a5a7e4af68e07e9047c71e2c3bc1b85dfdcc1 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Wed, 10 Jan 2024 18:13:05 +0100
Subject: [PATCH 1/2] Switch from sources.list to ubuntu.sources

Template is based on the specification with some rewording for Ubuntu Pro as agreed.

v2:
- Enabled backports by default (I did not see that!)
- Enabled restricted, multiverse security updates
- Replaced tweaked with adjusted

v3:
- Insert an explanatory sources.list

LP: #2048129
---
 live-build/functions | 132 ++++++++++++++++++++++++++-----------------
 1 file changed, 81 insertions(+), 51 deletions(-)

diff --git a/live-build/functions b/live-build/functions
index 85e58aa3..18124302 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -101,15 +101,27 @@ use_lp_archives_in_sourceslist(){
 
     # recover_sourceslist
     mountpoint="${1}"
-    MOUNTPOINT_BACKUP_SOURCES_LIST="sources.list.tmp"
     . config/bootstrap # For the LB_MIRROR_* variables
-    cp -a "${mountpoint}/etc/apt/sources.list" "${MOUNTPOINT_BACKUP_SOURCES_LIST}"
-    sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
-        "${mountpoint}/etc/apt/sources.list"
-    sed -i "s#http://security.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
-        "${mountpoint}/etc/apt/sources.list"
-
-    sha256sum "${mountpoint}/etc/apt/sources.list" > sources.list.sha
+    if [ -e "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" ]; then
+        MOUNTPOINT_BACKUP_UBUNTU_SOURCES="ubuntu.sources.tmp"
+        cp -a "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES}"
+        sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
+            "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources"
+        sed -i "s#http://security.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
+            "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources"
+
+        sha256sum "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" > ubuntu.sources.sha
+    fi
+    if [ -e "${mountpoint}/etc/apt/sources.list" ]; then
+        MOUNTPOINT_BACKUP_SOURCES_LIST="sources.list.tmp"
+        cp -a "${mountpoint}/etc/apt/sources.list" "${MOUNTPOINT_BACKUP_SOURCES_LIST}"
+        sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
+            "${mountpoint}/etc/apt/sources.list"
+        sed -i "s#http://security.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
+            "${mountpoint}/etc/apt/sources.list"
+
+        sha256sum "${mountpoint}/etc/apt/sources.list" > sources.list.sha
+    fi
 }
 
 recover_sourceslist(){
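Review bot: The two new branches of use_lp_archives_in_sourceslist differ only in the file path, the backup variable name and the checksum file name, so the mirror-rewrite logic is now written twice and any later change to the sed expressions has to be made in both places. Both copies also interpolate `${LB_PARENT_MIRROR_CHROOT}` unescaped into the `s#…#…#g` expression, so a mirror value containing `#` or `&` would corrupt the rewritten file; that is inherited from the old code rather than new, but duplicating it makes it harder to fix once. A small helper taking the file and the two output names removes the repetition and gives one place to add escaping later. The function's header comment starts above the hunk.
```shell
# Redirect the archive/security URIs in one apt source file to
# $LB_PARENT_MIRROR_CHROOT, keeping a backup copy and a checksum that
# recover_sourceslist uses to verify the file was not modified meanwhile.
# $1: file inside the mountpoint, $2: backup copy, $3: checksum file
redirect_apt_source_to_lp(){
    cp -a "$1" "$2"
    sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" "$1"
    sed -i "s#http://security.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" "$1"
    sha256sum "$1" > "$3"
}

use_lp_archives_in_sourceslist(){
    # … unchanged: header comment …
    mountpoint="${1}"
    . config/bootstrap # For the LB_MIRROR_* variables
    if [ -e "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" ]; then
        MOUNTPOINT_BACKUP_UBUNTU_SOURCES="ubuntu.sources.tmp"
        redirect_apt_source_to_lp "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" \
            "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES}" ubuntu.sources.sha
    fi
    if [ -e "${mountpoint}/etc/apt/sources.list" ]; then
        MOUNTPOINT_BACKUP_SOURCES_LIST="sources.list.tmp"
        redirect_apt_source_to_lp "${mountpoint}/etc/apt/sources.list" \
            "${MOUNTPOINT_BACKUP_SOURCES_LIST}" sources.list.sha
    fi
}
```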
@@ -121,10 +133,18 @@ recover_sourceslist(){
 
     # sources.list.sha
     mountpoint="${1}"
-    sha256sum --check sources.list.sha
+    if [ -e "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES:-/doesnotexist}" ]; then
+        sha256sum --check ubuntu.sources.sha
+
+        mv "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES}" "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources"
+        unset MOUNTPOINT_BACKUP_UBUNTU_SOURCES
+    fi
+    if [ -e "${MOUNTPOINT_BACKUP_SOURCES_LIST:-/doesnotexist}" ]; then
+        sha256sum --check sources.list.sha
 
-    mv "${MOUNTPOINT_BACKUP_SOURCES_LIST}" "${mountpoint}/etc/apt/sources.list"
-    unset MOUNTPOINT_BACKUP_SOURCES_LIST
+        mv "${MOUNTPOINT_BACKUP_SOURCES_LIST}" "${mountpoint}/etc/apt/sources.list"
+        unset MOUNTPOINT_BACKUP_SOURCES_LIST
+    fi
 }
 
 setup_mountpoint() {
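Review bot: `[ -e "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES:-/doesnotexist}" ]` leans on a sentinel path to survive the variable being unset; `[ -n "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES:-}" ] && [ -e "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES}" ]` expresses the same guard without a magic path, and the sources.list branch can use the same form. Whether a failing `sha256sum --check` (the check that nothing else touched the file during the build) aborts the build depends on shell options set outside this hunk; if it is meant to be fatal, `sha256sum --check ubuntu.sources.sha || return 1` makes that explicit instead of relying on `set -e`. The checksum files are left behind after the check; a `rm -f ubuntu.sources.sha` after it would keep the build directory clean. The header comment of recover_sourceslist begins above the hunk.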
@@ -872,48 +892,58 @@ configure_universe() {
 
     # debian-installer's apt-setup:
     cat > chroot/etc/apt/sources.list << EOF
+# Ubuntu sources have moved to the /etc/apt/sources.list.d/ubuntu.sources
+# file, which uses the deb822 format. Use deb822-formatted .sources files
+# to manage package sources in the /etc/apt/sources.list.d/ directory.
+# See the sources.list(5) manual page for details.
+EOF
+
+    cat > chroot/etc/apt/sources.list.d/ubuntu.sources << EOF
 # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
 # newer versions of the distribution.
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION main restricted
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION main restricted
-
-## Major bug fix updates produced after the final release of the
-## distribution.
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates main restricted
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates main restricted
-
-## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
-## team. Also, please note that software in universe WILL NOT receive any
-## review or updates from the Ubuntu security team.
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION universe
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION universe
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates universe
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates universe
-
-## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
-## team, and may not be under a free licence. Please satisfy yourself as to
-## your rights to use the software. Also, please note that software in
-## multiverse WILL NOT receive any review or updates from the Ubuntu
-## security team.
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION multiverse
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION multiverse
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates multiverse
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates multiverse
-
-## N.B. software from this repository may not have been tested as
-## extensively as that contained in the main release, although it includes
-## newer versions of some applications which may provide useful features.
-## Also, please note that software in backports WILL NOT receive any review
-## or updates from the Ubuntu security team.
-deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-backports main restricted universe multiverse
-# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-backports main restricted universe multiverse
-
-deb $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security main restricted
-# deb-src $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security main restricted
-deb $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security universe
-# deb-src $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security universe
-deb $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security multiverse
-# deb-src $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security multiverse
+
+## Ubuntu distribution repository
+##
+## The following settings can be adjusted to configure which packages to use from Ubuntu.
+## Mirror your choices (except for URIs and Suites) in the security section below to
+## ensure timely security updates.
+##
+## Types: Append deb-src to enable the fetching of source package.
+## URIs: A URL to the repository (you may add multiple URLs)
+## Suites: The following additional suites can be configured
+## -updates - Major bug fix updates produced after the final release of the
+## distribution.
+## -backports - software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+## Components: Aside from main, the following components can be added to the list
+## restricted - Software that may not be under a free license, or protected by patents.
+## universe - Community maintained packages.
+## Software from this repository is only maintained and supported by Canonical
+## for machines with Ubuntu Pro subscriptions. Without Ubuntu Pro, the Ubuntu
+## community provides best-effort security maintenance.
+## multiverse - Community maintained of restricted. Software from this repository is
+## ENTIRELY UNSUPPORTED by the Ubuntu team, and may not be under a free
+## licence. Please satisfy yourself as to your rights to use the software.
+## Also, please note that software in multiverse WILL NOT receive any
+## review or updates from the Ubuntu security team.
+##
+## See the sources.list(5) manual page for further settings.
+Types: deb
+URIs: $LB_PARENT_MIRROR_BINARY
+Suites: $LB_DISTRIBUTION $LB_DISTRIBUTION-updates $LB_DISTRIBUTION-backports
+Components: main universe restricted multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
+## Ubuntu security updates. Aside from URIs and Suites,
+## this should mirror your choices in the previous section.
+Types: deb
+URIs: $LB_PARENT_MIRROR_BINARY_SECURITY
+Suites: $LB_DISTRIBUTION-security
+Components: main universe restricted multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
 EOF
 fi
 

From 04d1f1af2541d28395ab92535c13eb15f9819009 Mon Sep 17 00:00:00 2001
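Review bot: The new ubuntu.sources stanzas pin `Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg`, but nothing in the hunk confirms that keyring exists in the chroot; with an explicit Signed-By apt presumably no longer falls back to the keys in trusted.gpg.d, so a chroot without ubuntu-keyring would lose the whole source rather than just a key (not verified here). A guard before the heredoc, `[ -e chroot/usr/share/keyrings/ubuntu-archive-keyring.gpg ] || echo "W: ubuntu-archive-keyring.gpg missing in chroot" >&2`, would make that failure mode visible at build time. The `Suites:` line also enables `-backports` and the security stanza now carries `universe restricted multiverse` by default, which the commit message explains but the code does not; a comment above `cat > chroot/etc/apt/sources.list.d/ubuntu.sources << EOF` such as `# deb822 equivalent of the old sources.list; backports and all four components are enabled on both stanzas by design (LP: #2048129)` would keep that intent with the code. The enclosing configure_universe function begins above the hunk.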
From: Julian Andres Klode
Date: Mon, 15 Jan 2024 13:40:32 +0100
Subject: [PATCH 2/2] Setup preinstalled pool in preinstalled-pool.sources

Also Use Signed-By: /etc/apt/keyrings/preinstalled-pool.gpg and make sure we only update from that .sources file as we did before.

This code may all be dead, who can say.

FIXME: We should figure out how to do an armored export of that key and then embed it in the signed-by field instead of using a keyring file.
---
 live-build/auto/build | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/live-build/auto/build b/live-build/auto/build
index 0c07a772..a3a187dc 100755
--- a/live-build/auto/build
+++ b/live-build/auto/build
@@ -366,7 +366,7 @@ EOF
             mkdir -p chroot/var/lib/preinstalled-pool/dists/$LB_DISTRIBUTION/$component/binary-$LB_ARCHITECTURES
         done
         apt-ftparchive generate config/indices/apt.conf
-        cat << @@EOF > chroot/etc/apt/sources.list.preinstall
+        cat << @@EOF > chroot/etc/apt/sources.list.d/preinstalled-pool.sources
 # This is a sources.list entry for a small pool of packages
 # provided on your preinstalled filesystem for your convenience.
 #
@@ -374,12 +374,13 @@ EOF
 # it references, should you want to save disk space and fetch the
 # packages remotely instead.
 #
-deb file:/var/lib/preinstalled-pool/ $LB_DISTRIBUTION $LB_PARENT_ARCHIVE_AREAS
-#
+Types: deb
+URIs: file:/var/lib/preinstalled-pool/
+Suites: $LB_DISTRIBUTION
+Components: $LB_PARENT_ARCHIVE_AREAS
+Signed-By: /etc/apt/keyrings/preinstalled-pool.gpg
 @@EOF
-        cp chroot/etc/apt/sources.list chroot/etc/apt/sources.list.orig
-        cp chroot/etc/apt/sources.list.preinstall chroot/etc/apt/sources.list
         echo "Waiting on gnupg ("$GPG_PROCESS") to finish generating a key."
         wait $GPG_PROCESS
 
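Review bot: The heredoc comment still reads `# This is a sources.list entry for a small pool of packages` although the generated file is now a deb822 stanza under sources.list.d; `# This is a deb822 .sources entry for a small pool of packages` keeps the comment shipped in the image accurate. Scoping the pool to `Signed-By: /etc/apt/keyrings/preinstalled-pool.gpg` instead of a key in trusted.gpg.d is the right direction, since the build-time key then cannot vouch for any other source. Because the file now stays in sources.list.d, the removed `cp … sources.list.orig` swap is no longer needed, but any code outside this hunk that still refers to sources.list.preinstall (none visible here) would need the same rename. The first hunk (`@@ -366`) only changes the output path and needs no further comment.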
@@ -403,13 +404,10 @@ deb file:/var/lib/preinstalled-pool/ $LB_DISTRIBUTION $LB_PARENT_ARCHIVE_AREAS
             chroot/var/lib/preinstalled-pool/dists/$R_CODENAME/Release
         mv config/gnupg/Release.asc \
             chroot/var/lib/preinstalled-pool/dists/$R_CODENAME/Release.gpg
-        cp config/gnupg/pubring.gpg chroot/etc/apt/trusted.gpg.d/livecd-rootfs.gpg
+        cp config/gnupg/pubring.gpg chroot/etc/apt/keyrings/preinstalled-pool.gpg
         find chroot/var/lib/preinstalled-pool/ -name Packages | xargs rm
-
-        Chroot chroot "apt-get update"
-        cat chroot/etc/apt/sources.list.preinstall chroot/etc/apt/sources.list.orig \
-            > chroot/etc/apt/sources.list
-        rm chroot/etc/apt/sources.list.preinstall chroot/etc/apt/sources.list.orig
+        # We only want to have a cache for the pre-installed pool at this point
+        Chroot chroot "apt-get update -o Dir::Etc::SourceParts=/dev/null -oDir::Etc::SourceList=etc/apt/sources.list.d/preinstalled-pool.sources"
     fi
 
 case $PROJECT:$SUBPROJECT in
     *)
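Review bot: `-oDir::Etc::SourceList=etc/apt/sources.list.d/preinstalled-pool.sources` is a relative value, and apt resolves a relative Dir::Etc::SourceList against Dir::Etc (`etc/apt/`), which would give `/etc/apt/etc/apt/sources.list.d/preinstalled-pool.sources`; combined with SourceParts=/dev/null that `apt-get update` would then see no sources at all and the pool would never be cached — worth confirming with `apt-config dump` inside the chroot, and if so the absolute form `-o Dir::Etc::SourceList=/etc/apt/sources.list.d/preinstalled-pool.sources` fixes it. The `cp config/gnupg/pubring.gpg chroot/etc/apt/keyrings/preinstalled-pool.gpg` above it assumes chroot/etc/apt/keyrings already exists and copies the keyring with its source mode; a gpg-created keyring is typically 0600, which apt reports as unreadable by the _apt user and ignores, so the Signed-By source would fail verification. `install -D -m 0644 config/gnupg/pubring.gpg chroot/etc/apt/keyrings/preinstalled-pool.gpg` creates the directory and sets a readable mode in one step. The enclosing if block starts above the hunk.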