Hi all,

I'd like us to move from

/etc/apt/sources.list

to
/etc/apt/sources.list.d/debian.sources

in bookworm.

# deb822 intro

The deb822 format can be shorter and easier to read, to quote the
sources.list manual page:

As an example, the sources for your distribution could look like this in one-line-style format:

deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org bullseye-security main contrib non-free

or like this in deb822 style format:

Types: deb
URIs: http://deb.debian.org/debian
Suites: bullseye
Components: main contrib non-free

Types: deb
URIs: http://security.debian.org
Suites: bullseye-security
Components: main contrib non-free


Now if you mix unstable and testing, you could just have that it one
paragraph.

The big advantage of deb822 sources is that you can embed larger data:

Types: deb
URIs: https://deb.debian.org
Suites: stable
Components: main contrib non-free
Signed-By:
-----BEGIN PGP PUBLIC KEY BLOCK-----
.
mDMEYCQjIxYJKwYBBAHaRw8BAQdAD/P5Nvvnvk66SxBBHDbhRml9ORg1WV5CvzKY
CuMfoIS0BmFiY2RlZoiQBBMWCgA4FiEErCIG1VhKWMWo2yfAREZd5NfO31cFAmAk
IyMCGyMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQREZd5NfO31fbOwD6ArzS
dM0Dkd5h2Ujy1b6KcAaVW9FOa5UNfJ9FFBtjLQEBAJ7UyWD3dZzhvlaAwunsk7DG
3bHcln8DMpIJVXht78sL
=IE0r
-----END PGP PUBLIC KEY BLOCK-----

Oh yeah, a standalone sources file with embedded key - making third-party repository management substantially more convenient.

# issues

several software does not support deb822 currently. I plan to work on
adding deb822 support to python-apt in the upcoming months, I don't know
what else is affected.

There is some software "parsing" sources.list on its own, most of that
is better served by `apt-get indextargets` (and for downloading stuff
based on the urls, `apt-helper download-file`, such that it respects
proxies and supports all transports users may use in sources.list)

In terms of setting up system, I guess debootstrap and d-i's apt-setup
module need changes? I admit I do not have a total overview.

# timeline

I do not know the total outcome of this. My hope would be that
we can switch the default in Summer 2022 and see what breaks,
although I don't know who's going to install from testing
d-i :D

docker images probably can move earlier as they don't have
as much interactive users that use tools that might be broken
(e.g. software-properties). Possibly others, there's no need
to roll out in multiple places at the same time, as long as
we converge by freeze time.

I invite people to test this out already on their own systems,
I know several people do; and extrepo also builds deb822 sources
files, but several people I guess do not know about it yet. Please
test and report bugs.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Nov 3, 2021 at 11:45 PM Julian Andres Klode <jak@debian.org> wrote:

Hi all,

I'd like us to move from

/etc/apt/sources.list

to
/etc/apt/sources.list.d/debian.sources

While it's really a nice feature for the third-party repository, I
don't see the benefits to change the default one, especially the path.
I had to admit that I have countless scripts which run `sed /etc/apt/souces.list`, to change the default mirror, as well as in the Dockerfile.

in bookworm.

# deb822 intro

The deb822 format can be shorter and easier to read, to quote the sources.list manual page:

As an example, the sources for your distribution could look like this in one-line-style format:

deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org bullseye-security main contrib non-free

or like this in deb822 style format:

Types: deb
URIs: http://deb.debian.org/debian
Suites: bullseye
Components: main contrib non-free

Types: deb
URIs: http://security.debian.org
Suites: bullseye-security
Components: main contrib non-free

Now if you mix unstable and testing, you could just have that it one paragraph.

The big advantage of deb822 sources is that you can embed larger data:

Types: deb
URIs: https://deb.debian.org
Suites: stable
Components: main contrib non-free
Signed-By:
-----BEGIN PGP PUBLIC KEY BLOCK-----
.
mDMEYCQjIxYJKwYBBAHaRw8BAQdAD/P5Nvvnvk66SxBBHDbhRml9ORg1WV5CvzKY
CuMfoIS0BmFiY2RlZoiQBBMWCgA4FiEErCIG1VhKWMWo2yfAREZd5NfO31cFAmAk
IyMCGyMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQREZd5NfO31fbOwD6ArzS
dM0Dkd5h2Ujy1b6KcAaVW9FOa5UNfJ9FFBtjLQEBAJ7UyWD3dZzhvlaAwunsk7DG
3bHcln8DMpIJVXht78sL
=IE0r
-----END PGP PUBLIC KEY BLOCK-----

Oh yeah, a standalone sources file with embedded key - making third-party repository management substantially more convenient.

# issues

several software does not support deb822 currently. I plan to work on
adding deb822 support to python-apt in the upcoming months, I don't know
what else is affected.

There is some software "parsing" sources.list on its own, most of that
is better served by `apt-get indextargets` (and for downloading stuff
based on the urls, `apt-helper download-file`, such that it respects
proxies and supports all transports users may use in sources.list)

In terms of setting up system, I guess debootstrap and d-i's apt-setup
module need changes? I admit I do not have a total overview.

# timeline

I do not know the total outcome of this. My hope would be that
we can switch the default in Summer 2022 and see what breaks,
although I don't know who's going to install from testing
d-i :D

docker images probably can move earlier as they don't have
as much interactive users that use tools that might be broken
(e.g. software-properties). Possibly others, there's no need
to roll out in multiple places at the same time, as long as
we converge by freeze time.

I invite people to test this out already on their own systems,
I know several people do; and extrepo also builds deb822 sources
files, but several people I guess do not know about it yet. Please
test and report bugs.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--
Shengjing Zhu

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Julian,

this sounds like a nice and useful plan and feature(s), thank you!
just one question:

On Wed, Nov 03, 2021 at 04:45:15PM +0100, Julian Andres Klode wrote:

I'd like us to move from
/etc/apt/sources.list
to
/etc/apt/sources.list.d/debian.sources

[...]

#timeline

You didn't say so explicitly, but do you plan to support old style /etc/apt/sources.list until forever? ;) Or do you envision automatic
migration of that file? Or?


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

Only change is constant.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmGCt5IACgkQCRq4Vgaa qhxggw/9Ejs5A595NbHinCRXONYr7lw2L+E+iImIv1fpXvUrmjmik7mWPl+vHy57 RvUJRtR0/q/24ZNVUB+sgKJHO/q6bYNXYFfhuGbN4bpSNcmLhHv3pgQ2hXxT/nEt oy53SZoVew3yMshBC1ev0CSoRXbImUcn2E+AsEnU1yfCUYqioaTmsJMlv4KLMTl8 DocPppYMtEsc/jA1VDXdt+lGheCZxqkpPEctdIkcsjtac0xOKCORswwSFEKH8lVk IpFm8JB6LeXnV2/VhjW8+YWvSz5UfEFaDMnzP2p8rF6ZRk6vfq7GBL+gt4ZDg5Z4 wSTYOHGaWp5eLCiAHKUE8RVCdAC/LG/00MUxUQQgie7ZVt1YJzd+4MjY20uVSxSp tfuiUOVhh4U9NcqfYmUJ5eLLzqHPCGCRbovCrQmmzkdyo1xZI48n8Z+yIHs+OcbK OzsD3m7jlnK5txSQdbmKz9HAZ5u98ILnWw6rnzG4SeVOmNSE4mltEkR05LFvamia NmsJHuq6O09o+cRiYMnt/TZtycTQFMkNzXtvSpoFO5ORC+B1TQbw8ailHEnffnp0 ZzF1nQqwG3ybv7qjgFNQ4fnr+9TnRUXnpvZG91ysjZPIZaqzdor0YSN9CO0Ti+rh 5SaZdCRHBKIga5DZtc5Jhr

On Wed, Nov 03, 2021 at 04:23:52PM +0000, Holger Levsen wrote:

Hi Julian,

this sounds like a nice and useful plan and feature(s), thank you!
just one question:

On Wed, Nov 03, 2021 at 04:45:15PM +0100, Julian Andres Klode wrote:

I'd like us to move from
/etc/apt/sources.list
to
/etc/apt/sources.list.d/debian.sources

[...]

#timeline

You didn't say so explicitly, but do you plan to support old style /etc/apt/sources.list until forever? ;) Or do you envision automatic migration of that file? Or?

I don't know, to be honest, have not thought about it yet.

With APT's 5 year interface stability and major version bump,
The first time we could remove support for old releases would be
trixie/apt 3.0 in 2025 (that schedule just happens because I don't
want to release .10 versions, but keep the 2nd component single
digit :D)

I think an automatic migration might be to painful what with all the
juju and ansible and saltstack (I feel like it'd be nice to have
those tools migrate config to new formats).

Of course, once everyone and their dog has migrated, I might feel
different and complain about legacy sources.list and deprecate
them.

So presumably, we'd have both as supported in bookworm, sources.list
deprecated for trixie, and then removed in 2030 in apt 4.0, but that's
still 8 years to go.

(all dates are 1 year after the change lands in unstable, as the
changes land in odd numbers earlier in the cycle)

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmGCubMACgkQb6RY3R2w P3EysQ/9FhM91QQx/RyahCv5wuB5JYJjwADfurOyGMc9WRgN9YPXyLHftb8MtX0x RFD7OmZ+louoL/kc8rxh3Vjt8qup8hE7LeJ5SyZb0M53hTr0qanFzwmp7UnfgLBb /VzfbkMsdy7OFtg3X6gGKJNY0e3HvPQeI3tsRKpQQtPeUjg663XzpIyYxBogWYNR cpTpWNUeTLIF0DiNr5PoDqZ0Z2pc8jM3gGOfby6rD8uMPm81ShSX7F2bKQcwNlFF gBHBXu9XZxH8lUA/MCNC4yjRuT1WSj6UOQ1SRvmLEcLikmsTRgbjZ6DaFvsrWorw hkzKTHdGo3qIj7KbW1/7xDLd7QPOgolVsJE9XbSESkOJz0hGgqoO3YToDTlSzMEQ uN3RUsX9F1uQOXU/Ny5kvGxWN1bMX0NPHgOCpmJ3vopmBmuIwGuPJnNLK7oATUKr lGR/rxIYKXPkoFYC9GqXDneGDdaRDj1RvjzqU/FHa3UAtn+mcg/5spAvUmR2y7GQ /d8cx/+t8dVqHggd+Yfg5OqDmBDZlfcVWiPDvuGkxQOAiXuzAebDHmZgOJoklq50 8XD9fq3Cx69FUOqRVtQ2g4o1F5lfik9bq7adJfgk2AQ5QHUdcsaDIK388o31pg4Z aBbk++Dn4ybQ6KIbD4m3SoO1q9jH1TZhdtIWfFGB8t2jeYtm38Y=
=kcLJ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Ori

On Wed, Nov 03, 2021 at 05:32:53PM +0100, Julian Andres Klode wrote:

I don't know, to be honest, have not thought about it yet.

many thanks for your verbose reply! /me likes this timeline.

I think an automatic migration might be to painful what with all the
juju and ansible and saltstack (I feel like it'd be nice to have
those tools migrate config to new formats).

I guess it would be nice if those tools (and users not using those
tools) could run one standard tool doing the job :)


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

This too shall pass.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmGCv+UACgkQCRq4Vgaa qhzetA/+KWcd8wdhVAHyKJU0SBefhRLxRKssIGqPSFhJj6yXgWgIGHQJ7xyCcdai yWEiGE1MtTYwsH+yRMETEWqZCB9E3KX+h71o6hJWlmC9FY+aWKCLNMjYLmIr7MhK KC/dbo1eVDPHNuvbOiIKg7lsz+O53sx+ay+ruPcn6AZocBEE4EZ8xrGrpeHu+nNO pYl/9ThkAx7iB+cpBsg23jyoY6YlSuBHARfuXB+oqo1Bluzizu+A/5GT4MVFSlKH v/2Ngmz7osZF33zZetvw8giIPsc5xm/gjT71f/qMWLzPt4SQ7sh6LU10Gb7KmAAV K84CIkcmY1APtANBYa2alilrXfOW0MGgqz3SDQFtEn3mnRSzn/2gEsw9io0dNY1y FujmoUf6lhJZgsa2MjMSHYYJfMud0WXpkHPJ6hniqnT95AYk3PnVNGr3xa8seQ4O kD8L9rAdwZOuajowrbjMOLzI2NTo+edE+kUUTq9H3hupq0uHX3A/va7SPQi9BNI5 RSInp2F3xVmbNTtPT3FNzzqa7XVrjefqXFUD+nqmowNtpYWyS95nBRuSdJnRKqcF vvzHyyTqtxRvXzMxLbBbIz+6Y4IlBavaIJxfb4Uu/gF+Ky6/PJ/KSX3upcDz9skj zWTtudQs1by/yydN6UuFl67bsS

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --udao3xgsl41Z1uAmddlrJXcLvm6hAjqJV
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi Julian,

On 03-11-2021 16:45, Julian Andres Klode wrote:

There is some software "parsing" sources.list on its own, most of that
is better served by `apt-get indextargets` (and for downloading stuff
based on the urls, `apt-helper download-file`, such that it respects
proxies and supports all transports users may use in sources.list)

Like autopkgtest. When I was working on it to support Debian's migration testing, I looked at python-apt and because that didn't support it,
stopped thinking. With indextargets and download-file I guess we could
work on it again. When were those introduced? Ubuntu needs it on old
releases so before autopkgtest can change it, we'd need support for a while.

Paul


--udao3xgsl41Z1uAmddlrJXcLvm6hAjqJV--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmGC6KsFAwAAAAAACgkQnFyZ6wW9dQrg Igf/YCpQgSOhs2oZBj8F6Z8cbab1Co1dbJv12+Qy/YFYQWKUaDJxBMp4pLqiDBvDRdq8bruFNCVB nGuDhoi6yPh245AZp2PCbHM1w8euWjdC9h595ExzasuNKlJtPzUEOeyvD+DgaRyNrJDIoP4dM7iS NzB8KUJW5WXnTYAnE0RtlOh/Wyg9R+V8cemb+9NcWL+8i+X7crh3GXBY2jHWlMgEKKWrIlcWChFn Yo7SFEJVCxm/i3ZfRx/pLSksrYCMMPoMhnxaLYT/Gi4mng88GK3HGG86NPITdfPrP7ppyeex0Rs/ huUKt0QZ5iS+74Tier2kBnVjnO+y5bb1KncrnqHFqg==
=BpEp
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Nov 03, 2021 at 08:53:15PM +0100, Paul Gevers wrote:

Hi Julian,

On 03-11-2021 16:45, Julian Andres Klode wrote:

There is some software "parsing" sources.list on its own, most of that
is better served by `apt-get indextargets` (and for downloading stuff
based on the urls, `apt-helper download-file`, such that it respects proxies and supports all transports users may use in sources.list)

Like autopkgtest. When I was working on it to support Debian's migration testing, I looked at python-apt and because that didn't support it,
stopped thinking. With indextargets and download-file I guess we could
work on it again. When were those introduced? Ubuntu needs it on old
releases so before autopkgtest can change it, we'd need support for a while.

download-file gained hash checking support in 0.9.16, did not find when
it was introduced.

indextargets has been around since 1.1.

(I'm not subscribed, please Cc me, I don't check archives/nntp often)

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmGFSgYACgkQb6RY3R2w P3HsEw/+M9Wo9FIIv2Q6xB3GUL3xNbAHVUptD9G2/OrO6oTgjBgOM8TOv/aGlxCq 3oAuvL0wdD0xET29J1w/8esjyB56HhJOkvDFSBCptquqK5cEh+tL+Xf7GLqhQuJk U2vkJnPhlWOfojtg6yBCLGrm+XWgt1HCfgyDSizpaqfHooEA4W2QntiVDmhpVncX WWzU2+28NCS4RvXTJEc2gAKQHQnIwEjcNWWs1mGJqJtIbMwkCny/o23K5xLqtFh+ TwRWlkeuPDU+fmE7r9w+CU8d9540TJQXzY3VBHc/2Dd2BlhGbnBQpSDcdNUF8fNN RdA6VrFTO8ZISg6HlSU9RR4INP79leZq9Ym3Y4C36gJSaVs+/PyB6rr+XeKnrYtJ c+CC4HRszEFj3ryhpJ0FtyUwIqJQKYQ4ycE3revKuLKh4VjMCP+5pUVxXJSKoYx0 FbgoWCAXnWQMa2gNh+8Sc3gCGD6WkdRmPnEgB/4KL83qp5R1aKEO2aWLNerETC2y UfvAfNOCR768BGLfB+4//4z+L68eIaloB3AJEEya4LKcrxhh53pc0VEDz4EJpM2A 1CtFRgjVEefT2Re82yQRcNP6AlQ1m1GFG71eyKlNV2FHcft+23KF+aKVCnz03q1c GFn4PxVKDOq/Z+sMQrT/jeSc+gPKV0MBXecEANmOqnBsRvErGK8=
=/aA4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Ori

On 11/3/21 5:59 PM, Holger Levsen wrote:

On Wed, Nov 03, 2021 at 05:32:53PM +0100, Julian Andres Klode wrote:

I don't know, to be honest, have not thought about it yet.

many thanks for your verbose reply! /me likes this timeline.

I think an automatic migration might be to painful what with all the
juju and ansible and saltstack (I feel like it'd be nice to have
those tools migrate config to new formats).

I guess it would be nice if those tools (and users not using those
tools) could run one standard tool doing the job :)

This feels like a very nicely thought plans, which I 100% support. I
especially like the timeline for deprecating and removal, which gives
enough time for everyone to support the new format.

So I'm joining to say thank you to Julian.

Cheers,

Thomas Goirand (zigo)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Nov 03, 2021 at 08:53:15PM +0100, Paul Gevers wrote:

On 03-11-2021 16:45, Julian Andres Klode wrote:

There is some software "parsing" sources.list on its own, most of that
is better served by `apt-get indextargets` (and for downloading stuff
based on the urls, `apt-helper download-file`, such that it respects proxies and supports all transports users may use in sources.list)

Like autopkgtest. When I was working on it to support Debian's migration testing, I looked at python-apt and because that didn't support it,
stopped thinking. With indextargets and download-file I guess we could
work on it again. When were those introduced? Ubuntu needs it on old
releases so before autopkgtest can change it, we'd need support for a while.

`apt-get indextargets` is from 2015 and a part of the acquire-additional-
files feature used mainly by apt-file and appstream to have apt download
files it isn't using itself, so those tools don't have to implement it.

The job of indextargets is it mostly to give access to metadata (and
crucially filenames) for those previously configured and hopefully now downloaded files. apt-file e.g. asks for the Contents files in this way
to avoid exposing file naming logic and location to other tools.

So, for the filenames of all (downloaded) Packages files:
apt-get indextargets --format '$(FILENAME)' 'Identifier: Packages'
(the default output is deb822 stanzas you could grep with more powerful
tools than the simple inbuilt line-based filter)

Note that you either have to implement opening compressed files yourself
or use `/usr/lib/apt/apt-helper cat-file`.


That was historically the most common reason to fiddle with sources.list parsing, hence Julian referring to it, but this seems not what autpkgtest
is aiming for. On a casual look (well, grep) I see only:

* lib/adt_testbed.py apt-pocket codepath seems to want to construct new
sources.list entries based on existing ones. That should be possible
with some indextargets busywork in general, but I am not completely
sure what is going on here and the gymnastics should be similar to…

* setup-commands/setup-testbed tries to find the mirror (and release)
used for target distribution based on your current system. I am
a bit surprised that works actually…

Anyway, the later could perhaps be implement with:
apt-get indextargets --format '$(ORIGIN)|$(REPO_URI)' | sort -u | \
grep -i -e "^$(. /etc/os-release; echo "$ID")" | cut -d'|' -f 2

(That is one line only for posterity – as you see, I am trying to fix
the too general search by checking against Origin as defined by the
Release file of a repository, but that would need work still to
eliminate same-origin-but-different-repo cases)


Parsing of the sources files is not really indextargets job through, so
it might not always work for that task: It e.g. doesn't work if the data
files are not on disk which might or might not be okay for you (there is 'guess' mode, but that of course has no metadata extracted from the
Release files – the Origin I was using above).

The apt family doesn't really have a publicly exposed way of reasoning
about sources.list (or .sources) files and I am not quite sure it really
can as subtil differences between repositories make it hard to give them
all a common interface which makes sense. (I will probably be proven
wrong by Julian though.)


Like, for example, if stable is in the sources, make sure there
is also updates and security there and/or add them. What for Debian are
three distinct repositories might for others very well be components.

Assuming you even know which line refers to Debian: I was using Origin
above for this task as we can't really guess based on the URI. And even
then… that logic above finds the tor+mirror+file source I am using,
that won't work for autopkgtest, but I am special and this just
a default fallback, so I might be thinking way too much about it…


Anyway, if you have specific needs/questions feel free to ask on deity@
or #debian-apt. I am sure we will work something out even if in this
case it might very well be new code nobody really uses for years (as is
common in apt land – backward compat be damned 😉).

Best regards

David Kalnischkies

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE5sn+Q4uCja/tn0GrMRvlz3HQeIMFAmGFXHAACgkQMRvlz3HQ eIPgrg/+IpJQfIrnEyZ2o/K8MKW0rX+lPrs9J+7EfRgAhHYSbwDlCi5KXtS7LDsZ ewv2Qjea/nAQzVokFjxhCYHx7UohhsxJnFcWJMFVGGfjn2TrkclZX/IYePp5O6rL 3cUxQPQSF9fnU+5LSP8VQrxWwg/myqwJnjlpZwxJ8uhniRWBDWN3n8xkiKZzQWUi o06FzBQuRD2Zz5W6Yqby4ZHD1g+EIAN+vU0mKgMPgAii3YEZYnxjNs/pW47ua4KU IJa3+Ks6/zpAiLqpCu0HlghgEWxYB4fGcd0OtTVcTkMwYJhMqY0CvD9Dgp4z39av rWqkyhOD7IaWLdCIQ4WcSK+3My2qYE3svdCaCZlsGmRE52RK73kI3VRw5HWC6Byc ZP7G90L4Dluo8UOCv8AkP/XI5nAPK4bhvg9o6btiGzLGY8ouI09LHE/ea8HYli9p NKS0JyoMDUYEpdSTFGli+JrFn7uIcfPzCPlKwE5/jGmubzc7EO9iXYIAtaWF8yKW xoBczht+uoyzdgvzopMD+iHR5n+ryD1LcqDdeT7MbMsRFtkf+JdDhjzKv1p/aSDp DxK7X/ve2agvGnl3qsQfJpjMFsWv9li7nq2PmEiR/YjtLFnMEDm0zI5D6Q6sY/UG bKnNQ9lQHUHAsX54iKELUAqGiWsQ3CuFjnCgKbOBjIplVFYYU/A=
=PWcj
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Nov 03, 2021 at 05:32:53PM +0100, Julian Andres Klode wrote:

On Wed, Nov 03, 2021 at 04:23:52PM +0000, Holger Levsen wrote:

You didn't say so explicitly, but do you plan to support old style /etc/apt/sources.list until forever? ;) Or do you envision automatic migration of that file? Or?

I don't know, to be honest, have not thought about it yet.

With APT's 5 year interface stability and major version bump,
The first time we could remove support for old releases would be
trixie/apt 3.0 in 2025 (that schedule just happens because I don't
want to release .10 versions, but keep the 2nd component single
digit :D)

I think an automatic migration might be to painful what with all the
juju and ansible and saltstack (I feel like it'd be nice to have
those tools migrate config to new formats).

Of course, once everyone and their dog has migrated, I might feel
different and complain about legacy sources.list and deprecate
them.

I think it would be a mistake to ever drop support for the older format. Instructions for using it are scattered all over the place, and there'll
be an enormous long tail of things to update, not to mention things like
old forum posts that can never really be updated.

I agree we might feel different in ten years' time!

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 05, 2021 at 05:31:49PM +0100, David Kalnischkies wrote:

On Wed, Nov 03, 2021 at 08:53:15PM +0100, Paul Gevers wrote:

On 03-11-2021 16:45, Julian Andres Klode wrote:

There is some software "parsing" sources.list on its own, most of that
is better served by `apt-get indextargets` (and for downloading stuff based on the urls, `apt-helper download-file`, such that it respects proxies and supports all transports users may use in sources.list)

Like autopkgtest. When I was working on it to support Debian's migration testing, I looked at python-apt and because that didn't support it,
stopped thinking. With indextargets and download-file I guess we could
work on it again. When were those introduced? Ubuntu needs it on old releases so before autopkgtest can change it, we'd need support for a while.

`apt-get indextargets` is from 2015 and a part of the acquire-additional- files feature used mainly by apt-file and appstream to have apt download files it isn't using itself, so those tools don't have to implement it.

The job of indextargets is it mostly to give access to metadata (and crucially filenames) for those previously configured and hopefully now downloaded files. apt-file e.g. asks for the Contents files in this way
to avoid exposing file naming logic and location to other tools.

So, for the filenames of all (downloaded) Packages files:
apt-get indextargets --format '$(FILENAME)' 'Identifier: Packages'
(the default output is deb822 stanzas you could grep with more powerful
tools than the simple inbuilt line-based filter)

Note that you either have to implement opening compressed files yourself
or use `/usr/lib/apt/apt-helper cat-file`.

That was historically the most common reason to fiddle with sources.list parsing, hence Julian referring to it, but this seems not what autpkgtest
is aiming for. On a casual look (well, grep) I see only:

* lib/adt_testbed.py apt-pocket codepath seems to want to construct new
sources.list entries based on existing ones. That should be possible
with some indextargets busywork in general, but I am not completely
sure what is going on here and the gymnastics should be similar to…

* setup-commands/setup-testbed tries to find the mirror (and release)
used for target distribution based on your current system. I am
a bit surprised that works actually…

Anyway, the later could perhaps be implement with:
apt-get indextargets --format '$(ORIGIN)|$(REPO_URI)' | sort -u | \
grep -i -e "^$(. /etc/os-release; echo "$ID")" | cut -d'|' -f 2

(That is one line only for posterity – as you see, I am trying to fix
the too general search by checking against Origin as defined by the
Release file of a repository, but that would need work still to
eliminate same-origin-but-different-repo cases)

Parsing of the sources files is not really indextargets job through, so
it might not always work for that task: It e.g. doesn't work if the data files are not on disk which might or might not be okay for you (there is 'guess' mode, but that of course has no metadata extracted from the
Release files – the Origin I was using above).

The apt family doesn't really have a publicly exposed way of reasoning
about sources.list (or .sources) files and I am not quite sure it really
can as subtil differences between repositories make it hard to give them
all a common interface which makes sense. (I will probably be proven
wrong by Julian though.)

Like, for example, if stable is in the sources, make sure there
is also updates and security there and/or add them. What for Debian are
three distinct repositories might for others very well be components.

Assuming you even know which line refers to Debian: I was using Origin
above for this task as we can't really guess based on the URI. And even then… that logic above finds the tor+mirror+file source I am using,
that won't work for autopkgtest, but I am special and this just
a default fallback, so I might be thinking way too much about it…

We could render what we passed as a deb822 format in apt{,-get}
sources list (remind me to add subcommand support to the parser).

Possibly with some normalization in there. Presumably if you have
a paragraph "Suites: foo bar Components: x y" you end up with 2
paragraphs in the output, as IIRC we group our sources entries
by Release file.

I think that provides a reasonable top-level interface. You could
of course then also normalize this further such that all fields only
have one value, and give them all IDs and then you can apt source
remove <id> or stuff, idk.

Will have to see how I implement the deb822 parsing and editing
on the python-apt side.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmGFZaoACgkQb6RY3R2w P3ENfA/+K0E0CMghBDdtZHIspHctdvAHy7bCtDCjHe1/I8oyR323IR7Df3WuCoPs fJzwqSAkfxiKavy7mnpyPLYxJHuBpfZlQbTWKJGFxgimdseCmBRdVLOop7DNlBgM cjR98Q8LZVufXUKbMc9AoSVU1t3SoIy2wyVs56oUONQ5/LRWRE+C6C3nDsA0NfYL JKc+9KwGPXkNK9hb3HTyfrIB4Ccl11wvgyj7hKgAEo8inZlmios/l4pdAYOCxYTg 04nmhLvlo/Q4DR3ahw+MybccBJCDjxuMVapsRWdi2OKlO26jz7KiebUwtv5UJZ9b V345dBBCr6PPB9rtu2AaXm+i5o+D9MUEyZkd/ihr3SI4rHWo0XwBt1IncJyVNeox oU12DfNqSH66qo0CjEk04bNujHj0e3Qsh6DQMN89vavHJuGAQxCcglDgqi4iH0wN 6un/nxPjImBPL9+gNKrcX/KBy/UaHBU67UiSjHbh0O2PH2n2ya/cjB1T76TMZl4E 9BDOB7l1DwCmlVHElpLj2sjx59cIHf5eKzA+wjGBoGDm/0L7WhArhPYw+GoWnU83 WOUJYSk3ittbM6Sp+dkOThsNG8Rt6zGFPUtTGbRCVDuyw9dMXj/AarYQ9jPHec+e zFFmBQP/Gc2OiuwBqkhBoX5hozqOtZskIy3EDxPC1VGlEVWKzt4=
=xNlv
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Ori

On Thu, Nov 04, 2021 at 12:13:48AM +0800, Shengjing Zhu wrote:

On Wed, Nov 3, 2021 at 11:45 PM Julian Andres Klode <jak@debian.org> wrote:

Hi all,

I'd like us to move from

/etc/apt/sources.list

to
/etc/apt/sources.list.d/debian.sources

While it's really a nice feature for the third-party repository, I
don't see the benefits to change the default one, especially the path.
I had to admit that I have countless scripts which run `sed /etc/apt/souces.list`, to change the default mirror, as well as in the Dockerfile.

There's a technical limitation in that we get the format from the file extension. It's a bit annoying.

Also this makes multi-origin downstream distros cleaner, so you can
have

/etc/apt/sources.list.d/debian.sources
/etc/apt/sources.list.d/downstream.sources

instead of worrying about either creating a combined sources.list or
dropping just your downstream bits into sources.list.d

We'll have to see how much trouble that causes, and it might work
to make sources.list a symlink to sources.list.d/debian.sources,
and have apt inspect readlink() to get the "real" file extension
for sources.list

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 05, 2021 at 06:16:10PM +0100, Julian Andres Klode wrote:

On Thu, Nov 04, 2021 at 12:13:48AM +0800, Shengjing Zhu wrote:

On Wed, Nov 3, 2021 at 11:45 PM Julian Andres Klode <jak@debian.org> wrote:

Hi all,

I'd like us to move from

/etc/apt/sources.list

to
/etc/apt/sources.list.d/debian.sources

While it's really a nice feature for the third-party repository, I
don't see the benefits to change the default one, especially the path.
I had to admit that I have countless scripts which run `sed /etc/apt/souces.list`, to change the default mirror, as well as in the Dockerfile.

(fwiw you could use a 'mirror+file' entry (see man apt-transport-mirror)
specifying your preferred mirror of the day. As a bonus that will reuse
the files of the old mirror instead of discarding them blindly)

There's a technical limitation in that we get the format from the file extension. It's a bit annoying.

It was shortly the case that .list files could contain both formats, but
I opted to change that as of course countless things poking into those
files broke left and right.

cups used to detect if it ran on a Debian-like system by checking the sources.list file for deb entries… I doubt it does nowadays as there are countless better options now, I just mention it as trivial example of
the type of unexpected breakage which is to be expected…


Best regards

David Kalnischkies

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE5sn+Q4uCja/tn0GrMRvlz3HQeIMFAmGFkmcACgkQMRvlz3HQ eINDaA//cnLUi2b8fTbMDiQcdCMy9cD+uwdBuSeiw1phi5S8G/Toe60IJg0i6scr 6XR5IsU7KolgQ5g8h07zdIr2gLZ5spcSb8E0JTpMD/R81wTr1SDejS9ZAK/atu/6 lszVuue8JazcyTYnv/jHz/8m05N/rwcAhbTSnml5VSSIxf/2xtPtkdgijSw0pihE j9XfIAZbiQL8KRCUeqD0obJ4hGkQ6Lxl2O7G0iOaVJKaLZWB2BZuJvOjN71gaqGa Y2xlw8S23+pFYzmPRfTad3hvuk0TWtTTyjVAwpPOXIcAqaFx5CCJbsQ62IUN2pne 8neWURInqJu2By2htgjDWFdWMnEssWRwGZgAImElGq14qdsfP5F7901J6gy/BiH4 jVrjILisCsub28fNYthb/O7WS+oPcFzHucgEthU6GfENLZKUYs7FkWcLWVhhcLUE +Ma7izICxSYq/powFmrLSe8QC4fIxTgtCEOVdp2FXZpDy/0/HQTyh0I5NyF3jVCe 0lSTuawsC0MaHGe7CTIEHOWgIeT+ziQkjT+Lf754H0RibkA5ozAqRVjHhNzFJRNY pt+YhBCd4i2sm4K7T4Z0z2/GpPizX7IAFd9G8Co+kFAzY4dNNDbUjr3RELvFwerw BrcOAzjxXKjK74LEnFSlR4ff90/1gxKxUuyv1R+BGw9F5eh+6Pc=
=jhWj
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Julian Andres Klode wrote:

docker images probably can move earlier as they don't have
as much interactive users that use tools that might be broken
(e.g. software-properties).

I didn't see any open disagreement in this thread (apologies if I
missed it elsewhere), and I think this makes sense, so I've opened
[1].

[1]: https://github.com/debuerreotype/debuerreotype/pull/128

There's still an open discussion point on whether it should be
"debian.sources" or something like "00debian.sources" and I think the
timeline is still a little fluid, especially depending on whether /
how many folks complain and how heavy the breakage is (ie, "my sed
one-liner needs to change" vs "this really-useful-in-containers
package fundamentally can't handle this correctly").

I guess I'm also wondering (in the spirit of #877012 - hopefully dkg
will forgive me for the explicit CC) whether "Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg" is sufficient or
whether folks think that it needs to somehow be more specific?

(please keep me CC'd in replies or comment on that PR directly)

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)