On Wed, Sep 08, 2021 at 03:56:14PM +0200, Ansgar wrote:

On Wed, 2021-09-08 at 15:41 +0200, Helmut Grohne wrote:

On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:

So what do you suggest then? Tech-ctte as with merged-/usr? Or a
GR? Or
something else?

I propose that the proponents pay the cost. In this case, it is a bit
unclear what that means precisely (which likely is the reason they
haven't done it already). At the very least though, apt install
auto-apt-proxy should continue to work on a default installation in a
sensible way.

I can file a bug for auto-apt-proxy to include an apt.conf snippet
saying

Acquire::https::Verify-Peer false;

That clearly makes it work again

I think the issue isn't certificate validation, it's that https proxy
requests are made via CONNECT rather than GET. You could theoretically
rewrite the proxy mechanism to MITM the CONNECT, but that wouldn't be a
drop-in replacement. I suppose you could instead add an apt option to
pass the https request to the proxy via GET instead of using CONNECT,
but I think that also won't necessarily work on an existing proxy.

If we're imagining apt options, something like
Acquire::https::Force-Proxy-HTTP true;
would probably be more useful for this specific case (not that I think
it's a great idea--too much potential for surprise).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

All,

I am against automatically setting HTTPS. Their should be an option in
the installer to set or unset HTTPS while configuring the mirror! I
like a lot of folks am on a metered internet connection with a UTM
proxy firewall. I have multiple computers that need patched and only
having to download the package once is a great convenience to both
data usage and download time as my internet is not fast 4G LTE usually
only operating at 3G speed.

Tim

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Sep 09, 2021 at 11:54:44AM +0530, Pirate Praveen wrote:

Why can't auto-apt-proxy ask this as a debconf question? I also like auto-apt-proxy but I agree with this, someone needing auto-apt-proxy should be able to change the default as well.

I don't really see why adding another debconf question would be better
than just preseeding the existing one.

The only thing I could see that would be a net gain would be to
generalizes sources.list more. Instead of having a user select a
specific protocol and path, allow the user to just select high-level
objects. Make this a new pseudo-protocol for backward compatibility, and introduce something like
deb apt:// suite component[s]
so the default could be something like
deb apt:// bullseye main
deb apt:// bullseye/updates main
then the actual protocols, servers, and paths could be managed by
various plugins and overridden by configuration directives in
apt.conf.d. For existing configurations it's a no-op but it allows more flexibility & new plugins/protocols in the future without having to
micromanage sources.list. If someone wants to use tor by default but
fall back to https if it's unreachable, they can do that. If someone
wants to use a local proxy via http but https if they're not on their
local network, they can do that. New installations could default to
https, existing installations can keep doing their thing, and a plugin
like auto-apt-proxy can override defaults to do something more
complicated, using more policy-friendly .d configurations rather than
figuring out a way to rewrite some other package's configuration file.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hallo,
* Michael Stone [Wed, Sep 08 2021, 07:25:26PM]:

On Wed, Sep 08, 2021 at 03:56:14PM +0200, Ansgar wrote:

On Wed, 2021-09-08 at 15:41 +0200, Helmut Grohne wrote:

On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:

So what do you suggest then? Tech-ctte as with merged-/usr? Or a
GR? Or
something else?

I propose that the proponents pay the cost. In this case, it is a bit unclear what that means precisely (which likely is the reason they haven't done it already). At the very least though, apt install auto-apt-proxy should continue to work on a default installation in a sensible way.

I can file a bug for auto-apt-proxy to include an apt.conf snippet
saying

Acquire::https::Verify-Peer false;

That clearly makes it work again

I think the issue isn't certificate validation, it's that https proxy requests are made via CONNECT rather than GET. You could theoretically rewrite the proxy mechanism to MITM the CONNECT, but that wouldn't be a drop-in replacement. I suppose you could instead add an apt option to pass the https request to the proxy via GET instead of using CONNECT, but I think

Precisely. Current handling of HTTPS on a caching proxy is either
impossible or PITA for the user, as long as a such mixed behavior is not configurable. apt-cacher-ng works around that by telling users to
disguise https URLs as HTTP with a special marker for protocol switch
(ugly, I know).

Also keep in mind that it off-loads the encryption work to the proxy,
but that might be even intentional.

that also won't necessarily work on an existing proxy.

Speaking at least for ACNG, my assumption was that it would support that
but I was wrong. TODO created, https://salsa.debian.org/blade/apt-cacher-ng/-/issues/11 .

If we're imagining apt options, something like Acquire::https::Force-Proxy-HTTP true;
would probably be more useful for this specific case (not that I think it's
a great idea--too much potential for surprise).

I would make it a list of trusted proxy hosts and a special value ALL.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994032 created.

Best regards,
Eduard.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Michael Stone <mstone@debian.org> [2021-09-08 19:25]:

I think the issue isn't certificate validation, it's that https proxy >requests are made via CONNECT rather than GET. You could theoretically >rewrite the proxy mechanism to MITM the CONNECT, but that wouldn't be
a drop-in replacement. I suppose you could instead add an apt option
to pass the https request to the proxy via GET instead of using
CONNECT, but I think that also won't necessarily work on an existing
proxy.

apt-cacher-ng has a second mode of operation where you can prefix
the source URL with the proxy URL, i.e.

deb http://proxyhost:3142/deb.debian.org/debian unstable main

Maybe we could introduce this as an "official" APT proxy mode, where http(s)://REPO gets replaced by http://PROXY_URL/REPO (and the proxy
can decide whether or not to fetch via HTTPS as an implementation
detail)?

Cheers
Timo

--
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

-----BEGIN PGP SIGNATURE-----

iQGzBAABCgAdFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmE7LNYACgkQ+C8H+466 LVnlKAwAzJIja8TEn7185IaAVkn6H22u6q+JGScLi4geNqesf87gZdUlo++gSBj5 LGxhhKZHXnLdhjpeN8KI1w4P+vnqUNfnbBtDZTTgXQk7HUG06ZueAhU4K7GZMX2Z DSdDU89Q9OpmD6paOhS8SLwncObGBE8jj2aqaqWQqcB19Bnw0hRq1Mow8fuNxSOx puXocc7KTUsXSaAS065fAzC8dUWO7nKGvcWLhzifiGuCANNe8DkPGImt6stCk1Yb 6pinnaoxuJDT2VM2DajIOZaexrTwjRCafJxvDHAXZsapglxJkMY8q6nPS0KRLtnT 4i6Rwll0ECTGgvdqChtStsJ/4rTjEYsgbFhTMwIDror

On Fri, Sep 10, 2021 at 12:00:57PM +0200, Timo R�hling wrote:

* Michael Stone <mstone@debian.org> [2021-09-08 19:25]:

I think the issue isn't certificate validation, it's that https
proxy requests are made via CONNECT rather than GET. You could >>theoretically rewrite the proxy mechanism to MITM the CONNECT, but
that wouldn't be a drop-in replacement. I suppose you could instead
add an apt option to pass the https request to the proxy via GET
instead of using CONNECT, but I think that also won't necessarily
work on an existing proxy.

apt-cacher-ng has a second mode of operation where you can prefix
the source URL with the proxy URL, i.e.

deb http://proxyhost:3142/deb.debian.org/debian unstable main

Maybe we could introduce this as an "official" APT proxy mode, where >http(s)://REPO gets replaced by http://PROXY_URL/REPO (and the proxy
can decide whether or not to fetch via HTTPS as an implementation
detail)?

I'd much rather see something more like I proposed earlier (splitting the selection of what suites/components to install from the policy of how to
obtain them) rather than further layering+confusing these two concepts
within sources.list.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Sep 09, 2021 at 08:53:21AM -0400, Michael Stone wrote:

The only thing I could see that would be a net gain would be to generalizes sources.list more. Instead of having a user select a specific protocol and path, allow the user to just select high-level objects. Make this a new pseudo-protocol for backward compatibility, and introduce something like
deb apt:// suite component[s]
so the default could be something like
deb apt:// bullseye main
deb apt:// bullseye/updates main
then the actual protocols, servers, and paths could be managed by various plugins and overridden by configuration directives in apt.conf.d. For

In this scheme the Debian bullseye main repo has the same 'URI' as the
Darts bullseye main repo. So, you would need to at least include an
additional unique identifier of the likes of Debian and Darts, but
who is to assign those URNs?
(Currently we are piggybacking on the domain name system for this)

Also, but just as an aside, whatever clever system you think of apt
could be using, you still need a rather simple system for the likes of
tools which come before apt like the installers/bootstrappers as they
are not (all) using apt, especially not in the very early stages, and
a mapping between them.

If someone wants to use tor by default but fall back to https if it's unreachable, they can do that. If someone wants to use a local proxy via
http but https if they're not on their local network, they can do that. New installations could default to https, existing installations can keep doing

You can do most of the fallback part with the mirror method backed by
a local file. It is of no concern to apt how that file comes to be, so
you could create it out of a massive amount of options or simply by
hand. I do think if the creation is tool-based it shouldn't be apt
as I envision far too many unique snowflakes for a one-size-fits-all
approach.

(The Tor to https fallback can be done already if we talk onion services
to others. You can't fall out of Tor – or redirect into it – through as
that would allow bad actors to discover who you are/that you have an
operational tor client installed. proxy configuration you can already
change programmatically on the fly – a job auto-apt-proxy implements –,
changing the mirror file with a hook from your network manager would
be equally easy.)

their thing, and a plugin like auto-apt-proxy can override defaults to do something more complicated, using more policy-friendly .d configurations rather than figuring out a way to rewrite some other package's configuration file.

JFTR: auto-apt-proxy has nothing to do with sources. It is true that apt-cacher-ng (and perhaps others) have a mode of operation in which you
prefix the URI of your (in that case caching) proxy to the URI of the
actual repo, but that isn't how a proxy usually operates and/or is
configured.


Best regards

David Kalnischkies

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE5sn+Q4uCja/tn0GrMRvlz3HQeIMFAmE7bMAACgkQMRvlz3HQ eINyiRAAhpewvwLyPFShlYyizsL1MpevHvTrW0uU9S5FH93XUpSOjj8pLNmjbukn FzuCRD0TZznU6q03OIbAlaHcGoY99fXAhuZ6YO7iXtfsuVxkNwOIIeJZFGt25D+d iH2DHNsZNC7Z1/0E+gKPf4DV+ufIzJ6UxG/zlPezx6U/AxvcMa5JZAXSsbC4kO6Y RP/ryxtEjwwonLsxA0JVURbIkUY+L+9Eg/SZhRvVRSelS53QdHSqp79QHNRQrndg 5mW7am45MBToiFT8X+NU+RdEAk+fX28pt7e0Cuz7koN+prZXErpS2USOw+SibSO/ bdknz8TLOLM81q/0HxaJUpRLxv++EciuFqTh/Wxg18qnBe6vOO13w/k4GCTBQks4 lbIdGl4kdCabTBXzsBYvv5pj691FBL68hxbbQXC3T0J15MmaXstOhELPDY5mkatR uOLPDretuMuo72+za4HfSixpoNydkuZgxHSrhmAY+gWdkjXxIVv9VIW6pPY6Yk/e rqaqsrBKNnYefbf/8/40hCx8A3VjMpIXvsrquPF0whDYqlp/FMy10aK0IgO8Om8l 6XMXnR/Ix9AUoLl+BfaMMs04toh/GoVRHN8V55dIoCF4u1eN1vDz94xnDELHfkpv LRVr53CXAvtg4WNxO0pEhoS7vusu996sB6uXijMRG9Anrynl2jY=
=+K3V
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Sep 10, 2021 at 04:33:42PM +0200, David Kalnischkies wrote:

On Thu, Sep 09, 2021 at 08:53:21AM -0400, Michael Stone wrote:

The only thing I could see that would be a net gain would be to generalizes >> sources.list more. Instead of having a user select a specific protocol and >> path, allow the user to just select high-level objects. Make this a new
pseudo-protocol for backward compatibility, and introduce something like
deb apt:// suite component[s]
so the default could be something like
deb apt:// bullseye main
deb apt:// bullseye/updates main
then the actual protocols, servers, and paths could be managed by various
plugins and overridden by configuration directives in apt.conf.d. For

In this scheme the Debian bullseye main repo has the same 'URI' as the
Darts bullseye main repo. So, you would need to at least include an >additional unique identifier of the likes of Debian and Darts, but
who is to assign those URNs?
(Currently we are piggybacking on the domain name system for this)

I have no idea what darts is, so I don't have an answer. :)

Also, but just as an aside, whatever clever system you think of apt
could be using, you still need a rather simple system for the likes of
tools which come before apt like the installers/bootstrappers as they
are not (all) using apt, especially not in the very early stages, and
a mapping between them.

I'm not sure why you think I need that? The goal of my musings is to
separate the definition of what set of debian packages to use from the
decision of how to get those packages *when using apt*, so that there
are fewer things to consider in the common case, and to allow new
capabilities in uncommon cases. If someone's using some other tool, why
would anyone assume that the same configuration syntax would work? Just
use the same configuration file you use now, and ignore all of this. If
you want configurations to match across tools, then ignore all of this
again and keep the same sources.list syntax you're already using that presumably does what you want.

If someone wants to use tor by default but fall back to https if it's
unreachable, they can do that. If someone wants to use a local proxy via
http but https if they're not on their local network, they can do that. New >> installations could default to https, existing installations can keep doing

You can do most of the fallback part with the mirror method backed by
a local file. It is of no concern to apt how that file comes to be, so
you could create it out of a massive amount of options or simply by
hand. I do think if the creation is tool-based it shouldn't be apt
as I envision far too many unique snowflakes for a one-size-fits-all >approach.

The intent would be to make it easier to plug other tools into apt,
not to have the apt codebase do everything.

their thing, and a plugin like auto-apt-proxy can override defaults to do
something more complicated, using more policy-friendly .d configurations
rather than figuring out a way to rewrite some other package's configuration >> file.

JFTR: auto-apt-proxy has nothing to do with sources. It is true that >apt-cacher-ng (and perhaps others) have a mode of operation in which you >prefix the URI of your (in that case caching) proxy to the URI of the
actual repo, but that isn't how a proxy usually operates and/or is >configured.

I have no idea what you're saying here.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Sep 10, 2021 at 11:08:38AM -0400, Michael Stone wrote:

On Fri, Sep 10, 2021 at 04:33:42PM +0200, David Kalnischkies wrote:

On Thu, Sep 09, 2021 at 08:53:21AM -0400, Michael Stone wrote:

The only thing I could see that would be a net gain would be to generalizes
sources.list more. Instead of having a user select a specific protocol and
path, allow the user to just select high-level objects. Make this a new pseudo-protocol for backward compatibility, and introduce something like
deb apt:// suite component[s]
so the default could be something like
deb apt:// bullseye main
deb apt:// bullseye/updates main
then the actual protocols, servers, and paths could be managed by various plugins and overridden by configuration directives in apt.conf.d. For

In this scheme the Debian bullseye main repo has the same 'URI' as the Darts bullseye main repo. So, you would need to at least include an additional unique identifier of the likes of Debian and Darts, but
who is to assign those URNs?
(Currently we are piggybacking on the domain name system for this)

I have no idea what darts is, so I don't have an answer. :)

"Darts" was just a play on "bullseye". It is not hard to imagine
a repository which has the same suite and component(s) but is not
Debian itself. As a pseudo-random [= its in an other topic here] real
example you can take Wine (https://dl.winehq.org/wine-builds/debian/).
So to what is "deb apt:// bullseye main" referring? Debian or Wine?

And to pre-empt the most common response: As an apt dev I can assure you
that we won't accept a solution involving "I am on Debian, so it means
Debian" as that is impossible to correctly guess programmatically (for
example on derivatives using a small overlay repo).

Also, but just as an aside, whatever clever system you think of apt
could be using, you still need a rather simple system for the likes of tools which come before apt like the installers/bootstrappers as they
are not (all) using apt, especially not in the very early stages, and
a mapping between them.

I'm not sure why you think I need that? The goal of my musings is to

Because this thread started with the idea to switch the default of d-i
and co to another URI. If you target only apt then you still need
a solution for d-i and a way to convert whatever d-i had into what apt
gets in the end (of the installation).

The configuration option which only works with apt tools already
exists in the form of the mirror method…

their thing, and a plugin like auto-apt-proxy can override defaults to do something more complicated, using more policy-friendly .d configurations rather than figuring out a way to rewrite some other package's configuration
file.

JFTR: auto-apt-proxy has nothing to do with sources. It is true that apt-cacher-ng (and perhaps others) have a mode of operation in which you prefix the URI of your (in that case caching) proxy to the URI of the actual repo, but that isn't how a proxy usually operates and/or is configured.

I have no idea what you're saying here.

And I have no idea if you know what you are talking about.

auto-apt-proxy already uses an interface apt provides to configure the
proxy at runtime. It isn't in the business of modifying sources.list nor
has it any interest in that. So you using it as an example for a plugin
who could use your proposed scheme to modify the sources at runtime
makes no sense.


Best regards

David Kalnischkies

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE5sn+Q4uCja/tn0GrMRvlz3HQeIMFAmE7nbsACgkQMRvlz3HQ eIMlcg/+Jo2FfoLYxQ2BC4Mjpg35bs3y6bK+54jUD0n2lvdoPeqlK1BWG923pyN9 W35/6ngqJHx5QOIIEI6qf2WUPGgUZ+gCmvhNH29GgDfGV2YDe7ErxviThBm1EXof 54+fzi2j0FJkaEnl7lMQEHfOh7+6/dB9kAp3QD/ZE3yEzycOXJiGsKgVnZizMuPH T48Cq7A/kEFQmYor507E72Alnk02Em/o9fwDxOOLQOmtE7s/mSkw0fdGVNtNRodz XtAhrCEPo8+HqX0VBphDfpbG7qjnlQTrbIgDwyhdXea0USBR51NQFw2c3JtWV55E 2Vh8a787yRgCDrBeODHw3Ztbk3wnhRjZQbM3vceirlaY7XfRbNtSl2+kTWlOWr14 scT+G5DmHhUjch8J9jXSTdpiyJgrNWizI47YUSKeloLRCXXAmbgXcEYzmo8V+hzh 1GMCgXo37xfTTP2c7WZp58ioDiPjsn5dSWMexJJaeSlSFdKSemZxmBnYzouHIM6B fzs5LGfEijlWKvdAZ/z/Fk8uUJh+zaInOy+iCoiYKn9XiA3URZX+X28FgpVE9BFW ORVT68cZJeX51qvUlRZST+ohIQlacgtIfT0+5K8epxpCJDO9Y5+wSiXpbeXofcjl upqeMWjEO4NX7e6s1D4ChVxG2jK0+1C49+ROYvBThCnKINd1EmE=
=vcyq
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Sep 10, 2021 at 08:02:42PM +0200, David Kalnischkies wrote:

On Fri, Sep 10, 2021 at 11:08:38AM -0400, Michael Stone wrote:

On Fri, Sep 10, 2021 at 04:33:42PM +0200, David Kalnischkies wrote:

On Thu, Sep 09, 2021 at 08:53:21AM -0400, Michael Stone wrote:

The only thing I could see that would be a net gain would be to generalizes
sources.list more. Instead of having a user select a specific protocol and
path, allow the user to just select high-level objects. Make this a new >> > > pseudo-protocol for backward compatibility, and introduce something like >> > > deb apt:// suite component[s]
so the default could be something like
deb apt:// bullseye main
deb apt:// bullseye/updates main
then the actual protocols, servers, and paths could be managed by various
plugins and overridden by configuration directives in apt.conf.d. For

In this scheme the Debian bullseye main repo has the same 'URI' as the
Darts bullseye main repo. So, you would need to at least include an
additional unique identifier of the likes of Debian and Darts, but
who is to assign those URNs?
(Currently we are piggybacking on the domain name system for this)

I have no idea what darts is, so I don't have an answer. :)

"Darts" was just a play on "bullseye". It is not hard to imagine
a repository which has the same suite and component(s) but is not
Debian itself. As a pseudo-random [= its in an other topic here] real
example you can take Wine (https://dl.winehq.org/wine-builds/debian/).
So to what is "deb apt:// bullseye main" referring? Debian or Wine?

And to pre-empt the most common response: As an apt dev I can assure you
that we won't accept a solution involving "I am on Debian, so it means >Debian" as that is impossible to correctly guess programmatically (for >example on derivatives using a small overlay repo).

I'd considered adding a scope to the model, e.g., apt://debian.org but
removed it for simplicity. If that was a desired feature then there'd
either have to be some sort of well-known path or such a distribution
would need to provide a policy plugin for that scope. Alternatively,
they could just use the existing http/https/whatever syntax in
sources.list for their overlay if they didn't want to bother. Same for
third party repos.

their thing, and a plugin like auto-apt-proxy can override defaults to do
something more complicated, using more policy-friendly .d configurations >> > > rather than figuring out a way to rewrite some other package's configuration
file.

JFTR: auto-apt-proxy has nothing to do with sources. It is true that
apt-cacher-ng (and perhaps others) have a mode of operation in which you >> > prefix the URI of your (in that case caching) proxy to the URI of the
actual repo, but that isn't how a proxy usually operates and/or is
configured.

I have no idea what you're saying here.

And I have no idea if you know what you are talking about.

auto-apt-proxy already uses an interface apt provides to configure the
proxy at runtime. It isn't in the business of modifying sources.list nor
has it any interest in that. So you using it as an example for a plugin
who could use your proposed scheme to modify the sources at runtime
makes no sense.

The concern I was responding to was that switching to https breaks the
case of using auto-apt-proxy to cache the transaction. Just turning the
proxy on and off isn't sufficient if the default sources.list uses https instead of http--you'd currently have to both turn the proxy on *and*
change sources.list from http to https. Hence my musings on whether it's possible/desirable to separate the configuration of what to use as a
transport from the configuration of what repository is desired.

More generally, if we're talking about changing the default way that
people interact with debian it just seems like a good time to ponder
whether specifying sources the same way we did in 1998 makes sense given
how many changes there have been to expectations about how we use
internet resources. Maybe the answer is yes, and I'm not arguing that
there has to be a change or that what I threw out as a possibility is
the right answer, but it does seem worth considering.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Sep 10, 2021 at 6:03 PM David Kalnischkies wrote:

Because this thread started with the idea to switch the default of d-i
and co to another URI. If you target only apt then you still need
a solution for d-i and a way to convert whatever d-i had into what apt
gets in the end (of the installation).

ISTR the future of creating new Debian installations is to move from debootstrap to dpkg/apt. As an interim step, debootstrap could move
from doing its own downloads to passing the appropriate APT_CONFIG/DPKG_ROOT/etc to `apt download`.

https://wiki.debian.org/Teams/Dpkg/Spec/InstallBootstrap

--
bye,
pabs

https://wiki.debian.org/PaulWise

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Sep 12, 2021 at 03:10:27AM +0000, Paul Wise wrote:

ISTR the future of creating new Debian installations is to move from debootstrap to dpkg/apt. As an interim step, debootstrap could [...]

I've switched all my occurances of using debootstrap to mmdebstrap and
am a very happy user of it.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmE+dlYACgkQCRq4Vgaa qhxW6w/+J4j0WIyTFhB05K+A67cRTJgHku6n8/5p5UOGvJqChYr+Ak+SYiWKD2QZ ghcRd2rwjNfrHn4HTL6I/425BpV5pHMDdGgCdeoIc900Yiv6mCtrkELsla0NmCwx J+72E366eXbtVPYrBgEyhdKwh49heYkuo3PITHNnQN7zMSkklUl2Mylx4OW9d4Wq ozYe5g4OZkuOmUCXBOLic1xRTpCF8E5qUYmb0YCP6aibT7zBTtX0DuINOr21tKTK taFbWoxoUn6x5GaJbA6agg/B9lLu8cPXB2QbMstLGw9ShizjUot7eCxOVxrNUqC6 9Q4JxbkSy49lVzAnUNsXLWznDs+2HaJWx8Ee558F5nzd/6etcxmOCE3YWu544Bfx xMqId5vylGMd2w2Fv0l77uDzmEplXPA1Tu2b5jMBTP3RXaU7G4xnj7AEKSGemr9b iJSxfondKLCstj5tOP5QX5tUdySbiOMg31zOkBSSOOjn8R9rOBbDxYm0HKarM1/+ nLGml0TZMnXiAe7xAyGuCt+klPnf1mn1SK297zuu5Bp4HgR7quK0TxPJBtWAmF4I prEfQ7zio9IOX9C7wgXGArHQDlfhwSjbWcOM9OYhipAjDFgt2WZm1papMGLXY7mD IV2EopJUfGS4zy3q4m7W+aUYPGMz/IDOjNWMseobDvBXtaW8/u

On Sun, Sep 12, 2021 at 03:10:27AM +0000, Paul Wise wrote:

On Fri, Sep 10, 2021 at 6:03 PM David Kalnischkies wrote:

Because this thread started with the idea to switch the default of d-i
and co to another URI. If you target only apt then you still need
a solution for d-i and a way to convert whatever d-i had into what apt
gets in the end (of the installation).

ISTR the future of creating new Debian installations is to move from debootstrap to dpkg/apt. As an interim step, debootstrap could move
from doing its own downloads to passing the appropriate APT_CONFIG/DPKG_ROOT/etc to `apt download`.

https://wiki.debian.org/Teams/Dpkg/Spec/InstallBootstrap

The spec deals with the installation of the essential set.
APT isn't essential – it is 'only' one of the first packages installed
after the bootstrap is done, usually at least.

Moving {,c}debootstrap to use apt means you increase the system
requirements from "can execute debootstrap" all the way up to "is
a fully bootstrapped Debian-based system". At which point you could
just use mmdebstrap instead of debootstrap and be done.

I am not involved with d-i to know if they would plan such a move, but
I have at least never heard of it and it seems outside the linked spec.
You might have confused this with the pipe-dream of obsoleting
mmdebstrap at some far away in the future point by folding it into apt directly. The spec is one (of the many) pre-requirements for that.


Even if we do, that would move the goal post only slightly as you still
have the problem that the conf used to create the system might very well
not be the conf that can be used by the created system (as a trivial
example some old apt versions do not support https). That doesn't really
change regardless of using anna, debootstrap, apt or whatever else.


Best regards

David Kalnischkies

P.S.: Having apt be involved in its own bootstrap reminds me of that
time when I saved myself from drowning in a swamp by pulling on my hair… https://en.wikipedia.org/wiki/Baron_Munchausen#Fictional_character

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE5sn+Q4uCja/tn0GrMRvlz3HQeIMFAmE/S2MACgkQMRvlz3HQ eIP42Q/9FG/aigZVwwo4emD4wCI19x5swcQaAqOYF5Mp4Nj/Or+wjVwPAZZp17wp 6C0gqv2Va03O82xmmK2ljSgMA8rgx4F+xx+2tJdAmesj0VDYuRVYdUt64JK7VhSq F9DuQC7ILojJiO8VQulcNMtr8fkS+yVNjLO+Ld0X8KQtJpzUE//8rp8RmnxbmzeZ bCFjSzAEbCMITAtR/tjpZzISJWdIesWl11zaZ1N0I6BNL0X85FSoOAMUvqkukvDL 8WP7+7DTPyyl6qMtJDOsD3806b71YtKBcPBZAR+qQyS3ejsPUUyUod4HcDPWwnSQ RjBr9l3WVS1F+sVLwQ+e7JXFgo2NYVy26sBcuFRbnvQF98Qpz2YD75ZvOlIc1jg1 W+5hWA1brBHy6M2MQHybC/LQ4gHFNTC7HK+cm+pV3iMog3+hay6rzqbHj4qRdvOy qOLCRzvSH5Mc8fjsEjlKNXL/jofAEPRvNugyfhzsoFXTmPrVaVb3kjwXaoxmx7l/ 0Z2x1kfrKBubsAkWY9P3zeeV3s5Cr3HFxb/X5W1DKeeFOwRuWHcph7Z8J4muxj+w nTRHtb33iXRlxR51FZCXdCiQsmORjnT+hJoASa5n9BRSisAAVBwJQhUFUFYId62Y wilSeLObI/mXEMuYLfyvCxEpjGjWkVy2aLumz3UbggQFsT6ilHI=
=kvyN
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)