What is missing for opkg -> apk switch [Was: Re: OpenWrt 24.XX release plan]
Petr Štetiar
ynezz at true.cz
Wed Oct 23 13:02:35 PDT 2024
Hi,
> I understood that index based trust is now impemented in APK:
> https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/11008
yep, I've tested that and this part works fine.
Although having my QA hat on, there might be probably one missed use case with
`apk verify` which is probably not using the package index (yet?) for the
verification (as `apk add` does):
root at OpenWrt:/tmp# apk verify packages.adb
packages.adb: OK
root at OpenWrt:/tmp# apk verify 464xlat-13.apk
464xlat-13.apk: UNTRUSTED signature
> What else is missing?
* ImageBuilder (IB) seems to be broken https://lists.openwrt.org/pipermail/openwrt-devel/2024-September/043186.html
* packages CDX SBOMs are missing (we've SBOM only for images x86/64/openwrt-x86-64.bom.cdx.json)
* apk version compat in few packages
> If on the buildbot side everything is ready to do the switch, then lets
> do it as soon as possible I'd say.
Yes, buildbot part is prepared, tested and I would say ready for the apk
switch.
IMO we should really first enable it on the `main` branch and eventually later
in `openwrt-24.10` once we're confident, that its release ready (apk itself is
release ready, just our integration needs a bit more of testing and love).
I've following on my TODO list towards apk switch proposal:
1. Extend GitHub CI action with a test for the ImageBuilder as we're not aware
about the current breakage, prevent future regressions, probably continue
in https://github.com/openwrt/actions-shared-workflows/pull/5
2. Fix the IB
3. Fix the SBOM generation (perhaps try to QA this part on CI as well?)
I'll start with 1. this/next week, hopefully.
Cheers,
Petr
More information about the openwrt-devel
mailing list