State of APK package manager integration

Rosen Penev rosenp at gmail.com
Sat Aug 24 20:03:37 PDT 2024


On Sun, Aug 11, 2024 at 11:36 AM Paul Spooren <mail at aparcar.org> wrote:
>
> Hi all,
>
> Some time has passed and there is further news for the APK migration:
>
> Timo and Ansuel worked out a way to allow index trust[1]. If a package index is signed by a trusted key, all containing packages are automatically trusted. It is still possible to distribute and sign single packages.
>
> With this in place, the last missing bit was to teach our Buildbot infrastructure to sign indexes with the Buildmaster key[2]. For context, the OpenWrt project does not store private signing keys on Buildworkers but only on the Buildmaster. Indexes are transferred to the Buildmaster and signed there, later uploaded to the download server.
>
> This, too, works now and can be tested for a limited number of targets/archs (if your favorite is missing, please ping me)[3].
>
> The firmware contains an APK public key (in /etc/apk/keys) for testing[4] and the download server is modified[5]. The key is not official and will be replaced once things go further upstream.
>
> If you run one of those images, please give APK a spin and see how it’s doing. A simple example would be to run the following:
>
>     apk add luci # install LuCI
>     apk audit # see what file changed since rootfs creation
>
> Looking at the failing packages[6], some maintainers have not yet switched to an APK-conformant version schema. I’ll try to ping those or create PRs myself.
>
> I’m optimistic’ish that things will work out just great. Please give it a test and let me know how it goes.
ca-bundle and ca-certificates can't coexist it seems.
>
> Best,
> Paul
>
> [1]: https://gitlab.alpinelinux.org/alpine/apk-tools/-/commit/54caa31be633efc5f655700b77af290124f71689
> [2]: https://github.com/openwrt/buildbot/commit/a94d4e15fdc1e9715d7d0cfdcc62227186d0fc45
> [3]: https://buildbot.aparcar.org/targets/
> [4]: https://github.com/aparcar/openwrt/commit/de9b171c5a98c9e23e3da8b787ddc5ba7dd0ac53
> [5]: https://github.com/aparcar/openwrt/commit/2c98eb52e365be6e59b470b4c0001cf29e8a6fb3
> [6]: https://buildbot.aparcar.org/faillogs/x86_64/
>
>
> > On 13. Jun 2024, at 13:29, Paul Spooren <mail at aparcar.org> wrote:
> >
> > Dear all,
> >
> > With great contributions from Timo, Ansuel, Jonas, Daniel, Petr, John, and many others, APK is evolving smoothly, and the integration is progressing well!
> >
> > We have established a staging buildbot environment[1] that compiles firmware images and certain packages. To replicate this setup locally, simply enable “Use APK instead of OPKG to build distribution” (`USE_APK`) in the “Global build settings”.
> >
> > Once the firmware is compiled, it is uploaded to the staging downloads page[2]. Currently, we have limited the targets created to a subset that we have found useful for testing purposes. The firmware images boot up successfully and allow for the installation of external feeds[3]!
> >
> > Be aware, there is still some work required on the package feeds to accommodate the new version requirements. If you are maintaining something, please take a look (e.g. [4]).
> >
> > We are facing an architectural challenge that needs to be addressed. In the past, both OPKG and APKv2 would only sign the package indexes and automatically trust the included packages. With APKv3 (the version we are using), each individual package is signed. We are exploring ways to securely integrate this into the existing setup, where build workers do not have a private key but upload the package index to a dedicated server for signing. We will keep you updated on our progress.
> >
> > I will provide more updates as we make further advancements. Please stay tuned for more information.
> >
> > Sunshine,
> > Paul
> >
> > PS: since we do parallel experiments with the Buildbot itself some packages are missing, please be aware that your mileage may vary when testing package installation
> >
> > [1]: https://buildbot.staging.openwrt.org
> > [2]: https://downloads.staging.openwrt.org/snapshots/targets/
> > [3]: apk add --allow-untrusted kmod-usb-serial-cp210x
> > [4]: https://github.com/openwrt/packages/issues/23706
> >
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
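
The index-trust chain described in the quoted messages (the Buildworker holds no private key, the Buildmaster signs the index, the device trusts any package listed in a trusted index), as an added example that is not part of the original thread and not apk-tools or Buildbot code. The JSON index layout, the function names and the toy textbook-RSA key are assumptions for illustration only; real APK indexes use a different format and real keys.

```python
import hashlib
import json

# Toy textbook-RSA key from two Mersenne primes: an insecure stand-in for the
# Buildmaster key pair (assumption, illustration only).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, Buildmaster only

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def worker_build_index(packages: dict) -> bytes:
    """Buildworker: has no private key, only records package digests."""
    return json.dumps({n: digest(b) for n, b in sorted(packages.items())}).encode()

def master_sign(index: bytes) -> int:
    """Buildmaster: signs the index received from the worker."""
    return pow(int(digest(index), 16), D, N)

def device_trusts(name, blob, index, sig, trusted_keys) -> bool:
    """Device: accept a package only if a trusted key signed the index
    and the package bytes match the digest listed in that index."""
    h = int(digest(index), 16)
    if not any(pow(sig, e, n) == h for (n, e) in trusted_keys):
        return False  # index not signed by any trusted key
    return json.loads(index).get(name) == digest(blob)

# Constructed sample data (package payloads are placeholders).
PKGS = {"luci": b"constructed luci payload",
        "kmod-usb-serial-cp210x": b"constructed kmod payload"}
INDEX = worker_build_index(PKGS)
SIG = master_sign(INDEX)
KEYS = [(N, E)]  # public half only, as shipped on the device

if __name__ == "__main__":
    print("listed package:", device_trusts("luci", PKGS["luci"], INDEX, SIG, KEYS))
    print("tampered package:", device_trusts("luci", b"evil", INDEX, SIG, KEYS))
    forged = worker_build_index({"luci": b"evil"})
    print("unsigned index:", device_trusts("luci", b"evil", forged, SIG, KEYS))
```
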
