apt talk in mdp format

README.md

apt talk

I gave this talk to some co-workers on 2022-01-18. It has some informaton on apt repository layout, general apt usage and some other bits and pieces.

I presented apt-talk.md with mdp, which is convienently installable in Ubuntu with apt.

apt-talk.md

%title: apt - Get me a package. %author: smoser %date: 2022-01-14

-> # apt <-

• apt-get install cool-package ^
• Overview:
  • general overview of apt usage
  • definition of some terms
  • apt repository layout
  • Other apt tips

---

-> # apt-get subcommands

• apt-get update
  • reads/downloads metadata referenced in sources.list
  • checks signatures and checksums.
  • stores info in /var/lib/apt/lists ^
• apt-get install ^
• apt-get upgrade / dist-upgrade ^
• apt-get remove
• apt-get autoremove

---

-> # Personal Package Archives (PPAs)

• Allow anyone to upload source and build and publish packages on launchpad
• Easy for people to use: ^ sudo add-apt-repository ppa:smoser/swtpm

---

-> # sources.list and sources.list.d

sources.list [/etc/apt/sources.list]

[]

deb [ arch=amd64,armel ] http://deb.debian.org/debian buster main deb http://archive.ubuntu.com/ubuntu focal main universe

---

-> # Terms

• package - a debian package (archive of files to be extracted) ^

• repo[sitory] - basically an apt entry point it can be served via http, ftp, file . http://archive.ubuntu.com/ubuntu or http://archive.debian.org/debian ^

• mirror: a mirror/copy of a different repository ^

• suite - can be one of

  • A "suite" like in debian 'stable' or 'testing'
  • A "pocket" like in ubuntu 'focal' (release pocket), 'focal-updates', 'focal-security' ^

• component - just a "group" of packages.

  • debian: main, contrib, non-free
  • ubuntu: main, universe, multiverse, restricted ^

• release - "focal" not an offical apt term, but in practice means the 3 or 4 pockets together (focal, focal-updates, focal-security, focal-proposed)

---

-> # Ubuntu archive practices

An ubuntu release is made up of 3 suites, often called pockets:

• {release}, {release}-updates, {release}-security
• focal, focal-updates, focal-security

^ release pocket (focal) is frozen on release day.

• The contents of http://archive.ubuntu.com/ubuntu/dists/focal/ change during development but not after. ^

security pocket (focal-security) contents are always copied to -updates

• security updates only is supported. (focal and focal-security) ^

updates pocket (focal-updates)

• packages here "fall off" when they are supersceded. ^

proposed pocket (focal-proposed)

• Packages enter -proposed pocket for testing per Stable Release Update (SRU) Guidlines
• Copied to -updates after verification.

---

-> # Signing / Security

• gpg signing allows secure transmission over insecure transport (http).
• Launchpad publishes archive.ubuntu.com and signs InRelease and Release.gpg ^
• trusted keys
  • Canonical key is published in /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  • /etc/apt/trusted.gpg.d/ contains keyrings of trusted signers.
  • apt-key add gives a lot of trust more info

---

-> # Apt respository Tree layout (generic) http://my-mirror/path/

- dists
  + suite
    - InRelease, Release, Release.gpg
    - {COMPONENT1}/, {COMPONENT2}/  (main, universe ...)
    - by-hash/
      + {HASHNAME}/ (SHA256)
        - {HASH0}, {HASH1}, {HASH2}
  + pool/
    + {COMPONENT1}
      - lots of debs and tarballs
    + {COMPONENT2}
    + ...

---

-> # Apt repository / Tree layout (ubuntu)

http://archive.ubuntu.com/ubuntu/
- dists/
    - focal/
      - InRelease, Release, Release.gpg
      - by-hash/SHA256/
         - 452d981cb97db95c...af2799d6d
         - 712628959bc561ac...7c9613acd
         - 743f39c4cc8a9442...caf023ec5
         - 9a27cff7af857858...92b50da72
      - main/
        - binary-amd64
           - Packages.gz, Packages.xz
           - Release
           - by-hash/SHA256/
             - 44fa689d816504f...e32ce0b60
             - 7757921ff8feed9...d43fc9861
             - f25bb719a900d96...131f5a604
        - binary-i386/
        - source/
      - universe/
    - focal-updates/
      ....
- pool/
  - pool/main/a/accountsservice/accountsservice_0.6.55-0ubuntu11_amd64.deb
  - pool/main/a/acct/acct_6.6.4-2_amd64.deb
  ...

---

-> # Index files

InRelease [dists/{suite}/InRelease] is inline signed list of all files and their hashes under dists/suite ^

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Origin: Ubuntu Label: Ubuntu Suite: focal Version: 20.04 Codename: focal Date: Thu, 23 Apr 2020 17:33:17 UTC Architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x Components: main restricted universe multiverse Description: Ubuntu Focal 20.04

SHA256: af226b4496cb....5da13cc 5826751 main/binary-amd64/Packages f25bb719a900....1f5a604 1274738 main/binary-amd64/Packages.gz 44fa689d8165....2ce0b60 95 main/binary-amd64/Release 7757921ff8fe....3fc9861 970408 main/binary-amd64/Packages.xz ...

---

-> # Index Files (2)

Packages [{component}/{arch}/Packages.(.gz, .xz)] files
are referenced by InRelease and contain info on binary packages. ^ Filename: references paths. ^

Package: apache2-doc Architecture: all Version: 2.4.41-4ubuntu3.9 Priority: optional Section: doc Source: apache2 ... Installed-Size: 24237 Recommends: apache2 Filename: pool/main/a/apache2/apache2-doc_2.4.41-4ubuntu3.9_all.deb Size: 3848232 MD5sum: 28871b9f02854de4eb6ae130362c7fb4 SHA256: cd88a562a58fef3274d2d49ef0ccc6e57046dcb8f598b628bf4d8fa8e0a9e184 ... Homepage: https://httpd.apache.org/ Description: Apache HTTP Server (on-site documentation)

---

-> # Index Files (3)

Sources(.gz, .xz) [{component}/source/Sources.gz] contains information about source packages. ^

Package: apache2 Format: 3.0 (quilt) Binary: apache2, apache2-data, apache2-bin, apache2-utils, ... apache2-dev, ... Architecture: any all Version: 2.4.41-4ubuntu3.9 ... Build-Depends: debhelper (>= 10), dpkg-dev (>= 1.16.1~), bison, gawk | awk, ... Build-Conflicts: autoconf2.13 Testsuite: autopkgtest Homepage: https://httpd.apache.org/ Vcs-Git: https://salsa.debian.org/apache-team/apache2.git Directory: pool/main/a/apache2 Package-List: apache2 deb httpd optional arch=any apache2-bin deb httpd optional arch=any apache2-data deb httpd optional arch=all ... Files: c3724f8bcf400a0a4974c953c74a3efc 3382 apache2_2.4.41-4ubuntu3.9.dsc 9dd9c5fae398c3696805d19cb1f1a104 9267917 apache2_2.4.41.orig.tar.gz 89698e860367cbc1b64cac94d8022b72 1076980 apache2_2.4.41-4ubuntu3.9.debian.tar.xz ... Checksums-Sha256: 04779f62c85f3...d02617 3382 apache2_2.4.41-4ubuntu3.9.dsc 3c0f9663240be...3a5461 9267917 apache2_2.4.41.orig.tar.gz aecf5dfb01e24...7df3a1 1076980 apache2_2.4.41-4ubuntu3.9.debian.tar.xz

---

-> # Versioning

[epoch][-]

• normal:

  • thermald 1.9.1-1ubuntu0.6

• native [a "native" debian package (no upstream)]

  • base-files - 11ubuntu5.4

• epoch - oops we messed up versioning. an epoch of 1: will will be larger than no epoch and 2: will be larger than 1.

  • xserver-xorg 1:7.7+19ubuntu14
  • vim - 2:8.1.2269-1ubuntu5.4

• Messed up versioning:

  • graphicsmagick 1.4+really1.3.35-1

---

-> # Versioning continued

• binary packages have same version as source package. (different than rpm)
• ~ (tilde): means less than
  • 1.9-1ubuntu1~ppa0 is less than 1.9-1ubuntu1
• first packaging verison would typically be '-1'.
• ubuntu uses -0ubuntu1 for packages where either ubuntu upstream is newer than debian or no debian packaging yet so that debian's will be newer (preferred) when it is packaged.

---

-> # Pins / Policy

• apt_preferences(5) has doc.
• 'apt-cache policy' to show.

---

-> # Pins continued We can use this to select atomix packages if we always use an atomix suffix.

Package: *
Pin: version *atomix*
Pin-Priority: 1000

---

-> # Other stuff

• apt vs apt-get
• --no-install-recommends
• apt-go-fast
• old format had significat race conditions hashsum mismatch fixed in 16.04

---

-> # Alternative sources.list format (deb822-style) more verbose, not common.

Types: deb URIs: http://us.archive.ubuntu.com/ubuntu Suites: focal focal-updates Components: main restricted