Wandering Thoughts archives

2020-08-07

Our problem installing an old Ubuntu kernel set of packages

On Twitter, I said:

It has been '0' days since I've wound up hating Debian's choice to sign package metadata instead of packages (or perhaps 'in addition to' these days). Why? Because it makes it much more difficult to support 'install a package, satisfying dependencies from this directory of debs'.

Naturally there is a story here.

We have some Linux fileservers running Ubuntu, and we are very controlled about upgrading their kernel versions (partly because of mysterious crashes). We have a new kernel version that's proven on our test fileserver and our most recently build fileserver (which is itself a story), and we're looking at upgrading the other fileservers to that kernel. However, this kernel is not the most recent Ubuntu kernel; it's sufficiently old that it's no longer in the official Ubuntu package repositories.

We have our own local Ubuntu mirror, where we never delete packages, and it has all of the many linux-* packages and meta-packages required. However, we can't just do 'apt-get install linux-generic=...' and get all of those packages. Because these older Linux kernels aren't in the Ubuntu official package repositories, they're not in the official repository index files. Because these index files are signed, our mirror can't just rebuild them to reflect the full set of packages we have available. Although we have these files available on our mirror, we can't use them, at least not easily.

Similarly, I suspect this fundamental assumption of signed index files (or at least the existence of index files) is part of why I don't think any dpkg frontend has an option to just get packages and dependencies from a directory you supply. You can 'dpkg -i *.deb' for everything in a directory, but that requires you to carefully curate the directory to have absolutely everything required, and Ubuntu kernels come in a rather large number of packages.

(If there is a command line frontend that supports this, I would like to know about it. I don't count dropping .debs into /var/cache/apt/archives for apt, although I've read that it actually works.)

You don't really have this problem on RPM based systems like CentOS. Since all RPM packages themselves are signed, signed metadata isn't as important and tools like yum and dnf are generally happy to work with a pool of RPMs in a directory.

(Note that unsigned repository metadata opens you up to some attacks, so you definitely want to sign it if possible. It's also safe to generate your own local unsigned repository metadata, since you generally trust yourself.)

(See also my wish to be able to easily update the packages on an Ubuntu ISO image, which also runs into this issue.)

UbuntuOldPackageProblem written at 00:00:03; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.