[tor-bugs] #33277 [Internal Services/Tor Sysadmin Team]: adopt puppetlabs apt module

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 11 22:46:36 UTC 2020


#33277: adopt puppetlabs apt module
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  task                                 |         Status:  closed
 Priority:  Low                                  |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Major                                |     Resolution:  fixed
 Keywords:  tpa-roadmap-february                 |  Actual Points:
Parent ID:                                       |         Points:  1
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 We are now using the upstream apt module.

 I've also taken this opportunity to move the gpg trust anchor out of
 trusted.gpg.d and into /usr/share/keyrings as per
 https://wiki.debian.org/DebianRepository/UseThirdParty for the servers
 that support it (stretch and up).

 There are two downsides with the switch:

  1. we cannot define multiple mirrors at once
  2. we cannot define multiple suites at once

 The latter is not a big problem: just create another entry alongside the
 other, it's very similar to how things currently work except you have two
 files instead of one, and you need to name them differently. Because suite
 names are short, they can easily be used in the filename as well.

 But the former is a bigger problem: we can't really name the sources.list
 file after the mirror, because we don't have a good short name for those.
 We would need to implement the same kind of logic that was in the previous
 template, by looping over the provided mirrors. But that would require an
 upstream change and I'm not sure we can convince upstream to provide
 support for multiple mirrors.

 It seems the tradeoff isn't worth it anyway: either the POP mirror is
 reliable, or it isn't. If it's not then we ditch it. If it is, then we
 don't need the fallback.

 So I favor consolidating our work with upstream and losing that
 functionality over complicating code and forking even deeper than we
 already have.

 We have *one* patch to the upstream module right now, documented here:

 https://github.com/puppetlabs/puppetlabs-apt/pull/904
 https://tickets.puppetlabs.com/browse/MODULES-10543

 It's a fairly trivial patch and I believe it has good chances to be
 accepted. But if it is refused, we can just accept that we have an empty
 `sources.list` instead of no file at all, that seems like a compromise we
 could live with, in a pinch.

 That was quite a ride, but we're now "apt-safe", as long as we don't start
 asking it for "keys", because of the various problems with that module.

 We might want to implement a wrapper around apt::source so it has a better
 "key" semantic than the current one to work around that problem, but I'll
 cross that bridge when I get there. I'll wait for that issue to get more
 traction before I venture down that larger refactoring:

 https://tickets.puppetlabs.com/browse/MODULES-9695

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33277#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
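As an added illustration of the layout described in the comment above (this is example code, not the TPA manifest or the puppetlabs-apt module's own code): a keyring placed in /usr/share/keyrings rather than /etc/apt/trusted.gpg.d, and one apt::source per suite since the upstream module takes a single suite. It assumes puppetlabs-apt is installed as the `apt` module and that its apt::source accepts a `keyring` parameter (used to emit `signed-by=`); the profile class name, repository URL, suites and keyring file name are hypothetical.

```puppet
# Added example, not TPA's real manifest. Assumptions: puppetlabs-apt provides
# apt::source with a `keyring` parameter; the class name, mirror URL, suites
# and keyring file name below are placeholders.
class profile::apt::example_repo (
  String $mirror  = 'https://deb.example.org/debian',
  String $keyring = '/usr/share/keyrings/example-archive-keyring.gpg',
  Array[String] $suites = ['buster', 'buster-backports'],
) {
  include apt

  # Trust anchor lives in /usr/share/keyrings, not /etc/apt/trusted.gpg.d, so
  # the key is only trusted for sources that reference it via signed-by= and
  # cannot sign for the main Debian archive. The file is a binary (dearmored)
  # OpenPGP keyring shipped from the module's files/ directory.
  file { $keyring:
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/profile/apt/example-archive-keyring.gpg',
  }

  # One apt::source per suite: the upstream module defines a single suite per
  # resource, so two suites become two resources. The suite name goes into the
  # resource title and hence into the file name under /etc/apt/sources.list.d/.
  $suites.each |String $suite| {
    apt::source { "example-${suite}":
      location => $mirror,
      release  => $suite,
      repos    => 'main',
      keyring  => $keyring,
      require  => File[$keyring],
    }
  }
}
```

After a run, check that each generated entry under /etc/apt/sources.list.d/ carries `[signed-by=/usr/share/keyrings/example-archive-keyring.gpg]` and that nothing for this repository was dropped into /etc/apt/trusted.gpg.d; a key in the latter location is trusted for every source, which is exactly what the move to /usr/share/keyrings avoids.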