On 2018-09-21, Raphaƫl Hertzog wrote: > Version 0.6.5 introduced a checksum check based on the data from > the "extrafiles" file at the root of the mirror. Now when that > file doesn't exist, simple-cdd fails with a stacktrace and is > unable to build any image. > > Arguably, the lack of this file is not a showstopper, it should > just generate a warning... and effectively there are many custom > Debian repositories without this file and you still want to be able > to run simple-cdd on them.
Before simple-cdd used extrafiles, it would blindly download
debian-installer files from the mirror with no verification, and
recursively get entire directory trees...
Using extrafiles enables a signed trust path to checksums of various
non-package files, and conveniently lists the files available to
download on the archive as an added bonus.
So it's non-trivial to add support for arbitrary files in arbitrary
directories in a secure manner...
> In my specific case, the Debian mirror is created with "debmirror"
> and this tool doesn't include that file. But I could also mention the
> case of many derivatives that just use reprepro.
Maybe these other tools could add support for extrafiles?
It's unfortunate that it may not work in all environments, though
simple-cdd has always targeted building images with files from
debian.org, and not arbitrary locations.
A patch to enable support without extrafiles would, of course, be
considered if it didn't risk degrading the trust path by default.
> Also it would be nice if simple-cdd documented somewhere its requirements for
> the mirror and repositories that it can use.
That's surely doable.
> FTR here's the stacktrace:
> 2018-09-18 14:36:26,005 DEBUG Building local Debian mirror for debian-cd...
> 2018-09-18 14:36:26,007 DEBUG downloading: .../tmp/mirror/extrafiles
> Traceback (most recent call last):
> File "/usr/bin/build-simple-cdd", line 658, in <module>
> scdd.build_mirror()
> File "/usr/bin/build-simple-cdd", line 270, in build_mirror
> self.run_tool("mirror", tool)
> File "/usr/bin/build-simple-cdd", line 367, in run_tool
> tool.run()
> File "/usr/lib/python3/dist-packages/simple_cdd/tools/mirror_wget.py", line
> 64, in
> run
> _download(download_extrafiles_file, extrafiles_file_inlinesig)
> File "/usr/lib/python3/dist-packages/simple_cdd/tools/mirror_wget.py", line
> 55, in
> _download
> request.urlretrieve(url, filename=output)
> File "/usr/lib/python3.5/urllib/request.py", line 188, in urlretrieve
> with contextlib.closing(urlopen(url, data)) as fp:
> File "/usr/lib/python3.5/urllib/request.py", line 163, in urlopen
> return opener.open(url, data, timeout)
> File "/usr/lib/python3.5/urllib/request.py", line 472, in open
> response = meth(req, response)
> File "/usr/lib/python3.5/urllib/request.py", line 582, in http_response
> 'http', request, response, code, msg, hdrs)
> File "/usr/lib/python3.5/urllib/request.py", line 510, in error
> return self._call_chain(*args)
> File "/usr/lib/python3.5/urllib/request.py", line 444, in _call_chain
> result = func(*args)
> File "/usr/lib/python3.5/urllib/request.py", line 590, in http_error_default
> raise HTTPError(req.full_url, code, msg, hdrs, fp)
> urllib.error.HTTPError: HTTP Error 404: Not Found
Yeah, simple-cdd should at least handle this rather than spitting out a
backtrace.
Thanks for the report, sorry I don't have better news for this issue!
live well,
vagrant
signature.asc
Description: PGP signature
