On Sun, Aug 11, 2024 at 11:36 AM Paul Spooren <m...@aparcar.org> wrote:
>
> Hi all,
>
> Some time has passed and there is further news for the APK migration:
>
> Timo and Ansuel worked out a way to allow index trust[1]. If a package index
> is signed by a trusted key, all contained packages are automatically
> trusted. It is still possible to distribute and sign single packages.
>
> With this in place, the last missing bit was to teach our Buildbot
> infrastructure to sign indexes with the Buildmaster key[2]. For context, the
> OpenWrt project does not store private signing keys on Buildworkers but only
> on the Buildmaster. Indexes are transferred to the Buildmaster and signed
> there, later uploaded to the download server.
>
> This, too, works now and can be tested for a limited number of targets/archs
> (if your favorite is missing, please ping me)[3].
>
> The firmware contains an APK public key (in /etc/apk/keys) for testing[4] and
> the download server is modified[5]. The key is not official and will be
> replaced once things go further upstream.
>
> If you run one of those images, please give APK a spin and see how it’s
> doing. A simple example would be to run the following:
>
>     apk add luci # install LuCI
>     apk audit # see what file changed since rootfs creation
>
> Looking at the failing packages[6], some maintainers have not yet switched to
> an APK conform version schema. I’ll try to ping those or create PRs myself.
>
> I’m optimistic’ish that things will work out just great. Please give it a
> test and let me know how it goes.

ca-bundle and ca-certificates can't coexist it seems.

>
> Best,
> Paul
>
> [1]: https://gitlab.alpinelinux.org/alpine/apk-tools/-/commit/54caa31be633efc5f655700b77af290124f71689
> [2]: https://github.com/openwrt/buildbot/commit/a94d4e15fdc1e9715d7d0cfdcc62227186d0fc45
> [3]: https://buildbot.aparcar.org/targets/
> [4]: https://github.com/aparcar/openwrt/commit/de9b171c5a98c9e23e3da8b787ddc5ba7dd0ac53
> [5]: https://github.com/aparcar/openwrt/commit/2c98eb52e365be6e59b470b4c0001cf29e8a6fb3
> [6]: https://buildbot.aparcar.org/faillogs/x86_64/
>
>
> > On 13. Jun 2024, at 13:29, Paul Spooren <m...@aparcar.org> wrote:
> >
> > Dear all,
> >
> > With great contributions from Timo, Ansuel, Jonas, Daniel, Petr, John, and
> > many others, APK is evolving smoothly, and the integration is progressing
> > well!
> >
> > We have established a staging buildbot environment[1] that compiles
> > firmware images and certain packages. To replicate this setup locally,
> > simply enable “Use APK instead of OPKG to build distribution” (`USE_APK`)
> > in the “Global build settings”.
> >
> > Once the firmware is compiled, it is uploaded to the staging downloads
> > page[2]. Currently, we have limited the targets created to a subset that we
> > have found useful for testing purposes. The firmware images boot up
> > successfully and allow for the installation of external feeds[3]!
> >
> > Be aware, there is still some work required on the package feeds to
> > accommodate the new version requirements. If you are maintaining something,
> > please take a look (e.g. [4]).
> >
> > We are facing an architectural challenge that needs to be addressed. In the
> > past, both OPKG and APKv2 would only sign the package indexes and
> > automatically trust the included packages. With APKv3 (the version we are
> > using), each individual package is signed. We are exploring ways to
> > securely integrate this into the existing setup, where build workers do not
> > have a private key but upload the package index to a dedicated server for
> > signing. We will keep you updated on our progress.
> >
> > I will provide more updates as we make further advancements. Please stay
> > tuned for more information.
> >
> > Sunshine,
> > Paul
> >
> > PS: since we do parallel experiments with the Buildbot itself some packages
> > are missing, please be aware that your mileage may vary when testing package
> > installation
> >
> > [1]: https://buildbot.staging.openwrt.org <https://buildbot.staging.openwrt.org/>
> > [2]: https://downloads.staging.openwrt.org/snapshots/targets/
> > [3]: apk add --allow-untrusted kmod-usb-serial-cp210x
> > [4]: https://github.com/openwrt/packages/issues/23706
> >
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
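A conceptual model of the index-trust flow described in the quoted mails, added here as an illustration; it is not code from the thread, from OpenWrt or from apk-tools. Assumptions: the index is a JSON map of package name to SHA-256 (not APK's real index format), a Lamport one-time hash signature stands in for the Buildmaster's real signing key so the block runs with the standard library only, and all function names are hypothetical.

```python
import hashlib, json, secrets

H = lambda b: hashlib.sha256(b).digest()

def bits(msg):
    """The 256 bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key pair: stand-in for the Buildmaster key (assumption).
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def sign(priv, msg):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [priv[i][b] for i, b in enumerate(bits(msg))]

def verify(pub, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def build_index(packages):
    """Buildworker side: holds no private key, only hashes what it built."""
    entries = {n: hashlib.sha256(blob).hexdigest() for n, blob in packages.items()}
    return json.dumps(entries, sort_keys=True).encode()

def install_ok(pub, index, index_sig, name, blob):
    """Device side: a package is trusted only through a validly signed index."""
    if not verify(pub, index, index_sig):
        return False  # index not signed by a trusted key: trust nothing in it
    expected = json.loads(index).get(name)  # None if the package is not listed
    return expected == hashlib.sha256(blob).hexdigest()

# Constructed sample data, not real package contents.
PACKAGES = {"luci": b"luci package bytes", "kmod-usb-serial-cp210x": b"kmod bytes"}
PRIV, PUB = keygen()            # private half never leaves the Buildmaster
INDEX = build_index(PACKAGES)   # produced on a Buildworker, sent to the master
INDEX_SIG = sign(PRIV, INDEX)   # signed on the Buildmaster, then uploaded

if __name__ == "__main__":
    print(install_ok(PUB, INDEX, INDEX_SIG, "luci", PACKAGES["luci"]))         # True
    print(install_ok(PUB, INDEX, INDEX_SIG, "luci", b"tampered"))              # False
    print(install_ok(PUB, INDEX + b" ", INDEX_SIG, "luci", PACKAGES["luci"]))  # False
```
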