cirocosta / estaleiro

building container images with bill of materials
Apache License 2.0

bom: repository that brought the package #2

Closed cirocosta closed 5 years ago

cirocosta commented 5 years ago

Hey,

In order to retrieve the repository that brought a particular package, we need to run `apt-cache policy $pkg_name` and parse the outputs of it.

```
apt-cache policy search vim
vim:
  Installed: 2:8.0.1453-1ubuntu1.1
  Candidate: 2:8.0.1453-1ubuntu1.1
  Version table:
 *** 2:8.0.1453-1ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:8.0.1453-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
N: Unable to locate package search
```

That, however, needs to run from within a container within the buildstep. To prepare the bom.yml then, we'd need to get access to the output of such execution, which seems to be only available through mounts 🤔

cirocosta commented 5 years ago

BOM collector

1. `apt` packages that have been installed
    - parses `/var/lib/dpkg/status`

2. `apt-cache policy $pkg` parser
    - to determine where package came from

in the end:
    - ability to retrieve a file from a given layer that has been built

=> implement a filter to the `local` exporter
   https://github.com/moby/buildkit/search?q=file+exporter&type=Issues

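
A parser for the `apt-cache policy` output quoted in the first comment, i.e. item 2 of the BOM collector plan above. This is an added example in Go and not code from estaleiro; the `Origin` and `PolicyInfo` types, the `ParseAptCachePolicy` function and the embedded `samplePolicy` (a constructed copy of the output shown earlier) are assumptions of this example.

```go
package main

import "errors"
import "strings"

// Origin is one repository line: "<priority> <url> <suite/component> <arch> Packages".
type Origin struct{ Priority, URL, Suite, Arch string }
type PolicyInfo struct { // what a bom.yml entry needs for one package
	Package, Installed string
	Origins            []Origin // repositories offering exactly the Installed version
}

// ParseAptCachePolicy parses `apt-cache policy <pkg>` output, keeping only the
// repositories listed under the "***" (installed) entry of the version table.
func ParseAptCachePolicy(out string) (PolicyInfo, error) {
	info, inInstalled := PolicyInfo{}, false
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		switch {
		case line == "" || strings.HasPrefix(line, "N:"): // blank line or apt note
		case strings.HasPrefix(line, "Installed:"):
			info.Installed = strings.TrimSpace(strings.TrimPrefix(line, "Installed:"))
		case strings.HasSuffix(line, ":") && info.Package == "":
			info.Package = strings.TrimSuffix(line, ":") // the "vim:" header line
		case strings.HasPrefix(line, "***"):
			inInstalled = true // version-table entry of the installed version
		case inInstalled && len(f) == 5 && strings.Contains(f[1], "://"):
			info.Origins = append(info.Origins, Origin{f[0], f[1], f[2], f[3]})
		case len(f) == 2 && !strings.HasPrefix(f[1], "/"): // not the dpkg/status pseudo-source
			inInstalled = false // a different version's entry starts here
		}
	}
	if info.Installed == "" || info.Installed == "(none)" {
		return info, errors.New("apt-cache policy: no installed version for " + info.Package)
	}
	return info, nil
}

// samplePolicy is a constructed copy of the output quoted earlier in this issue.
const samplePolicy = `vim:
  Installed: 2:8.0.1453-1ubuntu1.1
  Version table:
 *** 2:8.0.1453-1ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:8.0.1453-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
N: Unable to locate package search`
```

Both repositories serving the installed version are kept: a BOM entry that recorded only the first line would hide that the same build was also published through bionic-security, which is exactly the provenance question the collector is meant to answer.
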
cirocosta commented 5 years ago

https://github.com/moby/buildkit/issues/874

cirocosta commented 5 years ago

```sh
apt install --print-uris vim | grep 'http' | tr -d "'" | awk '{print $1}' > uris  # URLs apt would fetch, without installing
wget -i uris   # download the .deb files listed in uris
dpkg -i *.deb  # install the downloaded packages
```

cirocosta commented 5 years ago

```sh
dpkg-deb -I ./vim_8.0.1453-1ubuntu1.1_amd64.deb control  # print the package's control file
```

cirocosta commented 5 years ago

superseded by https://github.com/cirocosta/estaleiro/issues/9