Mirroring Debian in Reproducible Build flow
43 views
Skip to first unread message
Kacper Cyganik
Jul 5, 2025, 8:51:58 AMJul 5
to sonicproject
Hi, I couldn’t find a similar question, so I’m asking here.
I want to create a local Debian package mirror and update it periodically. Here’s how I understand the flow - could someone confirm if this is correct or suggest improvements?
1) (non reproducible build) I need to parse sonic-buildimage/files/build/versions/ to extract the exact Debian package versions used in the build (run make freeze before to lock versions actually used in the build.)
I want to create a local Debian package mirror and update it periodically. Here’s how I understand the flow - could someone confirm if this is correct or suggest improvements?
1) (non reproducible build) I need to parse sonic-buildimage/files/build/versions/ to extract the exact Debian package versions used in the build (run make freeze before to lock versions actually used in the build.)
2) I use aptly to create a filtered mirror that contains only the needed packages, instead of mirroring the entire Debian release (e.g., Buster). I then publish it as a snapshot.
3) Since different versions/components may use different package versions, I assume I need to merge all relevant snapshots into a single published repository, available under a common URL.
4) (reproducible build) In my reproducible build environment, I set:
3) Since different versions/components may use different package versions, I assume I need to merge all relevant snapshots into a single published repository, available under a common URL.
4) (reproducible build) In my reproducible build environment, I set:
MIRROR_URLS=<my-local-mirror-url>
so that APT uses only my locally mirrored packages during the build.
Q1: What’s the role of the following variables in this context?
DEBIAN_TIMESTAMP
DEBIAN_SECURITY_TIMESTAMP
MIRROR_SNAPSHOT
Q2: Do I still need to merge all my debian mirror snapshots into a single unified mirror/repo to support multiple builds?
Much appreciate your help.
so that APT uses only my locally mirrored packages during the build.
Q1: What’s the role of the following variables in this context?
DEBIAN_TIMESTAMP
DEBIAN_SECURITY_TIMESTAMP
MIRROR_SNAPSHOT
Q2: Do I still need to merge all my debian mirror snapshots into a single unified mirror/repo to support multiple builds?
Much appreciate your help.
Message has been deleted
Kacper Cyganik
Jul 5, 2025, 2:04:28 PMJul 5
to sonicproject
Now I see that aptly doesn’t support storing multiple versions of the same package in the same mirror or snapshot (and other similar tools don’t either), which can happen since different modules can use different package versions in the same build (?) so the logic for creating snapshots would have to be quite complicated... I’m really curious how to reliably store different versions of the same packages and update the repository in a safest way. I know this isn’t exactly a SONiC problem but more about Debian repository organization, yet I’m interested in how to do it in the simplest way possible. Manually?
Kacper Cyganik
Jul 5, 2025, 2:48:31 PMJul 5
to sonicproject
Also, is running
make freeze -r
enough for updating the package versions (running make freeze after the build, but before populating the mirror)?
make freeze -r
enough for updating the package versions (running make freeze after the build, but before populating the mirror)?
Reply all
Reply to author
Forward
0 new messages