Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 73B52781A58
	for <~alpine/devel@lists.alpinelinux.org>; Tue,  3 Dec 2019 16:07:23 +0000 (UTC)
Received: by mail-lf1-f52.google.com with SMTP id n25so3472116lfl.0
        for <~alpine/devel@lists.alpinelinux.org>; Tue, 03 Dec 2019 08:07:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:subject:message-id:mime-version
         :content-transfer-encoding;
        bh=+dq1PAD1VBmCsB3Dx2eGi1rqVcvh77k3kbOiKHNQJ2k=;
        b=laWWcvfSCXmCAPIfdyvQyVo9rJ5OXw/s7gYp7OubEcLhECXSGTQx0B8UfLn1iOsbG+
         fGP3GPxLq4caIGNRuOdTeO1V8dWdPR3PESD7bAGCbG4V/Gu45kaBBcriqZIxF+0VpsXw
         YdAx5hORM/t4OO55xIwt5cvpis+8yeH2U+aIjuEFw3TPbODqTf4pBv//IAQBppBP6v4A
         htAZAO5riGYvYmbhe7lC7Mz0tMPEOuHZ0znS0IZNbsA27lWLhme4I5+1jWVV5eJnWBke
         Ms6GTT48Pd0+O+hM9u+ETHRmqNYh2KEdrnHLCzOAW0aeIGTb3sp+xg0c2kLu3L+Tuj0l
         5ttA==
X-Gm-Message-State: APjAAAXweXn1nkMlfeoe6P/ab1ZyguVnSQ2owMk2GqceiCQZbKfnuTCb
	Vmr2VC7X1QPWHOQ8ZJKjHZQuaxJT
X-Google-Smtp-Source: APXvYqwcz0ImTzUbPSKUzM7BS2J64zgwXQhoo9gujCkU9rENliE+SVG6B/FgbttNX+4nW55TP9rH0g==
X-Received: by 2002:ac2:4a89:: with SMTP id l9mr3107665lfp.121.1575389242014;
        Tue, 03 Dec 2019 08:07:22 -0800 (PST)
Received: from vostro (87-100-234-203.bb.dnainternet.fi. [87.100.234.203])
        by smtp.gmail.com with ESMTPSA id e26sm1578795ljp.14.2019.12.03.08.07.20
        for <~alpine/devel@lists.alpinelinux.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 03 Dec 2019 08:07:21 -0800 (PST)
Date: Tue, 3 Dec 2019 18:07:17 +0200
From: Timo Teras <timo.teras@iki.fi>
To: ~alpine/devel@lists.alpinelinux.org
Subject: apk-tools plans
Message-ID: <20191203180717.0016af8a@vostro>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi Alpiners,

I am writing to let you know, and discuss here some items related to
apk-tools development.

For many years already, we have had discussion in the IRC on certain
apk-tools related design changes, and feature improvements. I have
already twice or so started working on some of it, yet there's been
always something else that came up. But I'm finally committing to doing
these. Hopefully, we already get some of the changes done by late
February / early March, and get next spring Alpine release to use them.

As background.. it has come obvious that the Alpine package base has
increased a lot. And low end embedded systems are starting to struggle
with the amount of packages in our DB. There's also a number of bugs
filed related to this. Majority of the apk-tools startup time goes to
just uncompressing and parsing the index files and installed db.

Another thing, I really want to improve is the security of 'apk audit'
and the system integrity checking. The concept is to create and store
signed file manifests in the DB that can be used to establish strong
trust in a system. (The current 'apk audit' was designed for 'lbu
commit'.)

Slightly related is also changing the file formats so that signature
checking can be done first without much parsing to make the attack
surface smaller. (The old design was motivated by restrictions from
the original shell script based Alpine package manager; the signatures
were not considered as first class citizen back then.)

In connection with the work, I'm hoping also to do additional minor
improvements such as implementing some multicore support, and
supporting better handling of duplicate files in simultaneously
installed packages.

Unfortunately the above changes cannot be fixed easily without changing
to binary file formats.

The primary target for me is to redo the binary apk package and index
formats for next Alpine release. We can discuss the exact details in
this or another thread later in the coming weeks. Main design being
security and speed. The idea is that index will be mmap:able; and the
structures from .apk can be directly copied to installed-db.

For later features there's ideas such as supporting TPM or hostkey
signed system DB (e.g. 'world', set of config options, trusted
package keys, etc.). So the whole system state would be signed and
validateable.

Due to packages and indexes being binary formats in future, the plan is
to build into apk the feature to create these files. So some of the
related functionality from 'abuild' would be moved to apk. This also
simplifies things if apk-tools is used in other distributions.

Please, feel free to comment or present additional questions regarding
the concept or roadmap. I'll publish more technical details of the
formats later. And try to publish my work-in-progress git tree of apk
sooner than later.

For those needing/wanting to parse the old style text databases, we
could add applets to dump current state in the old style format.

Cheers,
Timo