build system dependency management / lockfile support

[malt3]

I think I identified a missing feature that many users of dnf would benefit from:

Let's say I have a build system that uses my source code to bundle an rpm.
I also want to build further artifacts based on my rpm. This could include:

• Container images (built using docker build, podman, Buildah, ...)
• OS images (built using mkosi, CoreOS builder, or a raw dnf5 --installroot)

For supply chain security and general repeatability of build steps, I think the rpm/dnf ecosystem should support the following:

A dependency file format

If you are familiar with go, this would be the equivalent of a go.mod file.
You specify your direct dependencies here.
As an example, if I have a program written C that depends on libcurl and xz, the dependency file might look like this:

rpm.deps

[fedora-updates]
curl-devel
xz-devel

A dependency lock file format

If you are familiar with go, this would be the equivalent of a go.sum file.
DNF could take this as an optional input. And, if provided, any rpm installed has to be included in the lockfile.
The lockfile would include: a specifier for an rpm file including the name of the rpm, the version and architecture (nevra) and one or more hashes of the expected rpm file itself.

Here is an example for a lockfile format. The actual format could be completely different.

rpm.lock

https://github.com/microsoft/rpmoci/blob/5b3d17345e9b012d36c05b3c2de06426d6db9922/tests/fixtures/update_from_lockfile/rpmoci.lock#L1-L67

A vendoring command

This would read a dependency file and a lock file and download all rpms requested by the dependency file (with their dependencies) into a local folder.
This could be a part of the dnf5 download command.

Benefits to the ecosystem

Many projects are implementing their own version of this today and could standardize instead

Examples include Fedora CoreOS, bazeldnf, rpmoci, repro-get.
Standardizing also allows dependency management systems (like renovate) to notify developers that dependencies are outdated (and could also warn about known CVEs by parsing the lockfile).

Incremental build systems

Incremental build systems (including Bazel, mkosi, Dockerfile / Containerfile) could read a dependency lockfile to decide if an image (or layer) needs to be rebuilt. This can lead to better caching and incremental builds.

Correct cache invalidation

This proposal eliminates the well known issue of having unknown state in a container image layer:

FROM fedora:38
RUN dnf install openssl

If I do a docker build once, docker will give me an old (and probably vulnerable) version of openssl.

Let's instead say I could do this:

FROM fedora:38
COPY rpm.deps rpm.lock /
RUN dnf install --dep-file rpm.deps --lock-file rpm.lock  openssl

Now if I update my lockfile and rerun docker build I could get a newer version of openssl (instead of the old vulnerable one that is cached).

Reproducible / repeatable builds

This is a basic requirement for reproducible builds. If I build an OS or container image based on RPMs, I basically need to vendor / mirror / pin every RPM myself. Otherwise, when rebuilding the image, dnf could install other versions of rpms from a repository.

Next steps

I would encourage feedback from different stakeholders and would like to get feedback if this rough idea would be welcome by the maintainers of dnf.
If this is the case, I would be happy to create a more detailed proposal.

[ppisar]

This is an interesting idea.

The rpm.deps and rpm.lock feature can be, in a crude form, implemented as a third-party convertor from those formats to arguments for "dnf install" command. More advanced features, like comparing package hashes could be implemented as a DNF plugin and exposed as a DNF subcommand (e.g. "dnf install-rpm-deps rpm.deps"). This again can be a third-party plugin. Though I'm not sure whether DNF library exposes all necessary functions.

What I worry more about is versatility of the format. Once it is implemented by multiple distributions, people will naturally want to have it portable across distributions. And there is the problem because different distributors package software under different names. What Fedora calls curl-devel, Debian calls libcurl4-openssl-dev, and Gentoo net-misc/curl. Who's going to map the names? The formats you examples completely ignore it and instead pin to a specific package repository of a specific distribution release. Or even hard-code URLs of the packages. With a format specific to a distribution, I actually cannot see a benefit in implementing this new format if user needs to tailor it the the specific distribution. Then he can simply write "dnf install curl-devel = 1.2.3" without bothering any intermediate format.

[malt3]

What I worry more about is versatility of the format. Once it is implemented by multiple distributions, people will naturally want to have it portable across distributions. And there is the problem because different distributors package software under different names. What Fedora calls curl-devel, Debian calls libcurl4-openssl-dev, and Gentoo net-misc/curl. Who's going to map the names?

I don't think it's a good idea to even attempt to to have portable dependency naming. Users do not expect this today and it will always break in practice. Distributions carry custom patches, do custom versioning, enable or disable features. I think doing this per package manager is the right approach.
If you want to have the same format across package managers, you could have one file (or one section of a file) that is dedicated to a distro:

fedora~38.deps

[fedora-updates]
curl-devel
xz-devel

ubuntu~jammy.deps

[jammy-updates]
libcurl4-gnutls-dev
liblzma-dev

With a format specific to a distribution, I actually cannot see a benefit in implementing this new format if user needs to tailor it the the specific distribution. Then he can simply write "dnf install curl-devel = 1.2.3" without bothering any intermediate format.

Pinning RPMs to expected hashes is still very much an improvement for reproducible builds. While it is unlikely, there is no real guarantee that curl-devel = 1.2.3 actually results in the exact same rpm.

[ppisar]

Hashes and URLs to mirrors are useless in case of Fedora because Fedora repositories do not preserve historical packages. One would have to maintain its own repository, or link to Fedora build system which preserves history but is too slow.

I believe that a package hash is not stored anywhere now. DNF has to handle packages installed without DNF directly with rpm. As far as I know there is only a hash of an RPM header (SHA256HEADER) and a hash of a files content (PAYLOADDIGEST). Maybe one could use a signature of the package (SIGPGP) instead. But packages can be generally unsigned.

But you are right that "curl-devel = 1.2.3" is not unique. As well as full NEVRA is not unique. I remember @j-mracek was pondering how to give a user a mean of selecting an exact package for installation (at least from syntax point view) but I never heard any outcome.

[malt3]

Hashes and URLs to mirrors are useless in case of Fedora because Fedora repositories do not preserve historical packages. One would have to maintain its own repository, or link to Fedora build system which preserves history but is too slow.

This is where a custom mirror or the vendor command from above might come into play as it provides an option to download everything referenced in a lockfile for archival storage.
We first need to have a way to specify exact dependencies via a lock file. DNF would (for now) only need to check rpms against the lockfile before installing them.
How you provide the packages in the future is an additional thing that can be implemented using a caching proxy, createrepo_c, tools to mirror rpm repos, fedora repo snapshots, a downloaded set of rpms in a local folder or using other future tools.

[j-mracek]

I think many thing are achievable with current DNF. And some of the features might get added. What we cannot do - specify direct dependency for particular package. We can favor, disfavor, exclude or even lock package to modify decision of solver for dependencies in whole transaction, but we cannot modify a decision for particular package.

In some rare cases (but valid one) favor and disfavor switches off obsoletes.

[jriddy]

I wonder if something like this would fit better outside DNF. One of challenges I've face with DNF is its memory usage, as it will attempt to solve package needs regardless of how finely you specify what you want.

This can make it really difficult to run DNF on resource-restricted environments like tiny cloud VMs. Rather than making this something dnf can consume, could we make it something dnf can genrate and can be consumed by a much simpler tool?

Unless I'm totally off, a consumer of a lockfile just needs to compare what is installed locally to what is requested in the lockfile and download and install those packages from the specified locations. Is this what is meant with the "vendoring" command?

[ppisar]

Rather than making this something dnf can consume, could we make it something dnf can genrate and can be consumed by a much simpler tool?

"dnf --assumeno install ..." displays what packages would be installed, removed etc. The format is not ideal for parsing by machines, but I think a JSON output is considered in issue #867.

Maybe DNF could output the transaction in a form of an rpm command. rpm tool does not solve a dependency tree. It only verifies that dependencies are satisfied. And that is much faster and needs fewer memory.

Another approach would be doing a real "dnf install" and exporting the transaction with "dnf history store" on a beefy machine. Then consuming the "dnf history store" output with "dnf history replay ..." command on the target machine.

Unless I'm totally off, a consumer of a lockfile just needs to compare what is installed locally to what is requested in the lockfile and download and install those packages from the specified locations.

That would be true if the lockfile was exhaustive. I.e. listing desired packages including all their dependencies. And even then it would require resolving a dependency tree because a package installation is not purely additive operation. E.g. if a package to be installed conflicts with an already installed package, DNF will need to uninstall the installed package first. E.g. when replacing libcurl-minimal with libcurl.

[travier]

To cross reference existing implementations, rpm-ostree has support for a lockfile format: https://coreos.github.io/rpm-ostree/treefile/#experimental-options (lockfile-repos option)

Example in https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifest-lock.x86_64.json and https://github.com/coreos/fedora-coreos-config/blob/472c23d6a0656867f5bf12e8f169e33617990e59/manifests/fedora-coreos.yaml#L72

[ralphbean]

I worked briefly on a poc of a dnf plugin to support something like this before discovering this issue tracker:

• https://gist.github.com/ralphbean/a6c0b09efc64f108815c0a8db7d3a7bf
• https://github.com/ralphbean/dnf-plugin-lockfile

[Tojaj]

I like the format, few comments.

Would be great if the format can include also information about SRPMs (sources) so they can be in the listed together with the binaries - ideally if the format distinguish between sources and binary RPMs explicitly so sources can be downloaded if needed or ignored if not needed.

What I'm missing here is information about architectures, current world is more heterogeneous then before (x86_64 is still around, ARM is trending, RISC is potential big thing). What I would even like is if the file can store info for multiple arches so artifacts that target multiple architectures and build based on a single lockfile. Multiple files (one per arch) would be also acceptable, but then there are more likely to be consistency issues (what if one lockfile is regenerated/pushed to git with new versions while the other is not?).

Another missing piece are modules as just list of RPMs is not enough for modules. For example a record for modulemd, defaults and obsoletes would be needed so consumer of the lock file knows where to download these files.

Btw. what is [[local_packages]] section about is it a list of "requires" that must be available on the target system/image? (So the manifest itself is a complete dep chain for the particular foo package but without these assumed requires - in order to not have the dep chain to go too deep to things like glibc, kernel, etc..)?