Only copy repository metadata from specific subdirs from /var

/var usually contains state specific to the local system so it's more
prudent to specify an allowlist of what should be copied rather than a
denylist of what shouldn't be copied.

This doesn't matter so much when using mkosi's own package cache directory
since that is only used when syncing repository metadata and not when actually
installing stuff, but it does matter when PackageCacheDirectory=/var is used since
then we're copying from a state directory in /var that is also used when installing
packages and as such will contain a lot of stuff that we don't want.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 5eda5fec10b156eab2fa6be58bf4fff9a0398269..dcffe6346f6f61e6ccc9cacb09c044f9cd6e6301 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3869,30 +3869,22 @@ def copy_repository_metadata(config: Config, dst: Path) -> None:
     subdir = config.distribution.package_manager(config).subdir(config)
 
     with complete_step("Copying repository metadata"):
-        for d in ("cache", "lib"):
-            src = config.package_cache_dir_or_default() / d / subdir
-            if not src.exists():
-                logging.debug(f"{src} does not exist, not copying repository metadata from it")
-                continue
+        cachedir = config.package_cache_dir_or_default() / "cache" / subdir
+        if cachedir.exists():
+            with umask(~0o755):
+                (dst / "cache" / subdir).mkdir(parents=True, exist_ok=True)
 
             with tempfile.TemporaryDirectory() as tmp:
                 os.chmod(tmp, 0o755)
 
                 # cp doesn't support excluding directories but we can imitate it by bind mounting
                 # an empty directory over the directories we want to exclude.
-                exclude: list[PathString]
-                if d == "cache":
-                    exclude = flatten(
-                        ("--ro-bind", tmp, workdir(p))
-                        for p in config.distribution.package_manager(config).package_subdirs(src)
-                    )
-                else:
-                    exclude = flatten(
-                        ("--ro-bind", tmp, workdir(p))
-                        for p in config.distribution.package_manager(config).state_subdirs(src)
-                    )
+                exclude = flatten(
+                    ("--ro-bind", tmp, workdir(p))
+                    for p in config.distribution.package_manager(config).package_subdirs(cachedir)
+                )
 
-                subdst = dst / d / subdir
+                subdst = dst / "cache" / subdir
                 with umask(~0o755):
                     subdst.mkdir(parents=True, exist_ok=True)
 
@@ -3902,7 +3894,21 @@ def copy_repository_metadata(config: Config, dst: Path) -> None:
                 ) -> AbstractContextManager[list[PathString]]:
                     return config.sandbox(options=[*options, *exclude])
 
-                copy_tree(src, subdst, sandbox=sandbox)
+                copy_tree(cachedir, subdst, sandbox=sandbox)
+        else:
+            logging.debug(f"{cachedir} does not exist, not copying repository metadata from it")
+
+        statedir = config.package_cache_dir_or_default() / "lib" / subdir
+        for src in config.distribution.package_manager(config).state_subdirs(statedir):
+            if not src.exists():
+                logging.debug(f"{src} does not exist, not copying repository metadata from it")
+                continue
+
+            subdst = dst / "lib" / subdir / src.relative_to(statedir)
+            with umask(~0o755):
+                subdst.mkdir(parents=True, exist_ok=True)
+
+            copy_tree(src, subdst, sandbox=config.sandbox)
 
 
 @contextlib.contextmanager

diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 4750f714516c4966144d4cf333e930948e6f0b88..12174b71d6f2adacbdd695933dc20d6492bf1564 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -57,6 +57,10 @@ class Apt(PackageManager):
     def package_subdirs(cls, cache: Path) -> list[Path]:
         return [cache / "archives"]
 
+    @classmethod
+    def state_subdirs(cls, state: Path) -> list[Path]:
+        return [state / "lists"]
+
     @classmethod
     def dpkg_cmd(cls, command: str) -> list[PathString]:
         return [

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index cc86de294b4930bc55754a47b19ade304cfd0cfa..55b34f0f9d1f8428f88b65ead6624862524c8cb2 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -40,7 +40,7 @@ class Pacman(PackageManager):
 
     @classmethod
     def state_subdirs(cls, state: Path) -> list[Path]:
-        return [state / "local"]
+        return [state / "sync"]
 
     @classmethod
     def scripts(cls, context: Context) -> dict[str, list[PathString]]: