So welcome to our next talk. David Kalnischkies will talk to us about why this apt has Super Cow Powers. So we are very curious; give him a warm applause.

Thanks. I'm actually surprised so many people are here. And not alone here. I've actually brought Super Cow with me, phoning, so... Exactly.

So the talk is called "apt has superpowers". So, why we actually see this line on the apt-get help man page, which is one of these tags apt has.

But let's start with me, which is, yeah, me. The most interesting part for Debian people is actually that I'm a deity, but well, that's the mailing list of the Debian apt team. So not the real gods, just the package manager gods. And yeah, I do a bit of other stuff, like I'm a student and do a lot of stuff in my hometown, and, well, a thing most people are quite annoyed by is that I'm actually really annoyed by official titles and official responsibilities. So I shy away from those, and so I'm not a DD, not a DM.

Well, nobody wants to comment on that, that's great.

So I had to invert the colors, so that's a bit messed up, but the point is here: I actually wanted to find out something about apt, and the first thing I get suggested by Google is "apt-get is broken". That's great. DuckDuckGo says the same thing: "apt-get is broken". Well, that's not a lot of information about that. But yeah, it's the proper thing you do as a student, right? You're searching search engines for the answer. So I tried to actually do the same with my name, just to figure out if it's a common problem with the broken thing, and, well, I put it in; surprisingly, no "broken" came out. But well, I was called the German jihadist, that's... But well, that's an ad, so not their fault, but well, that was interesting. I dropped this approach then. That doesn't work.

So I went to look up what people say about apt, and that's actually a pretty nice description of what apt is: 100% bug free. That's right, right?
And yeah, no human intervention at everything, and, yeah, sounds right, right? But it's still not really telling what apt does or does not do, so we're looking again at the man page, and it says apt has Super Cow Powers. So I said that's one of the Easter eggs, where there are actually more. But yeah, how many people in this room think that you actually know all Easter eggs in apt? That's a trick question. Nobody actually wants to show this number.

So that's the obvious one, right? Everybody knows that, but most people actually think that's all apt can do, but there's actually more cows, and even more cows, and even more cows, and then there's even this, which is actually better if you are looking at the right color. Yeah, well, if I find it. So, well, it's blinking, right? That actually works in your command line on stable. I put it on stable and you don't even know about that, boys. So let's get back to the right color.

So that still hasn't told us what apt is. So let's look at the really, really old days, the days before apt. That's 1997, really the dark ages. So that's the official design documents in version zero zero one. So yeah, you can say apt has a pretty standard approach to very low numbers. But well, so the official design documents: that, well, deity should be a replacement for dselect. It's still in the archive. We are a replacement. It should be easier to use, and that's confusing, I think, and a bunch of other things.

The interesting part here is actually that it's still called deity at this point. It was renamed, and it was renamed on the first of April, which is why we are always announcing great stuff on the first of April, so that nobody actually expects them to be real. But that's one of the great announcements. It was apt. apt.

So, as I started with the history: there's a lot of history, but I will skip all the boring parts of beta releases and all that stuff.
So I skip right ahead to the stable release, which was 16 years later, last year, and that was the announcement, or the start of the announcement. If you compare this, it's pretty much the same text, right? The only difference is that we announced our new version number. That was kind of great, because, yeah, we went stable, stable apt, after 16 years.

So the other interesting thing we announced actually in this mail, and, yeah, quite a few people missed it, is that we have an apt binary now. So you don't actually need to type apt-get any more, as you saw on the moving. I always used apt for it. And at this point I actually want to thank the Java maintainers for freeing the name, because it was blocked for quite a while for the annotation processing tool. Yeah, you can say just a few things about, yeah, short names and name conflicts. Now we have this name and now everything is good.

So, as we are moving through history: that's even worse to read, but these are actually correctly colored. So that's what we have had before DebCamp, which is our bug count, which, if you are going by the saying that if you are actually doing great stuff you get criticized, we are actually really great: 1000 open bug reports. We worked on this for, yeah, DebCamp and DebConf and got it a bit lower. If you want to compare this now, it's actually like three, no, more than 300 bugs down, which is, in a graph... Yeah, no.

We closed very old bugs. I'm very happy. I actually closed the five number bug report 22550, actually with the comment that it was fixed in an earlier version. So I didn't close them all as, yeah, "isn't reproducible", "no longer applies" or stuff like that. So Julian and I really worked hard on this, and it's not all just closed. We actually fixed quite a few also.
That's the yellow spot. Actually, that was 15, 50 bug reports which were pending with this, or more, actually 60 at the end. So, yeah, as I said, I didn't do this alone. Julian Klode is, yeah, also responsible for this, and that's a really great thing.

Which brings me to the comparison, and it's actually nice that Axel said this, because I'm declaring aptitude the enemy, as we are now actually a few bugs below aptitude. Yes. So, yeah, as you see, that's the current screenshots, but didn't even five bugs, five bugs.

So just for comparison I've actually looked up a few other things. So there's WNPP, that's, well, yeah, a lot of bugs, but that's new packages. But the others are kind of very interesting, like Linux with very high numbers, and which actually gets new bug reports pretty quickly, and these plus numbers are really just the bug reports which are still open in the years. So there are actually more reported but handled, and these are numbers of unhandled bug reports, or, well, unhandled is a bit too much; you can actually confirm one just like that. So it was just new bug reports which aren't closed. So aptitude and apt are probably the packages, or the Debian native packages, with the most open bugs. It's quite worse; dpkg is a bit better than we are, and they are handling bugs better.

So that's the point at which I want to invite everyone who wants to help to judge all these bugs, because that's way too many. Debian native packages shouldn't have so many open bug reports. That's, yeah, but well.

So we are actually back to the wonderful quote from before, because I want to talk now about a few of the features we implemented in a new release we are currently calling 1.1 experimental 9, and which sits there for a while. The new release happened just today at 11 o'clock, so maybe it's already on the archive. You can download it.
It has a few changes, just a few. I counted, yeah, well, the counted line numbers in the changelog are around 250 lines, so just a few changes, but they are all fine and they are all great, because the most interesting thing is, or for me at least is, the new acquire system. So the download of files. And that's actually the quote about the new acquire system, yeah, well, at least what I hope it is for the acquire system: so it's 100% bug free. At least it hopes so.

So there are actually a few details about the acquire system, which, yeah, I'm going to read and explain a bit. So, yeah, sure. Well.

So we have an apt user now, or _apt user now, which actually means that, for example, the HTTP download happens not as root any longer, but as this unprivileged user, so that we are more protected against exploits actually coming from the net to us, which I think never happened before, but it's better to be protected.

And another very important thing for us is that we are now checking more hash sums, which means that the file is downloaded, we check a hash sum, we uncompress it, we check a hash sum, and after that it's used, and not as before, when we were downloading and uncompressing and after, or for some files doing this and for some not, and it was quite confusing. So that was actually the point why we rewrote the download of all these files.

There's no guessing. No going back in time is another thing, like replay attacks. Always nifty little technical terms. Michael warned me about that, but I'm actually now trying to show you this, because, well, that's a lot of text, but if it works, or if all this stuff works, you will never see it. So I have to show you this now.

So I'm actually using now a state from last Sunday and calling update on this. For this run I will actually use PDiffs, because that's another thing
I want to show you, as many people still think that PDiffs, or rred as it's called in apt, is actually very, very slow. But yeah, I have, I think, now downloaded for a lot of... In my sources.list there are four architectures and four releases, so that's a lot of files, and for each of them I have applied roughly eight patches, and it's still... Yeah, what's the total? 23.

Let's try this again, this time without PDiffs. So that actually takes longer. Hopefully, at least, as that's a presentation. And it took longer, way.

So what to take away from this is, and this is actually working on your stable machines already: there is no point in saying that PDiffs are slow and need to be disabled, stuff like that. They actually work. They are fast.

So other things I actually want to show you: for example, this year you were told today in the briefing that you should switch to this mirror to save bandwidth. And that's a great idea, but I was a naughty boy and didn't change my sources.list for it. I still have the HTTP debian.org sources.list, but apt actually shows you now which mirror was used, which is very important actually for user support, stuff like that, to actually report errors against the right mirror, as, yeah, well, an error happened on HTTP debian.net, which mirror? One of the hundreds, right? So that's one of the nicer things which actually works now.

The really important thing is all these warnings you see at the bottom. I have two archives in it, one without a Release file and one with a Release file, but not signed. Both of them in the old versions were, well, there were warnings, but not really encouraging, and these are now, and will get even harder later on, so that you are really encouraged to not do this anymore, because we have Release file signing now for many, many years and it's still not used everywhere, and that's really a key part of our security chain.
So we really want to press, basically, people to use signed repositories, finally.

Yeah, okay. My phone. Yes.

So in general I agree with you, that's great. But when bootstrapping locally, it's actually quite tiresome getting all the parts to have all their keys in the right places, and the chroots, and the thing and the thing I know thing. So still being able to do old-fashioned "I really don't care, I just made this package, I want to put it there and I want to use it again"...

I know, that's why I'm... Yeah, well, that's why there are options to actually allow this still. You are currently, you are actually getting the unauthenticated packages warning at installation of packages. You can actually mark in your sources.list that this repository is trusted, and apt will accept that this is a trusted repository, checked by you, a local mirror maybe on your network or something like that. So that apt says: okay, the user said it's okay, so I'm not second-guessing him anymore. That should work on stable also. So try this.

So that's really about, yeah, external repositories and stuff like that, which are shipping without keys, or just really old stuff which should really not be used anymore because it's really unsecure. And we have all these great security features, but, well, if you have unsigned repositories, everything is broken from a security point. So we really want to get away from these unsigned repositories in the future and really press forward at this point.

Let me look again. There isn't... yeah, I should actually mention this. That's the second-class point on the list: arbitrary additional files download. So that's a
So that's a Very techie name for something quite simple There are many front ends based on apt which actually want more files to use them and have to get them somehow from the net but at the moment they Have to implement this all by themselves Okay, and I have to implement this all by themselves and That's hard up file up file for example doesn't even check the hash sums So it's just downloading the contents files unchecked because well, it's too hard and nobody will mess with them, right? So That's that's actually the answer in a bug report. So So now it's actually possible to tell apt yeah I want you to download These and that file which is on Do this securely? Well, there is no other default. You can just download them securely and Uptville download these files and place them at a right point and The front end can use them without actually caring about the security and stuff because that's handled by app There's just one point now for this So Let me look Missed. Oh Okay There's another thing Julian worked on this at that conf That is pinning is actually working now at his as it is at word test Which was kind of surprising that it didn't work I could fill a whole session about how pinning actually works But You just have to trust me on this point now Okay, everyone accepts trusting me. 
That's nice. No comments on that. The key point is that you couldn't pin two different package versions differently, so that works now, and that's great. And as it's written on the page, you can actually get it from experimental now, hopefully anytime soon if it hasn't hit your mirror yet.

So the other important or interesting thing about the new experimental version which we want is that currently you have a wonderful one-line description of your sources in the sources.list, and that's this line, very long, and above there is our new format, or an additional format we want to support, because there are actually many, many options you can set on repositories now to, yeah, change certain parts. Like there is snapshot.debian.org, to get old packages, and usually, because of all the security features in apt, you are actually getting warnings, a lot of warnings, if you are using old sources. So it was actually requested that you can disable this Valid-Until security feature based on the source line alone, as you currently need to disable it completely, which is, well, disabling it completely is breaking it.

So the other thing, which I had to mention a few times now on debian-devel, is that you can actually tell apt now that a repository can only be signed by a certain key or by a certain keyring. At this point this example is maybe not the greatest idea: my GnuPG public keyring.
I trust all of you guys, but, or maybe not that much. But yeah, it's just an example, and I chose this example because I wanted to show that this file doesn't even need to be placed in the trusted.gpg.d directory from apt, so it doesn't need to be signing other repositories or stuff like that.

And this contents here both is, as I said, additional downloads of other files, so it can actually be configured as well for different sources.

And yeah, I forgot to mention, actually, for the acquire download, it's written on the slide, but "no guessing" means here really that currently, for the translation files which I mentioned here, we had to support for a long time very different instances of this, and so we had to guess if these exist on the repository or not. And in these files are descriptions, or the translated descriptions, so they're actually important for the user, that we download them if they are available. But we didn't know if they are available. Now they are, or they should be, in the Release file, indexed and with hash sums, so you can actually do this now and not guess anymore about if they exist or not, and display an ignore line and not.

So, well, it's actually shown here. At the top, as I said, I have this unsecure thing where we have to guess all the time, and these requests... That's a local repository, so that didn't even hurt me that much, but if it's on a server, I'm requesting from the net, basically guessing if these files exist. So that's actually fixed now, as you can see here. I'm testing. I actually got the end file.

And there's another thing. What happens now is that, as you see, I'm just trying the InRelease files, and it figures out that these files haven't changed at all, so it doesn't even try the other files anymore. Which was also quite a hit on servers if these files do not change a lot, like on stable, where the repositories are only updated on point releases.
So it's not changed that much.

And, well, there are a few other very nifty things, some of which Michael talked about last year already, but I will mention them here anyway. Which is: you can actually install .deb packages now with apt-get install and the .deb package. Of course, you have to ensure that this was a secure download, right? But currently you had to download them somehow, type in dpkg -i the .deb file, and then run apt-get install -f, which by the way stands for fix-broken, not for force. Many people confuse this. So that's actually a nicer interaction now.

And yeah, the same for build-dep, which is kind of interesting. So you can get a source package downloaded and get the build dependencies installed, not from the sources file or from an uploaded source file, but you can just say: here in the directory, where's the debian/control file, parse it for me, install these build dependencies. Some people are actually happy about it, right?

So, and other interesting things, but, well, I can talk a bit more about these, but I actually want to open this up now for questions, if you have any, or comments or whatever. Otherwise, I will continue talking.

Hi. Is it on? Yes. Hi, you said you rewrote the acquire system so we can download extra files now.

Yeah.

Is there documentation for it for developers as well?

What? Yeah, there is documentation. Actually, there's a quite long documentation for it.
I just have to find it. So, acquire additional files, what a surprising name, and, well, that's a file documenting everything, and, well, I'm not reading it out now, but we will manage, we can talk. So that was actually the apt-file maintainer.

Just one more thing, since you mentioned these translation files: there is a long-standing issue with the archives not having a Release file. The organization code expected the, look at, translation files to be named like language code dot bz2, without this Translation prefix. Are you aware of this issue?

I don't really know. I... okay. What do you mean?

I will show you the exact printf Constart later.

Okay. Yeah, well, okay, but I'm pretty sure this works. So it works for me, for you, you know. Yeah.

You showed us these examples with the local .deb files, but they were called with apt-get. Don't those subcommands exist in apt?

No, it works in apt too. So, okay. Yeah, I was just... Yeah, I'm the developer of the stuff and I actually have to type apt quite often. So I'm still muscle memory apt-get and still can't remember to type apt. Sorry.

So I don't need a dpkg -i anymore?

No, you don't need it anymore. You can just tell apt to do the right thing. Well, I can actually... Well, that's really secure now, downloading stuff as root, bad. Well, so apt-get download awesome. I've actually downloaded it now. Yeah, so, install. Yeah, well, I don't have auto-completion for it.
So, muscle memory, as I said. So it's asking me, and it has extracted the build dependencies and all that stuff, so I can just... So if I press yes now, but I don't, I have installed awesome. Which is the perfect example for this: awesome.

My next question is basically to Michael. So will gdebi vanish now?

Yeah, the answer... Okay, I don't know. Probably we need to write bindings first. Like, this is not, I believe at least this is not exposed yet in python-apt. But we will check, it's a good point. python-apt should support it eventually.

Hello. When I'm building a custom kernel the Debian way, what's the difference when I install it with dpkg or with apt?

Well, the only difference is that, as I said here, for example, it's actually resolving the dependencies now. You don't have to call install -f anymore after you installed something with dpkg, which could actually fail or suggest to you that it removes the package you had just installed.

No, if I'm building a custom kernel, I have .deb files directly after the building. You know, I'm building after the kernel handbook from Debian.

And so you have .deb files. Yeah, yeah, sure. I mean, I have only a .deb file here. This awesome file is just a .deb file. I've just downloaded it from the archive, but I could have built it myself. Yeah, watch, why... Well, I can... So dpkg install awesome, and it's installing, and, yeah, well, quite a few things are broken, as dpkg tells me. So it's not actually installed, so I have to call apt-get install -f after this, and maybe it suggests the right thing. Yeah, apt discover it suggests the right thing. It could actually say "let me de-install awesome, because I can't resolve the dependencies" now. And by telling apt that you actually want to install this .deb now, it can help you with this. Yeah, well, but if you don't want to use it, you can of course still use dpkg. I mean, that's what apt uses at the lower level.
It's just a higher level to help you.

My question is: if I have a downloaded package with dependencies, and I have some of these dependencies also downloaded, will apt look into the download directory whether it finds the dependencies there?

No, it will not look in your directory, because, well, it can't know about it. You can specify multiple .debs on the command line. So if you want to resolve your dependencies manually, you can do that.

Is there also an interface so I can give it a dependency string and it will satisfy that?

Currently not. There's an open bug report for it.

I guess, please do that as well.

Yeah, sure.

Otherwise great.

Yeah. It's just, yeah, what did I say, 700 open bugs? So we are actually accepting patches. We are not working on this alone. Community. So, yeah, sure, but there are a lot of wishes and we want to satisfy all of them, but, yeah, there's a finite amount of time. But yeah, satisfying dependency lines is a good idea and should be implemented.

So, anyone else? Then I'm showing a list of contributors while you are thinking about asking another question or not. Because, as I said, we are not working alone on this. Quite a few people contributed to this over the last 17 years. Some of them are hidden in this conversion name, especially all the authors like Jason Gunthorpe. But as you see, there are quite a few people mentioned on that list, and it goes on for a while. So, as I said, it's a community working on this. We are not working on this alone.

And yeah, if nobody wants to actually ask another question, I can tell you shortly my story of how I got into apt. It was in 2009. I was relatively new to Debian and all of this, and my laptop had a very new card for Wi-Fi and stable didn't support it. So I tried unstable, and this worked, so I stuck with it. But, well, there was a very, very small thingy about apt which annoyed me as an unstable user.
So I thought... Well, I was new to this whole open source thing, so I thought, well, I can try, right? I can write a patch, what could possibly go wrong? And, well, I found the bug report about this and I posted it in the bug tracker, and I thought, well, I was a student, a fresh student, and these are, yeah, well, deities, the mailing list, right? So that's probably not going to be accepted, right?

And, well, it was accepted, and Michael Vogt, the first one in this list and still working on apt for quite a while now, he mailed me and said, well, yeah, that's a nice patch, and, well, we should talk. And, well, yeah, we talked, and, well, he pulled me into this, basically, and then I, yeah, was a bit hooked. So I gave him the small finger, as you know, and, well, in 2010 I was a Google Summer of Code student in apt and implemented smoky multi-architecture in apt. That was the project name. And the point is, at that point I was completely involved. So yeah, as I said, I gave him the small finger and he took the whole arm and the rest of me with it.

Yeah, now I'm completely in it and can't leave anymore, and I don't want to, but I want to encourage more people to actually work on this. It's not as hard as it sounds, and you can become a deity.

Yeah, another question?

Not really a question. Debian has a severe sort of shortage of people working on core infrastructure, and I wanted to thank you that you are one of the few people doing this, actually. Thank you very much.