Whonix build script now optionally supports installing packages from Whonix remote repository rather than building packages locally

By adding

--remote-derivative-packages true

Whonix images will be build with packages from Whonix developers repository. No packages will be build locally.

This option is optional.
This option is opt-in.

This option is useful for me during development, during creation of developers-only test images. It saves a ton of time having to rebuild all packages again and rebuilding these packages over and over again for each build.

This option might be useful for other developers who work on aspects of the build which is not related to any contents of any packages.

Builds which will be redistributed to users (those announced in Whonix News Forums) will still be build from locally build packages to ensure consistency.

Using --remote-derivative-packages true Kicksecure XFCE images were build in around a half hour.

Wohoo! Awesome feature. I’m using this bad boy th next time. Now I’ll be more motivated to make a new release sooner than once every quarter.

That could lead to inconsistent results.

If package build time is discouraging, I could perhaps rather figure out how to only rebuild packages that require rebuild and not always rebuild all packages all the time. But sometimes all packages have some minor changes (packaging compat level bumps and whatnot) and require rebuild so I wouldn’t know if this would save a lot time in practice.

That state of Whonix developers (or any) repository is currently still a bit opaque. All files are there in the open, welcome to review. But there are no tools to simplify this process. There is no way to know at which version Whonix/Whonix git tag version the Whonix developers repository is. Therefore the build version number wouldn’t tell much.

For example at the moment by building Whonix/Whonix git tag 15.0.0.4.9-stable with --remote-derivative-packages true it would actually use Whonix/Whonix build script version 15.0.0.4.9-stable with packages from Whonix developers repository which are at 15.0.0.5.6-developers-only.

Latest git tag doesn’t necessarily match the state of Whonix developers repository.

Sometimes changes in the developers repository are badly breaking. As in, no easy upgrade path. (Let’s say for example permission bugs.) These bugs aren’t fixed (sometimes difficult or impossible) since they never get introduced for any non-developer and simply replaced by functional packages.

Qubes-Whonix is build from Whonix proposed-updates repository but this requires orchestration to know when the repository matches the expected git tag version.

How easy would it be to switch the build process to use apt repo snapshots for builds like outlined on this Tails page?

https://tails.boum.org/contribute/APT_repository/time-based_snapshots/

@Patrick

Looks complex, daunting.

A simpler implementation maybe: Instead of suite buster-developers there could be an additional suite 15.0.0.5.8.

In other words, instead of using
https://deb.whonix.org/dists/buster-developers/
a could use for example
https://deb.whonix.org/dists/15.0.0.5.8

Patches welcome or perhaps some day.

Implementation:

• In https://github.com/Whonix/Whonix/blob/master/build-steps.d/1200_create-debian-packages look for
  WHONIX_BUILD_APT_CODENAME

• But also a reprepro distribution file similar to https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions (with only 1 entry) would have to be auto generated.

• https://github.com/Whonix/whonix-developer-meta-files/blob/master/debug-steps/reprepro-wrapper

• https://github.com/Whonix/Whonix/blob/master/help-steps/variables function set_WHONIX_BUILD_REPREPRO_FOLDER_OPTIONS