
Show HN: Deterministically install Linux packages with apt-lock - TrevorSundberg
https://github.com/TrevorSundberg/apt-lock
======
stephenr
> limitations > Written in Node.js and packaged into an executable with nexe,
> so it's huge. Sorry it's not written in C.

> future work > Rewrite in C or C++ to make it considerably smaller

If all it does is install via apt, record the version, and then refer to the
lock file the next time it's called, why on earth would you use C?

I'd be surprised if you need more than ~50 lines of shell to do that,
including help output, error handling, etc.

~~~
TrevorSundberg
Great point! Honestly I only started using Linux back in October and my shell
experience is still pretty limited, but growing.

~~~
stephenr
For deb based distros at least all the tool needs to do is `apt-get install
foo=x.y.z; apt-mark hold foo`

------
unmole
Perhaps because I'm unfamiliar with npm, I don't really understand what it's
for. What exactly is "package install determinism"?

~~~
TrevorSundberg
In short it just means it installs the exact same packages every time. If you
write `apt install something` without an explicit version you may get a newer
version depending on how recently you've updated your package manager.

Our build server got burned by this because we wrote the line `apt update`
within a Docker image. We did this at the time to get the most recent version
of a package. Ideally we should have locked the version there, but we weren't
really thinking of it until half a year later all our builds started failing.
The package inadvertently updated and had breaking changes in it. With
apt-lock you don't need to manually specify, you can just install once and then
every reinstall will be the same (such as in a Docker image, or a new member
joins your team and you're setting up their machine).
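
The pin-and-hold approach stephenr describes above, and the "install once, reinstall the same versions later" flow TrevorSundberg describes, as an added POSIX sh example; this is not apt-lock's own code and not from the thread. The lock-file format (one `name=version` per line, `#` comments allowed) and the function names are assumptions of this example. `dpkg-query`, `apt-get install pkg=version` and `apt-mark hold` are the real Debian tools; `xargs -r` is the GNU extension available on Debian-based systems.

```shell
#!/bin/sh
# Added example, not apt-lock's own code.  Minimal apt "lock file" workflow:
#   1. apt_lock_add pkg...   install the newest versions, record them, hold them
#   2. commit apt.lock
#   3. apt_lock_install      on another machine / Docker build: install exactly
#                            the recorded versions and hold them
# Lock-file format (assumed, not apt-lock's): "name=version" per line, '#' comments.

LOCKFILE="${APT_LOCKFILE:-apt.lock}"

# --- pure text helpers: no apt needed, so the logic can be checked offline ---

# Strip comments, trailing whitespace and blank lines from a lock file.
lock_clean() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# "name=version" tokens on one line: the form `apt-get install` expects.
lock_install_args() {
    lock_clean "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Package names only, one per line: the form `apt-mark hold` expects.
lock_package_names() {
    lock_clean "$1" | sed 's/=.*$//'
}

# A valid lock line is a Debian package name, '=', and a non-empty version.
lock_line_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9.+-]*=[^[:space:]]+$'
}

# --- apt-facing functions ---

# Record the installed version of each package.  dpkg's database is the source
# of truth for what actually got installed, so query it rather than guessing.
apt_lock_record() {
    for pkg in "$@"; do
        line=$(dpkg-query -W -f='${Package}=${Version}\n' "$pkg") || return 1
        lock_line_ok "$line" || { echo "unexpected dpkg output: $line" >&2; return 1; }
        printf '%s\n' "$line" >> "$LOCKFILE"
    done
}

# Reinstall exactly the recorded versions, then hold them so a later
# `apt-get upgrade` (or an unpinned `apt-get install`) cannot move them.
apt_lock_install() {
    # word splitting of the token list is intended here
    apt-get install -y $(lock_install_args "$LOCKFILE") || return 1
    lock_package_names "$LOCKFILE" | xargs -r apt-mark hold
}

# First-time install: take whatever is newest, then record and hold it.
apt_lock_add() {
    apt-get install -y "$@" || return 1
    apt_lock_record "$@" || return 1
    printf '%s\n' "$@" | xargs -r apt-mark hold
}
```

Source the file, run `apt_lock_add curl` once, commit `apt.lock`, and run `apt_lock_install` in the Dockerfile or on a new machine. Holding the packages is what makes the pin stick: without `apt-mark hold`, a later `apt-get upgrade` would silently replace the pinned version, which is exactly the failure the build server hit.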

