Handling of aports which invoke external package managers
Alpine packages for programming languages like Rust/Go/Haskell currently rely on invoking the package manager of that programming language from within the APKBUILD. As such, the dependencies of such packages are not properly tracked by apk. This leads to a variety of issues, most importantly:
- We cannot reason about the dependencies using apk.
- Patching dependencies of such packages is almost impossible.
This has security implications. As a recent case in point, finding and patching packages which are vulnerable to the recent Terrapin SSH attack is very cumbersome. With the ever-increasing number of Go and Rust packages, this problem will become even more relevant in the future. Therefore, I believe we should attempt to improve our packaging guidelines for such software.
The following may be potential solutions:
- Package the source code of Rust/Go dependencies (the Debian approach) [1] [2].
- Track additional metadata within the generated APK which at least allows us to identify vendored dependencies and their pinned version.
Note though that the second solution is only partial as it does not resolve the patching problem.
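To illustrate what the second option could look like, here is an added example (not Alpine's own tooling): a shell snippet that derives a "name version" list of vendored dependencies from the Cargo.lock and go.sum files a build leaves behind, which an APKBUILD could then install as package metadata. The sample lockfiles and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Alpine's own tooling): derive a "module version" list of
# vendored dependencies from the lockfiles that Go and Rust builds leave in the
# source tree. An APKBUILD could install that list as package metadata so the
# pinned versions are visible after the build, without changing how the
# language package manager itself is invoked.

# Constructed sample lockfiles standing in for a real source tree.
SAMPLE_CARGO_LOCK='# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "1.0.0"
dependencies = [
 "libc",
]
'

SAMPLE_GO_SUM='golang.org/x/crypto v0.17.0 h1:constructedhash=
golang.org/x/crypto v0.17.0/go.mod h1:constructedhash=
golang.org/x/sys v0.15.0 h1:constructedhash=
'

# Cargo.lock on stdin -> "crate version" for every stanza that has a source
# (registry or git); stanzas without one are workspace members, not vendored.
cargo_lock_deps() {
    awk '
        /^\[\[package\]\]/ { n = ""; v = "" }
        /^name = /         { gsub(/"/, "", $3); n = $3 }
        /^version = /      { gsub(/"/, "", $3); v = $3 }
        /^source = /       { if (n != "" && v != "") print n, v }
    '
}

# go.sum on stdin -> "module version", dropping the /go.mod checksum lines
# and duplicates. Caveat: go.sum may also list versions that were only
# consulted during resolution; vendor/modules.txt is the stricter source.
go_sum_deps() {
    awk '$2 !~ /\/go\.mod$/ { print $1, $2 }' | sort -u
}

# Version pinned for one module in a list produced above ($1 = module name).
pinned_version() {
    awk -v m="$1" '$1 == m { print $2 }'
}

printf '%s' "$SAMPLE_CARGO_LOCK" | cargo_lock_deps
printf '%s' "$SAMPLE_GO_SUM" | go_sum_deps | pinned_version golang.org/x/crypto
```

With such a list installed alongside the binary, answering "which packages pin module X at version Y" becomes a grep over package contents rather than a re-read of every APKBUILD and lockfile.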
Additional suggestions regarding solutions for the outlined problems are more than welcome!