Akku.scm is a language package manager for R6RS and R7RS Scheme. The software that powers the package index has been growing beyond the simple one-liner it was in the beginning and today I’ve finally pushed it to a public repository. I’ve also made preparations for hosting packages as tarballs directly in the archive.
Tarballs
The Akku archive has never hosted packages directly. The index points at git repositories and commit revisions. These are added to each project’s Akku.lock file and are used when akku install clones the repository.
This has two major drawbacks. Cloning a git repository can be really slow. The repositories are also hosted on sites like GitHub where users sometimes decide to force-push or remove the repositories completely. I feel this is likely to happen more often the more politics and business influence GitHub in the future.
I’ve prepared the Akku archive to host tarballs directly. These are made with git archive from the submitted git repository. Downloading these is much faster than cloning a repository, they are not at risk of being removed at a whim, and they are cached in a local shared cache. Other package managers as a rule host their own archives as well, so this is nothing unusual.
Provenance
It’s important to me that users of Akku can trust that they get original software that has not been tampered with. I review all code that goes into the archive to protect Akku against use in supply chain attacks.
Building tarballs changes the equation a little bit since you now need to trust that the tarballs have not been tampered with. Tarballs are verified when they are downloaded, but how do you know that they match the original software?
This can be seen as an issue of provenance, or providing proof of the history of a piece of software. Here is the chain for the new tarballs:
1. Akku packages are submitted through akku publish by a developer (or by the Snow mirror software) as a .akku file with a detached GPG signature. This signature can be independently verified by fetching the key from the keyservers. The signed .akku file contains a git commit id. Because it is signed by the person who submitted the package, we can use the signature to verify that it was not tampered with after it went into the archive. Copies of these files are hosted under /archive/packages.
2. The archive software creates a tarball from the original repository using the git archive command. It also creates a new .akku file which contains information about the original repository and commit id as a comment. The non-comment part of the file contains the URL and hash of the new tarball. Like other .akku files, it is signed. This provides a signature linking the original git commit to the new tarball’s hash. These files are available under /archive/pkg. The signature is made with the current Akku archive key, which is in turn signed by my own key (which is in the Debian keyring).
3. The .akku files for Snow packages and the new tarballs are combined using akku archive-scan and written to Akku-index.scm, which is then XZ-compressed and signed with the archive key. The akku update command verifies the signature when it downloads this file. When Akku creates an Akku.lock file it incorporates the hash from the index, which is verified when akku install runs.
The above should make it possible for any interested party to check the integrity of the archive. It also protects against attackers uploading funky tarballs that don’t match the git repository.
All git repositories and Snow packages are mirrored in the archive under /archive/mirror. This mirror is not used in the index and is mostly provided for backup purposes.
Beta testers
The new index with tarballs is not live yet; it needs some testing.
Anyone who wants to do so can try it and report successes or failures in the comments section below or in GitLab issues. Here is how to update to the new archive manually:
curl https://archive.akkuscm.org/beta/Akku-index.scm \
> ~/.local/share/akku/index.db
There is a GPG signature (.sig) in the same directory in case you want to verify that it was not tampered with.
Run akku lock in your existing project to get a lockfile that uses the new index. Then run akku install to download your packages as usual.
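The manual update above writes the downloaded index straight into index.db. The script below is an added example (not part of Akku or the archive software) that fetches the beta index and its detached signature into a scratch directory and installs the index only after gpg reports a valid signature from the archive key. It assumes the signature is named Akku-index.scm.sig, that the archive key is already in the local keyring, and uses a placeholder for the key fingerprint.

```shell
#!/bin/sh
# Added example: fetch the beta Akku index, verify its detached GPG
# signature, and only then install it as the local index.
# Assumptions (not from the page): the signature is named
# Akku-index.scm.sig, the archive key is already in the local keyring,
# and ARCHIVE_KEY below is a placeholder for its real fingerprint.
set -eu

BASE_URL="https://archive.akkuscm.org/beta"
INDEX_DB="${HOME}/.local/share/akku/index.db"
ARCHIVE_KEY="ARCHIVE-KEY-FINGERPRINT-PLACEHOLDER"

# install_verified_index INDEX SIG DEST
# Copies INDEX to DEST only if SIG is a valid signature over it from
# ARCHIVE_KEY. Fails closed: a missing file, a missing gpg binary, or a
# bad or wrong-key signature all return 1 and leave DEST untouched.
install_verified_index() {
    index="$1"; sig="$2"; dest="$3"
    [ -f "$index" ] || { echo "missing index: $index" >&2; return 1; }
    [ -f "$sig" ] || { echo "missing signature: $sig" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    # gpg exits 0 for a valid signature from *any* key in the keyring, so
    # read its machine-readable status lines and require VALIDSIG from the
    # expected fingerprint (the line carries the signing and primary key).
    if gpg --batch --status-fd 1 --verify "$sig" "$index" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*${ARCHIVE_KEY}"; then
        mkdir -p "$(dirname "$dest")"
        cp "$index" "$dest"
        return 0
    fi
    echo "signature check failed; index not installed" >&2
    return 1
}

# Download index and signature to a scratch directory, verify, install.
fetch_beta_index() {
    tmp="$(mktemp -d)"
    curl -fsS "${BASE_URL}/Akku-index.scm" -o "${tmp}/Akku-index.scm"
    curl -fsS "${BASE_URL}/Akku-index.scm.sig" -o "${tmp}/Akku-index.scm.sig"
    status=0
    install_verified_index "${tmp}/Akku-index.scm" \
        "${tmp}/Akku-index.scm.sig" "$INDEX_DB" || status=$?
    rm -rf "$tmp"
    return "$status"
}

# Run as: sh fetch-beta-index.sh --run   (then akku lock / akku install)
if [ "${1:-}" = "--run" ]; then fetch_beta_index; fi
```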
If all goes well then some time soon the switch to the new index will happen and akku update will use the new style index. You will still be able to revert to the old index by downloading Akku-origin.scm manually from the archive site and then using that as your index. This file will keep being maintained because that is where the Akku website generator finds pointers to upstream Git repositories.
Further reading
More about Akku: