Akku.scm is a language package manager for R6RS and R7RS Scheme. The software that powers the package index has been growing beyond the simple one-liner it was in the beginning and today I’ve finally pushed it to a public repository. I’ve also made preparations for hosting packages as tarballs directly in the archive.
The Akku archive has never hosted packages directly. The index points at git repositories and commit revisions. These are added to each Akku.lock file and are used when akku install clones the repository.
This has two major drawbacks. Cloning a git repository can be really slow. The repositories are also hosted on sites like GitHub where users sometimes decide to force-push or remove the repositories completely. I feel this is likely to happen more often the more politics and business influences GitHub in the future.
I’ve prepared the Akku archive to host tarballs directly. These are made with git archive from the submitted git repository. Downloading these is much faster than cloning a repository, they are not at risk of being removed at a whim, and they are cached in a local shared cache. Other package managers as a rule host their own archives as well, so this is nothing unusual.
It’s important to me that users of Akku can trust that they get original software that has not been tampered with. I review all code that goes into the archive to protect Akku against use in supply chain attacks.
Building tarballs changes the equation a little bit since you now need to trust that the tarballs have not been tampered with. Tarballs are verified when they are downloaded, but how do you know that they match the original software?
This can be seen as an issue of provenance, or providing proof of the history of a piece of software. Here is the chain for the new tarballs:
1. Akku packages are submitted through akku publish by a developer (or by the Snow mirror software) as a .akku file with a detached GPG signature. This signature can be independently verified by fetching the key from the keyservers. The .akku file contains a git commit id. Because it is signed by the person who submitted the package, we can use the signature to verify that it was not tampered with after it went into the archive. Copies of these files are hosted under /archive/packages.
2. The archive software creates a tarball from the original repository using the git archive command. It also creates a new .akku file which contains information about the original repository and commit id as a comment. The non-comment part of the file contains the URL and hash of the new tarball. Like other .akku files, it is signed. This provides a signature linking the original git commit to the new tarball’s hash. These files are available under /archive/pkg. The signature is made with the current Akku archive key, which is in turn signed by my own key (which is in the Debian keyring).
3. The .akku files for Snow packages and the new tarballs are combined using akku archive-scan and written to Akku-index.scm, which is then XZ-compressed and signed with the archive key. The akku update command verifies the signature when it downloads this file. When Akku creates an Akku.lock file it incorporates the hash from the index, which is verified when
The above should make it possible for any interested party to check the integrity of the archive. It also protects against attackers uploading funky tarballs that don’t match the git repository.
All git repositories and Snow packages are mirrored in the archive under /archive/mirror. This mirror is not used in the index and is mostly provided for backup purposes.
The new index with tarballs is not live yet; it needs some testing.
Anyone who wants to do so can try it and report successes or failures in the comments section below or in GitLab issues. Here is how to update to the new archive manually:
curl https://archive.akkuscm.org/beta/Akku-index.scm > ~/.local/share/akku/index.db
There is a GPG signature (.sig) in the same directory in case you want to verify that it was not tampered with.
Run akku lock in your existing project to get a lockfile that uses the new index. Then run akku install to download your packages as usual.
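As an added example (not code from the post or from the Akku project), here is a fail-closed version of the manual update above: it fetches the index and its detached signature, verifies the signature against a keyring that holds only the archive key, and only then replaces index.db; check_sha256 is the same kind of check a client should apply to a downloaded tarball against the hash recorded in its .akku file. The signature file name Akku-index.scm.sig, the keyring path and the use of SHA-256 for the tarball hash are assumptions, since the post does not state them.

```shell
#!/bin/sh
# Added example: fail-closed update of the Akku index. Not part of the Akku project.
# Assumptions: the detached signature is published as Akku-index.scm.sig next to the
# index, the archive key has been exported to a dedicated keyring, and the tarball
# hash in .akku files is SHA-256 (the post does not name the algorithm).
set -eu

# Verify a detached GPG signature using ONLY the given keyring, so that a signature
# from any key other than the archive key is rejected even if it sits in ~/.gnupg.
verify_index() {
    index=$1 sig=$2 keyring=$3
    gpg --batch --no-default-keyring --keyring "$keyring" --verify "$sig" "$index"
}

# Compare a downloaded tarball against the hash recorded in its .akku file.
# Returns non-zero on mismatch; the caller must treat that as "do not unpack".
check_sha256() {
    file=$1 expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download index + signature into a scratch directory and move the index into
# place only after the signature checks out, so a failed download or a tampered
# file never overwrites a working index.db.
install_index() {
    url=${AKKU_INDEX_URL:-https://archive.akkuscm.org/beta/Akku-index.scm}
    dest=${AKKU_INDEX_DB:-$HOME/.local/share/akku/index.db}
    keyring=${AKKU_KEYRING:-$HOME/.local/share/akku/archive-key.gpg}   # assumed path
    tmp=$(mktemp -d)
    if curl -fsSL -o "$tmp/index" "$url" &&
       curl -fsSL -o "$tmp/index.sig" "$url.sig" &&
       verify_index "$tmp/index" "$tmp/index.sig" "$keyring"; then
        mkdir -p "$(dirname "$dest")"
        mv "$tmp/index" "$dest"
        rm -rf "$tmp"
        echo "index updated: $dest"
    else
        rm -rf "$tmp"
        echo "refusing to replace $dest: download or signature check failed" >&2
        return 1
    fi
}

# Usage: sh update-index.sh install   (then run: akku lock && akku install)
if [ "${1:-}" = "install" ]; then install_index; fi
```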
If all goes well then some time soon the switch to the new index will be made and akku update will use the new style index. You will still be able to revert to the old index by downloading it manually from the archive site and then using that as your index. This file will keep being maintained because that is where the Akku website generator finds pointers to upstream Git repositories.