From: Ivan Shmakov
Document-Id: urn:uuid:3083ffaa-7304-4eed-bdb6-9d1ca12002dd
License: CC-BY-SA-3.0+
Link: ; rel="canonical"
Link: ; rel="predecessor-version"
Link: ; rel="author"
Link: ; rel="license"

	In the text below, a leading horizontal tabulation (ASCII HT) code indicates human-readable prose, while lines lacking one are intended for machine processing.

	Here we document the selection of Debian 10 Buster packages as used for the minimalistic AM-1.ORG live image, codenamed Echro, including the rationale behind our choice. Generally, the packages listed first are the most likely to be included on the image. However, for technical reasons the kernel and supporting packages are listed last. The lists below also serve as the basis for the bigger Entic live image, as well as for non-live systems based on Debian 10.

	The system as described is intended to fit on an approximately 256 MiB Zstd-compressed Squashfs (-always-use-fragments -comp zstd -b 1048576), not including the kernel (and initramfs), which would thus be usable when copied to tmpfs (toram=) even on rather modest (down to around 512 MiB RAM, no swap) hardware.

	The omit tag indicates packages which were considered but not included in the final list for one reason or another.

	This document is a work in progress.

* * *

	The following Debian packages comprise the base system, common to all AM-1.ORG environments, including those running on real hardware, under Qemu, live images, within containers and chroots (although non-container chroots are deprecated on AM-1.ORG systems), etc.

	The base system is expected to be reasonably self-contained. In particular, any dependencies it may have should be either purely automatic (i. e., not mentioned anywhere later in this document), or listed explicitly here and only here.

	This list ought to include ca-cacert, which is unfortunately no longer in Debian as of Buster, due to uncertain licensing.
Tags: base
Packages: apg apt ascii bash bc bmake bsdutils busybox bzip2 ca-certificates coreutils cpio dash dc debian-archive-keyring debianutils debootstrap diffutils dpkg e2fsprogs ed fakechroot fakeroot file findutils gawk gdisk gnutls-bin gpgv grep gzip less libc-bin libcommon-sense-perl libconvert-asn1-perl libdata-dump-perl libdigest-sha-perl libencode-locale-perl libtasn1-bin libterm-readline-gnu-perl libuuid-perl locales-all ltrace lynx lzop m4 minilzip mtree-netbsd ncurses-bin ncurses-term nettle-bin patch patchutils pdlzip perl procps pseudo psmisc rcs rhash rsync sed sharutils sleuthkit sqlite3 squashfs-tools strace tar time tree unzip util-linux vim-tiny wamerican wdiff wget xxd zip

	As an alternative to ed and vim-tiny, the lightweight Emacs-like zile editor may also be used.

Tags: omit, base
Packages: zile

	For data recovery, a generous selection of archivers and compressors (beyond those included in base above) may come in handy.

Tags: archivers
Packages: arj lhasa p7zip xz-utils zstd

	Similarly, we may need to interact with FAT filesystems.

Tags: fatfs
Packages: dosfstools mtools

	The following packages are useful for interfacing equipment over serial lines, as well as for managing virtual and pseudo ttys. Also relevant is rlwrap, not included because of its superfluous dependencies. In addition to (or in place of) screen, dtach and tmux may be included.

Tags: tty
Packages: cu lrzsz reptyr screen

Tags: omit, tty
Packages: dtach rlwrap tmux

	For networking diagnostics the following packages may be useful. Also included is the polipo proxy, to allow for setting up HTTP proxies (including HTTP over Tor), should the need arise.
Tags: network
Packages: curl dns-root-data esmtp netbase polipo sic socat

Tags: network, perl
Packages: libdigest-hmac-perl libio-socket-inet6-perl libio-socket-ip-perl libmail-spf-perl libnet-dns-perl libnet-ip-perl spf-tools-perl swaks

Tags: buster, network
Packages: dnsutils

Tags: bullseye, network
Packages: bind9-dnsutils

	The following packages are expected on a system that has an init (PID 1) process, such as a container.

Tags: initable
Packages: initscripts lsof sysv-rc sysvinit-utils uuid-runtime

Tags: initable-lite
Packages: busybox-syslogd tinysshd
Implies: initable

	Certain packages only make sense on systems that anticipate user (non-root) interactive sessions, as opposed to, say, a container managed entirely from the hosting system. Among those are openssh-client and dsh, a wrapper that facilitates starting several SSH client instances in sequence or in parallel, which comes in particularly useful in clustered environments.

	Please note that ssh-agent is installed with the setgid flag set, as a precaution against someone gaining access to another person's user session and then using GNU/Linux debugging facilities (such as the /proc/PID/mem file) to hijack the currently loaded SSH keys. Such a measure is, however, not effective in AM-1.ORG containers (see below.)

Tags: interactive
Packages: acl jdupes pinentry-tty
Implies: initable

Tags: interactive, network
Packages: openssh-client

Tags: cluster, interactive
Packages: dsh
Implies: network

	The following packages are likely to be useful on a system booted on real hardware or in a (para)virtualized environment, but not necessarily in a chroot or a container. We formerly made use of the Btrfs and Nilfs filesystems, hence the respective packages may be useful on recovery images, yet they are currently not included to save space.

	We include here the packages which require privileges not generally granted to AM-1.ORG containers, such as those required to run dmsetup(8), mount(8), mtr(8), oping(8), tcpdump(8), etc.
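	The privilege gates discussed in this section (the no_new_privs bit, nosuid mounts, the restricted capability set and the setgid ssh-agent) can be checked from inside a running environment with the following script. It is an added example rather than anything shipped by AM-1.ORG; it assumes a Linux /proc, GNU stat, and Debian's /usr/bin/ssh-agent path.

```shell
#!/bin/sh
# Added example, not part of the AM-1.ORG document: report whether the privilege
# gates described in this section are in effect for the current process.  The
# parsing functions read /proc text on stdin, so they also run over samples.

# Print the NoNewPrivs value (0 or 1) from /proc/PID/status text on stdin.
nnp_from_status() {
    awk '$1 == "NoNewPrivs:" { print $2; f = 1 } END { if (!f) print "unknown" }'
}

# Print the effective capability mask (hex) from /proc/PID/status text on stdin.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2 }'
}

# Does the hex capability mask in $1 include CAP_MKNOD (capability number 27)?
has_cap_mknod() {
    [ -n "$1" ] || { echo unknown; return; }
    [ $(( 0x$1 & 0x08000000 )) -ne 0 ] && echo yes || echo no
}

# From /proc/self/mountinfo text on stdin, print "nosuid" or "suid" for the
# mount point given as $1.  Field 5 is the mount point and field 6 holds the
# per-mount options, which is where nosuid is recorded.
suid_state_of_mount() {
    awk -v mp="$1" '$5 == mp {
        s = "suid"; d = 1; n = split($6, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "nosuid") s = "nosuid"
        print s; exit }
        END { if (!d) print "unknown" }'
}

# Report on the running system.  The setgid bit on ssh-agent only acts as a
# gate when its filesystem is not mounted nosuid (and no_new_privs is unset),
# which is why the document calls it ineffective in containers.
report_self() {
    printf 'NoNewPrivs: %s\n' "$(nnp_from_status < /proc/self/status)"
    caps=$(capeff_from_status < /proc/self/status)
    printf 'CapEff: %s (CAP_MKNOD: %s)\n' "$caps" "$(has_cap_mknod "$caps")"
    agent=/usr/bin/ssh-agent       # assumed path, as shipped by Debian's openssh-client
    if [ -g "$agent" ]; then
        mp=$(stat -c %m "$agent")  # GNU stat: mount point holding the file
        printf '%s is setgid; its mount %s is %s\n' "$agent" "$mp" \
            "$(suid_state_of_mount "$mp" < /proc/self/mountinfo)"
    else
        printf '%s is absent or not setgid\n' "$agent"
    fi
}

if [ "${1:-}" = "--report" ]; then report_self; fi
```

	Invoke it with --report to print the findings for the current process.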
	We include iputils-ping here alongside oping, although the latter supersedes the former in regular AM-1.ORG usage.

	For instance, AM-1.ORG containers and chroots are typically meant to run very few, if any, processes under superuser (root, uid 0) privileges, and even those only possess a limited set of capabilities (e. g., the mknod syscall is not available.) Moreover, the usual privilege gates, such as setuid (setgid) programs, are disabled (via both the no_new_privs bit and by only making available filesystems mounted with the nosuid option.) Together, these measures render programs such as MAKEDEV, mount, mtr and oping meaningless. Similarly, containers rely on the host system clock (which ought to be properly synchronized), and thus need no NTP support themselves.

Tags: bootable
Packages: gnupg1 kexec-tools login makedev mount sysvinit-core
Implies: initable

Tags: omit, bootable
Packages: btrfs-progs nilfs-tools

Tags: cryptsetup
Packages: cryptsetup-bin cryptsetup-initramfs cryptsetup-run
Implies: bootable

Tags: lvm2
Packages: dmsetup lvm2 thin-provisioning-tools
Implies: bootable

Tags: mdadm
Packages: mdadm
Implies: bootable

Tags: bootable, network
Packages: ifupdown iproute2 iputils-ping mtr-tiny net-tools netdiag ntp oping tcpdump

	For a live image, support for DHCP IPv4 autoconfiguration may come in handy.

Tags: udhcpc
Packages: udhcpc
Implies: bootable, network

	The following packages are mainly useful for systems booted on real hardware. We do not include fbset here, as it apparently does not allow for framebuffer mode setting with recent kernels.

Tags: bootable, real
Packages: beep console-setup flashrom gddrescue gpm haveged hddtemp hdparm kbd keyutils lm-sensors parted pciutils setserial smartmontools statserial usbutils vlock
Implies: cryptsetup, lvm2

Tags: omit, bootable, real
Packages: fbset

	We may also need to access NFS, iSCSI, IMAP, Kerberos and (or) LDAP servers.
	Please note that Neomutt in Debian Depends: (albeit indirectly) on gnupg | gpg, the first of which adds considerably to the system footprint. To resolve this issue, either an alternative mail (and news) user agent is to be used (such as alpine), or a dummy package with Provides: gpg (or gnupg) can be installed. (An example of the latter can be found at http://am-1.org/~ivan/dist/no-gnupg_0.1_all.deb.)

	Typically we will use autofs to automatically (un)mount remote filesystems, but for a recovery image it seems superfluous.

Tags: nfs-client
Packages: nfs-common rpcbind
Implies: bootable, network

Tags: open-iscsi
Packages: open-iscsi
Implies: bootable, network

Tags: conventional, network
Packages: libsasl2-modules neomutt

Tags: omit, conventional, network
Packages: alpine

Tags: heimdal
Packages: heimdal-clients
Implies: network

Tags: ldap
Packages: ldap-utils
Implies: network

Tags: ntlm
Packages: cntlm
Implies: network

	We may also want to use a system started from this live image as a (perhaps temporary) Ethernet bridge or router.

Tags: bridge
Packages: bridge-utils ebtables
Implies: bootable, network

Tags: gateway
Packages: ipset iptables iptables-persistent nftables
Implies: bootable, network

	Miscellaneous network-related packages. In particular, aria2 may be used to efficiently transfer large datasets to multiple destinations (thanks to its BitTorrent support), while openbsd-inetd is our preferred way to start tinysshd, which is part of initable-lite above. (Although tinysshd can alternatively be started via socat.) The iputils-tracepath package provides the tracepath(8) utility, similar to mtr(8) and traceroute(8), but which does not rely on superuser privileges, making it suitable for AM-1.ORG containers.

Tags: network-extra
Packages: aria2 idn idn2 iputils-tracepath lighttpd openbsd-inetd tcpd
Implies: network

Tags: bootable, network-extra
Packages: radvdump

	The following packages may be selected on a case by case basis.
	In particular, the more generic socat tool (already in network) makes the netcat-openbsd and netcat-traditional packages generally unnecessary.

Tags: imap
Packages: dovecot-imapd isync
Implies: network

Tags: netcat
Packages: netcat-openbsd netcat-traditional
Implies: network

Tags: radvd
Packages: radvd
Implies: bootable, network

Tags: tinc
Packages: tinc
Implies: bootable, network

	The nmap package, otherwise useful for network diagnostics, is not included to save space.

Tags: omit, network-extra
Packages: nmap

	Perl-compatible regular expressions occasionally come in handy. Given the presence of sqlite3 in base, it does not make sense to omit sqlite3-pcre from here.

Tags: pcre
Packages: pcregrep sqlite3-pcre

	A selection of languages beyond those already in base. Note that edbrowse is included here chiefly as a lightweight (although largely incomplete) JavaScript implementation, in case one is needed.

Tags: languages
Packages: duktape jimsh make mawk

Tags: edbrowse
Packages: edbrowse

	A selection of extra packages for Perl.

Tags: perl
Packages: libconvert-base32-perl liblocale-gettext-perl libsys-mmap-perl libterm-readkey-perl libterm-readline-perl-perl libterm-readpassword-perl libtree-rb-perl liburi-perl

Tags: perl, sqlite-extra
Packages: libdbd-sqlite3-perl libdbi-perl

	Sometimes tinysshd may not be enough (for instance, it lacks support for TCP and Unix domain socket forwarding), so we include openssh-server as well. Please note that openssh-server would not ordinarily start in an AM-1.ORG container, due to the latter lacking the audit_write capability, which is one of the reasons tinysshd is used instead.

Tags: openssh-server
Packages: openssh-server
Implies: initable, network

	For long-term archival storage, AM-1.ORG specifies the use of DVD+R media, with the ISO 9660 filesystem being preferred. The following packages facilitate making such archives. (For CD-R media, it may make sense to include cdrdao as well.
	Also relevant to ISO 9660 is the xorriso package, not included here to save space.)

Tags: cd
Packages: dvd+rw-tools eject growisofs

Tags: iso9660
Packages: genisoimage makefs

Tags: omit, cd
Packages: cdrdao

Tags: omit, iso9660
Packages: xorriso

	The mandoc package provides a somewhat lighter-weight formatter for *roff-based man page documentation.

Tags: conventional
Packages: mandoc

	The following packages are somewhat unlikely to get included in smaller live images, in order to save space. We do not use *roff for document formatting, and so, to avoid a dependency on the otherwise unneeded groff-base, we relegate man-db to conventional-extra. Similarly, we generally expect Texinfo-based documentation to be available in a form readable via lynx, edbrowse, or some other similar software.

Tags: conventional-extra
Packages: fakeroot-ng fdisk gdb man-db pinfo popularity-contest

	The following packages allow for basic graphics manipulation, which may be of use when recovering images from failed media.

Tags: graphics
Packages: jpeginfo libjpeg-turbo-progs netpbm pvrg-jpeg

	To view images on the Linux framebuffer we may use fbi, which in turn requires a scalable font, the smallest of which is apparently ttf-bitstream-vera.

Tags: graphics, real, ttf
Packages: fbi

Tags: ttf
Packages: ttf-bitstream-vera

	It does make sense to boot the system with init=/bin/bash and set the root password explicitly (# passwd) before proceeding (# exec /sbin/init). Nevertheless, sudo is provided as a more conventional way to gain root access.

Tags: bootable, conventional
Packages: sudo

	A diagnostics and recovery image would also make use of the following packages. It does not make much sense to include them on the Squashfs image proper.

Tags: omit, syslinux
Packages: extlinux isolinux syslinux syslinux-common

Tags: omit, bootable
Packages: memtest86+ memtest86

	The kernel and the utilities to make the respective initramfs.
	Note that it is not necessary to include the initramfs itself (nor anything else from below boot/) on the Squashfs image proper.

Tags: bootable, final
Packages: initramfs-tools linux-image-amd64

Tags: omit, bootable, final
Packages: firmware-linux-free

	The following packages make it possible to run the system from read-only media, overlaid by a tmpfs.

Tags: live
Packages: live-config live-config-sysvinit live-tools user-setup

Tags: live, bootable
Packages: live-boot live-boot-initramfs-tools