[build-hooks] Fix reproducible build: pin apt versions and track autoremove

[rustiqly]

Problem

When ENABLE_VERSION_CONTROL_DEB=y (SONIC_VERSION_CONTROL_COMPONENTS includes deb), the apt-get hook has two issues:

1. Versions from versions-deb are never applied to apt-get arguments (#7502)

check_apt_version() only warns about missing package versions — it never modifies the apt-get install command to pin versions. While the APT preferences mechanism (01-versions-deb → /etc/apt/preferences.d/) provides pinning via Pin-Priority: 999, this doesn't guarantee exact version matching (APT can still pick a different version if the pinned one isn't available).

2. apt-get autoremove doesn't capture package versions

The hook captures package versions before purge and remove, but not autoremove. Build dependencies installed via apt-get install and later cleaned up via apt-get autoremove are lost from the version tracking, making builds non-reproducible.

Fix

pin_apt_versions() — new function in buildinfo_base.sh

When ENABLE_VERSION_CONTROL_DEB=y, rewrites apt-get install foo bar to apt-get install foo=1.2.3 bar=4.5.6 by looking up versions in the versions-deb file.

• Only activates when deb version control is enabled (off by default)
• Packages already pinned (foo=1.2.3) pass through unchanged
• Packages not in versions-deb pass through with existing warning
• Works alongside the existing APT preferences mechanism as defense-in-depth

autoremove tracking

Added autoremove to the list of commands that trigger version capture (dpkg-query -W → purge-versions-deb), alongside purge and remove.

Impact

• No change for default builds — deb is not in the default SONIC_VERSION_CONTROL_COMPONENTS
• When version control IS enabled, packages are now actually pinned to the versions in versions-deb
• Intermediate build dependencies removed via autoremove are now tracked

Fixes #7502

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Copilot]

Pull request overview

This PR updates the sonic-build-hooks apt-get hook path to improve reproducible builds when ENABLE_VERSION_CONTROL_DEB=y, by pinning apt-get install package arguments to the versions recorded in versions-deb and by capturing versions prior to apt-get autoremove.

Changes:

• Add pin_apt_versions() helper to rewrite apt-get install args into pkg=version using versions-deb.
• Update the apt-get hook to apply pinned args before invoking the real apt-get.
• Extend version capture to include apt-get autoremove in addition to purge/remove.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
src/sonic-build-hooks/scripts/buildinfo_base.sh	Adds pin_apt_versions() to pin apt-get install package arguments based on versions-deb.
src/sonic-build-hooks/hooks/apt-get	Applies pinned args during installs and captures versions on autoremove.

[yxieca]

autoremove tracking: Clean, LGTM.

pin_apt_versions(): A few concerns:

1. Grep injection with + in package names — grep "^${para}==" uses regex, but Debian package names commonly contain + (e.g., g++-10, libstdc++6, libc++1). The + is a regex quantifier, so grep "^g++-10==" matches g-10==, gg-10==, etc. instead of the literal package name. This could silently pin the wrong version or fail to match. Fix: use grep -F with an exact match pattern, e.g., grep -F "${para}==" "$VERSION_FILE" | head -1 | awk -F'==' '{print $2}' — since grep -F treats the pattern as a literal string, + is matched correctly.

2. set -- $versioned_args loses quoting — The subshell output is re-split on whitespace via unquoted $versioned_args. Package names don't have spaces, but option values could. Minor risk but worth noting.

3. Options after install keyword — Args like -t bullseye will have -t skipped but bullseye treated as a package name and looked up in versions-deb. It won't match so it passes through safely, but it's a design gap worth a comment in the code.

Item #1 is the actionable one — + in package names is common enough to cause real issues.

[mssonicbld]

/azp run Azure.sonic-buildimage

[rustiqly]

Thanks for the thorough review @yxieca! All addressed in the latest push:

1. Grep injection with + in package names — Replaced grep "^${para}==" with awk -F'==' -v pkg="$para" '$1==pkg {print $2; exit}'. This does exact string matching on the package name field, so g++, libstdc++6, etc. are handled correctly.

2. set -- $versioned_args loses quoting — Now uses read -r -a to split into a proper bash array, then set -- "${versioned_args[@]}" to preserve argument boundaries.

3. Options after install keyword — Added a comment explaining the behavior (option values like bullseye pass through safely since they won't match in versions-deb).

Also fixed Copilot's catch: VERSION_FILE is now local to avoid mutating the global.

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[yxieca]

All feedback addressed — awk for exact match, proper array quoting, options documented. LGTM.

@xumia @liushilongbuaa — could you review the build-hooks changes? The pin_apt_versions() function modifies the apt-get install args to enforce version pinning from versions-deb when ENABLE_VERSION_CONTROL_DEB=y.

[liushilongbuaa]

@yijingyan2 , please review and test.

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[rustiqly]

Addressed all Copilot review comments in latest incremental commit:

1. VERSION_FILE not local — Now local in both pin_apt_versions() and check_apt_version()
2. grep regex injection — Replaced with awk -F'==' -v pkg=... exact string match in both functions
3. check_apt_version uses = vs == — Fixed to use awk with == delimiter matching versions-deb format
4. set -- $versioned_args injection — Replaced with read -r -a array + quoted expansion

[yijingyan2]

@yijingyan2 , please review and test.

Hi @rustiqly, I ran a test build with the build option SONIC_VERSION_CONTROL_COMPONENTS=py2,py3,web,git,docker,deb. With your changes, the packages versions can be correctly pinned to those specified in the 'versions-deb' file. But this introduced a new issue.
The versions in versions-deb files for docker/host images may contain +fips e.g. openssh-server==1:10.0p1-7+fips (this is because the images were built with build option ENABLE_FIPS=y). So when building these docker/host images, the version for openssh-server is pinned to 1:10.0p1-7+fips, this causes apt-get install fail with the error message:

E: Version '1:10.0p1-7+fips' for 'openssh-server' was not found

currently, we are using snapshot to pin the package versions. It may cause conflict if we pin the versions based on both versions-deb files and snapshot?
@liushilongbuaa, please add or correct anything as needed. Thanks

[mssonicbld]

/azp run Azure.sonic-buildimage

[rustiqly]

Good catch @yijingyan2! You're right — when versions-deb is generated from a FIPS build, packages like openssh-server get pinned to versions with a +fips suffix that don't exist in non-FIPS repos.

I just pushed a fix: pin_apt_versions() now strips the +fips suffix from the version string when ENABLE_FIPS is not y. This way:

• FIPS builds: version used as-is (e.g. 1:10.0p1-7+fips)
• Non-FIPS builds: suffix stripped (e.g. 1:10.0p1-7)

Regarding snapshot vs versions-deb conflict — they serve different purposes: snapshot pins the repo state (which packages are available), while versions-deb pins the installed versions. They should be complementary, not conflicting. But if you see issues there, happy to discuss further.

Could you re-test with this latest commit?

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[yijingyan2]

Good catch @yijingyan2! You're right — when versions-deb is generated from a FIPS build, packages like openssh-server get pinned to versions with a +fips suffix that don't exist in non-FIPS repos.

I just pushed a fix: pin_apt_versions() now strips the +fips suffix from the version string when ENABLE_FIPS is not y. This way:

• FIPS builds: version used as-is (e.g. 1:10.0p1-7+fips)
• Non-FIPS builds: suffix stripped (e.g. 1:10.0p1-7)

Regarding snapshot vs versions-deb conflict — they serve different purposes: snapshot pins the repo state (which packages are available), while versions-deb pins the installed versions. They should be complementary, not conflicting. But if you see issues there, happy to discuss further.

Could you re-test with this latest commit?

Hi @rustiqly, if ENABLE_FIPS=y, the apt-get install openssh-server=1:10.0p1-7+fips would also fail, because there are no official versions of +fips from Debian, the +fips version is locally rebuilt.
there is another issue regarding different arch. When building image like mellanox (amd64), it failed with error message:

E: Version '3.11-4+b1' for 'grep' was not found
E: Version '4.9-2+b1' for 'sed' was not found

The versions for grep and sed are pinned to versions that are only available in arm64

[rustiqly]

Great catches @yijingyan2, both issues are real:

1. +fips suffix: You're right — even with ENABLE_FIPS=y, the +fips packages are locally rebuilt and won't exist in Debian repos. Fixed: now stripping +fips unconditionally.

2. Cross-arch versions: The +b1/+b2 binary NMU revisions are arch-specific, so versions pinned on arm64 can fail on amd64. Fixed: pin_apt_versions() now does an apt-cache show check before pinning — if the version isn't available for the current arch, it falls back to unpinned.

Pushed both fixes. Could you re-test?

[mssonicbld]

/azp run Azure.sonic-buildimage

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[rustiqly]

CI failures are all infrastructure/flaky issues unrelated to this change:

• kvmtest-t1-lag-vpp [OPTIONAL] — known flaky, explicitly marked optional
• PREPARE_TESTBED_FAILED — Elastictest testbed setup timeout
• Azure.sonic-buildimage (parent) — umbrella check that fails when any child fails

Could a maintainer please re-trigger CI? Thank you!

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[yejianquan]

LGTM. Three solid fixes:

1. grep pattern fixed from ^pkg= to ^pkg== matching the actual versions-deb format
2. autoremove added to version capture -- intermediate build deps were previously lost
3. +fips suffix stripping for locally-rebuilt FIPS packages

Also good: VERSION_FILE made local to avoid leaking into global scope.

🤖 Posted by DevAce, Jianquan's AI Agent, on his behalf.

[StormLiangMS]

@liushilongbuaa ms_conflict.

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[StormLiangMS]

/azpw ms_conflict

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).