...instead of running apk every time to get the list of installed
packages and their versions. The internal package database from
apk has the same format as the extracted APKINDEX file (except
that it has more key-value pairs, which we ignore/do not need
right now). So the APKINDEX code has been extended to parse both
tar-packed APKINDEX files and regular text files in the APKINDEX
format.
This is required for #108, for a better detection of outdated
packages (because the internal package database saves the
package's timestamp, too). A nice benefit is that this is faster
than calling apk every time and it doesn't fill up the log as much.
I've also used this improved function for determining the apk
version (for the outdated version check), and I've deleted
pmb.parse.other.package_split(), as it is not needed anymore.
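
A sketch of the parsing described in the commit message above, as an added example that is not pmbootstrap's own code and not part of the commit. It assumes the key letters of the apk index format (`P` name, `V` version, `t` build timestamp), which the page does not spell out; the function names and the sample database are constructed for illustration.

```python
import io
import tarfile

# Keys kept from each block; the installed database carries more keys
# (file lists, checksums, ...) which are skipped, as the commit describes.
WANTED = {"P": "pkgname", "V": "version", "t": "timestamp"}

# Constructed sample in the layout of apk's installed database.
SAMPLE_DB = """\
P:apk-tools
V:2.7.2-r0
t:1500000000
F:sbin
R:apk

P:busybox
V:1.26.2-r5
t:1490000000
"""


def parse_text(text):
    """Parse APKINDEX-format text into {pkgname: {version, timestamp}}."""
    packages = {}
    # Blocks are separated by one empty line, one "K:value" pair per line.
    for block in text.replace("\r\n", "\n").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in WANTED:
                entry[WANTED[key]] = value
        # Skip incomplete blocks instead of guessing a name or version.
        if "pkgname" in entry and "version" in entry:
            entry["timestamp"] = int(entry.get("timestamp", 0))
            packages[entry.pop("pkgname")] = entry
    return packages


def parse_bytes(data):
    """Accept a tar-packed APKINDEX or a plain text file in that format."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            text = tar.extractfile("APKINDEX").read().decode("utf-8")
    except tarfile.ReadError:
        # Not a tar archive: treat it as the regular text database.
        text = data.decode("utf-8")
    return parse_text(text)
```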

* Minimum version: 2.7.2 (which fixes two CVEs)
* Check the minimum apk version before doing something with apk and
  before entering the chroot manually (previously, it just checked
  the apk-tools-static version, which gets used to set up the chroot)
* Reword the message for an outdated APK version. Most likely it is
  just the outdated http cache, instead of a man-in-the-middle attack.

See also:
b849b481a0

pmb.chroot.apk.installed() used to return only the explicitly installed
packages. This is not good enough for the initfs check functions (and
especially for the "lazy reproducible builds", from which branch this
commit was cherry picked).
This commit introduces more noise for the logfile - if this becomes
a problem, raise your voice in the issues tracker and we'll do something
about it.
(This commit also changes minor code styling in other files, I did
not run autopep8 last time, because flake8 didn't complain...)