chainguard-dev/apko

Local repositories should not be added in /etc/apk/repositories

justpolidor opened this issue · 0 comments

When building packages with melange and using these in apko by referencing a repository that points to a local folder like this:

```yaml
contents:
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://packages.wolfi.dev/os
    - '@local ./packages'
  packages:
    - wolfi-base
    - mypackage@local
entrypoint:
  command: /usr/bin/mypackage

environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
```

the Docker images created will have the following content in the /etc/apk/repositories file:

```
@local ./packages
https://packages.wolfi.dev/os
```

This will cause the apk add command to fail when a user wants to add packages outside apko/melange (e.g. using the image produced by apko as FROM in a Dockerfile and executing apk commands).

```
/ # apk add curl
WARNING: opening ./packages: No such file or directory
WARNING: The repository tag for world dependency 'mypackage@local' does not exist
ERROR: Not committing changes due to missing repository tags. Use --force-broken-world to override.
```

Is this supposed to be like this, or can we avoid adding local repositories to the /etc/apk/repositories file? Or is there a way to exclude repositories programmatically?
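A lint for the condition reported above, as an added example that is not part of the original issue or of apko's code: it flags repository entries that point at a filesystem path and world dependencies pinned to a tag that no URL-backed repository defines. The function names are hypothetical, and the script assumes that the world file is /etc/apk/world with one dependency per line and that any location that is not an http(s) URL is a build-time leftover.

```shell
#!/bin/sh
# Added example (not apko code): lint an image's apk configuration.

# Print repository lines whose location is a path rather than an http(s) URL.
local_repo_entries() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        {
            loc = ($1 ~ /^@/) ? $2 : $1          # "@tag location" or "location"
            if (loc !~ /^https?:\/\//) print
        }' "$1"
}

# Print world entries pinned to a tag that no URL-backed repository defines.
dangling_world_tags() {                          # $1 = repositories, $2 = world
    awk '
        FILENAME == ARGV[1] {
            if ($1 ~ /^@/ && $2 ~ /^https?:\/\//) ok[substr($1, 2)] = 1
            next
        }
        {
            n = index($0, "@")
            if (n == 0) next                     # untagged dependency
            tag = substr($0, n + 1)
            sub(/[^A-Za-z0-9._-].*$/, "", tag)   # drop anything after the tag
            if (!(tag in ok)) print
        }' "$1" "$2"
}

# Return 1 and list the findings on stderr if either check finds something.
audit_apk_config() {                             # $1 = rootfs dir ("" = running system)
    repos="$1/etc/apk/repositories"; world="$1/etc/apk/world"
    bad=$(local_repo_entries "$repos"; dangling_world_tags "$repos" "$world")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Constructed sample rootfs: the repositories file shown in the issue, plus a
# world file inferred from its package list.
make_sample_rootfs() {
    d=$(mktemp -d) && mkdir -p "$d/etc/apk" || return 1
    printf '%s\n' '@local ./packages' 'https://packages.wolfi.dev/os' > "$d/etc/apk/repositories"
    printf '%s\n' 'wolfi-base' 'mypackage@local' > "$d/etc/apk/world"
    echo "$d"
}

audit_apk_config "$(make_sample_rootfs)" || echo "sample image has build-time leftovers"
```

Run as a CI step against an unpacked image rootfs, a non-zero exit from `audit_apk_config` marks an image on which `apk add` will fail in the way shown above.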