desktops: install runtime apt pin so apt.armbian.com .debs win #850

Closed
igorpecovnik wants to merge 8 commits into main from desktops-apt-pin-runtime

@igorpecovnik
Member

Summary

The desktop YAML lists chromium / firefox / thunderbird / chrome / code / edge expecting apt.armbian.com to host them as real .debs that should win over Ubuntu's snap-transitional packages. For that to actually happen, an apt pin must force o=Armbian to priority 1001 and push o=Ubuntu down to 50.

Today that pin lives in the BSP at packages/bsp/common/etc/apt/preferences.d/armbian. That file is a dpkg conffile — once a user has any version on disk (even the May-2023 → Feb-2026 era one which was shipped fully commented out), armbian-bsp-cli upgrades preserve the local copy instead of installing the new one. Result on those systems: the pin is inert and the snap-shim wins. Exactly the symptom we just debugged on a real test box.

Fix

Move pin ownership to armbian-config and write to a distinct path so dpkg's conffile preservation is moot:

  • _module_desktops_write_apt_pin() writes /etc/apt/preferences.d/armbian-desktops via temp + atomic mv. Idempotent — runs on every install, always reflects the current configng version.
  • Wired into the install subcommand before pkg_update / pkg_install so apt resolves the desktop package list with the right priority from the first invocation.
  • Non-fatal: pin write failure warns and continues — better than aborting a desktop install over a preferences file.

Pin block emitted:

Package: chromium chromium-* firefox firefox-esr firefox-l10n-* thunderbird thunderbird-l10n-* google-chrome-stable code microsoft-edge-stable
Pin: release o=Armbian
Pin-Priority: 1001

Package: chromium chromium-* firefox firefox-esr firefox-l10n-* thunderbird thunderbird-l10n-* google-chrome-stable
Pin: release o=Ubuntu
Pin-Priority: 50

Why 1001, not 990

Ubuntu's snap-transitional packages have a higher epoch than Armbian's real .debs. Priority 990 only permits upgrades; 1001 also permits the downgrade required to swap an existing snap-shim install for the real .deb. The build-repo HEAD pin already uses 1001 — this matches.

Stack

Built on top of:

Will rebase cleanly when those land.

Build-repo follow-up

Newly-built images still install desktop packages via the build framework's own apt path, so they'd get the snap-shim until either:

  1. The build invokes module_desktops install for desktop images (long-term — single source of truth), or
  2. The build also writes the same pin file from its desktop hook (short-term bridge)

Separate PR. The BSP pin file at packages/bsp/common/etc/apt/preferences.d/armbian should also be deleted (or kept minimal) once the runtime pin is the source of truth.

Test plan

  • Helper renders the expected pin file content (smoke-tested in isolation)
  • Bash syntax check of the modified module
  • On a real Armbian noble system: armbian-config --api module_desktops install de=xfce tier=full produces /etc/apt/preferences.d/armbian-desktops with both pin blocks, and apt-cache policy thunderbird shows Armbian = 1001, Ubuntu = 50, snap-shim NOT installed
  • On a system that already had the snap-shim installed: install path downgrades it to the apt.armbian.com real .deb (1001 forces the swap)
  • Pin write failure (e.g. read-only /etc) warns and the install still proceeds
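
The helper behaviour listed under Fix (temp file plus atomic mv, idempotent, non-fatal), together with a check for the commented-out failure mode from the Summary, as an added shell sketch; it is not the PR's `_module_desktops_write_apt_pin()` code. `pin_content`, `write_apt_pin`, `pin_is_effective` and the directory argument are hypothetical names; the pin text is the block quoted above.

```shell
# Added sketch, not armbian-config's code. Function names and the directory
# argument are hypothetical; the pin text is the block quoted in the PR.

pin_content() {
	cat <<'EOF'
Package: chromium chromium-* firefox firefox-esr firefox-l10n-* thunderbird thunderbird-l10n-* google-chrome-stable code microsoft-edge-stable
Pin: release o=Armbian
Pin-Priority: 1001

Package: chromium chromium-* firefox firefox-esr firefox-l10n-* thunderbird thunderbird-l10n-* google-chrome-stable
Pin: release o=Ubuntu
Pin-Priority: 50
EOF
}

# write_apt_pin [DIR]: returns 0 on success, 1 on failure (caller warns, continues).
write_apt_pin() {
	local dir="${1:-/etc/apt/preferences.d}" target tmp
	target="$dir/armbian-desktops"

	# Temp file in the SAME directory: mv is then a rename on one
	# filesystem, so apt never reads a half-written preferences file.
	tmp="$(mktemp "$dir/.armbian-desktops.XXXXXX" 2>/dev/null)" || return 1

	if ! pin_content > "$tmp" || ! chmod 0644 "$tmp"; then
		rm -f "$tmp"
		return 1
	fi

	# Idempotent: identical content leaves the existing file untouched.
	if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
		rm -f "$tmp"
		return 0
	fi

	mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}

# pin_is_effective FILE: succeeds only if FILE carries an active (uncommented)
# o=Armbian stanza at 1001 and an o=Ubuntu stanza at 50.
pin_is_effective() {
	awk '
		/^Pin: release o=Armbian$/ { o = "a" }
		/^Pin: release o=Ubuntu$/  { o = "u" }
		/^Pin-Priority: 1001$/ && o == "a" { a = 1 }
		/^Pin-Priority: 50$/   && o == "u" { u = 1 }
		/^$/ { o = "" }
		END { exit !(a && u) }
	' "$1"
}
```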

apt.armbian.com hosts real .debs of chromium / firefox /
google-chrome-stable, so the existing browser virtual token can
point straight at them — no need for a separate package list or
temp-source juggling.

- common.yaml `browser:` map: amd64 every release ->
  google-chrome-stable. Ubuntu releases (jammy/noble/plucky/questing/resolute)
  switch arm64/armhf to chromium and riscv64 to firefox (real .debs
  from apt.armbian.com instead of the previous epiphany-browser
  fallback). Debian rules unchanged (chromium / firefox-esr).
- common.yaml `full.packages` += code (vscode from apt.armbian.com,
  universal across arches).

Schema extension (kept for future use):

- _apply_tier_overrides() now honours per-arch / per-release-per-arch
  `packages:` ADDS in addition to the existing `packages_remove`.
  Symmetric with the top-level tier block. Not used by this commit
  (the browser token is the cleaner place for browser substitution),
  but available when a future change needs an arch-only addition
  that isn't a browser.

Smoke-tested across xfce {trixie,noble} {amd64,arm64,riscv64}
{minimal,mid,full} plus bookworm/riscv64 (browser dropped — no
riscv64 port) and sid/loong64 (firefox-esr — chromium not built).

apt.armbian.com hosts both: armbian-imager (universal) and a real
thunderbird .deb that wins by version against Ubuntu's snap-shim
package on amd64/arm64. The previous tier_overrides stripped
thunderbird on every Ubuntu arch out of caution about the snap-shim.

- common.yaml `mid.packages` += armbian-imager (SD-card flasher,
  universal — apt.armbian.com builds for every arch we ship).
- common.yaml `tier_overrides.full.releases.<release>.architectures`
  for noble/plucky/jammy/questing/resolute: drop the amd64 + arm64
  thunderbird strips. Keep armhf + riscv64 strips since the original
  comment notes the upstream Ubuntu deb is missing on those arches
  and we don't (yet) ship them via apt.armbian.com — the audit will
  catch any false positive on the next run.

Debian armhf strips (bookworm, trixie, forky, sid) untouched —
those are Debian-side gaps, unrelated to the snap-shim issue.

Smoke-tested across xfce {noble,trixie} {amd64,arm64,armhf,riscv64}
{mid,full}: amd64 keeps chrome+thunderbird, arm64 keeps
chromium+thunderbird, armhf keeps chromium (no thunderbird), riscv64 keeps
firefox (no thunderbird), armbian-imager present on every mid+.

plucky (Ubuntu 25.04) is eos as of 2026-01-25 — see
armbian/build#9657 where we flipped its support flag. The audit
script already excludes eos releases from the missing-releases
report, but it does not auto-remove existing entries; those just
sit as drift.

questing (Ubuntu 25.10) is a 9-month interim release with about
3 months of life left (EOL ~2026-07). Rare on real boards and
not worth the per-release maintenance overhead.

Dropped:

  common.yaml
    - browser map: plucky, questing entries
    - tier_overrides.mid.releases: plucky, questing loupe blocks
    - tier_overrides.full.releases: plucky, questing thunderbird
      blocks (jammy still strips on armhf+riscv64; resolute keeps
      its strip)
  per-DE YAMLs (11 files): plucky and questing release blocks

Bianbu was already noble+resolute only; nothing to drop there.
Comments mentioning plucky/questing as historical context (e.g.
"pavumeter dropped in plucky") are kept — those are reference,
not active config.

Verified DESKTOP_SUPPORTED="yes" still for every kept release/arch
combo on xfce; "no" for plucky/questing as expected.

Knock-on: armbian/os#444 will drop the questing aptly configs
(chromium-aarch64-questing.conf, firefox-questing.conf,
thunderbird-questing.conf) since this PR removes their consumer.

Two real (release, arch) gaps for `code` (Microsoft VSCode) that
the apt.armbian.com expansion (armbian/os#444) doesn't fill:

- `riscv64` every release — Microsoft publishes no riscv64 build
  upstream, so apt.armbian.com cannot mirror one. Permanent
  arch-wide hole; uses the per-arch tier_overrides layer.
- `sid` every arch — Debian unstable is intentionally not tracked
  in apt.armbian.com (vendor debs may break against rolling base).
  Per-release strip across all four arches.

The other combos a code-review bot flagged (forky/jammy/resolute
for `code`; jammy/resolute amd64+arm64 for `thunderbird`) are
either covered by armbian/os#444 (apt.armbian.com expansion) or
already removed in #849 (plucky/questing drop) —
no further YAML changes needed for them. The BSP pin file at
packages/bsp/common/etc/apt/preferences.d/armbian forces
o=Armbian to priority 1001 over Ubuntu's 50, so the real
apt.armbian.com .debs win on every release/arch where they exist.

The desktop YAML lists chromium / firefox / thunderbird / chrome /
code / edge expecting apt.armbian.com to host them; for the
apt.armbian.com .deb to actually win over Ubuntu's snap-transitional
package, an apt pin needs to force priority over Ubuntu's archive.

Today that pin lives in the BSP at
packages/bsp/common/etc/apt/preferences.d/armbian. That file is a dpkg
conffile — once a user
has it on disk (even commented out, as the May-2023 → Feb-2026 era
ones are), `armbian-bsp-cli` upgrades preserve the local copy
instead of shipping the new one. Result on those systems: the pin
is inert and the snap-shim wins, exactly the symptom we just
debugged.

Fix: have armbian-config own the desktop apt pin instead, written
to a *distinct* path (/etc/apt/preferences.d/armbian-desktops) so
dpkg's conffile preservation is moot. The helper rewrites the
file on every `module_desktops install`, idempotent, atomic temp+mv.
Lands BEFORE pkg_update / pkg_install so apt resolves the desktop
package list with the right priority from the first invocation.

Pin block:

  Package: chromium chromium-* firefox firefox-esr firefox-l10n-* \
           thunderbird thunderbird-l10n-* google-chrome-stable \
           code microsoft-edge-stable
  Pin: release o=Armbian
  Pin-Priority: 1001              # 990 is not enough — the snap-
                                  # shim has a higher epoch, so 990
                                  # only upgrades; 1001 forces the
                                  # downgrade required to swap.

  Package: chromium chromium-* firefox firefox-esr firefox-l10n-* \
           thunderbird thunderbird-l10n-* google-chrome-stable
  Pin: release o=Ubuntu
  Pin-Priority: 50                # push the snap-shim below 500
                                  # so it's never auto-selected.

Non-fatal: a pin write failure warns and continues — apt without
the pin picks the wrong package but the install proceeds.

Build framework still needs to either invoke module_desktops
install at image build time, or write the same pin from its own
desktop hook, otherwise newly-built images would still get the
snap-shim. That's a separate change in the build repo.

@coderabbitai
Contributor

coderabbitai Bot commented Apr 13, 2026

Warning

Rate limit exceeded

@igorpecovnik has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 36 minutes and 16 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 57a7243 and 04de645.

📒 Files selected for processing (14)
  • tools/modules/desktops/module_desktops.sh
  • tools/modules/desktops/scripts/parse_desktop_yaml.py
  • tools/modules/desktops/yaml/budgie.yaml
  • tools/modules/desktops/yaml/cinnamon.yaml
  • tools/modules/desktops/yaml/common.yaml
  • tools/modules/desktops/yaml/deepin.yaml
  • tools/modules/desktops/yaml/enlightenment.yaml
  • tools/modules/desktops/yaml/gnome.yaml
  • tools/modules/desktops/yaml/i3-wm.yaml
  • tools/modules/desktops/yaml/kde-neon.yaml
  • tools/modules/desktops/yaml/kde-plasma.yaml
  • tools/modules/desktops/yaml/mate.yaml
  • tools/modules/desktops/yaml/xfce.yaml
  • tools/modules/desktops/yaml/xmonad.yaml

@github-actions github-actions Bot added 05 Milestone: Second quarter release size/large PR with 250 lines or more labels Apr 13, 2026
igorpecovnik added a commit to armbian/build that referenced this pull request Apr 13, 2026
…an-config

The pin block in this file (firefox / firefox-esr / thunderbird at
o=Armbian:1001, o=Ubuntu:50) is moving to armbian-config, which
will write /etc/apt/preferences.d/armbian-desktops on every
`module_desktops install` (see armbian/configng#850).

The build framework will install desktops via armbian-config going
forward, so the runtime helper covers both image-build time and
post-install upgrades. That gives the pin a single source of truth
in the configng repo (next to the YAML that lists the packages
the pin protects), and dodges the dpkg conffile preservation trap
that left this file commented-out and inert on systems built
between May 2023 and Feb 2026.

Existing systems with this file already deployed will keep it as
an orphan conffile — it does no harm because the priorities match
what armbian-config emits to the new -desktops file. The legacy
file can be cleaned up by users (or a later BSP postrm) if needed,
but does not need active removal.

The `code` (Microsoft VSCode) postinst asks interactively whether
to add Microsoft's apt repository so future updates flow through
apt-get. That blocks the install with a dialog and — if accepted —
adds a parallel apt source that races against the apt.armbian.com
pin (#850).

We don't want either: apt.armbian.com already hosts a current
`code` build and the runtime pin from #850 keeps it preferred.
Adding Microsoft's repo on top would let upgrades from there sneak
in whenever the version sorts higher than apt.armbian.com's.

Pre-seed `code/add-microsoft-repo boolean false` alongside the
existing encfs entry, switched from echo-pipe to a heredoc so adding
a third selection later doesn't get awkward.

…work

Symptom on a fresh GNOME install: Settings -> Printers shows
"Error: some settings cannot be unlocked" and the user can't add
or configure printers from the GUI.

Cause: the GNOME printer panel talks to cupsd over D-Bus and asks
polkit to authorize unlocking. The bridging package is
cups-pk-helper, and gnome.yaml deliberately omits the
system-config-printer dep that pulls it transitively
(gnome-control-center has its own printer panel and the comment notes
system-config-printer is "not needed" — true for the UI, not for
the polkit plumbing).

Other DEs (xfce, mate, cinnamon, budgie) ship system-config-printer
which depends on cups-pk-helper, so they're already covered. Adding
to common.yaml's mid tier rather than per-DE keeps the matrix
simple — it's a transparent no-op on DEs that already get it
transitively, and fixes GNOME and KDE in one line.

@igorpecovnik
Member Author

@copilot resolve the merge conflicts in this pull request

# Conflicts:
#	tools/modules/desktops/yaml/common.yaml

Co-authored-by: igorpecovnik <6281704+igorpecovnik@users.noreply.github.com>
Contributor

Copilot AI commented Apr 13, 2026

@copilot resolve the merge conflicts in this pull request

Resolved in 115d38e. Merged origin/main into the branch — the only conflict was in common.yaml (the cups-pk-helper line added by this PR was absent in main); resolved by keeping it. Syntax check passes.

@github-actions github-actions Bot added size/medium PR with more then 50 and less then 250 lines and removed size/large PR with 250 lines or more labels Apr 13, 2026
igorpecovnik added a commit that referenced this pull request Apr 13, 2026
igorpecovnik added a commit that referenced this pull request Apr 13, 2026
igorpecovnik added a commit to armbian/build that referenced this pull request Apr 14, 2026
…an-config
