debootsnap

I upgraded a system of a friend to bullseye and found an RC bug. To reproduce it, I needed to create a system with the exact same package versions from before the upgrade. Currently, we do not have a tool to which I can give a list of versioned packages and which will then download the packages from snapshot.d.o and create a chroot with those packages installed. Such a tool is also useful for debrebuild because we want to build the package with the exact package versions from the buildinfo file installed. So far, debrebuild used an ugly heuristic that estimated a "base release" from the base-files version and then upgraded to the right package versions. This method does not avoid downgrades since sometimes the versions in stable are newer than the versions in unstable due to security uploads.

I propose a new tool I call debootsnap (thanks to Adrian Bunk for coming up with that name) which can create a chroot from dpkg-query --showformat '${binary:Package}=${Version}\n' --show output and thus allows reproducing bugs or reproducing package builds. This is a WIP merge request because it requires a version of mmdebstrap that is not yet released due to bullseye being frozen right now. The mmdebstrap feature that debootsnap relies upon is the ability to install packages into the chroot using apt from outside the chroot because some chroots do not contain apt (for example buildinfo files do not contain apt).

I'm posting my current PoC for feedback. Thanks!

EDIT: In fact, for very large installations (several thousand packages) this also needs apt with a patch that currently only its author David Kalnischkies and I have. Again we have to wait for the bullseye release before this fix can land in unstable.

EDIT2: If you have a Debian stable system with some packages from unstable mixed in and with security updates and with *-dbg packages and packages from backports, send the output of dpkg-query --showformat '${binary:Package}=${Version}\n' --show to josch@debian.org so that I can use it as test input. Thanks!

EDIT3: debootsnap downloads *.deb packages from snapshot.d.o but doesn't use debsnap to do that. One reason is that debsnap is plainly downloading the archives without verifying their integrity against the Debian archive keyring. The other reason is that debsnap can only download a package at a time, which means we'd have to call it multiple times, which in turn makes it impossible to respect the throttling behaviour of snapshot.d.o. If you tell me how you'd like to see debsnap changed to support downloading multiple packages verified by gpg, I'll improve debsnap first and then let debootsnap make use of the new debsnap.

Edited by Johannes Schauer Marin Rodrigues
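
The integrity chain that EDIT3 refers to, as an added example that is not part of the merge request or of debootsnap's code: a pinned Package=Version entry is only trusted if the .deb matches the Packages index and that index matches the Release file. It assumes the Release file's signature was already checked against the Debian archive keyring (for example by apt or gpgv); all function names and sample data are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_pins(text):
    """Parse dpkg-query '${binary:Package}=${Version}' lines into {name: version}.
    Simplification: an ':arch' qualifier on the package name is dropped."""
    pins = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _, version = line.partition("=")  # versions cannot contain '='
        pins[name.split(":")[0]] = version
    return pins

def release_hashes(release_text):
    """Return {path: sha256} from the SHA256 section of a signature-checked Release."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, _size, path = line.split()
            out[path] = digest
    return out

def parse_packages(text):
    """Return {(Package, Version): fields} from a Packages index."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        index[(fields["Package"], fields["Version"])] = fields
    return index

def verify_deb(pins, release_text, pkg_path, pkg_bytes, name, deb_bytes):
    """Walk Release -> Packages -> .deb for the pinned version of `name`."""
    if release_hashes(release_text).get(pkg_path) != sha256(pkg_bytes):
        return "packages-index-mismatch"
    entry = parse_packages(pkg_bytes.decode()).get((name, pins[name]))
    if entry is None:
        return "version-not-in-index"
    if entry["SHA256"] != sha256(deb_bytes) or int(entry["Size"]) != len(deb_bytes):
        return "deb-mismatch"
    return "ok"

# Constructed sample data (not real archive contents).
DEB = b"constructed stand-in for hello_2.10-2_amd64.deb"
PACKAGES = (f"Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
PKG_PATH = "main/binary-amd64/Packages"
RELEASE = f"Suite: constructed\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {PKG_PATH}\n"
PINS = parse_pins("hello:amd64=2.10-2\n")
```
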
