Content-Type: multipart/alternative;
 boundary="------------6fkfPjf6cmgJVVpOX8qSNkPM"
Message-ID: <964e72f1-89aa-4512-9d7a-ec722165d291@Data-Bene.io>
Date: Tue, 21 Jan 2025 10:26:00 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: deb package sizes
To: Magnus Hagander <magnus@hagander.net>, =?UTF-8?B?w4FsdmFybyBIZXJuw6Fu?=
 =?UTF-8?Q?dez?= <aht@ongres.com>
Cc: Jeremy Schneider <schneider@ardentperf.com>,
 Christoph Berg <myon@debian.org>, pgsql-pkg-debian@lists.postgresql.org
References: <20250109005301.3b145092@jeremy-ThinkPad-T430s>
 <Z3-RzHXhWeQkSFU7@msg.df7cb.de>
 <bf542776-4c08-403b-9353-ed2bb3579589@ongres.com>
 <20250109090845.24e1df6e@jeremy-ThinkPad-T430s>
 <bc8a4c35-7190-48f0-aa7c-f816cf9b0615@ongres.com>
 <CABUevEzt5sF7tcn6=WVW8PTCfrf9qzmHicxN3mt37Th1kwfZHQ@mail.gmail.com>
Content-Language: en-US
From: =?UTF-8?Q?C=C3=A9dric_Villemain?= <Cedric.Villemain@Data-Bene.io>
Organization: Data Bene
In-Reply-To: 
 <CABUevEzt5sF7tcn6=WVW8PTCfrf9qzmHicxN3mt37Th1kwfZHQ@mail.gmail.com>
Archived-At: 
 <https://www.postgresql.org/message-id/964e72f1-89aa-4512-9d7a-ec722165d291%40Data-Bene.io>
Precedence: bulk

This is a multi-part message in MIME format.
--------------6fkfPjf6cmgJVVpOX8qSNkPM
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit


On 10/01/2025 10:52, Magnus Hagander wrote:
> On Thu, Jan 9, 2025 at 11:40 PM Álvaro Hernández <aht@ongres.com> wrote:
>
>
>
>     On 9/1/25 18:08, Jeremy Schneider wrote:
>>     On Thu, 9 Jan 2025 17:06:57 +0100
>>     Álvaro Hernández<aht@ongres.com> <mailto:aht@ongres.com> wrote:
>>
>>>     On 9/1/25 10:07, Christoph Berg wrote:
>>>>     Re: Jeremy Schneider
>>>>>     I'm wondering if there might be any support for providing a
>>>>>     "postgresql-slim" package on PGDG which excludes llvm and python? I
>>>>>     think this might almost cut the total install size in half, and I
>>>>>     think there might be many users who would value having the option.
>>>>>       
>>>>     Hi,
>>>>
>>>>     could you explain why 250 MB is too much? Disk space these days is
>>>>     ultra cheap
>>>           Hi Christoph.
>>>
>>>           Container images allow (are meant to) contain only the necessary
>>>     files needed to run the process that will be run when the image is
>>>     run. As such, any additional file poses two main problems:
>>>
>>>     * Disk space is cheap. Bandwidth not so much. Time to start a
>>>
>>>     * Security analysis. Unneeded files (specially binaries, but not
>>     Another concern is the impact of image rebuilds as dependencies are
>>     updated. Tianon (a primary maintainer of the docker images) has noted
>>     that they limit frequency of the debian base containers, because every
>>     rebuild of the base container triggers an avalance of downstream
>>     rebuilds. CNPG was doing daily rebuilds for awhile, and every time any
>>     python dependency was updated you'd get a new image - boto3 was
>>     notorious for very frequent updates. So with a different image version
>>     for every day, a single server running multiple copies of postgres might
>>     easily end up with multiple image versions on the server as copies are
>>     slowly updated.
>
>         I see this as a symptom of a different, bigger issue: that
>     package versions, and all transitive dependencies, should be
>     version pinned when building container images. I haven't seen too
>     many examples of taking the effort to do this. But it's the only
>     way to have a way to re-run building images and guarantee outputs
>     that are reproducible. Once you have this in place, you can decide
>     how and when you upgrade which versions.
>
>
> I'm guessing most container builders are just not interested in doing 
> that much work. It's easier to just "always upgrade", but as noted 
> that comes with a whole different set of problems. It's only really 
> feasible if you manage to first reduce the set of dependencies 
> substantially.
>
>
>         Actually, even version pinning is not enough, unless the
>     package system guarantees that a version of a package is strictly
>     immutable (and AFAIK this is usually not the case). So digest
>     pinning is essentially required.
>
>
> Debian (as this was talking about it) is actually doing a very good 
> job ot that these days, though they're not there all the way. But 
> https://tests.reproducible-builds.org/debian/reproducible.htmlshows 
> they're doing really well.


Also on debian.net : https://amd64.reproduce.debian.net/#postgresql-17 
for "non fancy" webpage.


There was a talk on this very topic, at minidebconf recently (by kpcyrd):

https://toulouse2024.mini.debconf.org/talks/4-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg/

"Since about a month we’ve also been rebuilding trying to exactly match 
the builds being distributed via ftp.d.o - this talk will describe the 
setup and the lessons learned so far, and why the results currently are 
what they are (spoiler: less <30% reproducible) and what we can do to 
fix that."

And rebuilderd is surely of interest for people willing to work on 
reproducible builds: https://github.com/kpcyrd/rebuilderd

  
---
Cédric Villemain +33 6 20 30 22 52
https://www.Data-Bene.io
PostgreSQL Support, Expertise, Training, R&D

--------------6fkfPjf6cmgJVVpOX8qSNkPM
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 10/01/2025 10:52, Magnus Hagander
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CABUevEzt5sF7tcn6=WVW8PTCfrf9qzmHicxN3mt37Th1kwfZHQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">On Thu, Jan 9, 2025 at 11:40 PM Álvaro Hernández
          &lt;<a href="mailto:aht@ongres.com" moz-do-not-send="true"
            class="moz-txt-link-freetext">aht@ongres.com</a>&gt; wrote:</div>
        <div class="gmail_quote gmail_quote_container">
          <blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div> <br>
              <br>
              <div>On 9/1/25 18:08, Jeremy Schneider wrote:<br>
              </div>
              <blockquote type="cite">
                <pre>On Thu, 9 Jan 2025 17:06:57 +0100
Álvaro Hernández <a href="mailto:aht@ongres.com" target="_blank"
                moz-do-not-send="true">&lt;aht@ongres.com&gt;</a> wrote:

</pre>
                <blockquote type="cite">
                  <pre>On 9/1/25 10:07, Christoph Berg wrote:
</pre>
                  <blockquote type="cite">
                    <pre>Re: Jeremy Schneider  
</pre>
                    <blockquote type="cite">
                      <pre>I'm wondering if there might be any support for providing a
"postgresql-slim" package on PGDG which excludes llvm and python? I
think this might almost cut the total install size in half, and I
think there might be many users who would value having the option.
 
</pre>
                    </blockquote>
                    <pre>Hi,

could you explain why 250 MB is too much? Disk space these days is
ultra cheap  
</pre>
                  </blockquote>
                  <pre>     Hi Christoph.

     Container images allow (are meant to) contain only the necessary 
files needed to run the process that will be run when the image is
run. As such, any additional file poses two main problems:

* Disk space is cheap. Bandwidth not so much. Time to start a

* Security analysis. Unneeded files (specially binaries, but not
</pre>
                </blockquote>
                <pre>Another concern is the impact of image rebuilds as dependencies are
updated. Tianon (a primary maintainer of the docker images) has noted
that they limit frequency of the debian base containers, because every
rebuild of the base container triggers an avalance of downstream
rebuilds. CNPG was doing daily rebuilds for awhile, and every time any
python dependency was updated you'd get a new image - boto3 was
notorious for very frequent updates. So with a different image version
for every day, a single server running multiple copies of postgres might
easily end up with multiple image versions on the server as copies are
slowly updated.</pre>
              </blockquote>
              <br>
                  I see this as a symptom of a different, bigger issue:
              that package versions, and all transitive dependencies,
              should be version pinned when building container images. I
              haven't seen too many examples of taking the effort to do
              this. But it's the only way to have a way to re-run
              building images and guarantee outputs that are
              reproducible. Once you have this in place, you can decide
              how and when you upgrade which versions.<br>
            </div>
          </blockquote>
          <div><br>
          </div>
          <div>I'm guessing most container builders are just not
            interested in doing that much work. It's easier to just
            "always upgrade", but as noted that comes with a whole
            different set of problems. It's only really feasible if you
            manage to first reduce the set of dependencies
            substantially.</div>
          <div><br>
          </div>
          <div> </div>
          <blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div> <br>
                  Actually, even version pinning is not enough, unless
              the package system guarantees that a version of a package
              is strictly immutable (and AFAIK this is usually not the
              case). So digest pinning is essentially required.<br>
            </div>
          </blockquote>
          <div><br>
          </div>
          <div>Debian (as this was talking about it) is actually doing a
            very good job ot that these days, though they're not there
            all the way. But <a
href="https://tests.reproducible-builds.org/debian/reproducible.htmlshows"
              moz-do-not-send="true" class="moz-txt-link-freetext">https://tests.reproducible-builds.org/debian/reproducible.htmlshows</a>
            they're doing really well. <br>
          </div>
        </div>
      </div>
    </blockquote>
    <p><br>
    </p>
    <p>Also on debian.net :
      <a class="moz-txt-link-freetext" href="https://amd64.reproduce.debian.net/#postgresql-17">https://amd64.reproduce.debian.net/#postgresql-17</a> for "non fancy"
      webpage.<br>
    </p>
    <p><br>
    </p>
    <p>There was a talk on this very topic, at minidebconf recently (by
      kpcyrd):</p>
    <p> <a class="moz-txt-link-freetext" href="https://toulouse2024.mini.debconf.org/talks/4-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg/">https://toulouse2024.mini.debconf.org/talks/4-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg/</a><br>
    </p>
    "Since about a month we’ve also been rebuilding trying to exactly
    match the builds being distributed via ftp.d.o - this talk will
    describe the setup and the lessons learned so far, and why the
    results currently are what they are (spoiler: less &lt;30%
    reproducible) and what we can do to fix that."<br>
    <br>
    And rebuilderd is surely of interest for people willing to work on
    reproducible builds: <a class="moz-txt-link-freetext" href="https://github.com/kpcyrd/rebuilderd">https://github.com/kpcyrd/rebuilderd</a><br>
    <pre class="moz-signature" cols="72"> 

---
Cédric Villemain +33 6 20 30 22 52
<a class="moz-txt-link-freetext" href="https://www.Data-Bene.io">https://www.Data-Bene.io</a>
PostgreSQL Support, Expertise, Training, R&amp;D</pre>
  </body>
</html>

--------------6fkfPjf6cmgJVVpOX8qSNkPM--