pmb.config.apk_tools_min_version: support branches (MR 2015)

Support branches, so pmbootstrap won't fail if v20.05 is selected:
  ERROR: You have an outdated version of the 'apk' package manager installed
  (your version: 2.10.5-r1, expected at least: 2.12.1-r0).

Move the logic for this check to pmb.helpers.apk.check_outdated and
adjust the test.

This fixes the CI failure in test_crossdirect_rust, which uses the
stable channel. (My bad for not creating this patch earlier, while at
the same time explaining in the creating pmbootstrap release instructions,
that this minimum apk version should be adjusted.)

pmb/chroot/apk.py

@@ -78,13 +78,10 @@ def check_min_version(args, suffix="native"):
 
     # Compare
     version_installed = installed(args, suffix)["apk-tools"]["version"]
-    version_min = pmb.config.apk_tools_min_version
-    if pmb.parse.version.compare(version_installed, version_min) == -1:
-        raise RuntimeError("You have an outdated version of the 'apk' package"
-                           " manager installed (your version: " + version_installed +
-                           ", expected at least: " + version_min + "). Delete"
-                           " your http cache and zap all chroots, then try again:"
-                           " 'pmbootstrap zap -hc'")
+    pmb.helpers.apk.check_outdated(
+        args, version_installed,
+        "Delete your http cache and zap all chroots, then try again:"
+        " 'pmbootstrap zap -hc'")
 
     # Mark this suffix as checked
     args.cache["apk_min_version_checked"].append(suffix)

pmb/chroot/apk_static.py

@@ -153,16 +153,12 @@ def init(args):
                                             indexes=[apkindex])
     version = index_data["version"]
 
-    # Extract and verify the apk-tools-static version
-    version_min = pmb.config.apk_tools_min_version
-    apk_name = "apk-tools-static-" + version + ".apk"
-    if pmb.parse.version.compare(version, version_min) == -1:
-        raise RuntimeError("Your APKINDEX has an outdated version of"
-                           " apk-tools-static (your version: " + version +
-                           ", expected at least:" + version_min + "). Please" +
-                           " run 'pmbootstrap update'.")
+    # Verify the apk-tools-static version
+    pmb.helpers.apk.check_outdated(
+        args, version, "Run 'pmbootstrap update', then try again.")
 
     # Download, extract, verify apk-tools-static
+    apk_name = "apk-tools-static-" + version + ".apk"
     apk_static = download(args, apk_name)
     extract(args, version, apk_static)
 

pmb/config/__init__.py

@@ -19,10 +19,14 @@ version = "1.29.0"
 pmb_src = os.path.normpath(os.path.realpath(__file__) + "/../../..")
 apk_keys_path = pmb_src + "/pmb/data/keys"
 
+# apk-tools minimum version
+# https://pkgs.alpinelinux.org/packages?name=apk-tools&branch=edge
 # Update this frequently to prevent a MITM attack with an outdated version
-# (which may contain a vulnerable apk/libressl, and allows an attacker to
+# (which may contain a vulnerable apk/openssl, and allows an attacker to
 # exploit the system!)
-apk_tools_min_version = "2.12.1-r0"
+apk_tools_min_version = {"edge": "2.12.1-r0",
+                         "v3.13": "2.12.1-r0",
+                         "v3.12": "2.10.5-r1"}
 
 # postmarketOS aports compatibility (checked against "version" in pmaports.cfg)
 pmaports_min_version = "7"

pmb/helpers/apk.py

@@ -1,10 +1,12 @@
-# Copyright 2021 Johannes Marbach
+# Copyright 2021 Johannes Marbach, Oliver Smith
 # SPDX-License-Identifier: GPL-3.0-or-later
 import os
 
 import pmb.chroot.root
+import pmb.config.pmaports
 import pmb.helpers.cli
 import pmb.helpers.run
+import pmb.parse.version
 
 
 def _run(args, command, chroot=False, suffix="native", output="log"):
@@ -106,3 +108,26 @@ def apk_with_progress(args, command, chroot=False, suffix="native"):
             pmb.helpers.cli.progress_flush(args)
             pmb.helpers.run_core.check_return_code(args, p_apk.returncode,
                                                    log_msg)
+
+
+def check_outdated(args, version_installed, action_msg):
+    """
+    Check if the provided alpine version is outdated, depending on the alpine
+    mirrordir (edge, v3.12, ...) related to currently checked out pmaports
+    branch.
+
+    :param version_installed: currently installed apk version, e.g. "2.12.1-r0"
+    :param action_msg: string explaining what the user should do to resolve
+                       this
+    :raises: RuntimeError if the version is outdated
+    """
+    channel_cfg = pmb.config.pmaports.read_config_channel(args)
+    mirrordir_alpine = channel_cfg["mirrordir_alpine"]
+    version_min = pmb.config.apk_tools_min_version[mirrordir_alpine]
+
+    if pmb.parse.version.compare(version_installed, version_min) >= 0:
+        return
+
+    raise RuntimeError("Found an outdated version of the 'apk' package"
+                       f" manager ({version_installed}, expected at least:"
+                       f" {version_min}). {action_msg}")

test/test_apk_static.py

@@ -1,6 +1,7 @@
 # Copyright 2021 Oliver Smith
 # SPDX-License-Identifier: GPL-3.0-or-later
 import os
+import copy
 import sys
 import tarfile
 import glob
@@ -113,17 +114,16 @@ def test_signature_verification(args, tmpdir):
     assert "downgrade attack" in str(e.value)
 
 
-def test_outdated_version(args):
+def test_outdated_version(args, monkeypatch):
     if os.path.exists(args.work + "/apk.static"):
         os.remove(args.work + "/apk.static")
 
-    # change min version
-    min = pmb.config.apk_tools_min_version
-    pmb.config.apk_tools_min_version = "99.1.2-r1"
+    # Change min version for all branches
+    min_copy = copy.copy(pmb.config.apk_tools_min_version)
+    for key, old_ver in min_copy.items():
+        min_copy[key] = "99.1.2-r1"
+    monkeypatch.setattr(pmb.config, "apk_tools_min_version", min_copy)
 
     with pytest.raises(RuntimeError) as e:
         pmb.chroot.apk_static.init(args)
     assert "outdated version" in str(e.value)
-
-    # reset min version
-    pmb.config.apk_tools_min_version = min