@bazel_linux_packages//apt:extensions.bzl

Extension for downloading and extracting Debian/Ubuntu packages.

Usage

Place the following in your MODULE.bazel. Then:

run bazel run @busybox//:lock to create a lockfile and
run bazel run @busybox//:bin/busybox to download/extract the package and run the binary.

apt = use_extension("@bazel_linux_packages//apt:extensions.bzl", "apt")
apt.ubuntu(
    name = "busybox",
    lockfile = "//:focal.lock.json",
    packages = ["busybox"],
    suites = ["focal"],
)
use_repo(apt, "busybox")

Module Extensions

apt

Tag Classes

index_integrity

Optional tag to extend the list of integrity hashes for the package index URLs.

Attribute	Type	Description
`*integrities`	`dictionary: String → String`	URL -> integrity mapping for the package index URLs

source

Define a Debian/Ubuntu repository to download from.

The suites, architectures, components, uri parameters roughly follow
DEB822.
This allows you copy and adapt from the sources.list.

For example

Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie
Components: main
Architectures: amd64 armel

would be translated into

apt.source(
    ...
    architectures = ["amd64", "armel"],
    components = ["main"],
    suites = ["trixie"],
    uri = "http://deb.debian.org/debian",
    ...
)

It is strogly advised to use archive URLs to ensure stability of the
retrieved package index files to be able to re-generate the same lockfiles.

Multiple source() tags are allowed but need unique names.

Attribute	Type	Description
`*suites`	`list of strings`	Deb suites to download the packages from (see DEB822)
`architectures`	`list of strings`	Architectures for which to download the package lists (see DEB822) Default: `["amd64"]`
`components`	`list of strings`	Deb components to download the packages from (see DEB822) Default: `["main"]`
`*name`	`name`	Name of the generated repository
`*uri`	`string`	Deb mirror to download the packages from (see URIs in DEB822 but only allows what basel supports)

download

Download/extract a set of packages from the Ubuntu/Debian repositories.

The packages are only extracted, no install hooks will be executed.
In most cases you need to consider how to handle library paths. See the
Handle Library Paths for details.

The lockfile attribute is mandatory, but does not need to exist during the
initial setup. If the attribute is set to a non-existing file a mostly empty
repository that only exposes the target to copy the lockfile into the
workspace is created.

Attribute	Type	Description
`*name`	`name`	Base name of the generated repository
`*packages`	`list of strings`	Packages to download
`*lockfile`	`label`	The lock file to use for the index (it is fine for the file to not exist yet)
`resolve_transitive`	`boolean`	Whether dependencies of dependencies should be resolved and added to the lockfile. Default: `True`
`fix_rpath_with_patchelf`	`boolean`	Whether to fix the RPATH of executables/libraries using `patchelf` Default: `False`
`fix_relative_interpreter_with_patchelf`	`boolean`	Whether to fix the interpreter of executables using `patchelf` Only has an effect if `fix_rpath_with_patchelf` is set to `True`. Mutually exclusive with `fix_absolute_interpreter_with_patchelf`. Default: `False`
`fix_absolute_interpreter_with_patchelf`	`boolean`	Whether to absolutize the interpreter while fixing executables/libraries using `patchelf` Only has an effect if `fix_rpath_with_patchelf` is set to `True`. Mutually exclusive with `fix_relative_interpreter_with_patchelf`. Note that this will destroy remote-executability and cache-reuse across different systems if the path to the source/build directory is not exactly the same. Default: `False`
`patchelf_dirs`	`list of strings`	Paths to inspect for executable/library files to fix with `patchelf` Note that this will not recursively inspect subdirectories. "{arch}" will be replaced by the value as returned by `uname -m`). Default: `["lib/{arch}-linux-gnu", "usr/lib/{arch}-linux-gnu", "usr/bin"]`
`extra_patchelf_dirs`	`list of strings`	Additional paths to inspect for executable/library files to fix with `patchelf` Note that this will not recursively inspect subdirectories. "{arch}" will be replaced by the value as returned by `uname -m`). Default: `[]`
`add_files`	`dictionary: Strings → Label`	Experimental: add files to the install dir. The keys are paths into the install dir. The label may only refer to a single file. "{arch}" in keys will be replaced by the value as returned by `uname -m`). Default: `{}`
`post_install_cmd`	`dictionary: String → List of strings`	Experimental: run a command after the install. The keys are the unused, the values the command to run as given to `rctx.execute()`. Default: `{}`
`build_file`	`label`	Experimental: BUILD.bazel template for the generated install dir. Default: `"//apt:install.BUILD.bazel.tmpl"`
`glob_pattern`	`list of strings`	Experimental: `glob()` pattern for the default `build_file` template. Default: `["**"]`
`glob_excludes`	`list of strings`	Experimental: `glob()` pattern excludes for the default `build_file` template. Default: `["usr/share/man/**"]`
`*sources`	`list of strings`	Names of source() repositories to download packages from
`architectures`	`list of strings`	Architectures for which to create the install (defaults to architectures from `sources` if not given) Default: `[]`

ubuntu

Download/extract a set of packages from the Ubuntu/Debian repositories.

The packages are only extracted, no install hooks will be executed.
In most cases you need to consider how to handle library paths. See the
Handle Library Paths for details.

Define a Debian/Ubuntu repository to download from.

The suites, architectures, components, uri parameters roughly follow
DEB822.
This allows you copy and adapt from the sources.list.

For example

Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie
Components: main
Architectures: amd64 armel

would be translated into

apt.ubuntu(
    ...
    architectures = ["amd64", "armel"],
    components = ["main"],
    suites = ["trixie"],
    uri = "http://deb.debian.org/debian",
    ...
)

It is strogly advised to use archive URLs to ensure stability of the
retrieved package index files to be able to re-generate the same lockfiles.

Multiple ubuntu() tags are allowed but need unique names.

Attribute	Type	Description
`*name`	`name`	Base name of the generated repository
`*packages`	`list of strings`	Packages to download
`*lockfile`	`label`	The lock file to use for the index (it is fine for the file to not exist yet)
`resolve_transitive`	`boolean`	Whether dependencies of dependencies should be resolved and added to the lockfile. Default: `True`
`fix_rpath_with_patchelf`	`boolean`	Whether to fix the RPATH of executables/libraries using `patchelf` Default: `False`
`fix_relative_interpreter_with_patchelf`	`boolean`	Whether to fix the interpreter of executables using `patchelf` Only has an effect if `fix_rpath_with_patchelf` is set to `True`. Mutually exclusive with `fix_absolute_interpreter_with_patchelf`. Default: `False`
`fix_absolute_interpreter_with_patchelf`	`boolean`	Whether to absolutize the interpreter while fixing executables/libraries using `patchelf` Only has an effect if `fix_rpath_with_patchelf` is set to `True`. Mutually exclusive with `fix_relative_interpreter_with_patchelf`. Note that this will destroy remote-executability and cache-reuse across different systems if the path to the source/build directory is not exactly the same. Default: `False`
`patchelf_dirs`	`list of strings`	Paths to inspect for executable/library files to fix with `patchelf` Note that this will not recursively inspect subdirectories. "{arch}" will be replaced by the value as returned by `uname -m`). Default: `["lib/{arch}-linux-gnu", "usr/lib/{arch}-linux-gnu", "usr/bin"]`
`extra_patchelf_dirs`	`list of strings`	Additional paths to inspect for executable/library files to fix with `patchelf` Note that this will not recursively inspect subdirectories. "{arch}" will be replaced by the value as returned by `uname -m`). Default: `[]`
`add_files`	`dictionary: Strings → Label`	Experimental: add files to the install dir. The keys are paths into the install dir. The label may only refer to a single file. "{arch}" in keys will be replaced by the value as returned by `uname -m`). Default: `{}`
`post_install_cmd`	`dictionary: String → List of strings`	Experimental: run a command after the install. The keys are the unused, the values the command to run as given to `rctx.execute()`. Default: `{}`
`build_file`	`label`	Experimental: BUILD.bazel template for the generated install dir. Default: `"//apt:install.BUILD.bazel.tmpl"`
`glob_pattern`	`list of strings`	Experimental: `glob()` pattern for the default `build_file` template. Default: `["**"]`
`glob_excludes`	`list of strings`	Experimental: `glob()` pattern excludes for the default `build_file` template. Default: `["usr/share/man/**"]`
`*suites`	`list of strings`	Deb suites to download the packages from (see DEB822)
`architectures`	`list of strings`	Architectures for which to download the package lists (see DEB822) Default: `["amd64"]`
`components`	`list of strings`	Deb components to download the packages from (see DEB822) Default: `["main"]`
`uri`	`string`	Deb mirror to download the packages from (see URIs in DEB822 but only allows what basel supports) Default: `"https://snapshot.ubuntu.com/ubuntu/20250219T154000Z"`

debian

Download/extract a set of packages from the Ubuntu/Debian repositories.

The packages are only extracted, no install hooks will be executed.
In most cases you need to consider how to handle library paths. See the
Handle Library Paths for details.

Define a Debian/Ubuntu repository to download from.

The suites, architectures, components, uri parameters roughly follow
DEB822.
This allows you copy and adapt from the sources.list.

For example

Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie
Components: main
Architectures: amd64 armel

would be translated into

apt.debian(
    ...
    architectures = ["amd64", "armel"],
    components = ["main"],
    suites = ["trixie"],
    uri = "http://deb.debian.org/debian",
    ...
)

It is strogly advised to use archive URLs to ensure stability of the
retrieved package index files to be able to re-generate the same lockfiles.

Multiple debian() tags are allowed but need unique names.

Attribute	Type	Description
`*name`	`name`	Base name of the generated repository
`*packages`	`list of strings`	Packages to download
`*lockfile`	`label`	The lock file to use for the index (it is fine for the file to not exist yet)
`resolve_transitive`	`boolean`	Whether dependencies of dependencies should be resolved and added to the lockfile. Default: `True`
`fix_rpath_with_patchelf`	`boolean`	Whether to fix the RPATH of executables/libraries using `patchelf` Default: `False`
`fix_relative_interpreter_with_patchelf`	`boolean`	Whether to fix the interpreter of executables using `patchelf` Only has an effect if `fix_rpath_with_patchelf` is set to `True`. Mutually exclusive with `fix_absolute_interpreter_with_patchelf`. Default: `False`
`fix_absolute_interpreter_with_patchelf`	`boolean`	Whether to absolutize the interpreter while fixing executables/libraries using `patchelf` Only has an effect if `fix_rpath_with_patchelf` is set to `True`. Mutually exclusive with `fix_relative_interpreter_with_patchelf`. Note that this will destroy remote-executability and cache-reuse across different systems if the path to the source/build directory is not exactly the same. Default: `False`
`patchelf_dirs`	`list of strings`	Paths to inspect for executable/library files to fix with `patchelf` Note that this will not recursively inspect subdirectories. "{arch}" will be replaced by the value as returned by `uname -m`). Default: `["lib/{arch}-linux-gnu", "usr/lib/{arch}-linux-gnu", "usr/bin"]`
`extra_patchelf_dirs`	`list of strings`	Additional paths to inspect for executable/library files to fix with `patchelf` Note that this will not recursively inspect subdirectories. "{arch}" will be replaced by the value as returned by `uname -m`). Default: `[]`
`add_files`	`dictionary: Strings → Label`	Experimental: add files to the install dir. The keys are paths into the install dir. The label may only refer to a single file. "{arch}" in keys will be replaced by the value as returned by `uname -m`). Default: `{}`
`post_install_cmd`	`dictionary: String → List of strings`	Experimental: run a command after the install. The keys are the unused, the values the command to run as given to `rctx.execute()`. Default: `{}`
`build_file`	`label`	Experimental: BUILD.bazel template for the generated install dir. Default: `"//apt:install.BUILD.bazel.tmpl"`
`glob_pattern`	`list of strings`	Experimental: `glob()` pattern for the default `build_file` template. Default: `["**"]`
`glob_excludes`	`list of strings`	Experimental: `glob()` pattern excludes for the default `build_file` template. Default: `["usr/share/man/**"]`
`*suites`	`list of strings`	Deb suites to download the packages from (see DEB822)
`architectures`	`list of strings`	Architectures for which to download the package lists (see DEB822) Default: `["amd64"]`
`components`	`list of strings`	Deb components to download the packages from (see DEB822) Default: `["main"]`
`uri`	`string`	Deb mirror to download the packages from (see URIs in DEB822 but only allows what basel supports) Default: `"https://snapshot.debian.org/archive/debian/20250201T023325Z"`