I am fine with the idea but I think it is not really compatible with mirror rotation in pkg. We must download up to date data from mirror, otherwise apt will use stale data (because there is separate *_Release file for each mirror).

If other maintainers agree with this using this concept we can workaround it though.
We can define our own transport which will replace URL of server to the one defined in current selected mirror's file with simple sed command and fallback to regular https transport and it will work fine for all mirrors without explicitly doing pkg up for all of them since all of them will have a single *_Release file. In this case we will have immutable deb termux://server termux termux-main record in termux.list file and mirror selection will fully rely on the selected mirror symlink/record/other mechanism fully defined by pkg.

Also since we have full control on apt we can simply patch it to invoke DoUpdate + DoInstall after receiving 404 error. In this case we will be sure the user gave consent to installing packages and re-apply the consent to subsequent DoInstall invocation.

Or we could simply do a simple GET request to current mirror for reading first 200 bytes in Release file, compare it with the 200 first bytes of the current release file and ask user if they want to perform an update (in apt). Probably it is naive but it also a viable option, it breaks current UX though.

Also since we have full control on apt we can simply patch it to invoke DoUpdate + DoInstall after receiving 404 error. In this case we will be sure the user gave consent to installing packages and re-apply the consent to subsequent DoInstall invocation.

I think we should not patch apt (or pacman)'s behavior if it can be avoided.
Any deviation for the upstream default behaviors is a potential stumbling block for users.

Obligatory XKCD.

I am fine with the idea but I think it is not really compatible with mirror rotation in pkg. We must download up to date data from mirror, otherwise apt will use stale data

I will add some additional clarification. This is intended behavior in my idea here.

In my personal opinion, it is completely OK for apt to use stale data and continue to use the last selected mirror for as long as the packages can be successfully downloaded, until it is time for package cache to be updated and a full upgrade also performed.

You can see here that, when the failure to download the package during package installation is detected for any reason, which could also include the mirror being down, too slow, or a network outage (which can take many forms and can be partial), select_mirror is immediately run to select a new, accessible mirror (if the criteria within the select_mirror function, including its timeout, are met), and also the package cache is updated and a full upgrade is performed too.

I chose this because it is my personal belief that a mirror should implicitly be allowed to default to being used (just in pkg install specifically, I have left the original behavior of pkg upgrade unchanged here because I agree with the original behavior of pkg upgrade) for as long as it continues to remain online and accessible, if it was sufficiently up to date at the last time the device ran select_mirror.

If your opinion is different that the detection of the mirror outdatedness compared to the main mirror packages-cf.termux.dev needs to be run very regularly, for example after this PR:

• feat(scripts/pkg): filter out outdated mirrors #169

And that you believe pkg install should be included in always checking the mirror outdatedness, then what I can do here is, I can make the select_mirror timeout check happen in all pkg install situations (not only in the case of when the package failed to download on the first try), and if the current mirror's rotation has timed out, then proceed with select_mirror to select a mirror that is not outdated, and updating package cache, and updating all packages.

Also since we have full control on apt we can simply patch it to invoke DoUpdate + DoInstall after receiving 404 error. In this case we will be sure the user gave consent to installing packages and re-apply the consent to subsequent DoInstall invocation.

I would agree with this idea and it is fine in my opinion (note: my approval of the behavior of changes to apt internal code is conditional on my review when testing the changes to apt, to make sure what it would do is the same thing I am imagining now). However, I do not currently know how to implement that inside apt code, but I could try. I might have a little easier time doing the part of implementing it inside pacman code since I am a little more experienced with pacman internal code than apt.

Also, If you read the discussions above, originally I had a little bit more assumptions that the user gave consent, but I removed them in favor of complete interactive prompts at every possible step, because Tomjo2000 requested that all interactive prompts be kept.

We can define our own transport which will replace URL of server to the one defined in current selected mirror's file with simple sed command and fallback to regular https transport and it will work fine for all mirrors without explicitly doing pkg up for all of them since all of them will have a single *_Release file. In this case we will have immutable deb termux://server termux termux-main record in termux.list file and mirror selection will fully rely on the selected mirror symlink/record/other mechanism fully defined by pkg.

I am not very sure whether that would work because, if any mirror is not absolutely 100% up to date always, then it will not contain identical package versions to the versions in other mirrors, so it is not be possible to swap between mirrors like that without performing either a full upgrade (desired situation in this proposal) or a partial upgrade (undesired situation in this proposal). Maybe I do not exactly understand what you mean by this part though.

Or we could simply do a simple GET request to current mirror for reading first 200 bytes in Release file, compare it with the 200 first bytes of the current release file and ask user if they want to perform an update (in apt). Probably it is naive but it also a viable option, it breaks current UX though.

I do not fully understand this idea. By "current release file" do you mean a similar, second GET request to the main mirror packages-cf.termux.dev to compare with its release file? Or do you mean the local release file copy stored on the device?

In my personal opinion, it is completely OK for apt to use stale data and continue to use the last selected mirror for as long as the packages can be successfully downloaded, until it is time for package cache to be updated and a full upgrade also performed.

Apt stores separate local copies of Release files for every single mirror. So after rotating mirrors most likely Release file will be outdated by more that 6/12/24/48 hours because most likely a mirror was not used for a long time.

I do not fully understand this idea. By "current release file" do you mean a similar, second GET request to the main mirror packages-cf.termux.dev to compare with its release file? Or do you mean the local release file copy stored on the device?

Second GET request to obtain actual timestamp of current mirror because of the reason above.

Apt stores separate local copies of Release files for every single mirror. So after rotating mirrors most likely Release file will be outdated by more that 6/12/24/48 hours because most likely a mirror was not used for a long time.

What I mean is that in the proposal shown here, just as before (except without checking the metadata files or timeout anymore that I mentioned at the start of the PR description), the package cache is always updated immediately after the select_mirror function is run, which downloads new release files anyway. So, by "last selected mirror", I mean that in this proposal, the same mirror is used for potentially a long time without rotating it, and then the way that it is determined that select_mirror should be run is in three cases:

1. the first apt install during pkg install produced an error, and it is determined from the error message that select_mirror and updating package cache and updating all packages has a reasonable chance to help fix the error.
2. the user used pkg update which is an explicit command to update package cache (not an implicit one)
3. the user used pkg upgrade which is an explicit full upgrade

I realized I forgot to close fd 3 in the codepath where execution is returned to the case statement which called handle_install_*, so the change I made just now fixes that.

The logic around individual install ops in the top comment makes some sense to me, and I'm (obviously) motivated by the goal of not doing things in common paths that are known to be dangerous. :)

Just thinking out loud for now, not voting either way. Other goals that are important to us and maybe don't interact well with this proposal:

1. We're talking elsewhere about mirror availability and performance, and the best card in our hand at the moment is the assumption that after 6h, most pkg ops will result in a fresh choice of mirror, which doesn't seem separable from a metadata update. The logic in this proposal would say that we also need to do an upgrade/-Su everytime there's a metadata update. Seems like the difference between this proposal and the clumsier "just translate every install into an update+upgrade/Syu would only exist in 6h periods after the first op, and it won't actually be different from the clumsy answer in practice for casual/infrequent usage, which is probably the common case?

2. One of my least favorite categories of user issue is when someone runs a long package install, switches to another app because it's boring, and ends up with broken packages/package management because Android killed termux and left things in an inconsistent state. It's difficult for us to diagnose (users often don't realize this is a risk), difficult to fix (it can break almost anything), and I think it's much more common than real breakage caused by partial updates. So I'm wary of increasing the risk of bored users by increasing the wall time required to do common package ops.

3. Both in conversational support and in READMEs, we're used to being able to say pkg i $whatever and assume that if pkg succeeds, the user has a pretty recent version of $whatever installed. This isn't really different if we implement your proposal as currently written - the resulting installed packages would tend to be staler, but I think they're still capped at 6h of staleness for metadata reasons. But if you took a more aggressive approach to addressing 1), you might introduce more of a risk here. It would not be great if we lost the assumption of recency from "okay now pkg i it" -> "okay it worked".

The logic in this proposal would say that we also need to do an upgrade/-Su everytime there's a metadata update. Seems like the difference between this proposal and the clumsier "just translate every install into an update+upgrade/Syu would only exist in 6h periods after the first op, and it won't actually be different from the clumsy answer in practice for casual/infrequent usage, which is probably the common case?

Correct except for the "6h period" part, I don't think there is any enforced "6h period" involved here in this version of this proposal except for the time between rotating mirrors, which is not modified here, with the exception that this proposes to not rotate mirrors during pkg install operations unless the package cache is missing, or outdated relative to the current mirror.

This proposal is designed to provide users of pkg an imitation of my own behavior while using the package managers of rolling-release distros before and after Termux came to exist:

1. Try to install package without updating package cache
2. If the package installs successfully, it means that the package cache with relation to this package and all its dependencies is sufficiently up-to-date to the degree that the mirror still contains the cached versions of all needed packages, so no further action is necessary
3. If the package failed to install because of a missing or outdated package cache, that means that it is time to perform a package cache update and a full upgrade, because partial upgrades are not reliable on rolling-release distros.

One of my least favorite categories of user issue is when someone runs a long package install, switches to another app because it's boring, and ends up with broken packages/package management because Android killed termux and left things in an inconsistent state... I think it's much more common than real breakage caused by partial updates.

I personally disagree. In my opinion, errors caused by partial updates are more common than errors caused by interrupted updates, but it could just be that I've personally seen more errors caused by partial updates, and you've personally seen more errors caused by interrupted updates. It's hard to gather evidence to identify which type of error is objectively more common. There is, however, the factor in support of my position that, if all intended package operations complete successfully, then if implicit partial updates are invoked repeatedly, an error will always eventually happen to at least one package, but if implicit partial updates are disallowed, then all user-side dependency-related errors are prevented.

the resulting installed packages would tend to be staler, but I think they're still capped at 6h of staleness for metadata reasons.

Not quite correct - this proposal would introduce the behavior that, if someone types pkg install and the package is already installed (but a potentially old version if they have not used pkg upgrade in a long time), then nothing will happen. If the package is not already installed, then in that case, the package age would not be capped at "6h of staleness", it would be capped at "the age of the package in the current mirror or, should the package cache be outdated, the next mirror according to the mirror rotation logic", because if the package fails to download from the mirror (due to the package cache being outdated), the mirror rotation logic would be run, then the package cache updated, then a full upgrade performed, then the package installed from the next mirror.

It would not be great if we lost the assumption of recency from "okay now pkg i it" -> "okay it worked".

Correct, this proposal introduces a behavior where if someone types pkg install and the package is already installed, then nothing will happen (because the package will remain at the current, possibly-outdated version). If this proposal were accepted, then after it deployed, people offering support would have to realize that pkg install does not guarantee an updated package cache anymore, and that the only command to guarantee a fully up-to-date Termux installation is pkg upgrade (true anyway regardless of this proposal, because updating the package cache and then installing packages without performing a full upgrade is a partial upgrade, which does not guarantee a fully up-to-date Termux installation).

General message for readers here:

I have tried to explain every detail of the proposed changes in a precise way through the commit message and my responses here,

but despite that, I believe that the full extent of the subtle changes in the behavior of the pkg install command that this would cause is not easy to realize just from reading my messages, particularly because of how different the behavior is from the behavior that Termux currently has, and has had for a long time.

If anyone is confused about what these changes would mean for them, I encourage them to consider installing and testing this PR on a temporary Termux installation, such as an installation on a test device, an Android virtual device, or a termux-docker container, so that they can experience the changes firsthand and compare with their expectations and preferences of how they believe Termux pkg install should behave.

I don't think there is any enforced "6h period" involved here in this version of this proposal except for the time between rotating mirrors, which is not modified here

Sorry, wasn't saying there was. I meant that in the other discussions, in today's pkg, we are significantly depending on the assumption that if select_mirror makes a bad choice, it only holds onto it for 6h. (I am taking others at their word that it works that way - haven't had a chance to familiarize myself with that code yet.)

it could just be that I've personally seen more errors caused by partial updates, and you've personally seen more errors caused by interrupted updates. It's hard to gather evidence to identify which type of error is objectively more common.

To be clear, I'm reporting my experience of other people's problems in the discord/matrix, not my own. :) apt-getting-killed feels like it comes up every month or three, is independent of changes or lack of changes to repo state, and is largely independent of user behavior. (It doesn't matter a ton if you have lots of packages or any specific packages or an old install or run upgrades frequently/rarely/through any specific path - you just have background Termux mid-update, which is a natural thing to do.) The partial update problem, and particularly the version of the partial update problem that isn't trivially fixed by a pkg up, has happened to anyone in a way that made it into my field of view, I wanna say, twice?

I agree that it's a problem worth fixing! But I'm worried about worsening something that's in the first few pages of my playbook for "someone says their shit is broken".

Not quite correct - this proposal would introduce the behavior...

I think we're saying the same thing here, but I didn't do a great job explaining it. One of the sources of package staleness is metadata staleness; I think your proposal will increase the average, but not the tail, contribution of metadata staleness to overall staleness, as long as we don't mess with the behavior of only holding mirror choices for 6h. That's not a problem.

Mentioning this because thinking through this proposal seems to create an incentive to mess with that behavior, and doing so has negatives for the way we do support communications and write instructions.

General message for readers here:

I think I'm following, but if you'd like to develop this further and build some consensus, I recommend adding a "what would change / what wouldn't change" to the top comment. I mean that in the broad sense: software behavior, UX, assumptions we can/can't have about the world. This is a thorny space and it'll help to get that front and center.

To be clear, I'm reporting my experience of other people's problems in the discord/matrix, not my own.
The partial update problem, and particularly the version of the partial update problem that isn't trivially fixed by a pkg up, has happened to anyone in a way that made it into my field of view, I wanna say, twice?

My guess is that the discrepancy we're seeing is because partial upgrade errors may be more commonly reported in GitHub Issues, while interrupted upgrade errors may be more commonly reported in Discord/Matrix.

In messages above this, I didn't want to basically "spam ping" in GitHub by saying something like "fixes all of these", because what I'm about to do will GitHub-ping all subscribers to these issues, but the topic has more or less been forced, so doing so now:

• [Bug]: CANNOT LINK EXECUTABLE "apt": library "liblz4.so.1" not found: needed by /data/data/com.termux/files/usr/lib/libapt-pkg.so in namespace (default) termux-packages#23861
• [Bug]: missing versioned dependency from gpgme to libassuan termux-packages#24015
• [Bug]: CANNOT LINK EXECUTABLE "apt": library "liblz4.so.1" not found: needed by /data/data/com.termux/files/usr/lib/libapt-pkg.so in namespace (default) termux-packages#20944
• [Bug]: Install python arcade on Termux app failed termux-packages#24325
• Swift broken termux-packages#21187
• [Bug]: python-torch installation is broken termux-packages#24728
• [Bug]:  termux-packages#14926
• [Bug]: faild to install openssh  termux-packages#15200
• 0% [working]:  termux-packages#15357
• [Package]: libcrypto missing from ssh install - Solution: pkg install openssl termux-packages#20276
• [Bug]: CANNOT LINK EXECUTABLE "hugo": cannot locate symbol "_ZTVNSt6_ndk119basic_ostrxxx" termux-packages#21633

Issue list collected from searches like this: https://github.com/termux/termux-packages/issues?q=label%3Anot-bug%20is%3Aclosed%20CANNOT%20LINK%20EXECUTABLE

It's a bit hard to separate out issues that this proposal would actually fix from ones that have other causes (limited information provided, real dependency bug, mirror partially synced, revision-bumps still building in CI, interrupted upgrade), but ones where termux-info is provided, and does not show "All packages are up to date", can confidently be assumed to have been preventable by the changes in this proposal.

I recommend adding a "what would change / what wouldn't change" to the top comment. I mean that in the broad sense: software behavior, UX, assumptions we can/can't have about the world. This is a thorny space and it'll help to get that front and center.

Noted, like you suggest, I could probably think of a clearer way to summarize the changes with phrasing that fits under headings "what would change" and "what wouldn't change" for easier understanding. I'll work on writing that.

"What would change" and "What wouldn't change" summaries are now added to the description of the PR.

I think we're saying the same thing here, but I didn't do a great job explaining it. One of the sources of package staleness is metadata staleness; I think your proposal will increase the average, but not the tail, contribution of metadata staleness to overall staleness, as long as we don't mess with the behavior of only holding mirror choices for 6h. That's not a problem.

If I am understanding the concern you are talking about here correctly, I believe I can provide a worst-case scenario example of what would become possible after the changes proposed here.

In a worst-case scenario of what you describe, what would become possible is this:

1. Someone installs a package, and their package cache is outdated relative to their current mirror, and it has been more than 6 hours, or they perform a package upgrade,
2. so mirror rotation is run and a mirror from termux-tools' builtin mirrorlist that for the purposes of this example, is assumed to be valid and up-to-date at the time it is first selected, is selected, and used to install packages
3. The person continues to use Termux and install packages, and they don't use pkg upgrade, instead they continue to install packages successfully using their current mirror and package cache, which remain matched to each other for as long as the mirror does not sync with a Termux main mirror on the mirror's side.
4. The mirror, which for the purposes of this example is assumed to have been up-to-date and valid at the moment that it was selected by the mirror rotation, gradually becomes outdated because it either has not been synchronized in a long time, or it has become stale and its operator is no longer performing synchronizations of it with a Termux main mirror.
5. The person continues to install packages and use Termux, but since they never use pkg upgrade explicitly, and the mirror continues to not receive any bumps of any packages, their mirror is never automatically rotated, they are receiving outdated Termux packages, and they are not necessarily aware of this.

This is essentially one of the intended behaviors of the current design of this proposal, because I personally have a belief that if a mirror was not stale when it was initially rotated to, and the user does not ever experience any errors nor perform an explicit pkg upgrade command, then the mirror becoming stale and serving outdated packages is possibly a situation desired by that user (this seems like a confusing assumption to make, but the key part of this for me is that the user's avoidance of the pkg upgrade command could imply that they might actually be trying to avoid upgrading their packages and avoid rotating away from their current mirror, and I propose that these changes should not impose mirror rotations or package upgrades on a user who appears to be doing that unless a package download error actually occurs because of their actions, at which point the handler of mirror rotation and package cache update and full upgrading takes over)

However, if this part of the proposal is disliked, this could be resolved and avoided by changing this proposal in a way that I mentioned in one of my earlier comments. Quoting what I said above:

If you believe pkg install should be included in always checking the mirror outdatedness, then what I can do here is, I can make the select_mirror timeout check happen in all pkg install situations (not only in the case of when the package failed to download on the first try), and if the current mirror's rotation has timed out, then proceed with select_mirror to select a mirror that is not outdated, and updating package cache, and updating all packages.