aptsnapshottest.vs.mythic-beasts.com

A point-in-time Debian mirror snapshot service. Add a snapshot URL to your APT sources to pin packages to a specific date — useful for reproducible builds and controlled upgrades.

Usage

Create a file in /etc/apt/sources.list.d/ with a .sources extension. Two date formats are accepted:

Format	Example	Resolves to
Date only	`/20240115/`	Last snapshot taken on or before 2024-01-15
Full timestamp	`/20240115T143022Z/`	Last snapshot at or before 14:30:22 UTC on 2024-01-15
No date	`/`	Most recent snapshot available

Examples

Pin to the last snapshot of a specific day (/etc/apt/sources.list.d/snapshot.sources):

Types: deb
URIs: https://aptsnapshottest.vs.mythic-beasts.com/20260101
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/raspberrypi-archive-keyring.pgp

Pin to an exact snapshot by timestamp:

Types: deb
URIs: https://aptsnapshottest.vs.mythic-beasts.com/20260101T143022Z
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/raspberrypi-archive-keyring.pgp

Always use the latest snapshot:

Types: deb
URIs: https://aptsnapshottest.vs.mythic-beasts.com/
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/raspberrypi-archive-keyring.pgp

When pinning to a specific date, add Check-Valid-Until: no to the stanza above to suppress the "Release file expired" warning.

Package metadata API

A JSON API for looking up which snapshots contain a given package version (intended for reproducible-build tooling such as debrebuild and debootsnap):

GET /mr/timestamp                              # list snapshot timestamps
GET /mr/binary/<pkg>/                          # versions of a binary
GET /mr/binary/<pkg>/<ver>/binfiles            # per-arch SHA1 hashes
GET /mr/package/<src>/                         # versions of a source package
GET /mr/package/<src>/<ver>/srcfiles           # source-file SHA1 hashes
GET /mr/package/<src>/<ver>/binpackages        # binaries from a source
GET /mr/file/<hash>/info                       # path / size / first_seen

Append ?fileinfo=1 to binfiles or srcfiles to inline the /mr/file/<hash>/info block for every returned hash.

Example — list every indexed version of rpicam-apps:

$ curl -s https://aptsnapshottest.vs.mythic-beasts.com/mr/binary/rpicam-apps/ \
    | jq -r '.result[].binary_version'
1.9.1-1
1.9.0-1~bpo12+1
1.9.0-1
1.8.1-1~bookworm
...

Version availability API

A POST API for looking up the snapshot range over which a given package version was available (used by debootsnap to resolve Installed-Build-Depends against the archive):

POST /metasnap/api                             # multipart/form-data
  archive=pios
  arch=arm64                                   # default for unqualified pkgs
  pkgs=name[:arch]=ver[,name[:arch]=ver,...]

200 text/plain — one line per range:
  name arch version suite component begin_ts end_ts

Unmatched packages return HTTP 404 with one name arch version line per unmatched entry; clients retry with the matched subset.

Example — find which snapshot(s) carried rpicam-apps 1.4.1-1 on arm64:

$ curl -s -F archive=pios -F arch=arm64 \
       -F 'pkgs=rpicam-apps:arm64=1.4.1-1' \
       https://aptsnapshottest.vs.mythic-beasts.com/metasnap/api
rpicam-apps arm64 1.4.1-1 bookworm main 20231124T142243Z 20240130T120715Z

Reproducible builds with debootsnap

debootsnap bootstraps a reproducible build chroot from a .buildinfo file. To target this host alongside snapshot.debian.org for Debian build-depends, pass three flags — currently only available in a patched devscripts fork:

debootsnap --buildinfo=foo_1.2.3-1_arm64.buildinfo \
  --metasnap-url=https://aptsnapshottest.vs.mythic-beasts.com/metasnap/api \
  --archives=pios,debian \
  --snapshot-mirrors=pios=http://aptsnapshottest.vs.mythic-beasts.com/archive \
  output.tar

--metasnap-url points the metasnap probe at this host; queries with archive=debian* are transparently forwarded to metasnap.debian.net, so a mixed-archive .buildinfo resolves without per-archive routing on the client.
--archives adds pios to the archive iteration list (the upstream default is debian-only).
--snapshot-mirrors=pios=<host>/archive is the base URL for fetching .debs. The /archive suffix is required because debootsnap's in-process proxy cache (devscripts/proxy.py) only accepts paths under /archive/<archive>/<ts>/.... The http:// (not https://) scheme is required because the same proxy can't speak TLS — apt's Release signature check runs end-to-end, so the cleartext hop loses confidentiality only.

debrebuild accepts the same three flags and passes them through to debootsnap.

.buildinfo files for packages built into this archive are published at archive.raspberrypi.com/debian/buildinfo-pool/; a flat path index is at buildinfo-pool.list.

Available snapshots

Browse available snapshots · Recent changes (last 7 days)