# πŸ”„ **apt-ostree Package Override System Architecture** ## πŸ“‹ **Overview** This document outlines the package override system architecture for apt-ostree, based on analysis of how rpm-ostree implements package overrides, base package replacement, and package customization. The override system allows users to replace base packages with custom versions while maintaining system integrity. ## πŸ”— **Related Documents** - **Core Architecture**: [Overview](overview.md) | [CLI-Daemon Separation](cli-daemon-separation.md) - **Package Management**: [APT Integration](apt-library-analysis.md) | [Package Overrides](package-overrides.md) - **System Operations**: [Transaction System](transaction-system.md) | [Live Updates](live-updates.md) - **Security**: [Responsibility Analysis](responsibility-analysis.md) | [Error Handling](error-handling-analysis.md) ## πŸ—οΈ **Architecture Overview** ### **Component Separation** ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ CLI Client β”‚ β”‚ Rust Core β”‚ β”‚ Rust Daemon β”‚ β”‚ (apt-ostree) │◄──►│ (DBus) │◄──►│ (aptostreed) β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β€’ override β”‚ β”‚ β€’ Client Logic β”‚ β”‚ β€’ Override β”‚ β”‚ β€’ reset β”‚ β”‚ β€’ DBus Client β”‚ β”‚ β€’ Package β”‚ β”‚ β€’ list β”‚ β”‚ β€’ Override Mgmt β”‚ β”‚ β€’ State Mgmt β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` ### **Responsibility Distribution** #### **CLI Client (`apt-ostree`)** - **Command parsing** for override subcommands - **User interface** and override management - **DBus communication** with daemon - **Override validation** and processing #### **Daemon (`apt-ostreed`)** - **Override application** and management - **Package replacement** and installation - **Override state** persistence - **Conflict resolution** and validation ## πŸ” **rpm-ostree Implementation Analysis** ### **Override Commands Structure** Based on `rpmostree-builtin-override.cxx`, rpm-ostree provides these override subcommands: ```c static RpmOstreeCommand override_subcommands[] = { { "replace", RPM_OSTREE_BUILTIN_FLAG_REQUIRES_ROOT, "Replace a base package with a different version", rpmostree_override_builtin_replace }, { "reset", RPM_OSTREE_BUILTIN_FLAG_REQUIRES_ROOT, "Reset a package override to base version", rpmostree_override_builtin_reset }, { "list", RPM_OSTREE_BUILTIN_FLAG_LOCAL_CMD, "List current package overrides", rpmostree_override_builtin_list }, { NULL, (RpmOstreeBuiltinFlags)0, NULL, NULL } }; ``` ### **Key Insights from rpm-ostree** 1. **Package Replacement**: Can replace base packages with different versions 2. **Override Persistence**: Overrides are stored and persist across deployments 3. **Conflict Resolution**: Handles package conflicts and dependencies 4. **Reset Capability**: Can restore packages to base versions ## πŸš€ **apt-ostree Implementation Strategy** ### **1. CLI Command Structure** ```rust // src/main.rs - Override command handling async fn override_commands(args: &[String]) -> AptOstreeResult<()> { if args.is_empty() { show_override_help(); return Ok(()); } let subcommand = &args[0]; match subcommand.as_str() { "replace" => override_replace(&args[1..]).await?, "reset" => override_reset(&args[1..]).await?, "list" => override_list(&args[1..]).await?, _ => { println!("❌ Unknown override subcommand: {}", subcommand); show_override_help(); } } Ok(()) } ``` ### **2. Package Override System** #### **Core Override Manager** ```rust // src/override/override_manager.rs pub struct OverrideManager { ostree_manager: Arc, apt_manager: Arc, override_store: Arc>, security_manager: Arc, } impl OverrideManager { pub async fn replace_package( &self, package_name: &str, new_version: &str, user_id: u32, session_id: String, ) -> Result { // Validate package override request self.validate_override_request(package_name, new_version).await?; // Check user authorization self.security_manager .authorize_package_override(package_name, user_id) .await?; // Get current deployment let current_deployment = self.ostree_manager.get_booted_deployment().await?; // Create staging deployment let staging_ref = self.ostree_manager.create_staging_deployment().await?; // Remove base package from staging self.remove_base_package_from_staging(&staging_ref, package_name).await?; // Install new package version to staging let package_info = self.apt_manager .get_package_info(package_name, new_version) .await?; self.install_package_to_staging(&staging_ref, &package_info).await?; // Resolve and install dependencies let dependencies = self.apt_manager .resolve_package_dependencies(&package_info) .await?; for dependency in &dependencies { self.install_package_to_staging(&staging_ref, dependency).await?; } // Execute package scripts self.execute_package_scripts(&staging_ref, &[package_info.clone()]).await?; // Commit staging deployment let commit_hash = self.ostree_manager.commit_staging_deployment( &staging_ref, &format!("Override package: {} -> {}", package_name, new_version), ).await?; // Update boot configuration self.ostree_manager.set_default_deployment(&commit_hash).await?; // Store override information let override_info = PackageOverride { package_name: package_name.to_string(), base_version: self.get_base_package_version(package_name).await?, override_version: new_version.to_string(), user_id, session_id, created_at: chrono::Utc::now(), commit_hash: commit_hash.clone(), }; self.override_store .write() .await .add_override(override_info) .await?; Ok(OverrideResult::Success { message: format!("Package {} overridden to version {}", package_name, new_version), commit_hash, details: Some(format!("Base version: {}", override_info.base_version)), }) } pub async fn reset_package( &self, package_name: &str, user_id: u32, session_id: String, ) -> Result { // Check if package has an override let override_info = self.override_store .read() .await .get_override(package_name) .await?; if override_info.is_none() { return Err(Error::NoOverrideFound(package_name.to_string())); } let override_info = override_info.unwrap(); // Check user authorization self.security_manager .authorize_package_override(package_name, user_id) .await?; // Get current deployment let current_deployment = self.ostree_manager.get_booted_deployment().await?; // Create staging deployment let staging_ref = self.ostree_manager.create_staging_deployment().await?; // Remove overridden package from staging self.remove_package_from_staging(&staging_ref, package_name).await?; // Restore base package to staging let base_package = self.apt_manager .get_base_package(package_name) .await?; self.install_package_to_staging(&staging_ref, &base_package).await?; // Commit staging deployment let commit_hash = self.ostree_manager.commit_staging_deployment( &staging_ref, &format!("Reset package override: {} -> base version", package_name), ).await?; // Update boot configuration self.ostree_manager.set_default_deployment(&commit_hash).await?; // Remove override from store self.override_store .write() .await .remove_override(package_name) .await?; Ok(OverrideResult::Success { message: format!("Package {} reset to base version", package_name), commit_hash, details: Some(format!("Base version: {}", base_package.version)), }) } pub async fn list_overrides(&self) -> Result, Error> { let overrides = self.override_store .read() .await .list_overrides() .await?; Ok(overrides) } async fn validate_override_request( &self, package_name: &str, new_version: &str, ) -> Result<(), Error> { // Check if package exists in base system if !self.apt_manager.base_package_exists(package_name).await? { return Err(Error::BasePackageNotFound(package_name.to_string())); } // Check if new version exists if !self.apt_manager.package_version_exists(package_name, new_version).await? { return Err(Error::PackageVersionNotFound( package_name.to_string(), new_version.to_string(), )); } // Check for package conflicts let conflicts = self.apt_manager .check_package_conflicts(package_name, new_version) .await?; if !conflicts.is_empty() { return Err(Error::PackageConflicts(conflicts)); } // Check if package is already overridden if self.override_store .read() .await .has_override(package_name) .await? { return Err(Error::PackageAlreadyOverridden(package_name.to_string())); } Ok(()) } async fn remove_base_package_from_staging( &self, staging_ref: &str, package_name: &str, ) -> Result<(), Error> { // Get staging deployment path let staging_path = self.ostree_manager.get_staging_path(staging_ref); // Remove package files from staging let package_files = self.apt_manager .get_package_files(package_name) .await?; for file_path in &package_files { let full_path = staging_path.join(file_path); if full_path.exists() { tokio::fs::remove_file(&full_path).await?; } } // Remove package from package database let dpkg_status_path = staging_path.join("var/lib/dpkg/status"); self.remove_package_from_dpkg_status(&dpkg_status_path, package_name).await?; Ok(()) } async fn install_package_to_staging( &self, staging_ref: &str, package_info: &PackageInfo, ) -> Result<(), Error> { // Get staging deployment path let staging_path = self.ostree_manager.get_staging_path(staging_ref); // Download package let package_path = self.apt_manager .download_package(&package_info.name, &package_info.version) .await?; // Extract package to staging self.extract_package_to_staging(&staging_path, &package_path).await?; // Update package database self.update_package_database_in_staging(&staging_path, package_info).await?; Ok(()) } async fn extract_package_to_staging( &self, staging_path: &Path, package_path: &Path, ) -> Result<(), Error> { // Extract DEB package contents let package_contents = self.extract_deb_package(package_path).await?; // Apply files to staging for (file_path, file_content) in package_contents.files { let full_path = staging_path.join(&file_path); // Create parent directories if let Some(parent) = full_path.parent() { tokio::fs::create_dir_all(parent).await?; } // Write file content tokio::fs::write(&full_path, file_content).await?; } // Store package scripts if let Some(scripts) = package_contents.scripts { self.store_package_scripts_in_staging(staging_path, &scripts).await?; } Ok(()) } async fn execute_package_scripts( &self, staging_ref: &str, packages: &[PackageInfo], ) -> Result<(), Error> { // Get staging deployment path let staging_path = self.ostree_manager.get_staging_path(staging_ref); for package in packages { // Execute preinst script if exists if let Some(preinst_script) = self.get_package_script(&staging_path, package, "preinst").await? { self.execute_script_in_staging(&staging_path, &preinst_script).await?; } // Execute postinst script if exists if let Some(postinst_script) = self.get_package_script(&staging_path, package, "postinst").await? { self.execute_script_in_staging(&staging_path, &postinst_script).await?; } } Ok(()) } async fn execute_script_in_staging( &self, staging_path: &Path, script_path: &Path, ) -> Result<(), Error> { // Create sandboxed environment let mut sandbox = self.create_staging_sandbox(staging_path).await?; // Execute script in sandbox let output = sandbox.exec_script(script_path).await?; if !output.status.success() { return Err(Error::ScriptExecutionFailed { script: script_path.to_string_lossy().to_string(), stderr: output.stderr, exit_code: output.status.code(), }); } Ok(()) } } ``` ### **3. Override Store and Persistence** #### **Override Storage System** ```rust // src/override/override_store.rs pub struct OverrideStore { database: Arc>, storage_path: PathBuf, } impl OverrideStore { pub async fn add_override( &self, override_info: PackageOverride, ) -> Result<(), Error> { // Save to database self.database .write() .await .save_override(&override_info.package_name, &override_info) .await?; // Save to file system for recovery let file_path = self.storage_path.join(format!("{}.json", override_info.package_name)); let content = serde_json::to_string_pretty(&override_info)?; tokio::fs::write(&file_path, content).await?; Ok(()) } pub async fn get_override( &self, package_name: &str, ) -> Result, Error> { // Try database first if let Some(override_info) = self.database .read() .await .load_override(package_name) .await? { return Ok(Some(override_info)); } // Fallback to file system let file_path = self.storage_path.join(format!("{}.json", package_name)); if file_path.exists() { let content = tokio::fs::read_to_string(&file_path).await?; let override_info: PackageOverride = serde_json::from_str(&content)?; return Ok(Some(override_info)); } Ok(None) } pub async fn list_overrides(&self) -> Result, Error> { // Get from database let overrides = self.database .read() .await .list_overrides() .await?; Ok(overrides) } pub async fn remove_override( &self, package_name: &str, ) -> Result<(), Error> { // Remove from database self.database .write() .await .delete_override(package_name) .await?; // Remove from file system let file_path = self.storage_path.join(format!("{}.json", package_name)); if file_path.exists() { tokio::fs::remove_file(&file_path).await?; } Ok(()) } pub async fn has_override(&self, package_name: &str) -> Result { let override_info = self.get_override(package_name).await?; Ok(override_info.is_some()) } pub async fn cleanup_orphaned_overrides(&self) -> Result<(), Error> { let overrides = self.list_overrides().await?; for override_info in overrides { // Check if override commit still exists if !self.ostree_manager.commit_exists(&override_info.commit_hash).await? { // Remove orphaned override self.remove_override(&override_info.package_name).await?; } } Ok(()) } } ``` ### **4. CLI Command Implementations** #### **Replace Command** ```rust // src/commands/override_replace.rs pub async fn override_replace(args: &[String]) -> AptOstreeResult<()> { let mut osname = None; let mut package_name = None; let mut new_version = None; let mut reboot = false; let mut lock_finalization = false; // Parse arguments let mut i = 0; while i < args.len() { match args[i].as_str() { "--os" => { if i + 1 < args.len() { osname = Some(args[i + 1].clone()); i += 2; } else { return Err(AptOstreeError::InvalidArgument("--os requires a value".to_string())); } } "--stateroot" => { if i + 1 < args.len() { osname = Some(args[i + 1].clone()); i += 2; } else { return Err(AptOstreeError::InvalidArgument("--stateroot requires a value".to_string())); } } "--reboot" => { reboot = true; i += 1; } "--lock-finalization" => { lock_finalization = true; i += 1; } _ => { if package_name.is_none() { package_name = Some(args[i].clone()); } else if new_version.is_none() { new_version = Some(args[i].clone()); } else { return Err(AptOstreeError::InvalidArgument( format!("Unexpected argument: {}", args[i]), )); } i += 1; } } } // Validate arguments let package_name = package_name.ok_or_else(|| { AptOstreeError::InvalidArgument("PACKAGE is required".to_string()) })?; let new_version = new_version.ok_or_else(|| { AptOstreeError::InvalidArgument("VERSION is required".to_string()) })?; // Initialize override manager let override_manager = OverrideManager::new(osname.as_deref()).await?; // Get user and session information let user_id = get_current_user_id()?; let session_id = get_current_session_id().await?; // Replace package let result = override_manager .replace_package(&package_name, &new_version, user_id, session_id) .await?; // Display results match result { OverrideResult::Success { message, commit_hash, details } => { println!("βœ… {}", message); println!("πŸ“ Commit: {}", commit_hash); if let Some(details) = details { println!("ℹ️ {}", details); } if reboot { println!("πŸ”„ Rebooting system..."); // Trigger reboot trigger_system_reboot().await?; } } OverrideResult::Failure { message, details } => { println!("❌ {}", message); if let Some(details) = details { println!("ℹ️ {}", details); } } } Ok(()) } ``` #### **Reset Command** ```rust // src/commands/override_reset.rs pub async fn override_reset(args: &[String]) -> AptOstreeResult<()> { let mut osname = None; let mut package_name = None; let mut reboot = false; let mut lock_finalization = false; // Parse arguments let mut i = 0; while i < args.len() { match args[i].as_str() { "--os" => { if i + 1 < args.len() { osname = Some(args[i + 1].clone()); i += 2; } else { return Err(AptOstreeError::InvalidArgument("--os requires a value".to_string())); } } "--stateroot" => { if i + 1 < args.len() { osname = Some(args[i + 1].clone()); i += 2; } else { return Err(AptOstreeError::InvalidArgument("--stateroot requires a value".to_string())); } } "--reboot" => { reboot = true; i += 1; } "--lock-finalization" => { lock_finalization = true; i += 1; } _ => { if package_name.is_none() { package_name = Some(args[i].clone()); } else { return Err(AptOstreeError::InvalidArgument( format!("Unexpected argument: {}", args[i]), )); } i += 1; } } } // Validate arguments let package_name = package_name.ok_or_else(|| { AptOstreeError::InvalidArgument("PACKAGE is required".to_string()) })?; // Initialize override manager let override_manager = OverrideManager::new(osname.as_deref()).await?; // Get user and session information let user_id = get_current_user_id()?; let session_id = get_current_session_id().await?; // Reset package let result = override_manager .reset_package(&package_name, user_id, session_id) .await?; // Display results match result { OverrideResult::Success { message, commit_hash, details } => { println!("βœ… {}", message); println!("πŸ“ Commit: {}", commit_hash); if let Some(details) = details { println!("ℹ️ {}", details); } if reboot { println!("πŸ”„ Rebooting system..."); // Trigger reboot trigger_system_reboot().await?; } } OverrideResult::Failure { message, details } => { println!("❌ {}", message); if let Some(details) = details { println!("ℹ️ {}", details); } } } Ok(()) } ``` #### **List Command** ```rust // src/commands/override_list.rs pub async fn override_list(args: &[String]) -> AptOstreeResult<()> { let mut osname = None; // Parse arguments let mut i = 0; while i < args.len() { match args[i].as_str() { "--os" => { if i + 1 < args.len() { osname = Some(args[i + 1].clone()); i += 2; } else { return Err(AptOstreeError::InvalidArgument("--os requires a value".to_string())); } } "--stateroot" => { if i + 1 < args.len() { osname = Some(args[i + 1].clone()); i += 2; } else { return Err(AptOstreeError::InvalidArgument("--stateroot requires a value".to_string())); } } _ => { return Err(AptOstreeError::InvalidArgument( format!("Unknown option: {}", args[i]), )); } } } // Initialize override manager let override_manager = OverrideManager::new(osname.as_deref()).await?; // List overrides let overrides = override_manager.list_overrides().await?; // Display results if overrides.is_empty() { println!("πŸ“¦ No package overrides found"); } else { println!("πŸ“¦ Package overrides ({}):", overrides.len()); println!("========================"); for override_info in overrides { println!(" β€’ {}: {} β†’ {}", override_info.package_name, override_info.base_version, override_info.override_version ); println!(" User: {} | Created: {}", override_info.user_id, override_info.created_at.format("%Y-%m-%d %H:%M:%S UTC") ); println!(" Commit: {}", override_info.commit_hash); println!(); } } Ok(()) } ``` ## πŸ” **Security and Privileges** ### **1. Override Authorization** ```rust // Security checks for package overrides impl SecurityManager { pub async fn authorize_package_override( &self, package_name: &str, user_id: u32, ) -> Result<(), SecurityError> { // Check if user has permission to override packages let action = "org.projectatomic.aptostree.override"; self.check_authorization(action, user_id, HashMap::new()).await?; // Check if package is in protected list if self.is_protected_package(package_name).await? { return Err(SecurityError::ProtectedPackage( "Cannot override protected system package".to_string(), )); } Ok(()) } async fn is_protected_package(&self, package_name: &str) -> Result { // List of packages that cannot be overridden let protected_packages = [ "systemd", "systemd-sysv", "systemd-udev", "ostree", "apt-ostree", "aptostreed", "linux-image-generic", "linux-headers-generic", ]; Ok(protected_packages.contains(&package_name)) } } ``` ### **2. Override Validation** ```rust // Validate override requests impl OverrideManager { async fn validate_override_safety( &self, package_name: &str, new_version: &str, ) -> Result<(), Error> { // Check if override would break system let system_impact = self.assess_system_impact(package_name, new_version).await?; if system_impact.critical_dependencies_affected { return Err(Error::CriticalDependenciesAffected( "Override would break critical system dependencies".to_string(), )); } if system_impact.boot_affected { return Err(Error::BootAffected( "Override would affect system boot process".to_string(), )); } if system_impact.security_implications { tracing::warn!("Package override has security implications: {}", package_name); } Ok(()) } async fn assess_system_impact( &self, package_name: &str, new_version: &str, ) -> Result { // Analyze package dependencies and system impact let package_info = self.apt_manager .get_package_info(package_name, new_version) .await?; let dependencies = self.apt_manager .resolve_package_dependencies(&package_info) .await?; let mut impact = SystemImpact::new(); for dependency in &dependencies { if self.is_critical_system_package(dependency).await? { impact.critical_dependencies_affected = true; } if self.is_boot_critical_package(dependency).await? { impact.boot_affected = true; } if self.has_security_implications(dependency).await? { impact.security_implications = true; } } Ok(impact) } } ``` ## πŸ“Š **Performance Optimization** ### **1. Override Caching** ```rust // Cache override information impl OverrideManager { pub async fn get_cached_override( &self, package_name: &str, ) -> Result, Error> { // Check cache first if let Some(cached) = self.cache.get_override(package_name).await? { return Ok(Some(cached)); } // Fetch from store let override_info = self.override_store .read() .await .get_override(package_name) .await?; // Cache the result if let Some(ref info) = override_info { self.cache.cache_override(info).await?; } Ok(override_info) } } ``` ### **2. Parallel Override Processing** ```rust // Parallel override operations impl OverrideManager { pub async fn batch_overrides( &self, overrides: Vec, ) -> Result, Error> { let mut tasks = JoinSet::new(); // Spawn parallel override tasks for override_request in overrides { let override_manager = self.clone(); tasks.spawn(async move { override_manager .replace_package( &override_request.package_name, &override_request.new_version, override_request.user_id, override_request.session_id, ) .await }); } // Collect results let mut results = Vec::new(); while let Some(result) = tasks.join_next().await { results.push(result??); } Ok(results) } } ``` ## πŸ§ͺ **Testing Strategy** ### **1. Unit Tests** ```rust #[cfg(test)] mod tests { use super::*; #[tokio::test] async fn test_package_override_creation() { let override_manager = OverrideManager::new().await.unwrap(); let result = override_manager .replace_package("vim", "2:9.0.1378-1", 1000, "session-123".to_string()) .await .unwrap(); assert!(matches!(result, OverrideResult::Success { .. })); } #[tokio::test] async fn test_package_override_reset() { let override_manager = OverrideManager::new().await.unwrap(); // First create an override override_manager .replace_package("vim", "2:9.0.1378-1", 1000, "session-123".to_string()) .await .unwrap(); // Then reset it let result = override_manager .reset_package("vim", 1000, "session-123".to_string()) .await .unwrap(); assert!(matches!(result, OverrideResult::Success { .. })); } } ``` ### **2. Integration Tests** ```rust #[tokio::test] async fn test_full_override_workflow() { // Set up test environment let test_repo = create_test_repository().await?; // Initialize override manager let override_manager = OverrideManager::new(&test_repo.path()).await?; // Test package override let result = override_manager .replace_package("test-package", "2.0.0", 1000, "session-123".to_string()) .await?; assert!(matches!(result, OverrideResult::Success { .. })); // Verify override exists let overrides = override_manager.list_overrides().await?; assert!(overrides.iter().any(|o| o.package_name == "test-package")); // Test package reset let reset_result = override_manager .reset_package("test-package", 1000, "session-123".to_string()) .await?; assert!(matches!(reset_result, OverrideResult::Success { .. })); // Verify override removed let overrides_after = override_manager.list_overrides().await?; assert!(!overrides_after.iter().any(|o| o.package_name == "test-package")); } ``` ## πŸš€ **Future Enhancements** ### **1. Advanced Override Features** - **Conditional overrides** based on system state - **Override groups** and batch management - **Override templates** and presets - **Override validation** rules and policies ### **2. Performance Improvements** - **Incremental overrides** with minimal rebuilds - **Override dependency** analysis and optimization - **Background override** processing - **Override conflict** resolution and prevention ### **3. Integration Features** - **External override** sources and repositories - **Override monitoring** and alerting - **Override analytics** and reporting - **Automated override** testing and validation ## πŸ—ΊοΈ **Implementation Roadmap** ### **Phase 1: Core Foundation** πŸ—οΈ - [ ] **Basic Override Structure** - Core override manager and store - [ ] **Package Validation** - Override request validation and safety checks - [ ] **Basic CLI Commands** - Override replace, reset, and list commands ### **Phase 2: Advanced Features** πŸš€ - [ ] **Conflict Resolution** - Package conflict detection and resolution - [ ] **Dependency Management** - Override dependency handling - [ ] **Rollback Support** - Override rollback and recovery ### **Phase 3: Production Features** 🎯 - [ ] **Security Integration** - Polkit authorization and privilege management - [ ] **Performance Optimization** - Caching and parallel processing - [ ] **Monitoring & Logging** - Override tracking and audit trails ### **Phase 4: Integration & Testing** πŸ§ͺ - [ ] **Comprehensive Testing** - Unit, integration, and system tests - [ ] **Performance Testing** - Override performance benchmarks - [ ] **Production Deployment** - Production-ready override system --- This architecture provides a solid foundation for implementing production-ready package overrides in apt-ostree, maintaining compatibility with the rpm-ostree ecosystem while providing robust package replacement, validation, and management capabilities.