debsbom 0.1.0__tar.gz

debsbom-0.1.0/LICENSE

@@ -0,0 +1,8 @@
+Copyright (c) 2025 Siemens
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

debsbom-0.1.0/PKG-INFO

@@ -0,0 +1,162 @@
+Metadata-Version: 2.4
+Name: debsbom
+Version: 0.1.0
+Summary: Generate SBOMs for Debian-based distributions.
+Author-email: Christoph Steiger <christoph.steiger@siemens.com>
+Maintainer-email: Christoph Steiger <christoph.steiger@siemens.com>, Gernot Hillier <gernot.hillier@siemens.com>
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/siemens/debsbom
+Project-URL: Repository, https://github.com/siemens/debsbom.git
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: System :: Operating System Kernels :: Linux
+Classifier: Topic :: Utilities
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cyclonedx-python-lib>=11.0.0
+Requires-Dist: packageurl-python>=0.16.0
+Requires-Dist: spdx-tools>=0.8.3
+Requires-Dist: python-debian>=0.1.49
+Provides-Extra: dev
+Requires-Dist: pytest>=6.0; extra == "dev"
+Requires-Dist: pytest-cov>=6; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: beartype>=0.20; extra == "dev"
+Requires-Dist: debsbom[download]; extra == "dev"
+Requires-Dist: debsbom[doc]; extra == "dev"
+Provides-Extra: download
+Requires-Dist: requests>=2.25.1; extra == "download"
+Requires-Dist: zstandard>=0.20; extra == "download"
+Provides-Extra: apt
+Requires-Dist: python3-apt>=2.6.0; extra == "apt"
+Provides-Extra: doc
+Requires-Dist: sphinx<8,>=7; extra == "doc"
+Requires-Dist: sphinx-rtd-theme>=2.0.0; extra == "doc"
+Requires-Dist: sphinx-autodoc-typehints>=2.0.0; extra == "doc"
+Requires-Dist: sphinx-argparse>=0.2.1; extra == "doc"
+Dynamic: license-file
+
+[![Tests](https://github.com/siemens/debsbom/actions/workflows/test.yml/badge.svg)](https://github.com/siemens/debsbom/actions/workflows/test.yml)
+[![Documentation](https://github.com/siemens/debsbom/actions/workflows/docs.yml/badge.svg)](https://siemens.github.io/debsbom)
+
+# debsbom - SBOM generator for Debian-based distributions
+
+`debsbom` generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats [SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
+
+The generated SBOM includes all installed binary packages and also contains [Debian Source packages](https://www.debian.org/doc/debian-policy/ch-source.html).
+
+Source packages are especially relevant for security as CVEs in the Debian ecosystem are filed not against the installed binary packages, but source packages. The names of source and binary packages must not always be the same, and in some cases a single source package builds a number of binary packages.
+
+## Usage
+
+```
+usage: debsbom [-h] [--version] [-v] [--progress] {generate,download,source-merge,repack} ...
+
+SBOM tool for Debian systems.
+
+positional arguments:
+  {generate,download,source-merge,repack}
+                        sub command help
+    generate            generate a SBOM for a Debian system
+    download            download referenced packages
+    source-merge        merge referenced source packages
+    repack              repack sources and sbom
+
+options:
+  -h, --help            show this help message and exit
+  --version             show program's version number and exit
+  -v, --verbose         be more verbose
+  --progress            report progress
+```
+
+## Scope of the tool
+
+The primary goal is to generate Software Bills of Materials (SBOMs) for Debian-based systems, focusing on security and license clearing requirements.
+The `generate` command operates entirely offline, making it suitable for use in air-gapped networks or environments where internet connectivity is restricted.
+
+### Goals
+
+The `generate` command creates comprehensive SBOMs that include all installed software packages and their dependencies (binary, source package and
+`built-using`[[1]](https://www.debian.org/doc/debian-policy/ch-relationships.html#s-built-using)).
+These SBOM outputs are designed to serve as reliable input for vulnerability management systems and license compliance checks.
+
+The tool provides auxiliary commands for package source retrieval. These enable users to:
+1. Retrieve packages from Debian's upstream repositories and report missing packages.
+2. Convert the multi-archive source packages into a single artifact (one archive per source package)
+
+At its core, this tool was designed to fulfill these SBOM generation requirements while maintaining:
+1. A minimal dependency footprint: avoid huge dependency graph of external software ecosystems (like Go or Rust)
+2. Strict focus on Debian-specific package formats
+3. Clear separation between binary packages and their corresponding source packages
+4. Use official SPDX / CycloneDX libraries to ensure syntactic and semantic correctness
+
+### Non Goals
+
+- License and copyright text extraction from source packages
+- Real-time vulnerability database integration
+- Signing and attestation of generated artifacts
+
+## Package Relations
+
+A Debian distribution is composed of source packages and binary packages.
+Binary packages are installed into the root filesystem, while the source packages are the originals from which those binaries are built.
+
+Some binary packages are installed explicitly by the user; others appear automatically as dependencies of the explicitly‑installed packages.
+The SBOM mirrors this relationship, using the `distro-package` entry as the single central node for traversing the package graph.
+
+```
+distro-package
+├─ binary-package-foo
+├─── source-package-foo
+├─── binary-dep-of-foo
+├─ binary-package-bar
+├─── source-package-bar
+└─── binary-dep-of-bar
+```
+
+### Source-Binary
+
+To differentiate binary and source packages in the SBOM a different approach for each SBOM standard is required.
+
+#### CycloneDX
+
+In the CDX format it is currently not possible to mark a component as a source package. There is an ongoing discussion [[2]](https://github.com/CycloneDX/specification/issues/612) which, while looking promising, will not land in the standard for quite some time. In the meantime source packages can only be identified by their PURL by looking at the `arch=source` qualifier. The relationships between a binary and its source package is done with a simple dependency.
+
+#### SPDX
+
+We differentiate a source package by setting `"primaryPackagePurpose": "SOURCE"` as opposed to `LIBRARY` for binary packages. Their relationship is expressed with the `GENERATES` relation. For packages that are marked as `Built-Using` in the dpkg status file, we use the `GENERATED_FROM` relation. This expresses the same semantic in SPDX, but this way it can still be identified if it is a proper source/binary relationship or a built-using one.
+
+## Generate from Package List
+
+In addition to parsing the list of installed packages from the dpkg status file, we also support to provide a list of packages that should be resolved
+from the apt-cache: When running `debsbom generate --from-pkglist`, the tool
+processes package entries passed via stdin as line separated items. The format
+for each entry is:
+
+```
+<package-name> <package-version> <package-arch>
+```
+
+Example:
+
+```bash
+cat <<EOF | debsbom generate --from-pkglist -t cdx -t spdx -o sbom
+cpp 4:15.2.0-4 amd64
+htop 3.4.1-5 amd64
+EOF
+```
+
+## Limitations
+
+### License Information
+
+License information in Debian is stored in `/usr/share/doc/**/copyright`. The format of these files is not required to be machine-interpretable. For most packages this is the case and they are machine-readable, but there are some cases where the exact license determination is hard.
+To prevent any false license information to be included in the SBOM they are not emitted for now.
+
+### Vendor Packages
+
+Vendor packages are currently not identified. Identifying them is important to emit the correct PURL. Right now we make no difference between vendor and official packages. That means we emit potentially incorrect PURLs for vendor packages.
+
+Reliably and correctly identifying if a package is a vendor package or not is non-trivial without access to the internet. For this reason we do not attempt it. If you have vendor packages in your distribution we assume you know them, and if not you can identify them in postprocessing. A simple way is to use `debsbom download` and look for any packages that failed to download, or whose checksums do not match.

debsbom-0.1.0/README.md

@@ -0,0 +1,122 @@
+[![Tests](https://github.com/siemens/debsbom/actions/workflows/test.yml/badge.svg)](https://github.com/siemens/debsbom/actions/workflows/test.yml)
+[![Documentation](https://github.com/siemens/debsbom/actions/workflows/docs.yml/badge.svg)](https://siemens.github.io/debsbom)
+
+# debsbom - SBOM generator for Debian-based distributions
+
+`debsbom` generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats [SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
+
+The generated SBOM includes all installed binary packages and also contains [Debian Source packages](https://www.debian.org/doc/debian-policy/ch-source.html).
+
+Source packages are especially relevant for security as CVEs in the Debian ecosystem are filed not against the installed binary packages, but source packages. The names of source and binary packages must not always be the same, and in some cases a single source package builds a number of binary packages.
+
+## Usage
+
+```
+usage: debsbom [-h] [--version] [-v] [--progress] {generate,download,source-merge,repack} ...
+
+SBOM tool for Debian systems.
+
+positional arguments:
+  {generate,download,source-merge,repack}
+                        sub command help
+    generate            generate a SBOM for a Debian system
+    download            download referenced packages
+    source-merge        merge referenced source packages
+    repack              repack sources and sbom
+
+options:
+  -h, --help            show this help message and exit
+  --version             show program's version number and exit
+  -v, --verbose         be more verbose
+  --progress            report progress
+```
+
+## Scope of the tool
+
+The primary goal is to generate Software Bills of Materials (SBOMs) for Debian-based systems, focusing on security and license clearing requirements.
+The `generate` command operates entirely offline, making it suitable for use in air-gapped networks or environments where internet connectivity is restricted.
+
+### Goals
+
+The `generate` command creates comprehensive SBOMs that include all installed software packages and their dependencies (binary, source package and
+`built-using`[[1]](https://www.debian.org/doc/debian-policy/ch-relationships.html#s-built-using)).
+These SBOM outputs are designed to serve as reliable input for vulnerability management systems and license compliance checks.
+
+The tool provides auxiliary commands for package source retrieval. These enable users to:
+1. Retrieve packages from Debian's upstream repositories and report missing packages.
+2. Convert the multi-archive source packages into a single artifact (one archive per source package)
+
+At its core, this tool was designed to fulfill these SBOM generation requirements while maintaining:
+1. A minimal dependency footprint: avoid huge dependency graph of external software ecosystems (like Go or Rust)
+2. Strict focus on Debian-specific package formats
+3. Clear separation between binary packages and their corresponding source packages
+4. Use official SPDX / CycloneDX libraries to ensure syntactic and semantic correctness
+
+### Non Goals
+
+- License and copyright text extraction from source packages
+- Real-time vulnerability database integration
+- Signing and attestation of generated artifacts
+
+## Package Relations
+
+A Debian distribution is composed of source packages and binary packages.
+Binary packages are installed into the root filesystem, while the source packages are the originals from which those binaries are built.
+
+Some binary packages are installed explicitly by the user; others appear automatically as dependencies of the explicitly‑installed packages.
+The SBOM mirrors this relationship, using the `distro-package` entry as the single central node for traversing the package graph.
+
+```
+distro-package
+├─ binary-package-foo
+├─── source-package-foo
+├─── binary-dep-of-foo
+├─ binary-package-bar
+├─── source-package-bar
+└─── binary-dep-of-bar
+```
+
+### Source-Binary
+
+To differentiate binary and source packages in the SBOM a different approach for each SBOM standard is required.
+
+#### CycloneDX
+
+In the CDX format it is currently not possible to mark a component as a source package. There is an ongoing discussion [[2]](https://github.com/CycloneDX/specification/issues/612) which, while looking promising, will not land in the standard for quite some time. In the meantime source packages can only be identified by their PURL by looking at the `arch=source` qualifier. The relationships between a binary and its source package is done with a simple dependency.
+
+#### SPDX
+
+We differentiate a source package by setting `"primaryPackagePurpose": "SOURCE"` as opposed to `LIBRARY` for binary packages. Their relationship is expressed with the `GENERATES` relation. For packages that are marked as `Built-Using` in the dpkg status file, we use the `GENERATED_FROM` relation. This expresses the same semantic in SPDX, but this way it can still be identified if it is a proper source/binary relationship or a built-using one.
+
+## Generate from Package List
+
+In addition to parsing the list of installed packages from the dpkg status file, we also support to provide a list of packages that should be resolved
+from the apt-cache: When running `debsbom generate --from-pkglist`, the tool
+processes package entries passed via stdin as line separated items. The format
+for each entry is:
+
+```
+<package-name> <package-version> <package-arch>
+```
+
+Example:
+
+```bash
+cat <<EOF | debsbom generate --from-pkglist -t cdx -t spdx -o sbom
+cpp 4:15.2.0-4 amd64
+htop 3.4.1-5 amd64
+EOF
+```
+
+## Limitations
+
+### License Information
+
+License information in Debian is stored in `/usr/share/doc/**/copyright`. The format of these files is not required to be machine-interpretable. For most packages this is the case and they are machine-readable, but there are some cases where the exact license determination is hard.
+To prevent any false license information to be included in the SBOM they are not emitted for now.
+
+### Vendor Packages
+
+Vendor packages are currently not identified. Identifying them is important to emit the correct PURL. Right now we make no difference between vendor and official packages. That means we emit potentially incorrect PURLs for vendor packages.
+
+Reliably and correctly identifying if a package is a vendor package or not is non-trivial without access to the internet. For this reason we do not attempt it. If you have vendor packages in your distribution we assume you know them, and if not you can identify them in postprocessing. A simple way is to use `debsbom download` and look for any packages that failed to download, or whose checksums do not match.

debsbom-0.1.0/pyproject.toml

@@ -0,0 +1,84 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "debsbom"
+version = "0.1.0"
+dependencies = [
+  "cyclonedx-python-lib>=11.0.0",
+  "packageurl-python>=0.16.0",
+  "spdx-tools>=0.8.3",
+  "python-debian>=0.1.49",
+]
+requires-python = ">=3.11"
+authors = [
+  { name="Christoph Steiger", email="christoph.steiger@siemens.com" },
+]
+maintainers = [
+  { name="Christoph Steiger", email="christoph.steiger@siemens.com" },
+  { name="Gernot Hillier", email="gernot.hillier@siemens.com" },
+]
+description = "Generate SBOMs for Debian-based distributions."
+readme = "README.md"
+license = "MIT"
+classifiers = [
+  "Intended Audience :: Developers",
+  "Operating System :: POSIX :: Linux",
+  "Programming Language :: Python :: 3",
+  "Topic :: System :: Operating System Kernels :: Linux" ,
+  "Topic :: Utilities",
+]
+[project.urls]
+Homepage = "https://github.com/siemens/debsbom"
+Repository = "https://github.com/siemens/debsbom.git"
+
+[project.optional-dependencies]
+dev = [
+  "pytest>=6.0",
+  "pytest-cov>=6",
+  "black",
+  "beartype>=0.20",
+  "debsbom[download]",
+  "debsbom[doc]",
+]
+download = [
+    "requests>=2.25.1",
+    "zstandard>=0.20",
+]
+# only distributed in Debian (not pip).
+# only needed to speedup apt parsing
+apt = [
+    "python3-apt>=2.6.0",
+]
+
+# dependencies to build documentation
+doc = [
+  "sphinx>=7,<8",
+  "sphinx-rtd-theme>=2.0.0",
+  "sphinx-autodoc-typehints>=2.0.0",
+  "sphinx-argparse>=0.2.1",
+]
+
+[project.scripts]
+debsbom = "debsbom.cli:main"
+
+[tool.black]
+line-length = 100
+
+[tool.pytest.ini_options]
+minversion = "6.0"
+testpaths = [
+    "tests",
+]
+markers = [
+  "online: tests requiring internet access",
+]
+filterwarnings = [
+  "error",
+]
+
+[tool.coverage.run]
+source = [
+  "debsbom"
+]

debsbom-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

debsbom-0.1.0/src/debsbom/__init__.py

@@ -0,0 +1,14 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+# Optional transitive dependency of dep822 which is only distributed
+# via Debian (not pip). If not available but requested, the library
+# issues a warning which we want to avoid by checking upfront and
+# explicitly requesting the fallback mechanism.
+try:
+    import apt
+
+    HAS_PYTHON_APT = True
+except ImportError:
+    HAS_PYTHON_APT = False

debsbom-0.1.0/src/debsbom/apt/cache.py

@@ -0,0 +1,189 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+from collections.abc import Callable, Iterable
+from dataclasses import dataclass
+from debian.deb822 import Deb822, Sources, Packages
+from debian.debian_support import Version
+import logging
+from pathlib import Path
+
+from ..util.compression import find_compressed_file_variants, stream_compressed_file
+from ..dpkg.package import BinaryPackage, SourcePackage
+from .. import HAS_PYTHON_APT
+
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class ExtendedStates:
+    """
+    The apt extended states encode information if a package is manually
+    installed or installed via a dependency only.
+    """
+
+    auto_installed: set[tuple[str, str]]
+
+    def is_manual(self, name: str, arch: str) -> bool:
+        """True if package is explicitly installed"""
+        return (name, arch) not in self.auto_installed
+
+    @classmethod
+    def from_file(
+        cls, file: str | Path, filter_fn: Callable[[str, str], bool] | None = None
+    ) -> "ExtendedStates":
+        """Factory to create instance from the apt extended states file"""
+        auto_installed = set()
+        with open(Path(file)) as f:
+            for s in Deb822.iter_paragraphs(f, use_apt_pkg=HAS_PYTHON_APT):
+                name = s.get("Package")
+                arch = s.get("Architecture")
+                if s.get("Auto-Installed") != "1":
+                    continue
+                if (filter_fn is None) or (filter_fn(name, arch)):
+                    auto_installed.add((name, arch))
+
+        return cls(auto_installed=auto_installed)
+
+
+@dataclass
+class Repository:
+    """Represents a debian repository as cached by apt."""
+
+    in_release_file: Path
+    origin: str | None
+    codename: str | None
+    architectures: list[str]
+    components: list[str] | None = None
+    version: Version | None = None
+    description: str | None = None
+
+    @classmethod
+    def from_apt_cache(cls, lists_dir: str | Path) -> Iterable["Repository"]:
+        """Create repositories from apt lists directory."""
+        for entry in Path(lists_dir).iterdir():
+            if entry.name.endswith("_InRelease"):
+                with open(entry) as f:
+                    repo = Deb822(f)
+                origin = repo.get("Origin")
+                codename = repo.get("Codename")
+                version = repo.get("Version")
+                architectures = repo.get("Architectures", "").split()
+                components = repo.get("Components")
+                description = repo.get("Description")
+                logger.info(f"Found apt lists cache repository: {entry}")
+                if not len(architectures):
+                    logger.error(f"Repository does not specify 'Architectures', ignoring: {entry}")
+                    continue
+                yield Repository(
+                    in_release_file=entry,
+                    origin=origin,
+                    codename=codename,
+                    version=Version(version) if version else None,
+                    architectures=architectures,
+                    components=components.split() if components else None,
+                    description=description,
+                )
+
+    @classmethod
+    def _make_srcpkgs(
+        cls, sources: Iterable[Sources], filter_fn: Callable[[str], bool] | None = None
+    ) -> Iterable[SourcePackage]:
+        _sources = filter(lambda p: filter_fn(p["Package"]), sources) if filter_fn else sources
+        for source in _sources:
+            yield SourcePackage.from_dep822(source)
+
+    @classmethod
+    def _make_binpkgs(
+        cls, packages: Iterable[Packages], filter_fn: Callable[[str, str], bool] | None = None
+    ) -> Iterable[BinaryPackage]:
+        _pkgs = (
+            filter(lambda p: filter_fn(p["Package"], p["Architecture"]), packages)
+            if filter_fn
+            else packages
+        )
+        for pkg in _pkgs:
+            yield BinaryPackage.from_dep822(pkg)
+
+    @classmethod
+    def _parse_sources(
+        cls, sources_file: str, srcpkg_filter: Callable[[str], bool] | None = None
+    ) -> Iterable["SourcePackage"]:
+        sources_path = Path(sources_file)
+        try:
+            if sources_path.exists():
+                with open(sources_path) as f:
+                    logger.debug(f"Parsing apt cache source packages: {sources_file}")
+                    sources_raw = Packages.iter_paragraphs(f, use_apt_pkg=HAS_PYTHON_APT)
+                    for s in Repository._make_srcpkgs(sources_raw, srcpkg_filter):
+                        yield s
+            else:
+                compressed_variant = find_compressed_file_variants(sources_path)[0]
+                content = stream_compressed_file(compressed_variant)
+                logger.debug(f"Parsing apt cache source packages: {sources_file}")
+                # TODO: in python-debian >= 1.0.0 it is possible to directly
+                # pass the filename of a compressed file when using apt_pkg
+                sources_raw = Packages.iter_paragraphs(content, use_apt_pkg=False)
+                for s in Repository._make_srcpkgs(sources_raw, srcpkg_filter):
+                    yield s
+        except (FileNotFoundError, IndexError, RuntimeError):
+            logger.debug(f"Missing apt cache sources: {sources_file}")
+
+    @classmethod
+    def _parse_packages(
+        cls, packages_file: str, binpkg_filter: Callable[[str, str], bool] | None = None
+    ) -> Iterable[BinaryPackage]:
+        packages_path = Path(packages_file)
+        try:
+            if packages_path.exists():
+                with open(packages_path) as f:
+                    packages_raw = Packages.iter_paragraphs(f, use_apt_pkg=HAS_PYTHON_APT)
+                    logger.debug(f"Parsing apt cache binary packages: {packages_file}")
+                    for s in Repository._make_binpkgs(packages_raw, binpkg_filter):
+                        yield s
+            else:
+                compressed_variant = find_compressed_file_variants(packages_path)[0]
+                content = stream_compressed_file(compressed_variant)
+                # TODO: in python-debian >= 1.0.0 it is possible to directly
+                # pass the filename of a compressed file when using apt_pkg
+                packages_raw = Packages.iter_paragraphs(content, use_apt_pkg=False)
+                logger.debug(f"Parsing apt cache binary packages: {packages_file}")
+                for s in Repository._make_binpkgs(packages_raw, binpkg_filter):
+                    yield s
+        except (FileNotFoundError, IndexError, RuntimeError):
+            logger.debug(f"Missing apt cache packages: {packages_file}")
+
+    def sources(self, filter_fn: Callable[[str], bool] | None = None) -> Iterable[SourcePackage]:
+        """Get all source packages from this repository."""
+        repo_base = str(self.in_release_file).removesuffix("_InRelease")
+        if self.components:
+            for component in self.components:
+                sources_file = "_".join([repo_base, component, "source", "Sources"])
+                for s in self._parse_sources(sources_file, filter_fn):
+                    yield s
+        else:
+            sources_file = "_".join([repo_base, "source", "Sources"])
+            return self._parse_sources(sources_file, filter_fn)
+
+    def binpackages(
+        self,
+        filter_fn: Callable[[str, str], bool] | None = None,
+        ext_states: ExtendedStates = ExtendedStates(set()),
+    ) -> Iterable[BinaryPackage]:
+        """Get all binary packages from this repository"""
+        repo_base = str(self.in_release_file).removesuffix("_InRelease")
+        if self.components:
+            for component in self.components:
+                for arch in self.architectures:
+                    packages_file = "_".join([repo_base, component, f"binary-{arch}", "Packages"])
+                    for p in self._parse_packages(packages_file, filter_fn):
+                        p.manually_installed = ext_states.is_manual(p.name, p.architecture)
+                        yield p
+        else:
+            for arch in self.architectures:
+                packages_file = "_".join([repo_base, f"binary-{arch}", "Packages"])
+                for p in self._parse_packages(packages_file, filter_fn):
+                    p.manually_installed = ext_states.is_manual(p.name, p.architecture)
+                    yield p