DebianPackaging

Revision 92, 2021-08-07 20:01:46, ClintonEbadi: Also need to update the exported public key at debian.hcoop.net when rotating the archive key
This page describes how to make custom Debian packages for HCoop.

Overview

The idea is to keep track of each custom HCoop Debian package using three branches, which are as follows.

upstream: The source code from the current release of the upstream software.
debian: The source code plus the latest Debian packaging that Debian has for the software.
master: The source code plus the latest Debian packaging plus any changes that HCoop has made to the source or the packaging.

If you are creating a native package (e.g. for configuration files) then you only have a master branch.

Developing Packages

This section is common to all of the types of packages we might develop. HCoop is standardized on all amd64 packages, aside from architecture independent packages.

Setting Up Environment For Clean Builds

Packages must be signed to be accepted. In ~/.devscripts, make sure your signing key is set:

TODO: pbuilder

Set up pbuilder for each distribution and architecture. We build with backports and the hcoop repository available. Example:

Building a package

Years ago HCoop standardized on Git for VersionControl; as such we're using git-buildpackage to maintain our packages.

First, make sure you are on the "master" branch by running:

If you see an asterisk by "master", you're on the right branch.

If we want to build the package with some uncommitted changes, as a sanity check, then do:

When it comes time to test the changes, build the package using:

The packages will be built and placed in the temporary directory you specify. You have to use a directory not in afs, because pbuilder runs using sudo and will not have your tokens.

To indicate that we are done making changes to this particular version of the Debian package, tag it with:

This makes the package version show up when you do git tag -l, for easy diffing and viewing.

New Packages

After creating the git-buildpackage repository, push it to the public HCoop debian packages git area:

We may revisit only having one area for Debian packages at a later time.

Forking a Debian Package

If a package is available in the official backports, use it. If you need to backport something not yet backported, make a sloppy backport from testing/unstable to stable/oldstable, or make changes for afs and kerberos support, read on.

Making a new custom package

If you want to make changes to an existing Debian package, and we haven't made our own custom package before, then do the following.

cd /afs/hcoop.net/common/debian/src/{backports,fork}/
# Browse http://packages.debian.org/ and find a link to a dsc file
# If you already have the .dsc, .diff.gz, and orig tarball downloaded
# to the current directory, then skip this step.
gbp import-dsc --debian-branch=debian --upstream-branch=upstream http://path/to/file.dsc
# Enter the subdirectory that gbp created (named after the package)
cd <pkgname>

These last two steps create a subdirectory named after the package. The subdirectory has the complete source, including the ./debian directory. The original tarball (without ./debian) is in the "upstream" branch, the original source plus Debian changes is in the "debian" branch, and a copy of the contents of the "debian" branch is placed in the "master" branch. You will be in the "master" branch now. If you are not, create it with git checkout -b master

Make your HCoop-specific changes (preferably in an incremental and atomic fashion) and commit them using git. You may want to use quilt and commit the quilt patches instead if the package uses quilt.

hcoopifying the debian package

Open debian/changelog in emacs and invoke M-x debian-changelog-mode. Press C-c C-v to create a new entry in the changelog and append +hcoopN (where N is the hcoop revision) to the version. E.g. 0.60.0-3 becomes 0.60.0-3+hcoop1

If it is a backport, change the distribution to $stable-backports (as of 2015, this is jessie-backports). The version should also have ~bpo8+hcoopN for jessie, ~bpo70+hcoopN for wheezy (~bpo7+hcoopN for a sloppy backport), or ~bpo60+hcoopN for squeeze appended to conform to standard backports versioning.

Add a comment. Press C-c C-c to close the entry. Save and exit.

Alternatively, you can use git-dch for this task if you ensure that your git commits work as debian changelog entries.

New package from Debian

When a new Debian package comes out, and we want to incorporate their changes, the routine will be as follows.

<pkgname> is the name of the package.
<ver> is the upstream version of the software.
<patch> is the patch level of the package. For example: "1". We always add an "hcoop" suffix to patch levels of packages that we modify.

gbp import-dsc --debian-branch=debian http://path/to/file.dsc

git-import-dsc should do the right thing.

Now we'll want to switch back to the master branch (where we keep HCoop-specific changes) and merge the latest Debian changes.

Now, make a new debian/changelog entry and list the changes that were kept in our version.

When done, commit, build packages, and tag the version of the package as in the Building a Package section.

New upstream version not yet in Debian

This section needs decrufting and may produce unexpected results. It also makes it difficult for the package to sync with Debian again in the future.

If you want to update an existing custom HCoop Debian package with a new version of the upstream program, and no Debian package yet exists for that version, then you'll need to work with the upstream tarball for the new release directly. Instructions are as follows.

Make a directory for the new version.

mkdir
cd

Download the new upstream tarball to this directory. Rename it to <pkgname>_<ver>.orig.tar.gz.

Move the git repo for the old version over to the new directory.

/ .

Run git-import-orig.

git-import-orig ../<pkgname>_<ver>.orig.tar.gz

Resolve conflicts and build the new package.

When Debian catches up to our blazing pace and makes their own package, perhaps with changes that we want, then we will need to use some trickery to make the packages sync up.

Change directory to /afs/hcoop.net/common/debian/<pkgname>/<ver>. Obtain the debian .dsc file and extract the contents to <pkgname>-<ver>, as in the New package from Debian section.

Switch to the debian branch.

git checkout debian

Check in Debian's changes.

-ver
GIT_DIR=..//.git git add .
GIT_DIR=..//.git git add -u .
GIT_DIR=..//.git git commit -m "Import Debian package -"
cd ../
git add . ; git reset --hard

Do an "ours" merge with the upstream branch. This basically does a merge that is guaranteed not to have conflicts, with the end result being the contents of the current branch. This allows us to more easily merge in the changes that Debian made, later on.

For instructive purposes, do a git log. You will see a log entry for the upstream version just below the log entry for the new Debian package. Very nifty.

Now switch back to the master branch which contains our changes and merge from the debian branch.

Resolve any conflicts. You shouldn't see conflicts in the upstream source -- only the debian/ directory might have conflicts.

Build and tag the package, making a new HCoop version.

Debian Archive

Using debarchiver on gibran

Configuration is managed in Puppet class hcoop::service::debarchiver

/afs/hcoop.net/common/debian/...
.../old/ = current contents (obsolete package sources / builds)
.../src/
    hcoop/ our custom packages (hcoop-$foo-config and libnss-afs)
    backport/ manually backported packages (ideally, this contains only a few packages)
    fork/ manually forked packages (ideally, this contains nothing)
.../archive/ = debarchiver

/afs/hcoop.net/debian/archive/ is exported as

Packages are built using git-pbuilder for all arch/dist combinations hcoop must support at the moment.

Debian Archive Signing

Our apt repository requires signed uploads, and releases are signed.

Upload Signing Keys

Generating An Upload Signing Key

Generate the key on your local machine, where you will be running pbuilder/uploading from, with:

Keys used by admins to sign uploads should have the following attributes:

Key Type: RSA and RSA
Key Length: 4096 bits
Expiration: 1y
Name: YOUR NAME (HCoop Debian Archive Upload Signing Key)
Email: you_admin@hcoop.net
Comment: CURRENT_YEAR

Ensure the keyid is set in ~/.devscripts so debsign will sign uploads with the correct key:

Importing a New Upload Key

Export the key that will be used to sign uploads

Copy the exported key to the debarchiver server, and import it:

If managed using Puppet, enter the hcoop private data repository for gnupg and run as root:

Archive Key

The Debian archive is signed, and the signing key should be rotated every year (currently February 2nd). The keyring is managed by Puppet, and is not committed to git.

GPG has weird restrictions on the length of the agent socket filename, so you may need to symlink the directory into /root to work around them. You will also need to reset the default mask: we are using a POSIX ACL, and GPG removes the mask bits during key generation, negating all ACLs. As root:

Key Type: RSA and RSA
Key Length: 4096 bits
Expiration: 1y
Name: HCoop Debian Archive Signing Key
Email: admins@hcoop.net
Comment: CURRENT_YEAR

After generating, run sudo -u debarchiver gpg --list-secret-keys and copy the keyid of the private key that was generated to the debarchiver config option $gpgkey. After the updated configuration is in place, regenerate the published public key:

sudo -u debarchiver gpg --armour --export NEW_PUBLIC_KEYID | tee /afs/hcoop.net/common/debian/archive/archive.pub

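The attributes required above for upload keys and for the archive key (RSA, 4096 bits, 1y expiration, the year as comment) can be checked mechanically ahead of the yearly rotation. This is an added example, not part of HCoop's tooling; it assumes GnuPG 2.x colon output with epoch timestamps, and the function name, key ids and sample listing are constructed.

```python
import re
import time

DAY = 86400
MAX_LIFETIME = 366 * DAY   # "Expiration: 1y", allowing for a leap year
RSA = "1"                  # OpenPGP public-key algorithm number for RSA

def audit_keys(listing, now, warn_days=30):
    """Map keyid -> list of policy problems for each primary key in a
    `gpg --list-keys --with-colons` listing (GnuPG 2.x, epoch dates)."""
    report, problems, created = {}, None, 0
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            created = int(f[5])
            problems = report.setdefault(f[4], [])
            if f[3] != RSA or f[2] != "4096":
                problems.append("not RSA 4096")
            if not f[6]:
                problems.append("no expiration")
                continue
            expires = int(f[6])
            if expires - created > MAX_LIFETIME:
                problems.append("lifetime over 1y")
            if expires <= now:
                problems.append("expired")
            elif expires - now < warn_days * DAY:
                problems.append("rotation due")
        elif f[0] == "uid" and problems is not None and len(f) > 9:
            # Field 10 is the user ID; the comment should be the key's year.
            year = re.search(r"\((\d{4})\)", f[9])
            if not year or int(year.group(1)) != time.gmtime(created).tm_year:
                problems.append("comment is not the creation year")
    return report

# Constructed sample listing: a compliant archive key and a weak upload key.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1580601600:1612137600::u:::scESC:
uid:u::::1580601600::0000::HCoop Debian Archive Signing Key (2020) <admins@hcoop.net>:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1580601600:::u:::scESC:
uid:u::::1580601600::0000::Example Admin (HCoop Debian Archive Upload Signing Key) (2019) <example_admin@hcoop.net>:
"""

if __name__ == "__main__":
    for keyid, found in audit_keys(SAMPLE, now=1610668800).items():
        print(keyid, found or "ok")
```

Feed it the output of sudo -u debarchiver gpg --list-keys --with-colons together with the current epoch time.
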
Installing Packages to the Archive

debarchiver is configured to scan /afs/hcoop.net/common/debian/archive/incoming/$dists every five minutes. The easiest way to install a package to the archive is to use dput on the .changes file.

By uploading to a distinputdir, you can leave the distribution as unstable in the changelog, and upload a package to multiple releases. The package should be built using pbuilder for each target release, and the source tarballs must match. You can also upload packages for backports into a distinput directory, but you still have to update the version in changelog.

Example ~/.dput.cf:

To upload a new package, sign the changes file:

debsign PACKAGE.changes

then upload with dput:

dput RELEASE PACKAGE.changes

for example, to upload exim 4.89-2+deb9u6~hcoop11 to stretch:

dput hcoop-stretch exim4_4.89-2+deb9u6~hcoop11_amd64.changes

Checking for new versions

Many packages supply files which allow for easy scanning of new upstream versions. Run uscan /afs/hcoop.net/common/debian/src/ occasionally to scan for new upstream versions.

CategorySystemAdministration