- Using debarchiver on gibran
Configuration is managed in Puppet class hcoop::service::debarchiver.
/afs/hcoop.net/common/debian/...
    .../old/        = current contents (obsolete package sources / builds)
    .../src/
        hcoop/      our custom packages (hcoop-$foo-config and libnss-afs)
        backport/   manually backported packages (ideally, this contains only a few packages)
        fork/       manually forked packages (ideally, this contains nothing)
    .../archive/    = debarchiver
/afs/hcoop.net/common/debian/archive/ is exported as http://debian.hcoop.net/
Packages are built using git-pbuilder for every arch/dist combination hcoop currently has to support.
1. Debian Archive Signing
Uploads to our apt repository must be signed with an admin's upload key, and the published releases are signed with the archive key.
1.1. Upload Signing Keys
1.1.1. Generating An Upload Signing Key
Generate the key on your local machine, where you will be running pbuilder/uploading from, with:
gpg --full-gen-key
Keys used by admins to sign uploads should have the following attributes:
- Key Type: RSA and RSA
- Key Length: 4096 bits
- Expiration: 1y
- Name: YOUR NAME (HCoop Debian Archive Upload Signing Key)
- Email: you_admin@hcoop.net
- Comment: CURRENT_YEAR
Ensure the keyid is set in ~/.devscripts so debsign will sign uploads with the correct key:
DEBSIGN_KEYID=YOUR_KEYID_HERE
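The steps above, done unattended, as an added example (this is not code from the HCoop wiki, from debarchiver or from devscripts): a gpg --batch parameter file carrying exactly the attributes listed, key generation from it, and an idempotent update of DEBSIGN_KEYID in ~/.devscripts. The admin name, address and year are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the HCoop page: generate an upload signing key with
# the required attributes and point debsign at it.
set -eu

# Emit a gpg(1) --batch parameter file: RSA 4096 primary plus RSA 4096 subkey,
# one-year expiry, UID "NAME (HCoop Debian Archive Upload Signing Key) (YEAR) <EMAIL>".
# Without a Passphrase: line gpg asks for the passphrase through pinentry.
upload_key_params() {
  name="$1" email="$2" year="$3"
  cat <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name (HCoop Debian Archive Upload Signing Key)
Name-Comment: $year
Name-Email: $email
Expire-Date: 1y
%commit
EOF
}

# Generate the key and print the fingerprint of the first secret key listed for
# that address (check with gpg --list-secret-keys if you already had one).
generate_upload_key() {
  name="$1" email="$2" year="$3"
  params=$(mktemp)
  upload_key_params "$name" "$email" "$year" > "$params"
  gpg --batch --gen-key "$params"
  rm -f "$params"
  gpg --with-colons --list-secret-keys "$email" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Set DEBSIGN_KEYID in a devscripts config file, replacing any existing line
# and keeping everything else in the file untouched.
set_debsign_keyid() {
  conf="$1" keyid="$2"
  tmp="$conf.tmp.$$"
  if [ -f "$conf" ]; then
    grep -v '^DEBSIGN_KEYID=' "$conf" > "$tmp" || true
  else
    : > "$tmp"
  fi
  printf 'DEBSIGN_KEYID=%s\n' "$keyid" >> "$tmp"
  mv "$tmp" "$conf"
}

# Usage: sh gen-upload-key.sh generate "Jane Doe" jane@hcoop.net 2024
if [ "${1:-}" = generate ]; then
  fpr=$(generate_upload_key "$2" "$3" "$4")
  set_debsign_keyid "$HOME/.devscripts" "$fpr"
  # Public half to hand to the debarchiver server for the uploaders keyring.
  gpg --armor --export "$fpr" > "$HOME/$fpr.asc"
  echo "key $fpr generated; public key written to $HOME/$fpr.asc"
fi
```

Using the full fingerprint rather than a short key ID in DEBSIGN_KEYID avoids picking the wrong key if two keys share a short ID.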
1.1.2. Importing a New Upload Key
Export the key that will be used to sign uploads:
gpg --armor --export YOUR_KEYID_HERE
Copy the exported key to the debarchiver server, and import it:
sudo -u debarchiver gpg --no-default-keyring --keyring uploaders.gpg --import YOUR_KEYFILE_HERE
If managed using Puppet, enter the hcoop private data repository for gnupg and run as root:
gpg --no-default-keyring --keyring /path/to/private/puppet/module/files/debarchiver/gnupg/uploaders.gpg --import YOUR_KEYFILE_HERE
1.2. Archive Key
The Debian archive is signed, and the signing key is rotated every year (currently on February 2nd). The keyring is managed by Puppet and is not committed to git. Two things get in the way of generating the key in place. First, the gpg-agent socket path has to fit within the unix socket filename limit, so a long --homedir path fails; work around it by symlinking the directory into /root. Second, the directory is protected with a POSIX ACL, and GPG drops the ACL mask bits during key generation, which effectively disables every ACL entry; restore the mask afterwards with setfacl. As root:
ln -s /path/to/private/puppet/module/files/debarchiver/gnupg/ /root/debarchiver-gnupg
gpg --homedir /root/debarchiver-gnupg --full-gen-key
setfacl -m m::rwx -R /root/debarchiver-gnupg/
rm /root/debarchiver-gnupg
- Key Type: RSA and RSA
- Key Length: 4096 bits
- Expiration: 1y
- Name: HCoop Debian Archive Signing Key
- Email: admins@hcoop.net
- Comment: CURRENT_YEAR
After generating, run sudo -u debarchiver gpg --list-secret-keys and copy the keyid of the private key that was generated to the debarchiver config option $gpgkey.
After the updated configuration is in place, regenerate the published public key: sudo -u debarchiver gpg --armor --export NEW_PUBLIC_KEYID | tee /afs/hcoop.net/common/debian/archive/archive.pub
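Because the archive key expires after a year, a check that warns before February 2nd is worth having. The following is an added example (not code from the HCoop page or from debarchiver): it parses gpg --with-colons output, reports the days left on each primary key, and exits non-zero when the configured key is within a threshold. The key ID, epoch times and the sample listing below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the HCoop page: warn before the archive signing
# key expires.
set -eu

# Read gpg --with-colons output on stdin and print "<keyid> <days-left>" for
# each primary key (pub/sec records): field 5 is the key ID, field 7 the expiry
# as epoch seconds, empty for keys that never expire. Days are truncated.
key_days_left() {
  now="$1"
  awk -F: -v now="$now" '
    $1 == "pub" || $1 == "sec" {
      if ($7 == "") printf "%s never\n", $5
      else printf "%s %d\n", $5, int(($7 - now) / 86400)
    }'
}

# Succeed when key $2 in the listing on stdin expires within $3 days of epoch
# time $1 (already-expired keys count as well); fail with 1 otherwise and with
# 2 if the key is not in the listing.
key_expires_within() {
  now="$1" keyid="$2" days="$3"
  left=$(key_days_left "$now" | awk -v k="$keyid" '$1 == k { print $2; exit }')
  [ -n "$left" ] || { echo "key $keyid not found in listing" >&2; return 2; }
  [ "$left" = never ] && return 1
  [ "$left" -le "$days" ]
}

# Constructed sample listing: a 4096-bit RSA key created 2024-02-02
# (1706832000) and expiring 2025-02-02 (1738454400). Key ID and fingerprint
# are placeholders, not the real HCoop key.
sample_listing() {
  cat <<'EOF'
tru::1:1735689600:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1706832000:1738454400::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1706832000::0000000000000000000000000000000000000000::HCoop Debian Archive Signing Key (2024) <admins@hcoop.net>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1706832000:1738454400:::::e::::::23:
EOF
}

# Usage on gibran: sudo -u debarchiver sh archive-key-check.sh check KEYID
# where KEYID is the value of $gpgkey in the debarchiver configuration.
if [ "${1:-}" = check ]; then
  keyid="$2"
  if gpg --with-colons --list-keys "$keyid" | key_expires_within "$(date +%s)" "$keyid" 30; then
    echo "archive key $keyid expires within 30 days: rotate it and republish archive.pub" >&2
    exit 1
  fi
  echo "archive key $keyid: $(gpg --with-colons --list-keys "$keyid" | key_days_left "$(date +%s)")"
fi
```

Run it from cron as the debarchiver user so the rotation reminder arrives a few weeks before the key lapses, and clients stop seeing "EXPKEYSIG" from apt.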
2. Installing Packages to the Archive
debarchiver is configured to scan /afs/hcoop.net/common/debian/archive/incoming/$dists every five minutes. The easiest way to install a package into the archive is to run dput on its .changes file. By uploading into a distinput directory you can leave the distribution as unstable in the changelog and upload one package to several releases; the package must be built with pbuilder for each target release, and the source tarballs must be identical across those builds.
You can also upload backports into a distinput directory, but you still have to change the version in the changelog.
Example ~/.dput.cf:
[hcoop-stretch]
fqdn = local
method = local
incoming = /afs/hcoop.net/common/debian/archive/incoming/stretch/

[hcoop-stretch-backports]
fqdn = local
method = local
incoming = /afs/hcoop.net/common/debian/archive/incoming/stretch_backports/

[hcoop]
fqdn = local
method = local
incoming = /afs/hcoop.net/common/debian/archive/incoming
To upload a new package:
sign the changes file: debsign PACKAGE.changes
upload with dput: dput RELEASE PACKAGE.changes. For example, to upload exim 4.89-2+deb9u6~hcoop11 to stretch: dput hcoop-stretch exim4_4.89-2+deb9u6~hcoop11_amd64.changes
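The requirement that the source tarballs match across builds is easy to break when rebuilding for a second release. As an added example (not code from the HCoop page, dput or debarchiver), the script below reads the Checksums-Sha256 block of each .changes file, refuses to upload when the .orig tarball digests differ, and otherwise signs and uploads each build to its dput target. The sample .changes content it writes is constructed, with placeholder digests, around the exim4 version used above.

```shell
#!/bin/sh
# Added example, not part of the HCoop page: check that two builds of one
# source share the same .orig tarball before uploading them to two releases.
set -eu

# Print "sha256 size name" for every .orig.tar.* entry in the Checksums-Sha256
# block of a .changes file. Continuation lines are indented, so the first line
# starting with a letter ends the block.
orig_tarball_sums() {
  awk '
    /^Checksums-Sha256:/ { insec = 1; next }
    /^[A-Za-z]/          { insec = 0 }
    insec && $3 ~ /\.orig\.tar\./ { print $1, $2, $3 }
  ' "$1"
}

# Distribution named in the .changes; stays "unstable" for distinput uploads
# because debarchiver takes the target release from the directory.
changes_distribution() {
  awk '/^Distribution:/ { print $2; exit }' "$1"
}

# Succeed only if both .changes files list identical .orig tarball entries.
changes_same_orig() {
  a=$(orig_tarball_sums "$1")
  b=$(orig_tarball_sums "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed minimal .changes written to $1; $2 is the sha256 to list for the
# .orig tarball (placeholder digests, not a real build).
write_sample_changes() {
  cat > "$1" <<EOF
Format: 1.8
Source: exim4
Binary: exim4
Architecture: source amd64
Version: 4.89-2+deb9u6~hcoop11
Distribution: unstable
Maintainer: HCoop Admins <admins@hcoop.net>
Checksums-Sha256:
 $2 1048576 exim4_4.89.orig.tar.xz
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 20480 exim4_4.89-2+deb9u6~hcoop11.debian.tar.xz
Files:
 d41d8cd98f00b204e9800998ecf8427e 1048576 mail standard exim4_4.89.orig.tar.xz
EOF
}

# Usage: sh upload-check.sh A.changes B.changes hcoop-stretch hcoop-stretch-backports
# Signs and uploads each .changes to its dput target only if the orig tarballs agree.
if [ $# -eq 4 ]; then
  if changes_same_orig "$1" "$2"; then
    debsign "$1" && dput "$3" "$1"
    debsign "$2" && dput "$4" "$2"
  else
    echo "orig tarball checksums differ between $1 and $2; rebuild both from the same source" >&2
    exit 1
  fi
fi
```

If the two builds disagree, debarchiver would end up with two different files of the same name in the pool, so rebuild the second release from the exact .orig tarball used for the first rather than regenerating it.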
3. Checking for new versions
Many packages ship a debian/watch file (https://wiki.debian.org/debian/watch), which makes scanning for new upstream versions easy. Run uscan /afs/hcoop.net/common/debian/src/ occasionally to check every package there for a new upstream release.