dput + mini-dinstall to ease people.d.o uploads
As DDs we often want to offer unofficial packages, but still preserving a bit of "authoritativeness". A widespread solution is to upload somewhere under https://people.debian.org/~LOGIN as an APT repository.
I've been using that solution too since ... ever, but I've never
been happy about how to advertise the packages, probably just
because I've never liked
and hackish scripts built on top of them. My goal, as simple as it
can be, is to work as I do to prepare "real" packages to be
uploaded to the Debian archive, and just upload to people.d.o as
the final step.
Thanks to DSA which satisfied a request of mine by installing a while ago mini-dinstall on ravel, today I've finally set up a work-flow that enabled me to reach my goal. This post is a quick howto to implement that setup.
If you have suggestions about where (wiki.d.o? devref?) to paste these info so that other DDs can more easily find them in the future, please let me know, via comments or mailing me.
Step 1: configure mini-dinstall on people.debian.org
On people.debian.org, create a ~/.mini-dinstall.conf file containing something like the following:
[DEFAULT] mail_to = zack incoming_permissions = 0750 architectures = all, i386, amd64 archive_style = flat dynamic_reindex = 1 archivedir = /home/zack/public_html/debian/ generate_release = 1 release_origin = Zack release_label = Zack release_description = Unofficial Debian packages maintained by Stefano Zacchiroli [zack-unstable] release_suite = zack-unstable
Highlights of that conf:
- "flat" archive style means "all in one dir", a more structured alternative is "simple-subdir"
- you request to generate a
Releasefile, which is needed for the secure APT machinery; various fields of that file are specified by the
- you call your suite "zack-unstable" (well, I do ). That suite must
match the distribution in your
debian/changelogentries. In theory you can use legacy names such as "unstable", but as we are humans and we make mistakes, better to use invalid suite names that will be refused by dak if you upload to the wrong queue
The resulting repository will be accessible using the following
deb https://people.debian.org/~zack/debian zack-unstable/ deb-src https://people.debian.org/~zack/debian zack-unstable/
Step 2: configure dput
The default incoming dir of mini-dinstall, relative to the
configured archivedir, is
following entry for your
~/.dput.cf (on the machine
you upload from) will therefore setup your dput for uploads:
[people.debian.org] fqdn = people.debian.org method = scp login = * incoming = /home/zack/public_html/debian/mini-dinstall/incoming post_upload_command = ssh people.debian.org mini-dinstall -b
The only interesting detail here is the post upload command, which will run a "pulse" of mini-dinstall on people.d.o just after the upload, to process the uploaded file. Alternatively, you can leave mini-dinstall running on people.d.o, but I consider it unnecessary (because usually you are the only one able to upload to your home dir), unelegant, and complicated (because you then need to verify mini-dinstall is running).
Step 3: enjoy (i.e., upload)
Now you can prepare your packages as you always do (which means
using cowbuilder!) and,
when you are done with your
upload it doing:
$ dput people.debian.org foo_1.0-1_amd64.changes
Signing the Release file
The above setup does not sign
Release files, which
means your APT users will receive complaints from the secure APT
machinery. To fix that you must sign the
with some key and distribute the key to your users to be processed
You have a couple of ways to sign the release file automatically:
(/me doesn't like this) use a GPG key created for the occasion, store that key (including the private part) on people.d.o, and use the mini-dinstall contrib script sign-release.sh by adding something like the following to your
release_signscript = ~/bin/sign-release.sh
(/me likes this) use some script to sign the Release file remotely and send the resulting deatched signature back to people.d.o just after the mini-dinstall pulse; that way you can sign with your own private key, which will be reasonably felt as more trustworthy, being part of the Debian keyring.
To achieve that, the most elegant way would be to fix debsign
(volunteers? ). As I'm lazy, I'm using my own sign-remote script, which is a bit more
generic. Remote signing should be attached to dput upload hook as
well. All in all, here is my actual
[people.debian.org] fqdn = people.debian.org method = scp login = * incoming = /home/zack/public_html/debian/mini-dinstall/incoming post_upload_command = ssh people.debian.org "mini-dinstall --batch" && sign-remote people.debian.org:~/public_html/debian/zack-unstable/Release
Update: do both mini-dinstall run and signing
post_upload_command, following gregoa's suggestion
Update 2015/05/18: switch sources.list lines to https, as suggested by Santiago in comments