dput + mini-dinstall to ease people.d.o uploads

As DDs we often want to offer unofficial packages while still preserving a bit of "authoritativeness". A widespread solution is to upload them somewhere under https://people.debian.org/~LOGIN as an APT repository.

I've been using that solution too since ... ever, but I've never been happy about how to advertise the packages, probably just because I've never liked dpkg-scan{packages,sources} and hackish scripts built on top of them. My goal, as simple as it can be, is to work as I do to prepare "real" packages to be uploaded to the Debian archive, and just upload to people.d.o as the final step.

Thanks to DSA, which satisfied a request of mine by installing mini-dinstall on ravel a while ago, today I've finally set up a workflow that lets me reach my goal. This post is a quick howto for implementing that setup.

If you have suggestions about where (wiki.d.o? devref?) to paste this information so that other DDs can more easily find it in the future, please let me know, via comments or by mailing me.

Step 1: configure mini-dinstall on people.debian.org

On people.debian.org, create a ~/.mini-dinstall.conf file containing something like the following:

    [DEFAULT]
    mail_to = zack
    incoming_permissions = 0750
    architectures = all, i386, amd64
    archive_style = flat
    dynamic_reindex = 1
    archivedir = /home/zack/public_html/debian/
    generate_release = 1
    release_origin = Zack
    release_label = Zack
    release_description = Unofficial Debian packages maintained by Stefano Zacchiroli

    [zack-unstable]
    release_suite = zack-unstable

Highlights of that conf:

  • "flat" archive style means "all in one dir"; a more structured alternative is "simple-subdir"
  • you request to generate a Release file, which is needed for the secure APT machinery; various fields of that file are specified by the release_* options
  • you call your suite "zack-unstable" (well, I do :-) ). That suite must match the distribution in your debian/changelog entries. In theory you can use legacy names such as "unstable", but as we are humans and we make mistakes, better to use invalid suite names that will be refused by dak if you upload to the wrong queue

The resulting repository will be accessible using the following /etc/apt/sources.list lines:

    deb https://people.debian.org/~zack/debian zack-unstable/
    deb-src https://people.debian.org/~zack/debian zack-unstable/

Step 2: configure dput

The default incoming dir of mini-dinstall, relative to the configured archivedir, is mini-dinstall/incoming. The following entry for your ~/.dput.cf (on the machine you upload from) will therefore set up your dput for uploads:

    [people.debian.org]
    fqdn = people.debian.org
    method = scp
    login = *
    incoming = /home/zack/public_html/debian/mini-dinstall/incoming
    post_upload_command = ssh people.debian.org mini-dinstall -b

The only interesting detail here is the post upload command, which will run a "pulse" of mini-dinstall on people.d.o just after the upload, to process the uploaded file. Alternatively, you can leave mini-dinstall running on people.d.o, but I consider it unnecessary (because usually you are the only one able to upload to your home dir), inelegant, and complicated (because you then need to verify mini-dinstall is running).

Step 3: enjoy (i.e., upload)

Now you can prepare your packages as you always do (which means using cowbuilder!) and, when you are done with your foo_1.0-1_amd64.changes, upload it with:

    $ dput people.debian.org foo_1.0-1_amd64.changes

Signing the Release file

The above setup does not sign Release files, which means your APT users will receive complaints from the secure APT machinery. To fix that you must sign the Release file with some key and distribute the key to your users to be processed by apt-key add.

You have a couple of ways to sign the release file automatically:

  1. (/me doesn't like this) use a GPG key created for the occasion, store that key (including the private part) on people.d.o, and use the mini-dinstall contrib script sign-release.sh by adding something like the following to your mini-dinstall.conf:

        release_signscript = ~/bin/sign-release.sh

  2. (/me likes this) use some script to sign the Release file remotely and send the resulting detached signature back to people.d.o just after the mini-dinstall pulse; that way you can sign with your own private key, which can reasonably be seen as more trustworthy, being part of the Debian keyring.

To achieve that, the most elegant way would be to fix debsign wishlist #465240 (volunteers? :-) ). As I'm lazy, I'm using my own sign-remote script, which is a bit more generic. Remote signing should be attached to the dput upload hook as well. All in all, here is my actual ~/.dput.cf stanza:

    [people.debian.org]
    fqdn = people.debian.org
    method = scp
    login = *
    incoming = /home/zack/public_html/debian/mini-dinstall/incoming
    post_upload_command = ssh people.debian.org "mini-dinstall --batch" && sign-remote people.debian.org:~/public_html/debian/zack-unstable/Release


Update: do both mini-dinstall run and signing in post_upload_command, following gregoa's suggestion via comment

Update 2015/05/18: switch sources.list lines to https, as suggested by Santiago in comments
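
One way to implement the remote-signing round trip of option 2, as an added example that is not zack's sign-remote script (nor Joenio's version of it): it fetches the Release file, signs it locally with ASCII armor (which, per a comment below, apt now requires for Release.gpg), verifies the signature, and uploads it. The function names are hypothetical; it assumes scp access to people.d.o and a local gpg holding your signing key.

```shell
#!/bin/sh
# Added example, NOT the sign-remote script mentioned in the post.
# Assumed usage:
#   sign-release-remote people.debian.org:~/public_html/debian/zack-unstable/Release

# Print the remote location of the detached signature for HOST:PATH/Release.
# Refuses anything that is not a Release file, so a typo cannot sign
# (and publish a signature for) some other file.
sig_target() {
    case "$1" in
        *:*/Release|*:Release) printf '%s.gpg\n' "$1" ;;
        *) echo "expected HOST:PATH/Release, got: $1" >&2; return 1 ;;
    esac
}

# Succeed only if the file starts with the ASCII-armor signature header.
is_armored() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "-----BEGIN PGP SIGNATURE-----" ]
}

# Fetch Release, sign it locally, check the result, upload Release.gpg.
# Runs in a subshell so "set -e" and the cleanup trap stay local.
sign_remote() (
    set -e
    target=$(sig_target "$1")
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    scp -q "$1" "$tmp/Release"
    # --armor: apt rejects a binary Release.gpg.
    gpg --armor --output "$tmp/Release.gpg" --detach-sign "$tmp/Release"
    # Verify locally before publishing, so a broken signature never goes live.
    gpg --verify "$tmp/Release.gpg" "$tmp/Release"
    is_armored "$tmp/Release.gpg"
    scp -q "$tmp/Release.gpg" "$target"
)

# Run only when given an argument, so the functions can also be sourced.
[ "$#" -eq 0 ] || sign_remote "$@"
```

The private key never leaves the uploading machine; only the Release file comes down and only Release.gpg goes back up.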

It works!

Dear Zack,

thank you very much for this information, it is highly appreciated. I was looking for something like this for years. And the best is, it also works for guest accounts on Alioth. :D

Cheers, Fabian

Comment by Fabian Fri 24 Apr 2009 04:49:48 PM CEST

I'm using something like

    post_upload_command = ssh $user@$host "mini-dinstall --batch" && ~/bin/sign-remote

successfully in my .dput.conf for quite some while.

Comment by gregoa Fri 24 Apr 2009 09:27:33 PM CEST
Re: post_upload_command

Indeed, your command works as a charm, and I've updated the post with that.

My mistake was (obviously, now that I know the reason :-) ) that ssh was eating all args, while it does not do that with your doublequotes.


Comment by zack Sun 26 Apr 2009 07:30:47 PM CEST

Zack, thanks for this useful tutorial.

Just a note: people.debian.org only serves https connections now. Please, update the repository lines to avoid making apt unhappy:

    deb https://people.debian.org/~zack/debian zack-unstable/
    deb-src https://people.debian.org/~zack/debian zack-unstable/



Comment by santiago Fri 15 May 2015 12:26:44 PM CEST

Just a note: people.debian.org only serves https connections now. Please, update the repository lines to avoid making apt unhappy:

Nice catch, Santiago!

I've updated the tutorial above as you suggested.


Comment by zack Mon 18 May 2015 08:35:43 PM CEST

Hi Zack, I have used this setup for a long time and I'm very grateful to you for sharing it with us.

I created a GitHub repository to maintain the sign-remote script and I made some changes on top of your version. If you wish to make any changes in the repository, I will be very happy to give you permission for that.

  • http://github.com/joenio/sign-remote

Comment by Joenio Fri 22 May 2015 05:50:36 PM CEST

It seems that apt now expects Release.gpg to be in ASCII armored format, so sign-remote needs to be edited to add --armor to the gpg invocation, otherwise you'll get an error message like:

Detached signature file '/var/lib/apt/lists/partial/blablabla_Release.gpg' is in unsupported binary format

Comment by david Sat 14 Dec 2019 01:00:13 PM CET