dput + mini-dinstall to ease people.d.o uploads

As DDs we often want to offer unofficial packages, but still preserving a bit of "authoritativeness". A widespread solution is to upload somewhere under https://people.debian.org/~LOGIN as an APT repository.

I've been using that solution too since ... ever, but I've never been happy about how to advertise the packages, probably just because I've never liked dpkg-scan{packages,sources} and hackish scripts built on top of them. My goal, as simple as it can be, is to work as I do to prepare "real" packages to be uploaded to the Debian archive, and just upload to people.d.o as the final step.

Thanks to DSA which satisfied a request of mine by installing a while ago mini-dinstall on ravel, today I've finally set up a work-flow that enabled me to reach my goal. This post is a quick howto to implement that setup.

If you have suggestions about where (wiki.d.o? devref?) to paste these info so that other DDs can more easily find them in the future, please let me know, via comments or mailing me.

Step 1: configure mini-dinstall on people.debian.org

On people.debian.org, create a ~/.mini-dinstall.conf file containing something like the following:

    mail_to = zack
    incoming_permissions = 0750
    architectures = all, i386, amd64
    archive_style = flat
    dynamic_reindex = 1
    archivedir = /home/zack/public_html/debian/
    generate_release = 1
    release_origin = Zack
    release_label = Zack
    release_description = Unofficial Debian packages maintained by Stefano Zacchiroli

    release_suite = zack-unstable

Highlights of that conf:

  • "flat" archive style means "all in one dir", a more structured alternative is "simple-subdir"
  • you request to generate a Release file, which is needed for the secure APT machinery; various fields of that file are specified by the release_* options
  • you call your suite "zack-unstable" (well, I do :-) ). That suite must match the distribution in your debian/changelog entries. In theory you can use legacy names such as "unstable", but as we are humans and we make mistakes, better to use invalid suite names that will be refused by dak if you upload to the wrong queue

The resulting repository will be accessible using the following /etc/apt/sources.list lines:

    deb https://people.debian.org/~zack/debian zack-unstable/
    deb-src https://people.debian.org/~zack/debian zack-unstable/

Step 2: configure dput

The default incoming dir of mini-dinstall, relative to the configured archivedir, is mini-dinstall/incoming. The following entry for your ~/.dput.cf (on the machine you upload from) will therefore setup your dput for uploads:

    fqdn = people.debian.org
    method = scp
    login = *
    incoming = /home/zack/public_html/debian/mini-dinstall/incoming
    post_upload_command = ssh people.debian.org mini-dinstall -b

The only interesting detail here is the post upload command, which will run a "pulse" of mini-dinstall on people.d.o just after the upload, to process the uploaded file. Alternatively, you can leave mini-dinstall running on people.d.o, but I consider it unnecessary (because usually you are the only one able to upload to your home dir), unelegant, and complicated (because you then need to verify mini-dinstall is running).

Step 3: enjoy (i.e., upload)

Now you can prepare your packages as you always do (which means using cowbuilder!) and, when you are done with your foo_1.0-1_amd64.changes, upload it doing:

    $ dput people.debian.org foo_1.0-1_amd64.changes

Signing the Release file

The above setup does not sign Release files, which means your APT users will receive complaints from the secure APT machinery. To fix that you must sign the Release file with some key and distribute the key to your users to be processed by apt-key add.

You have a couple of ways to sign the release file automatically:

  1. (/me doesn't like this) use a GPG key created for the occasion, store that key (including the private part) on people.d.o, and use the mini-dinstall contrib script sign-release.sh by adding something like the following to your mini-dinstall.conf:

        release_signscript = ~/bin/sign-release.sh
  2. (/me likes this) use some script to sign the Release file remotely and send the resulting deatched signature back to people.d.o just after the mini-dinstall pulse; that way you can sign with your own private key, which will be reasonably felt as more trustworthy, being part of the Debian keyring.

To achieve that, the most elegant way would be to fix debsign wishlist #465240 (volunteers? :-) ). As I'm lazy, I'm using my own sign-remote script, which is a bit more generic. Remote signing should be attached to dput upload hook as well. All in all, here is my actual ~/.dput.cf stanza:

      fqdn = people.debian.org
      method = scp
      login = *
      incoming = /home/zack/public_html/debian/mini-dinstall/incoming
      post_upload_command = ssh people.debian.org "mini-dinstall --batch" && sign-remote people.debian.org:~/public_html/debian/zack-unstable/Release


Update: do both mini-dinstall run and signing in post_upload_command, following gregoa's suggestion via comment

Update 2015/05/18: switch sources.list lines to https, as suggested by Santiago in comments