Debian Repository » History » Revision 10
Revision 9 (Marc Dequènes, 2021-08-16 08:24) → Revision 10/22 (Marc Dequènes, 2021-10-06 19:59)
h1. Debian Repository
h2. Content
Since Buster we document here the reason for having custom/ported packages in this repository.
h3. Bullseye
|_.Packages|_.Reason|
|spoolinger|DC tool, packaging in Debian WIP|
|xl2tpd|fixed upstream release|
|openldap|/2.N-Way Sync and better cn=config management|
|python-ldap|
|python-acme|/3.certbot with "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244|
|python-certbot|
|python-certbot-dns-rfc2136|
|spoolinger|DC tool, packaging in Debian WIP|
h3. Buster
|_.Packages|_.Reason|
|ftp-ssl|missing in Buster|
|m2crypto|dependency for *srv_cert_tlsa_gen*|
|molly-guard|/2.backported "fix for Debian#914716":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914716|
|usrmerge|
|phpmyadmin|/7.phpmyadmin is missing from Buster and previous version was broken (#670), simple backport with a few dependencies|
|google-recaptcha|
|phpmyadmin-motranslator|
|phpmyadmin-shapefile|
|phpmyadmin-sql-parser|
|tcpdf|
|twig-extensions|
|python-acme|/3.certbot with "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244|
|python-certbot|
|python-certbot-dns-rfc2136|
|roundcube|/2.port of the 1.4 series to get important improvements|
|php-masterminds-html5|
|spoolinger|DC tool, packaging in Debian WIP|
|inspircd|patched to be able to reload the TLS certificate without restarting (not supported in v2)|
|xl2tpd|fixed upstream release|
|openldap|/2.N-Way Sync and better cn=config management|
|python-ldap|
h2. Administration
All files are stored into */srv/www/sites/repository.duckcorp.org* (config, packages, upload zone…). The user *dc-repository* has been created to handle all the necessary tasks with only limited rights.
Regular administration is to be done using the *adm_dc-repository* script as root. This script is able to sudo and pass local configuration options to reprepro, and avoid messing with the rights.
For example:
<pre>
# adm_dc-repository list jessie
jessie|dc-net|amd64: libiksemel-dev 1.4-2+dc1
jessie|dc-net|amd64: libiksemel-utils 1.4-2+dc1
jessie|dc-net|amd64: libiksemel3 1.4-2+dc1
jessie|dc-net|amd64: zabbix-agent 1:2.4.6+dfsg-1+dc1
…
jessie|dc-net|i386: zabbix-agent 1:2.4.6+dfsg-1+dc1
…
jessie|dc-net|source: libiksemel 1.4-2+dc1
jessie|dc-net|source: zabbix 1:2.4.6+dfsg-1+dc1
</pre>
h2. Adding Contributors
The list of uploader is setup into */srv/www/sites/repository.duckcorp.org/htdocs/debian/conf/dc-incoming-uploaders*.
h2. Renewing Signing Key
gpg expects to have full control over the tty, so temporarily give the tty's ownership over to the _dc-repository_ user (or document here a better solution).
Key creation:
<pre>
chown dc-repository $(tty)
su - dc-repository
gpg --full-generate-key
# default key is fine
# expiration: 5y
# Real name: DuckCorp Archive Automatic Signing Key
# Email address: admin_at_duckcorp.org
# note the new <key-id>
gpg --armor --export <key-id> >duckcorp_repository.gpg.key
chown root $(tty)
</pre>
Update the <key_id> in _host_vars/Toushirou/debian_repository.yml_ and redeploy the repository configuration:
ansible-playbook --diff playbooks/tenants/duckcorp/debian_repository.yml
Force resigning with the new key:
adm_dc-repository --export=lookedat export
Then update the APT trusted keys on all hosts:
ansible-playbook --diff -t apt playbooks/common.yml