Project

General

Profile

Debian Repository » History » Revision 10

Revision 9 (Marc Dequènes, 2021-08-16 08:24) → Revision 10/22 (Marc Dequènes, 2021-10-06 19:59)

h1. Debian Repository 

 h2. Content 

 Since Buster we document here the reason for having custom/ported packages in this repository. 

 h3. Bullseye 

 |_.Packages|_.Reason| 
 |spoolinger|DC tool, packaging in Debian WIP| 
 |xl2tpd|fixed upstream release| 
 |openldap|/2.N-Way Sync and better cn=config management| 
 |python-ldap| 
 |python-acme|/3.certbot with "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244| 
 |python-certbot| 
 |python-certbot-dns-rfc2136| 
 |spoolinger|DC tool, packaging in Debian WIP| 

 h3. Buster 

 |_.Packages|_.Reason| 
 |ftp-ssl|missing in Buster| 
 |m2crypto|dependency for *srv_cert_tlsa_gen*| 
 |molly-guard|/2.backported "fix for Debian#914716":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914716| 
 |usrmerge| 
 |phpmyadmin|/7.phpmyadmin is missing from Buster and previous version was broken (#670), simple backport with a few dependencies| 
 |google-recaptcha| 
 |phpmyadmin-motranslator| 
 |phpmyadmin-shapefile| 
 |phpmyadmin-sql-parser| 
 |tcpdf| 
 |twig-extensions| 
 |python-acme|/3.certbot with "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244| 
 |python-certbot| 
 |python-certbot-dns-rfc2136| 
 |roundcube|/2.port of the 1.4 series to get important improvements| 
 |php-masterminds-html5| 
 |spoolinger|DC tool, packaging in Debian WIP| 
 |inspircd|patched to be able to reload the TLS certificate without restarting (not supported in v2)| 
 |xl2tpd|fixed upstream release| 
 |openldap|/2.N-Way Sync and better cn=config management| 
 |python-ldap| 

 h2. Administration 

 All files are stored into */srv/www/sites/repository.duckcorp.org* (config, packages, upload zone…). The user *dc-repository* has been created to handle all the necessary tasks with only limited rights. 

 Regular administration is to be done using the *adm_dc-repository* script as root. This script is able to sudo and pass local configuration options to reprepro, and avoid messing with the rights. 

 For example: 
 <pre> 
 # adm_dc-repository list jessie 
 jessie|dc-net|amd64: libiksemel-dev 1.4-2+dc1 
 jessie|dc-net|amd64: libiksemel-utils 1.4-2+dc1 
 jessie|dc-net|amd64: libiksemel3 1.4-2+dc1 
 jessie|dc-net|amd64: zabbix-agent 1:2.4.6+dfsg-1+dc1 
 … 
 jessie|dc-net|i386: zabbix-agent 1:2.4.6+dfsg-1+dc1 
 … 
 jessie|dc-net|source: libiksemel 1.4-2+dc1 
 jessie|dc-net|source: zabbix 1:2.4.6+dfsg-1+dc1 
 </pre> 

 h2. Adding Contributors 

 The list of uploader is setup into */srv/www/sites/repository.duckcorp.org/htdocs/debian/conf/dc-incoming-uploaders*. 

 h2. Renewing Signing Key 

 gpg expects to have full control over the tty, so temporarily give the tty's ownership over to the _dc-repository_ user (or document here a better solution). 

 Key creation: 

 <pre> 
 chown dc-repository $(tty) 
 su - dc-repository 
 gpg --full-generate-key 
 # default key is fine 
 # expiration: 5y 
 # Real name: DuckCorp Archive Automatic Signing Key 
 # Email address: admin_at_duckcorp.org 
 # note the new <key-id> 
 gpg --armor --export <key-id> >duckcorp_repository.gpg.key 
 chown root $(tty) 
 </pre> 

 Update the <key_id> in _host_vars/Toushirou/debian_repository.yml_ and redeploy the repository configuration: 

     ansible-playbook --diff playbooks/tenants/duckcorp/debian_repository.yml 

 Force resigning with the new key: 

     adm_dc-repository --export=lookedat export 

 Then update the APT trusted keys on all hosts: 

     ansible-playbook --diff -t apt playbooks/common.yml