Debian Repository » History » Revision 6
Revision 5 (Marc Dequènes, 2020-04-07 15:16) → Revision 6/22 (Marc Dequènes, 2020-08-04 05:47)
h1. Debian Repository h2. Content Since Buster we document here the reason for having custom/ported packages in this repository. h3. Buster |_.Packages|Reason| |ftp-ssl|missing in Buster| |m2crypto|dependency for *srv_cert_tlsa_gen*| |molly-guard|/2.backported "fix for Debian#914716":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914716| |usrmerge| |phpmyadmin|/7.phpmyadmin is missing from Buster and previous version was broken (#670), simple backport with a few dependencies| |google-recaptcha| |phpmyadmin-motranslator| |phpmyadmin-shapefile| |phpmyadmin-sql-parser| |tcpdf| |twig-extensions| |python-acme|/3.certbot with "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244| |python-certbot| |python-certbot-dns-rfc2136| |roundcube|/2.port of the 1.4 series to get important improvements| |php-masterminds-html5| |spoolinger|DC tool, packaging in Debian WIP| |inspircd|patched to be able to reload the TLS certificate without restarting| h2. Administration All files are stored into */srv/www/sites/repository.duckcorp.org* (config, packages, upload zone…). The user *dc-repository* has been created to handle all the necessary tasks with only limited rights. Regular administration is to be done using the *adm_dc-repository* script as root. This script is able to sudo and pass local configuration options to reprepro, and avoid messing with the rights. For example: <pre> # adm_dc-repository list jessie jessie|dc-net|amd64: libiksemel-dev 1.4-2+dc1 jessie|dc-net|amd64: libiksemel-utils 1.4-2+dc1 jessie|dc-net|amd64: libiksemel3 1.4-2+dc1 jessie|dc-net|amd64: zabbix-agent 1:2.4.6+dfsg-1+dc1 … jessie|dc-net|i386: zabbix-agent 1:2.4.6+dfsg-1+dc1 … jessie|dc-net|source: libiksemel 1.4-2+dc1 jessie|dc-net|source: zabbix 1:2.4.6+dfsg-1+dc1 </pre> h2. Adding Contributors The list of uploader is setup into */srv/www/sites/repository.duckcorp.org/htdocs/debian/conf/dc-incoming-uploaders*. h2. Renewing Signing Key gpg expects to have full control over the tty, so temporarily give the tty's ownership over to the _dc-repository_ user (or document here a better solution). Key creation: <pre> chown dc-repository $(tty) su - dc-repository gpg --full-generate-key # default key is fine # expiration: 5y # Real name: DuckCorp Archive Automatic Signing Key # Email address: admin_at_duckcorp.org # note the new <key-id> gpg --armor --export <key-id> >duckcorp_repository.gpg.key chown root $(tty) </pre> Update the <key_id> in _host_vars/Toushirou/debian_repository.yml_ and redeploy the repository configuration: ansible-playbook --diff playbooks/tenants/duckcorp/debian_repository.yml Force resigning with the new key: adm_dc-repository --export=lookedat export Then update the APT trusted keys on all hosts: ansible-playbook --diff -t apt playbooks/common.yml