This document summarises setting up a Debian package repository.
I have taken care to provide the most accurate information at the time of writing but should you find any mistakes, please fix them.
There are 2 kinds of repositories from user's perspective:
archive style |
apt line |
apt-pinning |
secure APT |
trivial archive |
"deb http://example.org/debian ./" |
No |
Yes |
official archive |
"deb http://example.org/debian unstable main" |
Yes |
Yes |
These have different meta-data structure, but both store actual package files. Many repository HOWTOs address creation of a "trivial archive". These are problematic since the "trivial archive" lacks support for apt-pinning and modern secure APT due to the collision of 2 types of Release files. (e.g., old "Debian Reference (sarge)" and "APT HOWTO (sarge)")
Even with an "official archive", you can create a much simpler archive than the real official one. This is explained in Debian Reference (lenny) using apt-ftparchive in apt-utils and dupload. All uploaded packages are located in a directory and no database server is needed. This may be good enough for people hosting a few packages.
For creating something similar to the official archive, there are some good packages to help you but they tend to require a database server.
Contents
The following sections contain more info about these applications.
Available Tools
dak (Debian Archive Kit)
- Goals: Packaging of the tools handling the official Debian repositories.
- Pro: Real stuff.
- Cons: Depends on python and PostgreSQL (even if on an other host), lack of documentation, designed for large repositories.
Package: http://packages.qa.debian.org/d/dak.html
- python
- postgresql (optional)
Distributions: stable, unstable, still the CVS version is ages ahead
Dependencies: http://packages.debian.org/unstable/devel/dak
- Automatic repositories: Yes
- Incoming mechanism: Yes
Pools: Yes
- GPG signing: Yes
Wiki Page: dak
reprepro (formerly known as mirrorer)
- Goals: Local Debian package repository storing files in a pool/ directory.
- Pro: Strict checking of what comes in, no database server needed.
- Cons: ?
Distributions: stable, testing, unstable and etch-backports
Dependencies: http://packages.debian.org/unstable/utils/reprepro
- Automatic repositories: Yes
- Incoming mechanism: Yes
- Pools: Yes
- GPG signing: Yes
HOWTO: Setting up your own automatic Debian repository see this arcticle on reprepro. The link is rather outdated, but still contains some useful information.
debpool
- Goals: Lightweight replacement for dak using a pool layout.
- Pro:
- No external dependencies.
- easy to use incoming mechanism
- standard repository (can be pinned)
- Cons:
- only available from experimental
not actively maintained, although there is a debpool resurrection project which didn't made any uploads so far (2008-06-19), but there seems to be development going on
- no checking of older packages being replaced with new ones
- no notification of what is going on (no mails when new packages are added)
Distributions: experimental
Dependencies: http://packages.debian.org/experimental/devel/debpool
- perl
- gnupg (optional)
- Automatic repositories: Yes
- Incoming mechanism: Yes
- Pools: Yes
- GPG signing: Yes (with gnupg).
Wiki page: debpool
debarchiver
- Goals: Make a simpler version of dak.
- Pro:
- easy to use incoming mechanism - even on remote systems - by using a cron-job
- packages can be moved into a distribution by
- reading the Distribution value from .changes file or
- directly putting the whole package into a distributions-incoming directory.
- standard repository (can be pinned)
- Cons:
- no Pool-architecture at the moment
- some useful checks are missing
- cleaning needs to be done manually
Dependencies: http://packages.debian.org/unstable/devel/debarchiver
- adduser
- apt-utils (recommended) | dpkg-dev
- opalmod (Perl modules)
- gnupg (optional)
- Automatic repositories: Yes
- Incoming mechanism: Yes
Pools: No (but suggested somewhere at BTS).
- GPG signing: Yes (with gnupg, post-Sarge feature).
A debarchiver how-to. An other nice debarchiver how-to (in German). An Italian howto for local Debian package mirroring (similar to apt-proxy).
mini-dinstall
- Goals: Miniature version of dak.
- Pro:
- Doesn't require a PostgreSQL database.
- small footprint
Dependencies: http://packages.debian.org/unstable/devel/mini-dinstall
- apt-utils
- python2.3
- python-apt
- Automatic repositories: Yes (?)
- Incoming mechanism: Yes
- Pools: No
- GPG signing: Yes (external script and setup example provided in documentation)
apt-ftparchive
- Goals: Superset of dpkg-scanpackages and dpkg-scansources.
- Pro: Does not rely on any external programs aside from gzip. Creates Release and Contents files.
- Cons:
Distributions: oldstable, stable, testing, unstable, experimental
Dependencies: http://packages.debian.org/unstable/admin/apt-utils
- Automatic repositories: No (Yes with dupload)
- Incoming mechanism: No (Maybe with dupload)
- Pools: Yes
- GPG signing: No (Yes with dupload)
- HOWTOs:
apt-ftparchive generate Roberto Sanchez how-to -- he now recommend to use reprepro
dpkg-scanpackages and dpkg-scansources
- Goals:
- Pro:
- Cons: Cannot create Release nor Contents files.
Dependencies: http://packages.debian.org/unstable/utils/dpkg-dev
- Automatic repositories: No
- Incoming mechanism: No
- Pools: No
- GPG signing: No
HOWTO: Aaron Isotton how-to
mini-dak
- Goals: Partial and lightweight reimplementation of dak in shell script and with no database dependencies, "designed" to host new Debian architectures.
- Pro:
- easy to setup: edit a config file and run a script to generate the whole structure
- no database (the pool is the database)
- all .changes files kept for later possible importing into the master repository
- supports mail notifications and does extensive logging
- auto package obsoleting
- repository snapshotting
- supports multiple suites from the Distribution field on the .changes file
- additionally supports multipool (splitting each arch into its own pool, to ease partial mirroring)
- supports upload ACLs based on gpg public keys
- mirror push via ssh
- Cons:
- slow on huge repositories (due to not using a real db mainly)
- has been written and tested mainly as a slave archive, so might have some hardcoded stuff which should be fixed to make it work as a master server
- still has some quirks to be fixed
- Distributions: not in Debian
- Dependencies: ('grep Requires: *' on the source tree)
- apt-utils
- procmail
- gnupg
- wget
- ssh (optional)
- bzip2 (optional)
- quinn-diff (optional)
- Automatic repositories: Yes
- Incoming mechanism: Yes
Pools: Yes
- GPG signing: Yes
- Sites using it:
DebMarshal
- Goals: Maintain multiple snapshots from upstream distros, to permit staging.
- Pro: Fast, no database server needed (BerkeleyDB).
- Cons: Lack of documentation. Hasn't been released (No version available, SVN repo has only trunk).
Download: http://code.google.com/p/debmarshal/
- Distributions: not in Debian
- Automatic repositories: Yes
- Incoming mechanism: Yes
- Pools: Yes
- GPG signing: Yes
Built by Google for their use.
Related software
- netselect selects the fastest mirrors from a list you give, and netselect-apt does the same from all existing mirrors.
- apt-spy does something similar with a different method.
- dput uploads one or more Debian packages into a repository.
parse-apt-files.inc PHP-script by Jarno Elonen produces a nice XHTML-summary of available packages in a repository - enhanced version for special usage with (but not limited to) debarchiver. There seems
to be some efforts to develop a wordpress-plugin based on these scripts.
HowTos
How to setup a mini-dinstall repository on people.debian.org
an howto is available on how to quickly setup mini-dinstall on people.debian.org. It supports SecureAPT and remote signing.