• HowToSetupADebianRepository

This document summarises what I have found about setting up a Debian package repository.

I have taken care of providing the most correct information at the time of writing but if you find any inaccuracy, please, fix it.

There are 2 kinds of repositories from user's view:

These have different meta-data structure, but both store actual package files. Many repository HOWTOs address creation of a "trivial archive". These are problematic since the "trivial archive" lacks support for apt-pinning and modern secure APT due to the collision of 2 types of Release files. (e.g., old "Debian Reference (sarge)" and "APT HOWTO (sarge)")

Even with an "official archive", you can create a much simpler archive than the real official one. This is explained in Debian Reference (lenny) using apt-ftparchive in apt-utils and dupload. All uploaded packages are located in a directory and no database server is needed. This may be good enough for people hosting a few packages.

For creating something similar to the official archive, there are some good packages to help you but they tend to require a database server.

The following sections contain more info about these applications.

dak (Debian Archive Kit)

• Goals: Packaging of the tools handling the official Debian repositories.
• Pro: Real stuff.
• Cons: Depends on python and PostgreSQL (even if on an other host), lack of documentation, designed for large repositorues.

• Package: http://packages.qa.debian.org/d/dak.html

  • python
  • postgresql (optional)

• Distributions: stable, unstable, still the CVS version is ages ahead

• Dependencies: http://packages.debian.org/unstable/devel/dak

• Automatic repositories: Yes
• Incoming mechanism: Yes

• Pools: Yes

• GPG signing: Yes

• Wiki Page: dak

reprepro (formerly known as mirrorer)

• Goals: Local Debian package repository storing files in a pool/ directory.
• Pro: Strict checking of what comes in, no database server needed.
• Cons: ?

• Package: http://packages.qa.debian.org/r/reprepro.html

• Distributions: stable, testing, unstable and etch-backports

• Dependencies: http://packages.debian.org/unstable/utils/reprepro

• Automatic repositories: Yes
• Incoming mechanism: Yes
• Pools: Yes
• GPG signing: Yes

• HOWTO: Setting up your own automatic Debian repository see this arcticle on reprepro. The link is rather outdated, but still contains some useful information.

debpool

• Goals: Lightweight replacement for dak using a pool layout.
• Pro:
  • No external dependencies.
  • easy to use incoming mechanism
  • standard repository (can be pinned)
• Cons:
  • only available from experimental

  • not actively maintained, although there is a debpool resurrection project which didn't made any uploads so far (2008-06-19), but there seems to be development going on

  • no checking of older packages being replaced with new ones
  • no notification of what is going on (no mails when new packages are added)

• Package: http://packages.qa.debian.org/d/debpool.html

• Distributions: experimental

• Dependencies: http://packages.debian.org/experimental/devel/debpool

  • perl
  • gnupg (optional)
• Automatic repositories: Yes
• Incoming mechanism: Yes
• Pools: Yes
• GPG signing: Yes (with gnupg).

• Wiki page: debpool

debarchiver

• Goals: Make a simpler version of dak.
• Pro:
  • easy to use incoming mechanism - even on remote systems - by using a cron-job
  • packages can be moved into a distribution by
    1. reading the Distribution value from .changes file or
    2. directly putting the whole package into a distributions-incoming directory.
  • standard repository (can be pinned)
• Cons:
  • no Pool-architecture at the moment
  • some useful checks are missing
  • cleaning needs to be done manually

• Package: http://packages.qa.debian.org/d/debarchiver.html

• Distributions: oldstable, stable, testing, unstable

• Dependencies: http://packages.debian.org/unstable/devel/debarchiver

  • adduser
  • apt-utils (recommended) | dpkg-dev
  • opalmod (Perl modules)
  • gnupg (optional)
• Automatic repositories: Yes
• Incoming mechanism: Yes

• Pools: No (but suggested somewhere at BTS).

• GPG signing: Yes (with gnupg, post-Sarge feature).

• A debarchiver how-to. An other nice debarchiver how-to (in German). An Italian howto for local Debian package mirroring (similar to apt-proxy).

• An example of a repository produced with debarchiver.

mini-dinstall

• Goals: Miniature version of dak.
• Pro:
  • Doesn't require a PostgreSQL database.
  • small footprint
• Cons:
  • produces trivial repositories (can't be pinned)

• Package: http://packages.qa.debian.org/m/mini-dinstall.html

• Distributions: stable, testing, unstable

• Dependencies: http://packages.debian.org/unstable/devel/mini-dinstall

  • apt-utils
  • python2.3
  • python-apt
• Automatic repositories: Yes (?)
• Incoming mechanism: Yes
• Pools: No
• GPG signing: Yes (external script and setup example provided in documentation)

apt-ftparchive

• Goals: Superset of dpkg-scanpackages and dpkg-scansources.
• Pro: Does not rely on any external programs aside from gzip. Creates Release and Contents files.
• Cons:

• Package: http://packages.qa.debian.org/a/apt.html

• Distributions: oldstable, stable, testing, unstable, experimental

• Dependencies: http://packages.debian.org/unstable/admin/apt-utils

• Automatic repositories: No (Yes with dupload)
• Incoming mechanism: No (Maybe with dupload)
• Pools: Yes
• GPG signing: No (Yes with dupload)
• HOWTOs:

  • apt-ftparchive generate Roberto Sanchez how-to -- he now recommend to use reprepro

  • Debian Reference (lenny)

dpkg-scanpackages and dpkg-scansources

• Goals:
• Pro:
• Cons: Cannot create Release nor Contents files.

• Package: http://packages.qa.debian.org/d/dpkg.html

• Distributions: oldstable, stable, testing, unstable

• Dependencies: http://packages.debian.org/unstable/utils/dpkg-dev

• Automatic repositories: No
• Incoming mechanism: No
• Pools: No
• GPG signing: No

• HOWTO: Aaron Isotton how-to

mini-dak

• Goals: Partial and lightweight reimplementation of dak in shell script and with no database dependencies, "designed" to host new Debian architectures.
• Pro:
  • easy to setup: edit a config file and run a script to generate the whole structure
  • no database (the pool is the database)
  • all .changes files kept for later possible importing into the master repository
  • supports mail notifications and does extensive logging
  • auto package obsoleting
  • repository snapshotting
  • supports multiple suites from the Distribution field on the .changes file
  • additionaly supports multipool (splitting each arch into its own pool, to ease partial mirroring)
  • supports upload ACLs based on gpg public keys
  • mirror push via ssh
• Cons:
  • slow on huge repositories (due to not using a real db mainly)
  • has been written and tested mainly as a slave archive, so might have some hardcoded stuff which should be fixed to make it work as a master server
  • still has some quirks to be fixed

• Download: http://www.hadrons.org/~guillem/debian/mini-dak/

• Distributions: not in Debian
• Dependencies: ('grep Requires: *' on the source tree)
  • apt-utils
  • procmail
  • gnupg
  • wget
  • ssh (optional)
  • bzip2 (optional)
  • quinn-diff (optional)
• Automatic repositories: Yes
• Incoming mechanism: Yes

• Pools: Yes

• GPG signing: Yes
• Sites using it:

  • debian-ports

  • debian-avr32

  • nexenta

Related software

• netselect selects the fastest mirrors from a list you give, and netselect-apt does the same from all existing mirrors.
• apt-spy does something similar with a different method.
• dput uploads one or more Debian packages into a repository.

• parse-apt-files.inc PHP-script by Jarno Elonen produces a nice XHTML-summary of available packages in a repository - enhanced version for special usage with (but not limited to) debarchiver. There seems to be some efforts to develop a wordpress-plugin based on these scripts.

CategoryPackageManagement