For Users

Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.

Checkout https://fasttrack.debian.net for using packages from Debian FastTrack repository. Some of the software currently available via FastTrack include Gitlab, Virtual Box. Matrix Synapse was in buster-fasttrack briefly (now it is available in backports).

Presentation at DebConf 22 in Kosovo:

Server space is provided by Infomaniak (thanks to Zigo).

Archived version of the website at https://archive.is/7QPDI can be used as a fallback option if the main site is not accessible.

FastTrack Mirror at https://mirror.linux.pizza/debian-fasttrack/ can be used as a fallback option if the main repository is not accessible.

For maintainers

See https://fasttrack.debian.net/#FAQ for frequently asked questions about Fast Track.

Deciding which suite to target

  1. Packages permanently blocked from official backports go to -fasttrack (either it does not qualify for backports or its maintainers specifically don't want it in backports)
  2. Others go to -backports (if relevant outside -fasttrack) or -backports-staging (for convenience)

We can upload a package to backports only if it is in testing already. Also first time upload to backports usually takes at least a week to clear backports-NEW. If we don't want to wait for a package to reach testing or clear backports-NEW, we upload to backports-staging. If a package is useful for others and not just for gitlab, we try to upload to backports. gitlab, gitaly, ruby or ruby C extensions or packages depending on C extensions, we upload to fasttrack.

May be we can simplify this for bookworm, see https://salsa.debian.org/fasttrack-team/support/-/issues/34 for the proposal.

Contact FastTrack Team

Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to team at fasttrack.debian.net

Sample changelog entries

bullseye-fasttrack

gitlab (13.12.8+ds1-1~fto11+1) bullseye-fasttrack; urgency=medium

  * Rebuild for bullseye-fasttrack.

 -- Pirate Praveen <praveen@debian.org>  Thu, 08 Jul 2021 22:56:17 +0530

Since we started including newer ruby and ruby native libraries in fasttrack, we are now changing +fto suffix to ~fto.

buster-fasttrack

gitlab (11.11.8+dfsg-1~fto10+1) buster-fasttrack; urgency=medium

  * Rebuild for buster-fasttrack.

 -- Pirate Praveen <praveen@debian.org>  Wed, 14 Aug 2019 17:39:22 +0530

What other packages can be in -fasttrack?

Ruby team does not want to support newer ruby versions in official -backports, so these are also uploaded in -fasttrack. ruby native packages that needs a rebuild against newer ruby versions, and any rubygem that depends on a native packages should be uploaded to -fasttrack (to avoid maintaining it in both -fasttrack and -backports). For example, ruby-rails and any gem that depends on a rails component is uploaded to -fasttrack.

Packages temporarily blocked from official backports

We have a suite for temporarily uploading packages that otherwise qualify backports criteria but we want in backports before it hits testing (transitions, freeze, backports-new or NEW blocking security update of a package in fasttrack).

Note: To avoid confusion with official backports, we are using -backports-staging suffix from bullseye.

ruby-marcel (1.0.1+dfsg-1~bpo11+1) bullseye-backports-staging; urgency=medium

  * Rebuild for bullseye-backports-staging.

 -- Pirate Praveen <praveen@debian.org>  Mon, 10 May 2021 15:26:41 +0530

rails (2:6.0.3.1+dfsg-1~bpo10+1) buster-backports; urgency=medium

  * Rebuild for fasttrack/buster-backports.

 -- Pirate Praveen <praveen@debian.org>  Sun, 31 May 2020 20:28:43 +0530

Once it qualifies for official backports, it should be uploaded to official backports. Once it is accepted into official backports, it should be removed from fast track repo. Follow BuildingFormalBackports instructions to build these packages.

Since many dependencies are only relevant for packages in -fasttrack, we relax this rule to upload packages that qualifies for official backports to be uploaded there to avoid extra maintenance work (as we have to upload anyway to -backports-staging to avoid backports-new delay). If a backported package is useful outside -fasttrack it is recommended to upload it to official -backports.

Building packages for fasttrack

bullseye-fasttrack

  1. Create bullseye-fasttrack branch from the last release tag (Example: git checkout -b bullseye-fasttrack debian/1.1.2-1. Use git log for finding last uploaded tag).
  2. Add new changelog entry: run dch --bpo and modify version s/~bpo11/~fto11/ and s/bullseye-backports/bullseye-fasttrack/)
  3. Add tag gbp tag --debian-branch=bullseye-fasttrack
  4. Sample sbuild command for building packages targetting fasttrack (you will have to install fasttrack-archive-keyring package).

sbuild -A -s --force-orig-source -c bullseye-amd64-sbuild \
--extra-repository='deb http://deb.debian.org/debian bullseye-backports main' \
--extra-repository='deb http://fasttrack.debian.net/debian bullseye-backports-staging main' \
--extra-repository='deb http://fasttrack.debian.net/debian bullseye-fasttrack main' \
--extra-repository-key=/etc/apt/trusted.gpg.d/fasttrack-archive-keyring.gpg \
--build-dep-resolver=aptitude -d bullseye-fasttrack --no-run-lintian "$@"

buster-fasttrack

  1. Create buster-fasttrack branch from the last release tag (Example: git checkout -b buster-fasttrack debian/1.1.2-1. Use git log for finding last uploaded tag).
  2. Add new changelog entry: run dch --bpo and modify version s/~bpo/~fto/ and s/backports/fasttrack/)
  3. Optional: Update minimum version of gem2deb to 1.3 (and mention it in changelog), if it is a arch:any ruby package.
  4. Optional: Lower debhelper-compat to 11 (and mention it in changelog), if it is an arch:any package
  5. Add tag gbp tag --debian-branch=buster-fasttrack
  6. Sample sbuild command for building packages targetting fasttrack (you will have to download fasttrack-archive-key.asc from fasttrack.debian.net).

sbuild -A -s --force-orig-source -c buster-amd64-sbuild \
--extra-repository='deb http://deb.debian.org/debian buster-backports main' \
--extra-repository='deb http://incoming.debian.org/debian-buildd buildd-buster-backports main' \
--extra-repository='deb http://fasttrack.debian.net/debian buster-backports main' \
--extra-repository='deb http://fasttrack.debian.net/debian buster-fasttrack main' \
--extra-repository-key=$HOME/fasttrack-archive-key.asc \
--build-dep-resolver=aptitude -d buster-fasttrack --no-run-lintian "$@"

You can also check this package with buster-fasttrack branch

Uploading to Fast Track

Add this to your ~/.dput.cf

[fasttrack]
fqdn                    = fasttrack.debian.net
incoming                = /pub/UploadQueue/
login                   = anonymous
allow_dcut              = 1
method                  = ftp
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

$ dput fasttrack gitlab_11.11.8+dfsg-1~fto10+1_amd64.changes

Note: Source only uploads are not supported at this time. Help is welcome to setup a buildd instance.

You can see the ?UploadQueue at ftp://fasttrack.debian.net/pub/UploadQueue/

For FastTrack Admins

Current list of admins: Pirate Praveen, Utkarsh Gupta, Abhijith PA, Akhil Varkey, Akshay S Dinesh, Sahil Dhiman, Gianfranco Costamagna, Mohd Bilal

DAK documentation

Please note that dak's documentation is not up-to-date. (dak has switched to python3 and dependencies are not documented)

fasttrack-team maintains a "federated" branch of dak https://salsa.debian.org/fasttrack-team/dak/-/tree/federated to allow binaries without source in the fasttrack dak instance (but for which source is present in upstream/official debian repos). See https://salsa.debian.org/fasttrack-team/support/-/issues/8 for why.

The federated branch is meant to be kept up-to-date with the upstream dak master.

Upgrading dak

git fetch origin
git checkout -b newbranch
git rebase origin/master
git diff newbranch oldbranch # inspect changes
# apt install new-dependencies
dak update-db

SSH upload

Add this to ~/.dput.cf for ssh upload (for unreliable connections)

[fasttrack-ssh]
login   = root
# login = another_username
fqdn    = fasttrack.debian.net
method  = sftp
incoming        = /srv/dak/queue/unchecked/
allow_dcut      = 1
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

Accept packages

dak process-upload -d /srv/dak/queue/unchecked # SSH uploads
dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads
dak process-new
dak process-policy new
dak generate-packages-sources2
dak generate-release

Remove Packages

We should remove packages from buster-backports suite when they are accepted into official archive.

dak rm -s buster-backports -C <email> <package name>

Mention 'Accepted into official buster I backports' as reason.

dak dominate
dak clean-suites
dak generate-packages-sources2
dak generate-release

Modifying Suite Configurations

To instruct package manager to assign priorities as defined here for a suite, do

dak admin s-cfg set <suite-name> notautomatic=True butautomaticupgrades=True

The changes will be reflected in the release file when release for the suite are generated on the next try. With the above option package manager will assign a priority of 100 for the packages from the release.

Add new architecture

Example for adding armhf for buster-fasttrack

$ dak admin architecture add armhf "Arm Hard Float Port"
$ dak admin suite-architecture add buster-fasttrack armhf
$ dak init-dirs

Add new OpenPGP keys for upload access

Download the keys on your local machine,

First find the OpenPGP keyid using wkd

$ gpg --locate-keys email@domain.tld # if they have setup wkd - see https://wiki.gnupg.org/WKD

or from keys.openpgp.org

$ gpg --search email@domain.tld # if the key is also available in keys.openpg.org, take keyid and download from keyring.debian.org

Or from https://salsa.debian.org/debian-keyring/keyring/-/blob/master/keyids

And download keys from keyring.debian.org

$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid
$ gpg --export --armor 0xF34F09744E9F5DD9 >name.key.asc
$ scp name.key.asc root@fasttrack.debian.net:keys

On fasttrack server,

# ~/keys# gpg --no-default-keyring --keyring /srv/dak/keyrings/upload-keyring.gpg --import name.key.asc
# su - dak
$ dak import-keyring -U '%s' /srv/dak/keyrings/upload-keyring.gpg

Server Configuration

ufw

Allow all outgoing traffic

Block all incoming traffic

Open tcp ports 21 open for ftp.

Open few ports in the range 100xx to 10xxx for passive mode.

Open 80,443 port for http and https

ssh

Disable authentication via password for openssh-server

Add PasswordAuthentication no to /etc/ssh/sshd_config

nginx-http

Return 404 for files that shouldn't be publicly served

vsftpd

Set the following options in /etc/vsftpd.conf

anon_upload_enable=YES # Enables anonymous upload

write_enable=YES # Enables write to be permitted

pasv_enable=YES # Enables passive mode for ftp 

pasv_max_port=xxxxx

pasv_min_port=xxxxx

local_enable=NO # Disables login using local account in the server

The passive mode requires a small range of tcp ports (you can chose 10 as a range value) to be enabled. The pasv_max_port value should be greater than pasv_min_port value for the range to be proper.