Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.

See this proposal to create a fasttrack repo for packages like gitlab to understand the rationale and technical details.

This new unofficial service is being setup at http://fasttrack.debian.net

Server space is provided by Infomaniak (thanks to Zigo).

Add this to your ~/.dput.cf

[fasttrack]
fqdn                    = fasttrack.debian.net
incoming                = /pub/UploadQueue/
login                   = anonymous
allow_dcut              = 1
method                  = ftp
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

Sample changelog entry

gitlab (11.11.8+dfsg-1+fto10+1) buster-fasttrack; urgency=medium

  * Rebuild for buster-fasttrack.

 -- Pirate Praveen <praveen@debian.org>  Wed, 14 Aug 2019 17:39:22 +0530

Note: Since this package is not expected to be upgradable when next stable version is released (unlike backports), the version does not have to be lesser than the version in unstable/testing.

We have a buster-backports suite as well for temporarily uploading packages that otherwise qualify backports criteria but we want in backports before it hits testing (transitions, freeze or blocking security update of a package in fasttrack). Once it reaches official backports, it should be removed from fast track repo.

Admins corner

DAK documentation

SSH upload

Add this to ~/.dput.cf for ssh upload (for unreliable connections)

[fasttrack-ssh]

login   = root
# login = another_username
fqdn    = fasttrack.debian.net
method  = sftp
incoming        = /srv/dak/queue/unchecked/
allow_dcut      = 1
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

Remove Packages

We should remove packages from buster-backports suite when they are accepted into official archive.

dak rm -s buster-backports -C <email> <package name>

Mention 'Accepted into official buster I backports' as reason.

dak generate-packages-sources2
dak generate-release
rm -rf /srv/dak/ftp/pool/<path to package>

Server Configuration

ufw

Allow all outgoing traffic

Block all incoming traffic

Open tcp ports 21 open for ftp.

Open few ports in the range 100xx to 10xxx for passive mode.

Open 80,443 port for http and https

ssh

Disable authentication via password for openssh-server

Add PasswordAuthentication no to /etc/ssh/sshd_config

nginx-http

Return 404 for files that shouldn't be publicly served

vsftpd

Set the following options in /etc/vsftpd.conf

anon_upload_enable=YES # Enables anonymous upload

write_enable=YES # Enables write to be permitted

pasv_enable=YES # Enables passive mode for ftp 

pasv_max_port=xxxxx

pasv_min_port=xxxxx

local_enable=NO # Disables login using local account in the server

The passive mode requires a small range of tcp ports (you can chose 10 as a range value) to be enabled. The pasv_max_port value should be greater than pasv_min_port value for the range to be proper.