Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.
Checkout https://fasttrack.debian.net for using packages from Debian FastTrack repository. Some of the software currently available via FastTrack include Gitlab, Virtual Box. Matrix Synapse was in buster-fasttrack briefly (now it is available in backports).
Presentation at DebConf 22 in Kosovo:
Server space is provided by Infomaniak (thanks to Zigo).
Archived version of the website at https://archive.is/7QPDI can be used as a fallback option if the main site is not accessible.
FastTrack Mirror at https://mirror.linux.pizza/debian-fasttrack/ can be used as a fallback option if the main repository is not accessible.
See https://fasttrack.debian.net/#FAQ for frequently asked questions about Fast Track.
Deciding which suite to target
- Packages permanently blocked from official backports go to -fasttrack (either it does not qualify for backports or its maintainers specifically don't want it in backports)
- Others go to -backports (if relevant outside -fasttrack) or -backports-staging (for convenience)
We can upload a package to backports only if it is in testing already. Also first time upload to backports usually takes at least a week to clear backports-NEW. If we don't want to wait for a package to reach testing or clear backports-NEW, we upload to backports-staging. If a package is useful for others and not just for gitlab, we try to upload to backports. gitlab, gitaly, ruby or ruby C extensions or packages depending on C extensions, we upload to fasttrack.
May be we can simplify this for bookworm, see https://salsa.debian.org/fasttrack-team/support/-/issues/34 for the proposal.
Contact FastTrack Team
Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to team at fasttrack.debian.net
Sample changelog entries
gitlab (13.12.8+ds1-1~fto11+1) bullseye-fasttrack; urgency=medium * Rebuild for bullseye-fasttrack. -- Pirate Praveen <email@example.com> Thu, 08 Jul 2021 22:56:17 +0530
Since we started including newer ruby and ruby native libraries in fasttrack, we are now changing +fto suffix to ~fto.
gitlab (11.11.8+dfsg-1~fto10+1) buster-fasttrack; urgency=medium * Rebuild for buster-fasttrack. -- Pirate Praveen <firstname.lastname@example.org> Wed, 14 Aug 2019 17:39:22 +0530
What other packages can be in -fasttrack?
Ruby team does not want to support newer ruby versions in official -backports, so these are also uploaded in -fasttrack. ruby native packages that needs a rebuild against newer ruby versions, and any rubygem that depends on a native packages should be uploaded to -fasttrack (to avoid maintaining it in both -fasttrack and -backports). For example, ruby-rails and any gem that depends on a rails component is uploaded to -fasttrack.
Packages temporarily blocked from official backports
We have a suite for temporarily uploading packages that otherwise qualify backports criteria but we want in backports before it hits testing (transitions, freeze, backports-new or NEW blocking security update of a package in fasttrack).
Note: To avoid confusion with official backports, we are using -backports-staging suffix from bullseye.
ruby-marcel (1.0.1+dfsg-1~bpo11+1) bullseye-backports-staging; urgency=medium * Rebuild for bullseye-backports-staging. -- Pirate Praveen <email@example.com> Mon, 10 May 2021 15:26:41 +0530
rails (2:126.96.36.199+dfsg-1~bpo10+1) buster-backports; urgency=medium * Rebuild for fasttrack/buster-backports. -- Pirate Praveen <firstname.lastname@example.org> Sun, 31 May 2020 20:28:43 +0530
Once it qualifies for official backports, it should be uploaded to official backports. Once it is accepted into official backports, it should be removed from fast track repo. Follow BuildingFormalBackports instructions to build these packages.
Since many dependencies are only relevant for packages in -fasttrack, we relax this rule to upload packages that qualifies for official backports to be uploaded there to avoid extra maintenance work (as we have to upload anyway to -backports-staging to avoid backports-new delay). If a backported package is useful outside -fasttrack it is recommended to upload it to official -backports.
Building packages for fasttrack
- Create bullseye-fasttrack branch from the last release tag (Example: git checkout -b bullseye-fasttrack debian/1.1.2-1. Use git log for finding last uploaded tag).
- Add new changelog entry: run dch --bpo and modify version s/~bpo11/~fto11/ and s/bullseye-backports/bullseye-fasttrack/)
- Add tag gbp tag --debian-branch=bullseye-fasttrack
- Sample sbuild command for building packages targetting fasttrack (you will have to install fasttrack-archive-keyring package).
sbuild -A -s --force-orig-source -c bullseye-amd64-sbuild \ --extra-repository='deb http://deb.debian.org/debian bullseye-backports main' \ --extra-repository='deb http://fasttrack.debian.net/debian bullseye-backports-staging main' \ --extra-repository='deb http://fasttrack.debian.net/debian bullseye-fasttrack main' \ --extra-repository-key=/etc/apt/trusted.gpg.d/fasttrack-archive-keyring.gpg \ --build-dep-resolver=aptitude -d bullseye-fasttrack --no-run-lintian "$@"
- Create buster-fasttrack branch from the last release tag (Example: git checkout -b buster-fasttrack debian/1.1.2-1. Use git log for finding last uploaded tag).
- Add new changelog entry: run dch --bpo and modify version s/~bpo/~fto/ and s/backports/fasttrack/)
- Optional: Update minimum version of gem2deb to 1.3 (and mention it in changelog), if it is a arch:any ruby package.
- Optional: Lower debhelper-compat to 11 (and mention it in changelog), if it is an arch:any package
- Add tag gbp tag --debian-branch=buster-fasttrack
- Sample sbuild command for building packages targetting fasttrack (you will have to download fasttrack-archive-key.asc from fasttrack.debian.net).
sbuild -A -s --force-orig-source -c buster-amd64-sbuild \ --extra-repository='deb http://deb.debian.org/debian buster-backports main' \ --extra-repository='deb http://incoming.debian.org/debian-buildd buildd-buster-backports main' \ --extra-repository='deb http://fasttrack.debian.net/debian buster-backports main' \ --extra-repository='deb http://fasttrack.debian.net/debian buster-fasttrack main' \ --extra-repository-key=$HOME/fasttrack-archive-key.asc \ --build-dep-resolver=aptitude -d buster-fasttrack --no-run-lintian "$@"
You can also check this package with buster-fasttrack branch
Uploading to Fast Track
Add this to your ~/.dput.cf
[fasttrack] fqdn = fasttrack.debian.net incoming = /pub/UploadQueue/ login = anonymous allow_dcut = 1 method = ftp # Please, upload your package to the proper archive # http://fasttrack.debian.net allowed_distributions = (?!UNRELEASED|.*-security)
$ dput fasttrack gitlab_11.11.8+dfsg-1~fto10+1_amd64.changes
Note: Source only uploads are not supported at this time. Help is welcome to setup a buildd instance.
For FastTrack Admins
Current list of admins: Pirate Praveen, Utkarsh Gupta, Abhijith PA, Akhil Varkey, Akshay S Dinesh, Sahil Dhiman, Gianfranco Costamagna, Mohd Bilal
dak setup - Documentation for managing suites, granting permissions, accepting packages etc Note: Adding a new OpenPGP key to upload-keyring.gpg requires root.
Please note that dak's documentation is not up-to-date. (dak has switched to python3 and dependencies are not documented)
fasttrack-team maintains a "federated" branch of dak https://salsa.debian.org/fasttrack-team/dak/-/tree/federated to allow binaries without source in the fasttrack dak instance (but for which source is present in upstream/official debian repos). See https://salsa.debian.org/fasttrack-team/support/-/issues/8 for why.
The federated branch is meant to be kept up-to-date with the upstream dak master.
git fetch origin git checkout -b newbranch git rebase origin/master git diff newbranch oldbranch # inspect changes # apt install new-dependencies dak update-db
Add this to ~/.dput.cf for ssh upload (for unreliable connections)
[fasttrack-ssh] login = root # login = another_username fqdn = fasttrack.debian.net method = sftp incoming = /srv/dak/queue/unchecked/ allow_dcut = 1 # Please, upload your package to the proper archive # http://fasttrack.debian.net allowed_distributions = (?!UNRELEASED|.*-security)
dak process-upload -d /srv/dak/queue/unchecked # SSH uploads dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads dak process-new dak process-policy new dak generate-packages-sources2 dak generate-release
We should remove packages from buster-backports suite when they are accepted into official archive.
dak rm -s buster-backports -C <email> <package name>
Mention 'Accepted into official buster I backports' as reason.
dak dominate dak clean-suites dak generate-packages-sources2 dak generate-release
Modifying Suite Configurations
To instruct package manager to assign priorities as defined here for a suite, do
dak admin s-cfg set <suite-name> notautomatic=True butautomaticupgrades=True
The changes will be reflected in the release file when release for the suite are generated on the next try. With the above option package manager will assign a priority of 100 for the packages from the release.
Add new architecture
Example for adding armhf for buster-fasttrack
$ dak admin architecture add armhf "Arm Hard Float Port" $ dak admin suite-architecture add buster-fasttrack armhf $ dak init-dirs
Add new OpenPGP keys for upload access
Download the keys on your local machine,
First find the OpenPGP keyid using wkd
$ gpg --locate-keys email@example.com # if they have setup wkd - see https://wiki.gnupg.org/WKD
or from keys.openpgp.org
$ gpg --search firstname.lastname@example.org # if the key is also available in keys.openpg.org, take keyid and download from keyring.debian.org
And download keys from keyring.debian.org
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid $ gpg --export --armor 0xF34F09744E9F5DD9 >name.key.asc $ scp name.key.asc email@example.com:keys
On fasttrack server,
# ~/keys# gpg --no-default-keyring --keyring /srv/dak/keyrings/upload-keyring.gpg --import name.key.asc # su - dak $ dak import-keyring -U '%s' /srv/dak/keyrings/upload-keyring.gpg
Allow all outgoing traffic
Block all incoming traffic
Open tcp ports 21 open for ftp.
Open few ports in the range 100xx to 10xxx for passive mode.
Open 80,443 port for http and https
Disable authentication via password for openssh-server
Add PasswordAuthentication no to /etc/ssh/sshd_config
Return 404 for files that shouldn't be publicly served
Set the following options in /etc/vsftpd.conf
anon_upload_enable=YES # Enables anonymous upload write_enable=YES # Enables write to be permitted pasv_enable=YES # Enables passive mode for ftp pasv_max_port=xxxxx pasv_min_port=xxxxx local_enable=NO # Disables login using local account in the server
The passive mode requires a small range of tcp ports (you can chose 10 as a range value) to be enabled. The pasv_max_port value should be greater than pasv_min_port value for the range to be proper.