Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.
See this proposal to create a fasttrack repo for packages like gitlab to understand the rationale and technical details.
This new unofficial service is being setup at http://fasttrack.debian.net
Server space is provided by Infomaniak (thanks to Zigo).
Add this to your ~/.dput.cf
[fasttrack] fqdn = fasttrack.debian.net incoming = /pub/UploadQueue/ login = anonymous allow_dcut = 1 method = ftp # Please, upload your package to the proper archive # http://fasttrack.debian.net allowed_distributions = (?!UNRELEASED|.*-security)
Sample changelog entry
gitlab (11.11.8+dfsg-1+fto10+1) buster-fasttrack; urgency=medium * Rebuild for buster-fasttrack. -- Pirate Praveen <email@example.com> Wed, 14 Aug 2019 17:39:22 +0530
Note: Since this package is not expected to be upgradable when next stable version is released (unlike backports), the version does not have to be lesser than the version in unstable/testing.
We have a buster-backports suite as well for temporarily uploading packages that otherwise qualify backports criteria but we want in backports before it hits testing (transitions, freeze or blocking security update of a package in fasttrack). Once it reaches official backports, it should be removed from fast track repo.
dak setup - Documentation for managing suites, granting permissions, accepting packages etc Note: Adding a new gpg key to upload-keyring.gpg requires root.
Add this to ~/.dput.cf for ssh upload (for unreliable connections)
[fasttrack-ssh] login = root # login = another_username fqdn = fasttrack.debian.net method = sftp incoming = /srv/dak/queue/unchecked/ allow_dcut = 1 # Please, upload your package to the proper archive # http://fasttrack.debian.net allowed_distributions = (?!UNRELEASED|.*-security)
dak process-upload -d /srv/dak/queue/unchecked # SSH uploads dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads dak process-new dak process-policy new dak generate-packages-sources2 dak generate-release
We should remove packages from buster-backports suite when they are accepted into official archive.
dak rm -s buster-backports -C <email> <package name>
Mention 'Accepted into official buster I backports' as reason.
dak generate-packages-sources2 dak generate-release rm -rf /srv/dak/ftp/pool/<path to package>
Allow all outgoing traffic
Block all incoming traffic
Open tcp ports 21 open for ftp.
Open few ports in the range 100xx to 10xxx for passive mode.
Open 80,443 port for http and https
Disable authentication via password for openssh-server
Add PasswordAuthentication no to /etc/ssh/sshd_config
Return 404 for files that shouldn't be publicly served
Set the following options in /etc/vsftpd.conf
anon_upload_enable=YES # Enables anonymous upload write_enable=YES # Enables write to be permitted pasv_enable=YES # Enables passive mode for ftp pasv_max_port=xxxxx pasv_min_port=xxxxx local_enable=NO # Disables login using local account in the server
The passive mode requires a small range of tcp ports (you can chose 10 as a range value) to be enabled. The pasv_max_port value should be greater than pasv_min_port value for the range to be proper.