List of Admins
Current list of admins: Pirate Praveen, Utkarsh Gupta, Abhijith PA, Akhil Varkey, Akshay S Dinesh, Sahil Dhiman, Gianfranco Costamagna, Mohd Bilal
DAK documentation
dak setup - Documentation for managing suites, granting permissions, accepting packages, etc.
Note: Adding a new OpenPGP key to upload-keyring.gpg requires root.
Please note that dak's documentation is not up-to-date. (dak has switched to python3 and dependencies are not documented)
fasttrack-team maintains a "federated" branch of dak https://salsa.debian.org/fasttrack-team/dak/-/tree/federated to allow binaries without source in the fasttrack dak instance (but for which source is present in upstream/official debian repos). See https://salsa.debian.org/fasttrack-team/support/-/issues/8 for why.
The federated branch is meant to be kept up-to-date with the upstream dak master.
Upgrading dak
git fetch origin
git checkout -b newbranch
git rebase origin/master
git diff newbranch oldbranch # inspect changes
# apt install new-dependencies
dak update-db
SSH upload
Add this to ~/.dput.cf for ssh upload (for unreliable connections)
[fasttrack-ssh]
login = root
# login = another_username
fqdn = fasttrack.debian.net
method = sftp
incoming = /srv/dak/queue/unchecked/
allow_dcut = 1
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions = (?!UNRELEASED|.*-security)
Accept packages
dak process-upload -d /srv/dak/queue/unchecked # SSH uploads
dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads
dak process-new
dak process-policy new
dak generate-packages-sources2
dak generate-release
Remove Packages
We should remove packages from the buster-backports suite when they are accepted into the official archive.
dak rm -s buster-backports -C <email> <package name>
Mention 'Accepted into official buster I backports' as the reason.
dak dominate
dak clean-suites
dak generate-packages-sources2
dak generate-release
Modifying Suite Configurations
To instruct the package manager to assign priorities as defined here for a suite, run
dak admin s-cfg set <suite-name> notautomatic=True butautomaticupgrades=True
The changes will be reflected in the Release file the next time the release for the suite is generated. With the above options, the package manager will assign a priority of 100 to the packages from the release.
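One way to confirm the setting took effect is to read the two fields back from the generated Release file and map them to apt's default pin priority. This is an added example, not part of dak or the original page; it assumes no target release and no apt preferences entry for the suite, and the sample header is constructed from the suite values used elsewhere on this page.

```shell
#!/bin/sh
# release_field FILE NAME: print the lower-cased value of a Release header field.
# NAME must be given in lower case; field names are matched case-insensitively.
release_field() {
    awk -F': *' -v want="$2" 'tolower($1) == want { print tolower($2); exit }' "$1"
}

# default_pin_priority FILE: print the priority apt assigns by default.
default_pin_priority() {
    na=$(release_field "$1" notautomatic)
    bau=$(release_field "$1" butautomaticupgrades)
    if [ "$na" = yes ] && [ "$bau" = yes ]; then
        echo 100   # not preferred for new installs, but installed packages get upgrades
    elif [ "$na" = yes ]; then
        echo 1     # not picked as an upgrade candidate for installed packages
    else
        echo 500   # treated like any ordinary archive
    fi
}

# Constructed sample Release header (not copied from the live archive).
sample_release=$(mktemp)
cat > "$sample_release" <<'EOF'
Origin: Debian
Label: BookwormFasttrack
Codename: bookworm-fasttrack
NotAutomatic: yes
ButAutomaticUpgrades: yes
EOF

echo "default pin priority: $(default_pin_priority "$sample_release")"
rm -f "$sample_release"
```

Run default_pin_priority against the suite's Release file after dak generate-release; anything other than 100 means the s-cfg change has not reached the published file yet.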
Add new architecture
Example for adding armhf for buster-fasttrack
$ dak admin architecture add armhf "Arm Hard Float Port"
$ dak admin suite-architecture add buster-fasttrack armhf
$ dak init-dirs
Add new suite
Example for adding bookworm-fasttrack
$ dak admin suite add-all-arches bookworm-fasttrack 12.0 origin=Debian label=BookwormFasttrack codename=bookworm-fasttrack
$ dak init-dirs
When accepting golang packages in NEW
You need to change the section of some golang packages to devel when accepting them from NEW.
dak@fasttrack:~$ dak process-new && dak process-policy new
golang-github-hashicorp-go-retryablehttp_0.7.1-1~bpo11+1_amd64.changes
----------------------------------------------------------------------
Target: bullseye-backports-staging
Changed-By: XYZ <xyz@debian.org>
Date: Fri, 10 Mar 2023 14:23:34 +0530
NEW
golang-github-hashicorp-go-retryablehttp-dev optional golang [!]
dsc:golang-github-hashicorp-go-retryablehttp optional misc
W: [!] marked entries must be fixed before package can be processed.
Edit overrides, Check, Manual reject, Note edit, Prod, [S]kip, Quit ?
You have to override the section by changing it to devel
Add new OpenPGP keys for upload access
Download the keys on your local machine,
First find the OpenPGP keyid using wkd
$ gpg --locate-keys email@domain.tld # if they have set up WKD - see https://wiki.gnupg.org/WKD
or from keys.openpgp.org
$ gpg --search email@domain.tld # if the key is also available in keys.openpgp.org, take the keyid and download from keyring.debian.org
Or from https://salsa.debian.org/debian-keyring/keyring/-/blob/master/keyids
And download keys from keyring.debian.org
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid
$ gpg --export --armor 0xF34F09744E9F5DD9 >name.key.asc
$ scp name.key.asc root@fasttrack.debian.net:keys
On fasttrack server,
# ~/keys# gpg --no-default-keyring --keyring /srv/dak/keyrings/upload-keyring.gpg --import name.key.asc
# su - dak
$ dak import-keyring -U '%s' /srv/dak/keyrings/upload-keyring.gpg
Server Configuration
ufw
Allow all outgoing traffic
Block all incoming traffic
Open TCP port 21 for FTP.
Open a few ports in the range 100xx to 10xxx for passive mode.
Open ports 80 and 443 for HTTP and HTTPS
ssh
Disable authentication via password for openssh-server
Add PasswordAuthentication no to /etc/ssh/sshd_config
nginx-http
Return 404 for files that shouldn't be publicly served
vsftpd
Set the following options in /etc/vsftpd.conf
# Enables anonymous upload
anon_upload_enable=YES
# Enables write to be permitted
write_enable=YES
# Enables passive mode for ftp
pasv_enable=YES
pasv_max_port=xxxxx
pasv_min_port=xxxxx
# Disables login using local account in the server
local_enable=NO
Passive mode requires a small range of TCP ports to be enabled (you can choose 10 as the range size). The pasv_max_port value must be greater than the pasv_min_port value for the range to be valid.
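The passive range in vsftpd.conf and the range opened in ufw have to match, so a small check can derive the firewall rule from the config. This is an added example, not part of the original page. The function names are hypothetical and the port numbers in the sample are constructed, not the server's real range. vsftpd accepts only strict option=value lines, so a directive with spaces or trailing text is reported as malformed.

```shell
#!/bin/sh
# vsftpd_opt FILE NAME: numeric value of a well-formed "NAME=value" line.
# If the option is repeated, the last occurrence is used here (an assumption).
vsftpd_opt() {
    sed -n "s/^$2=\([0-9][0-9]*\)\$/\1/p" "$1" | tail -n 1
}

# pasv_ufw_rule FILE: print the ufw rule that opens exactly the passive range,
# or fail when the range is missing, malformed or not increasing.
pasv_ufw_rule() {
    min=$(vsftpd_opt "$1" pasv_min_port)
    max=$(vsftpd_opt "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port or pasv_max_port missing or malformed" >&2
        return 1
    fi
    if [ "$max" -le "$min" ] || [ "$max" -gt 65535 ]; then
        echo "invalid passive range $min-$max" >&2
        return 1
    fi
    # ufw needs the protocol when a port range is given.
    echo "ufw allow $min:$max/tcp"
}

# Constructed sample config; ports are placeholders for illustration only.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
anon_upload_enable=YES
write_enable=YES
pasv_enable=YES
pasv_max_port=10099
pasv_min_port=10090
local_enable=NO
EOF

pasv_ufw_rule "$sample_conf"
rm -f "$sample_conf"
```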