Differences between revisions 16 and 17
Revision 16 as of 2020-11-18 12:42:42
Size: 4354
Editor: Praveen A
Comment: add note about building ruby native packages
Revision 17 as of 2020-11-25 15:51:16
Size: 4548
Editor: Praveen A
Comment: add sbuild sample command

=== Building packages for fasttrack ===
 * [[https://git.fosscommunity.in/praveen/debian-scripts/-/blob/master/sbuild-fto|Sample sbuild command]] for building packages targetting fasttrack.
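Review bot: the added list item only links to a script on the master branch of a personal repository (.../blob/master/sbuild-fto), so the page itself shows no command and the link target can change or disappear without any wiki revision recording it. Consider pasting the sbuild invocation inline under the new heading, or linking to a fixed commit instead of master. Spelling in the same line: "targetting" should be "targeting".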

Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.

See this proposal to create a fasttrack repo for packages like gitlab to understand the rationale and technical details.

This new unofficial service is being set up at http://fasttrack.debian.net

Server space is provided by Infomaniak (thanks to Zigo).

Add this to your ~/.dput.cf

[fasttrack]
fqdn                    = fasttrack.debian.net
incoming                = /pub/UploadQueue/
login                   = anonymous
allow_dcut              = 1
method                  = ftp
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

Sample changelog entry

gitlab (11.11.8+dfsg-1+fto10+1) buster-fasttrack; urgency=medium

  * Rebuild for buster-fasttrack.

 -- Pirate Praveen <praveen@debian.org>  Wed, 14 Aug 2019 17:39:22 +0530

Note: Since this package is not expected to be upgradable when the next stable version is released (unlike backports), the version does not have to be lower than the version in unstable/testing.

Packages temporarily blocked from official backports

We also have a buster-backports suite for temporarily uploading packages that otherwise meet the backports criteria but that we want in backports before they reach testing (transitions, freeze, or blocking a security update of a package in fasttrack). Once a package reaches official backports, it should be removed from the fasttrack repo.

Ruby packages that need rebuild against newer ruby version

The Ruby team does not want to support newer ruby versions in -backports, so these are also uploaded to -fasttrack. When building ruby native packages that need a rebuild against newer ruby versions, the minimum version of gem2deb should be set to the version in -fasttrack (1.3+ for buster-fasttrack).

Building packages for fasttrack

Admins corner

DAK documentation

  • dak setup - Documentation for managing suites, granting permissions, accepting packages, etc.

Note: Adding a new GPG key to upload-keyring.gpg requires root.

SSH upload

Add this to ~/.dput.cf for ssh upload (for unreliable connections)

[fasttrack-ssh]
login   = root
# login = another_username
fqdn    = fasttrack.debian.net
method  = sftp
incoming        = /srv/dak/queue/unchecked/
allow_dcut      = 1
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

Accept packages

dak process-upload -d /srv/dak/queue/unchecked # SSH uploads
dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads
dak process-new
dak process-policy new
dak generate-packages-sources2
dak generate-release

Remove Packages

We should remove packages from the buster-backports suite when they are accepted into the official archive.

dak rm -s buster-backports -C <email> <package name>

Mention 'Accepted into official buster I backports' as reason.

dak generate-packages-sources2
dak generate-release
rm -rf /srv/dak/ftp/pool/<path to package>

Server Configuration

ufw

Allow all outgoing traffic

Block all incoming traffic

Open TCP port 21 for FTP.

Open a few ports in the range 100xx to 10xxx for passive mode.

Open ports 80 and 443 for HTTP and HTTPS.

ssh

Disable authentication via password for openssh-server

Add PasswordAuthentication no to /etc/ssh/sshd_config

nginx-http

Return 404 for files that shouldn't be publicly served

vsftpd

Set the following options in /etc/vsftpd.conf

# vsftpd does not accept a comment after a value, so comments go on their own lines

# Enables anonymous upload
anon_upload_enable=YES

# Enables write to be permitted
write_enable=YES

# Enables passive mode for ftp
pasv_enable=YES

pasv_max_port=xxxxx

pasv_min_port=xxxxx

# Disables login using local account in the server
local_enable=NO

Passive mode requires a small range of TCP ports to be open (you can choose 10 as the range size). The pasv_max_port value must be greater than the pasv_min_port value for the range to be valid.
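
A consistency check for the ufw and vsftpd settings above, as an added example that is not part of the original wiki page: it reads the passive range from a vsftpd.conf, rejects an unset, non-numeric or reversed range, and prints the ufw rules that match the policy listed under "ufw". The function names and the sample ports 10090 to 10099 are constructed for illustration; the wiki does not state the real range.

```shell
#!/bin/sh
# Added example, not from the wiki page. Names and sample ports are constructed.

# Constructed sample vsftpd.conf with a 10-port passive range.
sample_conf() {
    cat <<'EOF'
anon_upload_enable=YES
write_enable=YES
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10099
local_enable=NO
EOF
}

# Print the value of option $2 in file $1 (this script takes the last one).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print ufw rules matching the wiki's policy and the passive range in $1.
# Returns 1 when a bound is unset, not a plain number, or the range is reversed.
pasv_ufw_rules() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    for v in "$min" "$max"; do
        case $v in
            # vsftpd takes everything after '=' as the value, so a trailing
            # comment or space ends up here and is rejected.
            ''|*[!0-9]*) echo "bad passive port value: '$v'" >&2; return 1 ;;
        esac
    done
    if [ "$min" -ge "$max" ]; then
        echo "pasv_min_port ($min) must be below pasv_max_port ($max)" >&2
        return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow 21/tcp"
    echo "ufw allow $min:$max/tcp"
    echo "ufw allow 80,443/tcp"
}

# Demonstration on the constructed sample; prints the five rules.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
pasv_ufw_rules "$demo_conf"
rm -f "$demo_conf"
```

The printed rules are meant to be reviewed and then run as root; the script itself changes nothing on the firewall.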