9653
Comment: add a contact team section
|
9659
|
Deletions are marked like this. | Additions are marked like this. |
Line 16: | Line 16: |
Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to team at fasttrack.debian.net | Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to '''team at fasttrack.debian.net''' |
For Users
Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.
Checkout https://fasttrack.debian.net for using packages from Debian FastTrack repository. Some of the software currently available via FastTrack include Gitlab, Virtual Box and Matrix Synapse.
Server space is provided by Infomaniak (thanks to Zigo).
For maintainers
See https://fasttrack.debian.net/#FAQ for frequently asked questions about Fast Track.
Contact FastTrack Team
Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to team at fasttrack.debian.net
Sample changelog entries
bullseye-fasttrack
gitlab (13.12.8+ds1-1~fto11+1) bullseye-fasttrack; urgency=medium * Rebuild for bullseye-fasttrack. -- Pirate Praveen <praveen@debian.org> Thu, 08 Jul 2021 22:56:17 +0530
buster-fasttrack
gitlab (11.11.8+dfsg-1~fto10+1) buster-fasttrack; urgency=medium * Rebuild for buster-fasttrack. -- Pirate Praveen <praveen@debian.org> Wed, 14 Aug 2019 17:39:22 +0530
Ruby team does not want to support newer ruby versions in official -backports, so these are also uploaded in -fasttrack. When building ruby native packages that needs a rebuild against newer ruby versions, minimum version of gem2deb should be set to the version in -fasttrack (1.3+ for buster-fasttrack). You will also need to lower the debhelper-compat to 11 to fix compatibility issues with dwz.
Since we started including newer ruby and ruby native libraries in fasttrack, we are now changing +fto suffix to ~fto.
Packages temporarily blocked from official backports
We have a suite for temporarily uploading packages that otherwise qualify backports criteria but we want in backports before it hits testing (transitions, freeze, backports-new or NEW blocking security update of a package in fasttrack).
Note: To avoid confusion with official backports, we are using -backports-staging suffix from bullseye.
ruby-marcel (1.0.1+dfsg-1~bpo11+1) bullseye-backports-staging; urgency=medium * Rebuild for bullseye-backports-staging. -- Pirate Praveen <praveen@debian.org> Mon, 10 May 2021 15:26:41 +0530
rails (2:6.0.3.1+dfsg-1~bpo10+1) buster-backports; urgency=medium * Rebuild for fasttrack/buster-backports. -- Pirate Praveen <praveen@debian.org> Sun, 31 May 2020 20:28:43 +0530
Once it qualifies for official backports, it should be uploaded to official backports. Once it is accepted into official backports, it should be removed from fast track repo. Follow BuildingFormalBackports instructions to build these packages.
Building packages for fasttrack
- Create buster-fasttrack branch from the last release tag (Example: git checkout -b buster-fasttrack debian/1.1.2-1. Use git log for finding last uploaded tag).
- Add new changelog entry: run dch --bpo and modify version s/~bpo/~fto/ and s/backports/fasttrack/)
- Optional: Update minimum version of gem2deb to 1.3 (and mention it in changelog), if it is a arch:any ruby package.
- Optional: Lower debhelper-compat to 11 (and mention it in changelog), if it is an arch:any package
- Add tag gbp tag --debian-branch=buster-fasttrack
- Sample sbuild command for building packages targetting fasttrack (you will have to download fasttrack-archive-key.asc from fasttrack.debian.net).
sbuild -A -s --force-orig-source -c buster-amd64-sbuild \ --extra-repository='deb http://deb.debian.org/debian buster-backports main' \ --extra-repository='deb http://incoming.debian.org/debian-buildd buildd-buster-backports main' \ --extra-repository='deb http://fasttrack.debian.net/debian buster-backports main' \ --extra-repository='deb http://fasttrack.debian.net/debian buster-fasttrack main' \ --extra-repository-key=$HOME/fasttrack-archive-key.asc \ --build-dep-resolver=aptitude -d buster-fasttrack --no-run-lintian "$@"
You can also check this package with buster-fasttrack branch
Uploading to Fast Track
Add this to your ~/.dput.cf
[fasttrack] fqdn = fasttrack.debian.net incoming = /pub/UploadQueue/ login = anonymous allow_dcut = 1 method = ftp # Please, upload your package to the proper archive # http://fasttrack.debian.net allowed_distributions = (?!UNRELEASED|.*-security)
$ dput fasttrack gitlab_11.11.8+dfsg-1~fto10+1_amd64.changes
Note: Source only uploads are not supported at this time. Help is welcome to setup a buildd instance.
For FastTrack Admins
DAK documentation
dak setup - Documentation for managing suites, granting permissions, accepting packages etc Note: Adding a new OpenPGP key to upload-keyring.gpg requires root.
Please note that dak's documentation is not up-to-date. (dak has switched to python3 and dependencies are not documented)
fasttrack-team maintains a "federated" branch of dak https://salsa.debian.org/fasttrack-team/dak/-/tree/federated to allow binaries without source in the fasttrack dak instance (but for which source is present in upstream/official debian repos). See https://salsa.debian.org/fasttrack-team/support/-/issues/8 for why.
The federated branch is meant to be kept up-to-date with the upstream dak master.
Upgrading dak
git pull # apt install new-dependencies dak update-db
SSH upload
Add this to ~/.dput.cf for ssh upload (for unreliable connections)
[fasttrack-ssh] login = root # login = another_username fqdn = fasttrack.debian.net method = sftp incoming = /srv/dak/queue/unchecked/ allow_dcut = 1 # Please, upload your package to the proper archive # http://fasttrack.debian.net allowed_distributions = (?!UNRELEASED|.*-security)
Accept packages
dak process-upload -d /srv/dak/queue/unchecked # SSH uploads dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads dak process-new dak process-policy new dak generate-packages-sources2 dak generate-release
Remove Packages
We should remove packages from buster-backports suite when they are accepted into official archive.
dak rm -s buster-backports -C <email> <package name>
Mention 'Accepted into official buster I backports' as reason.
dak dominate dak clean-suites dak generate-packages-sources2 dak generate-release
Modifying Suite Configurations
To instruct package manager to assign priorities as defined here for a suite, do
dak admin s-cfg set <suite-name> notautomatic=True butautomaticupgrades=True
The changes will be reflected in the release file when release for the suite are generated on the next try. With the above option package manager will assign a priority of 100 for the packages from the release.
Add new architecture
Example for adding armhf for buster-fasttrack
$ dak admin architecture add armhf "Arm Hard Float Port" $ dak admin suite-architecture add buster-fasttrack armhf $ dak init-dirs
Add new OpenPGP keys for upload access
Download the keys on your local machine,
First find the OpenPGP keyid using wkd
$ gpg --locate-keys email@domain.tld # if they have setup wkd - see https://wiki.gnupg.org/WKD
or from keys.openpgp.org
$ gpg --search email@domain.tld # if the key is also available in keys.openpg.org, take keyid and download from keyring.debian.org
Or from https://salsa.debian.org/debian-keyring/keyring/-/blob/master/keyids
And download keys from keyring.debian.org
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid $ gpg --export --armor 0xF34F09744E9F5DD9 >name.key.asc $ scp name.key.asc root@fasttrack.debian.net:keys
On fasttrack server,
# ~/keys# gpg --no-default-keyring --keyring /srv/dak/keyrings/upload-keyring.gpg --import name.key.asc # su - dak $ dak import-keyring -U '%s' /srv/dak/keyrings/upload-keyring.gpg
Server Configuration
ufw
Allow all outgoing traffic
Block all incoming traffic
Open tcp ports 21 open for ftp.
Open few ports in the range 100xx to 10xxx for passive mode.
Open 80,443 port for http and https
ssh
Disable authentication via password for openssh-server
Add PasswordAuthentication no to /etc/ssh/sshd_config
nginx-http
Return 404 for files that shouldn't be publicly served
vsftpd
Set the following options in /etc/vsftpd.conf
anon_upload_enable=YES # Enables anonymous upload write_enable=YES # Enables write to be permitted pasv_enable=YES # Enables passive mode for ftp pasv_max_port=xxxxx pasv_min_port=xxxxx local_enable=NO # Disables login using local account in the server
The passive mode requires a small range of tcp ports (you can chose 10 as a range value) to be enabled. The pasv_max_port value should be greater than pasv_min_port value for the range to be proper.