Differences between revisions 39 and 40
Revision 39 as of 2021-07-31 20:20:11
Size: 9653
Editor: Praveen A
Comment: add a contact team section
Revision 40 as of 2021-08-05 17:07:20
Size: 9659
Editor: Praveen A
Comment:
Deletions are marked like this. Additions are marked like this.
Line 16: Line 16:
Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to team at fasttrack.debian.net Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to '''team at fasttrack.debian.net'''

For Users

Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.

Checkout https://fasttrack.debian.net for using packages from Debian FastTrack repository. Some of the software currently available via FastTrack include Gitlab, Virtual Box and Matrix Synapse.

Server space is provided by Infomaniak (thanks to Zigo).

For maintainers

See https://fasttrack.debian.net/#FAQ for frequently asked questions about Fast Track.

Contact FastTrack Team

Contact fasttrack team via matrix/irc or opening salsa issues as mentioned at https://fasttrack.debian.net/#Contribute or write an email to team at fasttrack.debian.net

Sample changelog entries

bullseye-fasttrack

gitlab (13.12.8+ds1-1~fto11+1) bullseye-fasttrack; urgency=medium

  * Rebuild for bullseye-fasttrack.

 -- Pirate Praveen <praveen@debian.org>  Thu, 08 Jul 2021 22:56:17 +0530

buster-fasttrack

gitlab (11.11.8+dfsg-1~fto10+1) buster-fasttrack; urgency=medium

  * Rebuild for buster-fasttrack.

 -- Pirate Praveen <praveen@debian.org>  Wed, 14 Aug 2019 17:39:22 +0530

Ruby team does not want to support newer ruby versions in official -backports, so these are also uploaded in -fasttrack. When building ruby native packages that needs a rebuild against newer ruby versions, minimum version of gem2deb should be set to the version in -fasttrack (1.3+ for buster-fasttrack). You will also need to lower the debhelper-compat to 11 to fix compatibility issues with dwz.

Since we started including newer ruby and ruby native libraries in fasttrack, we are now changing +fto suffix to ~fto.

Packages temporarily blocked from official backports

We have a suite for temporarily uploading packages that otherwise qualify backports criteria but we want in backports before it hits testing (transitions, freeze, backports-new or NEW blocking security update of a package in fasttrack).

Note: To avoid confusion with official backports, we are using -backports-staging suffix from bullseye.

ruby-marcel (1.0.1+dfsg-1~bpo11+1) bullseye-backports-staging; urgency=medium

  * Rebuild for bullseye-backports-staging.

 -- Pirate Praveen <praveen@debian.org>  Mon, 10 May 2021 15:26:41 +0530

rails (2:6.0.3.1+dfsg-1~bpo10+1) buster-backports; urgency=medium

  * Rebuild for fasttrack/buster-backports.

 -- Pirate Praveen <praveen@debian.org>  Sun, 31 May 2020 20:28:43 +0530

Once it qualifies for official backports, it should be uploaded to official backports. Once it is accepted into official backports, it should be removed from fast track repo. Follow BuildingFormalBackports instructions to build these packages.

Building packages for fasttrack

  1. Create buster-fasttrack branch from the last release tag (Example: git checkout -b buster-fasttrack debian/1.1.2-1. Use git log for finding last uploaded tag).
  2. Add new changelog entry: run dch --bpo and modify version s/~bpo/~fto/ and s/backports/fasttrack/)
  3. Optional: Update minimum version of gem2deb to 1.3 (and mention it in changelog), if it is a arch:any ruby package.
  4. Optional: Lower debhelper-compat to 11 (and mention it in changelog), if it is an arch:any package
  5. Add tag gbp tag --debian-branch=buster-fasttrack
  6. Sample sbuild command for building packages targetting fasttrack (you will have to download fasttrack-archive-key.asc from fasttrack.debian.net).

sbuild -A -s --force-orig-source -c buster-amd64-sbuild \
--extra-repository='deb http://deb.debian.org/debian buster-backports main' \
--extra-repository='deb http://incoming.debian.org/debian-buildd buildd-buster-backports main' \
--extra-repository='deb http://fasttrack.debian.net/debian buster-backports main' \
--extra-repository='deb http://fasttrack.debian.net/debian buster-fasttrack main' \
--extra-repository-key=$HOME/fasttrack-archive-key.asc \
--build-dep-resolver=aptitude -d buster-fasttrack --no-run-lintian "$@"

You can also check this package with buster-fasttrack branch

Uploading to Fast Track

Add this to your ~/.dput.cf

[fasttrack]
fqdn                    = fasttrack.debian.net
incoming                = /pub/UploadQueue/
login                   = anonymous
allow_dcut              = 1
method                  = ftp
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

$ dput fasttrack gitlab_11.11.8+dfsg-1~fto10+1_amd64.changes

Note: Source only uploads are not supported at this time. Help is welcome to setup a buildd instance.

For FastTrack Admins

DAK documentation

  • dak setup - Documentation for managing suites, granting permissions, accepting packages etc Note: Adding a new OpenPGP key to upload-keyring.gpg requires root.

Please note that dak's documentation is not up-to-date. (dak has switched to python3 and dependencies are not documented)

fasttrack-team maintains a "federated" branch of dak https://salsa.debian.org/fasttrack-team/dak/-/tree/federated to allow binaries without source in the fasttrack dak instance (but for which source is present in upstream/official debian repos). See https://salsa.debian.org/fasttrack-team/support/-/issues/8 for why.

The federated branch is meant to be kept up-to-date with the upstream dak master.

Upgrading dak

git pull
# apt install new-dependencies
dak update-db

SSH upload

Add this to ~/.dput.cf for ssh upload (for unreliable connections)

[fasttrack-ssh]
login   = root
# login = another_username
fqdn    = fasttrack.debian.net
method  = sftp
incoming        = /srv/dak/queue/unchecked/
allow_dcut      = 1
# Please, upload your package to the proper archive
# http://fasttrack.debian.net
allowed_distributions   = (?!UNRELEASED|.*-security)

Accept packages

dak process-upload -d /srv/dak/queue/unchecked # SSH uploads
dak process-upload -d /srv/ftp/pub/UploadQueue/ # anonymous ftp uploads
dak process-new
dak process-policy new
dak generate-packages-sources2
dak generate-release

Remove Packages

We should remove packages from buster-backports suite when they are accepted into official archive.

dak rm -s buster-backports -C <email> <package name>

Mention 'Accepted into official buster I backports' as reason.

dak dominate
dak clean-suites
dak generate-packages-sources2
dak generate-release

Modifying Suite Configurations

To instruct package manager to assign priorities as defined here for a suite, do

dak admin s-cfg set <suite-name> notautomatic=True butautomaticupgrades=True

The changes will be reflected in the release file when release for the suite are generated on the next try. With the above option package manager will assign a priority of 100 for the packages from the release.

Add new architecture

Example for adding armhf for buster-fasttrack

$ dak admin architecture add armhf "Arm Hard Float Port"
$ dak admin suite-architecture add buster-fasttrack armhf
$ dak init-dirs

Add new OpenPGP keys for upload access

Download the keys on your local machine,

First find the OpenPGP keyid using wkd

$ gpg --locate-keys email@domain.tld # if they have setup wkd - see https://wiki.gnupg.org/WKD

or from keys.openpgp.org

$ gpg --search email@domain.tld # if the key is also available in keys.openpg.org, take keyid and download from keyring.debian.org

Or from https://salsa.debian.org/debian-keyring/keyring/-/blob/master/keyids

And download keys from keyring.debian.org

$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid
$ gpg --export --armor 0xF34F09744E9F5DD9 >name.key.asc
$ scp name.key.asc root@fasttrack.debian.net:keys

On fasttrack server,

# ~/keys# gpg --no-default-keyring --keyring /srv/dak/keyrings/upload-keyring.gpg --import name.key.asc
# su - dak
$ dak import-keyring -U '%s' /srv/dak/keyrings/upload-keyring.gpg

Server Configuration

ufw

Allow all outgoing traffic

Block all incoming traffic

Open tcp ports 21 open for ftp.

Open few ports in the range 100xx to 10xxx for passive mode.

Open 80,443 port for http and https

ssh

Disable authentication via password for openssh-server

Add PasswordAuthentication no to /etc/ssh/sshd_config

nginx-http

Return 404 for files that shouldn't be publicly served

vsftpd

Set the following options in /etc/vsftpd.conf

anon_upload_enable=YES # Enables anonymous upload

write_enable=YES # Enables write to be permitted

pasv_enable=YES # Enables passive mode for ftp 

pasv_max_port=xxxxx

pasv_min_port=xxxxx

local_enable=NO # Disables login using local account in the server

The passive mode requires a small range of tcp ports (you can chose 10 as a range value) to be enabled. The pasv_max_port value should be greater than pasv_min_port value for the range to be proper.