Comment: Document pkg-security-team repository
Revision 26 as of 2021-11-16 00:49:09
Line 2: | Line 2: |
<<TableOfContents>> |
|
Line 8: | Line 10: |
* NOTE: If you want to be part of this Salsa team, you have to request it on the mailing list (see below). If you have some prior packaging experience, your request will be quickly processed. Otherwise, please contribute first (see "Get involved"). | |
Line 19: | Line 22: |
* Samuel Henrique is responsible for maintaining the page which has info about [[https://wiki.debian.org/Teams/pkg-security/kali-packages|kali packages and what lacks for them to be added to debian]] | * Samuel Henrique is owner on salsa.debian.org |
Line 25: | Line 28: |
== Get involved == | == How to join the team == === Introduce yourself === Subscribe to our mailing list and ideally send a short introductory message presenting you and letting us know on what you'd like to work. If you have any questions at this stage, use this opportunity to ask your questions. You can also ask your questions on the IRC channel if you prefer. === Find something to contribute === If you don't exactly know where to start, here are a few suggestions, sorted by increasing difficulty: |
Line 30: | Line 41: |
* <<Icon(star_on.png)>><<Icon(star_on.png)>><<Icon(star_on.png)>> Package new security related tools (the Kali bug tracker is [[https://bugs.kali.org/search.php?project_id=1&category=New%20Tool%20Requests&status_id[]=10&status_id[]=20&status_id[]=30&status_id[]=40&status_id[]=50&sticky_issues=on&sortby=last_updated&dir=DESC&hide_status_id=-2&match_type=0|full of suggestions]], please package something only if you use the tool or if it provides some interesting features not covered by existing packages) | * <<Icon(star_on.png)>><<Icon(star_on.png)>><<Icon(star_on.png)>> Package new security related tools (the Kali bug tracker is [[https://bugs.kali.org/search.php?project_id=1&category_id[]=New%20Tool%20Requests&category_id[]=Queued%20Tool%20Addition&status[]=10&status[]=20&status[]=30&status[]=40&status[]=50&sticky=on&sort=last_updated&dir=DESC&hide_status=-2&match_type=0|full of suggestions]], please package something only if you use the tool or if it provides some interesting features not covered by existing packages) In most cases, you will have to submit merge requests to submit the result of your work. For entirely new packages, you can prepare the git repositories in your own account and then ask some team admin to copy them in the team's group. Or you can ask a team member to create the repository for you in the pkg-security-team group and then grant you access to this repository only. === Get commit rights === After you have done a few good contributions to the team, you probably want to have git commit rights to be able to push your work directly without having to submit merge requests. If you are in this situation, please send a mail to the mailing list and give your salsa.debian.org username, one of the team administrators will add you as developer either to the pkg-security-team group or directly to the project where you are involved. |
Line 36: | Line 57: |
You can easily config "mr" to retrieve all repositories of the team: | You can retrieve all repositories of the team: |
Line 38: | Line 60: |
$ sudo apt install mr | $ sudo apt install myrepos $ mr bootstrap https://salsa.debian.org/pkg-security-team/pkg-security-team/raw/master/mrconfig pkg-security-team }}} Or you can do the same with the helper script provided in the pkg-security-team repository: {{{ $ sudo apt install myrepos |
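Review bot: The added `$ mr bootstrap` line tells the reader to fetch an mrconfig from a URL and act on it, without saying what that implies: mrconfig entries are shell commands that mr runs during checkout. Suggest one sentence stating this, and pointing readers who want to read the file first at the clone-and-inspect route introduced right after it.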
Line 49: | Line 78: |
We use [[http://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.html|git-buildpackage]] with full sources stored in the repository and with pristine-tar to be able to retrieve the orig tarball out of the git repository. We strive to respect [[https://dep-team.pages.debian.net/deps/dep14/|DEP-14|]] for the repository layout so the default branch should be "debian/master". | We use [[http://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.html|git-buildpackage]] with full sources stored in the repository and with pristine-tar to be able to retrieve the orig tarball out of the git repository. We strive to respect [[https://dep-team.pages.debian.net/deps/dep14/|DEP-14]] for the repository layout so the default branch should be "debian/master". |
Line 64: | Line 93: |
debian-branch = debian/master | |
Line 75: | Line 105: |
{{{#!wiki note '''NOTE:''' This file is created automatically for you when you run bin/auto-update from the [[https://salsa.debian.org/pkg-security-team/pkg-security-team|pkg-security-team repository]]. }}} === Salsa-ci === * Create the file debian/salsa-ci.yml with the following content: {{{ --- include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml }}} {{{#!wiki note '''NOTE:''' This file is created automatically for you when you run bin/auto-update from the [[https://salsa.debian.org/pkg-security-team/pkg-security-team|pkg-security-team repository]]. }}} * Then enable it by going to the Salsa interface "Settings -> CI / CD" * Expand "General Pipelines" and set "Custom CI config path" to "debian/salsa-ci.yml" * Leave the rest as it is and "Save Changes" {{{#!wiki note '''NOTE:''' Those settings can be applied by running `bin/update-repos $repository_name` from the [[https://salsa.debian.org/pkg-security-team/pkg-security-team|pkg-security-team repository]]. }}} |
|
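Review bot: Both `include:` URLs in the new debian/salsa-ci.yml point at `raw/master`, so each pipeline run uses whatever the salsa-ci-team pipeline repository has at the tip of master at that moment. If that is intended, say so in the text so a reader who needs a reproducible CI definition knows it is not pinned. The hunk also now carries the "This file is created automatically" NOTE twice; naming the file each one refers to would remove the ambiguity.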
Line 77: | Line 134: |
[[https://salsa.debian.org/groups/pkg-security-team/-/group_members|Salsa team's masters and owners]] can create new repositories. If you don't have the required permissions, feel free to ask for a new repository on the project mailing list. Someone will set it up for you and grant you full access to it. | [[https://salsa.debian.org/groups/pkg-security-team/-/group_members|Salsa team's maintainers and owners]] can create new repositories. If you don't have the required permissions, feel free to ask for a new repository on the project mailing list. Someone will set it up for you and grant you full access to it. |
Line 82: | Line 139: |
* on the same page, click on "Irker (IRC gateway)" and enable it with the following settings: * Active: checked * Trigger: Push * Server host: ruprecht.snow-crash.org * Server port: (leave empty for default value) * Default IRC URI: ircs://irc.oftc.net:6697/ * Recipients: #debian-pkg-security * Colorize messages: checked * again on the same page, add a new webhook by filling the form in the following way: |
* Open the page "Settings > Webhooks", add a new webhook by filling the form in the following way: * URL: `http://kgb.debian.net:9418/webhook/?channel=debian-pkg-security&use_irc_notices=1&squash_threshold=5&pipeline_only_status=failure` * Check the following events: * Push Events * Tag Push Events * Issues Events * Note Events * Merge Requests Events * Pipeline Events * Wiki Page Events * Enable SSL verification: checked * All other entries: unchecked * On the same page, add another webhook by filling the form in the following way: |
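Review bot: The KGB webhook URL added here starts with `http://kgb.debian.net:9418/webhook/` while the same list says "Enable SSL verification: checked"; with a plain-HTTP URL there is no TLS session to verify, so the checkbox has no effect and the event payloads travel unencrypted. Either state that in the text or switch the URL to an HTTPS endpoint if the KGB service provides one.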
Line 93: | Line 154: |
* Enable SSL verification: checked | * Enable SSL verification: checked |
Line 96: | Line 157: |
{{{#!wiki note | |
Line 97: | Line 159: |
}}} | |
Line 105: | Line 168: |
{{{#!wiki note '''NOTE:''' This changes is made automatically for you when you run bin/auto-update from the [[https://salsa.debian.org/pkg-security-team/pkg-security-team|pkg-security-team repository]]. }}} |
Debian Security Tools Packaging Team (pkg-security)
Infrastructure
Package tracker team: https://tracker.debian.org/teams/pkg-security/
- NOTE: Join this team to get the maintainer emails for all our packages.
Git repositories: https://salsa.debian.org/pkg-security-team
- NOTE: If you want to be part of this Salsa team, you have to request it on the mailing list (see below). If you have some prior packaging experience, your request will be quickly processed. Otherwise, please contribute first (see "Get involved").
Interacting with the team
Mailing list: debian-security-tools@lists.debian.org (subscription page)
Public IRC channel: #debian-pkg-security on irc.debian.org (OFTC)
Usual roles
- RaphaelHertzog is owner on salsa.debian.org
- Gianfranco Costamagna is owner on salsa.debian.org
- Mika Prokop is owner on salsa.debian.org
- Samuel Henrique is owner on salsa.debian.org
Task description
Correctly maintain all security-related tools. Merge back tools packaged by security-oriented Debian derivatives.
How to join the team
Introduce yourself
Subscribe to our mailing list and ideally send a short introductory message introducing yourself and letting us know what you'd like to work on. If you have any questions at this stage, use this opportunity to ask them. You can also ask your questions on the IRC channel if you prefer.
Find something to contribute
If you don't exactly know where to start, here are a few suggestions, sorted by increasing difficulty:
- Prepare a patch for a bug on a team-maintained package.
- Write autopkgtests for any of our packages.
- Import a Kali package and clean it up so that we can upload it to Debian. You can also have a look at the page Samuel maintains to check for the work needed on a given Kali package.
- Package new security-related tools (the Kali bug tracker is full of suggestions; please package something only if you use the tool or if it provides some interesting features not covered by existing packages).
In most cases, you will have to submit merge requests to contribute the result of your work.
For entirely new packages, you can prepare the git repositories in your own account and then ask a team admin to copy them into the team's group. Or you can ask a team member to create the repository for you in the pkg-security-team group and then grant you access to this repository only.
Get commit rights
After you have done a few good contributions to the team, you probably want to have git commit rights to be able to push your work directly without having to submit merge requests.
If you are in this situation, please send a mail to the mailing list and give your salsa.debian.org username. One of the team administrators will add you as developer either to the pkg-security-team group or directly to the project where you are involved.
Packaging rules
Checking out all repositories
You can retrieve all repositories of the team:
$ sudo apt install myrepos
$ mr bootstrap https://salsa.debian.org/pkg-security-team/pkg-security-team/raw/master/mrconfig pkg-security-team
Or you can do the same with the helper script provided in the pkg-security-team repository:
$ sudo apt install myrepos
$ git clone git@salsa.debian.org:pkg-security-team/pkg-security-team.git
$ cd pkg-security-team
$ bin/setup-team-repos
[...]
That repository also contains other helper scripts to create a new repository and to enforce common settings across all projects of the team.
Git packaging tool and repository layout
We use git-buildpackage with full sources stored in the repository and with pristine-tar to be able to retrieve the orig tarball out of the git repository. We strive to respect DEP-14 for the repository layout so the default branch should be "debian/master".
For a better experience you might want to set the following options in ~/.gbp.conf:
[DEFAULT]
pristine-tar = True
cleaner = /bin/true

[buildpackage]
sign-tags = True
export-dir = ../build-area/
ignore-branch = True

[import-orig]
filter-pristine-tar = True
debian-branch = debian/master

[pq]
patch-numbers = False

[dch]
multimaint-merge = True
ignore-branch = True
The "ignore-branch" setting is important so that git-buildpackage doesn't complain about the unexpected name of the packaging branch. The "export-dir" setting ensures builds are done on a separate copy of the sources, which avoids polluting or breaking the git repository with build artifacts.
NOTE: This file is created automatically for you when you run bin/auto-update from the pkg-security-team repository.
Salsa-ci
- Create the file debian/salsa-ci.yml with the following content:
---
include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
NOTE: This file is created automatically for you when you run bin/auto-update from the pkg-security-team repository.
- Then enable it by going to the Salsa interface "Settings -> CI / CD"
- Expand "General Pipelines" and set "Custom CI config path" to "debian/salsa-ci.yml"
- Leave the rest as it is and "Save Changes"
NOTE: Those settings can be applied by running bin/update-repos $repository_name from the pkg-security-team repository.
Creating new repositories
Salsa team's maintainers and owners can create new repositories. If you don't have the required permissions, feel free to ask for a new repository on the project mailing list. Someone will set it up for you and grant you full access to it.
When you create a new repository, you should configure it in the following way:
- Open the page "Settings > Integration", click on "Emails on push" and configure the project to send git commit notices to dispatch@tracker.debian.org
- Open the page "Settings > Webhooks" and add a new webhook by filling in the form as follows:
  - URL: http://kgb.debian.net:9418/webhook/?channel=debian-pkg-security&use_irc_notices=1&squash_threshold=5&pipeline_only_status=failure
  - Check the following events:
    - Push Events
    - Tag Push Events
    - Issues Events
    - Note Events
    - Merge Requests Events
    - Pipeline Events
    - Wiki Page Events
  - Enable SSL verification: checked
  - All other entries: unchecked
- On the same page, add another webhook by filling in the form as follows:
  - URL: https://webhook.salsa.debian.org/tagpending/<sourcepackage> (replace <sourcepackage> by the name of the source package)
  - Push events: checked
  - Enable SSL verification: checked
  - All other entries: unchecked
All this can be automated with "bin/create-repo" or "bin/update-repos" from the pkg-security-team project.
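To check that an existing repository still matches the webhook settings listed above, the following added example (not one of the pkg-security-team helper scripts) compares a project's hooks with the documented values. It assumes hook objects shaped like the GitLab project hooks API response; the package name "foo" and the sample data are constructed.

```python
# Added example: audit webhooks against the settings documented above.
# Assumes hook dicts shaped like GitLab's project hooks API; data is constructed.
EVENT_FIELDS = [
    "push_events", "tag_push_events", "issues_events", "note_events",
    "merge_requests_events", "pipeline_events", "wiki_page_events",
    "confidential_issues_events", "job_events", "releases_events",
]
KGB_URL = ("http://kgb.debian.net:9418/webhook/?channel=debian-pkg-security"
           "&use_irc_notices=1&squash_threshold=5&pipeline_only_status=failure")
KGB_EVENTS = set(EVENT_FIELDS[:7])  # the seven events the page says to check


def expected_hooks(source_package):
    """Map each documented webhook URL to the events it should have checked."""
    tagpending = f"https://webhook.salsa.debian.org/tagpending/{source_package}"
    return {KGB_URL: KGB_EVENTS, tagpending: {"push_events"}}


def audit_hooks(hooks, source_package):
    """Return a list of findings; an empty list means no drift."""
    findings = []
    by_url = {h["url"]: h for h in hooks}
    wanted = expected_hooks(source_package)
    for url, events in wanted.items():
        hook = by_url.get(url)
        if hook is None:
            findings.append(f"missing webhook: {url}")
            continue
        enabled = {f for f in EVENT_FIELDS if hook.get(f)}
        for field in sorted(enabled ^ events):
            want = "checked" if field in events else "unchecked"
            findings.append(f"{url}: {field} should be {want}")
        if not hook.get("enable_ssl_verification"):
            findings.append(f"{url}: SSL verification should be checked")
    for url in sorted(set(by_url) - set(wanted)):
        findings.append(f"undocumented webhook: {url}")
    return findings


# Constructed sample: the KGB hook lacks wiki_page_events and has job_events
# set; the tagpending hook for the hypothetical package "foo" is absent.
SAMPLE = [{**dict.fromkeys(EVENT_FIELDS[:6] + ["job_events"], True),
           "url": KGB_URL, "enable_ssl_verification": True}]

if __name__ == "__main__":
    for line in audit_hooks(SAMPLE, "foo"):
        print(line)
```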
Packaging helper
We use the "dh" command provided by debhelper to ensure we have short but expressive debian/rules files.
Maintainer field
The Maintainer field should be set to Debian Security Tools <team+pkg-security@tracker.debian.org>. That way the package will be automatically added to the pkg-security team on tracker.debian.org and the discussion mailing list is not polluted with bug reports and all other maintainer emails.
NOTE: This change is made automatically for you when you run bin/auto-update from the pkg-security-team repository.