Creating a secure debian repository

Debian apt repositories can be built in many ways, and they are really easy to set up. To demonstrate, we will create a simple meta-package, so we have something to put in the repository. This will also show how easy it is to build meta-packages in Debian.

Creating a meta-package

We will be creating a meta-package today, because this is one of the simplest kinds of package to create, and it can be extremely useful for installing a bunch of other packages. I want to create a package I can install that will let me communicate in the modern world. I think I’ll call it “danny-talkfoo”.

I create my packages in ~/packages/sources, so I will create a new folder in there for my new meta-package. A package directory contains a folder named DEBIAN, which holds the package's metadata and customizations. For our danny-talkfoo package, we only need a single file, ~/packages/sources/danny-talkfoo/DEBIAN/control. These are the contents of my control file:

Package: danny-talkfoo
Version: 0.1
Section: main
Priority: optional
Architecture: all
Depends: irssi, irssi-fish, mutt, mutt-patched, muttprint, gnupg
Maintainer: Daniel Bond
Description: A metapackage for Dannys usual communication tools (irc, mail)
 This package includes the mailclient mutt with some addons, gnupg for
 email encryption, and irssi for Internet Relay Chat

And that's it. The important points here are:

  • Depends – Lists the packages this package requires. This is what makes our meta-package do anything when installed.
  • Long description – Note how the description lines after the first are prefixed with a single space; that marks them as the long package description.
  • Version – If you change the package, increase the version, so people using it will see the updates.

To create the package, simply type the following commands:

# cd ~/packages/sources
# dpkg -b danny-talkfoo
dpkg-deb: building package `danny-talkfoo' in `danny-talkfoo.deb'.

Cool, that was easy! Let’s continue to creating our own repository.

Creating a repository

I presume that you are familiar with GNU Privacy Guard (GnuPG/GPG). Apt repositories are normally signed with GnuPG, so that clients can verify the package provider. Strictly speaking, it is not necessary to sign your repository with GPG, but it is very good practice, and apt will complain if you don’t.

The GnuPG commands you need to know are:

Once you have created the key you want to sign packages with, you will need the following packages to create the repository:

  • lighttpd
  • reprepro

In your ~/packages directory, create the following folders:

# mkdir repo
# cd repo
# mkdir conf incoming

Ok, you are doing well! Good job! :-) We need to configure reprepro so that it understands our setup. Create the following configuration file in ~/packages/repo/conf/distributions:

Origin: http://www.danielbond.org
Label: Bond's apt repository
Suite: stable
Codename: lenny
Architectures: amd64 i386
Components: main
Description: A selection of meta-packages, free to use, without charge!
SignWith: your-gpg-identity@yourdomain.org

If you want to host several Debian releases, copy and paste this entry in the distributions file, and change the Codename of each entry to the appropriate value.

Populating the repository

For now we will just be adding the simple package we created earlier. Reprepro maintains database files recording what it has indexed in the repository, so make sure to use the reprepro interface for all maintenance (removing or replacing files, for example) to keep your repository healthy. To add the package, type:

# cd ~/packages
# reprepro -b ./repo includedeb lenny ./sources/danny-talkfoo.deb
 exporting indicies...
#

Reprepro has now populated ~/packages/repo/dists and ~/packages/repo/pool with files for us to publish in our repository. We can now create a network apt mirror, using FTP, HTTP, etc. I will just be using a simple webserver, lighttpd, but any old webserver would do.
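
Before publishing, it is worth checking the chain that makes the repository verifiable: Release.gpg signs Release, and Release records the hash and size of every Packages index. The script below is an added example, not part of the original post; the file names verify-repo.sh and repo-keyring.gpg are assumptions, and it assumes your reprepro version writes a "SHA256:" section into Release.

```shell
#!/bin/sh
# Added example: check the trust chain of a reprepro-built repository.
# Assumes dists/<codename>/Release lists indexes in a "SHA256:" section and
# that sha256sum and gpgv are installed.

# Print "<sha256> <size>" as recorded in Release for one index path.
release_entry() {    # $1 = Release file, $2 = e.g. main/binary-amd64/Packages
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }
        /^[^ ]/    { in_sec = 0 }
        in_sec && $3 == want { print $1, $2; exit }
    ' "$1"
}

# Return 0 if the index on disk matches Release, 1 on mismatch, 2 if absent.
check_index() {      # $1 = dists/<codename> directory, $2 = index path
    entry=$(release_entry "$1/Release" "$2")
    [ -n "$entry" ] || { echo "not listed in Release: $2" >&2; return 2; }
    [ -f "$1/$2" ]  || { echo "missing on disk: $2" >&2; return 2; }
    actual="$(sha256sum "$1/$2" | cut -d' ' -f1) $(wc -c < "$1/$2" | tr -d ' ')"
    [ "$entry" = "$actual" ] || { echo "MISMATCH: $2" >&2; return 1; }
}

# Return 0 only if Release.gpg is a valid signature made by a key in $2.
# $2 must be a binary keyring given with a path, e.g. created with:
#   gpg --export your-gpg-identity@yourdomain.org > ./repo-keyring.gpg
check_signature() {  # $1 = dists/<codename> directory, $2 = keyring file
    gpgv --keyring "$2" "$1/Release.gpg" "$1/Release"
}

# Signature first, then every Packages index that Release lists.
verify_dist() {      # $1 = dists/<codename> directory, $2 = keyring file
    check_signature "$1" "$2" || return 1
    for idx in $(awk '/^SHA256:/{s=1;next} /^[^ ]/{s=0} s && $3 ~ /Packages$/{print $3}' "$1/Release"); do
        check_index "$1" "$idx" || return 1
    done
}

# Usage: sh verify-repo.sh ~/packages/repo/dists/lenny ./repo-keyring.gpg
if [ "$#" -eq 2 ]; then
    verify_dist "$1" "$2"
fi
```

A non-zero exit means either the signature did not verify or an index was changed after reprepro exported it, which is what happens when files under dists are edited by hand.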

Publishing the repository with Lighty

# cd /var/www && rm /var/www/index.lighttpd.html
# ln -s /home/db/packages/repo/dists/
# ln -s /home/db/packages/repo/pool/
# if ! grep -q dir-listing.show-header /etc/lighttpd/lighttpd.conf
    then echo "dir-listing.show-header = \"enable\"" >> /etc/lighttpd/lighttpd.conf
 fi
# /etc/init.d/lighttpd reload
# cat << EOF > /var/www/HEADER.txt
> Danny debian packages
> =====================
>
> The GPG key can be imported from http://keys.yourdomain.com/mainrepo.gpg.
> EOF
# gpg --export -a "your-gpg-identity@yourdomain.org" > /var/www/mainrepo.gpg

Now you can add your repository to apt!

Posted in Debian.
