deb Package Build Manual

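COS Standard Software Source Build Manual

1. apt-get, the Advanced Package Tool

1.1 Basic package concepts

The tens of thousands of official packages in each Debian release are maintained by volunteers around the world. They name and build packages according to the Debian Policy Manual and declare the dependencies between packages; packages then pass through a strict testing process and bug-tracking system before they progressively enter the unstable, testing and finally stable releases. For users this means that when a package is installed and it depends on or conflicts with other packages, apt reports this and lets the user decide whether to go ahead and install the dependencies, remove the conflicting packages, or abandon the installation, instead of being left helpless by a report that some particular file is missing.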

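Debian packages are named as follows:

_.deb

The package name is globally unique, and versions follow a strict ordering in which the string of a newer version compares greater than that of an older one, so comparing version strings is enough to tell which of two versions of the same package is newer.

Information in an Ubuntu deb package: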

Package: adduser

Priority: required

Section: admin

Installed-Size: 644

Maintainer: Ubuntu Core Developers

Original-Maintainer: Debian Adduser Developers

Architecture: all

Version: 3.113+nmu3ubuntu1

Replaces: manpages-it (<< 0.3.4-2), manpages-pl (<= 20051117-1)

Depends: perl-base (>= 5.6.0), passwd (>= 1:4.0.12), debconf | debconf-2.0

Recommends: ecryptfs-utils (>= 67-1)

Suggests: liblocale-gettext-perl, perl-modules

Filename: pool/main/a/adduser/adduser_3.113+nmu3ubuntu1_all.deb

Size: 168208

MD5sum: cfe970d660989b837e4ff9eca70c2421

SHA1: 597e4cabbb7cb7a40c42aaa2402fe1fe960e2d07

SHA256: 5a3be5248004b1f7d835aaa57ecc88f88450527fc47fca19515e4ef4d2630197

Description: add and remove users and groups

Multi-Arch: foreign

Homepage: http://alioth.debian.org/projects/adduser/

Description-md5: 7965b5cd83972a254552a570bcd32c93

Bugs: https://bugs.launchpad.net/ubuntu/+filebug

Origin: Ubuntu

Supported: 9m

Task: minimal

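The important fields in this listing are introduced below.

1.1.1 Debian package priorities (Priority)

Debian package priorities are:

Required

Packages with priority required are necessary for the system to run properly; without them the system cannot work.

Important

Packages at this priority are tools needed almost every day. Any Unix system should have them, and experienced Linux and Unix users would find their absence unacceptable, but packages at this priority must not be too large.

Standard

This priority covers the packages installed by default. They do not have to work only in text mode, but they must be small enough and useful.

Optional

This priority includes many of the larger tools. Anything that is useful to users and has no harmful effect on the system can go here. Packages at this priority are not allowed to conflict with each other.

Extra

All remaining packages are extra. They may conflict with, or duplicate the function of, other packages (including those at other priorities), so they are normally installed only when the user knows what they are for.

With these importance levels combined with classification by purpose, Debian packages are very well organized. When software is packaged, the maintainer states not only the package's own priority but also its relationships to other packages. These relationships determine how installing, removing or upgrading a package affects the surrounding packages and the system as a whole, and what corresponding actions should be taken.

The Priority in the adduser package information is required.

1.1.2 Debian package relationships

Debian package relationships include:

Dependency

The package depends on or needs another package, or a particular version of it, to some degree.

depends

The package depends on another package and cannot work without it.

recommends

Not strictly required, but installing the other package is strongly recommended; otherwise this package loses many important features.

suggests

Packages suggested for installation. Installing them provides additional functionality, but the package is usable without them.

enhances

This package enhances the functionality of the listed packages. It is the counterpart of suggests and is relatively rare.

pre-depends

A special, stronger form of dependency. A package missing one of its depends packages can still be unpacked, although its installation scripts cannot run successfully; a package missing one of its pre-depends packages cannot even be unpacked.

Conflict

conflict

The package cannot coexist with another package or with particular versions of it.

Provides

provide

The package contains several other packages.

Replaces

replace

Provides the same files and functionality; the packages named in replace will be overwritten.

The dependency information in the adduser package is as follows: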

Replaces: manpages-it (<< 0.3.4-2), manpages-pl (<= 20051117-1)

Depends: perl-base (>= 5.6.0), passwd (>= 1:4.0.12), debconf | debconf-2.0

Recommends: ecryptfs-utils (>= 67-1)

Suggests: liblocale-gettext-perl, perl-modules
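Version constraints such as `passwd (>= 1:4.0.12)` are evaluated with Debian's own ordering (epoch first, digit runs compared as numbers, `~` sorting before everything), which gives different answers from a byte-wise string compare. The following Python sketch is an added example, not part of the original manual: it implements that ordering and checks the adduser Depends line above against a constructed table of installed versions (the table and the function names are assumptions; Provides and architecture qualifiers are not modelled).

```python
import re

def _order(c):
    """dpkg character weight: '~' first, then end-of-part/digits, letters, other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using the dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _order(a[i] if i < len(a) else "")
            wb = _order(b[j] if j < len(b) else "")
            if wa != wb:
                return wa - wb
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so 10 sorts after 9.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return na - nb
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, colon, rest = v.partition(":")
    if not colon:
        epoch, rest = "0", v
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return <0, 0 or >0 as version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

OPS = {"<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">=": lambda c: c >= 0, ">>": lambda c: c > 0}
DEP_RE = re.compile(
    r"^\s*([a-z0-9][a-z0-9+.-]*)\s*(?:\(\s*(<<|<=|>=|>>|=)\s*([^\s)]+)\s*\))?\s*$")

def unmet_depends(field, installed):
    """Return the clauses of a Depends-style field that `installed` does not satisfy."""
    unmet = []
    for clause in field.split(","):
        satisfied = False
        for alternative in clause.split("|"):   # "a | b": either one is enough
            m = DEP_RE.match(alternative)
            if not m:
                raise ValueError(f"cannot parse relation: {alternative!r}")
            name, op, wanted = m.groups()
            have = installed.get(name)
            if have is not None and (op is None or OPS[op](compare_versions(have, wanted))):
                satisfied = True
                break
        if not satisfied:
            unmet.append(clause.strip())
    return unmet

# Depends line copied from the adduser listing on this page.
ADDUSER_DEPENDS = "perl-base (>= 5.6.0), passwd (>= 1:4.0.12), debconf | debconf-2.0"
# Constructed installed-package table; the passwd version deliberately lacks its epoch.
INSTALLED = {"perl-base": "5.14.2-21", "passwd": "4.1.5.1-1ubuntu4",
             "debconf": "1.5.49ubuntu1"}

if __name__ == "__main__":
    print(unmet_depends(ADDUSER_DEPENDS, INSTALLED))
```

A plain string compare would accept the epoch-less passwd version and reject perl-base 5.14.2, the opposite of what dpkg decides.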

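1.2 apt package management

1.2.1 Updating the list of available packages

APT uses a file that lists the addresses of the mirror sites from which packages can be obtained: /etc/apt/sources.list

Entries in the file normally have the following format: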

deb http://host/debian distribution section1 section2 section3

deb-src http://host/debian distribution section1 section2 section3

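Ubuntu uses the same format as Debian, but the terms differ:

deb http://host/ubuntu codename component1 component2 component3

deb-src http://host/ubuntu codename component1 component2 component3

The package management system uses a private database to track the current state of the packages in the lists: installed, not installed, or available for installation. apt-get uses this database to work out how to install the packages the user asks for, together with the other related packages they need in order to run.

Run apt-get update to refresh the database lists.

This command scans the package list files at the locations given in /etc/apt/sources.list.

The user can also switch software sources by editing /etc/apt/sources.list; in China, for example, NetEase (163) and Sohu both host official source mirrors.

An Ubuntu 13.04 mirror source looks like this: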

deb http://mirrors.163.com/ubuntu/ raring main universe restricted multiverse

deb-src http://mirrors.163.com/ubuntu/ raring main universe restricted multiverse

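1.2.2 Installing packages

With sources.list prepared and the list of available packages up to date, all you need to do is run apt-get to install the software you want: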

apt-get install nautilus

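APT scans its database for the newest version of the package and downloads it to the local machine from the location given in sources.list. If the package needs other packages in order to run, APT checks the dependencies and installs the required packages automatically, as shown below: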

$ apt-get install nautilus

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following extra packages will be installed:

       bonobo libmedusa0 libnautilus0

     The following NEW packages will be installed:

       bonobo libmedusa0 libnautilus0 nautilus

     0 packages upgraded, 4 newly installed, 0 to remove and 1 not upgraded.

     Need to get 8329kB of archives. After unpacking 17.2MB will be used.

     Do you want to continue? [Y/n]

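The nautilus package needs shared libraries, so APT downloads them from the mirror. If you name those shared libraries yourself on the apt-get command line, APT does not ask whether to continue; it assumes you want to install all of those packages. In other words, APT only prompts for confirmation when it is going to install packages that were not named on the command line.

Options related to apt-get

-h

This help text

-d

Download only; do not install or unpack archives

-f

Attempt to continue even if the integrity check fails

-s

No action; perform an ordering simulation only

-y

Assume Yes to all questions and do not prompt

-u

Also show the list of packages that will be upgraded

Several packages can be installed with a single command. Package files are downloaded from the network into the local directory /var/cache/apt/archives and installed afterwards.

The same command line can also remove a named package: append a "-" directly to the package name, as shown below: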

$ apt-get install nautilus gnome-panel-      

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following extra packages will be installed:

       bonobo libmedusa0 libnautilus0

     The following packages will be REMOVED:

       gnome-applets gnome-panel gnome-panel-data gnome-session

     The following NEW packages will be installed:

       bonobo libmedusa0 libnautilus0 nautilus

     0 packages upgraded, 4 newly installed, 4 to remove and 1  not upgraded.

     Need to get 8329kB of archives. After unpacking 2594kB will be used.

     Do you want to continue? [Y/n]

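If you have accidentally damaged an installed package and want to repair it, or simply want to reinstall the latest version of some files in a package, you can use the --reinstall option as follows: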

$ apt-get --reinstall install gdm

     Reading Package Lists... Done

     Building Dependency Tree... Done

     0 packages upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 1  not upgraded.

     Need to get 0B/182kB of archives. After unpacking 0B will be used.

     Do you want to continue? [Y/n]

 

1.2.3 Removing packages

If you no longer use certain packages, APT can remove them from the system. To remove a package, simply enter apt-get remove package, as shown below:

$ apt-get remove gnome-panel

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following packages will be REMOVED:

       gnome-applets gnome-panel gnome-panel-data gnome-session

     0 packages upgraded, 0 newly installed, 4 to remove and 1  not upgraded.

     Need to get 0B of archives. After unpacking 14.6MB will be freed.

     Do you want to continue? [Y/n]

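As this example shows, APT takes care of the packages that depend on the one being removed: removing a package with APT also removes the packages that depend on it.

In the example above apt-get removes the named package and the packages that depend on it, but their configuration files, if any, are left intact on the system. To remove the packages together with their configuration files, run: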

$ apt-get --purge remove gnome-panel

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following packages will be REMOVED:

       gnome-applets* gnome-panel* gnome-panel-data* gnome-session*

     0 packages upgraded, 0 newly installed, 4 to remove and 1  not upgraded.

     Need to get 0B of archives. After unpacking 14.6MB will be freed.

     Do you want to continue? [Y/n]

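Note: the * after a package name means that all of that package's configuration files will be removed as well.

Just as with install, you can use a symbol with remove to install a particular package instead. When removing packages, a "+" appended directly to a package name causes that package to be installed rather than removed.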

$ apt-get --purge remove gnome-panel nautilus+

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following extra packages will be installed:

       bonobo libmedusa0 libnautilus0 nautilus

     The following packages will be REMOVED:

       gnome-applets* gnome-panel* gnome-panel-data* gnome-session*

     The following NEW packages will be installed:

       bonobo libmedusa0 libnautilus0 nautilus

     0 packages upgraded, 4 newly installed, 4 to remove and 1  not upgraded.

     Need to get 8329kB of archives. After unpacking 2594kB will be used.

     Do you want to continue? [Y/n]

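Note that apt-get lists the extra packages that will be installed (the other packages needed for the package to run properly) and the related packages that will be removed, and then lists again the packages that will be installed (including the extra ones).

1.2.4 Upgrading packages

Package upgrades are APT's greatest success. A single command does the job: apt-get upgrade. You can use it to upgrade packages within the same release, and also to upgrade to a new release, although the recommended command for the latter is apt-get dist-upgrade.

Running the command with the -u option is useful: it makes APT show the complete list of packages that will be upgraded. Without it you upgrade blindly. APT downloads the latest version of each package and installs them in a sensible order. Remember to run apt-get update to refresh the database before running this command. See the following example: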

$ apt-get -u upgrade

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following packages have been kept back

       cpp gcc lilo

     The following packages will be upgraded

       adduser ae apt autoconf debhelper dpkg-dev esound esound-common ftp indent

       ipchains isapnptools libaudiofile-dev libaudiofile0 libesd0 libesd0-dev

       libgtk1.2 libgtk1.2-dev liblockfile1 libnewt0 liborbit-dev liborbit0

       libstdc++2.10-glibc2.2 libtiff3g libtiff3g-dev modconf orbit procps psmisc

     29 packages upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

     Need to get 5055B/5055kB of archives. After unpacking 1161kB will be used.

     Do you want to continue? [Y/n]

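The whole process is very simple. Note that in the first lines of this example apt-get reports that some packages have been kept back, meaning that newer versions of these packages could not be installed for some reason. Possible reasons are dependencies that are out of sync (a newer version of a required package is not yet available for download) or extended dependencies (new packages must be installed to go with the new version).

There is no good solution for the first cause. For the second, running apt-get install for the new packages that are needed is enough. An even better solution is to use dist-upgrade.

1.2.5 Cleaning up unused package files

When a package is installed, APT downloads the required files from the hosts listed in /etc/apt/sources.list, saves them in the local repository /var/cache/apt/archives/, and then starts the installation.

The local repository keeps growing and takes up a lot of disk space. Fortunately APT provides tools to manage it: the clean and autoclean methods of apt-get.

apt-get clean deletes everything except the lock files from /var/cache/apt/archives and /var/cache/apt/archives/partial. When the user needs to install a package again, APT downloads the deb again.

apt-get autoclean deletes only the files that will not need to be downloaded again.

The following example shows how apt-get autoclean works: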

$ ls /var/cache/apt/archives/logrotate* /var/cache/apt/archives/gpm*

     logrotate_3.5.9-7_i386.deb

     logrotate_3.5.9-8_i386.deb

     gpm_1.19.6-11_i386.deb

The /var/cache/apt/archives directory contains two different versions of the logrotate package file and one gpm package file.

$ apt-show-versions -p logrotate

     logrotate/stable uptodate 3.5.9-8

$ apt-show-versions -p gpm

     gpm/stable upgradeable from 1.19.6-11 to 1.19.6-12

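apt-show-versions shows that logrotate_3.5.9-8_i386.deb provides the up-to-date version of logrotate, so logrotate_3.5.9-7_i386.deb is no longer useful; likewise gpm_1.19.6-11_i386.deb is no longer useful, because a newer version of that package can be downloaded.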

$ apt-get autoclean

     Reading Package Lists... Done

     Building Dependency Tree... Done

     Del gpm 1.19.6-11 [145kB]

     Del logrotate 3.5.9-7 [26.5kB]

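1.2.6 Setting apt priorities (preferences)

When you want apt to prefer a particular version of a package, or a particular software source, you can set a default release and assign priorities to package versions or to specific sources by editing the /etc/apt/preferences file.

To set the default release, add the following property to /etc/apt/apt.conf: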

APT::Default-Release "version";

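For Debian, version is stable, unstable or testing; for Ubuntu it is raring and so on. The system then prefers to download and use packages from the default release.

apt priorities are set in the file /etc/apt/preferences: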

     Package:

     Pin:

     Pin-Priority:

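Each entry must be separated from the others by a blank line. For example, suppose the sylpheed package has been modified to add a "reply-to-list" feature and its version is 0.4.99. To keep these modifications from being replaced by an upgrade, add: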

     Package: sylpheed

     Pin: version 0.4.99*

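Note the * (asterisk) used here. It is a wildcard meaning that all versions beginning with 0.4.99 are held back, so that they are not downloaded and installed on the system. Pin applies to the updated packages on the server, not to the packages installed locally. Because Debian uses "Debian revision numbers", the * keeps packages such as 0.4.99-1 or 0.4.99-10 from being installed.

The Pin priority helps determine whether a package matching the "Package:" and "Pin:" lines should be installed. When the priority is higher, the matching package will be installed.

The meanings of the different apt preferences levels are as follows:

P >= 1000

Once installed, the package is never replaced by apt; a package at this priority even replaces a higher version that was installed earlier.

990 <= P < 1000

The package is replaced only by the newest version, not by a higher version from the default release.

500 <= P < 990

The package is replaced only by the newest version or by a higher version from the default release.

100 <= P < 500

A higher version from any release can replace it, but the current version is still preferred over lower versions.

0 < P < 100

A higher version from any release can replace it; it is used only when no other version of the package can be installed.

P < 0

A negative priority prevents the package from being installed.

When setting priorities, you can also change the Pin release properties to get the software you want.

The release option depends on the Release file in the APT repository or on the system CD. If the APT repository you use does not provide this file, the repository parameters cannot be used.

The contents of a Release file can be seen in /var/lib/apt/lists/: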

$ cat /var/lib/apt/lists/ftp.debian.org.br_debian_dists_potato_main_binary-i386_Release

 Archive: stable

     Version: 2.2r3

     Component: main

     Origin: Debian

     Label: Debian

     Architecture: i386

The release parameters correspond to the fields as follows:

a = archive

c = component

v = version

o = origin

l = label

n = codename (this parameter is in Ubuntu's Release file; for version 13.04 it is raring)

Example of changing the Pin parameters:

     Package: *

     Pin: release v=2.2*,a=stable,c=main,o=Debian,l=Debian

     Pin-Priority: 1001

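In this example we select Debian version 2.2* (which can be 2.2r2 or 2.2r3; these point releases usually contain security fixes and other important updates), the stable archive, the main component (as opposed to contrib or non-free), and Debian as both origin and label. origin (o=) defines who produced the Release file, and label (l=) defines the name of the distribution.

By changing these parameters you decide which sources are preferred. Linux Mint, for example, gives its own sources a higher priority than Ubuntu's, so that system updates install the Mint packages.

1.2.7 apt query tools

For queries, you can use the related tools that APT provides.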

apt-cache search package

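Searches for the package you are looking for.

apt-cache show package

Shows detailed information about the package and a full description of what it does. If the package is already installed and the system also finds a newer version, the details of both are listed.

apt-cache showpkg package

Shows general information about a package.

apt-cache depends package

Shows the dependencies of a package.

apt-cache showsrc package

Shows all information about a source package.

apt-show-versions

Tells you which packages on the system can be upgraded.

apt-file search filename

Finds the name of a package from the file name of a program or of some file the package contains; it also lists uninstalled packages that contain the file.

apt-file list package

Lists the contents of a package.

apt-file update

Updates the package information database. apt-file uses a database holding the contents of all packages and, as with auto-apt, this database needs to be kept up to date.

After each package is installed, a changelog.Debian.gz file is placed in its documentation directory (/usr/share/doc/packagename). By reading this file you can find out what the latest update of the package changed on the system. A tool that does this for you is apt-listchanges.

You first need to install the apt-listchanges package. Once it is installed, every time apt downloads packages (whether from the Internet, a CD or a hard disk) it shows the update information for those packages.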

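1.2.8 Working with source packages in apt

In the free software world you often need to study source code or debug a program, so you need to download source packages.

APT provides a simple way to obtain the source code of the many programs in a release, together with all the files needed to create a .deb.

To do so, first edit the deb-src entries in /etc/apt/sources.list so that they point to a mirror as shown in 1.2.1; deb-src entries give the addresses of the sites from which source packages are downloaded.

Then download the source package with the following command: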

$ apt-get source packagename

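This usually downloads three files: a .orig.tar.gz, a .dsc and a .diff.gz.

The apt-get download command, by contrast, downloads the deb package without installing it.

dpkg-source uses the information in the .dsc file to unpack the source package into the packagename-version directory. The downloaded source package contains a debian/ directory holding the files needed to create the .deb package.

To have the downloaded source package compiled into a binary package automatically, add -b to the command line: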

$ apt-get -b source packagename

If you do not want to create the .deb immediately after downloading, you can create it later with the following command:

$ dpkg-buildpackage -rfakeroot -uc -b

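This command must be run in the directory created for the package after the download. A package built this way can only be installed directly with the package manager, for example: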

$ dpkg -i file.deb

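The source command of apt-get differs from its other commands in that an ordinary user can run it. The files are downloaded into the directory the user was in when apt-get source package was called.

Compiling a source package usually requires certain header files and shared libraries. The control file of every source package has a "Build-Depends:" field naming the additional packages needed to build it.

APT provides a simple way to download these additional packages: just run apt-get build-dep package, where "package" is the name of the source package you intend to build. For example: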

$ apt-get build-dep gmc

     Reading Package Lists... Done

     Building Dependency Tree... Done

     The following NEW packages will be installed:

       comerr-dev e2fslibs-dev gdk-imlib-dev imlib-progs libgnome-dev libgnorba-dev

       libgpmg1-dev

     0 packages upgraded, 7 newly installed, 0 to remove and 1  not upgraded.

     Need to get 1069kB of archives. After unpacking 3514kB will be used.

     Do you want to continue? [Y/n]

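Note: the packages to be installed are the ones needed to build gmc correctly. Note also that this command cannot be used to search for the source package of a piece of software.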


 

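2. apt software source tools

2.1 Structure of a software repository

Every APT-type repository has a specific structure, dictated by how the apt package management tools work. The repository directory tree contains two directories, dists and pool:

dists stores the information about the binary packages and about the source packages

pool stores all the deb package files and source package files in alphabetical order

The detailed directory structure is described with the reprepro configuration properties, when the repository is created.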

 

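2.2 Creating a local source mirror with apt-mirror

If you do not want to use the official software sources (they are hosted abroad and are slow), then besides changing the addresses in sources.list to a mirror in China such as NetEase or Sohu, you can download and configure the official sources yourself, locally or on a local server, to improve efficiency.

2.2.1 The apt-mirror tool

apt-mirror downloads an official mirror to the local machine and keeps the directory structure identical, but it cannot modify the mirrored repository. To download a mirror and modify it you need the reprepro tool, introduced in the next section.

First install apt-mirror:

sudo apt-get install apt-mirror

After apt-mirror is installed, edit the configuration file /etc/apt/mirror.list as follows: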

############# config ##################

#

# set base_path    /var/spool/apt-mirror

#

# set mirror_path  $base_path/mirror

# set skel_path    $base_path/skel

# set var_path     $base_path/var

# set cleanscript $var_path/clean.sh

# set defaultarch 

# set postmirror_script $var_path/postmirror.sh

# set run_postmirror 0

set nthreads     20

set _tilde 0

#

############# end config ##############

 

deb http://packages.linuxmint.com olivia main upstream import 

deb http://archive.ubuntu.com/ubuntu raring main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu raring-updates main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu/ raring-security main restricted universe multiverse

deb http://archive.canonical.com/ubuntu/ raring partner

 

deb-src http://packages.linuxmint.com olivia main upstream import 

deb-src http://archive.ubuntu.com/ubuntu raring main restricted universe multiverse

deb-src http://archive.ubuntu.com/ubuntu raring-updates main restricted universe multiverse

deb-src http://security.ubuntu.com/ubuntu/ raring-security main restricted universe multiverse

deb-src http://archive.canonical.com/ubuntu/ raring partner

 

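The config block holds the settings used when downloading the mirror; the defaults are generally fine. Below it, add the addresses of the official sources you want to download. By default the packages downloaded match the 32-bit or 64-bit architecture of the user's operating system, but you can specify it after deb: adding i386 downloads the 32-bit packages and amd64 the 64-bit packages.

After editing, run sudo apt-mirror. The command starts 20 threads to download from the source addresses listed; when it finishes, /var/spool/apt-mirror contains all the required deb packages, source packages and the corresponding apt configuration files.

To synchronize with the official sources later, run apt-mirror again and the updates are downloaded.

2.2.2 Serving the local mirror over the network

After apt-mirror has downloaded the official sources, a network service is needed before they can be used. The apache2 server is chosen because it is very efficient and stable at serving static files.

sudo apt-get install apache2

Once installed, apache2 uses /var/www/ as the web root by default. cd into /var/www/ and run:

ln /var/spool/apt-mirror/mirror/xxxxxx -s

This creates a symbolic link that links the downloaded mirror into apache2's www directory. You can create several symbolic links, one for each mirror downloaded.

Then start the apache2 server. The relevant apache2 commands are:

sudo apache2ctl start/restart/stop/status

These commands manage the apache2 server. Once it has been started with sudo apache2ctl start, it can serve the software sources.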

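2.3 Creating a local software repository with reprepro

2.3.1 Directory structure of a reprepro repository

Unlike apt-mirror, reprepro is a tool for creating the user's own local apt repository; it can store .deb, .udeb, .dsc files and so on. Because the package management data and checksum files are stored in a libdb4.3 database (or libdb4.4 or libdb3, depending on how reprepro was compiled), reprepro needs no database server.

Before creating a repository with reprepro, here is the directory structure of an apt repository created by reprepro, taking as the example Cos3 from the Cos software source customization manual, which is used to build the base system:

The first directory level after the URL is the root directory of a repository (the name is arbitrary). Here there are four repositories: canonical, mint, security and ubuntu, as shown in the figure below:

Taking ubuntu as the example: the ubuntu directory contains four directories, conf, db, dists and pool, as shown in the figure below:

conf holds the configuration of the reprepro repository (it must be hidden in a formally published source). It contains two configuration files, distributions and options: distributions configures the directory structure properties of the whole repository, and options configures operational behaviour.

The db directory holds the repository's configuration data, generated automatically once the reprepro properties have been configured (it must be hidden when publishing).

The dists directory is the repository's index directory, generated automatically from the properties configured in distributions. The first-level directories raring and raring-updates are the codenames (repository codenames) from the configuration.

raring mainly contains four directories, main, multiverse, restricted and universe, which are the components from the configuration.

main: completely free software.

restricted: software that is not completely free.

universe: not supported or patched officially by Ubuntu; relies entirely on community support.

multiverse: non-free software, with no support or patches at all.

The Release file stores the MD5 checksums of all the Packages, Sources and Release files in each component and is used to ensure data integrity; Release.gpg is the signature file for Release. The security mechanism is described in part 3.

Taking main among the components as the example, it contains two directories, binary-i386 and source, which are the Architectures from the configuration: binary-i386 stores the information for 32-bit packages and source stores the information for source packages.

In the binary-i386 directory, Packages is the file storing the deb package information, and Packages.gz is the compressed file downloaded by apt-get update.

The deb information contained in Packages is as follows:

The pool directory is where the deb package and source package files are actually stored, classified by component and then sorted alphabetically.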

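2.3.2 Creating a local repository with reprepro

1) Install the reprepro repository tool

sudo apt-get install reprepro

2) Create the Cos repository

First create the Cos root directory: /var/spool/apt-mirror/mirror/cos

Then create the directory under the Cos root that will hold the reprepro repository:

/var/spool/apt-mirror/mirror/cos/ubuntu; this repository stores the rebuilt Ubuntu software.

Under ubuntu/, create the conf directory /var/spool/apt-mirror/mirror/cos/ubuntu/conf

In the conf directory create the two configuration files distributions and options:

ubuntu/conf/distributions and options

The distributions configuration is as follows: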

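Origin: Cos   # origin

Label: Cos    # label

Suite: raring   # suite

Version: 1.0    # version

Codename: raring    # repository codename

Architectures: i386 source   # repository architectures (32-bit, 64-bit, source)

Components: main restricted universe multiverse   # component categories for the software stored in the repository

Description: Cos 1.0 Ubuntu Raring 13.04       # description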

SignWith:

 

Origin: Cos

Label: Cos

Suite: raring-updates

Version: 1.0

Codename: raring-updates  # repository codename

Architectures: i386 source

Components: main restricted universe multiverse

Description: Cos 1.0 Ubuntu Raring Updates 13.04

SignWith:

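These properties have the same meaning as the Release file properties introduced in 1.2.6. The values configured here appear in the Release file once the repository has been generated, and the properties used when setting source priorities relate directly to this configuration, so this file must be free of errors.

distributions configures two repositories, raring and raring-updates. Both live under the ubuntu directory, but they are two independent repositories. When adding or removing packages, check the Codename and make sure whether the name is raring or raring-updates before carrying out the operation.

Other reprepro properties: see the reprepro documentation in the appendix.

The options file, located at ubuntu/conf/options, contains: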

verbose

ask-passphrase

basedir .    (note the space followed by the dot)

 

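With the configuration complete the repository still does not exist: deb packages must be added to each repository to finish its initialization (how to add them is described later). After initialization, the repository automatically generates the corresponding directory structure.

2.3.3 Signing the repository

To guarantee integrity when apt transfers data, the packages need to be signed. The security mechanism is described in part 3, Debian's security mechanisms.

1) Generate the key needed for signing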

sudo apt-get install gnupg-agent

gpg --gen-key

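You are then asked to set the size and validity period of the key. The key used officially by Debian is valid for one year and is replaced after a year for the sake of security.

The configuration also asks for a user name and a passphrase; the passphrase is needed later when signing.

After the key has been generated, note the ID of the generated public key; the key ID is needed when signing.

Once the key exists, its users can also be changed, added or removed.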

gpg --list-keys

Lists all gpg keys on the system.

gpg --export -a 6A9E1B52 > key.pub

Exports the public key with key ID 6A9E1B52 to the file key.pub. The publisher needs to make this file available for users to download.

sudo apt-key add key.pub

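Users need to download this public key, key.pub, and add it to the system keyring before they can download and use the files in this repository.

2) Sign the deb packages

Install the gpg key tool and the dpkg-sig signing tool: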

sudo apt-get install dpkg-sig

The command to sign a package is:

dpkg-sig -k keyid --sign builder /your_packages__.deb

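keyid is the ID of the public key generated earlier; --sign builder is followed by the full path to the deb and the deb package itself.

You also need to enter the passphrase set when the key was generated. The -p option signs packages in a batch, so the passphrase only has to be entered once.

2.3.4 Managing a reprepro repository

1) Add a deb to the repository

reprepro -Vb . -C components -p priority includedeb codename /home/download/*.deb

Note: codename is the repository codename, for example raring, raring-updates, olivia and so on.

-v

verbose

Print more status information while running

-b

basedir

The location of the repository root directory

/var/spool/apt-mirror/mirror/cos/ubuntu

For the current directory use: -b, a space, a dot, then a space

-C

component

The category within the repository: main, restricted, universe, multiverse and so on

-A

architecture

The repository architecture: i386, source

-p

priority

The package priority, for example required; described in detail in 1.1.1

For more reprepro commands and options see the reprepro documentation in the appendix.

2) Add a dsc to the repository

reprepro -vb . -C main includedsc olivia /*.dsc

This operation automatically adds the dsc file and the source package files related to it.

3) Remove software from the repository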

reprepro -vb . remove raring adduser

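No version number is required here; the package name alone is enough.

4) Query the repository for package information

reprepro -vb . list raring adduser

The local repository is now complete and supports adding, removing and querying.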

 

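2.4 Creating a mirror of the official sources with reprepro

reprepro is a full-featured tool: it can also download and configure a mirror of the official sources, and the mirror can then be modified with reprepro commands. This lets you use the official mirror while adding your own customized software to the same repository.

Taking the Ubuntu raring repository as the example, here is the distributions file in the repository's conf directory.

/conf/distributions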

Origin: Ubuntu

Label: Ubuntu

Suite: raring

Version: 13.04

Codename: raring

Architectures: i386 source

Components: main restricted universe multiverse

Description: Ubuntu Raring 13.04

Contents: .gz

Update: - ubuntu-raring

Log: /var/spool/cos_repos/cos4/ubuntu/log/raring.log

SignWith: 4AB24B30

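The main addition here is the Update property, which links to the update configuration file updates in conf; the Log property records which changes the user has made to the source repository.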

/conf/updates

Name: ubuntu-raring

Method: http://archive.ubuntu.com/ubuntu

Components: main multiverse restricted universe

Suite: raring

Architectures: i386 source

VerifyRelease: 3B4FE6ACC0B21F32

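The Name property must be identical to the Update value in distributions for the two to be linked.

The Method property is the address of the official source to download from. It must point to the ubuntu directory, the level directly above dists and pool (do not append a trailing /).

The Components property selects which components of the official source to download. The Components and Architectures properties in distributions must be kept consistent with those in updates.

The Architectures property selects whether to download i386 or amd64, and whether to download the source packages (source).

VerifyRelease is the 16-digit GPG public key ID obtained from the official source (a key ID is usually 8 digits); it is used to verify the integrity of the Release file. If this property is missing, a prompt says that the software source is not authenticated and asks whether to continue downloading.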
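The consistency rules above can be checked before reprepro is run. The following Python sketch is an added example, not part of the original manual and not reprepro's own validation: it parses conf/distributions and conf/updates and reports an Update value with no matching Name, Components or Architectures that differ, a missing or 8-digit VerifyRelease, and an empty SignWith. The sample stanzas are constructed from the ones on this page, and the function names are assumptions.

```python
import re

def parse_stanzas(text):
    """Split a reprepro conf file into a list of {field: value} dicts, one per stanza."""
    stanzas = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line.lstrip().startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            # Drop trailing "# ..." annotations such as the ones used in section 2.3.2.
            fields[key.strip()] = value.split("#", 1)[0].strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def lint(distributions_text, updates_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    rules = {rule.get("Name"): rule for rule in parse_stanzas(updates_text)}
    for dist in parse_stanzas(distributions_text):
        code = dist.get("Codename", "?")
        if not dist.get("SignWith"):
            findings.append(f"{code}: SignWith has no key ID")
        for ref in dist.get("Update", "").split():
            if ref == "-":   # the token this page's Update lines place before the rule name
                continue
            rule = rules.get(ref)
            if rule is None:
                findings.append(f"{code}: no updates rule named {ref}")
                continue
            for field in ("Components", "Architectures"):
                if set(rule.get(field, "").split()) != set(dist.get(field, "").split()):
                    findings.append(f"{code}: {field} differ from updates rule {ref}")
            key = rule.get("VerifyRelease", "")
            if not key:
                findings.append(f"{code}: rule {ref} has no VerifyRelease")
            elif not re.fullmatch(r"[0-9A-Fa-f]{16,40}", key):
                findings.append(f"{code}: VerifyRelease {key} in rule {ref} "
                                "is not a 16-digit key ID or longer fingerprint")
    return findings

# Constructed from the raring stanzas shown in this section.
GOOD_DISTRIBUTIONS = """\
Codename: raring
Architectures: i386 source
Components: main restricted universe multiverse
Update: - ubuntu-raring
SignWith: 4AB24B30
"""
GOOD_UPDATES = """\
Name: ubuntu-raring
Method: http://archive.ubuntu.com/ubuntu
Components: main multiverse restricted universe
Suite: raring
Architectures: i386 source
VerifyRelease: 3B4FE6ACC0B21F32
"""
# Constructed broken variants: empty SignWith, fewer components, 8-digit key ID,
# and an Update value that matches no Name.
BAD_DISTRIBUTIONS = """\
Codename: raring
Architectures: i386 source
Components: main restricted universe multiverse
Update: - ubuntu-raring
SignWith:

Codename: raring-updates
Architectures: i386 source
Components: main restricted universe multiverse
Update: - ubuntu-raring-update
SignWith: 4AB24B30
"""
BAD_UPDATES = GOOD_UPDATES.replace("main multiverse restricted universe", "main restricted") \
                          .replace("3B4FE6ACC0B21F32", "C0B21F32")

if __name__ == "__main__":
    for finding in lint(BAD_DISTRIBUTIONS, BAD_UPDATES):
        print(finding)
```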

The 16-digit public key ID is obtained as follows:

First download Release.gpg and Release:

cd /tmp

wget http://archive.ubuntu.com/ubuntu/dists/raring/Release.gpg

wget http://archive.ubuntu.com/ubuntu/dists/raring/Release

Then obtain the public key ID from the Release file. It is 8 digits long, and sometimes two IDs are returned:

gpg Release.gpg #:

enter the name of data file:Release

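Then query a gpg keyserver for the 16-digit public key ID. If the 8-digit key ID is already known and is confirmed to be the one that signed the Release file, the previous two steps can be skipped and the query made directly: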

gpg --keyserver subkeys.pgp.net --search-keys C0B21F32

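After the key is found, enter "1" and press Enter to obtain the 16-digit public key ID: 3B4FE6ACC0B21F32.

The following command shows the information for this 16-digit key: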

gpg --with-colons --list-key

sub:-:2048:16:251BEFF479164387:2004-09-12::::::e:

pub:-:4096:1:3B4FE6ACC0B21F32:2012-05-11:::-:Ubuntu Archive Automatic Signing Key (2012) ::scSC:

3B4FE6ACC0B21F32 is the value of the VerifyRelease property in the updates file configured for reprepro above.

To add this key to the apt keyring, enter:

gpg --keyserver subkeys.pgp.net --recv 9AA38DCD55BE302B

gpg --export --armor 9AA38DCD55BE302B | apt-key add -

Finally, once all the properties in the configuration files are set, run the following in the repository's main directory, ubuntu:

reprepro -V update

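reprepro downloads the Ubuntu raring repository to the local machine and keeps the repository's original Release file; any reprepro operation the user performs is saved to a new Release file.

When the official repository has new updates, the same command can be run again to update the local mirror. It compares against the file list, so packages already downloaded are not downloaded again, only the new ones. However, all previous modifications made with reprepro are overwritten, and files such as Release and Packages are all regenerated, so update with caution.

If you no longer want to update and prefer to use your own packages, you can modify the repository with reprepro's add and remove commands. This way packages you have compiled and built yourself can replace the official packages in your own repository; the replacements are recorded in the corresponding log.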


 

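3. Debian's security mechanisms

3.1 The Debian security build process

Debian has a security team of five members and two secretaries that handles security issues in the stable release. Handling security issues means that they track problems found in software (following forums such as bugtraq or vuln-dev) and determine whether the stable release is affected. Once the security team accepts a possible problem, it is investigated to determine whether stable is affected and, if so, a fix is made on the basis of the source code. The fix sometimes includes a backport of a patch made upstream (which is usually several versions ahead of what Debian ships). After the fix has been tested, new packages are prepared and published on security.debian.org so that they can be fetched with apt. At the same time a Debian Security Advisory (DSA) is published on the web site and sent to mailing lists including debian-security-announce and bugtraq.

A Debian Security Advisory generally contains:

·  the version number of the affected software

·  the type of problem

·  whether it is exploitable remotely or locally

·  a short description of the package

·  a description of the problem

·  a description of the attack

·  a description of the fix

Packages are uploaded by the security team (to security.debian.org:/org/security.debian.org/queue/unchecked or ftp://security.debian.org/pub/SecurityUploadQueue, where they are handled within fifteen minutes of the upload); after that they are added to the autobuild list (this is not a daily run). Packages can therefore be built automatically for every platform within thirty minutes to an hour of being uploaded. Security updates, however, differ slightly from the uploads made by regular maintainers: in some cases, before publication, it is necessary to wait for further testing or a test report, or to wait a week or longer, to avoid conflicting with the fix made by the software's original developers.

A security update goes through the following steps:

·  Someone discovers a security problem.

·  Someone fixes the problem and uploads the fix to the incoming area of security.debian.org (this someone is usually a member of the security team, but can also be a package maintainer who has previously been in contact with the security team). The changelog names the target release, testing-security or stable-security.

·  The upload is checked and processed by a Debian system, then moved to queue/accepted and announced to the builds. These files are accessible to the security team and (indirectly) to the builds.

·  Security-enabled builds pick up the source package, build it, and send the logs to the security team.

·  The security team responds to the logs, and the newly built packages are uploaded to queue/unchecked, where they are processed by a Debian system and then moved to queue/accepted.

·  When the security team finds the source package acceptable (that is, it builds correctly on all platforms and fixes the security hole without introducing new problems), they run a script that:

o   installs the package into the security archive

o   updates the package and source indexes and the release files on security.debian.org in the usual way (dpkg-scanpackages, dpkg-scansources...)

o   sets up the template advisory for the security team to complete

o   forwards the package to the corresponding proposed-updates so that it can enter the real archive as soon as possible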

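3.2 Package signing in Debian repositories

The package signing mechanism is an important part of Debian's security infrastructure. It prevents someone from maliciously tampering with the packages on a mirror and protects packages against man-in-the-middle attacks while they are downloaded; it can be understood as the way to upgrade and update a Debian system securely. Debian itself does not provide signed packages, but since Debian 4.0 (codename etch) it has provided a mechanism that lets system administrators check the integrity of the packages downloaded in this way; the tool is apt 0.6 and later.

The package signature checking scheme currently used by Debian:

1)  The Release file stores the MD5 checksum of the Packages.gz file (Packages.gz stores the MD5 checksums of the individual packages), and the Release file is then signed, producing Release.gpg. The signature must come from a reliable source.

2)  When 'apt-get update' is run, the signed Release file is downloaded and stored together with the Packages.gz file.

3)  When the user is about to install a package, the package is first downloaded and its MD5 checksum is computed.

4)  After confirming that the signature on the Release file is correct, the MD5 checksum of Packages.gz is extracted from the Release file, and the MD5 checksum of the package to be downloaded is then extracted from Packages.gz.

5)  Only if the MD5 checksum of the downloaded package matches the one in Packages.gz is the package installed. Otherwise the package is still placed in the cache and a warning is raised, leaving the administrator to decide whether to install it. If the package is not in Packages.gz at all and the administrator has configured the system to install only checked packages, it is not installed either.

Through these MD5 checksum steps apt can verify that a package comes from the specified release. Although this is less flexible than signing each package individually, it is compatible with aptitude and synaptic. apt uses gpg to sign files and check signatures. apt-key is the tool that manages the keyring for apt (the keyring is stored in /etc/apt/trusted.gpg); it is used to list, add and remove the keys in the keyring.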

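3.3 How the Distribution Release check works

1)  Release file checksums

A Debian archive contains a Release file, which must be updated every time any package in the archive changes. The Release file can also include SHA1 and SHA256 checksums, which are used when the MD5 check has been broken. An excerpt from a sample Release file: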

     MD5Sum:

      6b05b392f792ba5a436d590c129de21f            3453 Packages

      1356479a23edda7a69f24eb8d6f4a14b            1131 Packages.gz

      2a5167881adc9ad1a8864f281b1eb959            1715 Sources

      88de3533bf6e054d1799f8e49b6aed8b             658 Sources.gz

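In the Packages file every package has its own MD5 checksum. When a package is downloaded individually, the downloaded package is likewise compared against the checksum in the Packages file. The two checksums make it possible to verify that your downloaded copy of the Packages file matches the one listed in the Release file. For example: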

Package: uqm

     Priority: optional

     …

     Filename: unstable/uqm_0.4.0-1_i386.deb

     Size: 580558

     MD5sum: 864ec6157c1eea88acfef44d0f34d219
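The check sequence from 3.2, followed link by link from Release to Packages to the downloaded .deb, is shown in the following Python sketch. It is an added example, not part of the original manual and not apt's code; it assumes the signature on Release has already been verified, and the Release, Packages and .deb contents are constructed inside the script. It checks SHA256 by default and the MD5Sum section on request, since the Release file may carry both.

```python
import hashlib

# Release section name -> (field name used in Packages, hash constructor)
ALGOS = {"MD5Sum": ("MD5sum", hashlib.md5), "SHA256": ("SHA256", hashlib.sha256)}

def parse_release_hashes(release_text):
    """Return {section: {filename: (hexdigest, size)}} for the checksum sections."""
    sections, current = {}, None
    for line in release_text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                 # " <digest> <size> <name>" entry
            if current is not None:
                digest, size, name = line.split()
                current[name] = (digest.lower(), int(size))
        else:                                 # a new top-level field
            key = line.split(":", 1)[0]
            current = sections.setdefault(key, {}) if key in ALGOS else None
    return sections

def parse_packages(index_text):
    """Return {package name: {field: value}} from a Packages index."""
    packages = {}
    for block in index_text.strip().split("\n\n"):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and last:   # continuation of a multi-line field
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages

def verify_chain(release_text, index_name, index_bytes, package, deb_bytes, algo="SHA256"):
    """Return 'ok', or a message naming the first link of the chain that fails."""
    field, new_hash = ALGOS[algo]
    listed = parse_release_hashes(release_text).get(algo, {})
    if index_name not in listed:
        return "index not listed in Release"
    digest, size = listed[index_name]
    if len(index_bytes) != size or new_hash(index_bytes).hexdigest() != digest:
        return "index does not match Release"
    stanza = parse_packages(index_bytes.decode("utf-8", "replace")).get(package)
    if stanza is None or field not in stanza:
        return "package not listed in index"
    if (int(stanza.get("Size", -1)) != len(deb_bytes)
            or new_hash(deb_bytes).hexdigest() != stanza[field].lower()):
        return "package does not match index"
    return "ok"

def build_sample():
    """Construct a consistent (Release text, Packages bytes, .deb bytes) triple."""
    deb = b"constructed stand-in for the bytes of uqm_0.4.0-1_i386.deb"
    index = (
        "Package: uqm\nPriority: optional\n"
        "Filename: unstable/uqm_0.4.0-1_i386.deb\n"
        f"Size: {len(deb)}\n"
        f"MD5sum: {hashlib.md5(deb).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(deb).hexdigest()}\n"
    ).encode()
    release = "Origin: Example\nSuite: unstable\n"
    for section, (_, new_hash) in ALGOS.items():
        release += f"{section}:\n {new_hash(index).hexdigest()} {len(index):>16} Packages\n"
    return release, index, deb

if __name__ == "__main__":
    release, index, deb = build_sample()
    print(verify_chain(release, "Packages", index, "uqm", deb))
    print(verify_chain(release, "Packages", index, "uqm", deb + b"tampered"))
```

Because every link is anchored in the signed Release file, rewriting the checksum inside Packages to match a modified .deb is caught one step earlier, at the Release comparison.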

Verifying the Release file

To verify the Release file, a gpg signature is created for it and stored in Release.gpg alongside the Release file. A Release.gpg file looks like this:

     -----BEGIN PGP SIGNATURE-----

 Version: GnuPG v1.4.1 (GNU/Linux)

    iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx

UBGPVc7jbHHsg78EhMBlV/U=

=x6og

     -----END PGP SIGNATURE-----

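2)  Checking Release.gpg with apt

When apt downloads the Release file it also downloads Release.gpg. If Release.gpg cannot be downloaded, or the signature is bad, apt issues a warning and treats all the files referred to by the Packages files that the Release file points to as coming from an untrusted source. An example of apt-get update in this situation: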

W: GPG error: http://ftp.us.debian.org testing Release: The following signatures

couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

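When debootstrap builds a Debian base system there is also a signed Release file mechanism, but the installer verifies the file itself.

3)  Telling apt what to trust

When checking signatures apt knows where the public keys are: it keeps and manages its own keyring (/etc/apt/trusted.gpg). By default a Debian system comes preconfigured with the Debian archive key, for example: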

         # apt-key list

     /etc/apt/trusted.gpg

     --------------------

     pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]

     uid    Debian Archive Automatic Signing Key (2005)

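To add another apt repository to /etc/apt/sources.list, you must also give apt the repository's key so that apt can trust it. Use the command apt-key add file to add a key.

4)  Downloading a repository's key

The debian-archive-keyring package distributes the Debian repository keys to apt. Upgrading this package can add or remove gpg keys for the main Debian archive. For other archives there is no agreed standard location where the key for a given apt repository can be found.

gpg itself has a standard way of distributing keys, namely keyservers: gpg can download a key from a keyserver and add it to its keyring. For example: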

     $ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F

     gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu

     gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006)

     aster@debian.org>" imported

     gpg: Total number processed: 1

     gpg:               imported: 1

The downloaded key can then be imported into apt's keyring:

  $ gpg -a --export 2D230C5F | sudo apt-key add -

     gpg: no ultimately trusted keys found

     OK

 

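3.4 Release checks for non-Debian sources

When using a non-Debian source, this situation can be kept from affecting apt by providing Release and Release.gpg files in the non-Debian source. The Release file can be generated with apt-ftparchive (provided in apt-utils 0.5.0 or later); the Release.gpg file is simply a detached signature.

These simple steps generate the two files: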

     $ rm -f dists/unstable/Release

     $ apt-ftparchive release dists/unstable > dists/unstable/Release

     $ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release

 


 

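4. Example: creating the Cos4 mirror repository with reprepro

Section 2.4 introduced how to download a mirror of the official sources with reprepro. The build steps are described in detail below, using Cos4 as the example.

4.1. Cos4 build plan

Cos4 first uses reprepro to download five official sources: raring and raring-updates of Ubuntu 13.04 (two sources), olivia of Mint 15, raring-security of security-ubuntu, and raring of canonical. After the download, reprepro commands (scripts) replace the packages (debs) of the official sources with the packages compiled and built for cos. Cos4 can be used to build the Cos base system and can also serve software downloads.

4.2. Cos4 build steps

4.2.1 Step 1: download the public keys of the official sources

Because ubuntu, security-ubuntu and canonical use the same public key, it is enough to download the Release and Release.gpg files of ubuntu.

Then download the Release and Release.gpg files of Linux Mint 15: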

cd /tmp

wget http://archive.ubuntu.com/ubuntu/dists/raring/Release.gpg

wget http://archive.ubuntu.com/ubuntu/dists/raring/Release

cd /tmp1

wget http://packages.linuxmint.com/dists/olivia/Release.gpg

wget http://packages.linuxmint.com/dists/olivia/Release

Then obtain the Ubuntu key ID and the Mint 15 key ID from the respective Release files:

gpg Release.gpg

Detached signature.

enter the name of data file:Release

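This gives two Ubuntu key IDs: 437D05B5 and C0B21F32. The first is an older signature, so we download the public key for the second key ID.

Mint 15 has only one key ID, 0FF405B2.

The next step is to obtain the Primary key fingerprint shown in the figure above; it is displayed here because the public key had already been downloaded. If no Primary key fingerprint is shown, query with the following command: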

gpg --keyserver subkeys.pgp.net --search-keys C0B21F32

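The query result is:

After the key is found, enter "1" and press Enter to fetch this public key:

The following command shows the information for this 16-digit key: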

gpg --with-colons --list-key

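The gpg list shows Ubuntu's 16-digit public key ID.

The Mint 15 public key is looked up in the same way as Ubuntu's; the Mint 15 key ID is 3EE67F3D0FF405B2.

The details are not repeated here.

Add the Ubuntu and Mint keys found above to the apt keyring by entering:

gpg --export --armor 3B4FE6ACC0B21F32 | sudo apt-key add -

gpg --export --armor 3EE67F3D0FF405B2 | sudo apt-key add -

The apt keyring now contains these two public keys.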

 

 

 

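4.2.2 Step 2: configure the property files and download the official sources

First create the cos4 root directory and, inside cos4, the four repository directories ubuntu, mint, security and canonical. In each of them create a conf directory and a log directory; then create the three files distributions, options and updates in conf, and in log create the log file that records each repository's log.

Directory structure: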

cos4/ubuntu/conf/distributions

cos4/ubuntu/conf/options

cos4/ubuntu/conf/updates

cos4/ubuntu/log/raring.log

cos4/ubuntu/log/raring-updates.log

cos4/mint/conf/distributions

cos4/mint/conf/options

cos4/mint/conf/updates

cos4/mint/log/mint-olivia.log

cos4/security/conf/distributions

cos4/security/conf/options

cos4/security/conf/updates

cos4/security/log/raring-security.log

cos4/canonical/conf/distributions

cos4/canonical/conf/options

cos4/canonical/conf/updates

cos4/canonical/log/canonical.log

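With the directories in place, edit the three files distributions, options and updates. Because the options file is configured identically for all repositories, it is not repeated below.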

 

cos4/ubuntu/conf/options

verbose

ask-passphrase

basedir .

 

 

cos4/ubuntu/conf/distributions

Origin: Ubuntu

Label: Ubuntu

Suite: raring

Version: 13.04

Codename: raring

Architectures: i386 source

Components: main restricted universe multiverse

Description: Ubuntu Raring 13.04

Contents: .gz

Update: - ubuntu-raring

Log: /var/spool/cos_repos/cos4/ubuntu/log/raring.log

SignWith: 4AB24B30

 

Origin: Ubuntu

Label: Ubuntu

Suite: raring-updates

Version: 13.04

Codename: raring-updates

Architectures: i386 source

Components: main restricted universe multiverse

Description: Ubuntu Raring 13.04

Contents: .gz

Update: - ubuntu-raring-updates

Log: /var/spool/cos_repos/cos4/ubuntu/log/raring-updates.log

SignWith: 4AB24B30

 

cos4/ubuntu/conf/updates

Name: ubuntu-raring

Method: http://archive.ubuntu.com/ubuntu

Components: main multiverse restricted universe

Suite: raring

Architectures: i386 source

VerifyRelease: 3B4FE6ACC0B21F32

 

Name: ubuntu-raring-updates

Method:  http://archive.ubuntu.com/ubuntu

Components: main multiverse restricted universe

Suite: raring-updates

Architectures: i386 source

VerifyRelease: 3B4FE6ACC0B21F32

 

cos4/mint/conf/distributions

Origin: Linuxmint

Label: Linuxmint

Suite: olivia

Version: 15

Codename: olivia

Architectures: i386 source

Components: main upstream import

Description: Linux Mint 15 repository

Contents: .gz

Update: - mint-olivia

Log: /var/spool/cos_repos/cos4/mint/log/mint-olivia.log

SignWith: 4AB24B30

 

cos4/mint/conf/updates

Name: mint-olivia

Method: http://packages.linuxmint.com/

Components: main upstream import

Suite: olivia

Architectures: i386 source

VerifyRelease: 3EE67F3D0FF405B2

 

cos4/security/conf/distributions

Origin: Ubuntu

Label: Ubuntu

Suite: raring-security

Version: 13.04

Codename: raring

Architectures: i386 source

Components: main restricted universe multiverse

Description: Ubuntu Raring Security

Contents: .gz

Update: - ubuntu-raring-security

Log: /var/spool/cos_repos/cos4/security/log/raring-security.log

SignWith: 4AB24B30

 

cos4/security/conf/updates

Name: ubuntu-raring-security

Method: http://security.ubuntu.com/ubuntu/

Components: main multiverse restricted universe

Suite: raring-security

Architectures: i386 source

VerifyRelease: 3B4FE6ACC0B21F32

 

cos4/canonical/conf/distributions

Origin: Canonical

Label: Partner archive

Suite: raring

Version: 13.04

Codename: raring

Architectures: i386 source

Components: partner

Description: Ubuntu Raring 13.04

Contents: .gz

Update: - canonical-ubuntu-raring

Log: /var/spool/cos_repos/cos4/canonical/log/canonical.log

SignWith: 4AB24B30

 

cos4/canonical/conf/updates

Name: canonical-ubuntu-raring

Method: http://archive.canonical.com/ubuntu/

Components: partner

Suite: raring

Architectures: i386 source

VerifyRelease: 3B4FE6ACC0B21F32

Once all the files are configured, run the update command:

reprepro -V update

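Reprepro downloads the official software repositories from the URLs recorded in the updates files into the local reprepro repository. After that, the repository can be modified with reprepro commands.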
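A check worth running before `reprepro -V update`, as an added example (not part of the original manual or of reprepro): every Method above is plain http, so the integrity of the mirror rests on VerifyRelease, and SignWith: 4AB24B30 is a 32-bit short key ID, which can be collided cheaply. The script parses the two file formats shown above and reports both kinds of gap. The "lab" paragraphs, the mirror.example.invalid URL and the `blindtrust` value (taken from reprepro's own manual, not from this page) are assumptions made for the illustration.

```python
"""Audit reprepro conf/distributions and conf/updates for signing gaps."""
import string

NO_SIGNWITH = "no SignWith: the exported Release file will be unsigned"
SHORT_KEY_ID = "SignWith is a short (32-bit) key ID: use the full fingerprint"
UNVERIFIED = "upstream Release signature is not verified (VerifyRelease)"
CLEARTEXT = UNVERIFIED + " and Method is cleartext"


def parse_stanzas(text):
    """Parse control-file paragraphs: 'Field: value', separated by empty lines."""
    stanzas, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                    # empty line ends a paragraph
            if current:
                stanzas.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):                # whole-line comment
            continue
        line = raw.split("#", 1)[0].rstrip()   # strip a trailing comment
        if not line.strip():
            continue
        if line[0] in " \t":                   # continuation of the previous field
            if last is not None:
                current[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def is_short_key_id(value):
    """True for a bare hex key ID of at most 8 digits."""
    hexpart = value[2:] if value.lower().startswith("0x") else value
    return 0 < len(hexpart) <= 8 and all(c in string.hexdigits for c in hexpart)


def audit(distributions_text, updates_text):
    """Return (subject, finding) tuples; an empty list means no gap was found."""
    findings, used = [], set()
    rules = {s["name"]: s for s in parse_stanzas(updates_text) if "name" in s}
    for dist in parse_stanzas(distributions_text):
        code = dist.get("codename", "<no Codename>")
        sign = dist.get("signwith", "")
        if not sign:
            findings.append((code, NO_SIGNWITH))
        elif is_short_key_id(sign):
            findings.append((code, SHORT_KEY_ID))
        for rule_name in dist.get("update", "").split():
            if rule_name == "-":               # marker token, not a rule name
                continue
            used.add(rule_name)
            if rule_name not in rules:
                findings.append(
                    (code, "Update rule %s is not defined in conf/updates" % rule_name))
    for name in sorted(used & rules.keys()):
        verify = rules[name].get("verifyrelease", "")
        method = rules[name].get("method", "").lower()
        if not verify or verify.lower() == "blindtrust":
            plain = method.startswith(("http://", "ftp://"))
            findings.append((name, CLEARTEXT if plain else UNVERIFIED))
    return findings


# Constructed sample: the first paragraph of each file is taken from this manual,
# the "lab" paragraphs and mirror.example.invalid are invented for the demo.
SAMPLE_DISTRIBUTIONS = """\
Codename: raring
Update: - ubuntu-raring
SignWith: 4AB24B30

# constructed paragraph with no signing key
Codename: lab
Update: lab-mirror missing-rule   # the second rule does not exist
"""

SAMPLE_UPDATES = """\
Name: ubuntu-raring
Method: http://archive.ubuntu.com/ubuntu
Suite: raring
VerifyRelease: 3B4FE6ACC0B21F32

Name: lab-mirror
Method: http://mirror.example.invalid/ubuntu
Suite: raring
"""

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_DISTRIBUTIONS, SAMPLE_UPDATES):
        print("%-14s %s" % (subject, finding))
```

To audit a real repository, pass the contents of its conf/distributions and conf/updates files to audit() instead of the sample strings.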

4.2.3 Step 3: Replace with the compiled and built packages

Use the script remove_pkgs_from_repo.pl from the Cos software source customization manual to delete the 1748 official base packages used to build the system.

$ remove_pkgs_from_repo.pl repo_root pkgs_class_file

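Then use the script include_pkgs_tool.pl to add all 1748 packages used to build the cos system to Cos4. The package classification information and the priority file are described in the Cos software source customization manual.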

$ include_pkgs_to_repo.pl repo_root pkgs_class_file [pkgs_prios_file]


The Cos4 software repository is now complete.

References

(1) Official Debian documentation: http://www.debian.org/doc/manuals/

(2) Official Debian documentation for the APT advanced package tool: http://www.debian.org/doc/manuals/apt-howto/

(3) Official Debian security documentation, the security mechanisms of apt repositories: http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign

(4) reprepro creating a Ubuntu / Debian mirror: http://www.infrastructureanywhere.com/documentation/additional/mirrors.html#reprepro

(5) Official reprepro documentation: see the appendix

 


 

Appendix:

REPREPRO

Section: REPREPRO (1)
Updated: 2009-06-02

NAME

reprepro - produce, manage and sync a local repository of Debian packages

SYNOPSIS

reprepro --help

reprepro [ options ] command [ per-command-arguments ]

DESCRIPTION

reprepro is a tool to manage a repository of Debian packages (.deb, .udeb, .dsc, ...). It stores files either being injected manually or downloaded from some other repository (partially) mirrored into a pool/ hierarchy. Managed packages and checksums of files are stored in a libdb4.3 database (or libdb4.4 or libdb3, depending what reprepro was compiled with), so no database server is needed. Checking signatures of mirrored repositories and creating signatures of the generated Package indices is supported.

WARNING: Some functions are still quite experimental and not very heavily tested. Be careful.

Former working title of this program was mirrorer.

GLOBAL OPTIONS

Options can be specified before the command. Each affects a different subset of commands and is ignored by other commands.

-h --help

Displays a short list of options and commands with description.

-v, -V, --verbose

Be more verbose. Can be applied multiple times. One uppercase -V counts as five lowercase -v.

--silent

Be less verbose. Can be applied multiple times. One -v and one -s cancel each other out.

-f, --force

This option is ignored, as it no longer exists.

-b, --basedir basedir

Sets the base-dir all other default directories are relative to. If none is supplied and the REPREPRO_BASE_DIR environment variable is not set either, the current directory will be used.

--outdir outdir

Sets the base-dir of the repository to manage, i.e. where the pool/ subdirectory resides. And in which the dists/ directory is placed by default. The default for this is basedir.

--confdir confdir

Sets the directory where the configuration is searched in.

If none is given, basedir/conf will be used.

--distdir distdir

Sets the directory to generate index files relatively to. (i.e. things like Packages.gz, Sources.gz and Release.gpg)

If none is given, outdir/dists is used.

Note: apt has dists hard-coded in it, so this is mostly only useful for testing or when your webserver pretends another directory structure than your physical layout.

Warning: Beware when changing this forth and back between two values not ending in the same directory. Reprepro only looks if files it wants are there. If nothing of the content changed and there is a file it will not touch it, assuming it is the one it wrote last time, assuming any different --distdir ended in the same directory. So either clean a directory before setting --distdir to it or do an export with the new one first to have a consistent state.

--logdir logdir

The directory where files generated by the Log: directive are stored if they have no absolute path.

If none is given, basedir/logs is used.

--dbdir dbdir

Sets the directory where reprepro keeps its databases.

If none is given, basedir/db is used.

Note: This is permanent data, no cache. One has almost to regenerate the whole repository when this is lost.

--listdir listdir

Sets the directory where it downloads indices to when importing from other repositories. This is temporary data and can be safely deleted when not in an update run.

If none is given, basedir/lists is used.

--overridedir overridedir (OBSOLETE)

Sets the directory where specified override-files will be searched in if they do not start with a slash. If none is given, basedir/override is used.
This will be removed in a future version. Since reprepro 3.0.0, also the directory given to --confdir is searched for override files.

--methoddir methoddir

Look in methoddir instead of /usr/lib/apt/methods for methods to call when importing from other repositories.

-C, --component component

Limit the specified command to this component only. This will force added packages to this component, limit removing packages from this component, only list packages in this component, and/or otherwise only look at packages in this component, depending on the command in question.

-A, --architecture architecture

Limit the specified command to this architecture only. (i.e. only list such packages, only remove packages from the specified architecture, or otherwise only look at/act on this architecture depending on the specific command).

Note that architecture all packages can be included to each architecture but are then handled separately. Thus using -A correctly allows to have different versions of an architecture all package in different architectures of the same distribution.

-T, --type dsc|deb|udeb

Limit the specified command to this packagetype only. (i.e. only list such packages, only remove such packages, only include such packages, ...)

-S, --section section

Overrides the section of inclusions. (Also override possible override files)

-P, --priority priority

Overrides the priority of inclusions. (Also override possible override files)

--export=(never|changed|lookedat|force)

This option specifies whether and how the high level actions (e.g. install, update, pull, delete) should export the index files of the distributions they work with.

--export=normal (default till 3.0.0)

--export=lookedat (alternative new name since 3.0.1)

In this mode every distribution the action handled will be exported, unless there was an error possibly corrupting it.
Note that only missing files and files whose intended content changed between before and after the action will be written. To get a guaranteed current export, use the export action.

--export=changed (default since 3.0.1)

In this mode every distribution actually changed will be exported, unless there was an error possibly corrupting it. (i.e. if nothing changed, not even missing files will be created.)
Note that only missing files and files whose intended content changed between before and after the action will be written. To get a guaranteed current export, use the export action.

--export=force

Always export all distributions looked at, even if there was some error possibly bringing it into an inconsistent state.

--export=never

No index files are exported. You will have to call export later.
Note that you most likely additionally need the --keepunreferencedfiles option, if you do want some of the files pointed to by the untouched index files to vanish.

--ignore=what

Ignore errors of type what. See the section ERROR IGNORING for possible values.

--nolistsdownload

When running update, checkupdate or predelete do not download any Release or index files. This is hardly useful except when you just run one of those commands for the same distributions. And even then reprepro is usually good in not downloading except Release and Release.gpg files again.

--nothingiserror

If nothing was done, return with exitcode 1 instead of the usual 0.

Note that "nothing was done" means the primary purpose of the action in question. Auxiliary actions (opening and closing the database, exporting missing files with --export=lookedat, ...) usually do not count. Also note that this is not very well tested. If you find an action that claims to have done something in some cases where you think it should not, please let me know.

--keeptemporaries

Do not delete temporary .new files when exporting a distribution fails. (reprepro first creates .new files in the dists directory and only if everything is generated, all files are put into their final place at once. If this option is not specified and something fails, all are deleted to keep dists clean).

--keepunreferencedfiles

Do not delete files that are no longer used because the package they are from is deleted/replaced with a newer version from the last distribution it was in.

--keepunusednewfiles

The include, includedsc, includedeb and processincoming by default delete any file they added to the pool that is not marked used at the end of the operation. While this keeps the pool clean and allows changing before trying to add again, this needs copying and checksum calculation every time one tries to add a file.

--keepdirectories

Do not try to rmdir parent directories after files or directories have been removed from them. (Do this if your directories have special permissions you want to keep, do not want to be pestered with warnings about errors to remove them, or have a buggy rmdir call deleting non-empty directories.)

--keeptemporaries

If an export of a distribution fails, this option causes reprepro to not delete the temporary .new files in the dists/ directory, so one can look at the partial result.

--ask-passphrase

Ask for passphrases when signing things and one is needed. This is a quick and dirty implementation using the obsolete getpass(3) function with the description gpgme is supplying. So the prompt will look quite funny and support for passphrases with more than 8 characters depends on your libc. I suggest using gpg-agent or something like that instead.

--noskipold

When updating do not skip targets where no new index files and no files marked as already processed are available.

If you changed a script to preprocess downloaded index files or changed a Listfilter, you most likely want to call reprepro with --noskipold.

--waitforlock count

If there is a lockfile indicating another instance of reprepro is currently using the database, retry count times after waiting for 10 seconds each time. The default is 0 and means to error out instantly.

--spacecheck full|none

The default is full:
In the update commands, check for every to be downloaded file which filesystem it is on and how much space is left.
To disable this behaviour, use none.

--dbsafetymargin bytes-count

If checking for free space, reserve byte-count bytes on the filesystem containing the db/ directory. The default is 104857600 (i.e. 100MB), which is quite large. But as there is no way to know in advance how large the databases will grow and libdb is extremely touchy in that regard, lower only when you know what you do.

--safetymargin bytes-count

If checking for free space, reserve byte-count bytes on filesystems not containing the db/ directory. The default is 1048576 (i.e. 1MB).

--noguessgpgtty

Don't set the environment variable GPG_TTY, even when it is not set, stdin is terminal and /proc/self/fd/0 is a readable symbolic link.

--gnupghome

Set the GNUPGHOME environment variable to the given directory as argument to this option. And your gpg will most likely use the content of this variable instead of "~/.gnupg". Take a look at gpg(1) to be sure. This option in the command line is usually not very useful, as it is possible to set the environment variable directly. Its main reason for existence is that it can be used in conf/options.

--oldfilesdb

Do not only create checksums.db but also older files.db file. This will make it possible for reprepro versions before 3.3.0 to access this repository. Without this versions before 3.0 will not recognize the database and destroy it.

Note that future versions of reprepro will no longer support the old version.

--gunzip gz-uncompressor

While reprepro links against libz, it will look for the program given with this option (or gunzip if not given) and use that when uncompressing index files while downloading from remote repositories. (So that downloading and uncompression can happen at the same time). If the program is not found or is NONE (all-uppercase) then uncompressing will always be done using the built in uncompression method. The program has to accept the compressed file as stdin and write the uncompressed file into stdout.

--bunzip2 bz2-uncompressor

When uncompressing downloaded index files or when not linked against libbz2 reprepro will use this program to uncompress .bz2 files. The default value is bunzip2. If the program is not found or is NONE (all-uppercase) then uncompressing will always be done using the built in uncompression method or not be possible when not linked against libbz2. The program has to accept the compressed file as stdin and write the uncompressed file into stdout.

--unlzma lzma-uncompressor

When trying to uncompress or read lzma compressed files, this program will be used. The default value is unlzma. If the program is not found or is NONE (all-uppercase) then uncompressing lzma files will not be possible. The program has to accept the compressed file as stdin and write the uncompressed file into stdout.

--list-format format

Set the output format of list and listfilter commands. The format is similar to dpkg-query's --showformat: fields are specified as ${fieldname} or ${fieldname;length}. Zero length or no length means unlimited. Positive numbers mean fill with spaces right, negative fill with spaces left.

\n, \r, \t, \0 are new-line, carriage-return, tabulator and zero-byte. Backslash (\) can be used to escape every non-letter-or-digit.

The special field names $identifier, $architecture, $component, $type, $codename denote where the package was found.

When --list-format is not given or NONE, then the default is equivalent to
${$identifier} ${package} ${version}\n.

Escaping digits or letters not in above list, using dollars not escaped outside specified constructs, or any field names not listed as special and not consisting entirely out of letters, digits and minus signs have undefined behaviour and might change meaning without any further notice.

 

COMMANDS

export [ codenames ]

Generate all index files for the specified distributions.

This regenerates all files unconditionally. It is only useful if you want to be sure dists is up to date, you called some other actions with --export=never before or you want to create an initial empty but fully equipped dists/codename directory.

[ --delete ] createsymlinks [ codenames ]

Creates suite symbolic links in the dists/-directory pointing to the corresponding codename.

It will not create links, when multiple of the given codenames would be linked from the same suite name, or if the link already exists (though when --delete is given it will delete already existing symlinks)

list codename [ packagename ]

List all packages (source and binary, except when -T or -A is given) with the given name in all components (except when -C is given) and architectures (except when -A is given) of the specified distribution. If no package name is given, list everything. The format of the output can be changed with --list-format.

listfilter codename condition

as list, but does not list a single package, but all packages matching the given condition.

The format of the formulas is those of the dependency lines in Debian packages' control files with some extras. That means a formula consists of names of fields with a possible condition for its content in parentheses. These atoms can be combined with an exclamation mark '!' (meaning not), a pipe symbol '|' (meaning or) and a comma ',' (meaning and). Additionally parentheses can be used to change binding (otherwise '!' binds more than '|' than ',').

The values given in the search expression are directly alphabetically compared to the headers in the respective index file. That means that each part Fieldname (cmp value) of the formula will be true for exactly those package that have in the Package or Sources file a line starting with fieldname and a value is alphabetically cmp to value.

Examples:

reprepro -b . listfilter test2 'Section (== admin)' will list all packages in distribution test2 with a Section field and the value of that field being admin.

reprepro -b . -T deb listfilter test2 'Source (== blub) | ( !Source , Package (== blub) )' will find all .deb Packages with either a Source field blub or no Source field and a Package field blub. (That means all package generated by a source package blub, except those also specifying a version number with its Source).

ls package-name

List the versions of the specified package in all distributions.

remove codename package-names

Delete all packages in the specified distribution, that have package name listed as argument. (i.e. remove all packages list with the same arguments and options would list, except that an empty package list is not allowed.)

Note that like any other operation removing or replacing a package, the old package's files are unreferenced and thus may be automatically deleted if this was their last reference and no --keepunreferencedfiles specified.

removefilter codename condition

Delete all packages listfilter with the same arguments would list.

removesrc codename source-name [version]

Remove all packages in distribution codename belonging to source package source-name. (Limited to those with source version version if specified).

If package tracking is activated, it will use that information to find the packages, otherwise it traverses all package indices for the distribution.

update [ codenames ]

Sync the specified distributions (all if none given) as specified in the config with their upstreams. See the description of conf/updates below.

checkupdate [ codenames ]

Same like update, but will show what it will change instead of actually changing it.

dumpupdate [ codenames ]

Same like checkupdate, but less suitable for humans and more suitable for computers.

predelete [ codenames ]

This will determine which packages a update would delete or replace and remove those packages. This can be useful for reducing space needed while upgrading, but there will be some time where packages are vanished from the lists so clients will mark them as obsolete. Plus if you cannot download a updated package in the (hopefully) following update run, you will end up with no package at all instead of an old one. This will also blow up .diff files if you are using the tiffany example or something similar. So be careful when using this option or better get some more space so that update works.

cleanlists

Delete all files in listdir (default basedir/lists) that do not belong to any update rule for any distribution. I.e. all files are deleted in that directory that no update command in the current configuration can use. (The files are usually left there, so if they are needed again they do not need to be downloaded again. Though in many easy cases not even those files will be needed.)

pull [ codenames ]

pull in newer packages into the specified distributions (all if none given) from other distributions in the same repository. See the description of conf/pulls below.

checkpull [ codenames ]

Same like pull, but will show what it will change instead of actually changing it.

dumppull [ codenames ]

Same like checkpull, but less suitable for humans and more suitable for computers.

includedeb codename .deb-filename

Include the given binary Debian package (.deb) in the specified distribution, applying override information and guessing all values not given and guessable.

includeudeb codename .deb-filename

Same like includedeb, but for .udeb files.

includedsc codename .dsc-filename

Include the given Debian source package (.dsc, including other files like .orig.tar.gz, .tar.gz and/or .diff.gz) in the specified distribution, applying override information and guessing all values not given and guessable.

Note that .dsc files do not contain section or priority, but the Sources.gz file needs them. reprepro tries to parse .diff and .tar files for it, but is only able to resolve easy cases. If reprepro fails to extract those automatically, you have to either specify a DscOverride or give them via -S and -P

include codename .changes-filename

Include in the specified distribution all packages found and suitable in the .changes file, applying override information guessing all values not given and guessable.

processincoming rulesetname [.changes-file]

Scan an incoming directory and process the .changes files found there. If a filename is supplied, processing is limited to that file. rulesetname identifies which rule-set in conf/incoming determines which incoming directory to use and in what distributions to allow packages into. See the section about this file for more information.

check [ codenames ]

Check if all packages in the specified distributions have all files needed properly registered.

checkpool [ fast ]

Check if all files believed to be in the pool are actually still there and have the known md5sum. When fast is specified md5sum is not checked.

collectnewchecksums

Calculate all supported checksums for all files in the pool. (Versions prior to 3.3 did only store md5sums, 3.3 added sha1).

rereference

Forget which files are needed and recollect this information.

dumpreferences

Print out which files are marked to be needed by whom.

dumpunreferenced

Print a list of all files believed to be in the pool, that are not known to be needed.

deleteunreferenced

Remove all known files (and forget them) in the pool not marked to be needed by anything.

reoverride [ codenames ]

Reapply the override files to the given distributions (Or only parts thereof given by -A, -C or -T).

Note: only the control information is changed. Changing a section to a value, that would cause another component to be guessed, will not cause any warning.

dumptracks [ codenames ]

Print out all information about tracked source packages in the given distributions.

retrack [ codenames ]

Recreate a tracking database for the specified distributions. This consists of three steps. First all files marked as part of a source package are set to unused. Then all files actually used are marked as thus. Finally tidytracks is called to remove everything no longer needed with the new information about used files.

(This behaviour, though a bit longsome, keeps even files only kept because of tracking mode keep and files not otherwise used but kept due to includechanges or its relatives. Before version 3.0.0 such files were lost by running retrack).

removealltracks [ codenames ]

Removes all source package tracking information for the given distributions.

removetrack codename sourcename version

Remove the trackingdata of the given version of a given sourcepackage from a given distribution. This also removes the references for all used files.

tidytracks [ codenames ]

Check all source package tracking information for the given distributions for files no longer to keep.

copy destination-codename source-codename packages...

Copy the given packages from one distribution to another. The packages are copied verbatim, no override files are consulted. Only components and architectures present in the source distribution are copied.

copysrc destination-codename source-codename source-package [versions]

look at each package (where package means, as usual, every package be it dsc, deb or udeb) in the distribution specified by source-codename and identifies the relevant source package for each. All packages matching the specified source-package name (and any version if specified) are copied to the destination-codename distribution. The packages are copied verbatim, no override files are consulted. Only components and architectures present in the source distribution are copied.

copyfilter destination-codename source-codename formula

Copy packages matching the given formula (see listfilter). (all versions if no version is specified). The packages are copied verbatim, no override files are consulted. Only components and architectures present in the source distribution are copied.

restore codename snapshot packages...

restoresrc codename snapshot source-package [versions]

restorefilter destination-codename snapshot formula

Like the copy commands, but do not copy from another distribution, but from a snapshot generated with gensnapshot. Note that this blindly trusts the contents of the files in your dists/ directory and does no checking.

clearvanished

Remove all package databases that no longer appear in conf/distributions. If --delete is specified, it will not stop if there are still packages left. Even without --delete it will unreference files still marked as needed by this target. (Use --keepunreferenced to not delete them if that was the last reference.)

Do not forget to remove all exported package indices manually.

gensnapshot codename directoryname

Generate a snapshot of the distribution specified by codename in the directory conf/codename/snapshots/directoryname/ and reference all needed files in the pool as needed by that. No Content files are generated and no export hooks are run.

Note that there is currently no automated way to remove that snapshot again (not even clearvanished will unlock the referenced files after the distribution itself vanished). You will have to remove the directory yourself and tell reprepro to _removereferences s=codename=directoryname before deleteunreferenced will delete the files from the pool locked by this.

To access such a snapshot with apt, add something like the following to your sources.list file:
deb method://as/without/snapshot codename/snapshots/name main

rerunnotifiers [ codenames ]

Run all external scripts specified in the Log: options of the specified distributions.

translatefilelists

Translate the file list cache within db/contents.cache.db into the new format used since reprepro 3.0.0.

Make sure you have at least half of the space of the current db/contents.cache.db file size available in that partition.

 

internal commands

These are hopefully never needed, but allow manual intervention. WARNING: It is quite easy to get into an inconsistent and/or unfixable state.

_detect [ filekeys ]

Look for the files, which filekey is given as argument or as a line of the input (when run without arguments), and calculate their md5sum and add them to the list of known files. (Warning: this is a low level operation, no input validation or normalization is done.)

_forget [ filekeys ]

Like _detect but remove the given filekey from the list of known files. (Warning: this is a low level operation, no input validation or normalization is done.)

_listmd5sums

Print a list of all known files and their md5sums.

_listchecksums

Print a list of all known files and their recorded checksums.

_addmd5sums

alias for the newer

_addchecksums

Add information of known files (without any check done) in the strict format of _listchecksums output (i.e. don't dare to use a single space anywhere more than needed).

_dumpcontents identifier

Print out all the stored information of the specified part of the repository. (Or in other words, the content the corresponding Packages or Sources file would get)

_addreference filekey identifier

Manually mark filekey to be needed by identifier

_removereferences identifier

Remove all references what is needed by identifier.

__extractcontrol .deb-filename

Look what reprepro believes to be the content of the control file of the specified .deb-file.

__extractfilelist .deb-filename

Look what reprepro believes to be the list of files of the specified .deb-file.

_fakeemptyfilelist filekey

Insert an empty filelist for filekey. This is an evil hack around broken .deb files that cannot be read by reprepro.

_addpackage codename filename packages...

Add packages from the specified filename to part specified by -C, -A and -T of the specified distribution. Very strange things can happen if you use it improperly.

__dumpuncompressors

List what compression formats can be uncompressed and how.

__uncompress format compressed-file uncompressed-file

Use builtin or external uncompression to uncompress the specified file of the specified format into the specified target.

_listconfidentifiers identifier [ distributions... ]

Print - one per line - all identifiers of subdatabases as derived from the configuration. If a list of distributions is given, only identifiers of those are printed.

_listdbidentifiers identifier [ distributions... ]

Print - one per line - all identifiers of subdatabases in the current database. This will be a subset of the ones printed by _listconfidentifiers or most commands but clearvanished will refuse to run, and depending on the database compatibility version, will include all those if reprepro was run since the config was last changed.

 

CONFIG FILES

reprepro uses three config files, which are searched in the directory specified with --confdir or in the conf/ subdirectory of the basedir.

If a file options exists, it is parsed line by line. Each line can be the long name of a command line option (without the --) plus an argument, where possible. Those are handled as if they were command line options given before (and thus lower priority than) any other command line option. (and also lower priority than any environment variable).

To allow command line options to override options file options, most boolean options also have a corresponding form starting with --no.

(The only exception is when the path to look for config files changes, the options file will only be opened once and of course before any options within the options file are parsed.)

The file distributions is always needed and describes what distributions to manage, while updates is only needed when syncing with external repositories and pulls is only needed when syncing with repositories in the same reprepro database.

The last three are in the format control files in Debian are in, i.e. paragraphs separated by empty lines consisting of fields. Each field consists of a fieldname, followed by a colon, possible whitespace and the data. A field ends with a newline not followed by a space or tab.

Lines starting with # as first character are ignored, while in other lines the # character and everything after it till the newline character are ignored.

conf/distributions

Codename

This required field is the unique identifier of a distribution and used as directory name within dists/. It is also copied into the Release files.

Note that this name is not supposed to change. You most likely never ever want a name like testing or stable here (those are suite names and supposed to point to another distribution later).

Suite

This optional field is simply copied into the Release files. In Debian it contains names like stable, testing or unstable. To create symlinks from the Suite to the Codename, use the createsymlinks command of reprepro.

FakeComponentPrefix

If this field is present, its argument is added before every Component written to the main Release file, and removed from the end of the Codename and Suite fields in that file.
So
 Codename: bla/updates
 Suite: foo/updates
 FakeComponentPrefix: updates
 Components: main bad
will create a Release file with
 Codename: bla
 Suite: foo
 Components: updates/main updates/bad
in it, but otherwise nothing is changed. This makes the distribution look more like Debian's security archive, thus work around problems with apt's workarounds for that.

AlsoAcceptFor

A list of distribution names. When a .changes file is told to be included into this distribution with the include command and the distribution header of that file is neither the codename, nor the suite name, nor any name from the list, a wrongdistribution error is generated. The process_incoming command will also use this field, see the description of Allow and Default from the conf/incoming file for more information.

Version

This optional field is simply copied into the Release files.

Origin

This optional field is simply copied into the Release files.

Label

This optional field is simply copied into the Release files.

NotAutomatic

This optional field is simply copied into the Release files. (The value is handled as arbitrary string, though anything but yes does not make much sense right now.)

Description

This optional field is simply copied into the Release files.

Architectures

This required field lists the binary architectures within this distribution and if it contains source (i.e. if there is an item source in this line this Distribution has source. All other items specify things to be put after "binary-" to form directory names and be checked against "Architecture:" fields.)

This will also be copied into the Release files. (With exception of the source item, which will not occur in the topmost Release file whether it is present here or not.)

Components

This required field lists the components of a distribution. See GUESSING for the rules on which component packages are included into by default. This will also be copied into the Release files.

UDebComponents

Components with a debian-installer subhierarchy containing .udebs. (E.g. simply "main")

Update

When this field is present, it describes which update rules are used for this distribution. There also can be a magic rule minus ("-"), see below.

Pull

When this field is present, it describes which pull rules are used for this distribution. Pull rules are like Update rules, but get their stuff from other distributions and not from external sources. See the description for conf/pulls.

SignWith

When this field is present, a Release.gpg file will be generated. If the value is "yes" or "default", the default key of gpg is used. Otherwise the value will be given to libgpgme to determine the key to use.

If there are problems with signing, you can try
gpg --list-secret-keys value
to see how gpg could interpret the value. If that command does not list any keys or multiple ones, try to find some other value (like the keyid), that gpg can more easily associate with a unique key.

If this key has a passphrase, you need to use gpg-agent or the insecure option --ask-passphrase.

DebOverride

When this field is present, it describes the override file used when including .deb files.

UDebOverride

When this field is present, it describes the override file used when including .udeb files.

DscOverride

When this field is present, it describes the override file used when including .dsc files.

DebIndices, UDebIndices, DscIndices

Choose what kind of Index files to export. The first part describes what the Index file shall be called. The second argument determines the name of a Release file to generate or not to generate if missing. Then at least one of ".", ".gz" or ".bz2" specifying whether to generate uncompressed output, gzipped output, bzip2ed output or any combination. (bzip2 is only available when compiled with bzip2 support, so it might not be available when you compiled it on your own.) If an argument not starting with dot follows, it will be executed after all index files are generated. (See the examples for what argument this gets.) The default is:
DebIndices: Packages Release . .gz
UDebIndices: Packages . .gz
DscIndices: Sources Release .gz

Contents

Enable the creation of Contents files listing all the files within the binary packages of a distribution. (Which is quite slow, you have been warned).

In earlier versions, the first argument was a rate at which to extract file lists. As this did not work and was no longer easily possible after some factorisation, this is no longer supported.

The arguments of this field is a space separated list of options. If there is a udebs keyword, .udebs are also listed (in a file called uContents-architecture). If there is a nodebs keyword, .debs are not listed. (Only useful together with udebs.) If there is at least one of the keywords ., .gz and/or .bz2, the Contents files are written uncompressed, gzipped and/or bzip2ed instead of only gzipped.

ContentsArchitectures

Limit generation of Contents files to the architectures given. If this field is not there, all architectures are processed. An empty field means no architectures are processed, thus not very useful.

ContentsComponents

Limit what components are processed for the Contents-arch files to the components given. If this field is not there, all components are processed. An empty field is equivalent to specify nodebs in the Contents field, while a non-empty field overrides a nodebs there.

ContentsUComponents

Limit what components are processed for the uContents files to the components given. If this field is not there and there is the udebs keyword in the Contents field, all .udebs of all components are put in the uContents.arch files. If this field is not there and there is no udebs keyword in the Contents field, no uContents-arch files are generated at all. A non-empty field implies generation of uContents-arch files (just like the udebs keyword in the Contents field), while an empty one causes no uContents-arch files to be generated.

Uploaders

Specifies a file (relative to confdir if not starting with a slash) to specify who is allowed to upload packages. Without this there are no limits, and this file can be ignored via --ignore=uploaders. See the section UPLOADERS FILES below.

Tracking

Enable the (experimental) tracking of source packages. The argument list needs to contain exactly one of the following:
keep Keeps all files of a given source package, until that is deleted explicitly via removetrack. This is currently the only possibility to keep older packages around when all indices contain newer files.
all Keep all files belonging to a given source package until the last file of it is no longer used within that distribution.
minimal Remove files no longer included in the tracked distribution. (Remove changes, logs and includebyhand files once no file is in any part of the distribution).
And any number of the following (or none):
includechanges Add the .changes file to the tracked files of a source package. Thus it is also put into the pool.
includebyhand Add byhand and raw-* files to the tracked files and thus in the pool.
includelogs Add log files to the tracked files and thus in the pool. (Note that putting log files in changes files is a reprepro extension not found in normal changes files)
embargoalls Not yet implemented.
keepsources Even when using minimal mode, do not remove source files until no file is needed any more.
needsources Not yet implemented.

Log

Specify a file to log additions and removals of this distribution into and/or external scripts to call when something is added or removed. The rest of the Log: line is the filename, every following line (as usual, have to begin with a single space) the name of a script to call. The name of the script may be preceded with options of the form --type=(dsc|deb|udeb), --architecture=name or --component=name to only call the script for some parts of the distribution. A script with argument --changes is called when a .changes file was accepted by include or processincoming (and with other arguments). Both types of scripts can have a --via=command specified, in which case it is only called when caused by reprepro command command.

For information how it is called and some examples take a look at manual.html in reprepro's source or /usr/share/doc/reprepro/

If the filename for the log files does not start with a slash, it is relative to the directory specified with --logdir, the scripts are relative to --confdir unless starting with a slash.

ValidFor

If this field exists, a Valid-Until field is put into generated Release files for this distribution with a date as much in the future as the argument specifies.

The argument has to be a number followed by one of the units d, m or y, where d means days, m means 31 days and y means 365 days. So ValidFor: 1m 11 d causes the generation of a Valid-Until: header in Release files that points 42 days into the future.

ReadOnly

Disallow all modifications of this distribution or its directory in dists/codename (with the exception of snapshot subdirectories).

 

conf/updates

Name

The name of this update-upstream as it can be used in the Update field in conf/distributions.

Method

A URI as one could also give it to apt, e.g. http://ftp.debian.de/debian, which is simply given to the corresponding apt-get method. (So either apt-get has to be installed, or you have to point with --methoddir to a place where such methods are found.)

Fallback

(Still experimental:) A fallback URI, where all files are tried that failed the first one. They are given to the same method as the previous URI (e.g. both http://), and the fallback-server must have everything at the same place. No recalculation is done, but single files are just retried from this location.

Config

This can contain any number of lines, each in the format apt-get --option would expect. (Multiple lines - as always - marked with leading spaces).

For example: Config: Acquire::Http::Proxy=http://proxy.yours.org:8080

From

The name of another update rule this rule derives from. The rule containing the From may not contain Method, Fallback or Config. All other fields are used from the rule referenced in From, unless found in this containing the From. The rule referenced in From may itself contain a From. Reprepro will only assume two remote index files are the same, if both get their Method information from the same rule.

Suite

The suite to update from. If this is not present, the codename of the distribution using this one is used. Also "*/whatever" is replaced by "/whatever"

Components

The components to update. Each item can be either the name of a component or a pair of an upstream component and a local component separated with ">". (e.g. "main>all contrib>all non-free>notall")

If this field is not there, all components from the distribution to update are tried.

An empty field means no source or .deb packages are updated by this rule, but only .udeb packages, if there are any.

A rule might list components not available in all distributions using this rule. In this case unknown components are silently ignored. (Unless you start reprepro with the --fast option, it will warn about components unusable in all distributions using that rule. As exceptions, unusable components called none are never warned about, for compatibility with versions prior to 3.0.0 where an empty field had a different meaning.)

Architectures

The architectures to update. If omitted all from the distribution to update from. (As with components, you can use ">" to download from one architecture and add into another one. (This only determines in which Package list they land, it neither overwrites the Architecture line in its description, nor the one in the filename determined from this one. In other words, it is not really useful without additional filtering.))

UDebComponents

Like Components but for the udebs.

VerifyRelease

Download the Release.gpg file and check if it is a signature of the Release file with the key given here. (In the format as "gpg --with-colons --list-key" prints it, i.e. the last 16 hex digits of the fingerprint.) Multiple keys can be specified by separating them with a "|" sign. Then finding a signature from one of them will suffice. To allow revoked or expired keys, add a "!" behind a key (but to accept such signatures, the appropriate --ignore is also needed). To also allow subkeys of a specified key, add a "+" behind a key.

IgnoreRelease

If this is present, no Release file will be downloaded and thus the md5sums of the other index files will not be checked.

Flat

If this field is in an update rule, it is supposed to be a flat repository, i.e. a repository without a dists dir and no subdirectories for the index files. (If the corresponding sources.list line has the suite end with a slash, then you might need this one.) The argument for the Flat: field is the Component to put those packages into. No Components or UDebComponents fields are allowed in a flat update rule. If the Architecture field has any > items, the part left of the ">" is ignored.
For example the sources.list line
 deb http://cran.r-project.org/bin/linux/debian etch-cran/
would translate to

 Name: R
 Method: http://cran.r-project.org/bin/linux/debian
 Suite: etch-cran
 Flat: whatevercomponentyoudlikethepackagesin

IgnoreHashes

This directive tells reprepro to not check the listed hashes in the downloaded Release file (and only in the Release file). Possible values are currently sha1 and sha256.

Note that md5 is not possible as reprepro internally still always needs md5 hashes. Note that this does not speed anything up in any measurable way. The only reason to specify this is if the Release file of the distribution you want to mirror from uses a faulty algorithm implementation. Otherwise you will gain nothing and only lose security but not gain speed.
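
The control-file format described earlier and the VerifyRelease, IgnoreRelease and IgnoreHashes fields above can be checked mechanically. The following is an added example, not reprepro's own code: a small parser for conf/updates that follows From inheritance and reports rules that skip or weaken Release verification. The function names, finding labels, key ids and sample rules are constructed for illustration.

```python
import re

# Constructed sample conf/updates; key ids and the .invalid mirrors are made up.
SAMPLE_UPDATES = """\
# mirror rules
Name: base
Method: http://ftp.debian.de/debian
VerifyRelease: 0123456789ABCDEF|FEDCBA9876543210!   # second key may be expired
Config: Acquire::Http::Proxy=http://proxy.yours.org:8080

Name: derived
From: base
Components: main>all

Name: unsigned
Method: http://mirror.example.invalid/debian
IgnoreRelease: yes

Name: weakhash
Method: http://mirror.example.invalid/other
VerifyRelease: 0123456789ABCDEF+
IgnoreHashes: sha1 sha256
"""

# 16 hex digits, optionally followed by the "!" and "+" markers.
KEY_RE = re.compile(r"^[0-9A-Fa-f]{16}[!+]*$")


def parse_control(text):
    """Split text into paragraphs: dicts of lower-cased field name -> value."""
    paragraphs, current, last = [], {}, None
    for number, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):                # whole-line comment
            continue
        line = raw.split("#", 1)[0].rstrip()   # drop a trailing comment
        if raw == "":                          # empty line ends the paragraph
            if current:
                paragraphs.append(current)
            current, last = {}, None
        elif not line:                         # nothing left on this line
            if not raw.strip():
                raise ValueError(f"line {number}: only spaces (spaceonlyline)")
        elif line[0] in " \t":                 # continuation of previous field
            if last is None:
                raise ValueError(f"line {number}: continuation without a field")
            current[last] += "\n" + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            current[last] = value.strip()
        else:
            raise ValueError(f"line {number}: no colon (malformedchunk)")
    if current:
        paragraphs.append(current)
    return paragraphs


def lookup(rule, by_name, field):
    """Value of field for rule: a local value wins, else the From rule's."""
    seen = set()
    while rule is not None:
        if field in rule:
            return rule[field]
        name = rule.get("name")
        if name in seen:
            raise ValueError(f"From loop at rule {name}")
        seen.add(name)
        rule = by_name.get(rule.get("from"))
    return None


def lint_updates(text):
    """Return (rule name, finding) pairs for weakened Release verification."""
    rules = parse_control(text)
    by_name = {rule.get("name"): rule for rule in rules}
    findings = []
    for rule in rules:
        name = rule.get("name", "?")
        if lookup(rule, by_name, "ignorerelease") is not None:
            findings.append((name, "release-not-checked"))
        else:
            keys = lookup(rule, by_name, "verifyrelease")
            if keys is None:
                findings.append((name, "no-verifyrelease"))
            else:
                for key in (k.strip() for k in keys.split("|")):
                    if not KEY_RE.match(key):
                        findings.append((name, "key-format:" + key))
                    elif "!" in key:
                        findings.append((name, "expired-or-revoked-allowed:" + key))
        hashes = lookup(rule, by_name, "ignorehashes")
        if hashes:
            findings.append((name, "hashes-skipped:" + " ".join(hashes.split())))
    return findings


if __name__ == "__main__":
    for rule_name, finding in lint_updates(SAMPLE_UPDATES):
        print(rule_name, finding)
```
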

FilterFormula

This can be a formula to specify which packages to accept from this source. The format is misusing the parser intended for Dependency lines. To get only architecture all packages use "architecture (== all)", to get only at least important packages use "priority (==required) | priority (==important)".

FilterList

This takes at least two arguments: The first one is the default action when something is not found in the list, then a list of filenames (relative to --confdir, if not starting with a slash), in the format of dpkg --get-selections and only packages listed in there as install or that are already there and are listed with upgradeonly will be installed. Things listed as deinstall or purge will be ignored. Things listed with warning are also ignored, but a warning message is printed to stderr. A package being hold will not be upgraded but also not downgraded or removed by previous delete rules. To abort the whole upgrade/pull if a package is available, use error.

ListHook

If this is given, it is executed for all downloaded index files with the downloaded list as first and a filename that will be used instead of this. (e.g. "ListHook: /bin/cp" works but does nothing.)

If a file will be read multiple times, it is processed multiple times, with the environment variables REPREPRO_FILTER_CODENAME, REPREPRO_FILTER_PACKAGETYPE, REPREPRO_FILTER_COMPONENT and REPREPRO_FILTER_ARCHITECTURE set to the where this file will be added and REPREPRO_FILTER_PATTERN to the name of the update rule causing it.

ListShellHook

This is like ListHook, but the whole argument is given to the shell as argument, and the input and output file are stdin and stdout.

i.e.:
ListShellHook: cat
works but does nothing but useless use of a shell and cat, while
ListShellHook: grep-dctrl -X -S apt -o -X -S dpkg || [ $? -eq 1 ]
will limit the update rule to packages from the specified source packages.

DownloadListsAs

The arguments of this field, which must be elements of the form ., .gz, .bz2, .lzma and .diff, specify in which order reprepro will look for a usable variant of needed index files in the downloaded Release file. (The default is .diff .lzma .bz2 .gz ., i.e. download Packages.diff if listed in the Release file, otherwise or if not usable download .lzma if listed in the Release file and there is a way to uncompress it, then .bz2 if usable, then .gz and then uncompressed).

Together with IgnoreRelease reprepro will download the first in this list that could be unpacked.

Note there is no way to see if an uncompressed variant of the file is available (as the Release file always lists their checksums, even if not there), so putting '.' anywhere but as the last argument can mean trying to download a file that does not exist.

 

conf/pulls

This file contains the rules for pulling packages from one distribution to another. While this can also be done with update rules using the file or copy method and using the exported indices of that other distribution, this way is faster. It also ensures the current files are used and no copies are made. (This also leads to the limitation that pulling from one component to another is not possible.)

Each rule consists out of the following fields:

Name

The name of this pull rule as it can be used in the Pull field in conf/distributions.

From

The codename of the distribution to pull packages from.

Components

The components of the distribution to get from.

If this field is not there, all components from the distribution to update are tried.

A rule might list components not available in all distributions using this rule. In this case unknown components are silently ignored. (Unless you start reprepro with the --fast option, it will warn about components unusable in all distributions using that rule. As exception, unusable components called none are never warned about, for compatibility with versions prior to 3.0.0 where an empty field had a different meaning.)

Architectures

The architectures to update. If omitted all from the distribution to pull from. As in conf/updates, you can use ">" to download from one architecture and add into another one. (And again, only useful with filtering to avoid packages not architecture all to migrate).

UDebComponents

Like Components but for the udebs.

FilterFormula

FilterList

The same as with update rules.

 

OVERRIDE FILES

Override files are yet only used when things are manually added, not when imported while updating from an external source. The format should resemble the extended ftp-archive format, to be specific it is:

packagename fieldname new value

For example:
kernel-image-2.4.31-yourorga Section protected/base
kernel-image-2.4.31-yourorga Priority standard
kernel-image-2.4.31-yourorga Maintainer That's me <me@localhost>
reprepro Priority required

All fields of a given package will be replaced by the new value specified in the override file. While the field name is compared case-insensitive, it is copied in exactly the form in the override file there. (Thus I suggest to keep to the exact case it is normally found in index files in case some other tool confuses them.) More than copied is the Section header (unless -S is supplied), which is also used to guess the component (unless -C is there). There is no protection against changing headers like Package, Filename, Size or MD5sum, though changing these functional fields may give the most curious results. (Most likely reprepro may error out in future invocations).

conf/incoming

Every chunk is a rule set for the process_incoming command. Possible fields are:

Name

The name of the rule-set, used as argument to the scan command to specify to use this rule.

IncomingDir

The name of the directory to scan for .changes files.

TempDir

A directory where the files listed in the processed .changes files are copied into before they are read. You can avoid some copy operations by placing this directory within the same mount point the pool hierarchy is (at least partially) in.

LogDir

A directory where .changes files, .log files and otherwise unused .byhand files are stored upon procession.

Allow arguments

Each argument is either a pair name1>name2 or simply name which is short for name>name. Each name2 must identify a distribution, either by being Codename, a unique Suite, or a unique AlsoAcceptFor from conf/distributions. Each upload has each item in its Distribution: header compared first to last with each name1 in the rules and is put in the first one accepting this package. e.g.:
Allow: local unstable>sid
or
Allow: stable>security-updates stable>proposed-updates
(Note that this makes only sense if Multiple is set to true or if there are people only allowed to upload to proposed-updates but not to security-updates).

Default distribution

Every upload not put into any other distribution because of an Allow argument is put into distribution if that accepts it.

Multiple

Allow putting an upload in multiple distributions if it lists more than one. (Without this field, procession stops after the first success).

Permit options

A list of options to allow things otherwise causing errors:
unused_files
Do not stop with error if there are files listed in the .changes file if it lists files not belonging to any package in it.
older_version
Ignore a package not added because there already is a strictly newer version available instead of treating this as an error.

Cleanup options

A list of options to cause more files in the incoming directory to be deleted:
unused_files
If there is unused_files in Permit then also delete those files when the package is deleted after successful processing.
on_deny
If a .changes file is denied processing because of missing signatures or allowed distributions to be put in, delete it and all the files it references.
on_error
If a .changes file causes errors while processing, delete it.

 

UPLOADERS FILES

These files specified by the Uploaders header in the distribution definition as explained above describe what key a .changes file has to be signed with to be included in that distribution.

Empty lines and lines starting with a hash are ignored, every other line has to be of one of these three forms:

allow condition by anybody

which allows everyone to upload packages matching condition,

allow condition by unsigned

which allows everything matching that has no pgp/gpg header,

allow condition by any key

which allows everything matching with any valid signature in or

allow condition by key key-id

which allows everything matching signed by this key-id (to be specified without any spaces). If the key-id ends with a + (plus), a signature with a subkey of this primary key also suffices.

The only conditions currently supported are:

*

which means any package,

source 'name'

which means any package with source name. (up to two asterisks are allowed in name).

sections 'name'(|'name')*

matches an upload in which each section matches one of the names given. As upload conditions are checked very early, this is the section listed in the .changes file, not the one from the override file. (But this might change in the future, if you have the need for the one or the other behavior, let me know).

sections contain 'name'(|'name')*

The same, but not all sections must be from the given set, but at least one source or binary package needs to have one of those given.

binaries 'name'(|'name')*

matches an upload in which each binary (type deb or udeb) matches one of the names given.

binaries contain 'name'(|'name')*

again only at least one instead of all is required.

architectures 'architecture'(|'name')*

matches an upload in which each package has only architectures from the given set. source and all are treated as unique architectures. Wildcards are not allowed.

architectures contain 'architecture'(|'architecture')*

again only at least one instead of all is required.

Putting not in front of a condition inverts its meaning. For example
allow not source 'r*' by anybody
means anybody may upload packages whose source name does not start with an 'r'.

Multiple conditions can be connected with and and or, with or binding stronger (but both weaker than not). That means
allow source 'r*' and source '*xxx' or source '*o' by anybody
is equivalent to
allow source 'r*xxx' by anybody
allow source 'r*o' by anybody

(Other conditions will follow once somebody tells me what restrictions are useful. Currently planned is only something for architectures).
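
The precedence rule above (not binds tightest, then or, then and) and the four signer clauses, as an added example that is not reprepro's own code: a small evaluator that answers whether a given source name and signer would be admitted by an uploaders file, and lists the rules that require no signature at all. It handles only the * and source conditions; the function names, sample file and key id are constructed, and subkey matching for a trailing + is not modelled.

```python
import re

# Constructed sample uploaders file; the first rule is the page's own example.
SAMPLE_UPLOADERS = """\
# constructed sample
allow source 'r*' and source '*xxx' or source '*o' by anybody

allow not source 'r*' by key 0123456789ABCDEF
allow source 'kernel-*' by any key
"""

TOKEN = re.compile(r"'[^']*'|\S+")


def glob_match(pattern, name):
    """Match name against pattern where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


class ConditionParser:
    """Recursive descent: 'not' binds tightest, then 'or', then 'and'."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse(self):
        check = self.parse_and()
        if self.peek() is not None:
            raise ValueError(f"unexpected token: {self.peek()}")
        return check

    def parse_and(self):                      # weakest operator
        terms = [self.parse_or()]
        while self.peek() == "and":
            self.take()
            terms.append(self.parse_or())
        return lambda source: all(term(source) for term in terms)

    def parse_or(self):
        terms = [self.parse_not()]
        while self.peek() == "or":
            self.take()
            terms.append(self.parse_not())
        return lambda source: any(term(source) for term in terms)

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda source: not inner(source)
        token = self.take()
        if token == "*":
            return lambda source: True
        if token == "source":
            quoted = self.take()
            if not quoted or len(quoted) < 2 or quoted[0] != "'":
                raise ValueError("source needs a quoted name")
            return lambda source: glob_match(quoted[1:-1], source)
        raise ValueError(f"condition not handled in this example: {token}")


def parse_uploaders(text):
    """Return a list of (line, condition function, signer tokens)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        if tokens[0] != "allow" or "by" not in tokens:
            raise ValueError(f"not an allow line: {line}")
        split = len(tokens) - 1 - tokens[::-1].index("by")   # last "by"
        condition = ConditionParser(tokens[1:split]).parse()
        rules.append((line, condition, tokens[split + 1:]))
    return rules


def signer_matches(who, signer):
    """signer is None for an unsigned file, else the id of a valid signing key."""
    if who == ["anybody"]:
        return True
    if who == ["unsigned"]:
        return signer is None
    if who == ["any", "key"]:
        return signer is not None
    if len(who) == 2 and who[0] == "key":
        # A trailing '+' also admits subkeys; that needs the keyring and is
        # not modelled here, so only the named key itself matches.
        return signer is not None and who[1].rstrip("+").upper() == signer.upper()
    raise ValueError(f"unknown signer clause: {' '.join(who)}")


def may_upload(text, source, signer):
    """True if any allow line matches both the source name and the signer."""
    return any(cond(source) and signer_matches(who, signer)
               for _, cond, who in parse_uploaders(text))


def unauthenticated_rules(text):
    """Lines that grant uploads without requiring any signature."""
    return [line for line, _, who in parse_uploaders(text)
            if who in (["anybody"], ["unsigned"])]
```
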

ERROR IGNORING

With --ignore on the command line or an ignore line in the options file, the following type of errors can be ignored:

brokenold (hopefully never seen)

If there are errors parsing an installed version of package, do not error out, but assume it is older than anything else, has no files or no source name.

brokensignatures

If a .changes or .dsc file contains at least one invalid signature and no valid signature (not even expired or from an expired or revoked key), reprepro assumes the file got corrupted and refuses to use it unless this ignore directive is given.

brokenversioncmp (hopefully never seen)

If comparing old and new version fails, assume the new one is newer.

dscinbinnmu

If a .changes file has an explicit Source version that is different to the version header of the file, then reprepro assumes it is a binary non maintainer upload (NMU). In that case, source files are not permitted in .changes files processed by include or processincoming. Adding --ignore=dscinbinnmu allows it for the include command.

emptyfilenamepart (insecure)

Allow strings to be empty that are used to construct filenames. (like versions, architectures, ...)

extension

Allow to includedeb files that do not end with .deb, to includedsc files not ending in .dsc and to include files not ending in .changes.

forbiddenchar (insecure)

Do not insist on Debian policy for package and source names and versions. Thus allowing all 7-bit characters but slashes (as they would break the file storage) and things syntactically active (spaces, underscores in filenames in .changes files, opening parentheses in source names of binary packages). To allow some 8-bit chars additionally, use 8bit additionally.

8bit (more insecure)

Allow 8-bit characters not looking like overlong UTF-8 sequences in filenames and things used as parts of filenames. Though it hopefully rejects overlong UTF-8 sequences, there might be other characters your filesystem confuses with special characters, thus creating filenames possibly equivalent to /mirror/pool/main/../../../etc/shadow (which should be safe, as you do not run reprepro as root, do you?) or simply overwriting your conf/distributions file adding some commands in there. So do not use this if you are paranoid, unless you are paranoid enough to have checked the code of your libs, kernel and filesystems.

ignore (for forward compatibility)

Ignore unknown ignore types given to --ignore.

flatandnonflat (only suppresses a warning)

Do not warn about a flat and a non-flat distribution from the same source with the same name when updating. (Hopefully never ever needed.)

malformedchunk (I hope you know what you do)

Do not stop when finding a line not starting with a space but no colon (:) in it. These are otherwise rejected as they have no defined meaning.

missingfield (safe to ignore)

Ignore missing fields in a .changes file that are only checked but not processed. Those include: Format, Date, Urgency, Maintainer, Description, Changes

missingfile (might be insecure)

When including a .dsc file from a .changes file, try to get files needed but not listed in the .changes file (e.g. when someone forgot to specify -sa to dpkg-buildpackage) from the directory the .changes file is in instead of erroring out. (--delete will not work with those files, though.)

spaceonlyline (I hope you know what you do)

Allow lines containing only (but non-zero) spaces. As these do not separate chunks and thus will cause reprepro to behave unexpectedly, they cause error messages by default.

surprisingarch

Do not reject a .changes file containing files for an architecture not listed in the Architecture-header within it.

surprisingbinary

Do not reject a .changes file containing .deb files containing packages whose name is not listed in the "Binary:" header of that changes file.

undefinedtarget (hope you are not using the wrong db directory)

Do not stop when the packages.db file contains databases for codename/packagetype/component/architectures combinations that are not listed in your distributions file.

This allows you to temporarily remove some distribution from the config files, without having to remove the packages in it with the clearvanished command. You might even temporarily remove single architectures or components, though that might cause inconsistencies in some situations.

undefinedtracking (hope you are not using the wrong db directory)

Do not stop when the tracking file contains databases for distributions that are not listed in your distributions file.

This allows you to temporarily remove some distribution from the config files, without having to remove the packages in it with the clearvanished command. You might even temporarily disable tracking in some distribution, but that is likely to cause inconsistencies in there, if you do not know what you are doing.

unknownfield (for forward compatibility)

Ignore unknown fields in the config files, instead of refusing to run then.

unusedarch (safe to ignore)

No longer reject a .changes file containing no files for any of the architectures listed in the Architecture-header within it.

unusedoption

Do not complain about command line options not used by the specified action (like --architecture).

uploaders

The include command will accept packages that would otherwise have been rejected by the uploaders file.

wrongdistribution (safe to ignore)

Do not error out if a .changes file is to be placed in a distribution not listed in that file's Distributions: header.

wrongsourceversion

Do not reject a .changes file containing .deb files with a different opinion on what the version of the source package is.
(Note: reprepro only compares literally here, not by meaning.)

wrongversion

Do not reject a .changes file containing .dsc files with a different version.
(Note: reprepro only compares literally here, not by meaning.)

expiredkey (I hope you know what you do)

Accept signatures with expired keys. (Only if the expired key is explicitly requested).

expiredsignature (I hope you know what you do)

Accept expired signatures with expired keys. (Only if the key is explicitly requested).

revokedkey (I hope you know what you do)

Accept signatures with revoked keys. (Only if the revoked key is explicitly requested).

 

GUESSING

When including a binary or source package without explicitly declaring a component with -C it will take the first component with the name of the section, being prefix to the section, being suffix to the section or having the section as prefix or any. (In this order)

Thus having specified the components: "main non-free contrib non-US/main non-US/non-free non-US/contrib" should map e.g. "non-US" to "non-US/main" and "contrib/editors" to "contrib", while having only "main non-free and contrib" as components should map "non-US/contrib" to "contrib" and "non-US" to "main".

NOTE: Always specify main as the first component, if you want things to end up there.

NOTE: unlike in dak, non-US and non-us are different things...

NOMENCLATURE

Codename

the primary identifier of a given distribution. These are normally things like sarge, etch or sid.

basename

the name of a file without any directory information.

filekey

the position relative to the mirrordir. (as found as "Filename:" in Packages.gz)

full filename

the position relative to /

architecture

The term like sparc, i386, mips, ... . To refer to the source packages, source is sometimes also treated as architecture.

component

Things like main, non-free and contrib (by policy and some other programs also called section, reprepro follows the naming scheme of apt here.)

section

Things like base, interpreters, oldlibs and non-free/math (by policy and some other programs also called subsections).

md5sum

The checksum of a file in the format ""

 

Some note on updates

 

A version is not overwritten with the same version.

reprepro will never update a package with a version it already has. This would be equivalent to rebuilding the whole database with every single upgrade. To force the new same version in, remove it and then update. (If files of the packages changed without changing their name, make sure the file is no longer remembered by reprepro. Without --keepunreferencedfiles and without errors while deleting it should already be forgotten, otherwise a deleteunreferenced or even some __forget might help.)

The magic delete rule (-).

A minus as a single word in the Update: line of a distribution marks everything to be deleted. The mark causes later rules to get packages even if they have (strict) lower versions. The mark will get removed if a later rule sets the package on hold (hold is not yet implemented, in case you might wonder) or would get a package with the same version (which it will not, see above). If the mark is still there at the end of the processing, the package will get removed.

Thus the line "Update: - rules" will cause all packages to be exactly the highest Version found in rules. The line "Update: near - rules" will do the same, except if it needs to download packages, it might download it from near except when too confused. (It will get too confused e.g. when near or rules have multiple versions of the package and the highest in near is not the first one in rules, as it never remembers more than one possible spring for a package.)

Warning: This rule applies to all type/component/architecture triplets of a distribution, not only those some other update rule applies to. (That means it will delete everything in those!)

ENVIRONMENT VARIABLES

Environment variables are always overwritten by command line options, but overwrite options set in the options file. (Even when the options file is obviously parsed after the environment variables as the environment may determine the place of the options file).

REPREPRO_BASE_DIR

The directory in this variable is used instead of the current directory, if no -b or --basedir options are supplied.
It is also set in all hook scripts called by reprepro (relative to the current directory or absolute, depending on how reprepro got it).

REPREPRO_CONFIG_DIR

The directory in this variable is used when no --confdir is supplied.
It is also set in all hook scripts called by reprepro (relative to the current directory or absolute, depending on how reprepro got it).

REPREPRO_OUT_DIR

This is not used, but only set in hook scripts called by reprepro to the directory in which the pool subdirectory resides (relative to the current directory or absolute, depending on how reprepro got it).

REPREPRO_DIST_DIR

This is not used, but only set in hook scripts called by reprepro to the dists directory (relative to the current directory or absolute, depending on how reprepro got it).

GNUPGHOME

Not used by reprepro directly. But reprepro uses libgpgme, which calls gpg for signing and verification of signatures. And your gpg will most likely use the content of this variable instead of "~/.gnupg". Take a look at gpg(1) to be sure. You can also tell reprepro to set this with the --gnupghome option.

GPG_TTY

When there is a gpg-agent running that does not have the passphrase cached yet, gpg will most likely try to start some pinentry program to get it. If that is pinentry-curses, that is likely to fail without this variable, because it cannot find a terminal to ask on. In this case you might set this variable to something like the value of $(tty) or $SSH_TTY or anything else denoting a usable terminal. (You might also want to make sure you actually have a terminal available. With ssh you might need the -t option to get a terminal even when telling gpg to start a specific command).

By default, reprepro will set this variable to what the symbolic link /proc/self/fd/0 points to, if stdin is a terminal, unless you told with --noguessgpgtty to not do so.

 

BUGS

Increased verbosity always shows those things one does not want to know. (Though this might be inevitable and a corollary to Murphy)

Reprepro uses Berkeley DB, which was a big mistake. The most annoying problem not yet worked around is database corruption when the disk runs out of space. (Luckily if it happens while downloading packages while updating, only the files database is affected, which is easy (though time consuming) to rebuild, see recovery file in the documentation). Ideally put the database on another partition to avoid that.

While the source part is mostly considered as the architecture source some parts may still not use this notation.

WORK-AROUNDS TO COMMON PROBLEMS

gpgme returned an impossible condition

With the woody version this normally meant that there was no .gnupg directory in $HOME, but it created one and reprepro succeeds when called again with the same command. Since sarge the problem sometimes shows up, too. But it is no longer reproducible and it does not fix itself, either. Try running gpg --verify file-you-had-problems-with manually as the user reprepro is running and with the same $HOME. This alone might fix the problem. It should not print any messages except perhaps
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
if it was an unsigned file.

not including .orig.tar.gz when a .changes file's version does not end in -0 or -1

If dpkg-buildpackage is run without the -sa option to build a version with a Debian revision not being -0 or -1, it does not list the .orig.tar.gz file in the .changes file. If you want to include such a file with reprepro when the .orig.tar.gz file does not already exist in the pool, reprepro will report an error. This can be worked around by:
call dpkg-buildpackage with -sa (recommended)
copy the .orig.tar.gz file to the proper place in the pool before
call reprepro with --ignore=missingfile (discouraged)

leftover files in the pool directory.

reprepro is sometimes a bit too timid of deleting stuff. When things go wrong and there have been errors it sometimes just leaves everything where it is. To see what files reprepro remembers to be in your pool directory but does not know anything needing them right now, you can use
reprepro dumpunreferenced
To delete them:
reprepro deleteunreferenced

 

INTERRUPTING

Interrupting reprepro has its problems. Some things (like speaking with apt methods, database stuff) can cause problems when interrupted at the wrong time. Then there are design problems of the code making it hard to distinguish if the current state is dangerous or non-dangerous to interrupt. Thus if reprepro receives a signal normally sent to tell a process to terminate itself softly, it continues its operation, but does not start any new operations. (I.e. it will not tell the apt-methods any new file to download, it will not replace a package in a target, unless it already had started with it, it will not delete any files gotten dereferenced, and so on).

It only catches the first signal of each type. The second signal of a given type will terminate reprepro. You will risk database corruption and have to remove the lockfile manually.

Also note that even normal interruption leads to code-paths mostly untested and thus exposes a multitude of bugs including those leading to data corruption. Better think a second more before issuing a command than risking the need for interruption.


 

 

reprepro manual

This manual documents reprepro, a tool to generate and administer Debian package repositories.

Other useful resources:

the homepage of reprepro.

local directory with documentation and examples, if you have reprepro installed.

the Frequently Asked Questions

Table of contents

Sections of this document:

Introduction

First steps

Repository basics

Generation of index files

Compression and file names

Signing

Contents files

Additional index files (like .diff)

Local packages

Including via command line

Processing an incoming queue

Mirroring

Propagation of packages

Snapshots (TODO)

Source package tracking (TODO)

Extending reprepro / Hooks and more

Maintenance

Internals

Disaster recovery

Paranoia

What reprepro cannot do

Introduction

What reprepro does

Reprepro is a tool to take care of a repository of Debian packages (.dsc, .deb and .udeb). It installs them to the proper places, generates indices of packages (Packages and Sources and their compressed variants) and of index files (Release and optionally Release.gpg), so tools like apt know what is available and where to get it from. It will keep track which file belongs to where and remove files no longer needed (unless told to not do so). It can also make (partial) mirrors of remote repositories, including merging multiple sources and automatically (if explicitly requested) removing packages no longer available in the source. And many other things (sometimes I fear it got a few features too much).

What reprepro needs

It needs some libraries (zlib, libgpgme, libdb (Version 3, 4.3 or 4.4)) and can be compiled with some more for additional features (libarchive, libbz2). Otherwise it only needs apt's methods (only when downloading stuff), gpg (only when signing or checking signatures), and if compiled without libarchive it needs tar and ar installed.

If you tell reprepro to call scripts for you, you will of course need the interpreters for these scripts: The included example to generate pdiff files needs python. The example to extract changelogs needs dpkg-source.

What this manual aims to do

This manual aims to give some overview over the most important features, so people can use them and so that I do not implement something a second time because I forgot support is already there. For a full reference of all possible commands and config options take a look at the man page, as this manual might miss some of the more obscure options.

First steps

generate a repository with local packages

Choose a directory (or create it).

Create a subdirectory called conf in there.

In the conf/ subdirectory create a file called distributions, with content like:

Codename: mystuff
Components: main bad
Architectures: sparc i386 source

or with content like:

Codename: andy
Suite: rusty
Components: main bad
Architectures: sparc i386 source
Origin: myorg
Version: 20.3
Description: my first little repository

(Multiple distributions are separated by empty lines, Origin, Version and Description are just copied to the generated Release files, more things controlling reprepro can appear which are described later).

If your conf/distributions file contained a Suite: and you are too lazy to generate the symlinks yourself, call:

reprepro -b $YOURBASEDIR createsymlinks

Include some package, like:

reprepro -b $YOURBASEDIR include mystuff mypackage.changes

or:

reprepro -b $YOURBASEDIR includedeb mystuff mypackage.deb

Take a look at the generated pool and dists directories. They contain everything needed to apt-get from. Tell apt to include it by adding the following to your sources.list:

deb file:///$YOURBASEDIR mystuff main bad

or make it available via http or ftp and do the same http:// or ftp:// source.

mirroring packages from other repositories

This example shows how to generate a mirror of a single architecture with all packages of etch plus security updates:

Choose a directory (or create it).

Create a subdirectory called conf in there (if not already existent).

In the conf/ subdirectory create a file called distributions, with content like (or add to that file after an empty line):

Origin: Debian
Label: Debian
Suite: stable
Version: 4.0
Codename: etch
Architectures: i386
Components: main
Description: Debian 4.0 etch + security updates
Update: - debian security
Log: logfile

Actually only Codename, Components, Architecture and Update are needed, the rest is just information for clients. The Update line tells to delete everything no longer available (-), then add the debian and security rules, which still have to be defined:

In the conf/ subdirectory create a file called updates, with content like (or add to that file after an empty line):

Name: security
Method: http://security.debian.org/debian-security
Fallback: ftp://klecker.debian.org/debian-security
Suite: */updates
VerifyRelease: A99951DAF9BB569BDB50AD90A70DAF536070D3A1|7EA391D72477203B58C04FBCB5D0C804ADB11277
Architectures: i386
Components: main
UDebComponents: none

Name: debian
Method: http://ftp2.de.debian.org/debian
Config: Acquire::Http::Proxy=http://proxy.myorg.de:8080
VerifyRelease: A99951DAF9BB569BDB50AD90A70DAF536070D3A1|7EA391D72477203B58C04FBCB5D0C804ADB11277

(If there are no Architecture, Components or UDebComponents, it will try all the distribution to update has. Fallback means a URL to try when the first cannot offer some file (Has to be the same method)). Note that the none argument to UDebComponents: is only needed for version before 3.0.0. Since 3.0.0 an empty field does the same, though none is still ignored for backward compatibility.

Tell reprepro to update:

reprepro -b $YOURBASEDIR update etch

Take a look at the generated pool and dists directories. They contain everything needed to apt-get from. Tell apt to include it by adding the following to your sources.list:

deb file:///$YOURBASEDIR etch main

or make it available via http or ftp.

Repository basics

An apt-getable repository of Debian packages consists of two parts: the index files describing what is available and where it is and the actual Debian binary (.deb), installer binary (.udeb), and source (.dsc together with .tar.gz or .orig.tar.gz and .diff.gz) packages.

While you do not need to know what these look like to use reprepro, it's always a good idea to know what you are creating.

Index files

All index files are in subdirectories of a directory called dists. Apt is very decided what names those should have, including the name of dists. Including all optional and extensional files, the hierarchy looks like this:

dists

CODENAME

Each distribution has its own subdirectory here, named by its codename.

Release

This file describes what distribution this is and the checksums of all index files included.

Release.gpg

This is the optional detached gpg signature of the Release file. Take a look at the section about signing for how to activate this.

Contents-ARCHITECTURE.gz

This optional file lists all files and which packages they belong to. It's downloaded and used by tools like apt-file to allow users to determine which package to install to get a specific file.

To activate generating of these files by reprepro, you need a Contents header in your distribution declaration.

COMPONENT1

Each component has its own subdirectory here. They can be named whatever users can be bothered to write into their sources.list, but things like main, non-free and contrib are common. But funny names like bad or universe are just as possible.

source

If this distribution supports sources, this directory lists which source packages are available in this component.

Release

This file contains a copy of the information about the distribution applicable to this directory.

Sources

Sources.gz

Sources.bz2

These files contain the actual description of the source Packages. By default only the .gz file is created, to create all three add the following to the declarations of the distributions:

DscIndices: Sources Release . .gz .bz2

That header can also be used to name those files differently, but then apt will no longer find them...

Sources.diff

This optional directory contains diffs, so that only parts of the index file must be downloaded if it changed. While reprepro cannot generate these so-called pdiffs itself, it ships with an example python script it can call to generate those.

binary-ARCHITECTURE

Each architecture has its own directory in each component.

Release

This file contains a copy of the information about the distribution applicable to this directory.

Packages

Packages.gz

Packages.bz2

These files contain the actual description of the binary Packages. By default only the uncompressed and .gz files are created. To create all three, add the following to the declarations of the distributions:

DebIndices: Packages Release . .gz .bz2

That header can also be used to name those files differently, but then apt will no longer find them...

Packages.diff

This optional directory contains diffs, so that only parts of the index file must be downloaded if it changed. While reprepro cannot generate these so-called pdiffs itself, it ships with an example python script it can call to generate those.

debian-installer

This directory contains information about the .udeb modules for the Debian-Installer. Those are actually just a very stripped down form of normal .deb packages and thus the hierarchy looks very similar:

binary-ARCHITECTURE

Packages

Packages.gz

COMPONENT2

There is one dir for every component. All look just the same.

SUITE -> CODENAME

To allow accessing distribution by function instead of by name, there are often symlinks from suite to codenames. That way users can write

deb http://some.domain.tld/debian SUITE COMPONENT1 COMPONENT2

instead of

deb http://some.domain.tld/debian CODENAME COMPONENT1 COMPONENT2

in their /etc/apt/sources.list and totally get surprised by getting something new after a release.

Package pool

While the index files have a required filename, the actual files are given just as relative path to the base directory you specify in your sources list. That means apt can get them no matter what scheme is used to place them. The classical way Debian used till woody was to just put them in subdirectories of the binary-ARCHITECTURE directories, with the exception of the architecture-independent packages, which were put into an artificial binary-all directory. This was replaced for the official repository with package pools, which reprepro also uses. (Actually reprepro stores everything in pool a bit longer than the official repositories, that's why it recalculates all filenames without exception).

In a package pool, all package files of all distributions in that repository are stored in a common directory hierarchy starting with pool/, only separated by the component they belong to and the source package name. As everything this has disadvantages and advantages:

disadvantages

different files in different distributions must have different filenames

it's impossible to determine which distribution a file belongs to by path and filename (think mirroring)

packages can no longer be grouped together in common subdirectories by having similar functions

advantages

the extremely confusing situation of having differently built packages with the same version in different distributions gets impossible by design.

the source (well, if it exists) is in the same directory as the binaries generated from it

same files in different distributions need disk-space and bandwidth only once

each package can be found only knowing component and sourcename

Now let's look at the actual structure of a pool (there is currently no difference between the pool structure of official Debian repositories and those generated by reprepro):

pool

The directory all this resides in is normally called pool. That's nowhere hard coded in apt, which only looks at the relative directory names in the index files. But there is also no reason to name it differently.

COMPONENT1

Each component has its own subdirectory here. They can be named whatever users can be bothered to write into their sources.list, but things like main, non-free and contrib are common. But funny names like bad or universe are just as possible.

a

As there are really many different source packages, the directory would be too full when all put here. So they are separated in different directories. Source packages starting with lib are put into a directory named after the first four letters of the source name. Everything else is put in a directory having the first letter as name.

asource

Then the source package name follows. So this directory pool/COMPONENT1/a/asource/ would contain all files of different versions of the hypothetical package asource.

asource

a-source_version.dsc

a-source_version.tar.gz

The actual source package consists of its description file (.dsc) and the files referenced by that.

binary_version_ARCH1.deb

binary_version_ARCH2.deb

binary2_version_all.deb

di-module_version_ARCH1.udeb

Binary packages are stored here too. So to know where a binary package is stored you need to know what its source package name is.

liba

As described before packages starting with lib are not stored in l but get a bit more context.

COMPONENT2

There is one dir for every component. All look just the same.

As said before, you don't need to know this hierarchy in normal operation. reprepro will put everything to where it belongs, keep account of what is there and needed by what distribution or snapshot, and delete files no longer needed. (Unless told otherwise or when you are using the low-level commands).

Config files

TO BE DOCUMENTED

Generation of index files

Deciding when to generate

As reprepro stores all state in its database, you can decide when you want them to be written to the dists/ directory. You can always tell reprepro to generate those files with the export command:

reprepro -b $YOURBASEDIR export $CODENAMES

This can be especially useful, if you just edited conf/distributions and want to test what it generates.

While that command regenerates all files, in normal operation reprepro will only regenerate files where something just changed or that are missing. With the --export option you can control when this will happen:

never

Don't touch any index files. This can be useful for doing multiple operations in a row and not wanting to regenerate the indices all the time. Note that unless you do an explicit export or change the same parts later without that option, the generated index files may be permanently out of date.

changed

This is the default behaviour since 3.0.1. Only export distributions where something changed (and no error occurred that makes an inconsistent state likely). And in those distributions only (re-)generate files which content should have been changed by the current action or which are missing.

lookedat

New name for normal since 3.0.1.

normal

This was the default behaviour until 3.0.0 (changed in 3.0.1). In this mode all distributions are processed that were looked at without error (where error means only errors happening while the package was open so have a chance to cause strange contents). This ensures that even after an operation that had nothing to do the looked at distribution has all the files exported needed to access it. (But still only files missing or that content would change with this action are regenerated).

force

Also try to write the current state if some error occurred. In all other modes reprepro will not write the index files if there was a problem. While this keeps the repository usable for users, it means that you will need an explicit export to write possible other changes done before that in the same run. (reprepro will tell you that at the end of the run with error, but you should not miss it).

Distribution specific fields

There are a lot of conf/distributions headers to control what index files to generate for some distribution, how to name them, how to postprocess them and so on. The most important are:

Fields for the Release files

The following headers are copied verbatim to the Release file, if they exist: Origin, Label, Codename, Suite, Architectures (excluding a possible value "source"), Components, Description, and NotAutomatic.

Choosing compression and file names

Depending on the type of the index files, different files are generated. Not specifying anything is equivalent to:

DscIndices: Sources Release .gz
DebIndices: Packages Release . .gz
UDebIndices: Packages . .gz

This means to generate Release, Sources.gz for sources, Release, Packages and Packages.gz for binaries and Packages and Packages.gz for installer modules.

The format of these headers is the name of index file to generate, followed by the optional name for a per-directory release description (when no name is specified, no file is generated). Then a list of compressions: A single dot (.) means generating an uncompressed index, .gz means generating a gzipped output, while .bz2 requests a bzip2ed file. (.bz2 is not available when disabled at compile time). After the compressions a script can be given that is called to generate/update additional forms, see "Additional index files".

Signing

If there is a SignWith header, reprepro will try to generate a Release.gpg file using libgpgme. If the value of the header is yes it will use the first key it finds, otherwise it will give the option to libgpgme to determine the key. (Which means fingerprints and keyids work fine, and whatever libgpgme supports, which might include most that gpg supports to select a key).

The best way to deal with keys needing passphrases is to use gpg-agent. The only way to specify which keyring to use is to set the GNUPGHOME environment variable, which will affect all distributions.
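What the signature protects on the consumer side, as an added example (not part of reprepro): Release.gpg covers only the Release file, and Release in turn lists the checksums of the index files, so a downloaded Packages file is trustworthy only if it matches its Release entry. The sketch assumes the Release signature was already checked (for instance with gpg --verify Release.gpg Release), and the Release text and Packages stanza are constructed samples.

```python
import hashlib

# Checksum sections that can appear in a Release file -> hashlib name.
CHECKSUM_FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for the checksum sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, path = parts
            sections[current][path] = (digest.lower(), int(size))
        else:
            name = line.split(":", 1)[0]
            current = name if name in CHECKSUM_FIELDS else None
            if current is not None:
                sections.setdefault(current, {})
    return sections


def verify_index(release, path, data, field="SHA256"):
    """Check downloaded index bytes against the (already verified) Release.

    Returns (ok, reason). Anything not listed in Release is rejected, so
    an index file injected next to the signed ones is never trusted.
    """
    entries = release.get(field)
    if not entries:
        return (False, "Release has no %s section" % field)
    if path not in entries:
        return (False, "not listed in Release")
    digest, size = entries[path]
    if len(data) != size:
        return (False, "size mismatch")
    if hashlib.new(CHECKSUM_FIELDS[field], data).hexdigest() != digest:
        return (False, "checksum mismatch")
    return (True, "ok")


def constructed_release(packages):
    """Build a sample Release text for the given Packages bytes (constructed)."""
    return (
        "Origin: myorg\n"
        "Codename: mystuff\n"
        "Architectures: i386\n"
        "Components: main\n"
        "Description: my first little repository\n"
        "SHA256:\n"
        " %s %d main/binary-i386/Packages\n"
        % (hashlib.sha256(packages).hexdigest(), len(packages))
    )


if __name__ == "__main__":
    packages = (b"Package: mypackage\nVersion: 1.0-1\nArchitecture: i386\n"
                b"Filename: pool/main/m/mypackage/mypackage_1.0-1_i386.deb\n\n")
    release = parse_release(constructed_release(packages))
    path = "main/binary-i386/Packages"
    print(verify_index(release, path, packages))
    # Same length, different content: only the hash catches it.
    print(verify_index(release, path, packages.replace(b"1.0-1", b"9.0-1")))
    print(verify_index(release, "main/binary-i386/Packages.gz", packages))
```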

Contents files

Reprepro can generate files called dists/CODENAME/Contents-ARCHITECTURE.gz listing all files in all binary packages available for the selected architecture in that distribution and which package they belong to.

This file can either be used by humans directly or downloaded and searched with tools like apt-file.

To activate generating of these files by reprepro, you need a Contents header in that distribution's declaration in conf/distributions, like:

Contents:

Versions before 3.0.0 need a ratio number there, like:

Contents: 1

The number is the inverse ratio of not yet looked at and cached files to process in every run. The larger the more packages are missing. 1 means to list everything.

The arguments of the Contents field and other fields control which Architectures to generate Contents files for and which Components to include in those. For example

Contents: udebs nodebs . .gz .bz2
ContentsArchitectures: ia64
ContentsComponents:
ContentsUComponents: main

means to not skip any packages, generate Contents for .udeb files, not generating Contents for .debs. Also it is only generated for the ia64 architecture and only packages in component main are included.

Additional index files (like .diff)

Index files reprepro cannot generate itself can be generated by telling it to call a script.

the tiffany example hook script (generates pdiff files)

This example generates Packages.diff and/or Sources.diff directories containing a set of ed-style patches, so that people do not redownload the whole index for just some small changes.

To use it, copy tiffany.example from the examples directory into your conf directory. (or any other directory, then you will need to give an absolute path later). Unpack, if needed. Rename it to tiffany.py and make it executable. Make sure you have python-apt, diff and gzip installed. Then add something like the following to the headers of the distributions that should use this in conf/distributions:

DscIndices: Sources Release . .gz tiffany.py
DebIndices: Packages Release . .gz tiffany.py

More information can be found in the file itself. You should read it.

the bzip2 example hook script

This is a very simple example. Simple and mostly useless, as reprepro has built in .bz2 generation support, unless you compiled it your own with --without-libbz2 or with no libbz2-dev installed.

To use it, copy bzip.example from the examples directory into your conf directory. (or any other directory, then you will need to give an absolute path later). Unpack, if needed. Rename it to bzip2.sh and make it executable. Then add something like the following to the headers of the distributions that should use this in conf/distributions:

DscIndices: Sources Release . .gz bzip2.sh
DebIndices: Packages Release . .gz bzip2.sh
UDebIndices: Packages . .gz bzip2.sh

The script will compress the index file using the bzip2 program and tell reprepro which files to include in the Release file of the distribution.

internals

 

 

Local packages

There are two ways to get packages not yet in any repository into yours.

includedsc, includedeb, include

These are for including packages at the command line. Many options are available to control what actually happens. You can easily force components, section and priority and/or choose to include only some files or only in specific architectures. (Can be quite useful for architecture all packages depending on some packages you will some time before building for some of your architectures). Files can be moved instead of copied and most sanity checks overwritten. They are also optimized towards being fast and simply try things instead of checking a long time if they would succeed.

processincoming

This command checks for changes files in an incoming directory. Being optimized for automatic processing (i.e. trying to check everything before actually doing anything), it can be slower (as every file is copied at least once to be sure the owner is correct, with multiple partitions another copy can follow). Component, section and priority can only be changed via the distribution's override files. Every inclusion needs a .changes file.

This method is also relatively new (only available since 2.0.0), thus optimisation for automatic procession will happen even more.

Including via command line

There are three commands to directly include packages into your repository: includedeb, includedsc and includechanges. Each needs the codename of the distribution you want to put your package into as first argument and a file of the appropriate type (.deb, .dsc or .changes, respectively) as second argument.

If no component is specified via --component (or short -C), it will be guessed looking at its section and the components of that distribution.

If there is no --section (or short -S) option, and it is not specified by the (binary or source, depending on the type) override file of the distribution, the value from the .changes-file is used (if the command is includechanges) or it is extracted out of the file (if it is a .deb-file, future versions might also try to extract it from a .dsc's diff or tarball).

Same with the priority and the --priority (or short -P) option.

With the --architecture (or short -A) option, the scope of the command is limited to that architecture. includedeb will add an Architecture all package only to that architecture (and complain about Debian packages for other architectures). include will do the same and ignore packages for other architectures (source packages will only be included if the value for --architecture is source).

To limit the scope to a specific type of package, use the --packagetype or short -T option. Possible values are deb, udeb and dsc.

When using the --delete option, files will be moved or deleted after copying them. Repeating the --delete option will also delete unused files.

TO BE CONTINUED.

Processingan incoming queue

Usingthe processincoming command reprepro can automatically process incoming queues.While this is still improveable (reprepro still misses ways to send mails andespecially an easy way to send rejection mails to the uploader directly), itmakes it easy to have an directory where you place your packages and repreprowill automatically include them.

Toget this working you need three things:

afile conf/incoming describing your incoming directories,

aconf/distribution file describing your distributions (as always with reprepro)and

away to get reprepro called to process it.

Thefile conf/incoming

describesthe different incoming queues. As usual the different chunks are separated byempty lines. Each chunk can have the following fields:

Name

Thisis the name of the incoming queue, that processincoming wants as argument.

IncomingDir

Theactual directory to look for .changes files.

TempDir

Toensure integrity of the processed files and their permissions, every file isfirst copied from the incoming directory to this directory. Only the userreprepro runs as needs write permissions here. It speeds things up if thisdirectory is in the same partition as the pool.

Allow

Thisfield lists the distributions this incoming queue might inject packages into.Each item can be a pair of a name of a distribution to accept and adistribution to put it into. Each upload has each item in its Distribution:field compared first to last to each of this items and is put in the firstdistribution accepting it. For example

Allow:stable>etch stable>etch-proposed-updates mystuff unstable>sid

 

willput a .changes file with Distribution: stable into etch. If that is notpossible (e.g. because etch has a UploadersList option not allowing this) itwill be put into etch-proposed-updates. And a .changes file with Distribution:unstable will be put into sid, while with Distribution: mystuff will end up inmystuff.

If there is a Default field, the Allow field is optional.

Default

Every upload not caught by an item of the Allow field is put into the distribution specified by this.

If there is an Allow field, the Default field is optional.

Multiple

This field only makes a difference if a .changes file has multiple distributions listed in its Distribution: field. Without this field each of these distributions is tried according to the above rules until the package is added somewhere. With this field it is tried for each distribution, so a package can be uploaded to multiple distributions at the same time.

Permit

A list of options to allow things otherwise causing errors (see the man page for possible values).

This field is optional.

Cleanup

Determines when and what files to delete from the incoming queue. By default only successfully processed .changes files and the files referenced by those are deleted. For a list of possible options take a look at the man page.

This field is optional.

conf/distributions for processincoming

There are no special requirements on the conf/distributions file by processincoming. So even a simple

Codename: mystuff
Architectures: i386 source
Components: main non-free contrib bad

will work.

The Uploaders field can list a file limiting uploads to this distribution to specific keys and AlsoAcceptFor is used to resolve unknown names in conf/incoming's Allow and Default fields.

Getting processincoming called

While you can just call reprepro processincoming manually, having an incoming queue needing manual intervention takes all the fun out of having an incoming queue, so usually some automatic way is chosen:

Dupload and dput have ways to call a hook after a package was uploaded. This can be an ssh to the host calling reprepro. The disadvantage is having to configure this in every .dupload.conf on every host you want to upload from, and having to give everyone who should upload ssh access and permissions on the archive. The advantage is you can configure reprepro to have interactive scripts or ask for passphrases.

Install a cron job calling reprepro every 5 minutes. Cron is usually available everywhere and getting the output sent by mail to you or a mailing list is easy. The annoying part is having to wait almost 5 minutes for the processing.

Use something like inoticoming. Linux has a syscall called inotify, allowing a program to be run whenever something happens to a file. One program making use of this is inoticoming. It watches a directory using this facility and whenever a .changes file is completed it can call reprepro for you. (As this happens directly, make sure you always upload the .changes file last; dupload and dput always ensure this.) This can be combined with Debian's cron extension to have a program started at boot time with the @reboot directive. For example with a crontab like:

MAILTO=myaddress@somewhere.tld

@reboot inoticoming --logfile /my/basedir/logs/i.log /my/basedir/incoming/ --stderr-to-log --stdout-to-log --suffix '.changes' --chdir /my/basedir reprepro -b /my/basedir --waitforlock 100 processincoming local {} \;

 

Mirroring / Updating

Reprepro can fetch packages from other repositories. For this it uses apt's methods from /usr/lib/apt/methods/ so everything (http, ftp, ...) that works with apt should also work with reprepro. Note that this works on the level of packages: even though you can tell reprepro to create a distribution always having the same packages as some remote repository, the repository as a whole may not look exactly the same but only have the same set of packages in the same versions.

You can also mirror only a specific subset of packages, merge multiple repositories into one distribution, or even have distributions mixing remote and local packages.

Each distribution to receive packages from other repositories needs an Update: field listing the update rules applied to it. Those update rules are listed in conf/updates. There is also the magic - update rule, which tells reprepro to delete all packages not re-added by later rules.

To make reprepro update all distributions call reprepro update without further arguments, or give the distributions to update as additional arguments.

Let's start with some examples:

Updating examples

Let's assume you have the following conf/distributions

Codename: etch
Architectures: i386 source
Components: main contrib
Update: local - debian security

Codename: mystuff
Architectures: abacus source
Components: main bad
Update: debiantomystuff

and the following conf/updates

Name: local
Method: http://ftp.myorg.tld/debian

Name: debian
Method: http://ftp.de.debian.org/debian
VerifyRelease: A70DAF536070D3A1
Config: Acquire::Http::Proxy=http://proxy.yours.org:8080

Name: security
Suite: */updates
Method: http://security.eu.debian.org/
Fallback: http://security.debian.org/
VerifyRelease: A70DAF536070D3A1
Config: Acquire::Http::Proxy=http://proxy.yours.org:8080

Name: debiantomystuff
Suite: sid
Method: http://ftp.de.debian.org/debian
Architectures: i386>abacus source
Components: main non-free>bad contrib>bad
FilterFormula: Architecture (== all)| !Architecture
FilterList: deinstall list

and a file conf/list containing output in the format printed by dpkg --get-selections.

If you then run reprepro update etch or reprepro checkupdate etch, reprepro looks at etch's Update: line and finds four rules. The first is the local rule, which only has a method, so that means it will download the Release file from http://ftp.myorg.tld/debian/dists/etch/Release and (unless it already has downloaded them before or that repository does not have all of them) downloads the binary-i386/Packages.gz and source/Sources.gz files for main and contrib. The same is done for the debian and security rules. As they have a VerifyRelease field, Release.gpg is also downloaded and checked to be signed with the given key (which you should have imported into your gpg keyring before). As security has a Suite: field, not the codename but the content of this field (with a possible * replaced by the codename) is used as the distribution to get.

Then, for each part of the distribution, it will parse the files it got, going through the rules from left to right. For each package it starts with the version currently in the distribution; if there is a newer one in local it will mark this. Then there is the delete rule -, which will mark it to be deleted (but remembers what was there, so if later the version in the distribution or the version in local turns out to be the newest, it will get them from there, avoiding slow downloads from far away). Then it will look into debian and then into security, to see if they have a newer version (or the same version, clearing the deletion mark).

If you issued checkupdate reprepro will print what it would do now; otherwise it tries to download all the needed files and, when it has got them all, changes the packages in the distribution to the new ones, exports the index files for this distribution and finally deletes old files no longer needed.

TO BE CONTINUED.

Propagation of packages

You can copy packages between distributions using the pull and copy commands.

With the copy command you can copy packages by name from one distribution to the other within the same repository.

With the pull command you can pull all packages (or a subset defined by some list, or exceptions by some list, or by some formula, or ...) from one distribution to another within the same repository.

Note that both assume the filenames of the corresponding packages in the pool will not differ, so you cannot move packages from one component to another.

Let's just look at a little example; more information can be found in the man page.

Assume you upload all new packages to a distribution and you want another so you can keep using an old version until you know the newer works, too. One way would be to use something like the following conf/distributions:

Codename: development
Suite: unstable
Components: main extra
Architectures: i386 source

Codename: bla
Suite: testing
Components: main extra
Architectures: i386 source
Pull: from_development

and conf/pulls:

Name: from_development
From: development

i.e. you have two distributions, bla and development. Now you can just upload stuff to development (or its alias unstable). And when you want a single package to go to testing, you can use the copy command:

reprepro copy bla development name1 name2 name3

If you do not want to copy all packages of a given name, but only some of them, you can use -A, -T and -C:

reprepro -T deb -A i386 copy bla development name1

will copy .deb packages called name1 from the i386 parts of the distribution.

TO BE CONTINUED

Snapshots

There is a gensnapshot command.

TO BE DOCUMENTED

Source package tracking

TO BE DOCUMENTED

Extending reprepro / Hooks and more

When reprepro misses some functionality, it can often be added by some kind of hook.

Currently you can execute your own scripts at the following occasions:

when creating index files (Packages.gz, Sources.gz)

after adding or removing packages

Scripts to be run when adding or removing packages

Whenever a package is added or removed, you can tell reprepro to log that to some file and/or call a script using the Log: directive in conf/distributions.

This script can send out mails and do other logging stuff, but despite the name, it is not restricted to logging.

Automatically extracting changelog and copyright information

reprepro ships with an example script to extract debian/changelog and debian/copyright files from source packages into a hierarchy loosely resembling the way changelogs are made available at http://packages.debian.org/changelogs/.

All you have to do is to copy (or unpack if compressed) the file changelogs.example from the examples directory in the reprepro source or /usr/share/doc/reprepro/examples/ of your installed reprepro package into your conf/ directory (or somewhere else, then you will need an absolute path later), perhaps change some directories specified in it and add something like the following lines to all distributions in conf/distributions that should use this feature:

Log:
 --type=dsc changelogs.example

 

If you still want to log to some file, just keep the filename there:

Log: mylogfilename
 --type=dsc changelogs.example

Then cause those files to be generated for all existing files via

reprepro rerunnotifiers

and all future source packages added or removed will get this list automatically updated.

Writing your own Log: scripts

You can list an arbitrary number of scripts, to be called at specified times (which can overlap or even be the same):

Log: logfilename
 --type=dsc script-to-run-on-source-package-changes
 script-to-run-on-package-changes
 another-script-to-run-on-package-changes
 --type=dsc --component=main script-to-run-on-main-source-packages
 --architecture=i386 --type=udeb script-to-run-on-i386-udebs
 --changes script-to-run-on-include-or-processincoming

There are two kinds of scripts: The first one is called when a package was added or removed. Using the --architecture=, --component= and --type= options you can limit it to specific parts of the distribution. The second kind is marked with --changes and is called when a .changes file was added with include or processincoming. Both are called asynchronously in the background after everything was done, but before no longer referenced files are deleted (so the files of the replaced or deleted package are still around).

Calling conventions for package addition/removal scripts

This type of script is called with a variable number of arguments. The first argument is the action. This is either add, remove or replace. The next four arguments are the codename of the affected distribution and the packagetype, component and architecture in that distribution affected. The sixth argument is the package's name. After that is the version of the added package (add and replace) and the version of the removed package (remove and replace). Finally the filekeys of the new (add and replace) and/or removed (remove and replace) package are listed starting with the marker "--" followed by each filekey (the name of the file in the pool/ relative to the pool) as its own argument.

Since reprepro 3.4 there is additionally the environment variable REPREPRO_CAUSING_FILE with the name of the file given at the command line causing this package to be changed, if there is one (i.e. with includedeb, includedsc and include).

Calling conventions for .changes scripts

This type of script is called with 5 or 6 arguments. The first is always "accepted", to make it easier to check it is configured the right way. The second argument is the codename of the distribution the .changes file was added to. The third argument is the source name, the fourth the version. The fifth is the .changes file itself (in case of processincoming the secure copy in the temporary dir). There is a sixth argument if the .changes file was added to the pool/. Then it is the name of the added file relative to the pool.

Since reprepro 3.4 there is additionally the environment variable REPREPRO_CAUSING_FILE with the name of the file in the incoming dir or the command line argument to include.
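
Both calling conventions above (package addition/removal scripts and --changes scripts) handled by one notifier, as an added example that is not part of the reprepro documentation or source. The function names and the log line format are hypothetical, and it assumes that for replace the new and the old filekey lists each start with their own "--" marker; because names, versions and filekeys originate in uploaded packages, they are checked before use.

```shell
#!/bin/sh
# Added example, not shipped with reprepro. describe_event, safe_token,
# safe_filekey and the log line format are hypothetical.
LC_ALL=C; export LC_ALL

# Names and versions come from uploaded packages: accept only the characters
# Debian policy allows in them before they reach a log line or a mail.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9.+~:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Filekeys are relative paths: refuse absolute paths and ".." components.
safe_filekey() {
    case "$1" in
        ''|/*|..|../*|*/..|*/../*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints one log line per hook call; returns 2 if the call is malformed.
describe_event() {
    action=${1:-}
    case "$action" in
    accepted)
        # accepted <codename> <source> <version> <.changes> [<file in pool>]
        if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then return 2; fi
        safe_token "$3" && safe_token "$4" || return 2
        line="accepted dist=$2 source=$3 version=$4 changes=$5"
        if [ "$#" -eq 6 ]; then
            safe_filekey "$6" || return 2
            line="$line pooled=$6"
        fi
        ;;
    add|remove|replace)
        # <action> <codename> <type> <component> <arch> <name> <version(s)> -- <filekeys>
        if [ "$#" -lt 8 ]; then return 2; fi
        safe_token "$6" || return 2
        line="$action dist=$2 type=$3 comp=$4 arch=$5 name=$6"
        shift 6
        case "$action" in
            add)     safe_token "$1" || return 2
                     line="$line new=$1"; shift ;;
            remove)  safe_token "$1" || return 2
                     line="$line old=$1"; shift ;;
            replace) safe_token "$1" && safe_token "$2" || return 2
                     line="$line new=$1 old=$2"; shift 2 ;;
        esac
        if [ "${1:-}" != "--" ]; then return 2; fi
        shift
        # Count filekeys; a second "--" (replace only) starts the old list.
        first=0; second=0; list=1
        for key in "$@"; do
            if [ "$key" = "--" ]; then list=2; continue; fi
            safe_filekey "$key" || return 2
            if [ "$list" -eq 1 ]; then first=$((first + 1)); else second=$((second + 1)); fi
        done
        case "$action" in
            add)     line="$line newfiles=$first" ;;
            remove)  line="$line oldfiles=$first" ;;
            replace) line="$line newfiles=$first oldfiles=$second" ;;
        esac
        ;;
    *) return 2 ;;
    esac
    if [ -n "${REPREPRO_CAUSING_FILE:-}" ]; then
        line="$line cause=$REPREPRO_CAUSING_FILE"
    fi
    printf '%s\n' "$line"
}

# Installed as a Log: script, reprepro supplies the arguments.
if [ "$#" -gt 0 ]; then describe_event "$@" || exit 2; fi
```
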

Maintenance

This section lists some commands you can use to check and improve the health of your repository.

Normally none of this should be needed, but taking a look from time to time cannot harm.

reprepro -b $YOURBASEDIR dumpunreferenced

This lists all files reprepro knows about that are not marked as needed by anything. Unless you called reprepro with the --keepunreferenced option, those should never occur. Though if reprepro is confused or interrupted it may sometimes prefer keeping files around instead of deleting them.

reprepro -b $YOURBASEDIR deleteunreferenced

This is like the command before, only that such files are directly forgotten and deleted.

reprepro -b $YOURBASEDIR check

Check whether all needed files are in fact marked needed and known.

reprepro -b $YOURBASEDIR checkpool

Make sure all known files are still there and still have the same checksum.

reprepro -b $YOURBASEDIR checkpool fast

As the command above, but do not compute checksums.

reprepro -b $YOURBASEDIR tidytracks

If you use source package tracking, check for files kept because of this that should no longer be kept by the current rules.

If you fear your tracking data could have become outdated (and you have at least version 3.0.0 of reprepro), you can also try the retrack command:

reprepro -b $YOURBASEDIR retrack

Since 3.0.0 that refreshes the tracking information about packages used and then runs a tidytracks. (Beware: before version 3.0.0 this will destroy your tracking data and replace it with scratch information from your installed packages, so all information about prior versions or .changes files is lost.)

Internals

reprepro stores the data it collects in Berkeley DB files (.db) in a directory called db/ or whatever you specified via command line. With a few exceptions, those files are NO CACHES, but the actual data. While some of that data can be regained when you lose those files, they are better not deleted.

packages.db

This file contains the actual package information.

It contains a database for every (codename,component,architecture,packagetype) quadruple available.

Each is indexed by package name and essentially contains the information written to the Packages and Sources files.

Note that if you change your conf/distributions to no longer list some codenames, architectures or components, that will not remove the associated databases in this file. That needs an explicit call to clearvanished.

references.db

This file contains a single database that lists for every file why this file is still needed. This is either an identifier for a package database, a tracked source package, or a snapshot.

Some low level commands to access this are (take a look at the man page for how to use them):

rereference

recreate references (i.e. forget old and create newly)

dumpreferences

print a list of all references

_removereferences

remove everything referenced by a given identifier

_addreference

manually add a reference

files.db / checksums.db

These files contain what reprepro knows about your pool/ directory, i.e. what files it thinks are there with what sizes and checksums. The file files.db is used by reprepro before version 3.3 and kept for backwards compatibility. If your repository was only used with newer versions you can safely delete it. Otherwise you should run collectnewchecksums before deleting it. The file checksums.db is the new file used since version 3.3. It can store more checksum types (files.db only contained md5sums; checksums.db can store arbitrary checksums and reprepro can even cope with it containing checksum types it does not yet know of), but for compatibility with pre-3.3 versions it is not the canonical source of information as long as a files.db file exists.

If you manually put files in the pool or remove them, you should tell reprepro about that (it sometimes looks for files there without being told, but it never forgets files except when it would have deleted them anyway). Some low level commands (take a look at the man page for how to use them):

collectnewchecksums

Make sure every file is listed in checksums.db and with all checksum types your reprepro supports.

checkpool fast

Make sure all files are still there.

checkpool

Make sure all files are still there and correct.

dumpunreferenced

Show all known files without reference.

deleteunreferenced

Delete all known files without reference.

_listmd5sums

Dump this database (old style)

_listchecksums

Dump this database (new style)

_detect

Add files to the database

_forget

Forget that some file is there

_addmd5sums

Create the database from dumped data

_addchecksums

ditto

release.cache.db

In this file reprepro remembers what it already wrote to the dists directory, so that it can write their checksums (including the checksums of the uncompressed variant, even if that was never written to disk) into a newly created Release file without having to trust those files or having to unpack them.

contents.cache.db

This file contains all the lists of files of binary package files where reprepro already needed them (which can only happen if you requested Contents files to be generated).

tracking.db

This file contains the information of the source package tracking.

Disaster recovery

TO BE DOCUMENTED (see the recovery file until then)

Paranoia

As all software, reprepro might have bugs. And it uses libraries not written by myself, which I'm thus even more sure will have bugs. Some of those bugs might be security relevant. This section contains some tips to reduce the impact of those.

Never run reprepro as root.

All reprepro needs to work are permissions to files; there is no excuse for running it as root.

Don't publish your db/ directory.

The contents of the db directory are not needed by anyone else. Having them available to everyone may make it easier for them to exploit some hypothetical problem in libdb, and makes it easier to know in advance how exactly reprepro will act in given circumstances, and thus easier to exploit some hypothetical problem.

Don't accept untrusted data without need.

If an attacker cannot do anything, they cannot do anything harmful, either. So if there is no need, don't offer an anonymous incoming queue. dput supports uploading via scp, so an incoming directory that is writable only by a group, or even better multiple incoming directories, can be a better alternative.

External stuff being used and attack vectors opened by it:

libgpgme/gpg

Almost anything is run through libgpgme and thus gpg. It will be used to check the Release.gpg file, or to read .dsc and .changes files (even when there is no key to look for specified, as that is the best way to get the data from the signed block). Avoiding this by just accepting stuff without looking for signatures on untrusted data is not really an option, so I know nothing to prevent this type of problem.

libarchive

The .tar files within .deb files are normally (unless that library was not available while compiling) read using libarchive. This happens when a .deb file is to be added (though only after deciding if it should be added, so if it does not have the correct checksum or the .changes did not have the signatures you specified, it is not) or when the file list is to be extracted (when creating Contents files). Note that they are not processed when only mirroring them (unless, of course, Contents files are generated), as then only the information from the Packages file is copied.

dpkg-deb/tar

If reprepro was compiled without libarchive, dpkg-deb is used instead, which most likely will call tar. Otherwise the same applies as for the last item.

zlib

When mirroring packages, the downloaded Packages.gz and Sources.gz files are read using zlib. Also the generated .gz files are generated using it. There is no option but hoping there is no security relevant problem in that library.

libbz2

Only used to generate .bz2 files. If you fear that simple blockwise writing using that library has a security problem that can be exploited by data looking harmless enough to be written to the generated index files, you can always decide not to tell reprepro to generate .bz2 files.
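
A check for the first three tips of this section (no root, db/ not open to others, incoming not world-writable), as an added example that is not part of reprepro. The function names and finding texts are hypothetical, and local file modes are used as a stand-in for "not published", which is an assumption; whether a web server exports db/ has to be checked in its own configuration.

```shell
#!/bin/sh
# Added example, not part of reprepro. audit_reprepro, mode_of and the finding
# texts are hypothetical; local file modes stand in for "not published".

# Prints the ten-character mode string of a path, e.g. drwxrwx---.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage: audit_reprepro <uid reprepro runs as> <basedir> [<incoming dir>...]
# Prints one finding per line and returns 1 if anything was found.
audit_reprepro() {
    uid=$1; base=$2; shift 2
    findings=0
    if [ "$uid" -eq 0 ]; then
        echo "ROOT: reprepro would run as uid 0"
        findings=$((findings + 1))
    fi
    # db/ holds reprepro's actual data; only owner and group need access.
    if [ -d "$base/db" ]; then
        case "$(mode_of "$base/db")" in
            ???????--[-T]) ;;
            *) echo "DB: $base/db is accessible to other users"
               findings=$((findings + 1)) ;;
        esac
    fi
    # Incoming directories may be group-writable but never world-writable.
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        case "$(mode_of "$dir")" in
            ????????w?) echo "INCOMING: $dir is world-writable"
                        findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: audit.sh <basedir> [<incoming dir>...] as the reprepro user.
if [ "$#" -ge 1 ]; then audit_reprepro "$(id -u)" "$@"; fi
```
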

What reprepro cannot do

There are some things reprepro does not do:

Verbatim mirroring

Reprepro aims to put all files into a coherent pool/ hierarchy. Thus it cannot guarantee that files will have the same relative path as in the original repository (especially if those have no pool). It also creates the index files from its own indices. While this leads to a tidy repository and possible savings of disk space, the signatures of the repositories you mirror cannot be used to authenticate the mirror, but you will have to sign (or tell reprepro to sign for you) the result. While this is perfect when you only mirror some parts or specific packages or also have local packages that need local signing anyway, reprepro is no suitable tool for creating a full mirror that can be authenticated without adding the key of this repository.

Placing your files on your own

Reprepro does all the calculation of filenames to save files as, bookkeeping what files are there and what are needed and so on. This cannot be switched off or disabled. You can place files where reprepro will expect them and reprepro will use them if their md5sum matches. But reprepro is not suited if you want those files outside of a pool or in places reprepro does not consider their canonical ones.

Having different files with the same name

Take a look in the FAQ (currently question 1.2) for why and how to avoid the problem.

 

(Editor: Michaelwubo)
