Introduction

I wanted to set up my own apt repository to distribute packages to my own computers. This repository must be PGP-signed, but I want to use my regular PGP key rather than a PGP key stored on the server, because I don’t want to trust my server with root access to my laptop.

Further, I want to be able to add to my repo while offline, rather than dputting .changes files to my server.

The standard tools, mini-dinstall and reprepro, are designed to be executed on the same machine that will serve the apt repository. To satisfy the above, though, I need to be able to execute the repository generator offline, on my laptop.

Two new features of git-annex, git-annex-export and v6 repositories, can allow us to execute the repository generator offline and then copy the contents of the repository to the server in an efficient way.

(v6 repositories are not production-ready but the data in this repo is replaceable: I backup the reprepro config files, and the packages can be regenerated from the (d)git repositories containing the source packages.)

Schematic instructions

This should be enough to get you going if you have some experience with git-annex and reprepro.

In the following, athena is a host I can ssh to. On that host, I assume that Apache is set up to serve /srv/debian as the apt repository, with .htaccess rules to deny access to the conf/ and db/ subdirectories and to enable the following of symlinks.

  1. apt-get install git-annex reprepro
  2. git init a new git repository on laptop.
  3. Create conf/distributions, conf/options, conf/do-sync.sh and .gitattributes per below.
  4. Create other files such as README, sample foo.list, etc. if desired.
  5. git add the various plain text files we just created and commit.
  6. git annex init --version=6.
  7. Add an origin remote, git config remote.origin.annex-ignore true and git push -u origin master git-annex. I.e. store repository metadata somewhere.
  8. git config --local annex.thin true to save disc space.
  9. git config --local annex.addunlocked true so that reprepro can modify files.
  10. Tell git-annex about the /srv/debian directory on athena: git annex initremote athena type=rsync rsyncurl=athena:/srv/debian autoenable=true exporttree=yes encryption=none
  11. Tell git-annex that the /srv/debian directory on athena should track the contents of the master branch: git annex export --fast --to=athena --tracking master
  12. Now you can reprepro include foo.changes, reprepro export and git annex should do the rest: the do-sync.sh script calls git annex sync and gitannex knows that it should export the repo to /srv/debian on athena when told to sync.

Files

conf/distributions is an exercise for the reader – this is standard reprepro stuff.

conf/options:

endhook do-sync.sh

conf/do-sync.sh:

#!/bin/sh

git annex add
git annex sync --content

.gitattributes:

* annex.largefiles=anything
conf/* annex.largefiles=nothing
README annex.largefiles=nothing
\.gitattributes annex.largefiles=nothing

These git attributes tell git-annex to annex all files except the plain text config files, which are just added to git.

Bugs

I’m not sure whether these are fixable in git-annex-export, or not. Both can be worked around with hacks/scripts on the server.

  • reprepro exportsymlinks won’t work to create suite symlinks: git-annex-export will create plain files instead of symlinks.

  • git-annex-exports exports non-annexed files in git, such as README, as readable only by their owner.