Introduction
I wanted to set up my own apt repository to distribute packages to my own computers. This repository must be PGP-signed, but I want to use my regular PGP key rather than a PGP key stored on the server, because I don’t want to trust my server with root access to my laptop.
Further, I want to be able to add to my repo while offline, rather than dputting .changes files to my server.
The standard tools, mini-dinstall and reprepro, are designed to be executed on the same machine that will serve the apt repository. To satisfy the above, though, I need to be able to execute the repository generator offline, on my laptop.
Two new features of git-annex, git-annex-export and v6 repositories, can allow us to execute the repository generator offline and then copy the contents of the repository to the server in an efficient way.
(v6 repositories are not production-ready but the data in this repo is replaceable: I back up the reprepro config files, and the packages can be regenerated from the (d)git repositories containing the source packages.)
Schematic instructions
This should be enough to get you going if you have some experience with git-annex and reprepro.
In the following, athena is a host I can ssh to. On that host, I assume that Apache is set up to serve /srv/debian as the apt repository, with .htaccess rules to deny access to the conf/ and db/ subdirectories and to enable the following of symlinks.
- apt-get install git-annex reprepro
- git init a new git repository on laptop.
- Create conf/distributions, conf/options, conf/do-sync.sh and .gitattributes per below.
- Create other files such as README, sample foo.list, etc. if desired.
- git add the various plain text files we just created and commit.
- git annex init --version=6.
- Add an origin remote, git config remote.origin.annex-ignore true and git push -u origin master git-annex. I.e. store repository metadata somewhere.
- git config --local annex.thin true to save disc space.
- git config --local annex.addunlocked true so that reprepro can modify files.
- Tell git-annex about the /srv/debian directory on athena:
git annex initremote athena type=rsync rsyncurl=athena:/srv/debian autoenable=true exporttree=yes encryption=none
- Tell git-annex that the /srv/debian directory on athena should track the contents of the master branch:
git annex export --fast --to=athena --tracking master
- Now you can reprepro include foo.changes, reprepro export and git annex should do the rest: the do-sync.sh script calls git annex sync and git annex knows that it should export the repo to /srv/debian on athena when told to sync.
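Since athena never holds the signing key, a copy of what it serves can be checked against the Release file that was signed on the laptop. The following is an added example, not part of the original post: it checks the index files under one dists/<codename> directory against the SHA256 field of that directory's Release file. The function name verify_release and the script name are assumptions, and verifying the signature on Release itself is left to gpgv or apt.

```shell
#!/bin/sh
# Added example: check the index files of one suite against the SHA256
# field of its Release file. Run it on a copy of what the server serves.
# verify_release DISTDIR   (DISTDIR is e.g. a fetched dists/<codename>)
# Exit status: 0 all present files match, 1 mismatch, 2 no Release file.
verify_release() {
    dist=$1
    [ -r "$dist/Release" ] || { echo "missing $dist/Release" >&2; return 2; }
    # Emit "hash size path" for the lines of the SHA256: field only; the
    # field ends at the next line that does not start with a space.
    awk '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0} s && NF == 3 {print $1, $2, $3}' \
        "$dist/Release" |
    (
        rc=0; seen=0
        while read -r want_hash want_size path; do
            f="$dist/$path"
            # Assumption: listed files that are absent (e.g. a compression
            # variant that is not shipped) are skipped, not failed.
            [ -e "$f" ] || continue
            seen=$((seen + 1))
            got_size=$(wc -c < "$f" | tr -d ' ')
            got_hash=$(sha256sum "$f" | cut -d' ' -f1)
            if [ "$got_size" != "$want_size" ] || [ "$got_hash" != "$want_hash" ]; then
                echo "MISMATCH: $path" >&2
                rc=1
            fi
        done
        # A Release that vouches for no file on disk proves nothing.
        [ "$seen" -gt 0 ] || rc=1
        exit "$rc"
    )
}

# Stand-alone use: sh verify-release.sh /path/to/dists/<codename>
[ $# -eq 0 ] || verify_release "$1"
```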
Files
conf/distributions is an exercise for the reader – this is standard reprepro stuff.
conf/options:
endhook do-sync.sh
conf/do-sync.sh:
#!/bin/sh
git annex add
git annex sync --content
.gitattributes:
* annex.largefiles=anything
conf/* annex.largefiles=nothing
README annex.largefiles=nothing
\.gitattributes annex.largefiles=nothing
These git attributes tell git-annex to annex all files except the plain text config files, which are just added to git.
Bugs
I’m not sure whether these are fixable in git-annex-export, or not. Both can be worked around with hacks/scripts on the server.
- reprepro exportsymlinks won’t work to create suite symlinks: git-annex-export will create plain files instead of symlinks.
- git-annex-export exports non-annexed files in git, such as README, as readable only by their owner.