4.6 KiB


This is a guide for creating Debian packages for ceo. The instructions below probably do not follow best practices, but at least I am confident that they work.


Make sure your GPG key is in /srv/debian/gpg on potassium-benzoate. See here for instructions.

Make sure you are in the csc-mirror group too.

Creating the package

Use Docker/Podman to avoid screwing up your main system. For example, to create a package for bullseye (replace podman with docker in all instances below if you're using Docker):

podman run -it --name pyceo-packaging -v "$PWD":"$PWD":z -w "$PWD" --security-opt="label=disable" debian:bookworm bash
# if disconnected from shell, reconnect with:
podman start pyceo-packaging
podman exec -it pyceo-packaging bash

Important: Make sure to use a container image for the same distribution which you're packaging. For example, if you're creating a package for bullseye, you should be using the debian:bullseye Docker image (this is because the virtualenv symlinks python to the OS' version of python).

Here are some of the prerequisites you'll need to build the deb files (run this inside the container):

apt update
apt install -y devscripts debhelper git-buildpackage vim
apt install -y python3-dev python3-venv libkrb5-dev libpq-dev libaugeas0 scdoc  # dependencies for building ceo

Make sure to also install all of the packages in the 'Build-Depends' section in debian/control.

Update VERSION.txt to the next version, and do a git commit (or dpkg-source --commit).

Now run dch -i and edit the changelog (update version, add your uploader name/email, add changes).

Now you will build a signed package. Place your key ID after the -k argument, e.g.

# (pre-requisite) if container doesn't have your gpg key
## step 1: export from host/another computer with your keyring
gpg --armor --output private.key --export-secret-key <your pgp key's id email>
## step 2: import into build container
gpg --import private.key
## step 3: find your key's public key
gpg --list-secret-keys  # get key id
## step 4: trust ids (before building)
gpg --edit <pub key id>
gpg> trust # run when gpg editing prompt appears
   > 5     # "ultimate" trust
gpg> save  # gpg will report no changes were made, but trust of ids should be changed

# alternatively, sign with `debsign` after creating unsigned package

# build (signed) package
gbp buildpackage --git-upstream-branch=master -k8E5568ABB0CF96BC367806ED127923BE10DA48DC --lintian-opts --no-lintian

This will create a bunch of files (deb, dsc, tar.gz, etc.) in the parent directory.

Now do another git commit (since you edited the changelog file).

To clean the packages (run this after uploading, ie. do NOT run this if you just finished building):

rm ../*.{xz,gz,dsc,build,buildinfo,changes,deb}

Uploading the package

Inside the container, go up one directory, and create a tarball with all the package files:

cd ..  # within the container, generated files are in the parent directory of your git repo
tar zcvf pyceo.tar.gz *.{xz,gz,dsc,build,buildinfo,changes,deb}

Outside of the container (i.e. on your personal machine), copy the tarball out of the container into your current directory, e.g.

podman cp pyceo-packaging:/home/max/repos/pyceo.tar.gz .
# or generally, if you're in the pyceo repo:
podman cp pyceo-packaging:$(cd ../ && pwd)/pyceo.tar.gz .

(Replace /home/max/repos by the directory in the container with the tarball.) Now upload the tarball to a CSC machine, e.g.

# on "HOST" machine
scp pyceo.tar.gz mannitol:~

SSH into that machine and extract the tarball into a separate directory:

ssh mannitol
mkdir pyceo-parent && mv pyceo.tar.gz pyceo-parent/ && cd pyceo-parent
rm -iv *.{xz,gz,dsc,build,buildinfo,changes,deb}
tar zxvf pyceo.tar.gz

At this point, you will need a dupload.conf file. Ask someone on syscom for a copy. Place the dupload config at ~/.dupload.conf (as per manpage).

Now upload the package to potassium-benzoate:

dupload *.changes

Now SSH into potassium-benzoate and run the following:

# note: this is AUTOMATICALLY done (within 10-20 minutes by a cron job)
sudo /srv/debian/bin/rrr-incoming

To check if mirror has accepted the new package, visit:

<<<<<<< Updated upstream

To update CEO:

# repeat this for all systems, starting from ceod servers
sudo apt update
# NOTE: be careful of changing configs!!
sudo apt install --only-upgrade ceod

Stashed changes There, that wasn't so bad...right? :')