Debian/Ubuntu repositories for Pho
I've been wanting for a long time to make Debian and Ubuntu repositories so people can install pho with apt-get, but every time I try to look it up I get bogged down. But I got mail from a pho user who really wanted that, and even suggested a howto. That howto didn't quite do it, but it got me moving to look for a better one, which I eventually found in the Debian Repository Howto.
It wasn't complete either, alas, so it took some trial-and-error before it actually worked. Here's what finally worked:
I created two web-accessible directories, called hardy and etch. I copied all the files created by dpkg-buildpackage on each distro -- .deb, .dsc, .tar.gz, and .changes (I don't think this last file is used by anything) -- into each directory (renaming them to add -etch and -hardy as appropriate). Then:
% cd hardy/
% dpkg-scanpackages . /dev/null | gzip > Packages.gz
% dpkg-scansources . /dev/null | gzip > Sources.gz
% cd ../etch/
% dpkg-scanpackages . /dev/null | gzip > Packages.gz
% dpkg-scansources . /dev/null | gzip > Sources.gz
It gives an error,
** Packages in archive but missing from override file: **
but seems to work anyway.
Now you can use one of the following /etc/apt/sources.list lines:
deb http://shallowsky.com/apt/hardy ./
deb http://shallowsky.com/apt/etch ./
After an apt-get update, it saw pho, but it warned me
WARNING: The following packages cannot be authenticated!
  pho
Install these packages without verification [y/N]?
There's some discussion in the SecureAPT page on the Debian wiki, but it's a bit involved and I'm not clear if it helps me if I'm not already part of the official Debian keychain.
This page on Release check of non Debian sources was a little more helpful, and told me how to create the Release and Release.gpg files -- but then I just get a different error,
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY
And worse, it's an error now, not just a warning, preventing any apt-get update.
Going back to the SecureApt page, under Setting up a secure apt repository they give the two steps the other page gave for creating Release and Release.gpg, with a third step: "Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive."
So apparently if users don't take steps to import the key manually, they can't update at all. Whereas if I leave out the Release and Release.gpg files, all they have to do is type y when they see the warning. Sounds like it's better to leave off the key. I wish, though, that there was a middle ground, where I could offer the key for those who wanted it without making it harder for those who don't care.
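What the Release file contributes to that check, as an added example (not code from this post or from the Debian tools): Release records the size and hash of each index file such as Packages.gz, and Release.gpg signs Release, so the signature vouches for the index that lists the packages. The function names and the sample stanza are constructed for illustration; a real repository would generate Release with apt-ftparchive and sign it with gpg.

```python
import gzip
import hashlib
import tempfile
from pathlib import Path

INDEX_FILES = ("Packages", "Packages.gz", "Sources", "Sources.gz")

def build_release(repo_dir):
    """Return the SHA256 section of a Release file for the indexes present."""
    lines = ["SHA256:"]
    for name in INDEX_FILES:
        path = Path(repo_dir) / name
        if path.is_file():
            data = path.read_bytes()
            lines.append(" %s %16d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"

def parse_release(text):
    """Map filename -> (sha256, size) from the SHA256 section of Release text."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith(" ") and in_section:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_section = line.strip() == "SHA256:"
    return entries

def verify_index(repo_dir, release_text, name="Packages.gz"):
    """True only if the index on disk matches the hash and size in Release."""
    entry = parse_release(release_text).get(name)
    if entry is None:
        return False  # index not listed in Release: nothing vouches for it
    data = (Path(repo_dir) / name).read_bytes()
    return (hashlib.sha256(data).hexdigest(), len(data)) == entry

def demo():
    """Constructed flat repo holding one Packages.gz with a made-up stanza."""
    with tempfile.TemporaryDirectory() as repo:
        stanza = b"Package: pho\nVersion: 0.0-constructed\nFilename: ./pho_constructed.deb\n"
        index = Path(repo) / "Packages.gz"
        index.write_bytes(gzip.compress(stanza))
        release = build_release(repo)      # the text that Release.gpg would sign
        before = verify_index(repo, release)
        # The index changes after Release was produced (mirror or in transit).
        index.write_bytes(gzip.compress(stanza.replace(b"pho_constructed", b"other")))
        return before, verify_index(repo, release)

if __name__ == "__main__":
    print(demo())
```

Without Release and Release.gpg there is no signed starting point for this comparison, which is the condition behind the "cannot be authenticated" warning.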
[ 21:14 Jan 13, 2009 ]