-
-
Notifications
You must be signed in to change notification settings - Fork 565
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better distribution of deb packages via a repository #1497
Comments
One important caveat though that I failed to mention! The script uses Debian specific tools such as |
It looks like there are three different projects following this to setup their own PPAs, and it would likely be useful to many more. Do you feel it would be easier if there was a coordinated PPA that contained multiple packages? Or should they all just use this as a template to setup their own? Basically if it makes sense at all to setup a single 3rd party repo that was easier to add packages to than the official Debian ones. |
Content warning: veering heavily off-topic and into opinion as well, but the question is worth covering. There's a handful of problems with shared repos or repo collections I'm aware of, but am in no way an expert on the matter.
There is one "official" way to do PPAs, which is Launchpad: https://launchpad.net/ubuntu/+ppas .. For example see https://launchpad.net/~adiscon/+archive/ubuntu/v8-stable. They also have issues though:
While it would be great that we had something like crates.io, pypi.org flathub.org, homebrew, chocolatey etcetera, the fact is that Debian predates all of them and no one seems to have stepped up to make a more radical shift within that ecosystem. Of course we could all move to flatpaks and just ignore the whole problem. That's definitely how I deal with Discord being annoying to install and update. :-) Long story short, I prefer and propose the KISS approach. A per project repo tightly controlled by the project owners provides the best guarantees after official repos and is still relatively low maintenance, given the right tooling. I was a bit surprised how simple it is in the end, the only hard part is doing key management (which you'd need to do anyway) and hosting the damn files somewhere stable. |
FYI, I finally did finish the RELEASE_README with Docker instructions to make it easier to cut a release even if one does not use Debian: https://jinnatar.github.io/atuin_demo_ppa/RELEASE_README |
Problem statement
While the oneliner installer is nice and can be re-run for updates, it suffers in that one has to know and remember to go re-run it, and find through their history how they ran it the last time. The solution is packages installed through standard or unofficial package managers.
For Debian derivatives the releases do contain a prebuilt deb and in the past there's been interest in getting that distributed through
apt
repositories, but the process and policy of official Debian repos is Hard and not worth the limited effort available.Proposed solution
A project specific package repository owned, operated and signed by project owners is a fairly common and well supported method of deb distribution and is directly compatible with
apt
. There's ready-made tooling to turn debs & a signing key into respository files that are then hosted on any static website.Demo repository
To demonstrate the tooling needed to easily create and update such a repository and have it hosted on GitHub Pages, I've borrowed liberally from what's been done in https://github.com/kanidm/kanidm_ppa and stood up https://github.com/jinnatar/atuin_demo_ppa. The public facing view of it via GitHub Pages is: https://jinnatar.github.io/atuin_demo_ppa/
GPG_KEY_ID=yourGpgKeyIdHere ./update.sh git add debian/ git commit -m "Push latest release" git push
How could this be official?
KEY.gpg
. It can be generated withgpg --armor --export $GPG_KEY_ID > KEY.gpg
. There's so many best practices around that that I won't pretend to be able to give advice on it. The script supports using a subkey as best as I could test it, so even the most paranoid secure options should work here.amd64
packages are attached to releases. If others are added, the repo scripts can already handle that.Obviously if we find an official path, I'll decom the demo repo. Already using it myself on several Debian 12 machines and it's working beautifully from a user perspective. The problem with it is that it's signed with my keys, so the packages are only as trustworthy as anyone is willing to trust myself. :-)
The text was updated successfully, but these errors were encountered: