Package Hub

The seemingly simple and practical task of distributing software you develop yourself can turn out to be time consuming and complex. On Debian and Ubuntu, keeping packages in a repository facilitates installations and upgrades for the user. The reprepro tool [1] helps administrators establish and manage a repository. It provides an easy option for setting up a repository and installing packages. A web server uses the HTTP protocol to distribute the packages to the users. The authenticity of the packages is ensured by GPG signatures.

An Ubuntu server can be transformed into a repository in a few steps. All the required software components are in the official Ubuntu repositories, and no third-party software is needed. Simply type

sudo apt-get install reprepro

to set up Ubuntu 12.04 LTS for the install. Afterward, useful information on the reprepro package can be found in the default documentation path, /usr/share/doc/reprepro/, such as short-howto.gz, which provides a brief introduction to the configuration.

The following example uses a separate repository user account for the configuration. The conf folder serves as a central location for the configuration files. The most important file, distributions, specifies the distribution, architecture, and so on for which the repository is used (Listing 1).

$ pwd
/home/repository
$ mkdir -p packages/conf
$ vi packages/conf/distributions
Origin: TKmon
Label: tkmon
Codename: precise
Suite: stable
Architectures: i386 amd64 source
Components: main optional
SignWith: 0B8738CA
$ vi packages/conf/options
verbose
ask-passphrase

Several parameters in this file define the repository layout [2] [3], as follows:

• Origin: An optional field that describes the origin of the repository. You can select a free line of text.
• Label: Optional, user-defined text that serves as an identifier for the repository.
• Codename: The name of the distribution for which the packets are provided. For Ubuntu, for example, oneiric or quantal; for Debian, squeeze or wheezy. This parameter is mandatory and is used as a folder name in the dists/ tree.
• Suite: Qualifiers such as stable or testing create an alternative path to the code names through symbolic links.
• Architectures: A mandatory parameter that specifies the architectures included in the repo. The source option in Listing 1 indicates that there are also source packages in the repo.
• Components: The components of the distribution are listed here (e.g., main or optional). Components implement the distribution of packets in different groups. Users can then type the corresponding Apt command lines to install only a specific group.
• SignWith: This parameter is essential for creating GPG signatures, specifying the ID of the GPG key with which the signatures are created in the InRelease file or the Release file in Release.gpg [4]. Listing 1 shows a further important step in configuring the GPG setup: In the options file, the ask-passphrase parameter stipulates that the password for the private key is required. A further possibility would be gpg-agent, for private key management.

Filling the Repo

The initial directory structure for the repository can be created using the createsymlinks command. Figure 1 uses the tree command to show which folders are created in this step. This completes the configuration; the next steps are for adding and removing packages.

Figure 1: The createsymlinks command generates the basic structure of the repository.

To simplify working with the repo, it makes sense to point the environment variable REPREPRO_BASE_DIR at the repo directory:

$ echo $REPREPRO_BASE_DIR
/home/repository/packages

The following two steps now bind a new Ubuntu package to the repo:

reprepro --verbose includedeb precise tkmon_1.2.1~rc2-1_all.deb
reprepro --verbose includedsc precise tkmon_1.2.1~rc2-1.dsc

When you run these commands, you need to enter the password for the secret GPG key twice in each case – once each for the files Release.gpg and InRelease. Listing 2 provides the results or, if you prefer, checks whether the package has made its way into the repository. You can do:

reprepro remove precise tkmon

to remove a package just as easily.

$ reprepro list precise
precise|main|i386: tkmon 1.2.1~rc2-1
precise|main|amd64: tkmon 1.2.1~rc2-1
precise|main|source: tkmon 1.2.1~rc2-1

Providing Access

Several options are available for distributing the repository via a web server. For all variants, the internal configuration folders conf and db must be protected against unauthorized access. The setup described here uses the Apache mod userdir module for publishing in the home directory of the previously mentioned repository user account.

To do this, you can enable the userdir module, create a public_html folder, and there, create a symbolic link to packages. Finally, the file permissions are modified for security reasons (Listing 3).

$ sudo a2enmod userdir
$ mkdir public_html
$ cd public_html/
~/public_html$ ln -s ../packages packages
~/public_html/packages$ chmod 750 conf/
~/public_html/packages$ chmod 750 db/

GPG Key

To enable a user to use the repository in just a few easy steps, you need to provide the Apt URL and the public GPG key. In this context, a list file is generated and the public key is exported:

~/public_html$ gpg --armor --output tk-archive.gpg.pub --export 0B8738CA
~/public_html$ vi tkmon.list
deb http://192.168.56.102/~repository/packages precise main

An Apache rewrite rule ensures that the public key is only accessible via HTTPS:

RewriteEngine on
RewriteBase /home/repository/public_html
RewriteCond %{REQUEST_URI} ^/tk-archive\.gpg-\.pub$
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

The tkmon.list file provided on the server is used on the client side to integrate the repository. You just need to put the file in the /etc/apt/sources.list.d directory to place and update apt:

$ cd /etc/apt/sources.list.d/
/etc/apt/sources.list.d$ sudo wget http://192.168.56.102/tk-main.list
/etc/apt/sources.list.d$ sudo apt-get update

Without correctly importing the GPG key, warnings still appear indicating that the authenticity of the packages could not be checked.

These security warnings should not be ignored; if the repository is set up correctly with the associated public key, these messages should not occur. Listing 4 shows how the key is imported.

01 $ sudo apt-get install tkmon
02 [...]
03 The following NEW packages will be installed:
04   tkmon
05 [...]
06 WARNING: The following packages cannot be authenticated!
07   tkmon
08 Install these packages without verification [y/N]? n
09 E: Some packages could not be authenticated
10 $ wget -O - https://192.168.56.102/tk-archive.gpg.pub | sudo apt-key add -
11 $ sudo apt-key list
12 /etc/apt/trusted.gpg
13 --------------------
14 [...]
15 pub   4096R/0B8738CA 2013-04-17
16 uid                  Thomas-Krenn.AG Ubuntu Archive <ubuntu-release@thomas-krenn.com>
17 sub   4096R/F6685248 2013-04-17
18 $ sudo apt-get update
19 [...]
20 $ sudo apt-get install tkmon
21 [...]
22 The following NEW packages will be installed:
23   tkmon
24 [...]