debian-specific.rst 8.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250
  1. DEBIAN-SPECIFIC NOTES
  2. =====================
  3. Git, Salsa Project, Workflow
  4. General
  5. -------
  6. Our git repositories are hosted by the Salsa_ Service and available in
  7. the FTP-Team_ group. The team has all FTPMasters_ set as owner, all
  8. other team members are developers. The team and most of our repositories
  9. are visible to the public, one exception is an internal repository for
  10. notes used within the team only.
  11. dak.git_
  12. --------
  13. This project contains the main code running the Debian archive,
  14. processing uploads, managing the various suites and releases.
  15. Contributing and workflow
  16. ~~~~~~~~~~~~~~~~~~~~~~~~~
  17. Development is done in the **master** branch, be it direct commits
  18. from FTPMasters_ or via merges from other people (anyone is welcome to
  19. contribute!).
  20. If you want to contribute, please fork the code using the functions
  21. offered by Salsa_ and work in a branch ideally named after the
  22. feature/bugfix/whatever your attention is on. Try creating a
  23. meaningful history - it may be a single commit is all that is needed,
  24. it may be you need a dozen. No worry, git and its rebase function can
  25. help you to arrive at that easily.
  26. Please write meaningful commit messages. "Change", "Bugfix" is not
  27. one. It may be obvious to you now, but how about in a year? The git
  28. log is our changelog, *what* is changed is visible by the diff, so
  29. please describe *why* it changed.
  30. Whenever you arrive at something you want to merge into ``master`` (and
  31. consequently later into ``deploy`` to actually have it live), create a
  32. merge request out of it. Use the Salsa_ web interface, describe what
  33. it is and off it goes. You may want to allow removal of the source
  34. branch at merge time, then your own forked project gets cleaned up
  35. when the |MR| is accepted. A more detailed write up on how to navigate
  36. the web UI of Salsa_ for this is available at the `gitlab MR
  37. documentation`_ page.
  38. Next someone will review your |MR| - this can be anyone and is not
  39. limited to the FTPTeam_ or even FTPMasters_. Discussions may be opened
  40. for (parts) of your changes, please be ready to engage in them, and -
  41. if warranted, adjust your merge request.
  42. When all discussions are resolved and everyone is happy with the |MR|,
  43. one of the FTPMasters_ will merge it into the ``master`` branch.
  44. From there, an action from one of the FTPMasters_ will move it into
  45. ``deploy``, which then gets installed on the Debian machines running
  46. the archive.
  47. The famous ``deploy`` branch
  48. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  49. This branch is the code actually in use on the Debian machines, and it
  50. gets deployed (hence the name) on them automatically.
  51. To not make that a complete nightmare, the commits need to be signed
  52. with a gpg key from an active FTPMaster_. As such it consists of
  53. manual merges from the ``master`` branch, followed by a push.
  54. The cronjob for deploying the code run(s) every 5 minutes.
  55. Todo/Fixme: We want to provide a script so that fetching the latest
  56. changes in master as well as preparing the merge commit into
  57. ``deploy`` is one single action.
  58. Deployment details
  59. -------------------
  60. As of today (2020-04-13) the code gets deployed on the following
  61. machines: coccia fasolo respighi seger suchon usper
  62. Also, to seperate code and actual runtime, the code is deployed (and
  63. owned by) the seperate user dak-code
  64. General
  65. ~~~~~~~
  66. Rotating Secure Boot Keys
  67. -------------------------
  68. Four keys are used: dak signs a JSON file used by the signing service
  69. (one key for main archive and security archive), the code-signing
  70. service signs files trusted by Debian's Secure Boot CA and uploads
  71. using a key trusted by dak.
  72. To rotate keys used by dak:
  73. - Generate new key::
  74. export GNUPGHOME=${base}/s3kr1t/dot-gnupg
  75. gpg --list-secret-keys
  76. gpg --homedir --full-generate-key
  77. gpg --keyring /srv/keyring.debian.org/keyrings/debian-keyring.gpg \
  78. --local-user ${OLD_FINGERPRINT} --edit-key ${NEW_FINGERPRINT}
  79. gpg -a --export ${NEW_FINGERPRINT}
  80. When editing key, run `sign` command and `addrevoker` to add current
  81. FTP masters as designated revokers.
  82. - Tell dak to use new key. Edit dak.conf, update fingerprint used in
  83. `ExportSigningKeys`.
  84. - Tell code-signing to use new key (in `code-signing` project)::
  85. gpg --no-default-keyring --keyring etc/external-signature-requests.kbx \
  86. --import
  87. To rotate Secure Boot key (in `code-signing` project):
  88. - Get new key installed in YubiKey and `etc/debian-prod-cert.pem`
  89. - Update `trusted_keys` in `etc/debian-prod.yaml` using::
  90. openssl x509 -in etc/debian-prod-cert.pem -noout -text
  91. openssl x509 -in etc/debian-prod-cert.pem -outform der | openssl dgst -sha256
  92. - Update certificate comman name in `etc/debian-prod.yaml`; there are
  93. two occurances in the `efi` group: `token` and part of `pkcs11_uri`.
  94. To rotate upload key for code-signing service:
  95. - Generate new key (as above for dak keys), except::
  96. export GNUPGHOME=$HOME/secret/gnupg
  97. - Update `maintainer.key_id` in `etc/debian-prod.yaml` (in `code-signing`
  98. project).
  99. - Tell dak about new key::
  100. gpg --no-default-keyring \
  101. --keyring config/debian-common/keyrings/automatic-source-uploads.kbx \
  102. --import
  103. and update fingerprint `AllowSourceOnlyNewKeys` setting in
  104. `config/debian/external-signatures.conf`
  105. - Import key on `ftp-master` and `security-master`::
  106. dak import-keyring -U "%s" \
  107. ${base}/config/debian-common/keyrings/automatic-source-uploads.kbx
  108. - Update ACL on `ftp-master` and `security-master`::
  109. dak acl export-per-source automatic-source-uploads
  110. dak acl allow automatic-source-uploads ${NEW_FINGERPRINT} ${SOURCES}
  111. dak acl deny automatic-source-uploads ${OLD_FINGERPRINT} ${SOURCES}
  112. security archive
  113. ~~~~~~~~~~~~~~~~
  114. Switch suite to Long Term Support (LTS)
  115. ---------------------------------------
  116. ::
  117. cronoff
  118. ::
  119. \set codename 'stretch'
  120. begin;
  121. update suite set
  122. policy_queue_id = null,
  123. announce = array['debian-lts-changes@lists.debian.org', 'dispatch@tracker.debian.org']
  124. where codename = :'codename';
  125. commit;
  126. ::
  127. suite=oldstable
  128. codename=stretch
  129. mkdir ~/${codename}-lts
  130. cd ~/${codename}-lts
  131. dak control-suite -l ${suite} > ${codename}.list
  132. awk '$3 !~ "^source|all|amd64|arm64|armel|armhf|i386$"' < ${codename}.list > ${codename}-remove-for-lts.list
  133. dak control-suite --remove ${suite} < ${codename}-remove-for-lts.list
  134. dak control-suite --remove buildd-${suite} < ${codename}-remove-for-lts.list
  135. for arch in mips mips64el mipsel ppc64el s390x; do
  136. dak admin suite-architecture rm ${suite} ${arch}
  137. dak admin suite-architecture rm buildd-${suite} ${arch}
  138. done
  139. cd ${ftpdir}/dists/${suite}/updates
  140. for arch in mips mips64el mipsel ppc64el s390x; do
  141. rm -r \
  142. main/binary-${arch} main/debian-installer/binary-${arch} \
  143. main/Contents-${arch}.gz main/Contents-udeb-${arch}.gz \
  144. contrib/binary-${arch} contrib/debian-installer/binary-${arch} \
  145. contrib/Contents-${arch}.gz contrib/Contents-udeb-${arch}.gz \
  146. non-free/binary-${arch} non-free/debian-installer/binary-${arch} \
  147. non-free/Contents-${arch}.gz non-free/Contents-udeb-${arch}.gz
  148. done
  149. cd ${base}/build-queues/dists/buildd-${suite}/updates
  150. rm -r main contrib non-free
  151. dak generate-packages-sources2 -s ${suite},buildd-${suite}
  152. dak generate-releases -s ${suite} buildd-${suite}
  153. ::
  154. cronon
  155. NEW processing
  156. --------------
  157. ::
  158. cronoff
  159. CHANGES=FILENAME.changes
  160. dak process-new ${CHANGES}
  161. cd /srv/security-master.debian.org/queue/new/COMMENTS
  162. echo $'NOTOK\n\nMoving back to unchecked' > "REJECT.${CHANGES%.changes}"
  163. rm "ACCEPT.${CHANGES%.changes}"
  164. dak process-policy new; dak clean-suites
  165. cd /srv/security-master.debian.org/queue/reject
  166. # Careful! This is only correct if there are no previous uploads!
  167. dak admin forget-signature ${CHANGES}
  168. dcmd mv -nt ../unchecked -- ${CHANGES}
  169. /srv/security-master.debian.org/dak/config/debian-security/cronscript unchecked
  170. cronon
  171. Built-Using
  172. -----------
  173. Source packages referred to via Built-Using need to be included in the
  174. security archive:
  175. - Obtain & verify .dsc
  176. - ``dak import built-using updates/<component> <.dsc...>``
  177. If the .dsc is signed by an old key no longer in the keyring, use
  178. ``--ignore-signature``. Make **extra sure** the .dsc is *correct*.
  179. .. _Salsa: http://salsa.debian.org/
  180. .. _FTP-Team: https://salsa.debian.org/ftp-team/
  181. .. _FTPMasters: https://www.debian.org/intro/organization#ftpmasters
  182. .. _FTPTeam: https://www.debian.org/intro/organization#ftpmaster
  183. .. _dak.git: https://salsa.debian.org/ftp-team/dak
  184. .. _gitlabsmrdocs: https://docs.gitlab.com/ce/gitlab-basics/add-merge-request.html
  185. .. _gitlab MR documentation: https://docs.gitlab.com/ce/gitlab-basics/add-merge-request.html
  186. .. |MR| replace:: Merge request