@herpiko
Last active June 30, 2019 16:10
blankon-dev-reboot

IRGSH-GO

DAK

🔥

Reprepro

https://github.com/BlankOn/lumbung-base-reprepro

arsipdev@alynne:~/verbeek-repo$ tree -L 3
.
├── conf
│   ├── blacklist.pkg
│   ├── blacklist.unstable
│   ├── bzip.example
│   ├── changelogs
│   ├── distributions
│   ├── options
│   ├── pulls
│   ├── tiffany.py
│   └── updates
├── db
│   ├── checksums.db
│   ├── contents.cache.db
│   ├── packages.db
│   ├── references.db
│   ├── release.caches.db
│   └── version
├── gnupg
│   ├── gpg.conf
│   ├── pubring.kbx
│   ├── random_seed
│   └── trustdb.gpg
├── lists
│   ├── merge%2Esid_sid_contrib_amd64_Packages
│   ├── merge%2Esid_sid_contrib_Sources
│   ├── merge%2Esid_sid_InRelease
│   ├── merge%2Esid_sid_main_amd64_Packages
│   ├── merge%2Esid_sid_main_amd64_uPackages
│   ├── merge%2Esid_sid_main_Sources
│   ├── merge%2Esid_sid_non-free_amd64_Packages
│   ├── merge%2Esid_sid_non-free_Sources
│   └── _verbeek_lastseen
├── logs
│   └── verbeek.log
├── README.md
└── rilis
    ├── changelogs
    │   └── pool
    ├── dists
    │   └── verbeek
    └── pool
        ├── extras
        ├── main
        └── restricted

14 directories, 30 files
arsipdev@alynne:~/verbeek-repo$

conf

blacklist.pkg

courier purge
openvpn purge
r-cran-v8 purge

Currently this file contains courier, openvpn and r-cran-v8. It is not yet known why these packages were blacklisted in the previous BlankOn release.

blacklist.unstable

libgnome-desktop-3-7 hold
ayat-semesta hold
bakso-theme hold
base-files hold
battery-icon hold
battery-status hold
blankfox hold
blankon-artwork hold
blankon-avatar hold
blankon-branding hold
blankon-branding-fans hold
blankon-colour-palette hold
blankon-contextual-desktop hold
blankon-default-applications hold
blankon-default-font-configuration hold
blankon-desktop hold
blankon-desktop-meta hold
blankon-docs hold
blankon-example-content hold
blankon-extra-desktop hold
blankon-extra-dvd hold
blankon-fontconfig hold
blankon-gksu-configuration hold
blankon-gsettings-desktop-schemas hold
blankon-icon-theme hold
...

Contains the list of BlankOn-specific packages and a few upstream packages such as libgnome-desktop-3-7.

bzip.example

As defined inside the file.

changelogs

As the name says.

distributions

# WARNING
# Avoid giving - string into Update field as it could removing blankon specific packages

Origin: BlankOn
Label: BlankOn
Codename: verbeek
Suite: verbeek
Components: main restricted extras extras-restricted
UDebComponents: main
Architectures: amd64 source
Version: 12.0
Description: BlankOn 12.0 Verbeek
Update: merge.sid
SignWith: 9120A048
DebIndices: Packages Release . .gz .bz2 tiffany.py
UDebIndices: Packages . .gz .bz2 
DscIndices: Sources Release . .gz .bz2 tiffany.py
Pull: pull.verbeek
Contents: udebs nodebs . .gz
ContentsArchitectures: amd64 source
ContentsComponents: main restricted extras extras-restricted
ContentsUComponents: main
Log: verbeek.log
 --type=dsc changelogs

Origin: BlankOn
Label: BlankOn
Codename: verbeek-security
Suite: verbeek-security
Components: main restricted extras extras-restricted 
UDebComponents: main 
Architectures: amd64 source
Version: 12.0
Description: BlankOn 12.0 Verbeek Security
Update: 
SignWith: 9120A048
DebIndices: Packages Release . .gz .bz2 tiffany.py
UDebIndices: Packages . .gz .bz2
DscIndices: Sources Release . .gz .bz2 tiffany.py
Contents: udebs nodebs . .gz 
ContentsArchitectures: amd64 
ContentsComponents: main restricted extras extras-restricted 
ContentsUComponents: main 
Log: verbeek-security.log
 --type=dsc changelogs

Origin: BlankOn
Label: BlankOn
Codename: verbeek-updates
Suite: verbeek-updates
Components: main restricted extras extras-restricted
UDebComponents: main
Architectures: amd64 source
Version: 12.0
Description: BlankOn 12.0 Verbeek Updates
Update:
SignWith: 9120A048
DebIndices: Packages Release . .gz .bz2 tiffany.py
UDebIndices: Packages . .gz .bz2
DscIndices: Sources Release . .gz .bz2 tiffany.py
Contents: udebs nodebs . .gz
ContentsArchitectures: amd64
ContentsComponents: main restricted extras extras-restricted
ContentsUComponents: main
Log: verbeek-security.log 
 --type=dsc changelogs

Repository definitions. In general, a Debian-derived repository contains 3 sub-repositories:

  • releasename - the main repository of the release
  • releasename-security - the repository holding security updates. Packages enter it after the release.
  • releasename-updates - the repository holding updates that are not security related. Packages enter it after the release.

Some notes:

  • The Origin and Label values follow the distribution name.
  • When starting a new release, replace the releasename string (in this case, verbeek) with the new release name. Adjust the Description value as well.
  • For SignWith, see the gnupg section.
  • Heed the warning at the top of the file: avoid giving any - string in the Update fields, because in reprepro a - rule deletes every package that the update rules after it do not provide, which would remove the BlankOn-specific packages.
  • The verbeek-updates block above still writes to verbeek-security.log; check whether a separate verbeek-updates.log was intended before reusing this file.

options

basedir /home/arsipdev/verbeek-repo
confdir /home/arsipdev/verbeek-repo/conf
dbdir /home/arsipdev/verbeek-repo/db
outdir /home/arsipdev/verbeek-repo/rilis
gnupghome /home/arsipdev/verbeek-repo/gnupg
#ignore brokensignatures

Contains the path configuration. It is not yet known why there is an ignore brokensignatures note; that option tells reprepro to carry on when a signature cannot be checked, so leaving it commented out is the safer setting.

pulls

Is this file actually unnecessary?

pulls is the configuration for pulling between repositories. As defined in this file, reprepro will pull the latest packages from the Sid repository into the verbeek repository; as we can see, pull.verbeek is already defined in the distributions file. Both the target and the source can be adjusted.

tiffany.py

I do not yet understand exactly what tiffany does; by the way, this file is referenced in distributions.

updates

Name: merge.sid
Suite: sid
VerifyRelease: blindtrust
Method: http://kartolo.sby.datautama.net.id/debian
Architectures: amd64 source
Components: main non-free>restricted contrib>extras
# main restricted extras extras-restricted
#FilterList: install blacklist.unstable
FilterList: install blacklist.pkg

This file contains the update configuration, among other things the endpoint of the repository we pull from. The blacklist files are also referenced here. Note VerifyRelease: blindtrust: with that value reprepro does not verify the signature on the mirror's Release file, so a tampered or wrong mirror would be pulled in unnoticed; giving the fingerprint of the Debian archive signing key instead makes reprepro check it.

db

The files below are generated by reprepro. If a reprepro process is running or was killed forcibly, there will be a lock file in this directory that locks the process (it can be deleted if needed).

gnupg

???

This directory perhaps should not be here, but should instead refer to gnupg's default path, ~/.gnupg.

lists

The files below are generated by reprepro.

rilis

The files below are generated by reprepro. These are the actual repository files.

Questions

  • What is blacklist.pkg? How does it differ from blacklist.unstable?
  • Why are there BlankOn-specific packages in blacklist.unstable?
  • No idea where the original source of this structure is
  • When should the blacklist files be defined? Before repo initialization, or when we start submitting our BlankOn-specific packages?
  • If we want to include src as well, where and how should it be defined?

Practical Guide

Booo!

This doc needs to be rewritten in a detailed manner, https://github.com/BlankOn/wiki/blob/master/TimPengembang/Infrastruktur/Repositori.md

Workspace preparation

  • Add a dedicated repository user: adduser arsipdev
  • Add that user to /etc/sudoers (the line below grants passwordless root for every command; narrow it to the commands the repository tooling actually needs if you can):
arsipdev	ALL=(ALL) NOPASSWD:ALL

Preparing the package signing key

The authenticity of packages in a Debian-derived repository is verified by digital signatures made with a GPG key (which is why the repository address no longer needs HTTPS/TLS protection, see https://whydoesaptnotusehttps.com/). We need a GPG key to sign the BlankOn-specific packages later. Once created following the guide below, these keys are stored in ~/.gnupg.

Prepare rng to speed up entropy generation. Note that rngd -r /dev/urandom feeds the kernel's own urandom output back into the entropy pool: key generation finishes faster, but no real entropy is added, so prefer a hardware RNG or virtio-rng where one is available.

$ sudo apt-get install rng-tools
$ sudo rngd -r /dev/urandom

Create the main GPG key. Skip the passphrase prompt to support automated package signing. A secret key without a passphrase is only as safe as the account and filesystem holding it, so keep ~/.gnupg of the repository user readable by that user alone.

$ gpg --full-generate-key
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Wed Jan 24 04:58:41 2024 EST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: BlankOn Developer
Email address: blankon-dev@googlegroups.com
Comment: 
You selected this USER-ID:
    "BlankOn Developer <blankon-dev@googlegroups.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key 17963DC67219B965 marked as ultimately trusted
gpg: revocation certificate stored as '/home/arsipdev-reboot/.gnupg/openpgp-revocs.d/9584C1230204D624A15D215117963DC67219B965.rev'
public and secret key created and signed.
pub   rsa4096 2019-01-25 [SC] [expires: 2024-01-24]
      9584C1230204D624A15D215117963DC67219B965
uid                      BlankOn Developer <blankon-dev@googlegroups.com>
sub   rsa4096 2019-01-25 [E] [expires: 2024-01-24]

Create a subkey for package signing. The parameter is the master key identity.

$ gpg --edit-key 05657D94F29BDACB99F6CE7D0B352C08D746A9A6
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2021-01-24
sec  rsa2048/0B352C08D746A9A6
     created: 2019-01-25  expires: 2021-01-24  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/BE8FF591E6569748
     created: 2019-01-25  expires: 2021-01-24  usage: E   
[ultimate] (1). BlankOn Developer <blankon-dev@googlegroups.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Wed Jan 24 05:06:05 2024 EST
Is this correct? (y/N) y
Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa2048/0B352C08D746A9A6
     created: 2019-01-25  expires: 2021-01-24  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/BE8FF591E6569748
     created: 2019-01-25  expires: 2021-01-24  usage: E   
ssb  rsa4096/1C608FE2ECC8842B
     created: 2019-01-25  expires: 2024-01-24  usage: S   
[ultimate] (1). BlankOn Developer <blankon-dev@googlegroups.com>

gpg> save

The identity of this child key (the string 0B352C08D746A9A6) is what will be used in the repository configuration later. Check it against the output above before using it: 0B352C08D746A9A6 is printed on the sec line, i.e. the primary key, while the signing subkey just added is the ssb with usage S, rsa4096/1C608FE2ECC8842B; gpg --list-secret-keys --keyid-format long shows which ID is which.

Separate the master key. The purpose of using a subkey and keeping the master key separate is that if the signing key is compromised, a new signing key can still be issued and old packages can still be verified.

$ gpg --export-secret-key 05657D94F29BDACB99F6CE7D0B352C08D746A9A6 > private.key
$ gpg --export 05657D94F29BDACB99F6CE7D0B352C08D746A9A6 >> private.key

Store this private.key file somewhere safe.

Separate the master public key and the child private key.

$ gpg --export 05657D94F29BDACB99F6CE7D0B352C08D746A9A6 > public.key
$ gpg --export-secret-subkeys 0B352C08D746A9A6 > signing.key

Delete the master private key from gnupg.

$ gpg --delete-secret-key 05657D94F29BDACB99F6CE7D0B352C08D746A9A6

Re-import the master public key and the child private key.

$ gpg --import public.key signing.key

Make sure the master private key is no longer registered in gnupg.

$ gpg --list-secret-keys
/home/arsipdev/.gnupg/pubring.kbx
----------------------------------------
sec#  rsa4096 2019-01-25 [SC] [expires: 2024-01-24]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid           [ultimate] BlankOn Developer <blankon-dev@googlegroups.com>
ssb   rsa4096 2019-01-25 [E] [expires: 2024-01-24]
ssb   rsa4096 2019-01-25 [S] [expires: 2024-01-24]

The # symbol after sec indicates that the master private key is not in gnupg.
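The export / delete / re-import sequence above can be rehearsed end to end in a throwaway keyring before touching the real one. This is an added example, not code from the gist or the BlankOn project; it assumes GnuPG 2.1 or newer (for --quick-generate-key and --quick-add-key), uses a constructed placeholder user ID, and finishes by checking for the sec# marker described in the text and that the remaining signing subkey still produces a verifiable signature.

```shell
#!/bin/sh
# Added example (not from the gist): rehearse the "master key offline" split in a
# throwaway GNUPGHOME and check the result. Requires GnuPG >= 2.1.
set -eu

# Every call that touches secret material runs with an empty passphrase, as in the guide.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Primary key with certify-only usage, plus an encryption and a signing subkey.
# The user ID is a constructed placeholder, not the project's real key.
make_keys() {
    g --quick-generate-key 'Repo Signer (test) <signer@example.invalid>' rsa2048 cert 1y
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    g --quick-add-key "$fpr" rsa2048 encr 1y
    g --quick-add-key "$fpr" rsa2048 sign 1y
    echo "$fpr"
}

# Same steps as the guide: full secret export (to be stored offline), then public key
# and secret subkeys only, delete the master secret, re-import the two small files.
split_master() {
    g --export-secret-keys "$1" > private.key      # store this one offline
    gpg --batch --export "$1" > public.key
    g --export-secret-subkeys "$1" > signing.key
    gpg --batch --yes --delete-secret-keys "$1"
    gpg --batch --import public.key signing.key
}

# "sec#" means only a stub of the primary secret key is left in the keyring.
master_offline() {
    gpg --batch --list-secret-keys "$1" | grep -q '^sec#'
}

# The signing subkey must still sign, and the signature must verify, with the
# primary secret key gone; gpg picks the S-capable subkey for --local-user.
can_sign() {
    printf 'Packages\n' > msg.txt
    g --local-user "$1" --detach-sign --output msg.sig msg.txt
    gpg --batch --verify msg.sig msg.txt 2>/dev/null
}

# Runs the whole rehearsal in a temporary home; returns 0 only if both checks pass.
run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    cd "$GNUPGHOME"
    fpr=$(make_keys)
    split_master "$fpr"
    if master_offline "$fpr" && can_sign "$fpr"; then status=0; else status=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    cd / && rm -rf "$GNUPGHOME"
    return $status
}
```

Run it as `sh -c '. ./split-demo.sh && run_demo'`; a non-zero exit means either the primary secret key was still present or signing with the subkey alone failed.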

Basic repository configuration (reprepro)

Clone the following code repository into ~/, then rename it to the release name, for example here, lumbung-verbeek.

$ cd
$ git clone https://github.com/BlankOn/lumbung-base
$ mv lumbung-base lumbung-verbeek

The basic configuration that needs to be done includes:

  • foo
  • bar
  • boo!

Pulling the repository

reprepro

Exposing the repository

Notes:

Maintaining Cycle

Injecting new package

Freezing

Maintaining Security and Update

Packaging

BlankOn version numbering

CD factory

Release

Package Automation (IRGSH)



herpiko commented Jan 25, 2019

Drop bzip.example; changelogs is an sh script.

herpiko commented Jan 25, 2019

tiffany's job is to help generate diffs of package updates. tiffany and changelogs become mandatory here.

herpiko commented Jan 25, 2019

reprepro rollback?

herpiko commented Mar 27, 2019

pbuilder

sudo apt-get install pbuilder debootstrap devscripts
sudo pbuilder create --debootstrapopts --variant=buildd

herpiko commented Mar 29, 2019

Collecting deps from control file.

cat control | grep Depends | tr " " "\n" | tr "," " "  | sed '/)/d' | sed '/(/d' | sed '/{/d' | sed '/}/d' | sed '/:/d' | tr "\n" " "

herpiko commented Mar 29, 2019

Signing DSC

debuild -S -k55BD65A0B3DA3A59ACA60932E2FE388D53B56A71

herpiko commented Mar 29, 2019

reprepro requirements

apt-get install python-apt

herpiko commented Jun 30, 2019

Dak requirements:

sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev

Dak python package requirements:

  • sqlalchemy
  • python-ldap
  • python-debian
