releases.wikimedia.org
releases.wikimedia.org hosts software releases (primarily packaged as tars). Currently served by releases1003 (standby: releases2003) (formerly: releases1001/releases2001/releases2002/releases1002) behind ATS through the DNS record 'releases.discovery.wmnet'.
Debian repository
Upload a package
On releasesX002:
cd /srv/deployment/parsoid/deploy/
dpkg-buildpackage -b
deb-upload ../parsoid_0.1.12_amd64.changes
Alternatively, build locally and copy .changes and .deb to releasesX002:
scp parsoid_0.4.1_* deploy1001.eqiad:/tmp
deb-upload /tmp/parsoid_0.4.1_*.changes
Check the repository: https://releases.wikimedia.org/debian/
Use the repository
Import the repository gpg key:
sudo apt-key advanced --keyserver pgp.mit.edu --recv-keys AF380A3036A03444
It should say:
gpg: key AF380A3036A03444: public key "MediaWiki releases repository <wikitech-l@lists.wikimedia.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Add the repository:
sudo apt-add-repository "deb https://releases.wikimedia.org/debian jessie-mediawiki main"
Add a distro
If you need to add a new distro version, 238348 shows how 'jessie' was added in addition to trusty.
238525 shows how the default was switched.
Running reprepro commands
When running reprepro commands for general-purpose ops tasks, use the "reprepro" user (e.g. sudo su -c /bin/bash reprepro). To run reprepro commands you also need to run:
export REPREPRO_BASE_DIR=/srv/org/wikimedia/reprepro
GPG operations
The private gpg key used by reprepro to sign distribution files lives in private.git, the public keyring lives in the public puppet repo, both are installed by puppet on the relevant machines.
Generate a new key
It might be necessary to generate a new key. This can be done by creating a temporary "gpg home", generating a new key there, and replacing the secure keyring in private.git, as follows:
# install -d -m 700 gpg_releases
# gpg --homedir gpg_releases --gen-key
gpg: WARNING: unsafe permissions on homedir `gpg_releases'
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `gpg_releases/secring.gpg' created
gpg: keyring `gpg_releases/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 150w
Key expires at Wed 12 Jun 2019 09:19:52 AM UTC
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: MediaWiki releases repository
Email address: wikitech-l@lists.wikimedia.org
Comment:
You selected this USER-ID:
    "MediaWiki releases repository <wikitech-l@lists.wikimedia.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
pub   4096R/22250DD7 2016-07-27 [expires: 2019-06-12]
      Key fingerprint = A6FD 76E2 A61C 5566 D196 D2C0 90E9 F83F 2225 0DD7
uid   MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
# mv gpg_releases/secring.gpg /srv/private/releases/files/secring.gpg
# cd /srv/private/releases/files/ && git commit secring.gpg
The public keyring pubring.gpg must be updated in the public puppet repo at modules/releases/files.
When updating the public keyring, import it on your local machine and send the public key to the keyservers with:
gpg --keyserver hkps.pool.sks-keyservers.net --send-keys KEYID
Also remember to delete the temporary gpg_releases directory once done.
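Before the new keyring is committed or the key is published, its fingerprint and remaining validity can be checked mechanically rather than by eye. The following is an added example, not part of the original page or of the Wikimedia tooling: the function names check_signing_key and sample_listing are hypothetical, and the sample listing is constructed from the key shown in the transcript above. It assumes epoch timestamps in the colon listing (GnuPG 2.x, or 1.4 with --fixed-list-mode).

```shell
#!/bin/sh
# Added example (hypothetical helper, not Wikimedia code).
# Reads `gpg --with-colons --fixed-list-mode --fingerprint` output on stdin.
# check_signing_key EXPECTED_FPR MIN_DAYS NOW_EPOCH
#   0 = fingerprint matches and key is valid for at least MIN_DAYS
#   1 = fingerprint mismatch, 2 = expired or expiring soon, 3 = no key found
check_signing_key() {
    # Normalise the expected fingerprint: drop spaces, upper-case the hex.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" -v min_days="$2" -v now="$3" '
        # First primary key record: field 7 is the expiry (empty = never).
        $1 == "pub" && !seen_pub { seen_pub = 1; expires = $7; next }
        # First fpr record after it belongs to the primary key (field 10).
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        END {
            if (fpr == "")   { print "no primary key found"; exit 3 }
            if (fpr != want) { print "fingerprint mismatch: " fpr; exit 1 }
            if (expires != "") {
                left = int((expires - now) / 86400)
                if (left < min_days) {
                    print "key expires in " left " days"; exit 2
                }
            }
            print "ok " fpr
        }'
}

# Constructed sample listing for the key in the transcript above
# (created 2016-07-27, expires 2019-06-12 09:19:52 UTC).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:90E9F83F22250DD7:1469611192:1560331192::u:::scSC:
fpr:::::::::A6FD76E2A61C5566D196D2C090E9F83F22250DD7:
uid:u::::1469611192::::MediaWiki releases repository <wikitech-l@lists.wikimedia.org>:
EOF
}

# Real use, from the directory holding the temporary gpg home:
#   gpg --homedir gpg_releases --with-colons --fixed-list-mode --fingerprint \
#     | check_signing_key "$EXPECTED_FPR" 30 "$(date +%s)"
```

The same check can be run periodically against the deployed public keyring so that an approaching expiry is noticed before clients start rejecting the repository's signatures.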
Refresh signatures
It is sufficient to ask reprepro to export its files again once the new keyrings are in place (as user reprepro! see above):
cd /srv/org/wikimedia/reprepro
reprepro -v export jessie-mediawiki
Then make sure to purge the releases.wikimedia.org URLs as outlined in https://wikitech.wikimedia.org/wiki/Multicast_HTCP_purging