releases.wikimedia.org

From Wikitech

releases.wikimedia.org hosts software releases (primarily packaged as tarballs). It is currently served by releases1003 (standby: releases2003; formerly: releases1001/releases2001/releases2002/releases1002) behind ATS, through the DNS record 'releases.discovery.wmnet'.

Debian repository

Upload a package

On releasesX002:

cd /srv/deployment/parsoid/deploy/
dpkg-buildpackage -b
deb-upload ../parsoid_0.1.12_amd64.changes

Alternatively, build locally and copy .changes and .deb to releasesX002:

scp parsoid_0.4.1_* deploy1001.eqiad:/tmp
deb-upload /tmp/parsoid_0.4.1_*.changes

Check the repository: https://releases.wikimedia.org/debian/

Use the repository

Import the repository gpg key:

sudo apt-key advanced --keyserver pgp.mit.edu --recv-keys AF380A3036A03444

It should say:

gpg: key AF380A3036A03444: public key "MediaWiki releases repository <wikitech-l@lists.wikimedia.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Add the repository:

sudo apt-add-repository "deb https://releases.wikimedia.org/debian jessie-mediawiki main"

Add a distro

If you need to add a new distro version, 238348 shows how 'jessie' was added in addition to trusty.

238525 shows how the default was switched.

Running reprepro commands

When running reprepro commands for general-purpose ops tasks, use the "reprepro" user (e.g. sudo su -c /bin/bash reprepro). To run reprepro commands you also need to run:

 export REPREPRO_BASE_DIR=/srv/org/wikimedia/reprepro

GPG operations

The private GPG key used by reprepro to sign distribution files lives in private.git, and the public keyring lives in the public puppet repo. Both are installed by puppet on the relevant machines.

Generate a new key

It might be necessary to generate a new key. This can be done by creating a temporary "gpg home", generating a new key there, and replacing the secret keyring (secring.gpg) in private.git, as follows:

# install -d -m 700 gpg_releases
# gpg --homedir gpg_releases --gen-key
gpg: WARNING: unsafe permissions on homedir `gpg_releases'
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `gpg_releases/secring.gpg' created
gpg: keyring `gpg_releases/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 150w
Key expires at Wed 12 Jun 2019 09:19:52 AM UTC
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: MediaWiki releases repository
Email address: wikitech-l@lists.wikimedia.org
Comment: 
You selected this USER-ID:
    "MediaWiki releases repository <wikitech-l@lists.wikimedia.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
pub   4096R/22250DD7 2016-07-27 [expires: 2019-06-12]
      Key fingerprint = A6FD 76E2 A61C 5566 D196  D2C0 90E9 F83F 2225 0DD7
uid                  MediaWiki releases repository <wikitech-l@lists.wikimedia.org>

# mv gpg_releases/secring.gpg /srv/private/releases/files/secring.gpg
# cd /srv/private/releases/files/ && git commit secring.gpg

The public keyring pubring.gpg must be updated in the public puppet repo at modules/releases/files. When updating the public keyring, import it on your local machine and send the public key to the keyservers with gpg --keyserver hkps.pool.sks-keyservers.net --send-keys KEYID.

Also remember to delete the temporary gpg_releases directory once done.
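Before the new keyring is committed, and periodically afterwards, the key can be checked against the properties chosen in the session above: RSA, 4096 bits, sign-only, with an expiry date. The script below is an added example, not part of Wikitech's tooling. The function names sample_listing and audit_key and the 60-day warning threshold are assumptions, and the embedded listing is constructed sample data.

```shell
#!/bin/sh
# Added example. The listing below is constructed sample data modelled on the
# key generated above (RSA 4096, sign-only, 150-week validity). GnuPG colon
# format: pub:<validity>:<bits>:<algo>:<keyid>:<created>:<expires>:...:<caps>:
sample_listing() {
cat <<'EOF'
pub:u:4096:1:90E9F83F22250DD7:1469611192:1560331192::u:::scSC:
fpr:::::::::A6FD76E2A61C5566D196D2C090E9F83F22250DD7:
uid:u::::1469611192::::MediaWiki releases repository <wikitech-l@lists.wikimedia.org>:
EOF
}

# audit_key EXPECTED_FPR NOW_EPOCH WARN_DAYS   (colon listing on stdin)
# Checks only the first pub/fpr pair. Prints one line per finding and
# returns 0 only when there are none.
audit_key() {
    awk -F: -v want="$1" -v now="$2" -v warn="$3" '
        $1 == "pub" && !have_pub { have_pub = 1; bits = $3; algo = $4; expires = $7; caps = $12 }
        $1 == "fpr" && !have_fpr { have_fpr = 1; fpr = $10 }
        END {
            if (!have_pub) { print "FAIL no pub record in listing"; exit 2 }
            bad = 0
            if (toupper(fpr) != toupper(want)) {
                print "FAIL fingerprint mismatch: got " fpr; bad = 1 }
            if (algo + 0 != 1 || bits + 0 < 4096) {
                print "FAIL expected RSA >= 4096 bits, got algo " algo ", " bits " bits"; bad = 1 }
            if (caps ~ /[eE]/) {
                print "FAIL key is not sign-only (capabilities " caps ")"; bad = 1 }
            if (expires == "") {
                print "FAIL key has no expiry date"; bad = 1 }
            else if (expires + 0 <= now + 0) {
                print "FAIL key has expired"; bad = 1 }
            else if ((expires - now) / 86400 < warn + 0) {
                printf "WARN key expires in %d days\n", (expires - now) / 86400; bad = 1 }
            exit bad
        }'
}

# Demo run against the sample, 30 days before its expiry, warning at 60 days.
sample_listing | audit_key A6FD76E2A61C5566D196D2C090E9F83F22250DD7 1557739192 60 || true
```

For a real keyring, pipe the output of gpg --homedir gpg_releases --fixed-list-mode --with-colons --fingerprint --list-keys into audit_key and pass $(date +%s) as the current time. Take the expected fingerprint from the key generation output.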

Refresh signatures

It is sufficient to ask reprepro to export its files again once the new keyrings are in place (as user reprepro! see above):

cd /srv/org/wikimedia/reprepro
reprepro -v export jessie-mediawiki

And make sure to purge releases.wikimedia.org URLs as outlined in https://wikitech.wikimedia.org/wiki/Multicast_HTCP_purging