Optional Setup¶
Updating Pakste¶
To update Pakste in your repository, run:
make update
From there, review and commit the change,
Sudoers Configuration¶
Building in chroot requires root permission.
If make deb_chroot
/make rpm_chroot
is run as a standard user, sudo will be used for cowbuilder calls.
If you want to avoid password promt add the following line to the sudoers configuration:
# replace build-user with the user used to generate the packages
<BUILD_USER> ALL=(ALL) NOPASSWD: /usr/sbin/cowbuilder
<BUILD_USER> ALL=(ALL) NOPASSWD: /usr/sbin/pbuilder
<BUILD_USER> ALL=(ALL) NOPASSWD: /usr/sbin/mock
<BUILD_USER> ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /var/cache/pbuilder/*
<BUILD_USER> ALL=(ALL) NOPASSWD: /usr/bin/rm -rf -- /var/cache/pbuilder/*
Adding Vulnerability Monitoring¶
You can scan for vulnerabilities using the following target:
make vulncheck
This target works at the package and root level (check all packages).
CPE & filter parameters can be tweaked in the package Makefile
:
# NIST Vulnerability Database CPE pattern
NVD_CPE_PATTERN=cpe:2.3:*:*freecade:*
# Comma separated list of CVEs to ignore
NVD_IGNORE_CVES=CVE-2023-1234,CVE-2023-5678
# Minimum Version for CVEs, defaults to $(VERSION)
NVD_MIN_VERSION=0
Visit https://kakwa.github.io/cpe-search/ to find filters.
To validate/troubleshoot (assuming the package has past CVEs):
make vulncheck NVD_MIN_VERSION=0 NVD_IGNORE_CVES= --trace
To enable daily vulnerability check Github Action:
Go to repository Settings → Secrets and variables → Actions → Variables
Create a new variable named
NVD_CHECK_ENABLED
with valuetrue
Internet Access During Build¶
By default, mock
/pbuilder
build environments don’t have internet access.
If you need access (for example, to use go get or npm install), add the following in your package Makefile
:
COWBUILD_BUILD_ADDITIONAL_ARGS=--use-network yes
MOCK_BUILD_ADDITIONAL_ARGS=--enable-network
TMPFS¶
If you have RAM to spare, using tmpfs mounts can significantly accelerate the build process.
One-time mount:
# Mount tmpfs (as root)
mount -t tmpfs -o size=16G tmpfs /var/cache/pbuilder/ # For cowbuilder/DEB builds
fstab:
# Or add to /etc/fstab for persistence
tmpfs /var/cache/pbuilder/ tmpfs defaults,size=16G 0 0 # For combuilder/DEB builds
GPG Key¶
Packages are signed with a GPG key. Here are essential commands for key management:
GPG_KEY="GPG_SIGNKEY"
# Generate a new GPG key
gpg --gen-key
# List available keys
gpg -K
# Export private key (for multiple build hosts)
gpg --export-secret-key -a "${GPG_KEY}" > priv.gpg
# Import private key on another system
gpg --import priv.gpg
# Export public key
gpg --armor --output $(OUT_DIR)/GPG-KEY.pub --export "${GPG_KEY}"
# Import public key into apt (for testing)
cat public.gpg | apt-key add -
Embedding Pakste in your project¶
It’s possible to leverage Pakste directly in your project.
To do so, setup a standalone Pakste in a dedicated directory:
# Create and enter packaging directory, download pakste
mkdir pkg/ && cd pkg/ && wget -qO- https://github.com/kakwa/pakste/archive/refs/heads/main.tar.gz | tar --strip-components=1 -xz
# Setup Pakste in standalone mode
cp -r common/skel/* .
rm -rf buildenv
cp -r common/buildenv .
rm -rf common/ Makefile* README.rst .github/
Then Create the package Makefile:
# Extract package name and URL from git repository
REPO_URL=$(git config --get remote.origin.url)
PACKAGE_NAME=$(basename "$REPO_URL" .git)
cat > Makefile << EOF
NAME=${PACKAGE_NAME}
VERSION=\$(shell {git describe --tags --dirty || echo '0.0.0';}|sed 's/-/./g')
RELEASE=1
URL=${REPO_URL}
SUMMARY=\$(NAME)
DESCRIPTION=\$(SUMMARY)
LICENSE=Unknown
#SKIP=<=:deb:8 <=:el:6 <=:fc:29 <=:ubu:18.4
COWBUILD_BUILD_ADDITIONAL_ARGS=--use-network yes
# Including common rules and targets
include buildenv/Makefile.common
# Source Preparation
\$(SOURCE_ARCHIVE): \$(SOURCE_DIR) \$(CACHE) Makefile MANIFEST
@rm -rf -- \$(SOURCE_DIR)
@rsync -ap --ignore-errors --force --exclude pkg --exclude .git ../ \$(SOURCE_DIR)
@\$(SOURCE_TAR_CMD)
EOF
sed -i 's/^ /\t/' Makefile
From there, fill in the Makefile metadata and do the usual .deb and .rpm packaging.