At this time, this doesn't include pre-built packages of our own open-source software. This is packaged third-party software, packaged for our local conventions, built for our needs and around our scheduling. This repository is also provided to the public as a convenience, but with no warranty for the content or for continued availability of this repository, or any other kind of warranty.
We'll shut this down as a public service if offering it causes more problems than it solves.
For software bundled here, our approach is to package “as close to upstream as
possible, but perhaps with newer configuration or important patches.”; we
explicitly do not guarantee backwards compatibility stability.
If you need backwards compatibility, use the OS vendored packages or package
yourself.
As an example: when GnuPG switched private keyring format, that created
backwards compatibility issues for some. If you're using these packages,
that's on you to manage. We flow with them.
Defining important patches: entirely at our discretion; sometimes software
needs a patch to integrate with service management layers, or we happen to see
an important fix on the relevant mailing-lists (security, regression), but
we do not commit to tracking all such patches and bias strongly towards
"just what was shipped".
These packages are thus convenient for some use-cases, but without a contractual relationship or other warranty, they're unsuitable for baking in as dependencies of your systems. They'll help you make progress and move forward with some actions without interfering with official system packages, but should be regarded as a crutch until you can arrange something more suitable for longer-term dependencies: either upstream by the OS or managing packages yourself or through a support contract with an appropriate organization.
The current apt repo OpenPGP signing key is available within this repo (in ASCII-armored form and unarmored form). It's also in keyservers, and has a signature from the operator, using a key in the Strong Set. Thus the key should be independently verifiable for many. The key fingerprint is 5CAF09C9C79F88B5D526D4058AC8EE39F0C68907; this key was most recently re-signed 2023-08-02, to expire on 2026-01-18. (The time before, this key was re-signed 2020-01-08 to use SHA256 for the self-signature, then expiring 2024-01-07.)
The setup instructions below are compliant with Debian's UseThirdParty guidance and only trust this key for these repos.
All of these are currently amd64-only, although they declare as ready for more. Other architectures will be added as it suits us.
Platform removal policy:
There are no guarantees here.
Tentatively, our expectation is that Ubuntu LTS releases will get updates
for as long as upstream supports them at “standard support” levels,
while Ubuntu non-LTS releases will be more aggressively pruned,
probably “the latest release, and a little grace period
for the next one”.
If you want stability, run LTS.
We are not paying for extended support, so “End of Life” is not the correct
date to look at.
For Debian, tentatively: as long as Debian are supporting it.
On 2020-06-02 we removed support for Debian Jessie 8, Ubuntu Trusty 14.04 and Ubuntu Disco 19.04, per stated policy.
It was no longer possible to build for those platforms.
For the time being, the historical apt repositories still exist and can be pulled from if configured.
In the near future, the apt repositories will be removed too.
These were removed 2022-02-09.
On 2022-02-09, Ubuntu Eoan was removed from the storage bucket; this had been listed here as removed since 2020-12-21.
This requires a new enough version of the apt package management tools.
Any supported version of Debian or Ubuntu is new enough for this approach.
Historically, Debian Jessie and Ubuntu Trusty were not new enough.
# This example uses Focal, but only the 'echo' line changes
# These commands are run as root; if not root, then use sudo first to run
# these commands; using 'sudo' at the front won't help for the redirection
# lines.
apt install apt-transport-https
printf > /etc/apt/preferences.d/pennocktech.pref 'Package: *\nPin: origin public-packages.pennock.tech\nPin-Priority: 100\n'
mkdir -pv /etc/apt/keys
curl -Ss https://public-packages.pennock.tech/apt-repo-key.raw > /etc/apt/keys/pennocktech.gpg
echo 'deb [signed-by=/etc/apt/keys/pennocktech.gpg] https://public-packages.pennock.tech/pt/ubuntu/focal/ focal main' > /etc/apt/sources.list.d/pennocktech.list
apt update
apt install optgnupg-gnupg
Refer to Debian's UseThirdParty documentation for more depth on what is happening here. Note that the pinning step keeps this repository from being used for any packages which have already been installed from elsewhere; thus we don't get to replace system packages.
Beware capitalization: the parser for apt repo lists is case-sensitive! The Signed-By: directive, mixed-case, is for the “deb822-style format” files with extension “.sources”. For the “one-line-style format” used in “.list” files, use signed-by= in all-lower-case.
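A check worth running between the curl step and apt update, added here as an example (it is not part of the original page or the operator's tooling): confirm that the downloaded key file holds exactly one primary key and that its fingerprint is the one published above. The function names are hypothetical, the key path is the one used in the setup commands, and a GnuPG 2.x gpg with --show-keys is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: check that the downloaded apt key file contains exactly one
# primary key and that it is the one whose fingerprint this page publishes.
EXPECTED_FPR='5CAF09C9C79F88B5D526D4058AC8EE39F0C68907'   # from the page
KEY_FILE='/etc/apt/keys/pennocktech.gpg'                  # path used in setup

# check_colons EXPECTED: read `gpg --with-colons` output on stdin.
# Exit 0 on match, 1 on fingerprint mismatch, 2 if the input does not hold
# exactly one primary key (extra keys would also be trusted via signed-by).
check_colons() {
    awk -F: -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 == "pub"            { keys++; primary = 1; next }
        $1 == "fpr" && primary { fpr = toupper($10); primary = 0 }
        END {
            if (keys != 1) {
                printf "expected 1 primary key, found %d\n", keys > "/dev/stderr"
                exit 2
            }
            if (fpr != want) {
                printf "fingerprint mismatch: got %s\n", fpr > "/dev/stderr"
                exit 1
            }
            print "OK " fpr
        }'
}

# verify_repo_key [FILE]: inspect FILE without importing it into any keyring.
verify_repo_key() {
    gpg --show-keys --with-colons --with-fingerprint "${1:-$KEY_FILE}" 2>/dev/null |
        check_colons "$EXPECTED_FPR"
}

# Run the check only when invoked with "verify" as the first argument.
if [ "${1:-}" = verify ]; then
    verify_repo_key "${2:-$KEY_FILE}"
fi
```

A non-zero exit status means the file should not be left in /etc/apt/keys; compare the fingerprint against a copy of the key obtained through a second channel, such as the keyservers mentioned above.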
[Service]
ExecStart=
ExecStart=/opt/gnupg/bin/gpg-agent --supervised
ExecReload=
ExecReload=/opt/gnupg/bin/gpgconf --reload gpg-agent
Beware that ExecStart flags vary between components (agent vs directory manager) and OS distributions,
so look at the flags from the configuration which you are overriding to see which to keep. You only want to change the executable path
(and hope/pray that the distribution has not added new flags of their own).
Note that you need the empty definitions to reset the values to empty, instead of appending to a list.
systemctl --user restart gpg-agent.service
systemctl --user restart dirmngr.service
gpg --version
gpg-connect-agent 'scd getinfo version' /bye
gpg-connect-agent --dirmngr 'getinfo version' /bye