PennockTech Public Packages

At this time, this doesn't include pre-built packages of our own open-source software. This is packaged third-party software, packaged for our local conventions, built for our needs and around our scheduling. This repository is also provided to the public as a convenience, but with no warranty for the content or for continued availability of this repository, or any other kind of warranty.

We'll shut this down as a public service if offering it causes more problems than it solves.

For software bundled here, our approach is to package “as close to upstream as possible, but perhaps with newer configuration or important patches.”; we explicitly do not guarantee backwards compatibility stability. If you need backwards compatibility, use the OS vendored packages or package yourself.
As an example: when GnuPG switched private keyring format, that created backwards compatibility issues for some. If you're using these packages, that's on you to manage. We flow with them.
Defining important patches: entirely at our discretion; sometimes software needs a patch to integrate with service management layers, or we happen to see an important fix on the relevant mailing-lists (security, regression), but we do not commit to tracking all such patches and bias strongly towards "just what was shipped".

These packages are thus convenient for some use-cases, but without a contractual relationship or other warranty, they're unsuitable for baking in as dependencies of your systems. They'll help you make progress and move forward with some actions without interfering with official system packages, but should be regarded as a crutch until you can arrange something more suitable for longer-term dependencies: either upstream by the OS or managing packages yourself or through a support contract with an appropriate organization.


The current apt repo OpenPGP signing key is available within this repo (in ASCII-armored form and unarmored form). It's also in keyservers, and has a signature from the operator, using a key in the Strong Set. Thus the key should be independently verifiable for many. The key fingerprint is 5CAF09C9C79F88B5D526D4058AC8EE39F0C68907; this key was most recently re-signed 2023-08-02, to expire on 2026-01-18. (The time before, this key was re-signed 2020-01-08 to use SHA256 for the self-signature, then expiring 2024-01-07.)

The setup instructions below are compliant with Debian's UseThirdParty guidance and only trusts this key for these repos.

Ubuntu Impish (21.10)
deb impish main
Ubuntu Focal (20.04.x; LTS)
deb focal main
Ubuntu Bionic (18.04.x; LTS)
deb bionic main
Debian Buster (Debian 10)
deb buster main
Debian Stretch (Debian 9)
deb stretch main
Ubuntu Xenial (16.04.x; LTS)
deb xenial main

All of these are currently amd64-only, although they declare as ready for more. Other architectures added as it suits us.

Platform removal policy: There are no guarantees here.
Tentatively, our expectation is that Ubuntu LTS releases will get updates for as long as upstream supports them at “standard support” levels, while Ubuntu non-LTS releases will be more aggressively pruned, probably “the latest release, and a little grace period for the next one”. If you want stability, run LTS.
We are not paying for extended support, so “End of Life” is not the correct date to look at.
For Debian, tentatively: as long as Debian are supporting it.

On 2020-06-02 we removed support for Debian Jessie 8, Ubuntu Trusty 14.04 and Ubuntu Disco 19.04, per stated policy. It was no longer possible to build for those platforms. For the time being, the historical apt repositories still exist and can be pulled from if configured.
In the near future, the apt repositories will be removed too.
These were removed 2022-02-09.

On 2022-02-09, Ubuntu Eoan was removed from the storage bucket; this had been listed here as removed since 2020-12-21.

Setup for minimal trust

This requires a new enough version of the apt package management tools.
Any supported version of Debian or Ubuntu is new enough for this approach. Historically, Debian Jessie and Ubuntu Trusty were not new enough.

# This example uses Focal, but only the 'echo' line changes
# These commands are run as root; if not root, then use sudo first to run
# these commands; using 'sudo' at the front won't help for the redirection
# lines.
apt install apt-transport-https
printf > /etc/apt/preferences.d/pennocktech.pref 'Package: *\nPin: origin\nPin-Priority: 100\n'
mkdir -pv /etc/apt/keys
curl -Ss > /etc/apt/keys/pennocktech.gpg
echo 'deb [signed-by=/etc/apt/keys/pennocktech.gpg] focal main' > /etc/apt/sources.list.d/pennocktech.list
apt update
apt install optgnupg-gnupg

Refer to Debian's UseThirdParty documentation for more depth on what is happening here. Note that the pinning step is keeping this repository for being used for any packages if they've already been installed from elsewhere, thus we don't get to replace system packages.

Beware capitalization: the parser for apt repo lists is case-sensitive! The Signed-By: directive, mixed-case, is for the “deb822-style format” files with extension “.sources”. For the “one-line-style format” used in “.list” files, use signed-by= in all-lower-case.