At this time, this doesn't include pre-built packages of our own open-source software. This is packaged third-party software, packaged for our local conventions, provided to the public as a convenience but with no warranty for the content or for continued availability of this repository.
We'll shut this down as a public service if offering it causes more problems than it solves.
For software bundled here, our approach is to package “as close to upstream as
possible, but perhaps with newer configuration or important patches”; we
explicitly do not guarantee backwards-compatibility stability.
If you need backwards compatibility, use the OS vendored packages or package
As an example: when GnuPG switched private keyring format, that created backwards compatibility issues for some. If you're using these packages, that's on you to manage. We flow with them.
Defining important patches: entirely at our discretion; sometimes software needs a patch to integrate with service management layers, or we happen to see an important fix on the relevant mailing-lists (security, regression), but we do not commit to tracking all such patches and bias strongly towards "just what was shipped".
These packages are thus convenient for some use-cases, but without a contractual relationship or other warranty, they're unsuitable for baking in as dependencies of your systems. They'll help you make progress and move forward with some actions without interfering with official system packages, but should be regarded as a crutch until you can arrange something more suitable for longer-term dependencies: either upstream by the OS or managing packages yourself or through a support contract with an appropriate organization.
The current apt repo OpenPGP signing key is available within this repo (in ASCII-armored form and unarmored form). It's also in keyservers, and has a signature from the operator, using a key in the Strong Set. Thus the key should be independently verifiable for many. The key fingerprint is 5CAF09C9C79F88B5D526D4058AC8EE39F0C68907; while this is usable in Signed-By/signed-by directives for apt, ideally, you'll instead use Debian's UseThirdParty setup instructions and only trust this key for these repos, per the first setup instructions below. If you do need to use the shared keyring (older OS), then use the second sample configuration.
All of these are currently amd64-only, although they declare as ready for more. Other architectures added as it suits us.
This requires a new enough version of the apt package management tools.
Debian Stretch and Ubuntu Xenial & Bionic are new enough. Debian Jessie and Ubuntu Trusty are not.
    # This example uses Xenial, but only the 'echo' line changes.
    # These commands are run as root; if not root, then use sudo first to run
    # these commands; using 'sudo' at the front won't help for the redirection
    # lines.
    apt install apt-transport-https
    printf > /etc/apt/preferences.d/pennocktech.pref 'Package: *\nPin: origin public-packages.pennock.tech\nPin-Priority: 100\n'
    mkdir -pv /etc/apt/keys
    curl -Ss https://public-packages.pennock.tech/apt-repo-key.raw > /etc/apt/keys/pennocktech.gpg
    echo 'deb [signed-by=/etc/apt/keys/pennocktech.gpg] https://public-packages.pennock.tech/pt/ubuntu/xenial/ xenial main' > /etc/apt/sources.list.d/pennocktech.list
    apt update
    apt install optgnupg-gnupg
Refer to Debian's UseThirdParty documentation for more depth on what is happening here. Note that the pinning step keeps this repository from being used for any package that has already been installed from elsewhere, so we don't get to replace system packages.
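The instructions above fetch the keyring straight into /etc/apt/keys/ and reference it with signed-by, so before apt starts trusting that file it is worth confirming that it holds exactly one primary key and that its fingerprint is the one published above. The following is an added example, not part of the repository's own instructions; it assumes gpg is installed and will list a key file passed as an argument under --with-fingerprint, and the colon-format sample embedded in it is constructed.

```sh
#!/bin/sh
# Added example, not from the repository's own docs: confirm that a downloaded
# apt-repo keyring carries exactly one primary key, and that its fingerprint
# is the one published on this page, before the file is referenced by signed-by.
# Assumes: gpg is installed and lists a key file passed as an argument when
# given --with-fingerprint (GnuPG 1.4 / 2.x behaviour); parsing needs only awk.

EXPECTED_FPR=5CAF09C9C79F88B5D526D4058AC8EE39F0C68907

# Constructed sample of GnuPG --with-colons output for a key with one primary
# key (matching the published fingerprint) and one signing subkey.  The user
# ID and the subkey fingerprint are made up for this example.
SAMPLE_COLONS='pub:-:4096:1:8AC8EE39F0C68907:1500000000::-:::scESC::::::23::0:
fpr:::::::::5CAF09C9C79F88B5D526D4058AC8EE39F0C68907:
uid:-::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Repo Signing Key <example@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print primary-key fingerprints from --with-colons output on stdin.  An "fpr"
# record belongs to whatever "pub"/"sub" record preceded it, so only the fpr
# that follows a "pub" record is a primary-key fingerprint (field 10).
primary_fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only when stdin describes exactly one primary key whose fingerprint
# equals $1 (compared case-insensitively).  A keyring with extra primary keys
# is rejected: signed-by accepts signatures from any key in the file.
colons_match_expected() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    found=$(primary_fprs_from_colons | tr 'a-f' 'A-F')
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] && [ "$found" = "$expected" ]
}

# Live check of a keyring file (armored or binary), e.g. the apt-repo-key.raw
# fetched above.  Exit status 0 means the file is safe to reference in signed-by.
verify_keyring() {
    gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null \
        | colons_match_expected "$EXPECTED_FPR"
}

# Live usage: verify_keyring /etc/apt/keys/pennocktech.gpg || echo 'fingerprint mismatch' >&2
```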
This grants more trust to us.
Use the above mechanism if you can.
If you're on Debian Jessie (8) or earlier, (or Ubuntu Trusty (14.04) or earlier) then you'll need to use the global keyring because the signed-by option is not supported and is ignored.
Note that writing to files in /etc/apt/trusted.gpg.d/ instead of importing to apt-key does not change the security posture.
    jessie# apt install apt-transport-https
    jessie# echo 'deb https://public-packages.pennock.tech/pt/debian/jessie/ jessie main' > /etc/apt/sources.list.d/pennocktech.list
    jessie# curl -Ss https://public-packages.pennock.tech/apt-repo-key.asc | apt-key add -
    jessie# apt update
    jessie# apt install optgnupg-gnupg
While you can write:

    echo 'deb [signed-by=5CAF09C9C79F88B5D526D4058AC8EE39F0C68907] https://public-packages.pennock.tech/pt/debian/jessie/ jessie main' > /etc/apt/sources.list.d/pennocktech.list

note that Jessie and Trusty do not support the signed-by directive, so you're just fooling yourself about the level of security provided. With this form, an unsupported signed-by is no restriction, so any key can be used. With the file-path form, an unsupported signed-by without the key in the global apt keyring means that there is no usable trust anchor, and things break.
Beware that ExecStart flags vary between components (agent vs directory manager) and OS distributions, so look at the flags from the configuration which you are overriding to see which to keep. You only want to change the executable path (and hope/pray that the distribution has not added new flags of their own). Note that you need the empty definitions to reset the values to empty, instead of appending to a list.
    [Service]
    ExecStart=
    ExecStart=/opt/gnupg/bin/gpg-agent --supervised
    ExecReload=
    ExecReload=/opt/gnupg/bin/gpgconf --reload gpg-agent