PennockTech Public Packages

At this time, this doesn't include pre-built packages of our own open-source software. This is packaged third-party software, packaged for our local conventions, provided to the public as a convenience but with no warranty for the content or for continued availability of this repository.

We'll shut this down as a public service if offering it causes more problems than it solves.

For software bundled here, our approach is to package “as close to upstream as possible, but perhaps with newer configuration or important patches.”; we explicitly do not guarantee backwards compatibility stability. If you need backwards compatibility, use the OS vendored packages or package yourself.
As an example: when GnuPG switched private keyring format, that created backwards compatibility issues for some. If you're using these packages, that's on you to manage. We flow with them.
Defining important patches: entirely at our discretion; sometimes software needs a patch to integrate with service management layers, or we happen to see an important fix on the relevant mailing-lists (security, regression), but we do not commit to tracking all such patches and bias strongly towards "just what was shipped".

These packages are thus convenient for some use-cases, but without a contractual relationship or other warranty, they're unsuitable for baking in as dependencies of your systems. They'll help you make progress and move forward with some actions without interfering with official system packages, but should be regarded as a crutch until you can arrange something more suitable for longer-term dependencies: either upstream by the OS or managing packages yourself or through a support contract with an appropriate organization.


Repositories

The current apt repo OpenPGP signing key is available within this repo (in ASCII-armored form and unarmored form). It's also in keyservers, and has a signature from the operator, using a key in the Strong Set. Thus the key should be independently verifiable for many. The key fingerprint is 5CAF09C9C79F88B5D526D4058AC8EE39F0C68907; while this is usable in Signed-By/signed-by directives for apt, ideally, you'll instead use Debian's UseThirdParty setup instructions and only trust this key for these repos, per the first setup instructions below. If you do need to use the shared keyring (older OS), then use the second sample configuration.

Ubuntu Disco (19.04)
deb https://public-packages.pennock.tech/pt/ubuntu/disco/ disco main
Ubuntu Bionic (18.04.x; LTS)
deb https://public-packages.pennock.tech/pt/ubuntu/bionic/ bionic main
Debian Buster (Debian 10)
deb https://public-packages.pennock.tech/pt/debian/buster/ buster main
Debian Stretch (Debian 9)
deb https://public-packages.pennock.tech/pt/debian/stretch/ stretch main
Ubuntu Xenial (16.04.x; LTS)
deb https://public-packages.pennock.tech/pt/ubuntu/xenial/ xenial main
Debian Jessie (Debian 8)
deb https://public-packages.pennock.tech/pt/debian/jessie/ jessie main
Ubuntu Trusty (14.04.x; LTS; support ending soon)
deb https://public-packages.pennock.tech/pt/ubuntu/trusty/ trusty main

All of these are currently amd64-only, although they declare as ready for more. Other architectures added as it suits us.

Setup for minimal trust

This requires a new enough version of the apt package management tools.
Debian Stretch and Ubuntu Xenial & Bionic are new enough. Debian Jessie and Ubuntu Trusty are not.

# This example uses Xenial, but only the 'echo' line changes
# These commands are run as root; if not root, then use sudo first to run
# these commands; using 'sudo' at the front won't help for the redirection
# lines.
apt install apt-transport-https
printf > /etc/apt/preferences.d/pennocktech.pref 'Package: *\nPin: origin public-packages.pennock.tech\nPin-Priority: 100\n'
mkdir -pv /etc/apt/keys
curl -Ss https://public-packages.pennock.tech/apt-repo-key.raw > /etc/apt/keys/pennocktech.gpg
echo 'deb [signed-by=/etc/apt/keys/pennocktech.gpg] https://public-packages.pennock.tech/pt/ubuntu/xenial/ xenial main' > /etc/apt/sources.list.d/pennocktech.list
apt update
apt install optgnupg-gnupg

Refer to Debian's UseThirdParty documentation for more depth on what is happening here. Note that the pinning step is keeping this repository for being used for any packages if they've already been installed from elsewhere, thus we don't get to replace system packages.

Setup with global keyring

This grants more trust to us. Use the above mechanism if you can.
If you're on Debian Jessie (8) or earlier, (or Ubuntu Trusty (14.04) or earlier) then you'll need to use the global keyring because the signed-by option is not supported and is ignored.
Note that writing to files in /etc/apt/trusted.gpg.d/ instead of importing to apt-key does not change the security posture.

jessie# apt install apt-transport-https
jessie# echo 'deb https://public-packages.pennock.tech/pt/debian/jessie/ jessie main' > /etc/apt/sources.list.d/pennocktech.list
jessie# curl -Ss https://public-packages.pennock.tech/apt-repo-key.asc | apt-key add -
jessie# apt update
jessie# apt install optgnupg-gnupg

While you can write:

echo 'deb [signed-by=5CAF09C9C79F88B5D526D4058AC8EE39F0C68907] https://public-packages.pennock.tech/pt/debian/jessie/ jessie main' > /etc/apt/sources.list.d/pennocktech.list
note that Jessie and Trusty do not support the signed-by directive, so you're just fooling yourself about the level of security provided. With this form, an unsupported signed-by is no restriction, so any key can be used. With the file-path form, an unsupported signed-by without the key in the global apt keyring means that there is no usable trust anchor, and things break.


Packages