1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
---
stage: Package
group: Package Registry
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Debian packages in the package registry
DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
**Status:** Experiment
> - [Deployed behind a feature flag](../../feature_flags.md), disabled by default.
WARNING:
The Debian package registry for GitLab is under development and isn't ready for production use. This [epic](https://gitlab.com/groups/gitlab-org/-/epics/6057) details the remaining
work and timelines to make it production ready. Support for [Debian packages is an experiment](../package_registry/supported_package_managers.md), and has known security vulnerabilities.
Publish Debian packages in your project's package registry. Then install the
packages whenever you need to use them as a dependency.
Project and Group packages are supported.
For documentation of the specific API endpoints that Debian package manager
clients use, see the [Debian API documentation](../../../api/packages/debian.md).
Prerequisites:
- The `dpkg-deb` binary must be installed on the GitLab instance.
This binary is usually provided by the [`dpkg` package](https://wiki.debian.org/Teams/Dpkg/Downstream),
installed by default on Debian and derivatives.
- Support for compression algorithm ZStandard requires version `dpkg >= 1.21.18`
from Debian 12 Bookworm or `dpkg >= 1.19.0.5ubuntu2` from Ubuntu
18.04 Bionic Beaver.
## Enable the Debian API
Debian repository support is still a work in progress. It's gated behind a feature flag that's
**disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can opt to enable it.
WARNING:
Understand the [stability and security risks of enabling features still in development](../../../administration/feature_flags.md#risks-when-enabling-features-still-in-development).
To enable it:
```ruby
Feature.enable(:debian_packages)
```
To disable it:
```ruby
Feature.disable(:debian_packages)
```
## Enable the Debian group API
The Debian group repository is also behind a second feature flag that is disabled by default.
WARNING:
Understand the [stability and security risks of enabling features still in development](../../../administration/feature_flags.md#risks-when-enabling-features-still-in-development).
To enable it:
```ruby
Feature.enable(:debian_group_packages)
```
To disable it:
```ruby
Feature.disable(:debian_group_packages)
```
## Build a Debian package
Creating a Debian package is documented [on the Debian Wiki](https://wiki.debian.org/Packaging).
## Authenticate to the Debian endpoints
Authentication methods differs between [distributions APIs](#authenticate-to-the-debian-distributions-apis)
and [package repositories](#authenticate-to-the-debian-package-repositories).
### Authenticate to the Debian distributions APIs
To create, read, update, or delete a distribution, you need one of the following:
- [Personal access token](../../../api/rest/authentication.md#personalprojectgroup-access-tokens),
using `--header "PRIVATE-TOKEN: <personal_access_token>"`
- [Deploy token](../../project/deploy_tokens/index.md)
using `--header "Deploy-Token: <deploy_token>"`
- [CI/CD job token](../../../ci/jobs/ci_job_token.md)
using `--header "Job-Token: <job_token>"`
### Authenticate to the Debian Package Repositories
To publish a package, or install a private package, you need to use basic authentication,
with one of the following:
- [Personal access token](../../../api/rest/authentication.md#personalprojectgroup-access-tokens),
using `<username>:<personal_access_token>`
- [Deploy token](../../project/deploy_tokens/index.md)
using `<deploy_token_name>:<deploy_token>`
- [CI/CD job token](../../../ci/jobs/ci_job_token.md)
using `gitlab-ci-token:<job_token>`
## Create a Distribution
At the project level, Debian packages are published with **Debian distributions**. At the
group level, Debian packages are aggregated from the projects in the group provided that:
- The project visibility is set to `public`.
- The Debian `codename` for the group matches the Debian `codename` for the project.
To create a project-level distribution using a personal access token:
```shell
curl --fail-with-body --request POST --header "PRIVATE-TOKEN: <personal_access_token>" \
"https://gitlab.example.com/api/v4/projects/<project_id>/debian_distributions?codename=<codename>"
```
Example response with `codename=sid`:
```json
{
"id": 1,
"codename": "sid",
"suite": null,
"origin": null,
"label": null,
"version": null,
"description": null,
"valid_time_duration_seconds": null,
"components": [
"main"
],
"architectures": [
"all",
"amd64"
]
}
```
More information on Debian distribution APIs:
- [Debian project distributions API](../../../api/packages/debian_project_distributions.md)
- [Debian group distributions API](../../../api/packages/debian_group_distributions.md)
## Publish a package
Once built, several files are created:
- `.deb` files: the binary packages
- `.udeb` files: lightened .deb files, used for Debian-Installer (if needed)
- `.ddeb` files: Ubuntu debug .deb files (if needed)
- `.tar.{gz,bz2,xz,...}` files: Source files
- `.dsc` file: Source metadata, and list of source files (with hashes)
- `.buildinfo` file: Used for Reproducible builds (optional)
- `.changes` file: Upload metadata, and list of uploaded files (all the above)
To upload these files, you can use `dput-ng >= 1.32` (Debian bullseye).
`<username>` and `<password>` are defined
[as above](#authenticate-to-the-debian-package-repositories):
```shell
cat <<EOF > dput.cf
[gitlab]
method = https
fqdn = <username>:<password>@gitlab.example.com
incoming = /api/v4/projects/<project_id>/packages/debian
EOF
dput --config=dput.cf --unchecked --no-upload-log gitlab <your_package>.changes
```
## Upload a package with explicit distribution and component
> - Upload with explicit distribution and component [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/101838) in GitLab 15.9.
When you don't have access to `.changes` file, you can directly upload a `.deb` by passing
distribution `codename` and target `component` as parameters with
your [credentials](#authenticate-to-the-debian-package-repositories).
For example, to upload to component `main` of distribution `sid` using a personal access token:
```shell
curl --fail-with-body --request PUT --user "<username>:<personal_access_token>" \
"https://gitlab.example.com/api/v4/projects/<project_id>/packages/debian/your.deb?distribution=sid&component=main" \
--upload-file /path/to/your.deb
```
## Install a package
To install a package:
1. Configure the repository:
If you are using a private project, add your [credentials](#authenticate-to-the-debian-package-repositories) to your apt configuration:
```shell
echo 'machine gitlab.example.com login <username> password <password>' \
| sudo tee /etc/apt/auth.conf.d/gitlab_project.conf
```
Download your distribution key using your [credentials](#authenticate-to-the-debian-distributions-apis):
```shell
sudo mkdir -p /usr/local/share/keyrings
curl --fail-with-body --header "PRIVATE-TOKEN: <your_access_token>" \
"https://gitlab.example.com/api/v4/projects/<project_id>/debian_distributions/<codename>/key.asc" \
| \
gpg --dearmor \
| \
sudo tee /usr/local/share/keyrings/<codename>-archive-keyring.gpg \
> /dev/null
```
Add your project as a source:
```shell
echo 'deb [ signed-by=/usr/local/share/keyrings/<codename>-archive-keyring.gpg ] https://gitlab.example.com/api/v4/projects/<project_id>/packages/debian <codename> <component1> <component2>' \
| sudo tee /etc/apt/sources.list.d/gitlab_project.list
sudo apt-get update
```
1. Install the package:
```shell
sudo apt-get -y install -t <codename> <package-name>
```
## Download a source package
To download a source package:
1. Configure the repository:
If you are using a private project, add your [credentials](#authenticate-to-the-debian-package-repositories) to your apt configuration:
```shell
echo 'machine gitlab.example.com login <username> password <password>' \
| sudo tee /etc/apt/auth.conf.d/gitlab_project.conf
```
Download your distribution key using your [credentials](#authenticate-to-the-debian-distributions-apis):
```shell
sudo mkdir -p /usr/local/share/keyrings
curl --fail-with-body --header "PRIVATE-TOKEN: <your_access_token>" \
"https://gitlab.example.com/api/v4/projects/<project_id>/debian_distributions/<codename>/key.asc" \
| \
gpg --dearmor \
| \
sudo tee /usr/local/share/keyrings/<codename>-archive-keyring.gpg \
> /dev/null
```
Add your project as a source:
```shell
echo 'deb-src [ signed-by=/usr/local/share/keyrings/<codename>-archive-keyring.gpg ] https://gitlab.example.com/api/v4/projects/<project_id>/packages/debian <codename> <component1> <component2>' \
| sudo tee /etc/apt/sources.list.d/gitlab_project-sources.list
sudo apt-get update
```
1. Download the source package:
```shell
sudo apt-get source -t <codename> <package-name>
```
|
