Want to distribute your Debian packages? Bintray is the tool for you!
Now it’s even better with improved support, including the current Debian repository format (a.k.a. “automatic” layout), in addition to the deprecated “trivial” layout, and signing metadata with GPG. All you need to do is upload your .deb files, and Bintray will calculate and sign the metadata (index) automatically for you. We took the excellent debian support in Artifactory and reapplied it in Bintray.
Debian Repository Formats, What Do You Mean?
A Debian repository contains metadata files with information on the packages it includes and their structure within the repository. The main ones are the “Packages” and “Release” files. Debian clients, such as apt-get, seek out these metadata files.
There are two supported repository metadata layouts:
This is the deprecated repository layout, however it is still used quite commonly. In this layout all the metadata files are stored in the root directory of the repository, so it can be useful when you are only hosting a bunch of files with no well defined structure in the repository.
This is the default layout, and it contains information on the included distributions. Each distribution can include multiple components (e.g. “main”, “free”, …), each component can include multiple architectures (e.g. “amd64”, “i386”, …).
Signing a Debian Distribution
Debian has a great feature to increase your clients’ trust – for them to be sure they are downloading your packages and not some other phony packages. This is done by using GPG to sign the “Release” file. Each “Release” file includes hash values of all the relevant “Packages” files in the distribution. The “Packages” files include hash values of all the included .deb files. So by signing the “Release” file it actually signs the entire distribution!
You can have Bintray automatically sign your metadata with GPG for you. All you need to do is set the GPG key for the the user or organization who owns the repository. You can even have your GPG key require a passphrase (read on). Don’t want to set a GPG key? No worries – your metadata is still there, just not signed. Bear in mind that your clients will need to approve using your unsigned repository.
Uploading and Publishing Debian Files
You can upload files using the REST API or from Bintray’s UI. If your repository has the “automatic” layout, Bintray needs to know which .deb file is included in each distribution, so each uploaded .deb file must be assigned with the distributions, components and architectures to which it should be included.
Have a look under your repository’s “Set me up!” link for some quick tips on how to configure this:
For example, let’s consider an organization called myorg with a distribution called mydist that maintains the main component. Now let’s say that for version 0.0.1 we developed a new package called mypack for i386 architecture, but it is also supported by amd64. In Bintray, we will store this package in a Bintray package called mypack, and for consistency, we will call the version 0.0.1 (although this is not strictly required). According to the convention of the “Automatic” layout, we will store the .deb files in the following path:
Using the REST API, it is very simple to upload the .deb file, specify the target file path, and set the distribution-related information:
curl -X PUT -T libmypack_0.0.1_i386.deb -umyuser:<API_KEY> https://api.bintray.com/content/myorg/myrepo/mypack/0.0.1/pool/main/m/mypack/libmypack_0.0.1_i386.deb;deb_distribution=mydist;deb_component=main;deb_architecture=i386,amd64
In order to publish your artifacts, just add the “publish=1” HTTP matrix parameter to the request above, or use the publish REST API:
curl -X POST -umyuser:<API_KEY> https://api.bintray.com/content/myorg/myrepo/mypack/0.0.1/publish
Your GPG key requires a passphrase? not a problem – just add an “X-GPG-PASSPHRASE” request header with your passphrase. This can be done in both the upload API (with “publish=1”) and publish API:
Triggering Metadata Calculation
If your GPG key requires a passphrase, but it’s not provided, then your metadata will be calculated, but it won’t be signed (for example, when uploading packages using the Bintray UI where the passphrase cannot be currently specified). To get around this, you should use the REST API where you can specify the passphrase and trigger the metadata calculation:
curl -X POST -H “X-GPG-PASSPHRASE: passphrase” -umyuser:<API_KEY> https://api.bintray.com/calc_metadata/myorg/myrepo/
More information on the REST API can be found in the Bintray documentation.
Downloading Debian Packages
If you’re using the default “automatic” layout, your Debian repository in Bintray can be used as a Personal Package Archive (PPA). For users to get your packages, all they need to do is add your repository to their sources list. For example, when using apt-get, to add the myrepo repository of myorg, the following line should be added to the “sources.list” file (found under “/etc/apt/sources.list”):
deb http://dl.bintray.com/v1/content/myorg/myrepo mydist main
Alternatively, you could just add the repository URL using the “Software Sources” admin UI:
Once the “sources.list” is set, your users can get and install your mypack package from your mydist distribution and main component using:
$ apt-get install mypack
So, Debian and Bintray just go hand-in-hand. You get everything you need for your Debian distribution – automatic metadata calculation, GPG signing, download statistics, new release notifications, and a fully-automated, super reliable and fast download platform. This is in addition to all the other great features Bintray has. Now you can focus on developing your packages – Bintray will take care of distribution!