Security updates for stable and (old)+stable in a clean chroot.

Sep 2, 2016 (last updated on Sep 22, 2018), by Hugo Lefeuvre.

Preparing security uploads for Debian stable requires a slightly different packaging workflow as the one required for unstable, especially when it comes to building packages. In fact, security updates and backports should necessarily be built and tested in the environment they are prepared for.

In this blog post we'll speak about a specific pbuilder configuration which makes build of backports and security uploads easier.

Command line arguments

pbuilder already allows you to set up several system tarballs, which you can build via

$ pbuilder create --basetgz <path for the tarball> --distribution <distribution>

e.g.

$ pbuilder create --basetgz /var/cache/pbuilder/oldoldstable-amd64-base.tgz --distribution oldoldstable

to build a Wheezy system tarball.

These tarballs can be updated via pbuilder update --basetgz <tarball path>.

That way, you can create a tarball for each version of Debian you want to build for, and specify the path of the tarball via the --basetgz option when building packages.

Configuration

Naturally, you don't have to pass --basetgz for every single build. With a bit of configuration, pbuilder can choose the right tarball for you!

The Debian wiki already suggests a configuration file which enables automatic detection of the goal distribution in the general case. My changes allow the support of -security archives for security uploads as well the support for oldoldstable (useful for LTS work) and UNRELEASED targets.

# Codenames for Debian suites according to their alias. Update these when
# needed.
UNSTABLE_CODENAME="sid"
TESTING_CODENAME="buster"
STABLE_CODENAME="stretch"
OLDSTABLE_CODENAME="jessie"
OLDOLDSTABLE_CODENAME="wheezy"

STABLE_BACKPORTS_SUITE="$STABLE_CODENAME-backports"
STABLE_SECURITY_SUITE="$STABLE_CODENAME-security"
OLDSTABLE_SECURITY_SUITE="$OLDSTABLE_CODENAME-security"
OLDOLDSTABLE_SECURITY_SUITE="$OLDOLDSTABLE_CODENAME-security"

# List of Debian suites.
DEBIAN_SUITES=($UNSTABLE_CODENAME $TESTING_CODENAME $STABLE_CODENAME
               $OLDSTABLE_CODENAME $OLDOLDSTABLE_CODENAME
               $STABLE_BACKPORTS_SUITE $STABLE_SECURITY_SUITE
               $OLDSTABLE_SECURITY_SUITE $OLDOLDSTABLE_SECURITY_SUITE
               "unstable" "testing" "stable" "oldstable" "oldoldstable")

# Mirrors to use. Update these to your preferred mirror.
DEBIAN_MIRROR="ftp.de.debian.org"

# Optionally use the changelog of a package to determine the suite to use
# if none set.
if [ -z "${DIST}" ] && [ -r "debian/changelog" ]; then
    DIST=$(dpkg-parsechangelog --show-field=Distribution)

    # Use the unstable suite for Debian experimental packages.
    if [ "${DIST}" == "experimental" ]; then
        DIST="unstable"
    fi

    # Use the unstable suite for unreleased packages.
    if [ "${DIST}" == "UNRELEASED" ]; then
        DIST="unstable"
    fi
fi

# Optionally set a default distribution if none is used. Note that you can
# set your own default (i.e. ${DIST:="unstable"}).
: ${DIST:="$(lsb_release --short --codename)"}

# Optionally change Debian codenames in $DIST to their aliases.
case "$DIST" in
    $UNSTABLE_CODENAME)
        DIST="unstable"
        ;;
    $TESTING_CODENAME)
        DIST="testing"
        ;;
    $STABLE_CODENAME)
        DIST="stable"
        ;;
    $STABLE_SECURITY_SUITE)
        DIST="stable"
        ;;
    $OLDSTABLE_CODENAME)
        DIST="oldstable"
        ;;
    $OLDSTABLE_SECURITY_SUITE)
        DIST="oldstable"
        ;;
    $OLDOLDSTABLE_CODENAME)
        DIST="oldoldstable"
        ;;
    $OLDOLDSTABLE_SECURITY_SUITE)
        DIST="oldoldstable"
        ;;
esac

# Optionally set the architecture to the host architecture if none set.
# Note that you can set your own default (i.e. ${ARCH:="i386"}).
: ${ARCH:="$(dpkg --print-architecture)"}

NAME="$DIST"
if [ -n "${ARCH}" ]; then
    NAME="$NAME-$ARCH"
    DEBOOTSTRAPOPTS=("--arch" "$ARCH" "${DEBOOTSTRAPOPTS[@]}")
fi
BASETGZ="/var/cache/pbuilder/$NAME-base.tgz"
DISTRIBUTION="$DIST"
BUILDRESULT="/var/cache/pbuilder/$NAME/result/"
APTCACHE="/var/cache/pbuilder/$NAME/aptcache/"
BUILDPLACE="/var/cache/pbuilder/build/"

if $(echo ${DEBIAN_SUITES[@]} | grep -q $DIST); then
    # Debian configuration
    MIRRORSITE="http://$DEBIAN_MIRROR/debian/"
    COMPONENTS="main contrib non-free"
    if $(echo "$STABLE_CODENAME stable" | grep -q $DIST); then
        OTHERMIRROR=
    "$OTHERMIRROR | deb $MIRRORSITE $STABLE_BACKPORTS_SUITE $COMPONENTS"
    fi
else
    echo "Unknown distribution: $DIST"
    exit 1
fi