Housekeeping after the Debian bullseye release

For mini-buildd 1.0.x only.

The Debian bullseye release implicitly inflicts some mandatory (new apt keys!) as well as some minor recommended housekeeping on an existing mini-buildd installation.

So this is what I would recommend you do -- assuming a basic setup, close to what the wizards would set up automatically.

Preliminary

Given how the configuration currently works (i.e., affecting dependencies when you change things), you might want

  • to stop the daemon before starting your housekeeping
  • and try to get all your changes done in one flow (to minimize the costly "PCA action" on repos and chroots later...)

Update to >= 1.0.49 and run Source wizards

1.0.49 adds wizard support for newly available sources (like bullseye-backports, buster-backports-sloppy, and also possibly new Ubuntu releases). Obviously not mandatory, but it really helps with the housekeeping.

With 1.0.49 installed, run (in the admin configuration):

  • Sources:Sources Debian wizard: Will get you new Debian sources the wizard knows about.
  • Sources:Priority sources Extras wizard: Adds prio sources for new sources from last step.

Sources: Fix apt keys

There are three new keys from Debian:

Chances are they have already been added by the source wizard run in the previous step. Make sure you have these as AptKeys instances, verify and make them shiny green.

With the release of bullseye, repo signatures have also changed in other codenames. As in 1.0.x every key a Release is signed with needs to be in the Source, here is a list to help in manually fixing this mess up:

[stretch/updates]: Success: EDA0D2388AE22BA9 (AA8E81B4331F7F50): Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[stretch/updates]: Success: 4DFAB270CAA96DFA (112695A0E562B32A): Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[sid]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[sid]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[buster/updates]: Success: 4DFAB270CAA96DFA (112695A0E562B32A): Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[buster/updates]: Success: A48449044AAD5C5D (54404762BBB6E853): Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[bullseye-security]: Success: 4DFAB270CAA96DFA (112695A0E562B32A): Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[bullseye-security]: Success: A48449044AAD5C5D (54404762BBB6E853): Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[stretch]: Success: E0B11894F66AEC98 (04EE7237B7D453EC): Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[stretch]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[stretch]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[stretch]: Success: EF0F382A1A7B6500 (): Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>
[bullseye]: Success: E0B11894F66AEC98 (04EE7237B7D453EC): Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[bullseye]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[bullseye]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[bullseye]: Success: 605C66F00D6C9793 (): Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
[buster]: Success: E0B11894F66AEC98 (04EE7237B7D453EC): Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[buster]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[buster]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[buster]: Success: DCC9EFBF77E11517 (): Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
[stretch-backports-sloppy]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[stretch-backports-sloppy]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[stretch-backports]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[stretch-backports]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[buster-backports-sloppy]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[buster-backports-sloppy]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[buster-backports]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[buster-backports]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[bullseye-backports]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[bullseye-backports]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>

This manual update process is currently a PITA really, and there will be something much more convenient in 2.0.x.

See: https://ftp-master.debian.org/keys.html, debian-archive-keyring package, apt-key.
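The list above can be turned into a per-source checklist. The following is an added example, not part of mini-buildd: it parses lines in the format shown (the six lines for bullseye and bullseye-security are copied from the list) and reports which signer key ids are absent from a constructed `CONFIGURED` mapping standing in for the keys you have attached to each Source.

```python
import re
from collections import defaultdict

# Copied from the list above: all lines for two of the sources.
SIGNER_LIST = """\
[bullseye-security]: Success: 4DFAB270CAA96DFA (112695A0E562B32A): Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[bullseye-security]: Success: A48449044AAD5C5D (54404762BBB6E853): Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[bullseye]: Success: E0B11894F66AEC98 (04EE7237B7D453EC): Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[bullseye]: Success: DC30D7C23CBBABEE (648ACFD622F3D138): Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[bullseye]: Success: 73A4F27B8DD47936 (0E98404D386FA1D9): Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
[bullseye]: Success: 605C66F00D6C9793 (): Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
"""

# "[source]: status: key id (second id, may be empty): user id"
LINE_RE = re.compile(
    r"^\[(?P<source>[^\]]+)\]: (?P<status>\w+): "
    r"(?P<key>[0-9A-F]{16}) \((?P<second>[0-9A-F]{16})?\): (?P<uid>.+)$"
)

def parse_signers(text):
    """Return {source: {key id: user id}} for every 'Success' line."""
    signers = defaultdict(dict)
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        if m["status"] == "Success":
            signers[m["source"]][m["key"]] = m["uid"]
    return dict(signers)

def missing_keys(signers, configured):
    """Per source, the signer key ids that are not among the configured ones."""
    report = {}
    for source, keys in signers.items():
        missing = sorted(set(keys) - set(configured.get(source, ())))
        if missing:
            report[source] = missing
    return report

# Constructed sample: key ids currently attached to each Source.
CONFIGURED = {
    "bullseye": {"73A4F27B8DD47936"},
    "bullseye-security": {"4DFAB270CAA96DFA", "A48449044AAD5C5D"},
}

if __name__ == "__main__":
    for source, keys in missing_keys(parse_signers(SIGNER_LIST), CONFIGURED).items():
        print(source, "is missing", ", ".join(keys))
```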

Source bullseye: Fix release version

Bullseye's release version (as configured in the bullseye Source) should currently be "BULLSEYE" or "~BULLSEYE". Now with bullseye released, this must be replaced by the actual release version.

FWIW: This default scheme lets you distinguish between packages built while bullseye was rolling and packages built after bullseye was released, just via the package version -- a hint as to which packages you might want/need to rebuild on the actual finished stable release.

To do this, just go to the bullseye Source instance, reveal the "Extra" section, and either

  1. Recommended: Override with "11" (this is the current Debian scheme using only one number as main release version. New default in development mini-buildd).
  2. Override with "110" or remove the override string (this lets mbd guess on check, which will lead to "110" for 1.0.x).

Note that using option 1 may lead to dist-upgrade issues for packages from, for example, a stretch distribution using "90" -- for packages with otherwise the very same versioning. So only use that if you (understand this and) are up to instruct your repo users on remedies, or if you are using the new scheme consistently already anyway.
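Why option 1 can break a dist-upgrade, as an added example (not mini-buildd code): the comparison below follows dpkg's ordering rules for versions without epoch or Debian revision. The `~test<release>+1` suffix is an assumed illustration of a package version that carries the release version.

```python
def _weight(ch):
    """dpkg's weight for a non-digit: '~' first, then letters, then other symbols."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256

def compare_versions(a, b):
    """Compare two version strings (no epoch, no revision); returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs are compared character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _weight(a[i]) if i < len(a) and not a[i].isdigit() else 0
            wb = _weight(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if wa != wb:
                return -1 if wa < wb else 1
            i += 1
            j += 1
        # Digit runs are compared as numbers.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def upgrades(installed, candidate):
    """True if apt would treat candidate as newer than installed."""
    return compare_versions(candidate, installed) > 0

# Same upstream version built for stretch ("90") and for bullseye.
STRETCH_BUILD = "1.0~test90+1"          # assumed suffix format
BULLSEYE_OPTION_1 = "1.0~test11+1"      # release version "11"
BULLSEYE_OPTION_2 = "1.0~test110+1"     # release version "110"

if __name__ == "__main__":
    print("option 1 upgrades stretch build:", upgrades(STRETCH_BUILD, BULLSEYE_OPTION_1))
    print("option 2 upgrades stretch build:", upgrades(STRETCH_BUILD, BULLSEYE_OPTION_2))
```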

Distributions: New extra sources you might want to add

  • bullseye: bullseye-backports
  • buster: buster-backports-sloppy

Also, you might now opt to add Security Sources (named '<codename>/updates' before bullseye) to your distribution (since 1.0.37, there is support to add these and they should also have been created by the wizard run). Note that like any other prio sources, wizards create Security Sources with prio=1 (i.e., opt-in via package dependency). If you want security updates always to be used in builds, update your Security Prio Sources to prio=500.

Update chroots

  • Run Chroots:Default wizard (on the backend you are using). This might yield new chroots if new base sources were added.

Optionally recreate some or all your chroots

... now that you are at it anyway :).

mini-buildd always keeps the base chroots up to date, so this is not strictly necessary. However ;), as a safeguard against any possible evilry that might have crept into your existing base chroots, you might want to do this; there are no drawbacks, it just takes some time.

Just remove the chroots you want to recreate, and then run PCA on them again.

Restart Daemon, Final Touches

Be sure everything you want is finally "green" in the admin config overview (mercilessly run "PCA" on everything that's not ;).

Then, don't forget to restart the Daemon once, either by clicking stop/start as admin in the web app or just by restarting the service:

# service mini-buildd restart

-- else you might experience subtle misbehaviours ;).

In case you have multiple instances, you unfortunately need to do these manual updates (or at least parts of them) on each of these.

In case you created new Distributions, you should build new keyring packages (and migrate the new packages up to stable, at least for new Distributions).

Hth!

S