Housekeeping after the Debian buster release

The Debian buster release implicitly inflicts some mandatary (new apt keys!) as well as some minor recommended housekeeping on an existing mini-buildd installation.

So this is what I would recommend you to do -- assuming a basic setup, near to what the wizards would set up automatically.


Given how the configuration currently works (i.e., affecting dependencies when you change things), you might want

  • to stop the daemon before starting your housekeeping
  • and try to get all your changes done in one flow (to minimize the costly "PCA action" on repos and chroots later...)

Update to >= 1.0.42 and run Source wizards

1.0.42 adds wizard-support for new sources now available (like buster, buster-backports, stretch-backports-sloppy, and also the new Ubuntu release). Obviously not mandatory, but it will really helps in housekeeping.

Please read why and where 1.0.x maintenance has moved to and check the home page overview if that version is available for the system your mini-buildd runs on.

With 1.0.42 installed, run (in the admin configuration):

  • Sources:Sources Debian wizard: Will get you new Debian sources the wizard knows about.
  • Sources:Priority sources Extras wizard: Adds prio sources for new sources from last step.

Sources: Fix apt keys

There are three new keys from Debian:

Chances are they have already been added by the source wizard run before. Make sure you have these as AptKeys instances, verify and make them shiny green.

With the release of buster, repo keys have also changed in non-buster|bullseye|sid sources. Previously existing sources need to be updated manually. For convenience, here is a list you will likely need to fix up:

  • sid: DC30D7C23CBBABEE, E0B11894F66AEC98
  • buster: E0B11894F66AEC98, EF0F382A1A7B6500, DCC9EFBF77E11517, DC30D7C23CBBABEE
  • buster/updates: EDA0D2388AE22BA9, 4DFAB270CAA96DFA
  • stretch: 7638D0442B90D010, E0B11894F66AEC98, EF0F382A1A7B6500
  • stretch-backports: 7638D0442B90D010, E0B11894F66AEC98
  • stretch/updates: 9D6D8F6BC857C906, EDA0D2388AE22BA9
  • jessie/updates: 9D6D8F6BC857C906, EDA0D2388AE22BA9

This manual update process is currently a PITA really, and there should be something way more convenient eventually.

See:, debian-archive-keyring package, apt-key.

Source buster: Fix release version

Buster's release version (as configured in the buster Source) should currently be "BUSTER" or "~BUSTER". Now with buster released, this must be replaced by the actual release version.

FWIW: This default scheme will put you in the position to distinguish between packages build while buster was rolling, and after buster was released, just via the package version -- hinting you on what packages you might want/need to rebuild on the actual finsihed stable release.

To do this, just go the the buster Source instance, reveal the "Extra" section, and either

  1. Recommended: Override with "100" or remove the override string (this let's mbd guess on check, which will lead to "100" for 1.0.x).
  2. Override with "10" (this is the current Debian scheme using only one number as main release version. New default in development mini-buildd).

Note that using option 2 may lead to dist-upgrade issues for packages from, for example, a stretch distribution using "90" -- for packages with otherwise the very same versioning. So only use that if you (understand this and) are up to instruct your repo users on remedies, or if you are using the new scheme consistently already anyway.

New Distributions

bullseye should be available as new testing. Be sure to have the new bullseye Source activated (PCA):

  • Run Repositories:Distributions:Default wizard, which should give you the new Distribution for bullseye.
  • Add the new bullseye Distribution to the resp. repositories.

Distributions: New extra sources you might want to add

  • buster: buster-backports
  • stretch: stretch-backports-sloppy

Also, you might now opt to add Security Sources (named '<codename>/updates' before bullseye) to your distribution (since 1.0.37, there is support to add these and they should also have been created by the wizard run). Note that like any other prio sources, wizards create Security Sources with prio=1 (i.e., opt-in via package dependency). If you want security updates always to be used in builds, update your Security Prio Sources to prio=500.

Update chroots

  • Run Chroots:Default wizard (on the backend you are using). Thus should give new buster chroots.

Optionally recreate some or all your chroots

... now that you are at it anyway :).

mini-buildd always keeps the base chroots up to date, so this is actually not strictly really necessary. However ;), as a safeguard against any possible evilry that might have crept into your existing base chroots, you might want to do this; there are no drawbacks, it just take some time.

Just Remove the chroots you want to recreate, and then run PCA on it again.

Restart Daemon, Final Touches

Be sure everything you want is finally "green" in the admin config overview (merciless run "PCA" on everything that's not ;).

Then, don't forget to restart the Daemon once (either by clicking an stop/start as admin in the web app) or just by just restarting the service:

# service mini-buildd restart

-- else you might experience subtle misbehaviours ;).

In case you have mutiple instances, you unfortunately need to do these manual updates (or at least parts of it) on each of these.

In case you created new Distributions, you should build new keyring packages (and migrate the new packages up to stable, at least for new Distributions).