On Debian-based distros, when an app is available as a DEB or an AppImage (that doesn’t self-update), but no APT repository, PPA or Flatpak, the only option is to manually download each update, and usually manually check even whether there are updates.
But, what if those would be upgraded at the same time as everything else using the tools you’re familiar with ?
dynapt is a local web server that fetches those DEBs (and AppImages to be wrapped into DEBs) wherever those are, then serves these to APT like any package repository does.
I started building it a few months ago, and after using it to upgrade apps on my computers and servers for some time, I pre-released it for the first time last week.
The stable version will come with a CLI wizard to avoid this manual configuration.
Feedback is welcome :)
Obtainium but for Debian, nice
Such a security risk though, but still better than curling scripts into sudo
I mean they could add a diff thing, like how AUR helpers do it. It’s not much, but it’s something.
I’d say going directly to a developer’s github page for packages isnt too bad, especially now with all of the security features github has in the background, but yea technically true.
Thanks !
If I’d decide to implement something like this, I’d consider two options: local repo with
file://scheme or custom apt-transport. HTTP server is needless here. (But I’ll never do this because I prefer to rebuild packages myself if there’s no repo for my distro.)local repo with
file://schemeWith that, I couldn’t trigger a download when
apt updateis ran, I could only do a cron, i.e. a delay, that I do not want.custom apt-transport
I thought about that, but found no documentation on how to do it. If you have any, I’m interested.
Even just finding documentation on how to generate DEBs and APT repository metadata files was very hard.
It is documented in
libapt-pkg-doc(/usr/share/doc/libapt-pkg-doc/method.html/index.html).In an APT package OMG 😂
I found an online version though, which I would never have found through my search engine (and on a site that doesn’t even support HTTPS) 😅
Looks like difficult reading too 😭
Thanks anyway.
Yeah, I don’t have the skill for this. I’d be very happy if someone else would make this, but if not then I’m sticking to HTTP.
I went way down the rabbit hole on this one and ended up with a proof of concept that’s probably close enough to be able to wire it up: https://gitlab.com/-/snippets/3745244
I guess it didn’t end up too much code, but I’m not entirely sure it’s worth it.
(it’s after 3 AM? oh no what have I done)
differently hacky idea:
since you do end up with all the packages in a repository on the filesystem, and you just want to have it do this just-in-time updating when the Packages file is accessed…
what if you list it as a normal
fileapt source, but you make the Packages file a FIFO?it’s a cursed idea but I’m not sure it is any less cursed than the other options we’ve come up with.
it may or may not help to have systemd.socket manage creating the FIFO and running the service.
Neat! Thanks for sharing!
Thank you for your appreciation !
Looks great, well done.
Personally, the
deb-related annoyance that I have encountered most often in recent years is that there is an APT repo but I have to jump thru hoops to add it. An example issignal-desktop, where the handy one-click installation goes like this:# 1. Install our official public software signing key: wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null # 2. Add our repository to your list of repositories: echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\ sudo tee /etc/apt/sources.list.d/signal-xenial.list # 3. Update your package database and install Signal: sudo apt update && sudo apt install signal-desktopWhy does Debian-Ubuntu not provide a simple command for this? Yes there is
add-apt-repositorybut for some reason it doesn’t deal with keys. I’ve had to deal with this PITA on multiple occasions, what’s up with this?Thanks, and agreed !
Fortunately, copy/pasting works and you only have to do it once.
I like it. Wonder if this could be retooled to work on
rpm-ostreesystems, because any layered packages installed from RPM files have the same limitation of needing to be manually upgraded.I don’t know anything about RPMs, but if you or anyone is familiar with it then perhaps !
Great idea!
Thanks !
Willing to give this a go. My go-to for getting non-repo debs automatically has been deb-get which works well but seems susceptible to issues when changes in the software it lists causes it to break and whilst the fix itself is usually made pretty quickly, it seems to go long periods of time between PR merges and releases (which includes adding new software). If this is a viable replacement for it then i’d love to start using it.
Willing to give this a go.
Alright, don’t hesitate to ask questions if you have any and request help if you need any
My go-to for getting non-repo debs automatically has been deb-get
Yes, I mentioned it in the Differences with deb-get & AM section of my tutorial.
it seems to go long periods of time between PR merges and releases (which includes adding new software)
Yeah, I could reiterate in that section that my app allows the user to add apps themselves.
Sorry to be that guy, but this sounds like a cybersecurity nightmare. While everybody was busy to come up with schemes that make absolutely sure that only trusted sources can update a system to avoid having malicious players push their code to users, this one just takes any rando’s pile of whatever and injects it straight into the system’s core? Like, that doesn’t sound like a good idea.
Well, I’m just automating what people currently have to do manually : visit GitHub and download DEB and install DEB.
If the automated process would be dangerous then the manual process also would be, and that would be on the maintainer for not providing an APT repository or a Flatpak, not on the user for just downloading from GitHub.
Well, I’m just automating what people currently have to do manually : visit GitHub and download DEB and install DEB.
Yeah. You should never do that. Like ever. Build from source; or use a vendored tarball. https://wiki.debian.org/DontBreakDebian
.deb is a terribly insecure nightmare thats held up by the excellent debian packagers, gpg , and checksums, and stable release model. don’t use .deb files.
I’m and end user working for end users.
I’m and end user
Yeah, we all are. What’s your point?
End users are also developers. All computer users are developers. You are developing.
user working for end users
By making a script that lets me get backdoors and shitty packages with ease? The linux package distribution system is a nightmare, Debian is the least bad approach. There is basically always a better option to using a .deb file. If you come across something that isn’t packaged, I recommend Flatpak, building from source (and installing unprivileged), or using the developers vendored tarball (installing unprivileged).
https://wiki.debian.org/SecureApt
By using local .debs you lose the benefit of:
Reproducible builds
GPG checksums
Stable release model
debian security team
My point is that I’m working a solution for end users.
The solutions you’re offering are not user-friendly.
No matter where you install from, you have to trust the source. Indeed, you have to trust every step in the supply chain.
If you are getting your code straight from the author, you are eliminating an exploit that’s introduced by a compromised account of a packager.
Carry on.
This might be for the better, but Discord was so infuriating about updates and forcing you to download them what felt like 50% of the time I opened it, I gave up and just use it in Ungoogled Chromium now. I’m pretty sure within a few months I ended up having 15+ debs of Discord in my Downloads folder.
For anyone else trying to use the native Discord app on Debian, I think they’ll find this a major treat.
This is 100% of the reason that I use the discord flatpak.
Sorry to ask, but isn’t this basically the same thing as apt-cacher-ng?
Sorry to ask
Don’t be. I would love to know that an existing and more experienced program does what mine does.
I’ve been looking for it myself for a long time before deciding to build it.
isn’t this basically the same thing as apt-cacher-ng?
Here’s what I’m reading :
Apt-Cache-ng is A caching proxy. Specialized for package files from Linux distributors, primarily for Debian (and Debian based) distributions but not limited to those.
A caching proxy have the following benefits:
- Lower latency
- Reduce WAN traffic
- Higher speed for cached contents
+------------+ +------------+ +------------+ | Apt Client | <------+ Apt Cache | <------+ Apt Mirror | +------------+ +------------+ +------------+So, not the same thing.
It locally mirrors existing repositories containing existing packages, it doesn’t locally create a new repository for new packages from standalone DEBs.
OK yeah, I wasn’t sure if it had a way to collect debs from other sources. I’ve been using it for years to locally cache the standard Debian repos so I don’t need to re-download packages every time I update my various servers and VMs, but I haven’t really tried using it for anything beyond that.
