I'm currently running Debian's rolling release (aka "testing") on my main
machine and have added some stuff to make that nicer.
First thing I have is configuration and package management.
Since I have relatively few machines, I am using a metapackage per machine that
installs some configuration files with changes that I want.
The metapackages depend on packages that I need installed so that I can mark
all other packages as being automatically installed.
The metapackages are also useful for documenting why I have things installed.
It depends on things like task-laptop from tasksel, hardware support packages,
the GUI I use, games I play often and so on.
My laptop does not have a CD/DVD drive so I have some metapackages to fool
apt into ignoring dependencies on CD/DVD related packages I don't need.
I'm building the metapackages using equivs-build and a small Makefile.
I use the File: header supported by equivs-build for installing config files.
I have popcon installed and enabled but I don't want it to leak the names of the
metapackages so I have added a prefix to my metapackages and modified
the popcon cron job to remove anything containing that prefix.
I also don't want apt to ever remove the metapackages so I mark them as
Important: yes and configure apt to never autoremove them.
/etc/apt/apt.conf.d/99metapackages:
I am using Raphael Geissert's mirror redirector in order to automatically
use up-to-date and hopefully non-broken mirrors.
Unfortunately this often causes apt to complain about hash sum mismatches
and then proceed to forget about all packages.
I work around this by always running apt-get update in a loop until it succeeds.
A lot of the time I need to install packages from outside of testing.
So my sources.list contains lines for testing, unstable and experimental.
I have some apt pinning so that by default I only have packages from
testing but if I manually upgrade some packages to unstable or experimental,
then I will get upgrades within that suite until those packages migrate down to
unstable or testing.
The apt pinning needs priorities between 1000 and 500 for this to work nicely.
I also pin some things like lintian, debian-policy and devref
to unstable/experimental since having old versions of those is not useful.
/etc/apt/sources.list:
/etc/apt/preferences.d/system:
/etc/apt/preferences.d/packages:
I have a few configuration files and a cron job to make all programs dump
core files when they crash so that I can file bugs, even for random crashes
that are not easy to reproduce.
I enabled some kernel settings with sysctl,
lifted some security limits to enable core dumps,
and added a cron job to delete old core dumps and
notify me of new core dumps.
In my shell configuration I also turn on two glibc options to cause
programs to crash when they have improper memory management.
I also have a second machine I use for bug discovery where I have lots of stuff
installed and everything apt pinned in the opposite way; experimental > unstable > testing.
When I have time I use this machine to do testing of packages I use, classes of
packages that I care about (such as games) and sometimes packages I do not use.
/etc/sysctl.d/corefiles.conf:
/etc/security/limits.d/corefiles.conf:
/etc/cron.daily/corefiles:
~/.bash.d/malloc:
I unfortunately need some packages from contrib/non-free, so
I have a cron job to let me know when I accidentally install new packages from
contrib/non-free.
I backup my dpkg package selections and debconf databases.
I notify myself of changes to the list of new packages so that I can review them,
install any useful/interesting ones and tell aptitude to forget them all.
I notify myself of changes to the list of packages I have installed that are not
up-to-date packages from testing.
This helps me catch packages removed from testing/unstable/etc that I use.
I notify myself of packages that I maintain that are having issues migrating to testing.
I considered doing the same for teams I am involved in but they aren't particularly
functional teams so there would be a lot of noise.
I notify myself of RC bugs that apply to testing and are installed.
The list is so long that it just makes me depressed instead of
motivated to help fix RC bugs so I only notify myself of changes.
Even then I rarely do anything other than delete the notifications.
If you are looking for ways to help Debian, fixing RC bugs is a great choice.
I notify myself of packages that are orphaned or need a new maintainer.
There are usually so many packages in this list that it is not useful,
so I only notify myself of changes to the list.
I rarely adopt packages because I feel overloaded already.
If you are looking for ways to help Debian, adopting packages is a good choice.
One of my packages is for interacting with servers on the Internet,
so I need to run tests periodically to ensure the package works.
I do that with a simple Makefile but maybe I need to move to
autopkgtest, need to find out if it saves data between runs first.
I install debsecan so that I get notified of security updates in unstable
and new security issues that are not fixed yet.
The way debsecan works is that it notifies about changes in security issues
and updates and also includes a full list of all known unfixed issues.
I generally install security updates from unstable when I see them.
The list of unchanged issues is so long that it makes me wonder
how many times I've been cracked already.
The oldest issue goes back to 2002 but most of them are 2010 or later.
The various parts of WebKit are by far the worst security offenders.
I don't bother with the white-listing functionality due to the
quantity of security issues and because it isn't possible to
add a comment about each white-list item.
If you want to get involved with the security team, reporting issues
with the data in the security tracker is a good idea.
I subscribe to the ftpmaster RSS feeds for new and removed packages
to keep up to date with changes in the archive.
A lot of the above applies to running systems based on Debian stable too.
If you have any other thoughts about running Debian systems, please blog about them.
The diffcmdoutput command used above is a simple shell script: