Chapter 6. Building the package

In order to perform a complete (re)build of a package properly, you need to make sure you have installed

Then you issue the following command in the source directory:

$ dpkg-buildpackage -us -uc

This will do everything to make full binary and source packages for you. It will:

If the build result is satisfactory, sign the .dsc and .changes files with your private GPG key using the debsign command. You need to enter your secret pass phrase, twice. ^[62]

For a non-native Debian package, e.g., gentoo, you will see the following files in the parent directory (~/gentoo) after building packages:

The gentoo_0.9.12-1.dsc and gentoo_0.9.12-1_i386.changes files must be signed using the debsign command with your private GPG key in the ~/.gnupg/ directory, before uploading them to the Debian FTP archive. The GPG signature provides the proof that these files are really yours, using your public GPG key.

The debsign command can be made to sign with your specified secret GPG key ID (good for sponsoring packages) with the following in the ~/.devscripts file:

DEBSIGN_KEYID=Your_GPG_keyID

The long strings of numbers in the .dsc and .changes files are SHA1/SHA256 checksums for the files mentioned. Anyone downloading your files can test them with sha1sum(1) or sha256sum(1) and if the numbers don't match, they'll know the file is corrupt or has been tampered with.

Debian supports many ports with the autobuilder network running buildd daemons on computers of many different architectures. Although you do not need to do this yourself, you should be aware of what will happen to your packages. Let's look into roughly how they rebuild your packages for multiple architectures. ^[64]

For Architecture: any packages, the autobuilder system performs a rebuild. It ensures the installation of

Then it issues the following command in the source directory:

$ dpkg-buildpackage -B

This will do everything to make architecture dependent binary packages on another architecture. It will:

This is why you see your package for other architectures.

Although packages listed in the Build-Depends-Indep field are required to be installed for our normal packaging work (see Section 6.1, “Complete (re)build”), they are not required to be installed for the autobuilder system since it builds only architecture dependent binary packages. ^[65] This distinction between normal packaging and autobuilding procedures is what dictates whether you should record such required packages in the Build-Depends or Build-Depends-Indep fields of the debian/control file (see Section 4.1, “control”).

You can automate the build activity around executing the dpkg-buildpackage command package further with the debuild command. See debuild(1).

The debuild command executes the lintian command to make a static check after building the Debian package. The lintian command can be customized with the following in the ~/.devscripts file:

DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc -I -i"
DEBUILD_LINTIAN_OPTS="-i -I --show-overrides"

Cleaning the source and rebuilding the package from your user account is as simple as:

$ debuild

You can clean the source tree as simply as:

$ debuild -- clean

For a clean room (chroot) build environment to verify the build dependencies, the pbuilder package is very useful. ^[66] This ensures a clean build from the source under the sid auto-builder for different architectures and avoids a severity serious FTBFS (Fails To Build From Source) bug which is always in the RC (release critical) category. ^[67]

Let's customize the pbuilder package as follows:

First let's initialize the local pbuilder chroot system as follows:

$ sudo pbuilder create

If you already have a completed source package, issue the following commands in the directory where the foo.orig.tar.gz, foo.debian.tar.gz, and foo.dsc files exist to update the local pbuilder chroot system and to build binary packages in it:

$ sudo pbuilder --update
$ sudo pbuilder --build foo_version.dsc

The newly built packages without the GPG signatures will be located in /var/cache/pbuilder/result/ with non-root ownership.

The GPG signatures on the .dsc file and the .changes file can be generated as:

$ cd /var/cache/pbuilder/result/
$ debsign foo_version_arch.changes

If you have an updated source tree but have not generated the matching source package, issue the following commands in the source directory where the debian directory exists, instead:

$ sudo pbuilder --update
$ pdebuild

You can log into its chroot environment with the pbuilder --login --save-after-login command and configure it as you wish. This environment can be saved by leaving its shell prompt with ^D (Control-D).

The latest version of the lintian command can be executed in the chroot environment using the hook script /var/cache/pbuilder/hooks/B90lintian configured as follows: ^[68]

#!/bin/sh
set -e
install_packages() {
        apt-get -y --allow-downgrades install "$@"
        }
install_packages lintian
echo "+++ lintian output +++"
su -c "lintian -i -I --show-overrides /tmp/buildd/*.changes" - pbuilder
# use this version if you don't want lintian to fail the build
#su -c "lintian -i -I --show-overrides /tmp/buildd/*.changes; :" - pbuilder
echo "+++ end of lintian output +++"

You need to have access to the latest sid environment to build packages properly for sid. In practice, sid may be experiencing issues which makes it undesirable for you to migrate your whole system. The pbuilder package can help you to cope with this kind of situation.

You may need to update your stable packages after their release for stable-proposed-updates, stable/updates, etc. ^[69] For such occasions, the fact that you may be running a sid system is not a good enough excuse for failing to update them promptly. The pbuilder package can help you to access environments of almost any Debian derivative distribution of the same architecture.

See http://www.netfort.gr.jp/~dancer/software/pbuilder.html, pdebuild(1), pbuilderrc(5), and pbuilder(8).

If your upstream uses a source code management system (VCS) ^[70] to maintain their code, you should consider using it as well. This makes merging and cherry-picking upstream patches much easier. There are several specialized wrapper script packages for Debian package building for each VCS.

Use of git-buildpackage is becoming quite popular for Debian Developers to manage Debian packages with the Git server on alioth.debian.org. ^[71] This package offers many commands to automate packaging activities:

These commands use 3 branches to track packaging activity:

You can configure git-buildpackage with ~/.gbp.conf. See gbp.conf(5). ^[73]

With a large package, you may not want to rebuild from scratch every time while you're tuning details in debian/rules. For testing purposes, you can make a .deb file without rebuilding the upstream sources like this^[74]:

$ fakeroot debian/rules binary

Or simply do the following to see if it builds or not:

$ fakeroot debian/rules build

Once you are finished with your tuning, remember to rebuild following the proper procedure. You may not be able to upload correctly if you try to upload .deb files built this way.

Here is a quick summary of how many commands to build packages fit together in the command hierarchy. There are many ways to do the same thing.

• debian/rules = maintainer script for the package building

• dpkg-buildpackage = core of the package building tool

• debuild = dpkg-buildpackage + lintian (build under the sanitized environment variables)

• pbuilder = core of the Debian chroot environment tool

• pdebuild = pbuilder + dpkg-buildpackage (build in the chroot)

• cowbuilder = speed up the pbuilder execution

• git-pbuilder = the easy-to-use commandline syntax for pdebuild (used by gbp buildpackage)

• gbp = manage the Debian source under the git repo

• gbp buildpackage = pbuilder + dpkg-buildpackage + gbp

Although use of higher level commands such as gbp buildpackage and pbuilder ensures the perfect package building environment, it is essential to understand how lower level commands such as debian/rules and dpkg-buildpackage are executed under them.