Creating my own pkgbase distribution

[martin_b]

I have a git clone of FreeBSD's sources, with minor local patches in a private branch based on stable/15 and my own kernel configuration files (a few different ones for different systems, so not just GENERIC). So far, I have been using "make buildworld buildkernel" (most of the time with -DWITHOUT_CLEAN) and "make installkernel installworld distribution" to build the system and install it in a temporary directory. Using some scripts, I find the differences to the installation currently running in one of my systems and apply only these to upgrade the system. This way I am doing an upgrade of only the changed parts.

I want to switch this process to use locally generated base packages instead, so that it becomes easier to upgrade multiple machines. I have switched to /usr/src/release and run "make real-release", which gives me a bunch of packages in
/usr/obj/usr/src/amd64.amd64/release/pkgbase-repo/FreeBSD:15:amd64. From here, I have several questions:
- These packages are not signed. How could they be created using my existing signing key?
- These packages are tagged with the exact time "make real-release" was run. I suspect that when redoing "make real-release", I'll get a completely new set of packages, and if I somehow were to use this to update my systems using "pkg upgrade", everything would be upgraded instead of only the changed parts. How can I create these packages in a way that only changed packages will be recreated?

I am already upgrading my ports using locally generated packages, there the version reflects that of the port, hence only changed ports get upgraded. I would like to achieve the same with base packages.

Finally, how do the packages distributed by FreeBSD work, specifically for stable/15? - Do they also reflect the creation date and hence will lead to an upgrade of the whole base system whenever they are recreated? - How often are they recreated?

-- Martin

 

[martin_b]

I have now consulted the build(7) manual page and seen that it is possible to run "make packages" and "make update-packages" directly in /usr/src, which then places packages under /usr/obj/usr/src/repo. I'll try this. Still, how can I sign such packages? Also, how can I convert my existing installations in the various systems to use these packages?

 

[drhowarddrfine]

Chapter 4. Installing Applications: Packages and Ports

FreeBSD provides two complementary technologies for installing third-party software: the FreeBSD Ports Collection, for installing from source, and packages, for installing from pre-built binaries

docs.freebsd.org

 

[vermaden]

You can do that with verimg(8) available here:

- https://github.com/vermaden/verimg

 

[martin_b]

Thank you, I'll have a look.

 

[anguisette]

how can I sign such packages?

set $PKG_REPO_SIGNING_KEY when running make update-packages. the value of that variable is passed to pkg-repo(8) as the second argument, which specifies the private key or a signing command.

Also, how can I convert my existing installations in the various systems to use these packages?

pkgbasify is the supported way to do this.

 

[anguisette]

Finally, how do the packages distributed by FreeBSD work, specifically for stable/15? - Do they also reflect the creation date and hence will lead to an upgrade of the whole base system whenever they are recreated?

for development branches (main, stable/*), the packages are the output of make update-packages. since update-packages only increments the version number when the package has changed, only packages which contain new or updated files will be upgraded. some changes can cause a lot of packages to be updated; the most common is changes to __FreeBSD_version, because that is embedded in the ELF header of all executables, but changes to __FreeBSD_version in stable are fairly uncommon.

packages for release branches (releng/*) are built and distributed by the security team in broadly the same way, but each update is processed by hand and they might decide not to update a particular package if the update isn't necessary. i'm not aware of whether that's ever been done so far.

How often are they recreated?

for development branches, "base_latest" is built twice a day, and "base_weekly" is built once a week on Sunday.

 

[martin_b]

for development branches (main, stable/*), the packages are the output of make update-packages. since update-packages only increments the version number when the package has changed, only packages which contain new or updated files will be upgraded. some changes can cause a lot of packages to be updated; the most common is changes to __FreeBSD_version, because that is embedded in the ELF header of all executables, but changes to __FreeBSD_version in stable are fairly uncommon.

packages for release branches (releng/*) are built and distributed by the security team in broadly the same way, but each update is processed by hand and they might decide not to update a particular package if the update isn't necessary. i'm not aware of whether that's ever been done so far.



for development branches, "base_latest" is built twice a day, and "base_weekly" is built once a week on Sunday.

Thank you for your detailed explanations!