
I'm interested in who builds the Debian main packages for distribution. I'm aware that packages need to be reproducibly buildable, and I'm not asking about any specific individuals but about the process in general (e.g. how "trust" would be involved here and how decentralized it is).

At https://lwn.net/Articles/676799/ it says:

More generally, Mozilla trusts the Debian packagers to use their best judgment to achieve the same quality as the official Firefox binaries.

At https://wiki.debian.org/Packaging it says:

Debian packages are maintained by a community of Debian Developers and volunteers.

I'm new to Debian so please edit this question if that's needed.

mYnDstrEAm

2 Answers


What I know, I am not an insider, or expert, so read the links at the end.

I know that packages are cryptographically signed by the packager/developers. This allows your system to know who it came from. Your system has the public key of every Debian packager/developer. Therefore there is end-to-end authentication between developer and end user.

Developer keys are swapped between developers, and then added to the system, by adding them to a developer key package.

Developers have to show ID: passport etc to be added as a developer. They also have to build up trust. See difference between maintainer and developer.

See here for more info: https://wiki.debian.org/DebianDeveloper and https://wiki.debian.org/DebianMaintainer


It's a little unclear what you really want to know, since you seem to have found good resources, but I'll try to give a short (and not accurate in every detail) description of the process and hope I get the right parts included (I haven't worked with this in Debian's own repositories, but in different iterations of a setup at work that grew ever bigger and more automated, getting more and more like, as I understand it, Debian's system).

Every (maintained) package in Debian has a developer (or a team of developers), who locally (i.e. on his own machine(s)) takes the upstream source code and makes some files that detail how a Debian package should be made. He then collects that into a source package, which he signs with GPG and uploads to one of Debian's systems. If that system can verify that the source package came from a developer (by virtue of having a valid signature), it then sends the source package to a build host for each relevant architecture. Those packages, along with any binary packages uploaded directly by the developer, are then uploaded to the relevant repositories and distributed to mirrors, from where you download and install them. The build host also signs the built packages (with some common key; it obviously cannot sign stuff with developers' private keys), and the repository verifies those signatures.

Stephen Kitt
  • This is exactly what I wanted to know. Thank you. How are the developers chosen / assigned to specific packages? Is it open for everyone to do and people simply come forward to volunteer? Also, are there already mechanisms built in that allow people to build packages themselves and verify the dev-build's integrity (e.g. verification counters with public keys of people who verified next to packages in Synaptic)? – mYnDstrEAm May 29 '17 at 12:48
  • Debian is volunteer-based; packages are not "assigned" so much as "taken", though the Debian QA team occasionally needs to take over abandoned packages. Maybe google "wnpp". – tripleee May 29 '17 at 13:09
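The chain both answers describe ends on your own machine: apt checks the archive's signature on the Release file against the keys in the debian-archive-keyring package, and from there every lower layer (the Packages index, then each .deb) is verified by hash alone, so a mirror cannot swap a package without breaking a hash that is covered by the signature. The following Python script is an added illustration of that hash chain, not code from either answer and not Debian's apt code; the Release, Packages and .deb contents are constructed inline, and the gpgv signature check on Release is assumed to have already passed.

```python
"""Model of the APT integrity chain below the signature: Release -> Packages -> .deb.

Constructed example. In a real system the Release/InRelease file is first checked with
gpgv against /usr/share/keyrings/debian-archive-keyring.gpg; everything below that
is hash and size comparison, which is what this script reproduces on sample data.
"""
import hashlib
import hmac
import re

# Constructed .deb payload (a real .deb is an ar archive; the bytes are irrelevant here).
DEB_NAME = "hello_1.0-1_amd64.deb"
POOL_PATH = f"pool/main/h/hello/{DEB_NAME}"
DEB_BYTES = b"!<arch>\nconstructed sample payload, not a real package\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Packages index (dists/<suite>/main/binary-amd64/Packages), one stanza.
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES_TEXT = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {POOL_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()

# Constructed Release file: the part the archive key's signature covers.
RELEASE_TEXT = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Architectures: amd64\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other header ends the hash section
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (sha256, size)} from a Packages index (RFC 822-style stanzas)."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if {"Filename", "SHA256", "Size"} <= fields.keys():
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def check_entry(expected: tuple, data: bytes) -> bool:
    """Size first (cheap), then a constant-time digest comparison."""
    digest, size = expected
    return len(data) == size and hmac.compare_digest(digest, sha256_hex(data))


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    entries = parse_release_sha256(release_text)
    return index_path in entries and check_entry(entries[index_path], index_bytes)


def verify_deb(packages_text: str, pool_path: str, deb_bytes: bytes) -> bool:
    entries = parse_packages(packages_text)
    return pool_path in entries and check_entry(entries[pool_path], deb_bytes)


def verify_chain(release_text, index_path, index_bytes, pool_path, deb_bytes) -> bool:
    """Signature on Release assumed verified; accept the .deb only if every link holds."""
    if not verify_index(release_text, index_path, index_bytes):
        return False
    return verify_deb(index_bytes.decode(), pool_path, deb_bytes)


def forged_index_for(deb_bytes: bytes) -> bytes:
    """A mirror-side forgery: a Packages index rewritten to match a tampered .deb."""
    return (
        PACKAGES_TEXT.replace(sha256_hex(DEB_BYTES), sha256_hex(deb_bytes))
        .replace(f"Size: {len(DEB_BYTES)}", f"Size: {len(deb_bytes)}")
        .encode()
    )


if __name__ == "__main__":
    print("genuine:", verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, POOL_PATH, DEB_BYTES))
    bad = DEB_BYTES + b"extra"
    print("tampered .deb:", verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, POOL_PATH, bad))
    print("tampered .deb + forged index:",
          verify_chain(RELEASE_TEXT, INDEX_PATH, forged_index_for(bad), POOL_PATH, bad))
```

The forged-index case is the instructive one: the rewritten Packages file does match the tampered .deb on its own, which is why apt never trusts an index that is not itself covered by the signed Release file.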