Package management

You have just created your first package, be it for Python, Node.js or Debian. Each one has several ways it can be distributed to users, and each community has its preferred method for installing software. It can be a bit daunting to find the right place to upload your package, so we will talk about one of the options here, which is the one we are following with the WLAN Pi project.

For the past few weeks we have been playing around with PackageCloud.io and its various features. It’s a complete cloud package repository solution, while still being simple to use. It can handle several types of packages through a common interface and API. In this blog I’ll explain our journey until this point.

Debian repository

Our main requirement on WLAN Pi is an online repository for Debian packages. There are only a few offerings available as hosted solutions on the cloud, and this was an important requirement for us because we wanted to avoid the hassle of managing our own self-hosted repository: handling security updates, configuration management, load balancing and all that comes with it. After some research, we were between two options, GemFury and PackageCloud.

Initial usage

We used GemFury for quite some time, as it had a free tier, so we set up the account and started using it. WLAN Pi 2.0 was shipped with this configuration and our custom packages are installed from there. While it does work, there were some limitations that made us consider moving to another provider. Specifically, these were the main limitations:

  • GemFury didn’t have the option to set up SSL, so everything was plaintext HTTP;
  • The web interface was confusing, and it was hard to manage the packages online;
  • No option to promote a package from a development repository to a final deploy.

The move to a better solution

That made us consider moving to another provider and then we applied for the OSS (Open Source Software) plan on PackageCloud. This plan provides a good amount of resources free of cost for Open Source projects. While this is great, it’s more important to fulfill our needs and requirements – not everything that’s free is good.

PackageCloud offers an out-of-the-box solution with SSL enabled by default for HTTPS. Packages can be signed with GPG for extra security, the interface is straightforward, and promoting a package from the development to the deployment repository takes 3 clicks. This hosted solution adds a lot of value, and it solved all the problems we had before.

Package uploaded in one of the repositories
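The move from plaintext HTTP to HTTPS with GPG-signed packages only helps devices whose APT source entries were actually updated. The following is an added example, not code from the WLAN Pi project or PackageCloud: a small audit of one-line `sources.list` entries that flags plaintext transport and disabled or unpinned signature checking. The hostnames and keyring path are constructed placeholders.

```python
import re

# Constructed sample entries in apt's one-line sources.list format.
# Hostnames and the keyring path are placeholders, not the project's repositories.
SAMPLE_SOURCES = """\
# legacy entry: plaintext transport, signature check disabled
deb [trusted=yes] http://repo.example.invalid/apt/ /
deb http://mirror.example.invalid/debian bullseye main
deb [arch=arm64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://packages.example.invalid/debian bullseye main
"""

# type, optional [options], URI, suite
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)

def audit_sources(text):
    """Return (line_number, uri, [findings]) for every risky entry."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = ENTRY.match(line)
        if not match:
            continue
        opts = dict(
            opt.split("=", 1)
            for opt in (match.group("opts") or "").split()
            if "=" in opt
        )
        uri = match.group("uri")
        findings = []
        if uri.lower().startswith("http://"):
            findings.append("plaintext-http")  # no transport encryption
        if opts.get("trusted", "").lower() == "yes":
            findings.append("signature-check-disabled")  # apt skips GPG verification
        if opts.get("allow-insecure", "").lower() == "yes":
            findings.append("allow-insecure")
        if "signed-by" not in opts:
            findings.append("no-signed-by")  # key not pinned to this repository
        if findings:
            report.append((lineno, uri, findings))
    return report

if __name__ == "__main__":
    for lineno, uri, findings in audit_sources(SAMPLE_SOURCES):
        print(f"line {lineno}: {uri}: {', '.join(findings)}")
```

On a real device the same function can be fed the contents of `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`.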

CI integration

We use GitHub Actions for our CI pipeline, which is not supported by default by PackageCloud. To facilitate integration in our pipeline, I created a new Action and published it on the GitHub Action marketplace; you can find it here. It encapsulates the upload commands and can handle any type of package supported by PackageCloud; it only needs an account that is already set up.

GitHub Action for uploading packages to PackageCloud

With accounts set up, configuring our CI environment to upload our packages took about 1 hour, including creating the GitHub Action, publishing it and testing the setup with a demo repository.

Final thoughts

PackageCloud has checked all the boxes so far. It has improved the security for all our users installing and upgrading our packages, even if they are not aware of this. Now we can also upload packages to a development environment, where we can test all the new features without fear that someone might upgrade to a broken version of the software. When we consider it stable, with 3 clicks the package is promoted to our deployment repository, where all users can then download it and enjoy all the new features and bug fixes.

Let’s work to get those updates out there now.