A package repository is a collection of packages plus metadata describing which packages are available and details about them. Repositories offer an easy way for remote machines to download and install packages via a package manager.
Each package repository created by PKG Deploy is private and can only be accessed using the access keys generated when the repository is created.
To go from nothing to deploying your code via one of our package repositories, you need to:
- Create a package repository to host the packages you create
- Add the package repository to a machine that you want to install packages on
- Use APT or YUM to install your packages
PKG Deploy supports two types of repositories.
- APT repositories are used to host deb packages. APT handles the installation and removal of software on Debian, Ubuntu, and other related Linux distributions
- YUM repositories are used to host rpm packages. YUM handles installation, updates and dependency management on RPM-based distributions such as RHEL, CentOS and Fedora
All our repositories are private
All repositories created via PKG Deploy are private and require access keys to be provided before we return any information.
These access keys are generated when the package repository is first created and are automatically bundled into the created installer.
If you believe a set of access keys for a repository has been compromised, the keys can be rolled and new ones generated. This will remove access for any machine with the old access keys configured. To help with this, a new version of the installer is also created when new keys are generated. To update the access keys on a machine you need to update the installer.
All our repositories are secure
Repository metadata is signed via GPG, allowing you to ensure that the metadata we provide is generated by us and not by anyone else. If you follow the documentation to add the package repository to a machine, GPG checks will be automatically carried out.
rpm packages are also signed before they are published, and YUM runs GPG verification on these packages.
deb packages are not signed as APT does not come with an easy way to verify package signatures by default.
An export of our public key can always be found at https://www.pkgdeploy.com/pkgdeploy_gpg.asc
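To confirm on a machine that the GPG checks described above are actually in force, the following added example (not PKG Deploy's own code) audits a YUM .repo file and an APT sources file for settings that disable signature verification. It assumes the installer writes a standard YUM repo section and one-line APT source entries; the sample file contents, repository URLs and keyring path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not PKG Deploy's code): flag client config that disables signature checks.
# YUM: every [section] needs gpgcheck=1 (packages), repo_gpgcheck=1 (metadata) and a gpgkey.
audit_yum_repo() {
    awk '
        function flush() {
            if (sec == "") return
            if (v["gpgcheck"] != "1")      { print sec " gpgcheck is not 1"; bad = 1 }
            if (v["repo_gpgcheck"] != "1") { print sec " repo_gpgcheck is not 1"; bad = 1 }
            if (v["gpgkey"] == "")         { print sec " gpgkey is missing"; bad = 1 }
        }
        /^[ \t]*([#;]|$)/ { next }
        /^\[/ { flush(); sec = $0; split("", v); next }
        (i = index($0, "=")) {
            k = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[k] = val
        }
        END { flush(); exit bad + 0 }
    ' "$1"
}

# APT one-line sources: [trusted=yes] or [allow-insecure=yes] turns verification off.
audit_apt_list() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^deb(-src)?$/ && index($0, "[") {
            opts = $0; sub(/\].*$/, "]", opts)   # keep "deb [options]" only
            if (opts ~ /(trusted|allow-insecure)=yes/) { print "line " NR ": " opts; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample configs; repo URLs and keyring path are placeholders.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.repo" <<'EOF'
[pkgdeploy-example]
baseurl=https://repo.example.invalid/yum/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://www.pkgdeploy.com/pkgdeploy_gpg.asc
EOF
sed 's/^repo_gpgcheck=1/repo_gpgcheck=0/' "$tmp/good.repo" > "$tmp/weak.repo"
echo 'deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.invalid/apt stable main' > "$tmp/good.list"
echo 'deb [trusted=yes] https://repo.example.invalid/apt stable main' > "$tmp/weak.list"
for f in good.repo weak.repo; do audit_yum_repo "$tmp/$f" && echo "$f: ok" || echo "$f: FAIL"; done
for f in good.list weak.list; do audit_apt_list "$tmp/$f" && echo "$f: ok" || echo "$f: FAIL"; done
```

Both functions return non-zero when a weak setting is found, so they can gate a configuration-management run or a periodic compliance check.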