
Binary Package Maintenance

Christian Kreibich edited this page Oct 5, 2023 · 6 revisions

See Release Process for information on how to create a new source release. This page only documents how to update the binary packages for our releases.

openSUSE Build Service Packages

We use the openSUSE Build Service (OBS) to create binary releases for a multitude of different Linux distributions. Our packages are located in the security:zeek project in OBS.

Currently we maintain the following packages:

  • zeek

    The zeek package contains our current feature release. The package gets installed to /opt/zeek/ and conflicts with the zeek-lts package.

  • zeek-6.0 and zeek-5.0

    These are our currently maintained LTS release trains. The package gets installed to /opt/zeek/ and conflicts with the zeek package. These packages stick to a given release train: installing a zeek-6.0 package, for example, will provide the latest patch version on the 6.0 release train, but never pull you to 6.1 or newer.

  • zeek-nightly

    The zeek-nightly package contains our nightly builds. The package gets installed to /opt/zeek-nightly and can be installed simultaneously with other packages.

    The package gets automatically updated once a day by a cron-job running on bro-ids.icir.org. The cron-job executes the build.nightly.sh script that is included in the package.

  • zeek-rc

    The zeek-rc package contains the last release-candidate version of Zeek. It is only updated before we release a new major version of Zeek.

    The package gets installed to /opt/zeek-rc and can be installed simultaneously with other packages.

Updating packages

We currently provide packages for rpm and deb-based distributions. When updating a package to a new version, you will have to update the files for rpm and deb package generation separately.

To do these updates, you should branch the package, try your updates in your branch, and then submit the update to the parent package.

To check out and commit the package, use the osc command-line utility; in many operating systems there is a package for it (Fedora: osc).

To update to a new version, you will also have to update the VERSION file before running the build.release.sh script, which generates the rpm and deb rule files from the templates. The script mostly updates the version numbers in all files.

Note: for the nightly packages, the version file is automatically updated.

After updating the packages, you also should upload the new build artifacts to the binary-packages folder of download.zeek.org.

RPM updates

RPM packages are created using the rpm specfile of the respective package. We generate this file from a template, called zeek[-lts/nightly/rc].spec.template. When updating a major version of Zeek, you probably will have to update this file. This mostly means that you will have to make sure that file changes since the last version have been added to the specfile. This mostly affects new/removed executables/folders.

The RPM utilities typically are quite good about failing the build when you forget to update the files correctly.

To convert the template file to the final spec file, run the build.release.sh script in the directory. This script will generate the final spec-file, substituting the version and release numbers with the current version.

DEB updates

Updating deb packages is a bit more involved than updating RPMs. For Debian, the debian.* files are responsible for package generation. Some of these files are templated; in this case, only edit the .template file. The final file will be generated by the build.release.sh script, which replaces the version numbers contained in the file.

You typically have to at least update the .install files. They should mirror the changes to the rpm .spec file. For details on OBS and Debian packages, see the OBS page about Debian packages. Also see the Debian packaging documentation.

Unlike the RPM utilities, the Debian tooling typically does not warn you about errors like missing/extra files.
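
Because the Debian side does not flag missing or extra files, the mirroring between the spec file and the .install files can be checked by hand before committing. The script below is an added example, not part of the Zeek packaging scripts; it assumes literal paths (no RPM macros or globs) on both sides, and the sample file contents and tool names in it are constructed.

```shell
# Added example: compare the %files list of an rpm spec with debian.*.install.
# Assumption: both sides list literal paths (no RPM macros, no globs).

# Print every absolute path listed in the %files sections of a spec file.
spec_paths() {
    awk '
        /^%files/ { in_files = 1; next }
        /^%(changelog|package|description|prep|build|install|check|pre|post|clean)/ { in_files = 0 }
        in_files { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }
    ' "$1" | LC_ALL=C sort -u
}

# Print the source path (first field) of each .install entry, normalised to a
# leading slash so it can be compared with the spec paths.
install_paths() {
    awk 'NF && $1 !~ /^#/ { sub(/^\//, "", $1); print "/" $1 }' "$@" | LC_ALL=C sort -u
}

# Report paths present on one side only; prints nothing when the lists match.
packaging_drift() {
    spec=$1; shift
    tmp=$(mktemp -d) || return 2
    spec_paths "$spec" > "$tmp/rpm"
    install_paths "$@" > "$tmp/deb"
    LC_ALL=C comm -23 "$tmp/rpm" "$tmp/deb" | sed 's/^/only-in-spec /'
    LC_ALL=C comm -13 "$tmp/rpm" "$tmp/deb" | sed 's/^/only-in-install /'
    rm -rf "$tmp"
}

# Constructed sample input (hypothetical tool names) written into directory $1.
write_sample() {
    cat > "$1/zeek.spec" <<'EOF'
%files
%defattr(-,root,root)
/opt/zeek/bin/zeek
%attr(755,root,root) /opt/zeek/bin/new-tool
%dir /opt/zeek/share
%changelog
* placeholder entry mentioning /not/a/packaged/path
EOF
    cat > "$1/debian.zeek.install" <<'EOF'
# constructed sample
opt/zeek/bin/zeek
opt/zeek/share
opt/zeek/bin/removed-tool
EOF
}

# Usage: sh check-drift.sh zeek.spec debian.*.install
if [ "$#" -ge 2 ]; then packaging_drift "$@"; fi
```

Run it against the generated spec file rather than the template, after build.release.sh has substituted the version numbers.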

Example: Updating a Patch Release

Here's an example set of commands used to update from Zeek 3.2.1 to 3.2.2. Updating an LTS version would be similar.

# If you already have a checkout, can just do `osc up` in it instead of `osc co`.
osc co security:zeek zeek
cd security\:zeek/zeek
echo 3.2.2 > VERSION
bash build.release.sh
cp /path/to/zeek-3.2.2.tar.gz .
osc add zeek-3.2.2.tar.gz
osc rm zeek-3.2.1.tar.gz
osc ci -m "Update to 3.2.2"

See OSC documentation for more information on how to use osc.

After the artifacts are built (which can take a few hours; check the webpage), you can upload them to download.zeek.org. First, set up the aws cli and rclone with access keys that can access the www.zeek.org bucket. Afterwards, use a machine with a fast internet connection to run:

# Download the packages from OBS. They also have a rsync server - but that one is not secured with TLS. So we just use https...
# We skip nightlies here
wget -r -np -c -A "*.rpm,*.deb" -R "*nightly*" https://download.opensuse.org/repositories/security:/zeek/
# create an empty file
touch empty
# create a file disabling our directory index lambda.
aws s3 cp empty s3://download.zeek.org/aaa-disable-lambda
rm empty
# change into the correct directory for uploading...
cd download.opensuse.org/repositories/security:/zeek/
# use rclone to update the new files
rclone -v --size-only copy . s3:download.zeek.org/binary-packages/
# remove the file disabling the directory index lambda
aws s3 rm s3://download.zeek.org/aaa-disable-lambda

Note that we currently do not invalidate directory indexes for build artifacts, so it can take a while until they show up in the index of download.zeek.org.

Package maintenance

When disabling a distribution (because we dropped support), note that you will manually have to remove the old build artifacts. Otherwise the last build version will remain on the server.

The command to do this is osc wipebinaries --build-disabled, but don't trust it: check whether the package is still there after a few hours. Sometimes it doesn't work.
