Foundry is a distributed build system that automatically builds Debian packages from git repositories and distributes built packages through apt repositories. I developed foundry to automate the distribution of toolbox and other packages published through

The build system consists of four workers, called bots, each of which performs one small step of the build process. The bots use pub-sub messaging for communication, reducing coupling between bots and increasing scalability.

Bot Purpose
watchbot Watch git repositories for changes
buildbot Build Debian packages from a git repository
signbot Sign Debian packages
distbot Add signed packages to a Debian repository

The pub-sub topics and their meaning is shown in the following table.

Topic Message type Description
commits commit A change was detected on a git repository
builds build A build has completed successfully
signs sign The packages from a build message have been successfully signed
dists dist The packages from a sign message have been successfully published

The following diagram gives an overview how the individual foundry components interact. For understandability’s sake each bot is shown only once, but the foundry architecture does not impose a limit on the number of bots. The messaging system that foundry is based on (toolbox’s ipc module) performs automatic load-balancing, allowing bots to be added or removed on demand.


The architecture is explained in more detail in the sources.

Installation using apt

If you are using a Debian-based distribution, you can install foundry through apt. First, import the GPG key used to sign packages in the repository and make sure you have apt-transport-https installed.

# wget -O - -- | apt-key add -
# apt-get install apt-transport-https

Then add the following line to your /etc/apt/sources.lst.

deb stable main

If you prefer to use a development build, use the unstable suite instead.

deb unstable main

Next, update your package index using the following command.

# apt-get update

Now you can install and update foundry with apt.

# apt-get install foundry

Installation from the sources

If you would prefer to install foundry from the sources, first install toolbox, then run the following commands.

$ git clone
$ cd foundry
$ sudo make install

For the latest development version, switch to the unstable branch using git checkout unstable or specify the branch with -b when cloning the repository.

Finally, create the foundry group and a directory for foundry to keep build contexts.

# groupadd foundry
# mkdir -p /var/lib/foundry/contexts
# chown -R root.foundry /var/lib/foundry/contexts
# chmod -R 770 /var/lib/foundry/contexts


The user that runs foundry has to be member of the toolbox, toolbox_ipc, and foundry groups. You can add a user to these groups using the following command.

# usermod -a -G toolbox,toolbox_ipc,foundry USER

The user further needs to have GPG keys for IPC messaging, package signing, and repository metadata signing. Ideally you should create three keypairs, the default key being used for IPC messaging. Keys can be generated using the following command.

$ gpg --full-generate-key

Starting foundry

The following example shows how to build toolbox with foundry.

Starting watchbot

First, we will start a watchbot to watch the toolbox repository’s stable branch. This can be achieved with the following command.

$ watchbot --repository

A single watchbot can watch an arbitrary number of repositories. If you want to watch more than one repository, pass --repository multiple times, as shown below.

$ watchbot --repository   \

Watchbot supports watching of remote repositories (via git’s dumb and smart HTTP transports) as well as local repositories.

Starting buildbot

This one is really simple.

$ buildbot

By default, buildbot will use the IPC endpoint pub/buildbot to subscribe to commits. This means, by default build jobs will be balanced over all buildbots. If you would prefer multiple buildbots to build the same job in parallel, for example because you are building for multiple architectures, you need to pass the --endpoint parameter. You can think of the IPC endpoint as a load-balancing group. For example, consider you have started four buildbots as shown below.

$ buildbot --endpoint pub/buildbot_i386
$ buildbot --endpoint pub/buildbot_i386
$ buildbot --endpoint pub/buildbot_amd64
$ buildbot --endpoint pub/buildbot_amd64

In this scenario, if a new commit is published, it is sent to either IPC endpoint. This means, one of the buildbots listening on pub/buildbot_i386 and one of the buildbots listening on pub/buildbot_amd64 will see the message.

Starting signbot

Signbots are started as shown below.

$ signbot --gpg-key <keyid>

The purpose of signbot is to sign Debian packages, so you need to tell it which key to use using the --gpg-key option. The key must be a key-id from the default GPG key ring. By default, signbots are load-balanced the same way as the buildbots. If you want to sign packages going to one repository with a different key than packages going to a different repository, you will have to start two signbots with differing --endpoint and --publish-to options.

Starting distbot

Distbot has a few more options, but most of them are fairly self-explanatory.

$ distbot --name        \
          --output /srv/www/deb         \
          --arch amd64                  \
          --arch i386                   \
          --gpg-key <keyid>             \
          --description "My repository"

Like signbot, distbot needs a GPG key id. Unlike the signbot key, which is used to sign packages, this key is used to sign the metadata in the repository. You are strongly encouraged not to use the same key for both. If the path passed via --output contains an existing repository, distbot will reuse it. Otherwise, it will create a new repository in that path.

Note: If you have multiple signbots publishing messages to more than one topic, you can change the topic that a distbot watches by passing --watch and the name of the topic that your signbot is publishing messages on.

Herding the bots

If you want to see a list of the running bots, pass --list to the bot you’re interested in. For example, the following command will list all running watchbots.

$ watchbot --list

If you want to stop a particular bot, use --stop.

$ watchbot --stop 12345

That’s all you need to know to get started. If everything went well, you should be seeing built packages in your Debian repository. If not, the logs within $HOME/.toolbox/log might tell you what’s going on. This is also a good opportunity to mention that you can tell each of the bots to be more talkative by passing --verbose one or more times.