The mempo-deb is a subproject of Mempo that has goal of bringing fast fixes and patches into Debian in topic of security and privacy.
The work is part of Debian community and FOSS development.
Patches/fixes will be easy to apply quickly:
- without waiting for official Debian release, just run small script
- verify if binary versions distributed are trusted to not contain any backdoor added by the builder/maintainer - everyone can check if binary matches the known source code
All the source (2 packages fixes, as of 2014-03) are on github, git clone https://github.com/mempo/mempo-deb.git.
Building for other architectures then the host, is done using #virtualized. Tested (as of 2014-03) on i386 for gnupg package, works fine.
There are several possible tools to build in "virtualized" environment (chroot, VM, LXC, and so on).
Currently we prefer: debootstrap (and soon we want to switch e.g. to pbuilder).
Used now as easy quick fix to e.g. support i386. We create build env and then chroot into it, and there use the normal method of building (e.g. even the simple run.sh type scripts will work).
This will create i386 env:
# as root (on host, outside chroot): # create user "build", and his subdir /home/build/chroot export http_proxy="http://proxy.l:3128/" # use your proxy - or use "" or skip this line If you have /home mounted with option ''nodev'', remount it: mount /home/ -o remount,dev debootstrap --arch i386 wheezy /home/build/chroot http://ftp.pl.debian.org/debian/ chroot /home/build/chroot # now as the root in guest: # re-create same user "build" with same UID and GID as it had on host echo "Enter the UID (user) of the user build (as seen on host os). To find out, use command: id build - on the host" read uid echo "Enter the GID (group) of the user build (as seen on host os). To find out, use command: id build - on the host" read gid addgroup --gid $gid build adduser --uid $uid --gid $gid build --disabled-password # install general tools: aptitude install mc vim gcc make cmake build-essential git faketime subversion # done - now follow instruction for given package # as root (here in chroot) install the package's dependencies # su build - and then you are user build, but in chroot, e.g. you are in i386 environment #Install all dependencies for package: Add sources repository in /etc/apt/sources.list: deb-src http://ftp.pl.debian.org/debian/ wheezy main apt-get update apt-get build-dep <package>
TODO: we need to use faketime for most packages, and set some env var for others too (like SameKernel). Idea: use hooks.
And create first our source-package with our patches applied.
In security&privacy project Mempo we assume you should always be vigilant, and it is wise to even verify this software (mempo-deb).
There are 2 ways for this.
Chain of trust for build-from-source:
- We trust the Debian (apt-get PGP keys)
- Download the Debian official sources using apt-get sources - trust from apt-get
- Apply small .diff patch that should be easy to inspect manually and should be verifiable by FOSS community, and signed by reviewers later on
- Run trivial build script
- Obtain the *.deb
When we succeed in ?making the builds deterministic then you should publish checksums of the .deb and other users will publish the same one
- This is partially working (2013-12)
Chain of trust for install-from-unofficial-deb:
- Get the .deb file in any way
- Verify the checksum with ones posted by people you trust, resulting from previous method
- This is not done yet
We take and build https://alioth.debian.org/anonscm/git/reproducible/dpkg.git
We used to patch it even more, however later it was not needed.
fms (using this version) did crash was reported, with backtrace relating to the library in question. Therefore users should be very careful using this software and are strongly advised to run "gdm ./fms" and report if they would had any crash
https://github.com/vyrly/mempo-deb/tree/master/pack/poco (rename to libpoco?)
Fixed poco library against the lib pcre related bug
Improve GnuPG with more paranoid options: extend max keylength x4, use stronger entropy (read eg twice as much entropy).
Work in progress (2013-12-13)
Pack with script that automatically builds gnupg (reproducible way) with longer key generation support: https://github.com/mempo/mempo-deb
Changes were necessary only in key-generator. Gnupg fully supports keys to 16k bits (tested).
We've been inspired by this post: http://gagravarr.livejournal.com/137173.html
Reproducible and hardened kernel - see SameKernel