Differences between revisions 19 and 20
Revision 19 as of 2014-04-08 10:22:31
Size: 5455
Editor: ?Mempo
Comment:
Revision 20 as of 2019-09-15 09:50:50
Size: 0
Editor: nodiscc
Comment: abandoned page/project, last activity from 2015 on github/project sites, no valuable info
mempo-deb is a subproject of [[Mempo]] whose goal is to bring fast fixes and patches for security and privacy issues into Debian.

The work is part of the Debian community and FOSS development.

Patches/fixes are meant to be easy to apply quickly:
 * without waiting for an official Debian release, by running a small script
 * with a way to verify that the distributed binaries contain no backdoor added by the builder/maintainer: everyone can check that the binary matches the known source code

== Download ==

All the sources (fixes for 2 packages, as of 2014-03) are on github: '''git clone https://github.com/mempo/mempo-deb.git'''.

<<Anchor(arch)>>
<<Anchor(i386)>>
<<Anchor(arm)>>
== Other architecture ==

Building for architectures other than the host's is done using [[#virtualized]].
Tested (as of 2014-03) on i386 for the gnupg package; works fine.

<<Anchor(virtualized)>>

== virtualized ==

There are several possible tools for building in a "virtualized" environment (chroot, VM, LXC, and so on).

Currently we prefer '''debootstrap''' (and soon we want to switch, e.g. to pbuilder).

=== debootstrap ===

Used now as an easy quick fix, e.g. to support i386.
We create a build environment, chroot into it, and there use the normal build method (e.g. even the simple run.sh type scripts will work).

This will create an '''i386''' environment:

{{{
# as root (on host, outside chroot):

# create user "build" and the directory /home/build/chroot
export http_proxy="http://proxy.l:3128/" # use your proxy - or set "" or skip this line

# if /home is mounted with the option "nodev", remount it (debootstrap needs device nodes):
mount /home/ -o remount,dev
debootstrap --arch i386 wheezy /home/build/chroot http://ftp.pl.debian.org/debian/
chroot /home/build/chroot

# now as root in the guest:
# re-create the same user "build" with the same UID and GID as it has on the host

echo "Enter the UID (user) of the user build (as seen on the host OS). To find out, run on the host: id build"
read uid
echo "Enter the GID (group) of the user build (as seen on the host OS). To find out, run on the host: id build"
read gid

addgroup --gid "$gid" build
adduser --uid "$uid" --gid "$gid" --disabled-password build

# install general tools:

aptitude install mc vim gcc make cmake build-essential git faketime subversion

# install all build dependencies for the package:
# add the source repository to /etc/apt/sources.list:
echo "deb-src http://ftp.pl.debian.org/debian/ wheezy main" >> /etc/apt/sources.list

apt-get update
apt-get build-dep <package>

# done - now follow the instructions for the given package
# as root (here in the chroot) install the package's dependencies (see above)
# su build - then you are user build, but inside the chroot, i.e. in the i386 environment
}}}


=== pbuilder ===

TODO: we need to use faketime for most packages, and set some environment variables for others too (like SameKernel). Idea: use hooks.

And first create our source package with our patches applied.

== Trust ==

In the security & privacy project [[Mempo]] we assume you should always be vigilant, and it is wise to verify even this software (mempo-deb).

There are 2 ways to do this.

Chain of trust for build-from-source:
 * We trust Debian (the apt-get PGP keys)
 * Download the official Debian sources using apt-get source - trust comes from apt-get
 * Apply a small .diff patch that should be easy to inspect manually, verifiable by the FOSS community, and signed by reviewers later on
 * Run the trivial build script
 * Obtain the *.deb
 * Once we succeed in [[ReproducibleBuildsKernel|making the builds deterministic]], you should publish checksums of the .deb and other users will publish the same one
 * This is partially working (2013-12)

Chain of trust for install-from-unofficial-deb:
 * Get the .deb file in any way
 * Verify its checksum against the ones posted by people you trust, resulting from the previous method
 * This is not done yet
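The checksum-comparison step of the second chain, as an added example (a shell script, not code from the mempo-deb project): a .deb is accepted only when enough independently published checksums agree with the local file and none disagrees. The reviewer names, the stand-in package and its hashes are constructed.

```shell
# Added example, not part of mempo-deb: compare a .deb obtained "in any way"
# against checksums published by several independent reviewers.
# Reviewer names, package contents and hashes below are constructed.

# Print the sha256 of a file (coreutils sha256sum, or shasum where absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_deb DEB PUBLISHED MIN
#   DEB       - the package to check
#   PUBLISHED - file with one line per reviewer: "<name> <sha256>"
#   MIN       - minimum number of reviewers that must agree
# Succeeds only if at least MIN reviewers published exactly the hash of DEB
# and nobody published a different one. Any disagreement means either the
# build is not reproducible or somebody's package was tampered with, so the
# package is rejected until the difference is explained.
verify_deb() {
    actual=$(sha256_of "$1")
    min=$3
    agree=0; disagree=0
    while read -r name hash; do
        [ -n "$name" ] || continue
        if [ "$hash" = "$actual" ]; then
            agree=$((agree + 1))
        else
            disagree=$((disagree + 1))
            echo "MISMATCH: $name published $hash, local file is $actual" >&2
        fi
    done < "$2"
    [ "$disagree" -eq 0 ] && [ "$agree" -ge "$min" ]
}

# --- constructed demo data (a real run would use the downloaded .deb) ---
DEMO=$(mktemp -d)
printf 'stand-in for a gnupg .deb built from mempo-deb\n' > "$DEMO/gnupg.deb"
H=$(sha256_of "$DEMO/gnupg.deb")
# three reviewers published the same hash as the local file
printf 'alice %s\nbob %s\ncarol %s\n' "$H" "$H" "$H" > "$DEMO/agree.txt"
# two agree, but one reviewer ended up with a different binary
printf 'alice %s\nbob %s\ndave %s\n' "$H" "$H" \
    0000000000000000000000000000000000000000000000000000000000000000 > "$DEMO/split.txt"
```

Run as `verify_deb package.deb published.txt 3` after collecting the reviewers' lines into published.txt; the exit status is the verdict, and mismatching reviewers are listed on stderr.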

== Packages ==

<<Anchor(dpkg)>>
=== dpkg ===
[[https://github.com/mempo/mempo-deb/tree/master/pack/dpkg]]

We take and build [[https://alioth.debian.org/anonscm/git/reproducible/dpkg.git]]

We used to patch it even more, however later it was not needed.

Needed for [[SameKernel]] and other [[ReproducibleBuilds]].

<<Anchor(libpoco)>>
=== libpoco ===

 /!\ A crash of fms (using this version) was reported, with a backtrace pointing into the library in question. Therefore users should be very careful using this software and are strongly advised to run "gdb ./fms" and report any crash they get /!\

[[https://github.com/vyrly/mempo-deb/tree/master/pack/poco]] (rename to libpoco?)

libpoco-dev 1.3.6p1-4+mempo1.2

Fixed the poco library against the libpcre-related bug.

The program [[FMS_application]] was not working (hang/slowdown - sometimes).
DebianBug:671477

<<Anchor(gnupg)>>
=== gnupg ===
[[https://github.com/vyrly/mempo-deb/tree/master/pack/gnupg]]

Improve GnuPG with more paranoid options: extend the maximum key length 4x, use stronger entropy (e.g. read twice as much entropy).

Work in progress (2013-12-13)

Package with a script that automatically builds gnupg (in a reproducible way) with support for generating longer keys:
https://github.com/mempo/mempo-deb

Changes were necessary only in the key generator. GnuPG fully supports keys up to 16k bits (tested).

We've been inspired by this post:
http://gagravarr.livejournal.com/137173.html

=== hardened kernel ===
Reproducible and hardened kernel - see [[SameKernel]]