Differences between revisions 18 and 19
Revision 18 as of 2014-03-12 11:41:12
Size: 5197
Editor: vyrly
Comment: Installing all dependencies for package
Revision 19 as of 2014-04-08 10:22:31
Size: 5455
Editor: Mempo
Comment:
Deletions are marked like this. Additions are marked like this.
Line 116: Line 116:

 /!\ fms (using this version) did crash was reported, with backtrace relating to the library in question. Therefore users should be very careful using this software and are strongly advised to run "gdm ./fms" and report if they would had any crash /!\

The mempo-deb is a subproject of Mempo that has goal of bringing fast fixes and patches into Debian in topic of security and privacy.

The work is part of Debian community and FOSS development.

Patches/fixes will be easy to apply quickly:

  • without waiting for official Debian release, just run small script
  • verify if binary versions distributed are trusted to not contain any backdoor added by the builder/maintainer - everyone can check if binary matches the known source code

Download

All the source (2 packages fixes, as of 2014-03) are on github, git clone https://github.com/mempo/mempo-deb.git.

Other architecture

Building for other architectures then the host, is done using #virtualized. Tested (as of 2014-03) on i386 for gnupg package, works fine.

virtualized

There are several possible tools to build in "virtualized" environment (chroot, VM, LXC, and so on).

Currently we prefer: debootstrap (and soon we want to switch e.g. to pbuilder).

debootstrap

Used now as easy quick fix to e.g. support i386. We create build env and then chroot into it, and there use the normal method of building (e.g. even the simple run.sh type scripts will work).

This will create i386 env:

# as root (on host, outside chroot):

# create user "build", and his subdir /home/build/chroot
export http_proxy="http://proxy.l:3128/" # use your proxy - or use "" or skip this line

If you have /home mounted with option ''nodev'', remount it:
mount /home/ -o remount,dev
debootstrap --arch i386 wheezy /home/build/chroot  http://ftp.pl.debian.org/debian/
chroot /home/build/chroot

# now as the root in guest:
# re-create same user "build" with same UID and GID as it had on host

echo "Enter the UID (user) of the user build (as seen on host os). To find out, use command: id build - on the host"
read uid
echo "Enter the GID (group) of the user build (as seen on host os). To find out, use command: id build - on the host"
read gid

addgroup --gid $gid build  
adduser  --uid $uid --gid $gid build --disabled-password

# install general tools:

aptitude install mc vim gcc make cmake build-essential git faketime subversion

# done - now follow instruction for given package
# as root (here in chroot) install the package's dependencies
# su build - and then you are user build, but in chroot, e.g. you are in i386 environment

#Install all dependencies for package:
Add sources repository in /etc/apt/sources.list:
deb-src http://ftp.pl.debian.org/debian/ wheezy main

apt-get update
apt-get build-dep <package>

pbuilder

TODO: we need to use faketime for most packages, and set some env var for others too (like SameKernel). Idea: use hooks.

And create first our source-package with our patches applied.

Trust

In security&privacy project Mempo we assume you should always be vigilant, and it is wise to even verify this software (mempo-deb).

There are 2 ways for this.

Chain of trust for build-from-source:

  • We trust the Debian (apt-get PGP keys)
  • Download the Debian official sources using apt-get sources - trust from apt-get
  • Apply small .diff patch that should be easy to inspect manually and should be verifiable by FOSS community, and signed by reviewers later on
  • Run trivial build script
  • Obtain the *.deb
  • When we succeed in making the builds deterministic then you should publish checksums of the .deb and other users will publish the same one

  • This is partially working (2013-12)

Chain of trust for install-from-unofficial-deb:

  • Get the .deb file in any way
  • Verify the checksum with ones posted by people you trust, resulting from previous method
  • This is not done yet

Packages

dpkg

https://github.com/mempo/mempo-deb/tree/master/pack/dpkg

We take and build https://alioth.debian.org/anonscm/git/reproducible/dpkg.git

We used to patch it even more, however later it was not needed.

Needed for SameKernel and other ReproducibleBuilds.

libpoco

  • /!\ fms (using this version) did crash was reported, with backtrace relating to the library in question. Therefore users should be very careful using this software and are strongly advised to run "gdm ./fms" and report if they would had any crash /!\

https://github.com/vyrly/mempo-deb/tree/master/pack/poco (rename to libpoco?)

libpoco-dev 1.3.6p1-4+mempo1.2

Fixed poco library against the lib pcre related bug

Program FMS_application was not working (hang/slowdown - sometimes) 671477

gnupg

https://github.com/vyrly/mempo-deb/tree/master/pack/gnupg

Improve GnuPG with more paranoid options: extend max keylength x4, use stronger entropy (read eg twice as much entropy).

Work in progress (2013-12-13)

Pack with script that automatically builds gnupg (reproducible way) with longer key generation support: https://github.com/mempo/mempo-deb

Changes were necessary only in key-generator. Gnupg fully supports keys to 16k bits (tested).

We've been inspired by this post: http://gagravarr.livejournal.com/137173.html

hardened kernel

Reproducible and hardened kernel - see SameKernel