mempo-deb is a software project aimed at bringing quick fixes and patches in the area of security and privacy into Debian (as part of the ?Mempo project).

The work is obviously part of Debian community FOSS development.

Patches/fixes will be easy to apply quickly:

 * without waiting for an official Debian release: just run a small script
 * verify that the distributed binary versions can be trusted to not contain any backdoor added by the builder/maintainer: everyone can check whether the binary matches the known source code

All the source (fixes for 2 packages, as of 2013-12 - we are just starting) is on GitHub: git clone https://github.com/mempo/mempo-deb.git

Trust

In the security & privacy project ?Mempo we assume you should always be vigilant, so it is wise to verify even this software (mempo-deb) itself.

There are two ways to do this.

Chain of trust for build-from-source:

 * We trust Debian (the apt-get PGP keys).
 * Download the official Debian sources using apt-get source - the trust comes from apt's verification of the signed archive indexes.
 * Apply the small .diff patch, which should be easy to inspect manually, verifiable by the FOSS community, and later on signed by reviewers.
 * Run the trivial build script.
 * Obtain the *.deb.
 * When we succeed in ?making the builds deterministic, we will publish checksums of the .deb and other users will publish the same ones, so anyone can confirm that a distributed binary was built from the known source.
 * This is partially working (2013-12).

Chain of trust for install-from-unofficial-deb:

 * Get the .deb file in any way.
 * Verify its checksum against the ones posted by people you trust, produced by the previous method.
 * This is not done yet.
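The two chains above, written out as one small POSIX shell helper. This is an added example, not a script from mempo-deb: the page does not publish its build script or its checksum format. It assumes (our assumptions, not the page's) that the fix is a unified diff applied with -p1 inside the unpacked source tree, that the build is done with dpkg-buildpackage, and that trusted reviewers publish their checksums as sha256sum-format lines (hash, two spaces, filename). The build step needs a Debian system with deb-src entries and the usual build tooling; the verification step runs anywhere with sha256sum and is the part a user of an unofficial .deb actually types.

```shell
#!/bin/sh
# Added example (not mempo-deb's own script): the two chains of trust as a helper.
#
#   build_patched PKG DIFF    - chain 1: apt-get source + patch + dpkg-buildpackage
#   verify_deb DEB LIST...    - chain 2: compare a .deb's SHA-256 against checksum
#                               lists published by people you trust
#
# Assumptions (not from the page): unified diff applied with -p1, build via
# dpkg-buildpackage -us -uc -b, trusted lists in "sha256sum" output format.
set -u

# Chain 1: fetch the official source (trust: apt's signed indexes), apply the small
# reviewable diff, build unsigned binary packages. Not run by the offline check below.
build_patched() {
    pkg=$1; diff=$2
    case $diff in /*) ;; *) diff=$PWD/$diff ;; esac   # absolute path before cd
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        apt-get source "$pkg" || exit 1           # .dsc + tarballs checked by apt
        srcdir=$(find . -mindepth 1 -maxdepth 1 -type d | head -n 1)
        cd "$srcdir" || exit 1
        patch -p1 < "$diff" || exit 1             # read the diff yourself first
        dpkg-buildpackage -us -uc -b || exit 1    # unsigned binary-only build
    ) || return 1
    echo "$workdir"                               # the *.deb files land here
}

# Bare hex SHA-256 digest of one file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Chain 2: verify DEB against every trusted checksum list given. Each list must
# carry a line for the .deb's basename and all of them must agree with the local
# hash. A missing entry counts as failure: a reviewer who never vouched for this
# file is not evidence that it is clean. Returns 0 only if every list matches.
verify_deb() {
    deb=$1; shift
    [ $# -gt 0 ] || { echo "no trusted checksum lists given" >&2; return 2; }
    name=$(basename "$deb")
    local_sum=$(sha256_of "$deb") || return 2
    status=0
    for list in "$@"; do
        published=$(awk -v f="$name" '$2 == f { print $1; exit }' "$list")
        if [ -z "$published" ]; then
            echo "MISSING  $list has no entry for $name" >&2; status=1
        elif [ "$published" != "$local_sum" ]; then
            echo "MISMATCH $list: $published != $local_sum" >&2; status=1
        else
            echo "OK       $list agrees: $local_sum"
        fi
    done
    return $status
}

# Usage (package and file names here are illustrative):
#   ./mempo-verify.sh build libpoco libpoco-mempo.diff
#   ./mempo-verify.sh verify libpoco-dev_1.3.6p1-4+mempo1.2_amd64.deb alice.sha256 bob.sha256
case "${1:-}" in
    build)  shift; build_patched "$@" ;;
    verify) shift; verify_deb "$@" ;;
esac
```

The useful property of verify_deb is that it demands agreement from every list you hand it, so the check only gets stronger as more independent builders publish the same hash; one disagreeing reviewer is enough to stop the install and ask why.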

Packages

libpoco

libpoco-dev 1.3.6p1-4+mempo1.2

Fixed the poco library against a libpcre-related bug.

The FMS program was not working (it sometimes hung or slowed down): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671477

gnupg

Improve GnuPG with more paranoid options: extend the maximum key length by 4x, and use stronger entropy (e.g. read twice as much entropy).

Work in progress (2013-12-12)

hardened kernel

Reproducible and hardened kernel - see ?ReproducibleBuildsKernel