This allows building the kernel in a verifiable way, so you can check that a .deb indeed matches the kernel source code, without added backdoors/viruses.

To use it, just execute the 2 simple commands described in the "Install" section below.

To get all needed files, on Debian use command: git clone https://github.com/mempo/deterministic-kernel.git

This is a work in progress. The Mempo team will help you with using and testing this software: contact us on #mempo and #debian-kernel on irc.oftc.net (see http://www.oftc.net/), use this chat webpage (for anonymous use, I2P IRC #mempo), or see Mempo-Contact.

As of now (2014-01-28) this work is:

Progress

(!) Issues currently worked on:

Steps of this project:

(some steps were removed as plans changed)

See general instructions: ReproducibleBuilds.

We are trying to create a script that does this deterministic build in a bit more automated way with added:

This page should be usable by everyone in Debian, and the script we're writing will later be easy to run in pure-Debian mode too.

Install

You can help yourself and this project easily!

/!\ Current extra tools needed:

Install dependencies

As root :

apt-get install faketime time git build-essential libncurses5-dev libncursesw5-dev kernel-package md5deep gcc-4.7-plugin-dev g++ make time

Create user for kernel build (preferably)

/!\ At the moment, to get the same *.deb kernel files on different machines, the build must be run as the same user!

Preferably create a Unix user named kernelbuild (or use any user).

Get and build dpkg

Use Lunar's pu/reproducible_builds branch of dpkg:

"Because we need GNU gettext >= 0.18.2, on wheezy please add

deb http://YOURMIRROR.debian.org/debian wheezy-backports main

to /etc/apt/sources.list and run:

# aptitude update
# aptitude install -t wheezy-backports gettext autopoint

Get and run the script from https://github.com/vyrly/mempo-deb/tree/master/pack/dpkg. It will fetch, build and install that dpkg locally.

Run kernel compilation

In home directory run:

rm -rf deterministic-kernel/ ; git clone https://github.com/mempo/deterministic-kernel.git && cd deterministic-kernel/  && bash run.sh

Press ENTER to confirm (e.g. the download) and then the kernel should build :)

/!\ (Or better, execute this by hand and check the sha1sum of the git version)

How this works

The following fixes are applied:

Trust chain

For Mempo-Kernel: obtain the .deb from the Mempo repository, then compare its checksum with trustworthy people who built the .deb from source and saw that it produces the same binary as in the repository.

So the full chain of trust is:

In time, we will upgrade the build script so that the final .deb file is identical; then the procedure will be even faster (just run run.sh and publish the sha512 of your .deb).

The Mempo project might release the .deb in its own repository for easy installation for people who want this.

Ultimately, Debian.org might one day officially include Mempo-kernel in the Debian repository (though even then checksum-based verification will be more secure, in case the ftp master key is compromised).
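
The checksum comparison from the trust chain above, as an added example (not part of the Mempo scripts): it hashes a local .deb with SHA-512 and compares the result with digests published by independent builders. The list format, the function names and the builder names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Mempo's code). Assumed list format, one builder per line:
#   <builder-name> <sha512-hex>
# Blank lines and lines starting with '#' are ignored.

# Print the lowercase hex SHA-512 of a file.
deb_sha512() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    sha512sum -- "$1" | cut -d' ' -f1
}

# Print "<matching> <total>" for DEB ($1) against the builders' list ($2);
# name every builder whose published digest differs on stderr.
compare_with_builders() {
    local_sum=$(deb_sha512 "$1") || return 2
    matching=0 total=0
    while read -r builder sum _ || [ -n "$builder" ]; do
        case $builder in ''|'#'*) continue ;; esac
        total=$((total + 1))
        sum=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        if [ "$sum" = "$local_sum" ]; then
            matching=$((matching + 1))
        else
            echo "MISMATCH: digest published by $builder differs" >&2
        fi
    done < "$2"
    echo "$matching $total"
}

# Succeed only if at least MIN builders agree and none disagrees.
# Usage: quorum_ok DEB LIST MIN
quorum_ok() {
    result=$(compare_with_builders "$1" "$2") || return 2
    [ "${result% *}" -ge "$3" ] && [ "${result% *}" -eq "${result#* }" ]
}

# Constructed demo: a small text file stands in for the kernel .deb.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed stand-in for a kernel .deb\n' > "$dir/kernel.deb"
    good=$(deb_sha512 "$dir/kernel.deb")
    printf '# constructed list\nalice %s\nbob %s\n' "$good" "$good" > "$dir/list"
    quorum_ok "$dir/kernel.deb" "$dir/list" 2; rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

A single differing digest makes quorum_ok fail even when the minimum number of builders agree, because a disagreement means either the build is not yet deterministic or one of the binaries is not what the source produces.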

Test

Tests: please test this script and report any problems to Mempo and on IRC #mempo; also add them here on the wiki in /Test.
