- For better security, ideally, we wouldn't pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
- sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.
- For building packages from source code, there is apt-get source --compile pkg-name. But for it to work, one has to run apt-get build-dep pkg-name beforehand, which downloads binary packages. Is it possible to get to a point where all packages that are installed or updated are compiled from source code beforehand? It seems difficult to break the dependency loops. Some more info: https://unix.stackexchange.com/questions/184812/how-to-update-all-debian-packages-from-source-code
- The debootstrap system has a fair number of circular dependencies, and no trivial way to break them. Is it allowed to have a leap of faith and trust some minimal set of binary packages for the initial bootstrap? Use local system packages and a set of "known-good" binaries to do the initial bootstrap build, then rebuild up from there. (One loop that is non-trivial to break, for instance, is GCC, which requires an Ada compiler to build the Ada compiler. Others I can think of are OpenJDK and GHC.) (modified quote by @NCommander)
- The user should be able to build Debian / Whonix from scratch from source code. (Whonix already got a functional build script, using debootstrap [binary packages] and apt-get [binary packages], that can be used by anyone to build from source.)
- The user should be able to run self rebuilds. For one, apt-build world would in theory work nicely for rebuilds from within the running system. (Useful to add more compile flags.) Unfortunately, apt-build is unmaintained, its world command is broken, and it is written in Perl. apt-build's feature set and man page look very good.
- Do you think you could re-implement all the features of apt-build as an apt [download] method, if that makes sense? Aka an "apt-build re-implementation in apt", so that upstream apt developers would be eager to merge and maintain it, and anyone could install any package from Debian's sources repository, building and installing it from source code?
- rebootstrap is a nice project, but I don't see how that implements the TODO part.
- If helpful, this ticket could be split into smaller tasks.
- add an option to debootstrap to compile all packages from source rather than downloading binary ones
- add an option to or wrapper around apt-get to allow installation/upgrade of packages from source code
- It is essential, that patches should be upstreamed to and merged by Debian!
- have an option to modify compile flags per package, so we can for example enable compiling as PIE
- Yes, there really is a 3000 USD bounty on this ticket.
- We do not want to use EC2 and/or remotely rebuild/maintain the binary archive.
- We don't think we can host our own [binary] repository of the whole Debian package archive anytime soon.
- We are aware of reproducible builds. We still want this, partly because we are also after the compiler hardening enhancements.
- apt-get source verification is not the issue here. Verifying the signature of the maintainer may indeed fail, but apt-get source is also always verified against the apt repository signing key. (See also for explanation.) If you want to discuss this further, let's move it to the forums or a separate ticket.
- Port to Gentoo. No. (We've been through this and decided against it (https://github.com/Whonix/Gentoo-Port/issues); it would trade this feature against new issues, including security issues [unsigned files]. [Off-topic: if you want to discuss this further, please move it to the Whonix forums.])
- Port to other Distributions. No.
- Debian only. Not Ubuntu.
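To make the build-from-source task concrete, here is an added example (not Whonix's, apt-build's or Debian's code) of the shape a per-package rebuild wrapper would take. It strings together the two steps named above, apt-get build-dep followed by apt-get source --compile, and implements the "compile flags per package" item by passing the requested hardening features through DEB_BUILD_OPTIONS=hardening=..., which dpkg-buildflags documents as a user-settable override (it only takes effect for packages whose build uses dpkg-buildflags, as dh-based packages do). The flag file format (one "source-package features" line) and its default path are this example's own assumptions. Note that build-dep still pulls binary build dependencies; that is exactly the bootstrap leap of faith the ticket discusses, and the wrapper does nothing to remove it.

```shell
#!/bin/sh
# Hypothetical per-package source rebuild wrapper (added example, not
# project code). Real tools: apt-get, dpkg, and the DEB_BUILD_OPTIONS
# hardening feature area documented by dpkg-buildflags. The flag file
# layout and default location below are assumptions of this example.
set -eu

# Per-package hardening features, one "<source-package> <features>" line each,
# e.g. "openssl +pie,+bindnow". Path is an assumption; override via environment.
FLAGS_FILE="${FLAGS_FILE:-/etc/source-build/flags}"

# Print the hardening feature list requested for a package.
# Default is "+pie" so every rebuild is position independent unless overridden.
hardening_for() {
    pkg=$1
    opts=""
    if [ -r "$FLAGS_FILE" ]; then
        opts=$(awk -v p="$pkg" '$1 == p { print $2; exit }' "$FLAGS_FILE")
    fi
    printf '%s\n' "${opts:-+pie}"
}

# Execute a command, or only print it when DRY_RUN=1 so the exact pipeline
# can be reviewed before anything is installed on the system.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rebuild and install one package from source (run as root):
#  1. install build dependencies (still binary packages: the bootstrap
#     leap of faith, not removed by this wrapper);
#  2. fetch the source (apt verifies it against the archive signing key),
#     and compile it with the per-package hardening features applied;
#  3. install the resulting .deb files from the work directory.
build_from_source() {
    pkg=$1
    features=$(hardening_for "$pkg")
    workdir="${WORKDIR:-$(mktemp -d)}"
    run apt-get build-dep -y "$pkg"
    # dpkg-buildflags honours DEB_BUILD_OPTIONS=hardening=<features> for
    # packages whose build calls dpkg-buildflags (e.g. anything using dh).
    run env "DEB_BUILD_OPTIONS=hardening=$features" \
        sh -c "cd '$workdir' && apt-get source --compile '$pkg'"
    run sh -c "dpkg -i '$workdir'/*.deb"
}

# Usage: DRY_RUN=1 ./source-build.sh openssl   (preview the commands)
#        ./source-build.sh openssl             (actually build and install)
if [ "$#" -gt 0 ]; then
    build_from_source "$1"
fi
```

The dry-run mode is the part worth keeping whatever the final design: a tool that replaces signed binaries with locally built ones should let the operator see, for each package, which build dependencies it will install as binaries and which flags the compile will receive, since those two facts are what this ticket is ultimately about.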
previous / more / archived discussion:
Bounty too low?:
- Go to https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code
- Click on "Developers"
- Click on "Get Started"
- Select Status "Bounty too low"
- Enter your offer and press "Save".
On bountysource [*]:
[*] Contains the full history of the discussion. When you are reading on bountysource.com, to save time, I recommend skipping everything up to "I have rewritten the original ticket description."