
Build Debian Packages from Source Code
Open, NormalPublic

Description

Info:

  • For better security, we would ideally not pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
  • sponsor-B would pay a bounty for implementing this. We agreed to try Bountysource to get offers.
  • The debootstrap system has a fair number of circular dependencies, and no trivial way to break them. Is it allowed to have a leap of faith, to trust some minimal amount of binary packages for the initial bootstrap? Use local system packages and a set of "known-good" binaries to do the initial bootstrap build, then rebuild up from there. (One loop that is non-trivial to break, for instance, is GCC, which requires an Ada compiler to build the Ada compiler. Others I can think of are OpenJDK and GHC.) (modified quote by @NCommander)
  • The user should be able to build Debian / Whonix from scratch from source code. (Whonix already has a functional build script, using debootstrap [binary packages] and apt-get [binary packages], that anyone can use to build from source.)
  • The user should be able to run self-rebuilds. apt-build world would in theory work nicely for rebuilds from within the running system (useful for adding more compile flags). Unfortunately, apt-build is unmaintained, its world command is broken, and it is written in Perl. apt-build's feature set and man page look very good.
  • Could you re-implement all the features of apt-build as an apt [download] method, if that makes sense? Aka "apt-build re-implementation in apt", so that the upstream apt developers are eager to merge and maintain it, and anyone can install any package from the Debian sources repository by building it from source code.
  • rebootstrap is a nice project, but I don't see how it implements the TODO part.
  • If helpful, this ticket could be split into smaller tasks.

TODO:

  • add an option to debootstrap to compile all packages from source rather than downloading binary ones
  • add an option to, or a wrapper around, apt-get to allow installation/upgrade of packages from source code
  • It is essential that patches are upstreamed to and merged by Debian!
  • have an option to modify compile flags per package, so we can, for example, enable compiling as PIE
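As an added example (not Whonix's or apt-build's code, and not a proposed patch to apt or debootstrap), here is a minimal POSIX-sh wrapper that does for one source package what the second and fourth TODO items ask for: fetch the source with apt-get source (which checks the .dsc against the repository's signed Release file and aborts when that fails), rebuild it with the dpkg-buildflags hardening option set so that PIE is enabled, check that the executables in the resulting .debs are in fact position-independent, and install them. The script name apt-src-build, the HARDENING variable and the "<package>-build" directory layout are assumptions of this example; the apt-get, dpkg-source, dpkg-buildpackage and dpkg-deb invocations are standard Debian tooling. Build-dependencies are still installed as binaries from the archive, which is the bootstrap leap of faith the description mentions.

```shell
#!/bin/sh
# apt-src-build (hypothetical name): rebuild one Debian source package with
# hardening flags and install it. Added example; not Whonix or apt-build code.
set -eu

# dpkg-buildflags reads DEB_BUILD_MAINT_OPTIONS; "hardening=+all" enables
# pie, bindnow, relro, fortify, stackprotector and format for every package
# whose debian/rules takes its flags from dpkg-buildflags. A rules file that
# exports its own DEB_BUILD_MAINT_OPTIONS overrides ours, which is exactly
# why a per-package flag hook needs to land in Debian itself.
HARDENING=${HARDENING:-hardening=+all}

# Report an ELF file's e_type: "dyn" (ET_DYN, i.e. a PIE executable or a
# shared object), "exec" (ET_EXEC, a fixed-address executable, so not PIE)
# or "other" for anything that is not an ELF header. Uses od(1) only, so no
# toolchain is needed. Assumes EI_DATA little-endian (x86 and ARM targets).
elf_type() {
    f=$1
    if [ "$(wc -c < "$f" | tr -d ' ')" -lt 20 ] || \
       [ "$(od -An -tx1 -N4 "$f" | tr -d ' ')" != 7f454c46 ]; then
        echo other
        return 0
    fi
    case $(od -An -tu2 -j16 -N2 "$f" | tr -d ' ') in
        2) echo exec ;;
        3) echo dyn ;;
        *) echo other ;;
    esac
}

# Step 1: fetch the source package. apt-get source checks the .dsc hash
# chain back to the Release file signature and exits non-zero on an
# unauthenticated source unless --allow-unauthenticated is given, so with
# set -e an unverified package never reaches the build step.
fetch_source() {
    pkg=$1
    apt-get source --only-source --download-only "$pkg"
    dpkg-source -x "$pkg"_*.dsc "$pkg-build"
}

# Step 2: build with the hardening flags plus optional extra CFLAGS.
# Build-dependencies come as binaries from the archive: the bootstrap
# "leap of faith" the ticket description accepts.
build_source() {
    pkg=$1; extra_cflags=${2:-}
    sudo apt-get build-dep -y "$pkg"
    (
        cd "$pkg-build"
        DEB_BUILD_MAINT_OPTIONS=$HARDENING \
        DEB_CFLAGS_APPEND=$extra_cflags DEB_CXXFLAGS_APPEND=$extra_cflags \
        dpkg-buildpackage -us -uc -b
    )
}

# Step 3: refuse to install if any executable in the built .debs is still
# ET_EXEC. Prints the offenders and returns 1, otherwise returns 0.
check_pie() {
    bad=0
    for deb in ./*.deb; do
        tmp=$(mktemp -d)
        dpkg-deb -x "$deb" "$tmp"
        find "$tmp" -type f -perm -u+x > "$tmp.list"
        while IFS= read -r f; do
            if [ "$(elf_type "$f")" = exec ]; then
                echo "not PIE: $deb: ${f#"$tmp"}" >&2
                bad=1
            fi
        done < "$tmp.list"
        rm -rf "$tmp" "$tmp.list"
    done
    return $bad
}

# Step 4: install the rebuilt binaries.
install_built() {
    sudo dpkg -i ./*.deb
}

# usage: ./apt-src-build <source-package> [extra CFLAGS]
if [ "$#" -gt 0 ]; then
    fetch_source "$1"
    build_source "$1" "${2:-}"
    check_pie
    install_built
fi
```

The PIE check inspects the ELF header directly rather than relying on hardening-check from the devscripts package, so it also works on a minimal build system; for a full audit (RELRO, BIND_NOW, fortified functions, stack protector) hardening-check is the better tool.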

Non-Topics:

  • Yes, there really is a USD 3000 bounty on this ticket.
  • We do not want to use EC2 and/or remotely rebuild/maintain the binary archive.
  • We don't think we can host our own [binary] repository of the whole Debian package archive anytime soon.
  • We are aware of reproducible builds. We still want this, also because we are after the compiler hardening enhancements.
  • apt-get source verification is not the issue here. Verifying the maintainer's signature may indeed fail, but apt-get source is also always verified against the apt repository signing key. (See also for explanation.) If you want to discuss this further, let's move it to the forums or a separate ticket.
  • Port to Gentoo: no. We've been through this (https://github.com/Whonix/Gentoo-Port/issues) and decided against it; it would trade this feature for new issues, including security issues [unsigned files]. [off-topic - if you want to discuss this further, please move it to the Whonix forums]
  • Port to other distributions: no.
  • Debian only, not Ubuntu.

previous / more / archived discussion:
http://www.webcitation.org/6gTIAk6Yj


Bounty too low?:

  1. Go to https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code
  2. Click on "Developers"
  3. Click on "Get Started"
  4. Select Status "Bounty too low"
  5. Enter your offer and press "Save".

Mirrored from:
https://phabricator.whonix.org/T207


Mirrored to (restarted the discussion):
https://github.com/Whonix/Whonix/issues/400


On bountysource [*]:
https://www.bountysource.com/issues/9115540

[*] Contains the full history of the discussion. When you are reading on bountysource.com, to save time, I recommend skipping everything up to "I have rewritten the original ticket description".

Details

Impact: Needs Triage

Event Timeline

Patrick raised the priority of this task to Normal.
Patrick added a subscriber: Patrick.
Patrick updated the task description (several times).
Patrick renamed this task from "build debian packages from source code" to "Build Debian Packages from Source Code". Mar 2 2015, 6:06 PM
Patrick set Impact to Needs Triage.