
Build Debian Packages from Source Code
Status: Open | Priority: Normal | Visibility: Public

Description

Info:

  • For better security, ideally, we wouldn't pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
  • sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.
  • The debootstrap system has a fair number of circular dependencies, and no trivial way to break them. Is it allowed to have a leap of faith, to trust some minimal amount of binary packages for the initial bootstrap? Use local system packages and a set of "known-good" binaries to do the initial bootstrap build, then rebuild up from there. (One loop that is non-trivial to break, for instance, is GCC, which requires an Ada compiler to build the Ada compiler. Others I can think of are OpenJDK and ghc.) (modified quote by @NCommander)
  • The user should be able to build Debian / Whonix from scratch from source code. (Whonix already got a functional build script, using debootstrap [binary packages] and apt-get [binary packages], that can be used by anyone to build from source.)
  • The user should be able to run self rebuilds. For one, apt-build world in theory would work nicely for rebuilds from within the running system for us. (Useful to add more compile flags.) Unfortunately, apt-build is unmaintained, its world command is broken, and it is written in Perl. apt-build's feature set and man page look very good.
  • Do you think you could re-implement all the features of apt-build as an apt [download] method, if that makes sense? Aka "apt-build re-implementation in apt". So upstream apt devs get eager to merge and maintain this? So anyone could install any package from Debian sources repository, build and install from source code?
  • rebootstrap is a nice project, but I don't see how that implements the TODO part.
  • If helpful, this ticket could be split into smaller tasks.

TODO:

  • add an option to debootstrap to compile and install all packages from source rather than downloading binary ones
  • add an option to or wrapper around apt-get to allow installation/upgrade of packages from source code
  • It is essential that patches are upstreamed to and merged by Debian!
  • have an option to modify compile flags per package, so we can for example enable compiling as PIE
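As an added illustration of the "wrapper around apt-get" and "per-package compile flags" items (example script, not Whonix's or Debian's own code): it assumes a hypothetical per-package flags table and relies only on the standard apt-get source, dpkg-buildpackage and dpkg-buildflags mechanisms.

```shell
#!/bin/sh
# Hypothetical apt-get source wrapper (added example): rebuild one Debian
# package from its source package with per-package hardening flags, then install.
set -eu

# Per-package overrides of DEB_BUILD_MAINT_OPTIONS (constructed table, not from
# the ticket). Format: "<source package>:<options>". Packages not listed get
# hardening=+all, which enables PIE, RELRO, stack protector, fortify, etc.
PKG_FLAGS="
openssl:hardening=+all
nginx:hardening=+all,-pie
"

# Print the DEB_BUILD_MAINT_OPTIONS value to use for a given package.
flags_for() {
    pkg="$1"
    override=$(printf '%s\n' "$PKG_FLAGS" | awk -F: -v p="$pkg" '$1 == p { print $2; exit }')
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    else
        printf '%s\n' "hardening=+all"
    fi
}

# Fetch, build and install a package from source. apt-get source only unpacks
# a .dsc whose checksums chain back to the signed repository Release file, and
# dpkg-source checks the tarballs against the .dsc, so nothing unverified is built.
# Note: DEB_BUILD_MAINT_OPTIONS only affects packages whose rules use dpkg-buildflags.
build_from_source() {
    pkg="$1"
    workdir=$(mktemp -d)
    cd "$workdir"
    apt-get -y build-dep "$pkg"
    apt-get source "$pkg"
    srcdir=$(find . -mindepth 1 -maxdepth 1 -type d | head -n 1)
    cd "$srcdir"
    DEB_BUILD_MAINT_OPTIONS=$(flags_for "$pkg") \
        dpkg-buildpackage -us -uc -b   # binary-only build, no signing
    cd ..
    dpkg -i ./*.deb
}

# Usage: ./apt-source-build.sh build <source package>
if [ "${1:-}" = "build" ] && [ -n "${2:-}" ]; then
    build_from_source "$2"
fi
```

Running it requires root (or sudo) for build-dep and dpkg -i, and a deb-src line in sources.list.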

Non-Topics:

  • Yes, there is really a $3000 USD bounty on this ticket.
  • We do not want to use EC2 and/or remotely rebuild/maintain the binary archive.
  • We don't think we can host our own [binary] repository of the whole Debian package archive anytime soon.
  • We are aware of reproducible builds. We still want this, also because we are after the compiler hardening enhancements.
  • apt-get source verification is not the issue here. Verifying the signature of the maintainer may fail indeed, but apt-get source is also always verified against the apt repository signing key. (See also for explanation.) If you want to discuss this further, let's move this to the forums or a separate ticket.
  • Port to Gentoo. No. We've been through this (Gentoo) and decided no (https://github.com/Whonix/Gentoo-Port/issues). It would trade this feature against new issues, including security issues [unsigned files]. [off-topic - if you want to discuss this further, please move it to the Whonix forums]
  • Port to other Distributions. No.
  • Debian only. Not Ubuntu.

previous / more / archived discussion:
http://www.webcitation.org/6gTIAk6Yj


Bounty too low?:

  1. Go to https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code
  2. Click on "Developers"
  3. Click on "Get Started"
  4. Select Status "Bounty too low"
  5. Enter your offer and press "Save".

Mirrored from:
https://phabricator.whonix.org/T207


Mirrored to (restarted the discussion):
https://github.com/Whonix/Whonix/issues/400


On bountysource [*]:
https://www.bountysource.com/issues/9115540

[*] Contains the full discussion history. When you are reading on bountysource.com, to save time, I recommend skipping everything up to "I have rewritten the original ticket description".

Details

Impact: Needs Triage

Event Timeline

Patrick created this task. Mar 2 2015, 5:34 PM
Patrick raised the priority of this task to Normal.
Patrick updated the task description.
Patrick added a subscriber: Patrick.
Patrick updated the task description. Mar 2 2015, 5:48 PM
Patrick updated the task description. Mar 2 2015, 5:51 PM
Patrick updated the task description. Mar 2 2015, 5:54 PM
Patrick updated the task description. Mar 2 2015, 5:56 PM
Patrick updated the task description. Mar 2 2015, 5:58 PM
Patrick renamed this task from "build debian packages from source code" to "Build Debian Packages from Source Code". Mar 2 2015, 6:06 PM
Patrick updated the task description. Mar 2 2015, 6:26 PM
Patrick updated the task description. Mar 2 2015, 6:39 PM
Patrick updated the task description. Apr 2 2016, 6:27 PM
Patrick set Impact to Needs Triage.
Patrick updated the task description. Apr 2 2016, 7:46 PM