- For better security, ideally, we wouldn't pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
- sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.
- For building packages from source code, there is `apt-get source --compile pkg-name`. But for it to work, one has to run `apt-get build-dep pkg-name` beforehand, which downloads binary packages. Is it possible to get to a point where all packages that are installed/updated are compiled from source code beforehand? It seems difficult to break the dependency loops. Some more info: https://unix.stackexchange.com/questions/184812/how-to-update-all-debian-packages-from-source-code
- The debootstrap system has a fair number of circular dependencies, and no trivial way to break them. Is it allowed to have a leap of faith, to trust some minimal amount of binary packages for the initial bootstrap? Use local system packages and a set of "known-good" binaries to do the initial bootstrap build, then rebuild up from there. (One loop that is non-trivial to break, for instance, is GCC, which requires an Ada compiler to build the Ada compiler. Others I can think of are OpenJDK and ghc.) (modified quote by @NCommander)
- The user should be able to build Debian / Whonix from scratch from source code. (Whonix already got a functional build script, using debootstrap [binary packages] and apt-get [binary packages], that can be used by anyone to build from source.)
- The user should be able to run self rebuilds. For one, `apt-build world` in theory would work nicely for rebuilds from within the running system for us. (Useful to add more compile flags.) Unfortunately, `apt-build` is unmaintained, `world` is broken, and it is written in perl. `apt-build`'s feature set and man page look very good.
- Do you think you could re-implement all the features of `apt-build` as an apt [download] method, if that makes sense? Aka "apt-build re-implementation in apt". So upstream apt devs get eager to merge and maintain this? So anyone could install any package from the Debian sources repository, building and installing it from source code?
- [rebootstrap](https://wiki.debian.org/HelmutGrohne/rebootstrap) is a nice project, but I don't see how that implements the TODO part.
- [apt-build](https://www.whonix.org/wiki/Dev/apt-build) [...](http://askubuntu.com/questions/29856/how-to-build-all-my-installed-package-from-sources/45257#45257) could help. Unfortunately it is an [orphaned package](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365427). And might have a [security issue](https://lists.debian.org/debian-security/2015/03/msg00020.html).
- If helpful, this ticket could be split into smaller tasks.
* add an option to `debootstrap` to compile all packages from source rather than downloading binary ones
* add an option to or wrapper around `apt-get` to allow installation/upgrade of packages from source code
* It is essential, that patches should be upstreamed to and merged by Debian!
* have an option to modify compile flags per package, so we can for example enable compiling as PIE
- Yes, there is really a $ 3000 USD bounty on this ticket.
- We do not want to use EC2 and/or remotely rebuild/maintain the binary archive.
- We don't think we can host our own [binary] repository of the whole Debian package archive anytime soon.
- We are aware of [reproducible builds](https://wiki.debian.org/ReproducibleBuilds). We still want this, also because we are after the compiler hardening enhancements.
- apt-get source verification is not the issue here. Verifying the signature of the maintainer may indeed fail, but apt-get source is also always verified against the apt repository signing key. ([See also for explanation](http://askubuntu.com/a/509816/389275).) If you want to discuss this further, let's move this to the [forums](https://www.whonix.org/forum/) or a separate [ticket](http://phabricator.whonix.org/).
- Port to Gentoo. No. We've been through this (Gentoo) and decided no (https://github.com/Whonix/Gentoo-Port/issues). It would trade this feature against new issues, including security issues [unsigned files]. [Off-topic: if you want to discuss this further, please move it to the Whonix forums.]
- Port to other Distributions. No.
- Debian only. Not Ubuntu.
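To make the dependency-loop problem and the per-package compile-flag task concrete, here is an added example (not code from this ticket, from Whonix, or from Debian's tooling) that plans a from-source rebuild over a constructed build-dependency graph. The package names and their build-dependencies are made up for illustration (a real graph would come from the Sources index / `apt-cache showsrc`); the `HARDENING` policy table is an assumption. It finds the cycles that force a "leap of faith" set of trusted binaries, orders everything else so each package is built after its build-deps, and assembles the `apt-get build-dep` / `apt-get source --compile` invocation per package with hardening flags passed via `DEB_BUILD_MAINT_OPTIONS`, the variable dpkg-buildflags reads. Nothing is executed; the commands are only assembled.

```python
"""Plan a from-source rebuild of Debian packages (added example, not project code)."""

# Constructed build-dependency graph: package -> packages it build-depends on.
# Loosely mirrors the loops named in the ticket (gcc needs gnat, which needs
# gcc; openjdk needs a JDK to build itself); the rest is illustrative only.
BUILD_DEPS = {
    "gcc": {"gnat", "glibc", "binutils"},
    "gnat": {"gcc"},
    "openjdk": {"openjdk", "glibc"},
    "glibc": {"binutils"},
    "binutils": set(),
    "coreutils": {"glibc"},
    "bash": {"glibc"},
    "tor": {"openssl", "libevent"},
    "openssl": {"glibc"},
    "libevent": {"glibc"},
}

# Assumed per-package hardening policy; the value syntax is the one
# dpkg-buildflags accepts in DEB_BUILD_MAINT_OPTIONS.
HARDENING = {"tor": "hardening=+all", "openssl": "hardening=+all"}
DEFAULT_HARDENING = "hardening=+pie,+bindnow"


def strongly_connected_components(graph):
    """Tarjan's algorithm. Returns SCCs as frozensets, dependencies first
    (each SCC is emitted only after every SCC it depends on)."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    counter = [0]

    def visit(node):
        index[node] = low[node] = counter[0]
        counter[0] += 1
        stack.append(node)
        on_stack.add(node)
        for dep in sorted(graph.get(node, ())):   # sorted: deterministic order
            if dep not in index:
                visit(dep)
                low[node] = min(low[node], low[dep])
            elif dep in on_stack:
                low[node] = min(low[node], index[dep])
        if low[node] == index[node]:              # node is the root of an SCC
            comp = set()
            while True:
                n = stack.pop()
                on_stack.discard(n)
                comp.add(n)
                if n == node:
                    break
            sccs.append(frozenset(comp))

    for node in sorted(graph):
        if node not in index:
            visit(node)
    return sccs


def bootstrap_set(graph):
    """Packages inside a build-dependency cycle (including self-loops).
    These cannot be built purely from source without first trusting a
    binary of them: the minimal 'leap of faith' set."""
    trusted = set()
    for comp in strongly_connected_components(graph):
        if len(comp) > 1 or any(n in graph.get(n, ()) for n in comp):
            trusted |= comp
    return trusted


def build_order(graph):
    """Build order in which every package follows its build-deps; members of
    one cycle are grouped together (they start from the trusted binaries)."""
    order = []
    for comp in strongly_connected_components(graph):
        order.extend(sorted(comp))
    return order


def compile_command(package, hardening=None):
    """Assemble env and argv for the two-step workflow from the ticket:
    `apt-get build-dep` (which still pulls binary build-deps, the gap the
    ticket wants closed) followed by `apt-get source --compile`."""
    opts = hardening or HARDENING.get(package, DEFAULT_HARDENING)
    env = {"DEB_BUILD_MAINT_OPTIONS": opts}
    build_dep = ["apt-get", "build-dep", "-y", package]
    compile_ = ["apt-get", "source", "--compile", package]
    return env, build_dep, compile_


def plan(graph):
    """Trusted bootstrap set plus the ordered list of build steps."""
    trusted = bootstrap_set(graph)
    steps = []
    for pkg in build_order(graph):
        env, build_dep, compile_ = compile_command(pkg)
        steps.append({"package": pkg, "from_trusted_binary": pkg in trusted,
                      "env": env, "commands": [build_dep, compile_]})
    return trusted, steps


if __name__ == "__main__":
    trusted, steps = plan(BUILD_DEPS)
    print("trusted bootstrap binaries:", sorted(trusted))
    for s in steps:
        tag = " (bootstrap from trusted binary)" if s["from_trusted_binary"] else ""
        print(f"{s['package']}{tag}: {s['env']} {' && '.join(map(' '.join, s['commands']))}")
```

Two caveats for anyone turning this into the real wrapper: `DEB_BUILD_MAINT_OPTIONS` only takes effect for packages whose `debian/rules` obtain their flags from `dpkg-buildflags` (the common `dh` case), so a per-package flag override has to be checked against each package's build system; and a package listed in the bootstrap set is only "from source" after a second pass, once the rest of its cycle has been rebuilt from the trusted binaries.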
previous / more / archived discussion:
__Bounty too low?__:
1) Go to https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code
2) Click on "Developers"
3) Click on "Get Started"
4) Select Status "Bounty too low"
5) Enter your offer and press "Save".