Build Debian Packages from Source Code

Information

ID: 207
PHID: PHID-TASK-wksg25ygbvhnvmibndbm
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal

Description

Info:

  • For better security, ideally, we wouldn’t pull binary packages from Debian’s repository during the build of Whonix, but compile all packages from source code.

  • sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.

  • For building packages from source code, there is apt-get source --compile pkg-name. But for it to work, one has to run apt-get build-dep pkg-name beforehand, which downloads binary packages. Is it possible to get to a point where all packages that are installed or updated are compiled from source code beforehand? It seems difficult to break the dependency loops. Some more info: security - How to update all Debian packages from source code? - Unix & Linux Stack Exchange

  • The debootstrap system has a fair number of circular dependencies, and no trivial way to break them. Is it allowed to have a leap of faith and trust some minimal amount of binary packages for the initial bootstrap? Use local system packages and a set of “known-good” binaries to do the initial bootstrap build, then rebuild up from there. (One loop that is non-trivial to break, for instance, is GCC, which requires an Ada compiler to build the Ada compiler. Others I can think of are OpenJDK and ghc.) (modified quote by @NCommander)

  • The user should be able to build Debian / Whonix from scratch from source code. (Whonix already got a functional build script, using debootstrap [binary packages] and apt-get [binary packages], that can be used by anyone to build from source.)

  • The user should be able to run self-rebuilds. For one, apt-build world would in theory work nicely for rebuilds from within the running system for us (useful to add more compile flags). Unfortunately, apt-build is unmaintained, its world command is broken, and it is written in Perl. apt-build’s feature set and man page look very good.

  • Do you think you could re-implement all the features of apt-build as an apt [download] method, if that makes sense? That is, an “apt-build re-implementation in apt”, so that upstream apt developers are eager to merge and maintain it, and anyone can install any package from the Debian sources repository, building and installing it from source code?

  • rebootstrap is a nice project, but I don’t see how that implements the TODO part.

  • apt-build could help. Unfortunately, it is an orphaned package and might have a security issue.

  • If helpful, this ticket could be split into smaller tasks.
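
As an added example (not from the ticket, and not code from any Whonix or Debian tool), the following planner finds the build-dependency cycles that force the “leap of faith” described above, marks those packages as needing a trusted binary seed, and orders everything else so that each package is compiled only after its build-dependencies exist. The dependency graph is constructed for illustration and is not real Debian build-dependency data.

```python
# Build-order planner for a from-source rebuild of a Debian-style package set.
# Packages inside a build-dependency cycle (e.g. a GCC/Ada loop) cannot be
# compiled purely from source and are reported as needing a known-good binary.

# Constructed sample: package -> build-dependencies (simplified, not real data).
BUILD_DEPS = {
    "gcc": {"binutils", "gnat"},   # models the ticket's Ada-compiler loop
    "gnat": {"gcc"},
    "binutils": set(),
    "zlib": {"gcc", "binutils"},
    "openssl": {"gcc", "zlib"},
    "curl": {"gcc", "openssl", "zlib"},
}


def strongly_connected_components(graph):
    """Tarjan's algorithm over 'depends on' edges; returns a list of node sets."""
    index, low, stack, on_stack, result = {}, {}, [], set(), []

    def visit(node):
        index[node] = low[node] = len(index)
        stack.append(node); on_stack.add(node)
        for dep in graph[node]:
            if dep not in index:
                visit(dep)
                low[node] = min(low[node], low[dep])
            elif dep in on_stack:
                low[node] = min(low[node], index[dep])
        if low[node] == index[node]:           # node is the root of an SCC
            comp = set()
            while True:
                n = stack.pop(); on_stack.discard(n); comp.add(n)
                if n == node:
                    break
            result.append(comp)

    for node in graph:
        if node not in index:
            visit(node)
    return result


def plan_bootstrap(deps):
    """Return (seeded, order): packages that need a trusted binary seed to
    break a cycle, and a build order covering every package."""
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    graph = {n: set(deps.get(n, ())) for n in nodes}
    seeded = set()
    for comp in strongly_connected_components(graph):
        if len(comp) > 1 or any(n in graph[n] for n in comp):  # cycle or self-loop
            seeded |= comp
    built, order, pending = set(seeded), [], nodes - seeded
    while pending:
        ready = {p for p in pending if graph[p] <= built}
        if not ready:
            raise RuntimeError("unresolvable: " + ", ".join(sorted(pending)))
        order.extend(sorted(ready)); built |= ready; pending -= ready
    order.extend(sorted(seeded))  # rebuild seeded packages from source last
    return seeded, order
```

A second pass over the returned order, now with every build-dependency freshly compiled, is the “rebuild up from there” step that removes the dependency on the seeded binaries.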


TODO:

  • add an option to debootstrap to compile all packages from source rather than downloading binary ones
  • add an option to, or a wrapper around, apt-get to allow installation/upgrade of packages from source code
  • It is essential that patches are upstreamed to and merged by Debian!
  • have an option to modify compile flags per package, so we can for example enable compiling as PIE

Non-Topics:

  • Yes, there is really a $3000 USD bounty on this ticket.

  • We do not want to use EC2 and/or remotely rebuild/maintain the binary archive.

  • We don’t think we can host our own [binary] repository of the whole Debian package archive anytime soon.

  • We are aware of reproducible builds. We still want this, also because we are after the compiler hardening enhancements.

  • apt-get source verification is not the issue here. Verifying the signature of the maintainer may indeed fail, but apt-get source is also always verified against the apt repository signing key. (See also for explanation.) If you want to discuss this further, let’s move this to the forums or a separate ticket.

  • Port to Gentoo. No. We’ve been through this (Gentoo) and decided no (Issues · Whonix/Gentoo-Port · GitHub). It would trade this feature against new issues, including security issues [unsigned files]. [Off-topic: if you want to discuss this further, please move it to the Whonix forums.]

  • Port to other Distributions. No.

  • Debian only. Not Ubuntu.


previous / more / archived discussion:
http://www.webcitation.org/6gTIAk6Yj


Bounty too low?:

  1. Go to https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code
  2. Click on “Developers”
  3. Click on “Get Started”
  4. Select Status “Bounty too low”
  5. Enter your offer and press “Save”.

Mirrored from:
https://phabricator.whonix.org/T207


Mirrored to (restarted the discussion):
https://github.com/Whonix/Whonix/issues/400


On bountysource [*]:
https://www.bountysource.com/issues/9115540

[*] Contains the full history of the discussion. When you are reading on bountysource.com, to save time, I recommend skipping everything up to “I have rewritten the original ticket description.”

Comments