Using curl / networking during apt updates is bad.
- Either fail open and miss kernel upgrades or fail closed and break apt.
- Networking dependent: if networking is down, slow, etc., the update will fail. The package will exit non-zero and break updating, or the update will be ignored.
- (I plan to merge the tb-starter, tb-updater, tb-default-browser and open-link-confirmation packages, and add the Tor Browser archive (and signature) to the binaries-freedom package, to make the only required networking APT and nothing else. I.e. once packages are fetched, there are no more networking dependencies. This simplifies the build environment, tunneling all connections through Tor/onions during build and whatnot.)
- gpg verification is a major hassle and security risk.
Why do we need to use linux-hardened as a patch? Their git repository looks as if they imported the whole Linux source code from kernel.org and then modified it. Looking at Release 5.4.6.a · anthraxx/linux-hardened · GitHub, they offer both a patch and source code. Maybe we could git clone linux-hardened, then git checkout the tag and build the tag instead? Thereby we could save one step: downloading from kernel.org. (Both would have to be gpg verified. Double work.)
If my above idea works (getting the complete kernel source from linux-hardened), then maybe it would be better to git(hub) fork GitHub - anthraxx/linux-hardened: Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening, and add our compile script and config there? That would also be a good chance to merge our modifications upstream, to get more eyes on it and to reduce/nullify the delta between our fork and upstream.
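The "clone, check out a pinned tag, verify, then build" flow proposed above, written up as an added shell example that is not part of the post and not code from the Whonix or linux-hardened projects. It also shows the fail-closed behaviour the first post asks for: the build step only proceeds when `git verify-tag` succeeds, so an unsigned tag, a missing tag, a bad signature or a missing key all stop the build. To run offline it constructs a throwaway local git repository with one unsigned annotated tag instead of cloning the real linux-hardened repository; the tag name `v0.0.0-demo` and the repository path are constructed placeholders, not real linux-hardened values.

```shell
#!/bin/sh
# Added example (not from the forum post, Whonix or linux-hardened).
# Checks out a git repository at a pinned tag and refuses to continue
# unless the tag carries a valid signature (fail closed).

# fetch_and_verify_tag REPO TAG
# Clones REPO, checks out the tag object named TAG (never a branch head),
# and runs git verify-tag.  Prints the checkout path and returns 0 only
# when every step, including signature verification, succeeds; any other
# outcome returns non-zero so a calling build script aborts.
fetch_and_verify_tag() {
    repo="$1"; tag="$2"
    workdir=$(mktemp -d) || return 1
    src="$workdir/src"
    git clone --quiet --no-checkout "$repo" "$src" 2>/dev/null || return 1
    # Pin to the tag ref itself; a moving branch is not a reproducible input.
    git -C "$src" -c advice.detachedHead=false checkout --quiet "refs/tags/$tag" 2>/dev/null || return 1
    # Fail closed: an unsigned or unverifiable tag must not be built.
    git -C "$src" verify-tag "$tag" 2>/dev/null || return 1
    echo "$src"
}

# make_demo_repo: constructed sample input, a repository with a single
# commit and an UNSIGNED annotated tag, standing in for an upstream clone.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        git init --quiet && git config user.email demo@example.invalid \
            && git config user.name demo \
            && echo 'obj-y += demo.o' > Makefile \
            && git add Makefile && git commit --quiet -m init \
            && git tag -a v0.0.0-demo -m 'unsigned demo tag'
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

# Usage from a build script: stop unless the tag verifies.
#   src=$(fetch_and_verify_tag "$repo" v0.0.0-demo) || { echo 'tag did not verify' >&2; exit 1; }
#   make -C "$src" ...
```

Because the demo tag is unsigned, `fetch_and_verify_tag` returns non-zero here, which is exactly the behaviour wanted: verification is the gate, and the absence of gpg, of the signing key, or of the signature itself all resolve to "do not build" rather than "build anyway".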