mempo / mempo-kernel

Deterministic kernel build scripts, for Linux, mainly for Debian
BSD 3-Clause "New" or "Revised" License

avoid code duplication - upstream to Debian? #31

Open adrelanos opened 9 years ago

adrelanos commented 9 years ago

Do you think you could avoid code duplication?

I don't think it's a good way to have kernel-sources/grsecurity/grsecurity-3.1-3.2.67-201502271837.patch inside this source code repository. When I clone the mempo-kernel repository, how am I supposed to audit that I got the original file? Ideally, I wouldn't have to trust you for this, but just the grsecurity team. Embedding another project's code within your own project is most of the time not great.

Other options would be downloading it as required by a script by the user who builds it or perhaps a git submodule. Both options are not ideal, since it would not be fit for inclusion into official Debian repository.

Could you just rely on https://packages.debian.org/sid/linux-patch-grsecurity2 as a build dependency to get the grsecurity code?

Do you think you can upstream the deterministic-build.patch to Debian? Now that there is the active, awesome https://wiki.debian.org/ReproducibleBuilds project, your efforts would fall into open arms?

There has not been a lot of discussion on mempo/mempo-kernel on the Debian mailing lists.

Can you get this project into shape so we can in future install a grsecurity kernel from the official Debian repository?

mempo commented 9 years ago

Thank you for your interest (and sorry for late reply).

We mirror here the grsecurity patches because they are deleted from the grsecurity.net site (they do not wish to host outdated code, and we wish to host the history for auditing reasons).

There is no other place that holds these files with history (or no more official one).

As for auditing, we also have here a copy of the PGP signatures made by grsecurity upstream. And the build script that we have here, run.sh, does check the signature on all files - both the grsecurity files mirrored here, as well as the kernel.org file (which we do NOT mirror here).

We know about reproducible builds, though no one has yet had time to properly use their work. Perhaps you could? If you would work on this, please contact us in the IRC channel #mempo on irc.oftc.net or irc.freenode.org, or IRC in I2P.

The main site with the repository is now best accessed on the Freenet network, directly using the freenetproject.org program, or via a gateway like:

https://d6.gnutella2.info/freenet/USK@oRy7ltZLJM-w-kcOBdiZS1pAA8P-BxZ3BPiiqkmfk0E,6a1KFG6S-Bwp6E-MplW52iH~Y3La6GigQVQDeMjI6rg,AQACAAE/deb.mempo.org/35/
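One fail-closed way to script the kind of check mempo describes (run.sh verifying the mirrored grsecurity patches and the kernel.org tarball against upstream PGP signatures), written here as an added example that is not mempo-kernel's own run.sh: the signature is verified against a dedicated keyring and the signing key's fingerprint must equal a fingerprint pinned by the caller, so a mirrored patch is accepted only if it is the file upstream signed, regardless of who hosts the copy. The keyring path and the expected fingerprint are assumptions supplied by the caller; no real grsecurity key fingerprint is given here.

```shell
#!/bin/sh
# verify_patch PATCH SIG KEYRING FINGERPRINT
#   PATCH       file to check (e.g. a mirrored grsecurity patch)
#   SIG         detached PGP signature for PATCH
#   KEYRING     keyring file holding ONLY the upstream signing key (path must
#               contain a slash, otherwise gpg looks for it in its home dir)
#   FINGERPRINT expected signing-key fingerprint (hex, spaces allowed), a
#               placeholder supplied by the caller - not a real upstream key
# Returns 0 only when gpg reports VALIDSIG and the fingerprint matches the
# pinned one (signing subkey or primary key); everything else fails closed.
verify_patch() {
  patch=$1; sig=$2; keyring=$3
  want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -f "$patch" ]   || { echo "missing patch: $patch" >&2; return 1; }
  [ -f "$sig" ]     || { echo "missing signature: $sig" >&2; return 1; }
  [ -f "$keyring" ] || { echo "missing keyring: $keyring" >&2; return 1; }
  [ -n "$want" ]    || { echo "no fingerprint pinned" >&2; return 1; }
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }

  # --status-fd 1 gives machine-readable lines; a bad signature or an unknown
  # key makes gpg exit non-zero, which is rejected before the fingerprint check.
  status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
               --status-fd 1 --verify "$sig" "$patch" 2>/dev/null) || {
    echo "signature does not verify: $sig" >&2; return 1; }

  # VALIDSIG <signing-key-fpr> <date> <ts> <expiry> <ver> <rsv> <pk> <hash>
  #          <class> <primary-key-fpr>; accept a match on field 3 or the last.
  match=$(printf '%s\n' "$status" | awk -v want="$want" \
    '/^\[GNUPG:\] VALIDSIG /{ if ($3 == want || $NF == want) print "ok"; exit }')
  [ "$match" = ok ] || { echo "signed by a key other than $want" >&2; return 1; }
  echo "verified: $patch"
}
```

Point the keyring at a file you populated yourself from a key obtained out of band, not one imported from the repository being verified, or the pin adds nothing.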