├── README.md
├── How-to-build-distribution.md
└── how-to-build-stig4debian-package.md


/README.md:
--------------------------------------------------------------------------------
1 | # harbian-doc
2 | Harbian distribution build documents.
3 | 


--------------------------------------------------------------------------------
/How-to-build-distribution.md:
--------------------------------------------------------------------------------
  1 | # 创建基于Debian的发行版harbian的方法 
  2 | 
  3 | ## 总述 
  4 | 
  5 | 所有发行版大体都遵循这个流程：源码版本控制-> 打包制作安装包 -> 归档入库 -> 制作安装介质.创建一个GNU/Linux发行版，核心关注点个人理解就是三个，安装包，仓库，安装介质：
  6 | 
  7 | * 安装包：这项的关注点是如何从源码生成安装包，保证安装包间的依赖关系正确.
  8 | * 仓库：这项的关注点是如何把安装包导入仓库，并保证仓库中索引和数据一致正确.
  9 | * 安装介质：这项的关注点是从仓库同步获取最新的软件包，制作成可用可引导介质，比如安装光盘，安装U盘.
 10 | 
 11 | 
 12 | ## 准备工作 
 13 | 由于debian上游仓库至少有130G的大小，故对于存储空间的分配则必须等于130+100G的大小；
 14 | 
 15 | ## 如何同步上游仓库
 16 | 
 17 | 创建参考配置，如下所示：
 18 | 
 19 | * 执行命令 `gpg --gen-key`创建签名密钥对，导入当前管理仓库所在的机器，若已经有密钥对，可以使用命令gpg --list-signatures进行查看。 
 20 | * 在repo目录 创建`reprepro`需要的配置:  
 21 | 
 22 | * conf/distributions
 23 | 
 24 | ```
 25 | Origin: harbian
 26 | Label: harbian Linux Server Main Repo
 27 | Codename: harbian
 28 | Suite: stable
 29 | Architectures: i386 amd64 source
 30 | Components: main non-free contrib
 31 | UDebComponents: main
 32 | Contents: udebs percomponent allcomponents
 33 | Description: harbian Linux Server 
 34 | SignWith: 35AB332DCEEDF90A9EAE1D717A087DAA168064B5
 35 | Log: harbian.log
 36 | Update: upstream-main
 37 | ```
 38 | 
 39 | * conf/updates
 40 | 
 41 | ```
 42 | Name: upstream-main
 43 | Method: http://mirrors.163.com/debian/
 44 | Suite: stretch
 45 | Components: main contrib non-free
 46 | Architectures: i386 amd64 source
 47 | GetInRelease: no
 48 | FilterSrcList: install filterlist/debian-stretch-src
 49 | VerifyRelease: blindtrust
 50 | ```
 51 | 
 52 | * conf/incoming
 53 | 
 54 | ```
 55 | Name: default
 56 | IncomingDir: incoming/
 57 | TempDir: temp/
 58 | MorgueDir: morgue/
 59 | LogDir: incoming-logs/
 60 | Allow: harbian stretch>harbian
 61 | Permit: unused_files older_version
 62 | Cleanup: unused_files on_deny on_error
 63 | ```
 64 | 
 65 | * 最后执行命令 
 66 | ```
 67 | harbian@debian:~/harbian-repo$ reprepro -V update  > ~/log 2>&1
 68 | ```
 69 | 
 70 | 查看执行结果：
 71 | ```
 72 | harbian@debian:~/harbian-repo$ tailf ~/log 
 73 | Reading filelist for pool/main/l/linux/xfs-modules-4.9.0-6-amd64-di_4.9.82-1+deb9u3_amd64.udeb
 74 | Reading filelist for pool/main/x/xfsprogs/xfsprogs-udeb_4.9.0+nmu1_amd64.udeb
 75 | Reading filelist for pool/main/x/xorg-server/xserver-xorg-core-udeb_1.19.2-1+deb9u2_amd64.udeb
 76 | Reading filelist for pool/main/x/xserver-xorg-input-evdev/xserver-xorg-input-evdev-udeb_2.10.5-1_amd64.udeb
 77 | Reading filelist for pool/main/x/xserver-xorg-input-libinput/xserver-xorg-input-libinput-udeb_0.23.0-2_amd64.udeb
 78 | Reading filelist for pool/main/x/xserver-xorg-video-fbdev/xserver-xorg-video-fbdev-udeb_0.4.4-1+b5_amd64.udeb
 79 | Reading filelist for pool/main/z/zlib/zlib1g-udeb_1.2.8.dfsg-5_amd64.udeb
 80 |  generating uContents-amd64...
 81 | Successfully created './dists/harbian/Release.gpg.new'
 82 | Successfully created './dists/harbian/InRelease.new'
 83 | ```
 84 | 
 85 | 
 86 | ## 如何打包
 87 | 
 88 | ### 准备工作  
 89 | 为保证完整的软件包 (重) 构建能顺利进行,你必须保证系统中已经安装： 
 90 | 
 91 | * build-essential 软件包;  
 92 | * Build-Depends域的软件包;  
 93 | * Build-Depends-indep域的软件包  
 94 | 
 95 | 然后在源代码目录中执行以下命令:
 96 | ```
 97 | $ dpkg-buildpackage -us -uc
 98 | ``` 
 99 | 会自动完成所有从源代码包构建二进制包的工作.
100 | 
101 | ### 全新的包的方法 
102 | 
103 | ### 已有的包的方法 
104 | 
105 | ## 制作安装介质 
106 | 
107 | 
108 | ## Reference  
109 | 
110 | https://www.debian.org/mirror/list  
111 | https://github.com/panhaitao/TheRoadToLinuxDistributions  
112 | 
113 | 


--------------------------------------------------------------------------------
/how-to-build-stig4debian-package.md:
--------------------------------------------------------------------------------
  1 | # 如何对stig-4-debian项目进行打包 
  2 | 
  3 | ## 安装需要的包 
  4 | 
  5 | ```
  6 | ~$ sudo apt-get install build-essential dh-make debhelper lintian git
  7 | ```
  8 | 
  9 | ## 配置dh_make所需要的环境变量 
 10 | 
 11 | ```
 12 | $ cat >>~/.bashrc <<EOF
 13 | DEBEMAIL="sccxboy@gmail.com"
 14 | DEBFULLNAME="Samson W"
 15 | export DEBEMAIL DEBFULLNAME
 16 | EOF
 17 | $ . ~/.bashrc
 18 | ```
 19 | 
 20 | ## 下载源代码 
 21 | 
 22 | 新建一个目录stig-deb-test，将STIG-4-Debian源代码下载到此目录，并进行初始化：
 23 | 
 24 | ```
 25 | ~$ cd stig-deb-test
 26 | ~/stig-deb-test$ git clone https://github.com/hardenedlinux/STIG-4-Debian.git
 27 | ```
 28 | 
 29 | ## 修改源代码 
 30 | 
 31 | 为了使在主脚本中调用的脚本存放至/usr/lib目录下面，对原始代码进行添加与修改： 
 32 | 
 33 | 为了满足FHS（Filesystem Hierarchy Standard，具体可见参考1），需要将执行文件、使用到的库等放置到对应的目录中。
 34 | ```
 35 | stig4debian-0.1.0$ sed -i '/\/usr\/share\/doc\/gnome\/copyright/iSCRIPTS_DIR="/usr/lib/stig4debian/"' stig-4-debian.sh
 36 | stig4debian-0.1.0$ sed -i 's/scripts/${SCRIPTS_DIR}\/scripts/g' stig-4-debian.sh 
 37 | stig4debian-0.1.0$ sed -i 's/html\//\/usr\/lib\/stig4debian\/html\//g' stig-4-debian.sh 
 38 | stig4debian-0.1.0$ sed -i 's/stig-debian-9.txt/\/usr\/lib\/stig4debian\/stig-debian-9.txt/g' stig-4-debian.sh 
 39 | stig4debian-0.1.0$ sed -i 's/_LOG=/_LOG=\/var\/log\/stig4debian\//g' stig-4-debian.sh 
 40 | stig4debian-0.1.0$ sed -i '$s/STIG-for-Debian-/\/var\/log\/stig4debian\/STIG-for-Debian-/g' stig-4-debian.sh  
 41 | stig4debian-0.1.0$ sed -i 's/manual.txt/\/usr\/lib\/stig4debian\/manual.txt/g' stig-4-debian.sh
 42 | stig4debian-0.1.0$ mv stig-4-debian.sh stig4debian
 43 | ```
 44 | 
 45 | 
 46 | ## 对原始代码打包并进行初始化  
 47 | 
 48 | ```
 49 | ~/stig-deb-test$ tar zcvf STIG-4-Debian.tar.gz STIG-4-Debian/
 50 | ~/stig-deb-test$ cd STIG-4-Debian
 51 | ~/stig-deb-test$ dh_make -f ../STIG-4-Debian.tar.gz
 52 | ``` 
 53 | 
 54 | 如上所示进行初始化时，会因为没有遵循Debian Free Software Guidelines的规定而不能够在dh_make进行初始化时成功，根据DFSG规则，对于软件包名的构成只能含有小写字母 (a-z), 数字 (0-9), 加号 (+) 和减号 (-) ,以及点号 (.)。软件包名最短长度两个字符;
 55 | 它必须以字母开头;它不能与仓库软件包名发生冲突。
 56 | 
 57 | 故需要对原来的工程名称进行修改，返回第三步tar的操作处先进行修改名称 
 58 | 
 59 | ```
 60 | ~/stig-deb-test$ mv STIG-4-Debian stig4debian-0.1.0/
 61 | ~/stig-deb-test$  tar -czvf stig4debian_0.1.0.tar.gz --exclude=.git stig4debian-0.1.0/
 62 | ~/stig-deb-test$ cd stig4debian-0.1.0/
 63 | ~/stig-deb-test/stig4debian-0.1.0$ dh_make -f ../stig4debian_0.1.0.tar.gz
 64 | ```
 65 | 
 66 | ## 修改debian目录下的相关文件  
 67 | 
 68 | 在使用dh_make命令进行了初始化工作后，多了一个debian目录，此目录下有许多文件，这些文件是和定制软件包行为相关的文件。
 69 | 
 70 | 在此目录下必需的文件主要是control、copyright、changelog、rules这四个文件。根据实际情况进行文件的修改，除changelog、compat、control、copyright、rules等文件及source目录保留外，其它删除掉。
 71 | 
 72 | ### control文件  
 73 | 
 74 | ```
 75 | Source: stig4debian
 76 | Section: admin
 77 | Priority: optional
 78 | Maintainer: Samson W <sccxboy@gmail.com>
 79 | Build-Depends: debhelper (>= 9)
 80 | Standards-Version: 3.9.8
 81 | Homepage: https://github.com/hardenedlinux/STIG-4-Debian
 82 | Vcs-Git: https://github.com/hardenedlinux/STIG-4-Debian.git
 83 | Vcs-Browser: https://github.com/hardenedlinux/STIG-4-Debian.git
 84 | 
 85 | Package: stig4debian
 86 | Architecture: all
 87 | Depends: ${misc:Depends}
 88 | Description: DISA STIG for Debian 9 Porting from DISA RHEL 7 STIG V1 R1.
 89 |  DISA STIG(Security Technical Implementation Guides) for Debian 9 Porting from DISA RHEL 7 STIG V1 R1.
 90 | ```
 91 | 
 92 | ### rules 
 93 | 
 94 | ```
 95 | #!/usr/bin/make -f
 96 | # See debhelper(7) (uncomment to enable)
 97 | # output every command that modifies files on the build system.
 98 | export DH_VERBOSE = 1
 99 | 
100 | 
101 | # see FEATURE AREAS in dpkg-buildflags(1)
102 | #export DEB_BUILD_MAINT_OPTIONS = hardening=+all
103 | 
104 | # see ENVIRONMENT in dpkg-buildflags(1)
105 | # package maintainers to append CFLAGS
106 | #export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
107 | # package maintainers to append LDFLAGS
108 | #export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
109 | 
110 | 
111 | %:
112 | 	dh $@
113 | 
114 | 
115 | # dh_make generated override targets
116 | # This is example for Cmake (See https://bugs.debian.org/641051 )
117 | #override_dh_auto_configure:
118 | #	dh_auto_configure -- #	-DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH)
119 | 
120 | override_dh_install:
121 | 	install -d debian/stig4debian/usr/bin/
122 | 	install -g root -o root -m 755 -p stig4debian debian/stig4debian/usr/bin/stig4debian
123 | 	install -d debian/stig4debian/usr/lib/stig4debian/scripts/
124 | 	install -g root -o root -m 644 -p scripts/* debian/stig4debian/usr/lib/stig4debian/scripts/
125 | 	install -d debian/stig4debian/usr/lib/stig4debian/html/
126 | 	install -g root -o root -m 644 -p html/*  debian/stig4debian/usr/lib/stig4debian/html/
127 | 	install -g root -o root -m 644 -p stig-debian-9.txt  debian/stig4debian/usr/lib/stig4debian/
128 | 	install -g root -o root -m 644 -p manual.txt  debian/stig4debian/usr/lib/stig4debian/
129 | 	install -d debian/stig4debian/var/log/stig4debian/
130 | 	install -d debian/stig4debian/usr/share/man/man1/
131 | 	install -g root -o root -m 644 -p README.md debian/stig4debian/usr/share/man/man1/stig4debian.1
132 | ```
133 | 
134 | 以上的override_dh_install表示忽略掉默认的dh_install的操作，而使用
135 | override_dh_install定义的动作；
136 | 
137 | 
138 | ## copyright
139 | ```
140 | Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
141 | Upstream-Name: stig4debian
142 | Source: https://github.com/hardenedlinux/STIG-4-Debian
143 | 
144 | Files: *
145 | Copyright: 2015-2017 Samson sccxboy@gmail.com
146 | License: GPL-3.0+
147 | 
148 | Files: debian/*
149 | Copyright: 2017 Samson W <sccxboy@gmail.com>
150 | License: GPL-3.0+
151 | 
152 | License: GPL-3.0+
153 |  This program is free software: you can redistribute it and/or modify
154 |  it under the terms of the GNU General Public License as published by
155 |  the Free Software Foundation, either version 3 of the License, or
156 |  (at your option) any later version.
157 |  .
158 |  This package is distributed in the hope that it will be useful,
159 |  but WITHOUT ANY WARRANTY; without even the implied warranty of
160 |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
161 |  GNU General Public License for more details.
162 |  .
163 |  You should have received a copy of the GNU General Public License
164 |  along with this program. If not, see <https://www.gnu.org/licenses/>.
165 |  .
166 |  On Debian systems, the complete text of the GNU General
167 |  Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
168 | ```
169 | 
170 | ##  编译  
171 | 
172 | ### 编译签名的包 
173 | ```
174 | stig4debian-0.1.0$ dpkg-buildpackage 
175 | ```
176 | 
177 | ### 编译不进行签名的包 
178 | ```
179 | stig4debian-0.1.0$ dpkg-buildpackage -us -uc
180 | ```
181 | 
182 | 编译不进行签名的包主要是为了让没有签名密钥的用户安装方便，但是必须进行sha512sum的计算，并提供给用户sha512sum的值的文件，以保证安装包没有被篡改过。
183 | 
184 | ### 生成sha512sum文件   
185 | ``` 
186 | $ sha512sum stig4debian_0.1.0-1_all.deb  > stig4debian_0.1.0-1_all.deb.sha512sum
187 | ```
188 | 
189 | 查看编译出deb包：
190 | 
191 | ```
192 | stig4debian-0.1.0$ ls ../*.deb
193 | ../stig4debian_0.1.0-1_all.deb
194 | ```
195 | 
196 | ## 编译环境的清理
197 | ```
198 | stig4debian-0.1.0$ dh_clean
199 | ```
200 | 
201 | 
202 | ## 静态分析生成的deb包 
203 | 
204 | ```
205 | stig4debian-0.1.0$ lintian ../stig4debian_0.1.0-1_all.deb 
206 | W: stig4debian: new-package-should-close-itp-bug
207 | E: stig4debian: copyright-contains-dh_make-todo-boilerplate
208 | W: stig4debian: extended-description-line-too-long
209 | W: stig4debian: script-with-language-extension usr/bin/stig4debian
210 | W: stig4debian: manpage-has-bad-whatis-entry usr/share/man/man1/stig4debian.1.gz
211 | W: stig4debian: binary-without-manpage usr/bin/stig4debian
212 | ```
213 | 
214 | ## 本地安装包 
215 | 
216 | 若是对于没有签名密钥的用户进行安装未进行签名的包的安装时，首先要进行sha512sum什值的检查，以保证安装包的安全性；  
217 | 
218 | ### sha512sum值的检查 
219 | ```
220 | sha512sum -c stig4debian_0.1.0-1_all.deb.sha512sum
221 | stig4debian_0.1.0-1_all.deb: OK
222 | ```
223 | 
224 | ### 进行安装 
225 | ```
226 | stig4debian-0.1.0# dpkg -i ../stig4debian_0.1.0-1_all.deb 
227 | Selecting previously unselected package stig4debian.
228 | (Reading database ... 41091 files and directories currently installed.)
229 | Preparing to unpack ../stig4debian_0.1.0-1_all.deb ...
230 | Unpacking stig4debian (0.1.0-1) ...
231 | Setting up stig4debian (0.1.0-1) ...
232 | Processing triggers for man-db (2.7.6.1-2) ...
233 | ```
234 | 
235 | ## 本地卸载包 
236 | 
237 | ```
238 | stig4debian-0.1.0# dpkg -r stig4debian
239 | (Reading database ... 41096 files and directories currently installed.)
240 | Removing stig4debian (0.1.0-1) ...
241 | Processing triggers for man-db (2.7.6.1-2) ...
242 | ```
243 | 
244 | ## 参考
245 | 
246 | (1) https://www.debian.org/doc/packaging-manuals/fhs/fhs-2.3.html  
247 | (2) https://www.debian.org/doc/manuals/maint-guide/index.en.html  
248 | (3) https://debian-handbook.info/download/stable/debian-handbook.pdf   
249 | 
250 | 
251 | 
252 | 


--------------------------------------------------------------------------------