├── How-to-build-distribution.md
├── README.md
├── build-your-own-debian-mini-buildd-autobuilder.md
├── build_your_own_debian_distro_iso.md
└── how-to-build-stig4debian-package.md

--------------------------------------------------------------------------------
/How-to-build-distribution.md:
--------------------------------------------------------------------------------

# How to create harbian, a Debian-based distribution

## Overview

Every distribution follows roughly the same pipeline: source version control -> building installable packages -> archiving them in a repository -> building installation media. For a GNU/Linux distribution the three core concerns are packages, repository and installation media:

* Packages: how to build installable packages from source, and keep the dependency relations between packages correct.
* Repository: how to import packages into the repository, and keep the repository index consistent with the data it describes.
* Installation media: how to pull the latest packages from the repository and turn them into usable, bootable media such as an installation DVD or USB stick.


## Preparation

The upstream Debian archive is at least 130 GB, so plan on 130 GB plus about 100 GB of headroom for storage.

## Syncing the upstream archive

Create the reference configuration as follows:

* Run `gpg --gen-key` to create a signing key pair on the machine that manages the repository (or import an existing pair there). If you already have a key pair, `gpg --list-signatures` shows it.
* In the repo directory, create the configuration `reprepro` needs:

* conf/distributions

```
Origin: harbian
Label: harbian Linux Server Main Repo
Codename: harbian
Suite: stable
Architectures: i386 amd64 source
Components: main non-free contrib
UDebComponents: main
Contents: udebs percomponent allcomponents
Description: harbian Linux Server
SignWith: 35AB332DCEEDF90A9EAE1D717A087DAA168064B5
Log: harbian.log
Update: upstream-main
```

`SignWith` is the fingerprint of the key created in the previous step; reprepro signs `Release` with it on every export.

* conf/updates

```
Name: upstream-main
Method: http://mirrors.163.com/debian/
Suite: stretch
Components: main contrib non-free
Architectures: i386 amd64 source
GetInRelease: no
FilterSrcList: install filterlist/debian-stretch-src
VerifyRelease: blindtrust
```

`VerifyRelease: blindtrust` makes reprepro import whatever the mirror serves without checking the upstream `Release.gpg`. That is acceptable for a throwaway test; for anything else put the fingerprint of the key that signs the upstream `Release` there, so that a tampered mirror is rejected instead of being re-signed with your own key.

* conf/incoming

```
Name: default
IncomingDir: incoming/
TempDir: temp/
MorgueDir: morgue/
LogDir: incoming-logs/
Allow: harbian stretch>harbian
Permit: unused_files older_version
Cleanup: unused_files on_deny on_error
```

* Finally run
```
harbian@debian:~/harbian-repo$ reprepro -V update > ~/log 2>&1
```

Watch the result (`tailf` has been removed from util-linux; `tail -f` does the same):
```
harbian@debian:~/harbian-repo$ tail -f ~/log
Reading filelist for pool/main/l/linux/xfs-modules-4.9.0-6-amd64-di_4.9.82-1+deb9u3_amd64.udeb
Reading filelist for pool/main/x/xfsprogs/xfsprogs-udeb_4.9.0+nmu1_amd64.udeb
Reading filelist for pool/main/x/xorg-server/xserver-xorg-core-udeb_1.19.2-1+deb9u2_amd64.udeb
Reading filelist for pool/main/x/xserver-xorg-input-evdev/xserver-xorg-input-evdev-udeb_2.10.5-1_amd64.udeb
Reading filelist for pool/main/x/xserver-xorg-input-libinput/xserver-xorg-input-libinput-udeb_0.23.0-2_amd64.udeb
Reading filelist for pool/main/x/xserver-xorg-video-fbdev/xserver-xorg-video-fbdev-udeb_0.4.4-1+b5_amd64.udeb
Reading filelist for pool/main/z/zlib/zlib1g-udeb_1.2.8.dfsg-5_amd64.udeb
generating uContents-amd64...
Successfully created './dists/harbian/Release.gpg.new'
Successfully created './dists/harbian/InRelease.new'
```


## Packaging

### Preparation
For a complete package (re)build to succeed, the system must have installed:

* the build-essential package;
* the packages listed in the Build-Depends field;
* the packages listed in the Build-Depends-Indep field.

Then run the following command in the source directory:
```
$ dpkg-buildpackage -us -uc
```
It performs all the steps of building the binary packages from the source package (`-us -uc` skip signing the source package and the `.changes` file).

### Method for a brand-new package

### Method for an existing package

## Building installation media


## Reference

https://www.debian.org/mirror/list
https://github.com/panhaitao/TheRoadToLinuxDistributions

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# harbian-doc
Harbian distribution build documents.
--------------------------------------------------------------------------------
/build-your-own-debian-mini-buildd-autobuilder.md:
--------------------------------------------------------------------------------

Debian's official autobuilder is `wanna-build`, but it is too heavy for our purpose: we only need to rebuild packages from the sources downloaded from the official Debian repositories. The main reason, though, is that `wanna-build` is not well documented. So we chose `mini-buildd`.

### Compile the mini-buildd package

#### Add the unstable repo

Edit `/etc/apt/sources.list` and add the following repositories. Do this on a dedicated build machine or VM: mixing sid and experimental into a stable system's sources is an easy way to break it.

```
deb http://ftp.cn.debian.org/debian sid main
deb-src http://ftp.cn.debian.org/debian sid main
deb http://ftp.cn.debian.org/debian experimental main
deb-src http://ftp.cn.debian.org/debian experimental main
```

Update the apt cache

```
apt update
apt upgrade
```

#### Install dependencies

```
apt install build-essential git debhelper-compat po-debconf python3-sphinx python3-pygraphviz help2man python3-dateutil python3-argcomplete python3-keyring python3-daemon python3-pyftpdlib python3-django python3-django-registration python3-bs4 python3-setuptools
apt install -t buster dh-python
apt install -t experimental python3-twisted
```

#### Download the source and build the packages

```
cd ~
git clone https://salsa.debian.org/debian/mini-buildd.git
cd mini-buildd
git checkout debian/1.1.36
dpkg-buildpackage
```



Install the mini-buildd packages

```
cd ../
sudo dpkg -i mini-buildd_1.1.36_all.deb mini-buildd-doc_1.1.36_all.deb mini-buildd-utils_1.1.36_all.deb python3-mini-buildd_1.1.36_all.deb
```

Fix the broken dependencies and set the mini-buildd password (debconf asks for it while the package is configured)

```
apt --fix-broken install -y
```
Modify for IPv4 (this patches a file owned by the package, so redo it after every upgrade of mini-buildd):
```
sed -i 's/tcp6:port/tcp:port/' /usr/sbin/mini-buildd
systemctl stop mini-buildd.service
systemctl start mini-buildd.service
```
Now we can visit `http://<server>:8066/` (the address of the mini-buildd host) for further configuration

### Configure the mini-buildd autobuilder server


Open the `Configuration` page and log in

#### Configure the Daemon section

Click `Daemon` -> `mini-buildd: Serving 0 repositories, 0 chroots, using 0 remotes`

change `Email address:` to a proper value
change `Sbuild jobs:` according to your CPU cores

and save the changes

Select the box of `mini-buildd: Serving 0 repositories, 0 chroots, using 0 remotes` and click `Prepare`
Select the box again and click `Check`
Select the box again and click `Activate`

Return to the `Configuration homepage`

#### Configure the Sources section

Click `local` in the `Archives` row. This adds the repositories listed in `/etc/apt/sources.list` to mini-buildd.
You can click `Archives` to check, or add them manually via the `+Add` button.


| ARCHIVE                                                |
| ------------------------------------------------------ |
| http://mirrors.163.com/debian-security/ (ping -1.0 ms) |
| http://mirrors.163.com/debian/ (ping -1.0 ms)          |

Click `Debian` in the `Sources` row. This adds the well-known Debian sources; the number `18` on a red background is the count of sources added, all of them still in the `Removed` state.

| COLORED STATUS | SOURCE                                      | 1 ORIGIN         | 2 CODEVERSION | 3 CODENAME               |
| -------------- | ------------------------------------------- | ---------------- | ------------- | ------------------------ |
| Removed (-)    | Debian 'bullseye'                           | Debian           |               | bullseye                 |
| Removed (-)    | Debian 'bullseye-security'                  | Debian           |               | bullseye-security        |
| Removed (-)    | Debian 'buster'                             | Debian           |               | buster                   |
| Removed (-)    | Debian 'buster/updates'                     | Debian           |               | buster/updates           |
| Removed (-)    | Debian 'jessie'                             | Debian           |               | jessie                   |
| Removed (-)    | Debian 'jessie/updates'                     | Debian           |               | jessie/updates           |
| Removed (-)    | Debian 'sid'                                | Debian           |               | sid                      |
| Removed (-)    | Debian 'stretch'                            | Debian           |               | stretch                  |
| Removed (-)    | Debian 'stretch/updates'                    | Debian           |               | stretch/updates          |
| Removed (-)    | Debian 'wheezy'                             | Debian           |               | wheezy                   |
| Removed (-)    | Debian 'wheezy/updates'                     | Debian           |               | wheezy/updates           |
| Removed (-)    | Debian Backports 'buster-backports'         | Debian Backports |               | buster-backports         |
| Removed (-)    | Debian Backports 'jessie-backports'         | Debian Backports |               | jessie-backports         |
| Removed (-)    | Debian Backports 'jessie-backports-sloppy'  | Debian Backports |               | jessie-backports-sloppy  |
| Removed (-)    | Debian Backports 'stretch-backports'        | Debian Backports |               | stretch-backports        |
| Removed (-)    | Debian Backports 'stretch-backports-sloppy' | Debian Backports |               | stretch-backports-sloppy |
| Removed (-)    | Debian Backports 'wheezy-backports'         | Debian Backports |               | wheezy-backports         |
| Removed (-)    | Debian Backports 'wheezy-backports-sloppy'  | Debian Backports |               | wheezy-backports-sloppy  |

We can delete the releases we don't need by clicking the release name, like "wheezy", and clicking `Delete`.
In this example we keep only

| COLORED STATUS | SOURCE                                      | 1 ORIGIN         | 2 CODEVERSION | 3 CODENAME               |
| -------------- | ------------------------------------------- | ---------------- | ------------- | ------------------------ |
| Removed (-)    | Debian 'buster'                             | Debian           |               | buster                   |
| Removed (-)    | Debian 'buster/updates'                     | Debian           |               | buster/updates           |
| Removed (-)    | Debian 'sid'                                | Debian           |               | sid                      |
| Removed (-)    | Debian Backports 'buster-backports'         | Debian Backports |               | buster-backports         |

Then select all of them and click `Prepare`, then `Check`, then `Activate`

You can add priority sources by clicking `Extras` in the `Priority sources` row.

Click `Apt keys` in the `Sources` section. These are the archive keys the sources above refer to, so keep the ones belonging to the sources you kept; the keys marked `Removed` can be deleted

| COLORED STATUS | APT KEY           |
| -------------- | ----------------- |
| Removed (-)    | CBF8D6FD518E17E1: |
| Removed (-)    | 9D6D8F6BC857C906: |
| Removed (-)    | 7638D0442B90D010: |
| Removed (-)    | 6FB2A1C265FFB764: |
| Removed (-)    | 8B48AD6246925553: |

delete them one by one.

#### Configure the Repositories section

Click `Defaults` in the `Layouts` row to add the default layouts
Click `Layouts` to configure the `Default` layout, then click `Show` under `Version Options`

Change
```
Mandatory version regex: ~%IDENTITY%%CODEVERSION%\+[1-9]
Experimental mandatory version regex: ~%IDENTITY%%CODEVERSION%\+0
```
to

```
Mandatory version regex: .*
Experimental mandatory version regex: .*
```

The default regexes force every upload to carry a `~<identity><codeversion>+N` suffix, which keeps rebuilt packages distinguishable from, and sorting below, the upstream versions they were built from. `.*` switches that guard off: an upload may then carry exactly the upstream version, and apt can no longer tell the two archives apart (the `htop`/`htop-dbgsym` install at the end of this document shows the effect).


Click `Distributions` to add the distribution information
Click the `test: sid buster` row to check the repository information, and under `Available distributions` move the ones you want from the left box to the right box.

And then click `Repositories`, select the `test: sid buster` row and click `Prepare`, then `Check`, then `Activate`

The `Prepare` step takes about 1 minute.

Click `Uploaders` in the `Rep"ositories` section.
Click `'admin' may upload to '' with key ': '`; you can put your GPG public key in `Key:`

for example

```
gpg --gen-key

Real name: hardenedlinux Archive Team
Email address: hardenedlinux_archive_team@hardenedlinux.org
```
Note: an empty passphrase is convenient for a test setup, but it leaves the upload key usable by anyone who can read `~/.gnupg`; for a real archive set a passphrase and let gpg-agent cache it.

show the key id and export the public key.

list the keys
```
gpg -k

/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2020-08-01 [SC] [expires: 2022-08-01]
      7D492015C7A54E339866843048B077394958138D
uid           [ultimate] hardenedlinux Archive Team <hardenedlinux_archive_team@hardenedlinux.org>
sub   rsa3072 2020-08-01 [E] [expires: 2022-08-01]
```

export the public key

```
gpg --armor --export 7D492015C7A54E339866843048B077394958138D
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBF8lGHwBDADxjXXFVrOd5//VcP6OSrNiCYJ+ma2FKYIPnequHdYrggmhf9/g
V0jrQydTPb9U6SLad99nPTr/QqdYgiIcCy3ouuw5TIvZX1C1ND+T8H8ogKfEJlmC
i09jDUlnoq96pvZ1RLpz5wQHbwvGOHQcmu359yeUNL9gMp44xQv/i4BVTNHaYxMk
UD4Tm4FcVliYP4/yyQY9i01cwaKeFKtjgyd09XUTQhxC+OO98sIx85kWEwtWYEWU
Vheak5j6LCQ0Ynoqs54M4mfIsdaK/rbFD0jgtSbBq+7uzDVsQcapbvwC4FsOD4bJ
IgBHgU5lDthhvJGWwewub7/1unyFTiQ2TIjSci5WhZzW39nynLafwtsgRTvu9lhR
IQXf/AZX/7FLR5ocbE8qPOgj6kox0btNneQT7H80PFxPBw+2ADzPACn1XEJDUuHG
rFw7FkC6QrKmQrpYhY9K/zhHBSACAVq6x3iimN3D7j8zM22HeDpqTUEqEl4U877K
l6PnjaAJQdWO6wEAEQEAAbRJaGFyZGVuZWRsaW51eCBBcmNoaXZlIFRlYW0gPGhh
cmRlbmVkbGludXhfYXJjaGl2ZV90ZWFtQGhhcmRlbmVkbGludXgub3JnPokB1AQT
AQoAPhYhBH1JIBXHpU4zmGaEMEiwdzlJWBONBQJfJRh8AhsDBQkDwmcABQsJCAcC
BhUKCQgLAgQWAgMBAh4BAheAAAoJEEiwdzlJWBONw3kMANTiT6LYQMaV0nyPc2ZH
M/EjX2XmyrzYF6hYC4MNT/Qh3FZCcIdOFUpxo/1e1WFHwF0cLV2Wr80eoOh7pCXF
Cw7nuaWUMQy93dW0FU8Kp5YS+Xg7KK8eQy5B4PKQd2zqGlcV7Dz6zosjKwN/adOj
hphYDANlI2PyH0p0fQoIkBLQK8N16Dm+FrY+UQ1xQ9GIn0orrTRgLUwFntQvVI1Y
O2FQZ6tmdUJqkBV8o/iu8ZXmTmf25/2oENp+IQtK0dyO2dXNDqUWqmoldPD/ItgO
s3QKEQEZHVsK8Mh1MsGdIesiKcx3F8llcJE9/eza702xezUYnoiIqY4rOAC+JEmS
Sz+LkJrjP/KMnV5hkxJTT0UABNxoHEpNDOjep1XO+E1ucZi0nYM0yFcf3Z5agFjl
OqCb2a9ZE2TXsz1+c44WYLR7qFrrFTQwWEZGTIeyQfMASn4IZMF3kcWB9cd6UZDJ
R/aGuWNrdAMnB0aJnJDCUp9U4KOJb0kHOxOp0fVAnzh46LkBjQRfJRh8AQwA60cx
7R+TAZsDAimK0gRoSuDeQdHoP9qmOXWTwTKbYu+NYV+abnL7cFkjiuUBfLiq8iY0
0OhgTHzjtscKPWXJD29od4tFvsg61aXo7lXbcNtRPissStTC6qgysbBZpWEg60Fk
MNxR8dkuu2W1ApWozZicPZjS77WFPmt2482qxMnCeXjQD+RTM4mIyhdUkhPHWrAZ
xdBMce+c6vlUgwDbLmg0Tp0dupxEneMDIndKcDucdcXUuwJ+NvwyPDubpxLF/+NM
0cRGOk7Cbae2AVLjOnsG6BItW/cA6OdUY5uIEqOrsf4pXqXOTknnvNmcoev7937M
TpV9Mc+pBw005WezDNDiwBOYTJqxJ3IqfRz2HwXSExKmOqNrL4hyDS31gFI3XC/2
cV2VCuMfoFhEN+G+MGx+41XxWjhHcxvLgvTssKYXOMKwQzZ1X6ih/BxzW4xU671k
ZKQzalztZw0xKZ2CeS7v5Oek7XIuLHinWp5+qeYbckCeKwyEXN5vOugjpGoxABEB
AAGJAbwEGAEKACYWIQR9SSAVx6VOM5hmhDBIsHc5SVgTjQUCXyUYfAIbDAUJA8Jn
AAAKCRBIsHc5SVgTjU6uC/460HpFTqhfZtrELq5347YCrcrBpN+cqwb0W3WauSiB
DiN3Mslei+aZrkIPRhr5PDCLdwC6heBBXeDkB+tbsqUovl4jxq0JhAocvVtEcwcN
YCi2u29EZcNVRXBJzxzztMEkq/vFCfxM74jX/856vmICpxZCxGhpZ/Fbth6L/yP9
OzVi1ntLj07Och4wvfcu7athfjU+U3VFjZvgz1l6vXX0QAR69oSsI+Zl0H6x/VzX
dl7Ps7StulhwBsq0dtvk47XF+aT2IaouZFtXrwNykOfKvqTt/ODl212aQj+AV15p
ECLJeG4OZwi3LahNF+TFc9kwCqrIeNAAgE3rkqhzwc/kbL3pcAqsdaHgJgs5t0MV
dTOOQYV8MAPKJdqry+61nSQBG3hLCMuymlJOcUN9aVNiacJYtT038t/6i9zcRloD
Ce9Xz0X72bMqvFCWs9vZePOkUlS1otw70LH4kIXoITAkhdE7qSkn0N9LXOLvRRv2
Lj14sW+fFJTpUGnfOPPmei4=
=NFNm
-----END PGP PUBLIC KEY BLOCK-----
```

After putting the PGP public key block in `Key:`,

click `Choose all` in the `May upload to:` row. This allows the user to upload to this autobuilder server; mini-buildd accepts only `changes` and `dsc` files signed with this PGP key.

And then click `Save`

Then select all the boxes, and click `Prepare`, then `Check`, then `Activate`


#### Configure the Chroots section

We can simply click `Default` in the `Dir chroots` row to create a `dir chroot`, or you could choose other chroot methods

and click `Dir chroots` for further configuration.

Select all the boxes, and click `Prepare`, then `Check`, then `Activate`

The `Prepare` step takes about 15 to 20 minutes.


#### Testing the mini-buildd service

Visit `http://<server>:8066/mini_buildd/`, click `Toolbox` and click `keyringpackages`

And click `Yes, run keyringpackages` to build the keyring packages

After the keyring packages are built, click `Toolbox` and click `testpackages` to build the test packages

You can see the build status at `http://<server>:8066/mini_buildd/` and the build logs in the `Events` tab

Some packages are marked `FAILED` while others are marked `INSTALLED`; check the details in the build log

### Using the mini-buildd service

We use dput to upload the `changes` file, the `dsc` file and the source tarball

```
apt install dput
```

Visit the mini-buildd homepage to get the dput configuration.

Visit `http://<server>:8066/mini_buildd/`, click `Toolbox` and click `getdputconf`

```
[mini-buildd-mini-buildd]
method = ftp
fqdn = mini-buildd:8067
login = anonymous
incoming = /incoming
```

and put this configuration into `/etc/dput.cf`. The upload goes over anonymous, unencrypted FTP; what mini-buildd trusts is not the transport but the signature on the `changes` and `dsc` files, checked against the uploader key configured above.

Download the source code from the repository
```
apt source htop
```
get the package directory name
```
PKG_NAME=$(find -type d -name "htop*" | head -n1 | awk -F / '{print $2}')
```

generate the `changes` file, change `Distribution` to `sid-test-unstable`, and make sure the changes file includes the original source with `-sa`

```
cd $PKG_NAME
dpkg-genchanges -S -sa -DDistribution=sid-test-unstable > ../"$PKG_NAME"_source.changes
```

Use `debsign` to sign the `changes` and `dsc` files
```
debsign -k 7D492015C7A54E339866843048B077394958138D --re-sign ../"$PKG_NAME"_source.changes
```
Use dput to upload the `changes` file, source and dsc file
```
dput mini-buildd-mini-buildd ../"$PKG_NAME"_source.changes
```

### Using the mini-buildd repository service

Visit `http://<server>:8066/mini_buildd/` and click `repositories`

you can find `test: sid buster (Overview)`

we can use `deb+src` to export the APT sources.list entries.

```
deb http://mini-buildd:8066/repositories/test/ sid-test-unstable main contrib non-free
deb http://mini-buildd:8066/repositories/test/ sid-test-testing main contrib non-free
deb http://mini-buildd:8066/repositories/test/ sid-test-stable main contrib non-free
```

please change `mini-buildd:8066` to `<server>:8066`
you can find the repository public key by visiting `http://<server>:8066/mini_buildd/`, clicking `Toolbox` and clicking `getkey`

you can save it to a file and use apt-key to trust this public key

```
apt-key add mini-buildd.gpg
```

`apt-key` is deprecated, and a key added this way vouches for every configured archive. On current Debian, drop the exported key into `/etc/apt/trusted.gpg.d/` instead, or better, keep it outside that directory and reference it with `[signed-by=/path/to/key]` in the `deb` lines above so that it can only vouch for this archive.

right now, you can update the apt cache

```
apt update
```
Check the htop package with apt search
```
apt search htop

aha/unstable 0.5-1+b1 amd64
  ANSI color to HTML converter

bashtop/unstable 0.9.25-1 all
  Resource monitor that shows usage and stats

htop/unstable 2.2.0-3 amd64
  interactive processes viewer

htop-dbgsym/sid-test-unstable 2.2.0-3 amd64
  debug symbols for htop

libauthen-oath-perl/stable,unstable 2.0.1-1 all
  Perl module for OATH One Time Passwords

pftools/stable,unstable 3+dfsg-3 amd64
  build and search protein and DNA generalized profiles
```

Install htop's packages from our mini-buildd repository

```
root@mini-buildd:~# apt install -t sid-test-unstable htop-dbgsym
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  geoip-database libbind9-161 libdns1104 libdns1110 libgeoip1 libicu63 libisc1100 libisc1105 libisccc161 libisccfg163 liblwres161 libmpdec2 libperl5.28 libpython3.7-minimal libpython3.7-stdlib libreadline7 python3-asn1crypto python3.7-minimal
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  htop
The following NEW packages will be installed:
  htop htop-dbgsym
0 upgraded, 2 newly installed, 0 to remove and 18 not upgraded.
Need to get 286 kB of archives.
After this operation, 462 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://mini-buildd:8066/repositories/test sid-test-unstable/main amd64 htop-dbgsym amd64 2.2.0-3 [193 kB]
Get:2 http://mirrors.163.com/debian sid/main amd64 htop amd64 2.2.0-3 [92.9 kB]
Fetched 286 kB in 0s (905 kB/s)
Selecting previously unselected package htop.
(Reading database ... 71198 files and directories currently installed.)
Preparing to unpack .../htop_2.2.0-3_amd64.deb ...
Unpacking htop (2.2.0-3) ...
Selecting previously unselected package htop-dbgsym.
Preparing to unpack .../htop-dbgsym_2.2.0-3_amd64.deb ...
Unpacking htop-dbgsym (2.2.0-3) ...
Setting up htop (2.2.0-3) ...
Setting up htop-dbgsym (2.2.0-3) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for mime-support (3.64) ...
```

Note the two `Get:` lines: `htop-dbgsym` comes from the mini-buildd repository, while `htop` itself, at the same version `2.2.0-3`, comes from the upstream mirror. Because the version regex was relaxed, the rebuilt packages carry exactly the upstream version; apt treats identical version strings from two archives as one version and fetches it from whichever source it lists first, so even `-t sid-test-unstable` did not make it take `htop` from mini-buildd, and the debug symbols installed here need not match the binary. Keep the default version regex, or pin the mini-buildd archive, if the rebuilt packages are the ones you want installed.


### Reference

https://salsa.debian.org/debian/mini-buildd/

--------------------------------------------------------------------------------
/build_your_own_debian_distro_iso.md:
--------------------------------------------------------------------------------

# What is Harbian?

The full name of Harbian is Hardened Debian GNU/Linux. We provide some extra [packages](https://github.com/harbian/harbian_packages) and [configurations](https://github.com/hardenedlinux/hardenedlinux_profiles) for hardening purposes in Harbian. The current version of Harbian only ships with [harbian-audit](https://github.com/hardenedlinux/harbian-audit) to comply with CIS/STIG.
4 | 5 | 6 | # Build your own Debian GNU/Linux Base Installation ISO 7 | 8 | Give a lady/gentleman an ISO, and you help her/him for a day. Teach a lady/gentleman to build their own distro, and you feed her/him for the whole maintainence life cycle. This is literally what we do on Harbian. To make a Custom Debian GNU/Linux Based Install ISO, you should build your own archive repositories 9 | 10 | DAK (Debian Archive Kit) is use to hosting the official Debian repositories 11 | 12 | The pros is this is the official solution, but the cons is lack of documentation. 13 | 14 | Inclusion of `.deb` need `.changes` file 15 | 16 | In our case, we using `reprepro` to host our own repositories. And to include a `.deb` file, we don't need a '.changes' file. 17 | 18 | For make a cd image, we using `simple-cdd`. This is a very simple tool that you can make a cd image with `debian-cd` package 19 | 20 | To using simple-cdd, our repositories must have following Components that reprepro can't provide. 21 | We have to manually install it. 22 | Under base directory in repositories 23 | 24 | ``` 25 | doc #doc directory 26 | README* #README files 27 | extrafiles #hash with signature for other file 28 | dists/buster/main/installer-amd64 #Installer for amd64 29 | ``` 30 | 31 | ## Configurate Reprepro 32 | 33 | Install Reprepro 34 | 35 | ``` 36 | apt install reprepro 37 | ``` 38 | 39 | Untill Apr 9 2020, we need about 130GB storage space for full mirror (only amd64 and source) 40 | If you include `i386` and more architectures you should prepare more disk space. 
41 | 42 | 43 | Making directories for repositories 44 | ``` 45 | mkdir /data/mirror/debian/conf -p 46 | ``` 47 | go to the base directory 48 | 49 | ``` 50 | cd /data/mirror/debian/ 51 | mkdir -p ./conf/filterlist/ 52 | touch ./conf/filterlist/debian-buster-src 53 | ``` 54 | 55 | edit `conf/distributions` 56 | 57 | ``` 58 | Origin: harbian 59 | Label: harbian Linux Server Main Repo 60 | Codename: buster 61 | Suite: stable 62 | Architectures: amd64 source 63 | Components: main 64 | UDebComponents: main 65 | Contents: udebs percomponent allcomponents 66 | Description: harbian Linux Server 67 | SignWith: CE7044058CA25835BA2E1ABFA7055AEC9ED4F04C 68 | Log: harbian.log 69 | Update: upstream-main 70 | 71 | Origin: harbian 72 | Label: harbian Linux Server Main Repo 73 | Codename: buster-updates 74 | Suite: stable 75 | Architectures: amd64 source 76 | Components: main 77 | UDebComponents: main 78 | Contents: udebs percomponent allcomponents 79 | Description: harbian Linux Server updates 80 | SignWith: CE7044058CA25835BA2E1ABFA7055AEC9ED4F04C 81 | Log: harbian.log 82 | Update: upstream-main-updates 83 | 84 | Origin: harbian 85 | Label: harbian Linux Server Main Repo 86 | Codename: buster/updates 87 | Suite: stable 88 | Architectures: amd64 source 89 | Components: main 90 | UDebComponents: main 91 | Contents: udebs percomponent allcomponents 92 | Description: harbian Linux Server updates 93 | SignWith: CE7044058CA25835BA2E1ABFA7055AEC9ED4F04C 94 | Log: harbian.log 95 | Update: security 96 | ``` 97 | 98 | ``` 99 | SignWith: 100 | ``` 101 | You can get it from `gpg -k`, if you don't have a key yet. you can use`gpg --gen-key` to get one 102 | 103 | In my case, I'm using a testing key id: CE7044058CA25835BA2E1ABFA7055AEC9ED4F04C 104 | 105 | And we need 3 `Codename` for our repositories work properly with `reprepro` 106 | ``` 107 | buster # main repository 108 | buster-updates # normal update 109 | buster/updates # security updates 110 | ``` 111 | So we have three part above. 
112 | 113 | 114 | edit `conf/updates` 115 | 116 | ``` 117 | Name: upstream-main 118 | Method: http://deb.debian.org/debian/ 119 | Suite: buster 120 | Components: main 121 | Architectures: amd64 source 122 | GetInRelease: no 123 | FilterSrcList: install filterlist/debian-buster-src 124 | VerifyRelease: blindtrust 125 | 126 | Name: upstream-main-updates 127 | Method: http://deb.debian.org/debian/ 128 | Suite: buster-updates 129 | Components: main 130 | Architectures: amd64 source 131 | GetInRelease: no 132 | FilterSrcList: install filterlist/debian-buster-src 133 | VerifyRelease: blindtrust 134 | 135 | Name: security 136 | Method: http://deb.debian.org/debian-security 137 | Suite: buster/updates 138 | Components: main 139 | UDebComponents: main 140 | VerifyRelease: blindtrust 141 | ``` 142 | We using `VerifyRelease: blindtrust` just for test, you should using public key for production. 143 | 144 | edit `conf/incoming` 145 | ``` 146 | Name: default 147 | IncomingDir: incoming/ 148 | TempDir: temp/ 149 | MorgueDir: morgue/ 150 | LogDir: incoming-logs/ 151 | Allow: buster buster>buster-updates 152 | Permit: unused_files older_version 153 | Cleanup: unused_files on_deny on_error 154 | ``` 155 | 156 | 157 | sync the repro 158 | ``` 159 | reprepro -V update 160 | ``` 161 | 162 | If you miss the time to enter the passphrase of the private key, the following error appears: 163 | ``` 164 | gpgme gave error Pinentry:62: Timeout 165 | ERROR: Could not finish exporting 'buster/updates'! 166 | This means that from outside your repository will still look like before (and 167 | should still work if this old state worked), but the changes intended with this 168 | call will not be visible until you call export directly (via reprepro export) 169 | Changes will also get visible when something else changes the same file and 170 | thus creates a new export of that file, but even changes to other parts of the 171 | same distribution will not! 172 | There have been errors! 
173 | ``` 174 | Use the following command to re-enter the passphrase of the private key and complete the update repro: 175 | ``` 176 | reprepro -V export 177 | ``` 178 | 179 | ## Manually install missing components 180 | 181 | ### Installer-amd64 182 | 183 | ``` 184 | cd /data/mirror/debian/dists/buster/main 185 | lftp -c mirror http://deb.debian.org/debian/dists/buster/main/installer-amd64 186 | ``` 187 | 188 | ### README* 189 | ``` 190 | cd /data/mirror/debian 191 | wget http://deb.debian.org/debian/README 192 | wget http://deb.debian.org/debian/README.CD-manufacture 193 | wget http://deb.debian.org/debian/README.html 194 | wget http://deb.debian.org/debian/README.mirrors.html 195 | wget http://deb.debian.org/debian/README.mirrors.txt 196 | ``` 197 | 198 | ### Doc 199 | 200 | ``` 201 | cd /data/mirror/debian 202 | lftp -c mirror http://deb.debian.org/debian/doc 203 | ``` 204 | 205 | you should verify the hash from the upstream repo 206 | 207 | 208 | ### Generate and sign hash 209 | 210 | for installer 211 | ``` 212 | cd /data/mirror/debian/dists/buster 213 | MD5=$(md5sum main/installer-amd64/current/images/SHA256SUMS | awk '{print $1}' ) 214 | SHA1=$(sha1sum main/installer-amd64/current/images/SHA256SUMS | awk '{print $1}' ) 215 | SHA256=$(sha256sum main/installer-amd64/current/images/SHA256SUMS | awk '{print $1}' ) 216 | SIZE=$(ls -al main/installer-amd64/current/images/SHA256SUMS | awk '{print $5}') 217 | sed -i "/MD5Sum:/a \ $MD5 $SIZE main/installer-amd64/current/images/SHA256SUMS" Release 218 | sed -i "/SHA1:/a \ $SHA1 $SIZE main/installer-amd64/current/images/SHA256SUMS" Release 219 | sed -i "/SHA256:/a \ $SHA256 $SIZE main/installer-amd64/current/images/SHA256SUMS" Release 220 | gpg -u harbian-repo-maintainer -bao Release.gpg Release 221 | ``` 222 | 223 | for `extrafiles`(other files) 224 | 225 | ``` 226 | cd /data/mirror/debian/ 227 | rm -f extrafiles 228 | sha256sum $(find * -type f | egrep -v 
'(pool|i18n|dep11|source)/|Contents-.*\.(gz|diff)|installer|binary-|(In)?Release(.gpg)?|\.changes' | sort | sed -e "/^conf/d" -e "/^db/d") > /tmp/extrafile
gpg --no-options --batch --no-tty --armour --personal-digest-preferences=SHA256 --default-key 9ED4F04C --clearsign --output extrafiles /tmp/extrafile
```

## Setting up the http access

Install apache2
```
apt install apache2
```

Edit `/etc/apache2/sites-available/000-default.conf`. The virtual host serves the mirror directory, and the per-directory blocks (following the Debian wiki repository-setup page listed in the references) deny access to reprepro's `db/`, `conf/` and `incoming/` directories, which hold the archive database, the signing configuration and unprocessed uploads:
```
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /data/mirror

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# /etc/apache2/conf.d/repos

# We want the user to be able to browse the directory manually
<Directory /data/mirror/>
	Options Indexes FollowSymLinks Multiviews
	Require all granted
</Directory>

# This syntax supports several repositories, e.g. one for Debian, one for Ubuntu.
# Replace * with debian, if you intend to support one distribution only.
<Directory "/data/mirror/*/db/">
	Require all denied
</Directory>

<Directory "/data/mirror/*/conf/">
	Require all denied
</Directory>

<Directory "/data/mirror/*/incoming/">
	Require all denied
</Directory>
```

Check the config file
```
/usr/sbin/apachectl configtest
```
Restart the apache2 service for the changes to take effect
```
systemctl restart apache2
```


## Using Simple-CDD to make a CD image

Install the simple-cdd package
```
apt install simple-cdd
```
Import your public key into apt's trusted keyring

```
gpg --armor --output cert.gpg --export harbian-repo-maintainer@hardenedlinux.org
sudo apt-key add cert.gpg
sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/harbian-archive.gpg
```
Note: make sure `trusted.gpg` contains only one key, the one for `harbian-repo-maintainer@hardenedlinux.org`, before moving it; that file is the keyring passed to `build-simple-cdd` with `--keyring` below.


Build the image

```
cd ~/
mkdir my-images
cd my-images
build-simple-cdd --profiles-udeb-dist buster --debian-mirror http://192.168.3.17/debian/ --dist buster --security-mirror http://192.168.3.17/debian --keyring /etc/apt/trusted.gpg.d/harbian-archive.gpg
```
It should output

```
/home/debian/my-images/images/debian-10-amd64-CD-1.iso
```

Custom Profiles

### Custom preseed with one shell command
Because every build with simple-cdd uses the `/usr/share/simple-cdd/profiles/default*` profile, edit `/usr/share/simple-cdd/profiles/default.preseed`

and add the following content at the end of the file
```
d-i preseed/late_command string \
in-target /bin/bash -c 'echo "harbian...." > /root/harbian'
```
so that `/bin/bash -c 'echo "harbian...." > /root/harbian'` is executed in the installed system at the end of the installation.

### Add a custom deb package

For example, using the harbianaudit package

```
cd ~/my-images
mkdir custompkg
mkdir profiles
touch profiles/harbian.packages
```
Add the package name to `profiles/harbian.packages`;
in my case:

```
harbianaudit
```
Copy the deb file to the local-packages directory

```
cp harbianaudit_0.4.1-1_all.deb ~/my-images/custompkg
```

Command example:
```
build-simple-cdd --local-packages /path/to/your/deb/files -p myprofile
```
In my case:
```
build-simple-cdd --profiles-udeb-dist buster --debian-mirror http://192.168.3.17/debian/ --dist buster --security-mirror http://192.168.3.17/debian --keyring /etc/apt/trusted.gpg.d/harbian-archive.gpg --local-packages custompkg/ -p harbian
```
`--local-packages custompkg` specifies that the local-packages directory is `custompkg`;
`-p harbian` selects the `harbian.*` profile files under the `profiles` directory of your working directory.
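As an added check for the "Setting up the http access" section above (this script is not part of the original document), run after `apachectl configtest` and the restart: it confirms over HTTP that `conf/`, `db/` and `incoming/` are refused while `dists/` and `pool/` stay readable. The default base URL is the mirror address used in this document's build commands; the `opener` argument exists so the logic can be exercised against a constructed fake server.

```python
import sys
import urllib.error
import urllib.request

# Paths relative to the repository root. conf/ holds the signing setup,
# db/ the reprepro database and incoming/ unprocessed uploads: none of them
# may be readable by clients. dists/ and pool/ are what apt needs.
PRIVATE_DIRS = ("conf/", "db/", "incoming/")
PUBLIC_DIRS = ("dists/", "pool/")


def http_status(url, opener=urllib.request.urlopen):
    """Return the HTTP status of a GET on url; 4xx/5xx are returned, not raised."""
    try:
        with opener(url) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_repo_acl(base_url, opener=urllib.request.urlopen):
    """Map each checked path to None (fine) or a short problem description.

    Private directories must answer 403 or 404; public ones must answer 200.
    """
    if not base_url.endswith("/"):
        base_url += "/"
    findings = {}
    for path in PRIVATE_DIRS:
        status = http_status(base_url + path, opener)
        findings[path] = None if status in (403, 404) else f"served with HTTP {status}"
    for path in PUBLIC_DIRS:
        status = http_status(base_url + path, opener)
        findings[path] = None if status == 200 else f"not readable (HTTP {status})"
    return findings


def acl_is_sound(findings):
    """True when every checked path behaves as required."""
    return all(problem is None for problem in findings.values())


if __name__ == "__main__":
    # Default is the mirror address used in this document's build commands.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.3.17/debian/"
    results = check_repo_acl(base)
    for path, problem in results.items():
        print(f"{path:<10} {'ok' if problem is None else problem}")
    sys.exit(0 if acl_is_sound(results) else 1)
```

A non-zero exit means at least one private directory is exposed or a public one is unreadable; the printed table names the path.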


### Custom harbian profile full-step

Make the necessary directories

```
mkdir ~/harbian/profiles -p
mkdir ~/harbian/custompkg
```

Copy the harbianaudit package to `custompkg`

```
wget https://raw.githubusercontent.com/harbian/harbian_packages/master/2020/harbianaudit_0.4.1-1_all.deb
cp harbianaudit_0.4.1-1_all.deb ~/harbian/custompkg
```

Configure `~/harbian/profiles/harbian.packages`
and add the necessary packages

```
less
net-tools
bc
openssh-server
pciutils
network-manager
man-db
harbianaudit
```

According to the [Debian installer internals](https://d-i.debian.org/doc/internals/) and the official Debian install image, the difference between the official install image and the image made with simple-cdd is simple-cdd's `default.preseed`. So in that preseed file we modify only the profile-related entries and leave everything else untouched.

So configure `/usr/share/simple-cdd/profiles/default.preseed`
and remove all of the default preseed configuration except `anna-install simple-cdd-profiles`

```
cp /usr/share/simple-cdd/profiles/default.preseed /usr/share/simple-cdd/profiles/default.preseed.bak

echo "d-i preseed/early_command string anna-install simple-cdd-profiles" > /usr/share/simple-cdd/profiles/default.preseed
```

In order to run the script at the end of the installation, go to `~/harbian/` and configure `profiles/harbian.preseed`

~/harbian/profiles/harbian.preseed

```
d-i preseed/late_command string \
in-target /bin/bash -c '/opt/harbianaudit/bin/harbianaudit.sh'
```

Make the custom image

```
cd ~/harbian
build-simple-cdd --profiles-udeb-dist buster --debian-mirror http://192.168.3.17/debian/ --dist buster --security-mirror http://192.168.3.17/debian --keyring /etc/apt/trusted.gpg.d/harbian-archive.gpg --local-packages custompkg/ -p harbian
```
`--local-packages custompkg` specifies that the local-packages directory is `custompkg`;
`-p harbian` selects the `harbian.*` profile files under the `profiles` directory of your working directory.


## Easy to build

We provide a [set of scripts](https://github.com/hardenedlinux/hardenedlinux_profiles/tree/master/harbian-build) that build the ISO automatically for those who have no interest in learning how to "fish".


## Reference

http://web.archive.org/web/20140218013924/http://anonscm.debian.org/gitweb/?p=mirrorer/reprepro.git;a=blob_plain;f=docs/short-howto;hb=HEAD
https://wiki.debian.org/DebianRepository/Setup?action=show&redirect=HowToSetupADebianRepository
https://computermouth.com/tutorials/custom-debian-distro-simple-cdd/
https://www.debian.org/releases/buster/amd64/apbs04.en.html
https://d-i.debian.org/doc/internals/ch02.html

--------------------------------------------------------------------------------
/how-to-build-stig4debian-package.md:
--------------------------------------------------------------------------------
# How to package the stig-4-debian project

## Install the required packages

```
~$ sudo apt-get install build-essential dh-make debhelper lintian git
```

## Configure the environment variables dh_make needs

```
$ cat >>~/.bashrc <
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.8
Homepage: https://github.com/hardenedlinux/STIG-4-Debian
Vcs-Git: https://github.com/hardenedlinux/STIG-4-Debian.git
Vcs-Browser: https://github.com/hardenedlinux/STIG-4-Debian.git

Package: stig4debian
Architecture: all
Depends: ${misc:Depends}
Description: DISA STIG for Debian 9 Porting from DISA RHEL 7 STIG V1 R1.
 DISA STIG(Security Technical Implementation Guides) for Debian 9 Porting from DISA RHEL 7 STIG V1 R1.
```

### rules

```
#!/usr/bin/make -f
# See debhelper(7) (uncomment to enable)
# output every command that modifies files on the build system.
export DH_VERBOSE = 1


# see FEATURE AREAS in dpkg-buildflags(1)
#export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# see ENVIRONMENT in dpkg-buildflags(1)
# package maintainers to append CFLAGS
#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
# package maintainers to append LDFLAGS
#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed


%:
	dh $@


# dh_make generated override targets
# This is example for Cmake (See https://bugs.debian.org/641051 )
#override_dh_auto_configure:
#	dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH)

override_dh_install:
	install -d debian/stig4debian/usr/bin/
	install -g root -o root -m 755 -p stig4debian debian/stig4debian/usr/bin/stig4debian
	install -d debian/stig4debian/usr/lib/stig4debian/scripts/
	install -g root -o root -m 644 -p scripts/* debian/stig4debian/usr/lib/stig4debian/scripts/
	install -d debian/stig4debian/usr/lib/stig4debian/html/
	install -g root -o root -m 644 -p html/* debian/stig4debian/usr/lib/stig4debian/html/
	install -g root -o root -m 644 -p stig-debian-9.txt debian/stig4debian/usr/lib/stig4debian/
	install -g root -o root -m 644 -p manual.txt debian/stig4debian/usr/lib/stig4debian/
	install -d debian/stig4debian/var/log/stig4debian/
	install -d debian/stig4debian/usr/share/man/man1/
	install -g root -o root -m 644 -p README.md debian/stig4debian/usr/share/man/man1/stig4debian.1
```

The override_dh_install target above means the default dh_install step is skipped and the actions defined under override_dh_install are run instead.


## copyright
```
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: stig4debian
Source: https://github.com/hardenedlinux/STIG-4-Debian

Files: *
Copyright: 2015-2017 Samson sccxboy@gmail.com
License: GPL-3.0+

Files: debian/*
Copyright: 2017 Samson W
License: GPL-3.0+

License: GPL-3.0+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <https://www.gnu.org/licenses/>.
 .
 On Debian systems, the complete text of the GNU General
 Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
```

## Building

### Building a signed package
```
stig4debian-0.1.0$ dpkg-buildpackage
```

### Building an unsigned package
```
stig4debian-0.1.0$ dpkg-buildpackage -us -uc
```

Building an unsigned package is mainly to make installation easier for users who do not have the signing key, but you must then compute a sha512sum and provide users with a file containing that value so they can verify that the package has not been tampered with.

### Generating the sha512sum file
```
$ sha512sum stig4debian_0.1.0-1_all.deb > stig4debian_0.1.0-1_all.deb.sha512sum
```

Check the built deb package:

```
stig4debian-0.1.0$ ls ../*.deb
../stig4debian_0.1.0-1_all.deb
```

## Cleaning the build environment
```
stig4debian-0.1.0$ dh_clean
```


## Static analysis of the generated deb package

```
stig4debian-0.1.0$ lintian ../stig4debian_0.1.0-1_all.deb
W: stig4debian: new-package-should-close-itp-bug
E: stig4debian: copyright-contains-dh_make-todo-boilerplate
W: stig4debian: extended-description-line-too-long
W: stig4debian: script-with-language-extension usr/bin/stig4debian
W: stig4debian: manpage-has-bad-whatis-entry usr/share/man/man1/stig4debian.1.gz
W: stig4debian: binary-without-manpage usr/bin/stig4debian
```

## Installing the package locally

When a user without the signing key installs the unsigned package, they must first check the sha512sum value to make sure the package is intact;

### Checking the sha512sum value
```
sha512sum -c stig4debian_0.1.0-1_all.deb.sha512sum
stig4debian_0.1.0-1_all.deb: OK
```

### Installing
```
stig4debian-0.1.0# dpkg -i ../stig4debian_0.1.0-1_all.deb
Selecting previously unselected package stig4debian.
(Reading database ... 41091 files and directories currently installed.)
Preparing to unpack ../stig4debian_0.1.0-1_all.deb ...
Unpacking stig4debian (0.1.0-1) ...
Setting up stig4debian (0.1.0-1) ...
Processing triggers for man-db (2.7.6.1-2) ...
```

## Removing the package locally

```
stig4debian-0.1.0# dpkg -r stig4debian
(Reading database ... 41096 files and directories currently installed.)
Removing stig4debian (0.1.0-1) ...
Processing triggers for man-db (2.7.6.1-2) ...
```

## References

(1) https://www.debian.org/doc/packaging-manuals/fhs/fhs-2.3.html
(2) https://www.debian.org/doc/manuals/maint-guide/index.en.html
(3) https://debian-handbook.info/download/stable/debian-handbook.pdf



--------------------------------------------------------------------------------
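For the sha512sum check in the local-install section of the stig4debian document above, this added Python re-implementation of `sha512sum -c` (not part of the original document) parses the digest file, streams the `.deb` through SHA-512 and reports match, mismatch or missing file per entry. It assumes the digest file reached the user over a channel they trust; a digest fetched from the same place as the package only shows the download was not corrupted in transit.

```python
import hashlib
import hmac
import os

HEX_DIGITS = frozenset("0123456789abcdef")


def parse_sha512sum_file(text):
    """Parse sha512sum output lines into {file name: lowercase hex digest}.

    GNU sha512sum writes "<digest>  <name>" (two spaces) or "<digest> *<name>"
    in binary mode; both are accepted. A malformed digest raises ValueError.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 128 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"malformed sha512sum line: {raw!r}")
        expected[name] = digest
    return expected


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large .deb needs little memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha512sums(sums_path):
    """Return {name: True | False | None} for match, mismatch or missing file.

    Names resolve relative to the digest file's directory, like sha512sum -c."""
    base_dir = os.path.dirname(os.path.abspath(sums_path))
    with open(sums_path, encoding="utf-8") as fh:
        expected = parse_sha512sum_file(fh.read())
    results = {}
    for name, digest in expected.items():
        target = os.path.join(base_dir, name)
        if not os.path.isfile(target):
            results[name] = None  # listed in the digest file but not present
        else:
            # constant-time comparison of the two hex strings
            results[name] = hmac.compare_digest(sha512_of_file(target), digest)
    return results
```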