
Re: Seeking assistance/tips on building Debian!



On Mon, Mar 01, 1999 at 01:10:34PM -0500, Phillip R. Jaenke (prj@nls.net) wrote
> In two weeks from today, I start my new job. First task is to build remote
> monitoring servers and design workstations. I've already decided I'm going
> to do this with Debian Linux. Unsurprisingly, my new employer already
> supports unix in general, and Linux like you wouldn't believe.
> Unfortunately, they're currently using RedHat. 
> 
> This is a secure environment. Can't have RedHat. Matter of personal
> preference. ;)  Anyways, I *have* to do a trusted build of Debian. 
> 
> For those of you not familiar with the term, a trusted build is an
> in-house build done by one person who is extremely familiar with the
> product being compiled, on a single machine, using a single set of sources
> that are carefully checked for possible security holes. It's a very long,
> tedious, and painful process. But necessary for security reasons. 
> 
> Personally, it's not that I don't trust people. It's just policy. ;P Plus,
> I have to do some serious modifications in boot and install stuff to
> automate the process as much as possible. (I expect to be adding
> workstations at the rate of >10/week, Linux servers at the rate of
> 2/week.) 
> 
> Anyways, has anyone done something like this? If so, what's the best way
> to build Debian? So far, I'm guessing it's best to do it on some flavor of
> Linux (I'm planning on Slackware. Easy source directory.;). Is there any
> specific order I have to build everything in? About how long would it
> likely take to build using multi-threaded GCC on a dual pII-400 w/128M? 

Sounds like you have a couple of requirements:

1 - you look over the code yourself (good luck -- so, do you have to
    check over the gcc code you'll be compiling everything with?  How
    about the kernel code?  Are you using X?  There's another 10
    million lines of code...).

2 - You'll be installing on lots of servers and workstations

3 - eventually, you'll probably want to upgrade, fix known bugs, etc
    on all of the machines under your control.


Here are my recommendations.  This may be a bit more start-up work, but
it will make later maintenance of the whole project _much_ easier.

1 - Make a standard out-of-the-net debian machine using the regular
    binaries on which to build your secure packages.

2 - Get the source code for all the packages you want, and the debian
    diff file.  Uncompress the code, patch it, check it over, and
    re-build a new debian package.  For original package xxx, I'd call
    the new one xxx-secure.  Don't forget to update and fix all the
    dependency information to point to yyy-secure instead of yyy.  If
    you want to modify the boot stuff, you can change the default boot
    scripts in sysvinit when you repackage that.

3 - You'll now have secure binary packages you can distribute to all
    of the machines you want to create.  You can even create a package
    file for them if you want, and update all the machines over the
    net -- or a simpler method where you put all the new/updated
    packages into a "new" directory, and all of the machines just grab
    everything from that directory every night/hour/whatever.  Using
    aptget et cetera you can even set up a cron job which will
    auto-magically update your machines to new packages from a
    centeral server (assuming this server is secure, and the link
    between machines is secure.  I'd use ssh with some good
    authentication...).



John
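Step 2 above (rename the rebuilt package xxx to xxx-secure and point its dependency fields at yyy-secure) is the part most easily got wrong by hand, so here is an added example of doing it mechanically. This is not code from the original mail or from Debian; it assumes the classic one-field-per-line debian/control layout, a hypothetical package "foo", and the dpkg-source / dpkg-buildpackage commands of the day for the unpack and rebuild around it.

```shell
#!/bin/sh
# Added example, not from the original mail: rewrite debian/control so the
# rebuilt package and every audited dependency carry the "-secure" suffix.
# Assumed surrounding workflow (hypothetical package "foo"):
#   dpkg-source -x foo_1.0-1.dsc      # unpack upstream source + debian diff
#   (audit the unpacked tree by hand)
#   rewrite_control < foo-1.0/debian/control > control.new \
#       && mv control.new foo-1.0/debian/control
#   dpkg-buildpackage -rfakeroot      # rebuild; produces foo-secure_*.deb

# Names of the packages you have audited and repackaged yourself.  Only
# these are renamed inside dependency fields; anything else keeps pointing
# at the stock Debian package.
SECURE_PKGS="libc6 bash sysvinit"

# rewrite_control: stdin = original debian/control, stdout = -secure version.
rewrite_control() {
    awk -v pkgs="$SECURE_PKGS" '
    BEGIN {
        n = split(pkgs, list, " ")
        for (i = 1; i <= n; i++) secure[list[i]] = 1
    }
    # Rename every binary package and the source package itself.
    /^(Package|Source):/ {
        sub(/[ \t]+$/, "")
        print $0 "-secure"
        next
    }
    # Dependency fields look like "name (version), alt1 | alt2, ...".
    # Rename only the names listed in SECURE_PKGS; keep version constraints
    # and alternatives exactly as they were.
    /^(Depends|Pre-Depends|Recommends|Suggests):/ {
        fld = $0; sub(/:.*/, "", fld)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        n = split(val, deps, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            m = split(deps[i], alts, "|")
            for (j = 1; j <= m; j++) {
                s = alts[j]
                gsub(/^[ \t]+|[ \t]+$/, "", s)
                name = s; sub(/[ \t(].*/, "", name)
                rest = substr(s, length(name) + 1)
                if (name in secure) name = name "-secure"
                alts[j] = name rest
            }
            d = alts[1]
            for (j = 2; j <= m; j++) d = d " | " alts[j]
            out = (i == 1) ? d : (out ", " d)
        }
        print fld ": " out
        next
    }
    { print }
    '
}

# Constructed sample control file (not a real Debian package), used as input.
SAMPLE_CONTROL='Source: foo
Section: utils
Priority: optional
Maintainer: Example Admin <admin@example.invalid>

Package: foo
Architecture: any
Depends: libc6 (>= 2.0.7u-7), bash | ash, ncurses3.4
Suggests: foo-doc
Description: constructed example package'

printf '%s\n' "$SAMPLE_CONTROL" | rewrite_control
```

On the sample input this turns "Depends: libc6 (>= 2.0.7u-7), bash | ash, ncurses3.4" into "Depends: libc6-secure (>= 2.0.7u-7), bash-secure | ash, ncurses3.4" and leaves "Suggests: foo-doc" alone, since foo-doc is not in the audited list. Two things the script deliberately does not do and you should check by hand: dpkg-source insists that the source name in debian/changelog match the Source: field, so add a changelog entry for foo-secure before building; and Conflicts:/Provides:/Replaces: lines need a decision per package (xxx-secure usually has to conflict with and replace xxx so the stock binary cannot sit beside it).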

