Re: Seeking assistance/tips on building Debian!
On Mon, Mar 01, 1999 at 01:10:34PM -0500, Phillip R. Jaenke (prj@nls.net) wrote
> In two weeks from today, I start my new job. First task is to build remote
> monitoring servers and design workstations. I've already decided I'm going
> to do this with Debian Linux. Unsurprisingly, my new employer already
> supports unix in general, and Linux like you wouldn't believe.
> Unfortunately, they're currently using RedHat.
>
> This is a secure environment. Can't have RedHat. Matter of personal
> preference. ;) Anyways, I *have* to do a trusted build of Debian.
>
> For those of you not familiar with the term, a trusted build is an
> in-house build done by one person who is extremely familiar with the
> product being compiled, on a single machine, using a single set of sources
> that are carefully checked for possible security holes. It's a very long,
> tedious, and painful process. But necessary for security reasons.
>
> Personally, it's not that I don't trust people. It's just policy. ;P Plus,
> I have to do some serious modifications in boot and install stuff to
> automate the process as much as possible. (I expect to be adding
> workstations at the rate of >10/week, Linux servers at the rate of
> 2/week.)
>
> Anyways, has anyone done something like this? If so, what's the best way
> to build Debian? So far, I'm guessing it's best to do it on some flavor of
> Linux (I'm planning on Slackware. Easy source directory.;). Is there any
> specific order I have to build everything in? About how long would it
> likely take to build using multi-threaded GCC on a dual pII-400 w/128M?
Sounds like you have a couple of requirements:
1 - you look over the code yourself (good luck -- so, do you have to
check over the gcc code you'll be compiling everything with? How
about the kernel code? Are you using X? There's another 10
million lines of code...).
2 - You'll be installing on lots of servers and workstations
3 - eventually, you'll probably want to upgrade, fix known bugs, etc
on all of the machines under your control.
Here are my recommendations. This may be a bit more start-up work, but
it will make later maintenance of the whole project _much_ easier.
1 - Make a standard out-of-the-net debian machine using the regular
binaries on which to build your secure packages.
2 - Get the source code for all the packages you want, and the debian
diff file. Uncompress the code, patch it, check it over, and
re-build a new debian package. For original package xxx, I'd call
the new one xxx-secure. Don't forget to update and fix all the
dependency information to point to yyy-secure instead of yyy. If
you want to modify the boot stuff, you can change the default boot
scripts in sysvinit when you repackage that.
3 - You'll now have secure binary packages you can distribute to all
of the machines you want to create. You can even create a package
file for them if you want, and update all the machines over the
net -- or a simpler method where you put all the new/updated
packages into a "new" directory, and all of the machines just grab
everything from that directory every night/hour/whatever. Using
apt-get et cetera you can even set up a cron job which will
auto-magically update your machines to new packages from a
central server (assuming this server is secure, and the link
between machines is secure. I'd use ssh with some good
authentication...).
John
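
The dependency-renaming part of step 2 in the reply above, as an added example that is not part of the original message: a Python script that rewrites a `debian/control` stanza so the package and its dependencies point at the `-secure` names. The function names, the sample stanza and its package names are constructed for illustration, and leaving Build-Depends untouched is an assumption.

```python
import re

# Constructed sample: one binary-package stanza from a debian/control file.
SAMPLE_CONTROL = """\
Package: foo
Architecture: any
Depends: libbar (>= 1.2), baz | qux,
 libc6
Recommends: baz-doc
Description: constructed example package
 Mentions baz: description text must stay untouched.
"""

# Relationship fields to rewrite; Build-Depends is left alone (assumption).
REL_FIELDS = {"depends", "pre-depends", "recommends", "suggests"}

def rename_relation(value, rebuilt, suffix="-secure"):
    """Rename rebuilt packages, keeping version constraints and '|' alternatives."""
    def fix_one(term):
        m = re.match(r"\s*([a-z0-9][a-z0-9+.-]*)(.*)", term, re.S)
        if not m or m.group(1) not in rebuilt:
            return term.strip()          # not rebuilt in-house: keep the name
        return m.group(1) + suffix + m.group(2).rstrip()
    groups = [g for g in value.split(",") if g.strip()]
    return ", ".join(" | ".join(fix_one(t) for t in g.split("|")) for g in groups)

def rewrite_control(text, rebuilt, suffix="-secure"):
    """Return control text with Package and relationship fields renamed."""
    fields = []                          # [key, value, original field name]
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        folded = line[:1].isspace()
        if folded and fields and fields[-1][0] in REL_FIELDS:
            fields[-1][1] += " " + line.strip()   # join folded dependency line
        elif sep and not folded:
            fields.append([name.lower(), value.strip(), name])
        else:
            fields.append([None, line, None])     # blank line or description body
    out = []
    for key, value, name in fields:
        if key == "package" and value in rebuilt:
            value += suffix
        elif key in REL_FIELDS:
            value = rename_relation(value, rebuilt, suffix)
        out.append(value if key is None else f"{name}: {value}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(rewrite_control(SAMPLE_CONTROL, {"foo", "libbar", "baz"}), end="")
```

Only names in the rebuilt set are renamed, so `baz-doc` and `libc6` keep pointing at the stock packages, which a plain text substitution on `baz` would get wrong.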