RFS: fsprotect (try #3)

To: debian-mentors@lists.debian.org
Subject: RFS: fsprotect (try #3)
From: Stefanos Harhalakis <v13@v13.gr>
Date: Mon, 27 Apr 2009 22:34:07 +0300
Message-id: <200904272234.07736.v13@v13.gr>
Mail-followup-to: v13@v13.gr

Dear mentors,

I am looking for a sponsor for my package "fsprotect". In this message there 
is also a summary of everything that was discussed in this list.

* Package name    : fsprotect
  Version         : 1.0.2
  Upstream Author : Stefanos Harhalakis <v13@v13.gr> (me)
* URL             : http://www.v13.gr/proj/fsprotect/
* License         : GPL
  Section         : admin

It builds these binary packages:
fsprotect  - Helper scripts to make filesystems immutable

The package appears to be lintian clean (with an override, but see bellow).

Description:
------------
fsprotect is a set of scripts that make immutable the root and other 
filesystems. Using aufs they pack a tmpfs filesystem and the filesystem 
forcing changes to be written to the tmpfs.

The root filesystem is protected by an initramfs script. Other filesystems
are protected by an init script. All protected filesystems become read-only
ensuring their immutability even on power-offs.

This can be used for public computers to prevent damage or changes.

It is ideal for:
* Public computers. It keeps all files intact, no matter what the user does.
* Testing. i.e. KDE3 -> KDE4 or etch -> lenny upgrades
* Security (also requires adequate paranoia)

Fsprotect can be seen as an opensource alternative to deepfreeze for linux.

Example usage:
--------------
* apt-get install aufs-modules-2.6-amd64 fsprotect
* read /usr/share/doc/fsprotect/README.Debian	and/or 
/usr/share/doc/fsprotect/fsprotect.pdf.gz
* add line "fsprotect=1000M" to /boot/grub/menu.lst as a kernel parameter
* run "update-grub"
* possible modify /etc/default/fsprotect to include a line like: 
PROTECT="/var=1000M /home=2000M"
* reboot

At this point you can do rm -rf /bin/* -or- upgrade to KDE4 -or- do 
"apt-get dist-upgrade -t unstable" -or- perform whatever destructive action 
you never dared to (except messing with the partitions and doing raw writes on 
block devices). To check that the filesystems are actually protected, just run 
'is_aufs / && echo "OK"'

After rebooting, the system will be in the same condition as when it was 
before the fsprotect installation.

Debian native:
--------------
fsprotect is 100% tied to a distribution. It cannot be an independent program 
that is packaged for debian or other distributions. The core functionality is 
provided by one init script and one initramfs script/hook and those are 
depending very much to the distribution. I.e the init script must run 
immediately after the filesystems are mounted and before anything else is 
ran.

fsprotect cannot be practically spliced to .orig and .diff. There is no clear 
distinction between what will go in debian/ and what will be left out. 
Attempting to make it a non-native package will result in a package that does 
one or more of the following: 

a) includes debian specific scripts outside of debian/
b) contains debian specific scripts in .orig.tar.gz
c) uploads a new .orig.tar.gz when other debian packages change

 The source code is small and the most part of it is inside debian/. 
The output of the du is:

$ du -sk fsprotect/*
264     fsprotect/debian
156     fsprotect/doc
56      fsprotect/initramfs-tools
20      fsprotect/lib
20      fsprotect/sbin

while doc/ contains debian-specific documentation in pdf form.

NMUs may use versions like "1.0.2+nmu1"

Lintian overrides:
------------------
fsprotect overrides the "virtual-package-depends-without-real-package-depends" 
lintian warning. This is done because it depends on aufs modules which are 
provided as debian packages and it isn't a good idea (or even possible) to 
depend on packages like this one: aufs-modules-2.6.29-v2-v (which for example, 
is the module compiled for the custom kernel of my system). I've made 
fsprotect depend on aufs-modules which is provided my aufs-modules-* packages. 

In general, it isn't possible to depend on a specific modules version.

Changes:
--------
fsprotect used to create the directory /fsprotect upon installation. This is 
no longer happening. The directory is created in the volatile space whenever 
fsprotect is active. This means that such a directory will never be written in 
the disk and will never be visible when fsprotect isn't active.


The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/f/fsprotect
- Source repository: deb-src http://mentors.debian.net/debian unstable main 
contrib non-free
- dget 
http://mentors.debian.net/debian/pool/main/f/fsprotect/fsprotect_1.0.2.dsc


I would be glad if someone uploaded this package for me.

Kind regards
Stefanos Harhalakis

Reply to:

Follow-Ups:
- Re: RFS: fsprotect (try #3)
  - From: LI Daobing <lidaobing@debian.org>

Prev by Date: Re: Question about README.source
Next by Date: Re: Bug#523338: ITP: radare -- Free advanced command line hexadecimal editor
Previous by thread: Re: Writing debian/watch for project located at ohloh
Next by thread: Re: RFS: fsprotect (try #3)
Index(es):
- Date
- Thread