RFS: fsprotect (try #3)
Dear mentors,
I am looking for a sponsor for my package "fsprotect". In this message there
is also a summary of everything that was discussed in this list.
* Package name    : fsprotect
  Version         : 1.0.2
  Upstream Author : Stefanos Harhalakis <v13@v13.gr> (me)
* URL             : http://www.v13.gr/proj/fsprotect/
* License         : GPL
  Section         : admin
It builds these binary packages:
fsprotect - Helper scripts to make filesystems immutable
The package appears to be lintian clean (with an override, but see below).
Description:
------------
fsprotect is a set of scripts that make immutable the root and other
filesystems. Using aufs they pack a tmpfs filesystem and the filesystem
forcing changes to be written to the tmpfs.
The root filesystem is protected by an initramfs script. Other filesystems
are protected by an init script. All protected filesystems become read-only
ensuring their immutability even on power-offs.
This can be used for public computers to prevent damage or changes.
It is ideal for:
* Public computers. It keeps all files intact, no matter what the user does.
* Testing. i.e. KDE3 -> KDE4 or etch -> lenny upgrades
* Security (also requires adequate paranoia)
Fsprotect can be seen as an open source alternative to Deep Freeze for Linux.
Example usage:
--------------
* apt-get install aufs-modules-2.6-amd64 fsprotect
* read /usr/share/doc/fsprotect/README.Debian and/or
  /usr/share/doc/fsprotect/fsprotect.pdf.gz
* add line "fsprotect=1000M" to /boot/grub/menu.lst as a kernel parameter
* run "update-grub"
* possibly modify /etc/default/fsprotect to include a line like:
  PROTECT="/var=1000M /home=2000M"
* reboot
At this point you can do rm -rf /bin/* -or- upgrade to KDE4 -or- do
"apt-get dist-upgrade -t unstable" -or- perform whatever destructive action
you never dared to (except messing with the partitions and doing raw writes on
block devices). To check that the filesystems are actually protected, just run
'is_aufs / && echo "OK"'
After rebooting, the system will be in the same condition as when it was
before the fsprotect installation.
Debian native:
--------------
fsprotect is 100% tied to a distribution. It cannot be an independent program
that is packaged for debian or other distributions. The core functionality is
provided by one init script and one initramfs script/hook and those
depend very much on the distribution. I.e. the init script must run
immediately after the filesystems are mounted and before anything else is
run.
fsprotect cannot be practically spliced to .orig and .diff. There is no clear
distinction between what will go in debian/ and what will be left out.
Attempting to make it a non-native package will result in a package that does
one or more of the following:
a) includes debian specific scripts outside of debian/
b) contains debian specific scripts in .orig.tar.gz
c) uploads a new .orig.tar.gz when other debian packages change
The source code is small and most of it is inside debian/.
The output of du is:

  $ du -sk fsprotect/*
  264 fsprotect/debian
  156 fsprotect/doc
  56 fsprotect/initramfs-tools
  20 fsprotect/lib
  20 fsprotect/sbin

while doc/ contains debian-specific documentation in pdf form.
NMUs may use versions like "1.0.2+nmu1"
Lintian overrides:
------------------
fsprotect overrides the "virtual-package-depends-without-real-package-depends"
lintian warning. This is done because it depends on aufs modules which are
provided as debian packages and it isn't a good idea (or even possible) to
depend on packages like this one: aufs-modules-2.6.29-v2-v (which for example,
is the module compiled for the custom kernel of my system). I've made
fsprotect depend on aufs-modules which is provided by aufs-modules-* packages.
In general, it isn't possible to depend on a specific modules version.
Changes:
--------
fsprotect used to create the directory /fsprotect upon installation. This is
no longer happening. The directory is created in the volatile space whenever
fsprotect is active. This means that such a directory will never be written in
the disk and will never be visible when fsprotect isn't active.
The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/f/fsprotect
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/f/fsprotect/fsprotect_1.0.2.dsc
I would be glad if someone uploaded this package for me.
Kind regards
Stefanos Harhalakis
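
The following is an added example, not part of the original message and not fsprotect's own code: a monitoring check that confirms the overlay is in effect on "/" and on every mount point named in a PROTECT value of the form shown above. It assumes aufs mounts are reported with filesystem type "aufs" in /proc/mounts; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the fsprotect package): report mount points that
# should be protected but are not currently backed by aufs.

# fstype_of MOUNTS_FILE MOUNTPOINT
# Prints the filesystem type of the topmost mount at MOUNTPOINT.
# Mounts can be stacked, so the last matching line is the one in effect.
fstype_of() {
    awk -v mp="$2" '$2 == mp { t = $3 } END { if (t != "") print t }' "$1"
}

# unprotected_mounts MOUNTS_FILE PROTECT_VALUE
# PROTECT_VALUE uses the "/var=1000M /home=2000M" form from
# /etc/default/fsprotect. "/" is always checked as well.
# Prints one unprotected mount point per line; returns 1 if any were found.
unprotected_mounts() {
    mounts_file=$1
    rc=0
    for entry in /=root $2; do          # "/=root" is a dummy entry for "/"
        mp=${entry%%=*}                 # strip the "=SIZE" suffix
        if [ "$(fstype_of "$mounts_file" "$mp")" != "aufs" ]; then
            echo "$mp"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format: "/" and "/var" are overlaid,
# "/home" was listed in PROTECT but is still a plain read-write ext3 mount.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 / ext3 ro,relatime 0 0
none / aufs rw,relatime 0 0
/dev/sda2 /var ext3 ro,relatime 0 0
none /var aufs rw,relatime 0 0
/dev/sda3 /home ext3 rw,relatime 0 0
EOF
}
```

On a running system, source /etc/default/fsprotect and call `unprotected_mounts /proc/mounts "$PROTECT"`; any output means that mount point is writable to disk.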