|devrandom 684f6c9427 Use lxcbr0 as bridge||pirms 7 gadiem|
|bin||pirms 7 gadiem|
|doc||pirms 9 gadiem|
|etc||pirms 7 gadiem|
|libexec||pirms 7 gadiem|
|share||pirms 8 gadiem|
|target-bin||pirms 7 gadiem|
|.gitignore||pirms 9 gadiem|
|README.md||pirms 7 gadiem|
Read about the project goals at the “project home page”:https://gitian.org/ .
This package can do a deterministic build of a package inside a VM.
This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.
sudo apt-get install apt-cacher-ng python-vm-builder ruby
If you want to use kvm:
sudo apt-get install qemu-kvm
or alternatively, lxc (no need for hardware support):
sudo apt-get install debootstrap lxc
Create the base VM for use in further builds (requires sudo, please review the script):
bin/make-base-vm bin/make-base-vm --arch i386
or for lxc:
bin/make-base-vm --lxc bin/make-base-vm --lxc --arch i386
Copy any additional build inputs into a directory named inputs.
Then execute the build using a YAML description file (can be run as non-root):
export USE_LXC=1 # LXC only bin/gbuild <package>.yml
or if you need to specify a commit for one of the git remotes:
bin/gbuild --commit <dir>=<hash> <package>.yml
The resulting report will appear in result/<package>-res.yml
To sign the result, perform:
bin/gsign --signer <signer> --release <release-name> <package>.yml
Where is your signing PGP key ID and is the name for the current release. This will put the result and signature in the sigs//. The sigs/ directory can be managed through git to coordinate multiple signers.
After you’ve merged everybody’s signatures, verify them:
bin/gverify --release <release-name> <package>.yml
start-target 32 lucid-i386or
start-target 64 lucid-amd64
on-target -u root
lxc-start, which may require root. If you are in the admin group, you can add the following sudoers line to prevent asking for the password every time:
%admin ALL=NOPASSWD: /usr/bin/lxc-start
Recent distributions allow lxc-start to be run by non-priviledged users, so you might be able to rip-out the
sudo calls in
If you have a runaway
lxc-start command, just use
kill -9 on it.
The machine configuration requires access to lxcbr0 and assumes that the host address is 10.0.3.1 . If lxc does not configure lxcbr0 on boot, you can do so manually:
sudo brctl addbr lxcbr0 sudo ifconfig lxcbr0 10.0.3.1/24 up
Not very extensive, currently.
python -m unittest discover test