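#!/bin/sh
# Before running, rename to build-7.5.sh
#
# Prepares a git-buildpackage tree for a Heimdal 7.5.0 backport to Debian
# stretch: imports the stretch source package, merges the upstream 7.5.0
# tarball, borrows packaging files from the sid source package, and records
# four local patches as quilt patches under debian/patches.
#
# Tools invoked: wget, gbp, apt-get, git, dch, patch, dpkg-source.
#
# The script is written for POSIX sh (the shebang is /bin/sh), so the helper
# below is declared as `name() { ... }` rather than with the `function`
# keyword, which shells such as dash reject.

# -e: stop at the first failing command; -u: treat an unset variable as an error.
set -eu

DIRNAME=build-heimdal-7.5
rm -rf -- "$DIRNAME"
mkdir -- "$DIRNAME"
cd -- "$DIRNAME"

# Download the Debian package source for stretch
# NOTE(review): these three files are fetched over plain HTTP and this script
# never checks the .dsc signature or the checksums the .dsc lists. Consider
# running dscverify (devscripts, with the Debian keyring installed) on the
# .dsc before importing it.
wget http://http.debian.net/debian/pool/main/h/heimdal/heimdal_7.1.0+dfsg-13+deb9u2.dsc
wget http://http.debian.net/debian/pool/main/h/heimdal/heimdal_7.1.0+dfsg.orig.tar.gz
wget http://http.debian.net/debian/pool/main/h/heimdal/heimdal_7.1.0+dfsg-13+deb9u2.debian.tar.xz

# Import the just-downloaded source
gbp import-dsc heimdal_7.1.0+dfsg-13+deb9u2.dsc

# Download the Debian package source for sid
mkdir debian-sid-source
cd debian-sid-source
apt-get source --download-only heimdal
gbp import-dsc *.dsc

# Change back to the top-level directory and download the upstream source.
# NOTE(review): the release tarball is used as downloaded; no checksum or
# signature is compared before it is merged. Record a known-good SHA-256 for
# this tarball and check it here.
cd ..
wget https://github.com/heimdal/heimdal/releases/download/heimdal-7.5.0/heimdal-7.5.0.tar.gz

# Change the name of the upstream source so that it will be found when building
mv heimdal-7.5.0.tar.gz heimdal_7.5.0+dfsg.orig.tar.gz

# Merge the latest source you just downloaded with the Debian source package:
cd heimdal
git checkout upstream
gbp import-orig ../heimdal_7.5.0+dfsg.orig.tar.gz -u7.5.0
git checkout master

# Remove some of the patch files that are already merged with the upstream source
rm debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch
rm debian/patches/CVE-2017-17439-KDC-remote-DoS.patch
rm debian/patches/CVE-2017-6594
rm debian/patches/check_iprop_races
rm debian/patches/0018-Add-back-in-base64_encode-and-base64_decode.patch

# Copy some Debian package build files from the sid version including patch files
# that have not yet been merged with the upstream source or else are Debian-specific.
/bin/cp ../debian-sid-source/heimdal/debian/patches/canonical_host debian/patches/canonical_host
/bin/cp ../debian-sid-source/heimdal/debian/patches/0016-Add-back-in-base64_encode-and-base64_decode.patch debian/patches/
/bin/cp ../debian-sid-source/heimdal/debian/patches/series debian/patches/series
/bin/cp ../debian-sid-source/heimdal/debian/libhdb9-heimdal.symbols debian/libhdb9-heimdal.symbols

# Do a commit
git add .
git commit -m "updated patch files from 7.5.0 Debian package source"

# Change the version number in the change log file:
dch --force-distribution -v 7.5.0+dfsg-13.1~sbp90+1 -D stable-kdc -b 'Backport to stretch.'

#######################################
# Apply one patch to the working tree and record it as a Debian quilt patch.
# Globals:   patch_file_path, patch_name, patch_description (written; POSIX sh
#            has no `local`, so these stay global as in the original)
# Arguments: $1 - path to the patch file
#            $2 - name to record the patch under in debian/patches
#            $3 - description used in the git commit message
# Outputs:   progress line on stdout, plus whatever the tools print
# Returns:   under `set -e` the script exits if any step fails
#######################################
merge_patch() {
  patch_file_path=$1
  patch_name=$2
  patch_description=$3

  printf '%s\n' "merging patch '${patch_name}'"

  # --fuzz=0: refuse to apply a hunk whose context does not match exactly.
  patch -p1 --fuzz=0 < "$patch_file_path"
  dpkg-source --commit . "$patch_name"

  # Only the packaging directory is committed; the edits `patch` made to the
  # source files themselves are thrown away by the reset/clean below.
  git add debian/patches debian/changelog
  git commit -m "merged patch ${patch_name}: ${patch_description}"
  git reset --hard
  git clean -f -d
}

# Download some patch files
# NOTE(review): all four patches below are fetched from a `master` branch, a
# reference whose content can change between runs, and are applied without any
# checksum comparison. They alter password-quality handling in the resulting
# packages, so a changed patch flows directly into the build. Pin each URL to
# a reviewed commit and compare against a recorded SHA-256 before merging.
cd ..

# Download the krb5-sync plugin hook patch
wget https://raw.githubusercontent.com/rra/krb5-sync/master/patches/heimdal-7.4.0

# Download the "quality-check-always" patches. There are three patch
# files:
# 1. make the quality check always happen, even for admin changes
# 2. a patch to a test script so that the test script uses a strong enough
#    password; otherwise the test would fail due to the quality-check-always
#    patch.
# 3. Stock random passwords are too short to meet the Stanford quality check,
#    so make random passwords stronger.
wget https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/quality-check-always-7.5.0
wget https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/kadmin-password-check-7.5.0
wget https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/stronger-random-password-7.5.0

cd heimdal
merge_patch ../quality-check-always-7.5.0 quality-check-always "created quality-check-always patch file"
merge_patch ../kadmin-password-check-7.5.0 kadmin-password-check "created quality-check-always test script patch file"
merge_patch ../heimdal-7.4.0 krb5-sync-plugin-hook "created krb5-sync plugin hook patch file"
merge_patch ../stronger-random-password-7.5.0 stronger-random-password "make random passwords longer"

# Last step.
echo 'Change directory into build-heimdal-7.5/heimdal and run "pbuild stretch"'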