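#!/bin/sh
# Before running, rename to build-7.7.sh

# Script to build Heimdal from the "heimdal-7-1-branch" branch of the
# GitHub repository incorporating fixes to the iprop function.
#
# NOTE(review): every input to this build (Debian source packages, the
# upstream tarball, the local patches) is fetched from the network at run
# time. Nothing in this script checks a signature or a recorded checksum
# on what it downloads, so the resulting KDC packages are only as
# trustworthy as the transport and the remote hosts at the moment of the
# build.

# Abort on the first failing command so a failed download or import does
# not lead to a partially assembled source tree being built.
set -e

DIRNAME=heimdal-build-7.7
REPONAME=oldstable-heimdal-dev
DISTRO=stretch
SRC_VERSION=7.7.1+dfsg
DEBIAN_VERSION="1"
VERSION="${SRC_VERSION}-${DEBIAN_VERSION}"

# Start from an empty build directory. The :? guard makes the shell stop
# instead of running "rm -rf" with an empty argument if DIRNAME is ever
# unset or blank.
rm -rf -- "${DIRNAME:?}"
mkdir -p -- "$DIRNAME"
cd "$DIRNAME"

## STAGE 1: Download and import the Debian source package for stretch.

# Download the Debian package source for stretch
# NOTE(review): these three files travel over plain HTTP and the script
# does not verify the OpenPGP signature on the .dsc before importing it.
# The checksums inside the .dsc only protect the two tarballs if the .dsc
# itself is authentic; consider running dscverify (devscripts) on the
# .dsc before the import step.
rm -f heimdal_7.1.0+dfsg*
wget http://http.debian.net/debian/pool/main/h/heimdal/heimdal_7.1.0+dfsg-13+deb9u3.dsc
wget http://http.debian.net/debian/pool/main/h/heimdal/heimdal_7.1.0+dfsg.orig.tar.gz
wget http://http.debian.net/debian/pool/main/h/heimdal/heimdal_7.1.0+dfsg-13+deb9u3.debian.tar.xz

# Import the just-downloaded source
gbp import-dsc heimdal_7.1.0+dfsg-13+deb9u3.dsc

## STAGE 2: Download the upstream source.
#wget https://github.com/heimdal/heimdal/releases/download/heimdal-7.7.0/heimdal-7.7.0.tar.gz

# Change the name of the upstream source so that it will be found when building
#mv heimdal-7.7.0.tar.gz heimdal_7.7.0+dfsg.orig.tar.gz

## STAGE 3: Merge the latest source you just downloaded with the stretch
## Debian source.
cd heimdal
git checkout master

# STAGE 3A: Merge the source code via tarball file:
#gbp import-orig ../heimdal_7.7.0+dfsg.orig.tar.gz -u7.7.0+dfsg --upstream-vcs-tag=

# STAGE 3B: Merge the source code via GitHub tarball URL:
# NOTE(review): the URL names a branch, not a tag or commit, so the
# imported tree changes whenever the branch moves while SRC_VERSION stays
# the same. Two runs of this script can therefore produce different
# packages under one version number. Pinning to a reviewed commit and
# comparing the tarball against a recorded checksum would make the build
# reproducible and auditable.
gbp import-orig --upstream-vcs-tag= -u"$SRC_VERSION" https://github.com/heimdal/heimdal/tarball/heimdal-7-1-branch

## STAGE 4: Remove some of the no-longer-needed patches from the stretch
## source directory.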
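# Remove some of the patch files that are already merged with the upstream source
# NOTE(review): three of these are CVE fixes. Dropping them is only safe
# if the upstream tree imported in STAGE 3 really contains the
# corresponding fixes; since that tree comes from a moving branch, confirm
# this against the imported source rather than assuming it.
rm -f debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch
rm -f debian/patches/CVE-2017-17439-KDC-remote-DoS.patch
rm -f debian/patches/CVE-2017-6594
rm -f debian/patches/check_iprop_races
rm -f debian/patches/0018-Add-back-in-base64_encode-and-base64_decode.patch

## STAGE 5: Download the Debian package source for sid and copy some of
## the patches into the stretch Debian source directory.
cd ..
mkdir -p debian-sid-source
cd debian-sid-source

#apt-get source --download-only heimdal
# NOTE(review): as in STAGE 1, these files are fetched over plain HTTP and
# the .dsc signature is not verified by this script before the import.
wget http://deb.debian.org/debian/pool/main/h/heimdal/heimdal_7.5.0+dfsg-3.dsc
wget http://deb.debian.org/debian/pool/main/h/heimdal/heimdal_7.5.0+dfsg.orig.tar.gz
wget http://deb.debian.org/debian/pool/main/h/heimdal/heimdal_7.5.0+dfsg-3.debian.tar.xz

# Import exactly the .dsc downloaded above rather than whatever *.dsc
# happens to be present in this directory.
gbp import-dsc heimdal_7.5.0+dfsg-3.dsc

# Change back into the stretch source directory
cd ../heimdal

# Copy some Debian package build files from the sid version including
# patch files that have not yet been merged with the upstream source or
# else are Debian-specific or else have different names(!).
/bin/cp -p ../debian-sid-source/heimdal/debian/patches/canonical_host debian/patches/canonical_host
/bin/cp -p ../debian-sid-source/heimdal/debian/patches/0016-Add-back-in-base64_encode-and-base64_decode.patch debian/patches/
/bin/cp -p ../debian-sid-source/heimdal/debian/patches/fix-missing-headers debian/patches/
/bin/cp -p ../debian-sid-source/heimdal/debian/libhdb9-heimdal.symbols debian/libhdb9-heimdal.symbols

# Copy the sid "series" file but remove some patches from the sid "series"
# file we just copied as these patches are already incorporated in the
# upstream source.
# The pattern deletes every series line containing 0017-CVE, 0018-CVE,
# 0020 or 0021; "\|" is the GNU sed spelling of alternation in a basic
# regular expression.
sed '/0017-CVE\|0018-CVE\|0020\|0021/d' ../debian-sid-source/heimdal/debian/patches/series > debian/patches/series

## STAGE 6: Do a git commit.
git add .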
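git commit -m "updated patch files from 7.7.0 Debian package source"

## STAGE 7: Change the version number in the change log file:
dch --force-distribution -v "$VERSION" -D "$REPONAME" -b "Backport to $DISTRO."

# # # # # # # # # # # # # # # # # #
#######################################
# Apply a patch to the working tree and record it as a Debian patch.
# Arguments:
#   $1 - path to the patch file to apply
#   $2 - name under which dpkg-source records the patch
#   $3 - free-text description used in the git commit message
# Outputs:
#   Progress message on stdout.
# Notes:
#   Written in the POSIX "name() { ... }" form: the script runs under
#   #!/bin/sh, and the "function name()" spelling is a syntax error in
#   shells such as dash.
#   --fuzz=0 makes patch refuse hunks whose context does not match
#   exactly, so a patch that no longer fits the source fails instead of
#   being applied at a guessed location.
#   Only debian/patches and debian/changelog are committed; the trailing
#   reset/clean then discards every other change in the working tree.
#######################################
merge_patch() {
  patch_file_path=$1
  patch_name=$2
  patch_description=$3

  echo "merging patch '${patch_name}'"
  patch -p1 --fuzz=0 --no-backup-if-mismatch < "$patch_file_path"
  dpkg-source --commit . "$patch_name"
  git add debian/patches debian/changelog
  git commit -m "merged patch ${patch_name}: ${patch_description}"
  git reset --hard
  git clean -f -d
}
# # # # # # # # # # # # # # # # # #

## STAGE 8: Add some Stanford-specific patches.

# Change back to the top-level directory.
cd ..

# Download the krb5-sync plugin hook patch
# NOTE(review): the patch is taken from the tip of "master", so its
# content can change between runs, and nothing here compares it against a
# known-good checksum before it is applied to the KDC source. Pinning the
# URL to a reviewed commit and checking a recorded SHA-256 would close
# that gap.
rm -f heimdal-7.4.0
wget https://raw.githubusercontent.com/rra/krb5-sync/master/patches/heimdal-7.4.0

# Download the "quality-check-always" patches. There are three patch
# files:
# 1. make the quality check always happen even for admin changes
# 2. a patch to a test script so that the test script uses a strong enough
#    password, otherwise the test would fail due to the quality-check-always
#    patch.
# 3. Stock random passwords are too short to meet the Stanford quality
#    check, so make random passwords stronger.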
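#######################################
# Fetch one file from the heimdal-patches repository into the current
# directory, replacing any earlier copy of the same name.
# Arguments:
#   $1 - file name within the repository's master branch
# Notes:
#   Written in the POSIX "name() { ... }" form: the script runs under
#   #!/bin/sh, and the "function name()" spelling is a syntax error in
#   shells such as dash.
#   NOTE(review): the file comes from the tip of "master" and is not
#   compared against a recorded checksum, so what gets merged into the
#   KDC source depends on the state of that branch at build time.
#   Pinning to a reviewed commit and verifying a SHA-256 per file would
#   make the inputs auditable.
#######################################
download_patch() {
  rm -f -- "$1"
  wget "https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/$1"
}

download_patch quality-check-always-7.5.0
download_patch kadmin-password-check-7.5.0
download_patch stronger-random-password-7.7.0
download_patch libkrb5-26-heimdal.symbols-7.7.1
download_patch libkadm5srv8-heimdal.symbols-7.7.1

cd heimdal
merge_patch ../quality-check-always-7.5.0 quality-check-always "created quality-check-always patch file"
merge_patch ../kadmin-password-check-7.5.0 kadmin-password-check "created quality-check-always test script patch file"
merge_patch ../heimdal-7.4.0 krb5-sync-plugin-hook "created krb5-sync plugin hook patch file"
merge_patch ../stronger-random-password-7.7.0 stronger-random-password "make random passwords longer"

# Note that the two downloaded .symbols files do not need to be merged,
# merely copied.
cp ../libkrb5-26-heimdal.symbols-7.7.1 debian/libkrb5-26-heimdal.symbols
cp ../libkadm5srv8-heimdal.symbols-7.7.1 debian/libkadm5srv8-heimdal.symbols

# Last step.
echo "Change directory into ${DIRNAME}/heimdal and run 'pbuild $DISTRO'"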