#!/bin/sh
# Before running, rename to build-7.7.sh
# Script to build Heimdal from the "heimdal-7-1-branch" branch of the
# GitHub repository incorporating fixes to the iprop function.
# This build script is quite different than previous build scripts. This
# one does not use "pbuilder" or "gbp buildpackage", rather it uses
# "dpkg-buildpackage" so it must be run on a buster machine with a bunch
# of extra packages installed.
set -e
# ### #### ### #### ### #### ### #### ### #### ### #### ### ###
progress () {
echo "progress: $1"
}
# ### #### ### #### ### #### ### #### ### #### ### #### ### ###
CACHING=0
DIRNAME=heimdal-build-7.7
REPONAME=stable-heimdal-dev
DISTRO=buster
## Settings related to downloading Debian soruce packages
DEB_SRC_URL=http://http.debian.net/debian/pool/main/h/heimdal/
# Debian package source information
SRC_VERSION=7.5.0+dfsg-3
# Need the version that stops at "+dfsg".
SRC_BASE_VERSION=$(echo $SRC_VERSION | cut -f1 -d'-')
# sid version of source package
DEBIAN_PKG_SID_VERSION="7.7.0+dfsg-1"
# Need the version that stops at "+dfsg".
DEBIAN_PKG_SID_BASE_VERSION=$(echo $DEBIAN_PKG_SID_VERSION | cut -f1 -d'-')
# The upstream source file. This is NOT the tip we want to use. We use
# this as the base and then merge in the tip with the changes we need.
#UPSTREAM_SRC_URL=https://github.com/heimdal/heimdal/releases/download/heimdal-7.7.0/heimdal-7.7.0.tar.gz
#UPSTREAM_BASENAME=$(basename $UPSTREAM_SRC_URL)
UPSTREAM_BRANCH=heimdal-7-1-branch
VERSION="7.7.2"
if [[ "$CACHING" != "1" ]] ; then
progress "removing $DIRNAME"
rm -rf $DIRNAME
else
progress "not removing $DIRNAME [CACHED]"
fi
mkdir -p $DIRNAME
cd $DIRNAME
## STAGE A: Download and import the Debian source package for $DISTRO
progress "Stage A"
if [ "$CACHING" != "1" ] || [ ! -d "heimdal" ]; then
progress "need to download and import source"
## STEP A.1: Download the Debian package source for buster.
wget --no-clobber "${DEB_SRC_URL}heimdal_${SRC_VERSION}.dsc"
wget --no-clobber "${DEB_SRC_URL}heimdal_${SRC_BASE_VERSION}.orig.tar.gz"
wget --no-clobber "${DEB_SRC_URL}heimdal_${SRC_VERSION}.debian.tar.xz"
## Step A.2: Import the just-downloaded source.
progress "importing package source"
gbp import-dsc "heimdal_${SRC_VERSION}.dsc"
else
progress "skipping download and import of Debian source package [CACHED]"
fi
## STAGE B:
progress "Stage B"
# Import upstream branch
if [ "$CACHING" != "1" ]; then
progress "merging upstream source"
cd heimdal
gbp import-orig --upstream-vcs-tag= -u$VERSION https://github.com/heimdal/heimdal/tarball/heimdal-7-1-branch
cd ..
else
progress "skipping merging upstream source [CACHED]"
fi
## STAGE C:
progress "Stage C"
## Delete some patch file from the series file that are not needed.
progress "removing some patch files and patching others"
cd heimdal
sed -i '/^0018-CVE-2019-12098-krb5-always/d' debian/patches/series
sed -i '/^0020-Fixes-https-github.com-heimdal-heimdal-issues-533.patch/d' debian/patches/series
sed -i '/^0021-Regenerate-certs-so-that-they-expire-before-the-2038.patch/d' debian/patches/series
cd ..
## STAGE D:
progress "Stage D"
## Download some patch files and patch.
wget https://raw.githubusercontent.com/rra/krb5-sync/master/patches/heimdal-7.4.0
### ###### ###### ###### ###### ###### ###### ###### ###
function download_patch()
{
rm -f $1
wget https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/$1
}
function patch_me()
{
patch_file_path=$1
echo "merging patch '${patch_file_path}'"
patch -p1 --fuzz=0 --no-backup-if-mismatch < $patch_file_path
}
### ###### ###### ###### ###### ###### ###### ###### ###
progress "downloading patches ..."
download_patch quality-check-always-7.5.0
download_patch kadmin-password-check-7.5.0
download_patch stronger-random-password-7.7.0
download_patch libkrb5-26-heimdal.symbols.patch-7.7.2
download_patch libkadm5srv8-heimdal.symbols.patch-7.7.2
download_patch libroken18-heimdal.symbols.patch-7.7.2
download_patch rules.patch-7.7.2
progress "patching ..."
cd heimdal
patch_me "../heimdal-7.4.0"
patch_me "../quality-check-always-7.5.0"
patch_me "../kadmin-password-check-7.5.0"
patch_me "../stronger-random-password-7.7.0"
patch_me "../libkrb5-26-heimdal.symbols.patch-7.7.2"
patch_me "../libkadm5srv8-heimdal.symbols.patch-7.7.2"
patch_me "../libroken18-heimdal.symbols.patch-7.7.2"
patch_me "../rules.patch-7.7.2"
cd ..
## STAGE E:
progress "Stage E"
## Increment debian version
cd heimdal
dch --force-distribution -v $VERSION -D $REPONAME -b "Backport to $DISTRO."
echo ""
echo "now run 'cd ${DIRNAME}/heimdal; dpkg-buildpackage -rfakeroot -b -us -uc'"
exit 0
################################################################
################################################################
################################################################
################################################################
################################################################
## STAGE B:
progress "Stage B"
## Download the Debian package source for sid and copy some of
## the patches into the stretch Debian source directory.
if [[ "$CACHING" != "1" ]] ; then
progress "downloading sid package source"
mkdir -p debian-sid-source
cd debian-sid-source
wget --no-clobber "${DEB_SRC_URL}heimdal_${DEBIAN_PKG_SID_VERSION}.dsc"
wget --no-clobber "${DEB_SRC_URL}heimdal_${DEBIAN_PKG_SID_BASE_VERSION}.orig.tar.xz"
wget --no-clobber "${DEB_SRC_URL}heimdal_${DEBIAN_PKG_SID_VERSION}.debian.tar.xz"
gbp import-dsc *.dsc
cd ..
else
progress "skipping download of sid package source [CACHED]"
fi
exit 0
## STAGE C: Merge with the upstream source tip (not an official release but has some
## important fixes.)
progress "Stage C"
if [[ "$CACHING" != "1" ]] ; then
progress "merging with upstream branch $UPSTREAM_BRANCH"
cd heimdal
gbp import-orig --upstream-vcs-tag= -u$SRC_VERSION https://github.com/heimdal/heimdal/tarball/$UPSTREAM_BRANCH
cd ..
else
progress "skipping merge with upstreaqm branch $UPSTREAM_BRANCH [CACHED]"
fi
exit 0
## STAGE D:
progress "Stage D"
# Remove some of the patch files that are already merged with the upstream source
cd heimdal
progress "removing some patches that are no longer needed"
rm -f debian/patches/0018-CVE-2019-12098-krb5-always-confirm-PA-PKINIT-KX-for-.patch
# Remove the files from the series file as well
sed -i '/^0018-CVE-2019-12098-krb5-always/d' debian/patches/series
progress "commiting changes due to removing patch files"
git add .
git commit -m "updated patch files from 7.7.0 Debian package source"
cd ..
## STAGE E:
progress "Stage E"
# Change the version number in the change log file:
progress "changing the version number in the change log file"
cd heimdal/
dch --force-distribution -v $VERSION -D $REPONAME -b "Backport to $DISTRO."
cd ..
# # # # # # # # # # # # # # # # # #
function merge_patch()
{
patch_file_path=$1
patch_name=$2
patch_description=$3
echo "merging patch '${patch_name}'"
patch -p1 --fuzz=0 --no-backup-if-mismatch < $patch_file_path
dpkg-source --commit . $patch_name
git add debian/patches debian/changelog
git commit -m "merged patch ${patch_name}: ${patch_description}"
git reset --hard
git clean -f -d
}
# # # # # # # # # # # # # # # # # #
## STAGE F:
# Download the krb5-sync plugin hook patch
progress "downloading the krb5-sync plugin hook patch"
rm -fr heimdal-7.4.0
wget https://raw.githubusercontent.com/rra/krb5-sync/master/patches/heimdal-7.4.0
# Download the "quality-check-always" patches. There are three patch
# files:
# 1. make the quality check always hapen even for admin changes
# 2. a patch to a test script so that the test script uses strong enough
# password, otherwise the test would fail due to the quality-check-always
# patch.
# 3. Stock random password are too short to meet the Stanford quality check, so make random
# password stronger.
function download_patch()
{
rm -f $1
wget https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/$1
}
download_patch quality-check-always-7.5.0
download_patch kadmin-password-check-7.5.0
download_patch stronger-random-password-7.7.0
download_patch libkrb5-26-heimdal.symbols-7.7.1
download_patch libkadm5srv8-heimdal.symbols-7.7.1
cd heimdal
merge_patch ../quality-check-always-7.5.0 quality-check-always "created quality-check-always patch file"
merge_patch ../kadmin-password-check-7.5.0 kadmin-password-check "created quality-check-always test script patch file"
merge_patch ../heimdal-7.4.0 krb5-sync-plugin-hook "created krb5-sync plugin hook patch file"
merge_patch ../stronger-random-password-7.7.0 stronger-random-password "make random passwords longer"
# Note that libkrb5-26-heimdal.symbols-7.7.0 does not need to be merged, merely copied.
cp ../libkrb5-26-heimdal.symbols-7.7.1 debian/libkrb5-26-heimdal.symbols
cp ../libkadm5srv8-heimdal.symbols-7.7.1 debian/libkadm5srv8-heimdal.symbols
# Last step.
echo "Change directory into ${DIRNAME}/heimdal and run 'pbuild $DISTRO'"
exit 0
# ## STEP A.2: Download and merge the upstream source.
# if [[ "$USE_UPSTREAM" == "1" ]]; then
# # Import the just-downloaded source
# progress "importing Debian apckage source"
# gbp import-dsc heimdal_${SRC_VERSION}.dsc
#
# # Change the name of the upstream source so that it will be found when building
# mv heimdal-7.7.0.tar.gz heimdal_7.7.0+dfsg.orig.tar.gz
#
# progress "importing upstream version"
# cd heimdal
# git checkout master
# gbp import-orig ../$UPSTREAM_BASENAME -u$UPSTREAM_VERSION
# cd ..
# else
# progress "skipping the download and import of source"
# fi
# Make a tag to show where the stock Debian import is.
cd heimdal
git tag debian-original
cd ..
# Change the name of the upstream source so that it will be found when building
#mv heimdal-7.7.0.tar.gz heimdal_7.7.0+dfsg.orig.tar.gz
## STAGE 3: Merge the latest source you just downloaded with the stretch
## Debian source.
cd heimdal
git checkout master
# STAGE 3A: Merge the source code via tarball file:
#gbp import-orig ../heimdal_7.7.0+dfsg.orig.tar.gz -u7.7.0+dfsg --upstream-vcs-tag=
# STAGE 3B: Merge the source code via GitHub tarball URL:
gbp import-orig --upstream-vcs-tag= -u$SRC_VERSION https://github.com/heimdal/heimdal/tarball/heimdal-7-1-branch
## STAGE 4: Remove some of the no-longer-needed patches from the stretch
## source directory.
# Remove some of the patch files that are already merged with the upstream source
rm -f debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch
rm -f debian/patches/CVE-2017-17439-KDC-remote-DoS.patch
rm -f debian/patches/CVE-2017-6594
rm -f debian/patches/check_iprop_races
rm -f debian/patches/0018-Add-back-in-base64_encode-and-base64_decode.patch
## STAGE 5: Download the Debian package source for sid and copy some of
## the patches into the stretch Debian source directory.
cd ..
mkdir -p debian-sid-source
cd debian-sid-source
#apt-get source --download-only heimdal
wget http://deb.debian.org/debian/pool/main/h/heimdal/heimdal_7.5.0+dfsg-3.dsc
wget http://deb.debian.org/debian/pool/main/h/heimdal/heimdal_7.5.0+dfsg.orig.tar.gz
wget http://deb.debian.org/debian/pool/main/h/heimdal/heimdal_7.5.0+dfsg-3.debian.tar.xz
gbp import-dsc *.dsc
# Change back into the stretch source directory
cd ../heimdal
# Copy some Debian package build files from the sid version including
# patch files that have not yet been merged with the upstream source or
# else are Debian-specific or else have different names(!).
/bin/cp -p ../debian-sid-source/heimdal/debian/patches/canonical_host debian/patches/canonical_host
/bin/cp -p ../debian-sid-source/heimdal/debian/patches/0016-Add-back-in-base64_encode-and-base64_decode.patch debian/patches/
/bin/cp -p ../debian-sid-source/heimdal/debian/patches/fix-missing-headers debian/patches/
/bin/cp -p ../debian-sid-source/heimdal/debian/libhdb9-heimdal.symbols debian/libhdb9-heimdal.symbols
# Copy the sid "series" file but remove some patches from the sid "series"
# file we just copied as these patches are already incorporated in the
# upstream source.
sed '/0017-CVE\|0018-CVE\|0020\|0021/d' ../debian-sid-source/heimdal/debian/patches/series > debian/patches/series
## STAGE 6: Do a git commit.
git add .
git commit -m "updated patch files from 7.7.0 Debian package source"
## STAGE 7: Change the version number in the change log file:
dch --force-distribution -v $VERSION -D $REPONAME -b "Backport to $DISTRO."
# # # # # # # # # # # # # # # # # #
function merge_patch()
{
patch_file_path=$1
patch_name=$2
patch_description=$3
echo "merging patch '${patch_name}'"
patch -p1 --fuzz=0 --no-backup-if-mismatch < $patch_file_path
dpkg-source --commit . $patch_name
git add debian/patches debian/changelog
git commit -m "merged patch ${patch_name}: ${patch_description}"
git reset --hard
git clean -f -d
}
# # # # # # # # # # # # # # # # # #
## STAGE 8: Add some Stanford-specific patches.
# Change back to the top-level directory.
cd ..
# Download the krb5-sync plugin hook patch
rm -f heimdal-7.4.0
wget https://raw.githubusercontent.com/rra/krb5-sync/master/patches/heimdal-7.4.0
# Download the "quality-check-always" patches. There are three patch
# files:
# 1. make the quality check always hapen even for admin changes
# 2. a patch to a test script so that the test script uses strong enough
# password, otherwise the test would fail due to the quality-check-always
# patch.
# 3. Stock random password are too short to meet the Stanford quality check, so make random
# password stronger.
function download_patch()
{
rm -f $1
wget https://code.stanford.edu/acs-linux-public/heimdal-patches/raw/master/$1
}
download_patch quality-check-always-7.5.0
download_patch kadmin-password-check-7.5.0
download_patch stronger-random-password-7.7.0
download_patch libkrb5-26-heimdal.symbols-7.7.1
download_patch libkadm5srv8-heimdal.symbols-7.7.1
cd heimdal
merge_patch ../quality-check-always-7.5.0 quality-check-always "created quality-check-always patch file"
merge_patch ../kadmin-password-check-7.5.0 kadmin-password-check "created quality-check-always test script patch file"
merge_patch ../heimdal-7.4.0 krb5-sync-plugin-hook "created krb5-sync plugin hook patch file"
merge_patch ../stronger-random-password-7.7.0 stronger-random-password "make random passwords longer"
# Note that libkrb5-26-heimdal.symbols-7.7.0 does not need to be merged, merely copied.
cp ../libkrb5-26-heimdal.symbols-7.7.1 debian/libkrb5-26-heimdal.symbols
cp ../libkadm5srv8-heimdal.symbols-7.7.1 debian/libkadm5srv8-heimdal.symbols
# Last step.
echo "Change directory into ${DIRNAME}/heimdal and run 'pbuild $DISTRO'"
### STAGE B: Download the upstream source.
#progress "Stage B"
#if [[ "$CACHING" != "1" ]] ; then
# progress "downloading upstream version of Heimdal"
# wget --no-clobber $UPSTREAM_SRC_URL
#else
# progress "skipping download of upstream version of Heimdal"
#fi