修改原生 deb 包并重新打包

以构建 wget 为例。

安装构建 wget 所需的依赖:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
~$ sudo apt build-dep wget
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
...
The following NEW packages will be installed:
  libidn11-dev libtext-unidecode-perl tex-common texinfo
The following packages will be upgraded:
  libidn11 libidn11:i386
2 upgraded, 4 newly installed, 0 to remove and 381 not upgraded.
Need to get 1,498 kB of archives.
After this operation, 8,750 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Setting up texinfo (6.5.0.dfsg.1-2) ...
Setting up libidn11:amd64 (1.33-2.1ubuntu1.2) ...
Setting up libidn11:i386 (1.33-2.1ubuntu1.2) ...
Setting up libidn11-dev (1.33-2.1ubuntu1.2) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

下载构建 wget 所需的源代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
~$ apt source wget
Reading package lists... Done
Need to get 3,833 kB of source archives.
Get:1 http://mirrors.ustc.edu.cn/ubuntu xenial-updates/main wget 1.17.1-1ubuntu1.5 (dsc) [1,935 B]
Get:2 http://mirrors.ustc.edu.cn/ubuntu xenial-updates/main wget 1.17.1-1ubuntu1.5 (tar) [3,801 kB]
Get:3 http://mirrors.ustc.edu.cn/ubuntu xenial-updates/main wget 1.17.1-1ubuntu1.5 (diff) [29.5 kB]
Fetched 3,833 kB in 33s (116 kB/s)                                                       
dpkg-source: info: extracting wget in wget-1.17.1
dpkg-source: info: unpacking wget_1.17.1.orig.tar.gz
dpkg-source: info: unpacking wget_1.17.1-1ubuntu1.5.debian.tar.xz
dpkg-source: info: applying wget-doc-remove-usr-local-in-sample.wgetrc
dpkg-source: info: applying wget-doc-remove-usr-local-in-wget.texi
dpkg-source: info: applying wget-passive_ftp-default
dpkg-source: info: applying wget-doc-CRLs.patch
dpkg-source: info: applying CVE-2016-4971.patch
dpkg-source: info: applying Sanitize-value-sent-to-memset-to-prevent-SEGFAULT.patch
dpkg-source: info: applying CVE-2016-7098-1.patch
dpkg-source: info: applying CVE-2016-7098-2.patch
dpkg-source: info: applying CVE-2016-7098-3.patch
dpkg-source: info: applying CVE-2017-6508.patch
dpkg-source: info: applying CVE-2017-13089.patch
dpkg-source: info: applying CVE-2017-13090.patch
dpkg-source: info: applying CVE-2018-0494.patch
dpkg-source: info: applying CVE-2019-5953-pre.patch
dpkg-source: info: applying CVE-2019-5953-1.patch
dpkg-source: info: applying CVE-2019-5953-2.patch

自动解压并打上 patch 得到最终的源代码如下:

1
2
3
~$ ls
wget-1.17.1                           wget_1.17.1-1ubuntu1.5.dsc
wget_1.17.1-1ubuntu1.5.debian.tar.xz  wget_1.17.1.orig.tar.gz

注意:需要使能 deb-src apt 源。

如果有需要,可以手工下载所有的源代码文件,包括:dsc 描述文件,origin 上游原始源代码文件,以及 debian 打包文件。

首先校验下载的 dsc 文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
~$ gpg --verify wget_1.17.1-1ubuntu1.5.dsc 
gpg: Signature made Tue 09 Apr 2019 03:56:48 AM CST using RSA key ID 840B1F69
gpg: Can't check signature: No public key

~$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 840B1F69
gpg: key 840B1F69: 10 signatures not checked due to missing keys
gpg: key 840B1F69: public key "Leonidas S. Barbosa <leo.barbosa@canonical.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-04-12
gpg: Total number processed: 1
gpg:               imported: 1

~$ gpg --edit-key 840B1F69
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/840B1F69
     created: 2017-06-09  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/428BA46A
     created: 2017-06-09  expires: never       usage: E   
[ unknown] (1). Leonidas S. Barbosa <leo.barbosa@canonical.com>
[ unknown] (2)  Leonidas S. Barbosa <lndsbarbosa@gmail.com>
[ unknown] (3)  Leonidas S. Barbosa <leo.leonidas@canonical.com>

gpg> uid 1

pub  rsa4096/840B1F69
     created: 2017-06-09  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/428BA46A
     created: 2017-06-09  expires: never       usage: E   
[ unknown] (1)* Leonidas S. Barbosa <leo.barbosa@canonical.com>
[ unknown] (2)  Leonidas S. Barbosa <lndsbarbosa@gmail.com>
[ unknown] (3)  Leonidas S. Barbosa <leo.leonidas@canonical.com>

gpg> lsign

pub  rsa4096/840B1F69
     created: 2017-06-09  expires: never       usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 7FE7 9B44 5728 C8EA 0042  839E 45BC E75B 840B 1F69

     Leonidas S. Barbosa <leo.barbosa@canonical.com>

Are you sure that you want to sign this key with your
key "luo.runbing (https://www.example.com/) <luo.runbing@example.com>" (C7E8A950)

The signature will be marked as non-exportable.

Really sign? (y/N) y

gpg> lsign 
Really sign all text user IDs? (y/N) y
"Leonidas S. Barbosa <leo.barbosa@canonical.com>" was already locally signed by key C7E8A950

pub  rsa4096/840B1F69
     created: 2017-06-09  expires: never       usage: SC  
     trust: full          validity: full
 Primary key fingerprint: 7FE7 9B44 5728 C8EA 0042  839E 45BC E75B 840B 1F69

     Leonidas S. Barbosa <lndsbarbosa@gmail.com>
     Leonidas S. Barbosa <leo.leonidas@canonical.com>

Are you sure that you want to sign this key with your
key "luo.runbing (https://www.example.com/) <luo.runbing@example.com>" (C7E8A950)

The signature will be marked as non-exportable.

Really sign? (y/N) y

gpg> trust 
pub  rsa4096/840B1F69
     created: 2017-06-09  expires: never       usage: SC  
     trust: unknown       validity: full
sub  rsa4096/428BA46A
     created: 2017-06-09  expires: never       usage: E   
[  full  ] (1). Leonidas S. Barbosa <leo.barbosa@canonical.com>
[  full  ] (2)  Leonidas S. Barbosa <lndsbarbosa@gmail.com>
[  full  ] (3)  Leonidas S. Barbosa <leo.leonidas@canonical.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  rsa4096/840B1F69
     created: 2017-06-09  expires: never       usage: SC  
     trust: full          validity: full
sub  rsa4096/428BA46A
     created: 2017-06-09  expires: never       usage: E   
[  full  ] (1). Leonidas S. Barbosa <leo.barbosa@canonical.com>
[  full  ] (2)  Leonidas S. Barbosa <lndsbarbosa@gmail.com>
[  full  ] (3)  Leonidas S. Barbosa <leo.leonidas@canonical.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

~$ gpg --verify wget_1.17.1-1ubuntu1.5.dsc
gpg: Signature made Tue 09 Apr 2019 03:56:48 AM CST using RSA key ID 840B1F69
gpg: Good signature from "Leonidas S. Barbosa <leo.barbosa@canonical.com>" [full]
gpg:                 aka "Leonidas S. Barbosa <lndsbarbosa@gmail.com>" [full]
gpg:                 aka "Leonidas S. Barbosa <leo.leonidas@canonical.com>" [full]

然后指定 dsc 文件进行解压:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
~$ dpkg-source -x wget_1.17.1-1ubuntu1.5.dsc 
gpgv: Signature made Tue 09 Apr 2019 03:56:48 AM CST
gpgv:                using RSA key 45BCE75B840B1F69
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./wget_1.17.1-1ubuntu1.5.dsc
dpkg-source: info: extracting wget in wget-1.17.1
dpkg-source: info: unpacking wget_1.17.1.orig.tar.gz
dpkg-source: info: unpacking wget_1.17.1-1ubuntu1.5.debian.tar.xz
dpkg-source: info: applying wget-doc-remove-usr-local-in-sample.wgetrc
dpkg-source: info: applying wget-doc-remove-usr-local-in-wget.texi
dpkg-source: info: applying wget-passive_ftp-default
dpkg-source: info: applying wget-doc-CRLs.patch
dpkg-source: info: applying CVE-2016-4971.patch
dpkg-source: info: applying Sanitize-value-sent-to-memset-to-prevent-SEGFAULT.patch
dpkg-source: info: applying CVE-2016-7098-1.patch
dpkg-source: info: applying CVE-2016-7098-2.patch
dpkg-source: info: applying CVE-2016-7098-3.patch
dpkg-source: info: applying CVE-2017-6508.patch
dpkg-source: info: applying CVE-2017-13089.patch
dpkg-source: info: applying CVE-2017-13090.patch
dpkg-source: info: applying CVE-2018-0494.patch
dpkg-source: info: applying CVE-2019-5953-pre.patch
dpkg-source: info: applying CVE-2019-5953-1.patch
dpkg-source: info: applying CVE-2019-5953-2.patch

对上游源代码进行打包

1
~$ sudo apt install dh-make

TODO

参考资料

Packaging

https://wiki.debian.org/Packaging

Debian Packaging Tutorial

https://www.debian.org/doc/manuals/packaging-tutorial/packaging-tutorial.en.pdf

Introduction to Debian Packaging

https://wiki.debian.org/Packaging/Intro?action=show&redirect=IntroDebianPackaging

Debian packaging tutorials for the modern developer

https://github.com/phusion/debian-packaging-for-the-modern-developer

Debian New Maintainers’ Guide

https://www.debian.org/doc/manuals/maint-guide/