Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying

Pre-requisites: ?

Learning objectives: Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file.

Lecture/discussion

• Begin by showing the web page for some program that has a tarball (e.g. nano)
• Download it, compile it, and run it.

• Ask the question aloud: How can we verify that this is the real GNU nano?
  • Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it

• Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!"
  • Use 'grep "New Buffer" src/*.c' to find the string (in src/winio.c)
  • modify src/winio.c and rebuild
  • also make a patch!
  • Roll up a new tarball, and then try to verify it with the GPG signature.
  • Rebuild the Debian package with the patch added
  • Notice that, once the new package is installed, the string change takes effect.

• More about verifying tarballs
  • Explain why authenticity is desirable
    • Possible example: Linux driver with a uid=0 vs. uid == 0 bug introduced (reference)
  • Provide an example of md5sum or sha1sum
  • Explain why they're not adequate, without GPG

• Case study: Explain signing in Debian

• Quick introduction to the web of trust

• Are tarballs and patches enough? Explain why people use version control
  • You can check if your patch is in the main tree or not
  • Version control tools make it easy to create patches
  • Version control tools make it easy to jump between versions

• Quick mention of packaging systems

• Quick introduction to installing build dependencies

• Dissect a small patch submission, such as https://bugs.freedesktop.org/show_bug.cgi?id=51883

Individual work

• Have students go through the patch training mission.
• Provide a download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify.
• Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify.

Assessment elements

• The training missions includes their own assessments.

Note

• We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work. (Or declare that some of this work is best-done using the shared Linux server.)