Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying: Difference between revisions
imported>Paulproteus No edit summary |
imported>Paulproteus No edit summary |
||
Line 1: | Line 1: | ||
'''Pre-requisites''': ? |
'''Pre-requisites''': ? |
||
'''Learning objectives''': Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file. |
'''Learning objectives''': Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file. |
||
=== Lecture/discussion === |
|||
* Begin by showing the web page for some program that has a tarball (e.g. nano) |
|||
* Download it, compile it, and run it. |
|||
* Look at its ChangeLog, and show that different people were involved. |
|||
* Ask the question aloud: How can we verify that this is the ''real'' GNU nano? |
|||
** Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it |
|||
* Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!" |
|||
** modify src/winio.c and rebuild |
|||
** also make a patch! |
|||
** Roll up a new tarball, and then try to verify it with the GPG signature. |
|||
** Rebuild the Debian package with the patch added |
|||
* More about verifying tarballs |
|||
⚫ | |||
⚫ | |||
⚫ | |||
** Explain why they're not adequate, without GPG |
|||
* Case study: Explain signing in Debian |
|||
* Question: Where do tarballs come from? |
|||
** Answer: Someone takes a snapshot of a directory. But how did things get in there? |
|||
* Quick overview of a patch file |
|||
⚫ | |||
* Verifying tarballs |
|||
⚫ | |||
⚫ | |||
⚫ | |||
** verifying md5sum + sha1sum lists with gpg |
|||
⚫ | |||
* Are tarballs and patches enough? |
|||
* |
** Explain why people use version control |
||
** You can check if your patch is in the main tree or not |
** You can check if your patch is in the main tree or not |
||
** |
** Version control tools make it easy to create patches |
||
** |
** Version control tools make it easy to jump between versions |
||
* Quick mention of packaging systems |
* Quick mention of packaging systems |
||
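Review bot: The "How can we verify that this is the ''real'' GNU nano?" step goes straight to "Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it" without saying where the signer's public key comes from or how its fingerprint is checked, and a signature only proves something relative to a key the student has reason to trust. Consider a sub-bullet before the .sig step that covers fetching the key and comparing its fingerprint through a separate channel. The "verifying md5sum + sha1sum lists with gpg" bullet could likewise state that the signature, not the hash list, is what carries authenticity.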
Line 26: | Line 39: | ||
* Quick introduction to installing build dependencies |
* Quick introduction to installing build dependencies |
||
=== Individual work === |
|||
* Have students go through the |
* Have students go through the patch training mission. |
||
* |
* Provide a download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify. |
||
* Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify. |
|||
'''Assessment elements''' |
'''Assessment elements''' |
||
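Review bot: Both exercise bullets end with "and identify which ones do not verify", which leaves open whether the instructor or the students do the identifying. Since they sit under Individual work, reword them along the lines of "and have them identify which ones do not verify".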
Line 35: | Line 49: | ||
* The training missions includes their own assessments. |
* The training missions includes their own assessments. |
||
=== Note === |
|||
'''Possible problems''' |
|||
* We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work. |
|||
* ? |
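Review bot: "The training missions includes their own assessments" has a subject-verb mismatch (it should read "missions include"), and the new Possible problems list ends with a bare "* ?" placeholder bullet that should be filled in or dropped.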
Revision as of 23:09, 23 February 2012
Pre-requisites: ?
Learning objectives: Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file.
Lecture/discussion
- Begin by showing the web page for some program that has a tarball (e.g. nano)
- Download it, compile it, and run it.
- Look at its ChangeLog, and show that different people were involved.
- Ask the question aloud: How can we verify that this is the real GNU nano?
- Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it
- Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!"
- modify src/winio.c and rebuild
- also make a patch!
- Roll up a new tarball, and then try to verify it with the GPG signature.
- Rebuild the Debian package with the patch added
- More about verifying tarballs
- Explain why authenticity is desirable
- Possible example: Linux driver with a uid=0 vs. uid == 0 bug introduced (I'd like to find a reference, but can't)
- Provide an example of md5sum or sha1sum
- Explain why they're not adequate, without GPG
- Explain why authenticity is desirable
- Case study: Explain signing in Debian
- Quick introduction to the web of trust
- Are tarballs and patches enough?
- Explain why people use version control
- You can check if your patch is in the main tree or not
- Version control tools make it easy to create patches
- Version control tools make it easy to jump between versions
- Quick mention of packaging systems
- Quick introduction to installing build dependencies
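
The outline's point that md5sum or sha1sum lists are not adequate without GPG, shown as an added example that is not part of the original curriculum page. The file name demo-1.0.tar.gz and its contents are constructed stand-ins for a real release.

```shell
#!/bin/sh
# Added example: constructed files stand in for a real release tarball.

# Build a "release": one tarball-named file plus a SHA1SUMS list covering it.
make_release() {
    printf 'original source\n' > "$1/demo-1.0.tar.gz"
    ( cd "$1" && sha1sum demo-1.0.tar.gz > SHA1SUMS )
}

# What a downloader does: recompute each hash and compare it with the list.
verify_release() {
    ( cd "$1" && sha1sum -c SHA1SUMS >/dev/null 2>&1 )
}

# Build a release, apply one kind of change, and report the checksum verdict.
scenario() {
    dir=$(mktemp -d) || return 1
    make_release "$dir"
    case "$1" in
        pristine) ;;
        tarball-only)
            # Corruption, or tampering that touches only the tarball.
            printf 'modified source\n' > "$dir/demo-1.0.tar.gz" ;;
        tarball-and-list)
            # Whoever can replace the tarball on a mirror can also
            # regenerate the unsigned SHA1SUMS that sits next to it.
            printf 'modified source\n' > "$dir/demo-1.0.tar.gz"
            ( cd "$dir" && sha1sum demo-1.0.tar.gz > SHA1SUMS ) ;;
    esac
    if verify_release "$dir"; then verdict="verifies"; else verdict="FAILS"; fi
    rm -rf "$dir"
    echo "$verdict"
}

# Print the verdict for each case; the last one passes despite the change.
for s in pristine tarball-only tarball-and-list; do
    printf '%-17s %s\n' "$s" "$(scenario "$s")"
done
```

The third case passes the checksum test even though the content changed, which is why the list or the tarball needs a signature. A detached signature checked with `gpg --verify`, such as the nano-2.2.6.tar.gz.sig file named above, ties the content to a key that someone who only controls the download location does not hold.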
Individual work
- Have students go through the patch training mission.
- Provide a download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify.
- Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify.
Assessment elements
- The training missions include their own assessments.
Note
- We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work.