Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying: Difference between revisions

imported>Paulproteus
imported>Stump
 
 
'''Pre-requisites''': ?
 
'''Learning objectives''': Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file.
 
=== Lecture/discussion ===
 
* Begin by showing the web page for some program that has a tarball (e.g. nano)
* Question: Where do tarballs come from?
* Download it, compile it, and run it.
** Answer: Someone takes a snapshot of a directory. But how did things get in there?
* Quick overview of a patch file
 
* Ask the question aloud: How can we verify that this is the ''real'' GNU nano?
* Verifying tarballs
** Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it
** Why authenticity is desirable
*** Example: Linux driver with a uid=0 vs. uid == 0 bug introduced
** md5sum + sha1sum
** verifying md5sum + sha1sum lists with gpg
** Quick introduction to the web of trust
 
* Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!"
* Why people use version control
** Use 'grep "New Buffer" src/*.c' to find the string (in src/winio.c)
** modify src/winio.c and rebuild
** also make a patch!
** Roll up a new tarball, and then try to verify it with the GPG signature.
** Rebuild the Debian package with the patch added
** Notice that, once the new package is installed, the string change takes effect.
 
* More about verifying tarballs
** Explain why authenticity is desirable
*** Possible example: Linux driver with a uid=0 vs. uid == 0 bug introduced ([http://kerneltrap.org/node/1584 reference])
** Provide an example of md5sum or sha1sum
** Explain why they're not adequate, without GPG
 
* Case study: Explain signing in Debian
 
** Quick introduction to the web of trust
 
* Are tarballs and patches enough? Explain why people use version control
** You can check if your patch is in the main tree or not
** Version control tools make it easy to create patches
** Version control tools make it easy to jump between versions
 
* Quick mention of packaging systems
* Quick introduction to installing build dependencies
 
* Dissect a small patch submission, such as https://bugs.freedesktop.org/show_bug.cgi?id=51883

=== Individual work ===
 
* Have students go through the gitpatch training mission.
* Provide a download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify.
* Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify.
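
The SHA1SUMS exercise above, together with the lecture point that md5sum or sha1sum lists are not adequate without GPG, as an added example that is not part of the original curriculum page. It assumes GNU coreutils <code>sha1sum</code>; the tarballs, file names and helper functions are all constructed for the demo.

```shell
# Added demo. Everything is constructed in a temp dir; nothing is downloaded.
# Assumes GNU coreutils sha1sum. All function and file names are hypothetical.

# Print the names of files listed in $1/SHA1SUMS that fail verification.
failed_files() {
    ( cd "$1" && LC_ALL=C sha1sum -c SHA1SUMS 2>/dev/null ) |
        sed -n 's/: FAILED.*$//p'
}

# Build a constructed "download directory": two tarballs plus a SHA1SUMS list.
make_mirror() {
    dir=$(mktemp -d)
    ( cd "$dir" &&
      echo 'int main(void){return 0;}' > a.c && tar -cf demo-a.tar a.c &&
      echo 'int main(void){return 1;}' > b.c && tar -cf demo-b.tar b.c &&
      rm a.c b.c &&
      sha1sum demo-a.tar demo-b.tar > SHA1SUMS )
    echo "$dir"
}

# Case 1: only the tarball changes (corruption, or tampering on one mirror).
tamper_tarball_only() {
    printf 'extra bytes' >> "$1/demo-b.tar"
}

# Case 2: whoever changed the tarball can also write SHA1SUMS, so they
# regenerate it. The list now matches the modified files.
tamper_and_rehash() {
    printf 'extra bytes' >> "$1/demo-a.tar"
    ( cd "$1" && sha1sum demo-a.tar demo-b.tar > SHA1SUMS )
}

d=$(make_mirror)
echo "clean download:             failures=[$(failed_files "$d")]"
tamper_tarball_only "$d"
echo "tarball changed:            failures=[$(failed_files "$d")]"
tamper_and_rehash "$d"
echo "tarball + SHA1SUMS changed: failures=[$(failed_files "$d")]"
rm -rf "$d"
# The last case passes the checksum test. A detached signature on the list,
# checked with `gpg --verify SHA1SUMS.sig SHA1SUMS` (signature file name
# assumed), is what ties SHA1SUMS to a key the attacker does not hold.
```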
 
'''Assessment elements'''
* The training missions include their own assessments.
 
=== Note ===
'''Possible problems'''
 
* We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work. (Or declare that some of this work is best done using the shared Linux server.)
* ?