OpenHatch wiki

Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying: Difference between revisions

Page Discussion

Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying (view source)

Revision as of 23:09, 23 February 2012

999 bytes added ,  12 years ago
no edit summary
imported>Paulproteus
No edit summary
imported>Paulproteus
No edit summary
Line 1:
 
'''Pre-requisites''': ?
 
'''Learning objectives''': Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file.
 
'''Group=== Lecture/discussion''' ===
 
* Begin by showing the web page for some program that has a tarball (e.g. nano)
* Download it, compile it, and run it.
 
* Look at its ChangeLog, and show that different people were involved.
 
* Ask the question aloud: How can we verify that this is the ''real'' GNU nano?
** Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it
 
* Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!"
** modify src/winio.c and rebuild
** also make a patch!
** Roll up a new tarball, and then try to verify it with the GPG signature.
** Rebuild the Debian package with the patch added
 
* More about verifying tarballs
** WhyExplain why authenticity is desirable
*** ExamplePossible example: Linux driver with a uid=0 vs. uid == 0 bug introduced (I'd like to find a reference, but can't)
** Provide an example of md5sum +or sha1sum
** Explain why they're not adequate, without GPG
 
* Case study: Explain signing in Debian
* Question: Where do tarballs come from?
** Answer: Someone takes a snapshot of a directory. But how did things get in there?
* Quick overview of a patch file
 
** Quick introduction to the web of trust
* Verifying tarballs
** Why authenticity is desirable
*** Example: Linux driver with a uid=0 vs. uid == 0 bug introduced
** md5sum + sha1sum
** verifying md5sum + sha1sum lists with gpg
** Quick introduction to the web of trust
 
* Are tarballs and patches enough?
** WhyExplain why people use version control
** You can check if your patch is in the main tree or not
** ItVersion makescontrol ittools supermake it easy to create patches
** ItVersion iscontrol tools make it easy to jump between versions
 
* Quick mention of packaging systems
Line 26 ⟶ 39:
* Quick introduction to installing build dependencies
 
'''=== Individual work''' ===
 
* Have students go through the gitpatch training mission.
* HaveProvide studentsa download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify.
* Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify.
 
'''Assessment elements'''
Line 35 ⟶ 49:
* The training missions includes their own assessments.
 
=== Note ===
'''Possible problems'''
 
* We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work.
* ?
Anonymous user
Retrieved from "https://wiki.openhatch.org/wiki/Special:MobileDiff/9181"