Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying
Pre-requisites: ?
Learning objectives: Know how to download a tarball and apply a patch. Understand what a patch file looks like. Understand the idea of "-p0" "-p1" fiddling. Understand how to verify a tarball against a SHA1 checksum, and why it matters. Understand how to use GPG to verify a SHA1SUMS file! Understand the basic idea of why version control could be useful, and know how to create a patch file.
Lecture/discussion
- Begin by showing the web page for some program that has a tarball (e.g. nano)
- Download it, compile it, and run it.
- Look at its ChangeLog, and show that different people were involved.
- Ask the question aloud: How can we verify that this is the real GNU nano?
- Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it
- Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!"
- modify src/winio.c and rebuild
- also make a patch!
- Roll up a new tarball, and then try to verify it with the GPG signature.
- Rebuild the Debian package with the patch added
- More about verifying tarballs
- Explain why authenticity is desirable
- Possible example: Linux driver with a uid=0 vs. uid == 0 bug introduced (I'd like to find a reference, but can't)
- Provide an example of md5sum or sha1sum
- Explain why they're not adequate, without GPG
- Explain why authenticity is desirable
- Case study: Explain signing in Debian
- Quick introduction to the web of trust
- Are tarballs and patches enough?
- Explain why people use version control
- You can check if your patch is in the main tree or not
- Version control tools make it easy to create patches
- Version control tools make it easy to jump between versions
- Quick mention of packaging systems
- Quick introduction to installing build dependencies
Individual work
- Have students go through the patch training mission.
- Provide a download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify.
- Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify.
Assessment elements
- The training missions includes their own assessments.
Note
- We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work.