Open Source Comes to Campus/Curriculum/Saturday/Getting modifying and verifying

• Begin by showing the web page for some program that has a tarball (e.g. nano)
• Download it, compile it, and run it.

• Look at its ChangeLog, and show that different people were involved.

• Ask the question aloud: How can we verify that this is the real GNU nano?
  • Use http://ftp.gnu.org/gnu/nano/nano-2.2.6.tar.gz.sig to verify it

• Create a new, customized GNU nano where "New Buffer" in the title bar is replaced with "Be careful, this file is not yet saved!"
  • modify src/winio.c and rebuild
  • also make a patch!
  • Roll up a new tarball, and then try to verify it with the GPG signature.
  • Rebuild the Debian package with the patch added

• More about verifying tarballs
  • Explain why authenticity is desirable
    • Possible example: Linux driver with a uid=0 vs. uid == 0 bug introduced (I'd like to find a reference, but can't)
  • Provide an example of md5sum or sha1sum
  • Explain why they're not adequate, without GPG

• Case study: Explain signing in Debian

• Quick introduction to the web of trust

• Are tarballs and patches enough?
  • Explain why people use version control
  • You can check if your patch is in the main tree or not
  • Version control tools make it easy to create patches
  • Version control tools make it easy to jump between versions

• Quick mention of packaging systems

• Quick introduction to installing build dependencies

• Have students go through the patch training mission.
• Provide a download link for students, with a few tarballs and gpg signatures, and identify which ones do not verify.
• Provide a download link for students, with a few tarballs and SHA1SUM files, and identify which ones do not verify.

Assessment elements

• The training missions includes their own assessments.

• We should test that this works great on Windows and Mac, and make sure that they have the dependencies they need to make it work.