A distribution of GNU Linux-libre ====================================== 1. Introduction and instructions This repository contains a distribution of GNU Linux-libre. It uses the majority of Debian's kernel patches. The source tarball is pulled from https://www.fsfla.org/ikiwiki/selibre/linux-libre/index.en.html and then repacked so that dpkg-buildpackage can directly use it to build binaries. It should be drop-in replacement of linux shipped by Debian. To browse the source code of the source package "linux-libre": https://git.jing.rocks/cgit/jing/linux-libre.git/ https://forgejo.jing.rocks/jing/linux-libre https://git.jing.rocks/gitweb/?p=jing/linux-libre.git;a=summary The APT repository is signed with my GPG key: 4E09 8D19 00AA 3F72 1899 2614 09B3 316E 13A1 1EFC You can also install the gnu-linux-libre-keyring package, but you will need to configure /etc/apt/sources.list yourself first, as this package doesn't configure for you (mainly because it violates Debian policy and is unsafe): (1) Manually download the gnu-linux-libre-keyring package here (e.g. using wget): https://apt.jing.rocks/linux-libre/pool/main/g/gnu-linux-libre-keyring/gnu-linux-libre-keyring_1.0.2_all.deb then as root or with sudo, run `dpkg -i gnu-linux-libre-keyring_1.0.2_all.deb`. This will install the GPG public keys to /usr/share/keyrings/jing.asc, but you can also download my public keys from https://jing.rocks/pub.gpg. Alternatively, you can put `jing.asc` under /etc/apt/trusted.gpg.d/, but this is dangerous and not recommended, unless you ultimately trust this key. (2) Add these two lines to /etc/apt/sources.list, or a separate file under /etc/apr/sources.list.d/: deb [signed-by=/usr/share/keyrings/jing.asc] http://apt.jing.rocks/linux-libre sid main deb-src [signed-by=/usr/share/keyrings/jing.asc] http://apt.jing.rocks/linux-libre sid main Note that you may need to adjust the "suite" unless you are running Debian sid. As of June 2024, bookworm (stable) has the same packages as bookworm-security (stable-security). The second line is optional if you don't need the source packages. There are many other ways to do this. You may also opt to use a deb822 format sources.list, but that's an "expert option" which is omitted here. See the sources.list(5) man page. (3) You may also want to "pin" the APT repository, by adjusting the "priority". This way, you can avoid your linux-libre install being upgraded and overwritten by a binary package with the same name from Debian. To do this, create a new file (e.g. "linux-libre") under /etc/apt/preferences.d, with the content of these three lines: Package: src:linux-libre Pin: origin jing.rocks Pin-Priority: 950 Note that you can also specify the Package line with *, which means "all packages". You may also want to adjust the Pin-Priority according to your needs. See apt_preferences(5) for more. (4) Install packages. Run as root or with sudo, `apt update` then `apt install `, with these (meta-)package names for your choice (non-exhaustive list): linux-image-gnu-$flavour-$(DEB_BUILD_ARCH) linux-image-gnu-$flavour-$(DEB_BUILD_ARCH)-dbg linux-image-rt-gnu-$flavour-$(DEB_BUILD_ARCH) linux-image-rt-gnu-$flavour-$(DEB_BUILD_ARCH)-dbg linux-headers-gnu-$(DEB_BUILD_ARCH) linux-kbuild-$(upstream_version)-gnu linux-kbuild-$(upstream_version)-gnu-dbgsym linux-libre-doc linux-libre-source linux-libre-support bpftool linux-cpupower linux-libc-dev linux-perf ... The realtime kernel is a feature set; DEB_BUILD_ARCH is the architecture of your running system (written in Debian convention) like `amd64` or `riscv64`. You can check it with `dpkg --print-architecture`, or if you have dpkg-dev installed, `dpkg-architecture -qDEB_BUILD_ARCH`. Also note that immediately before $(DEB_BUILD_ARCH) and after `-gnu` in the package name, there may be "flavours" of kernels. amd64 and arm64 have "qemu" flavour. renamed from Debian's "cloud" flavour. arm64 also has another two flavours with 16K and 64K page size. Most people would simply install `linux-image-gnu-amd64`. 2. How to build from source It's very simple if you are already using a Debian or Debian-based system. But first, you must decide if you want to build from a clean chroot (recommended) or ad hoc. Building from a clean chroot has multiple benefits, such as isolation from your working system, so that your system doesn't have too many packages installed. This applies to building all deb packages, more or less. If you want to build from a clean chroot, you need to setup the chroot first: (1) Install dpkg-dev and sbuild, if not already installed. sbuild depends on schroot, which you can use to manage chroots. (2) Create a chroot as root or with sudo, e.g. sbuild-createchroot sid /srv/chroots/sid http://repo.jing.rocks/debian The last argument is a Debian mirror URL. It's optional, but can speed up things. This command will create a chroot for you using debootstrap, with a minimal amount of packages installed, no kernel, but with build-essential. Follow the instructions to finish the setup, like adding user to sbuild group. (3) If you don't need to make changes to the source code, you can simply run: apt source linux-libre sbuild -d sid linux-libre_6.8.12-1+gnu2.dsc This will download the linux-libre source and start the build in the schroot. You need to have `deb-src` line enabled in /etc/apt/sources.list to make `apt source` to work. When the build is finished, you will see a lot of deb and udeb files in the current directory. Next, I'm going to describe "the hard way". (1) Install git if not already installed. Clone and checkout the git repo. git clone git://git.jing.rocks/git/linux-libre.git cd linux-libre && git checkout gnu/sid You may also want to checkout a tag or another branch. The "main" branch is never used for releases. (2) If you want to build from a clean chroot, enter the chroot and install dependencies. Note that once you are in the chroot, you won't be able to access your home directory (/home), so you may consider changing the schroot config under `/etc/schroot/chroot.d/`. The last part can be `sid-amd64-sbuild-2pHNz`, for example. Then, change the line `profile=sbuild` to `profile=default`. If you enter the schroot to manually build packages, you are likely need to install sudo and an editor as well. `sbuild-apt sid-amd64-sbuild apt-get install sudo nano` can do that. schroot -c sid-amd64-sbuild sudo apt build-dep linux-libre `apt build-dep linux` or `apt build-dep .` (if the current directory is the cloned git repo) will also work. This command will install all the build-deps. (3) Make changes to the source code if you like. (4) From now on, the current working directory must be the root of the cloned git repo. Optionally, to verify upstream tarball's GPG signature, get Freedo's signing key. It needs to be placed outside the cloned git repo ("linux-libre" directory). # some env var you may need. export LC_ALL=C.UTF-8 # we don't support secure boot, so disable signed image for secure boot export DEBIAN_KERNEL_DISABLE_SIGNED=1 # if cross compile and not using dpkg-buildpackage: # export ARCH=arm64 # export CROSS_COMPILE=aarch64-linux-gnu- # export CC=aarch64-linux-gnu-gcc # export $(dpkg-architecture -a$ARCH) # export DEB_BUILD_PROFILES="cross nocheck" # other profiles to choose: pkg.linux.nokernel pkg.linux.nokerneldbg # pkg.linux.nometa pkg.linux.quick nopython nodoc pkg.linux.notools # Download an upstream vanilla (pristine) linux-libre source tarball # and repack the upstream source tarball debian/bin/librerepack.sh -r "https://repo.jing.rocks/linux-libre/releases/6.8.12-gnu/linux-libre-6.8.12-gnu.tar.xz" # Prepend "fakeroot" to every "make" command, if not building sid make -f debian/rules clean # This will generate debian/control files, among other files # Unpack the orig tarball and apply Debian patches make -f debian/rules orig source If all goes well, there are two ways of continuing the build: using debian/rules.gen or dpkg-buildpackage. # build the source package (not GPG-singed, so `-us -uc`) dpkg-buildpackge -S -uc -us # or, build everything: source and binary packages # dpkg-buildpackage -F -us -uc # or, only build the binary packages # dpkg-buildpackage -b -us -uc # or, cross compile to arm64, but don't build arch=all pcakages # dpkg-buildpackage -aarm64 -B -us -uc However, dpkg-buildpackage will build every feature set and flavours of your architecture. You can also use debian/rules.gen Makefile targets instead: export DEB_BUILD_OPTIONS="parallel=$(nproc)" make -f debian/rules.gen setup_amd64_none_amd64 # or other targets, e.g. setup_amd64_rt_amd64, setup_amd64_none_qemu-amd64, # setup_amd64_none_amd64_image setup_amd64_rt_amd64_headers make -f debian/rules.gen binary-arch_amd64_none_amd64 # or just the image: binary-arch_amd64_none_amd64_image 3. Why? There is an origin story. I'm making kernel binaries for my own use. I purchased a few ARM and RISC-V SBCs that have terrible support in mainline linux. To make these SBCs boot, I have to backport a few patches from v6.10-rc1 to v6.8.y, then forward-port some "vendor" patches ("vendor" means hardware seller here). Those "vendor kernels" often have nonfree bits smuggled in, besides the subpar quality of their kernel code. I decided to patch the kernel myself and make my own binaries. Then I think, hey, I'm making release anyway, might as well just release them to the public. Sharing is caring, the more the merrier, which is true in the realm of free software. On the other hand, I don't think the experimental (some untested) patches are suitable for the general public, so I will hold those for now, only make a clean, 100% free kernel release, one complies with GNU's GFSD and aims to follow Debian's packaging philosophy. Then this was born, using Debian's patches and build system, with minimal changes. The only "feature" I added was the arm64 16K and 64K page size kernel builds. The build system is based on Debian's linux package. Debian's linux package is in "3.0 (quilt)" format, which makes the switch from linux to linux-libre source tarball much easier than Trisquel's current packaging: using Ubuntu's source, run the deblob script, then make the source package with dpkg-source. And it's faster too, since there is no need to run the deblob script. The most important benefit is that the quilt format allows easier tracking of changes and audits. 4. Caveats (1) only very minimal testing is done, since this is derived from linux shipped by Debian. (2) slower release than Debian. My time is limited, and compiling takes long. (3) poor support anticipated, since my skills are severly limited. (4) cross compile support is limited. (5) no secure boot support. Secure boot is a jail anyway. 5. TODO (1) make an avatar/logo for the git repo on forgejo. (2) make a libre debian installer. (3) solve FTBFS: sid: ppc64, sh4, sparc64 (4) can we use the name freed-ebian? ----> No. (5) reproducibility problem. (6) udeb FTBFS: bookworm, bullseye, because rebranding changes package names. (7) cross compile does not work for bookworm, bullseye, or sid debian-ports. (8) rsync support. -- Jing Luo Wed, 19 Jun 2024 22:52:41 +0900