Saturday, December 10, 2011

Building a Debian/Ubuntu Package for DNSCrypt-proxy

Referring to X4's issue for Linux compiling, the following are instructions for building a Debian package.

Create a working directory. Then acquire the source by cloning the repository. Create a source tarball in the Debian package naming format.

    $ cd ~
    $ mkdir dnscryptworkdir
    $ cd dnscryptworkdir
    $ git clone https://github.com/opendns/dnscrypt-proxy
    $ mv dnscrypt-proxy dnscrypt-proxy-0.1
    $ tar cvfz dnscrypt-proxy_0.1.orig.tar.gz dnscrypt-proxy-0.1
    $ cd dnscrypt-proxy-0.1

Now it's time to lay the groundwork for the package. If you haven't built a package before, install the necessary packaging tools first.

    $ sudo apt-get install build-essential devscripts ubuntu-dev-tools debhelper dh-make diff patch cdbs quilt gnupg \
        fakeroot lintian pbuilder piuparts

Use DebHelper to lay the package framework. This will generate the debian/ directory and associated files. Go ahead and remove the default example files. The README.Debian file is also unnecessary.

    $ dh_make -f ../dnscrypt-proxy_0.1.orig.tar.gz -s -b
    $ cd debian
    $ rm *.ex *.EX
    $ rm README.Debian

Edit the control file with your favorite editor. It should look like this:

    Source: dnscrypt-proxy
    Section: misc
    Priority: optional
    Maintainer: pinowudi
    Build-Depends: cdbs, debhelper (>= 7), automake
    Standards-Version: 3.8.3
    Homepage: https://github.com/opendns/dnscrypt-proxy
   
    Package: dnscrypt-proxy
    Architecture: all
    Depends: ${shlibs:Depends}, ${misc:Depends}
    Description: A tool for securing communications between a client and a DNS resolver.
     DNSCrypt is a slight variation on DNSCurve.
     .
     DNSCurve improves the confidentiality and integrity of DNS requests using high-speed high-security elliptic-curve cryptography. Best of all, DNSCurve has very low overhead and adds virtually no latency to queries.
     .
     DNSCurve aims at securing the entire chain down to authoritative servers. However, it only works with authoritative servers that explicitly support the protocol. And unfortunately, DNSCurve hasn't received much adoption yet.
     .
     The DNSCrypt protocol is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver. While not providing end-to-end security, it protects the local network (which is often the weakest link in the chain) against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
     .
     The DNSCrypt daemon acts as a DNS proxy between a regular client, like a DNS cache or an operating system stub resolver, and a DNSCrypt-aware resolver, like OpenDNS.


Now edit the rules file. CDBS makes the autoconf-based build easy to implement, with one exception: because autoconf has not yet been run on the source, it must be run before the package build. This requires an extra 'autoreconf' as a preconfiguration action. The rules file should look like the following.

    #!/usr/bin/make -f
    include /usr/share/cdbs/1/class/autotools.mk
    include /usr/share/cdbs/1/rules/debhelper.mk
    include /usr/share/cdbs/1/class/makefile.mk
    # Add here any variable or target overrides you need.
    # Regenerate the autoconf files before CDBS configures the build.
    # The recipe line must begin with a tab character.
    makebuilddir/dnscrypt-proxy-0.1::
    	autoreconf --install

Update the changelog file using the dch tool. Mark the issue as change number zero.

    $ dch -e
    dnscrypt-proxy (0.1-1) unstable; urgency=low
   
      * Initial release (Closes: #0) 
   
     -- pinowudi   Sat, 10 Dec 2011 14:11:02 -0500

Edit the copyright file with the copyright information from the package.

    This work was packaged for Debian by:
   
        pinowudi on Sat, 10 Dec 2011 14:01:36 -0500
   
    It was downloaded from
   
    Upstream Author(s):
   
        Frank Denis
   
    Copyright:
   
        Copyright (c) 2011 OpenDNS, Inc.
   
    License:
       
       Permission to use, copy, modify, and distribute this software for any
       purpose with or without fee is hereby granted, provided that the above
       copyright notice and this permission notice appear in all copies.
     
       THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
       WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
       MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
       ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
       WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
       ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
       OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
    
   
       ====
   
       This license applies to all parts of dnscrypt-proxy that are not externally
       maintained libraries.
   
       The externally maintained libraries used by dnscrypt-proxy are:
   
      - NaCl (http://nacl.cr.yp.to/). Public domain.
   
      - libuv (https://github.com/joyent/libuv). MIT license.
        + libuv dependencies, see src/libuv/LICENSE.
   
      - alt_arc4random.c reuses code from OpenBSD. BSD license,
        see the alt_arc4random.c header.
   
    The Debian packaging is:
   
        Copyright (C) 2011 pinowudi
   
       Permission to use, copy, modify, and distribute this software for any
       purpose with or without fee is hereby granted, provided that the above
       copyright notice and this permission notice appear in all copies.
     
       THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
       WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
       MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
       ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
       WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
       ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
       OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


The source tree does not ship a generated configure script yet, so one extra step is necessary to get CDBS to handle the package. Return to the top of the source tree and run autoreconf to generate the autoconf files. Then execute the package build. The package should be produced in the parent directory of the current build directory.

    $ cd ..
    $ autoreconf --install
    $ debuild -us -uc
    $ ls ..
    dnscrypt-proxy-0.1  dnscrypt-proxy_0.1-1_all.deb  dnscrypt-proxy_0.1-1.diff.gz  dnscrypt-proxy_0.1-1.dsc  dnscrypt-proxy_0.1-1_i386.build  dnscrypt-proxy_0.1-1_i386.changes  dnscrypt-proxy_0.1.orig.tar.gz
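
Because `debuild -us -uc` skips signing the .dsc and .changes files, the only integrity record of this build is the checksum list inside the .changes file. The following is an added example, not part of the original post, that checks each artifact against that list before it is handed to `dpkg -i`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: check build artifacts against the Checksums-Sha256 field of a
# .changes file. `debuild -us -uc` leaves that file unsigned, so a match only
# proves the artifacts are the ones this build recorded.

# Print "sha256 size filename" for each entry of the Checksums-Sha256 field.
list_sha256_entries() {
    awk '/^Checksums-Sha256:/ { f = 1; next }
         f && /^ /            { print $1, $2, $3; next }
                              { f = 0 }' "$1"
}

# Return 0 only if every listed file exists beside the .changes file and
# matches both the recorded size and the recorded SHA-256.
verify_changes() {
    dir=$(dirname "$1")
    entries=$(list_sha256_entries "$1")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 entries" >&2; return 1; }
    status=0
    while read -r want size name; do
        case $name in
            ''|*/*) echo "REJECT   '$name'" >&2; status=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        have=$(wc -c < "$dir/$name" | tr -d ' ')
        if [ "$got" = "$want" ] && [ "$have" = "$size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; status=1
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Constructed sample: a stand-in .deb and a matching .changes in a temp dir.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed package bytes\n' > "$d/dnscrypt-proxy_0.1-1_all.deb"
    sum=$(sha256sum "$d/dnscrypt-proxy_0.1-1_all.deb" | cut -d' ' -f1)
    printf 'Source: dnscrypt-proxy\nChecksums-Sha256:\n %s 26 %s\nFiles:\n' \
        "$sum" dnscrypt-proxy_0.1-1_all.deb > "$d/sample.changes"
    echo "$d"
}
```

In the build tree above, it would be run from the source directory as `verify_changes ../dnscrypt-proxy_0.1-1_i386.changes`, which is most useful when the .deb is copied to another machine before installation.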

Now test the package installation.

    $ cd ..
    $ sudo dpkg -i dnscrypt-proxy_0.1-1_all.deb
    [sudo] password :
    Selecting previously deselected package dnscrypt-proxy.
    (Reading database ... 122394 files and directories currently installed.)
    Unpacking dnscrypt-proxy (from dnscrypt-proxy_0.1-1_all.deb) ...
    Setting up dnscrypt-proxy (0.1-1) ...
    Processing triggers for man-db ...
    $ whereis dnscrypt-proxy
    dnscrypt-proxy: /usr/sbin/dnscrypt-proxy /usr/share/man/man8/dnscrypt-proxy.8.gz
    $ dnscrypt-proxy -h
    dnscrypt-proxy 0.8
    Copyright (C) 2011 OpenDNS, Inc.
   
    Options:
   
      -a    --local-address=...
      -d    --daemonize
      -e    --edns-payload-size=...
      -h    --help
      -k    --provider-key=...
      -l    --logfile=...
      -n    --max-active-requests=...
      -p    --pidfile=...
      -r    --resolver-address=...
      -t    --tcp-port=...
      -u    --user=...
      -N    --provider-name=...
      -P    --local-port=...
      -V    --version
   
    Please consult the dnscrypt-proxy(8) man page for details.

Good to go!