[Whonix-devel] #19409 [Circumvention/Snowflake]: Make a deb of snowflake and get into Debian

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 17 14:39:13 CET 2020

#19409: Make a deb of snowflake and get into Debian
 Reporter:  adrelanos                |          Owner:  cohosh
     Type:  enhancement              |         Status:  assigned
 Priority:  High                     |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Major                    |     Resolution:
 Keywords:                           |  Actual Points:
Parent ID:                           |         Points:
 Reviewer:                           |        Sponsor:

Comment (by anarcat):

 >  Maybe there's a way to package it with some of the dependencies (using
 go mod vendor)?

 That's certainly possible, but frowned upon in Debian. In general, we try
 to package libs separately to alleviate the maintenance burden on the
 release and security teams (as they may need to update those packages in
 the future). Golang is special, unfortunately, there are a number of
 issues with Debian packaging of golang that make that harder:


 ... nothing you need to worry about here, though: we should still pretend
 that golang is like everyone else and that we can't just vendor everything
 that way.

 > And then you will pull in all eighteen-or-whatever go lib debs when you
 install your snowflake deb.

 That, however, is not quite accurate: golang is still statically linked in
 Debian, just like everywhere else, because the upstream tooling for
 dynamic linking is non-existent (or at least non-existent enough that it
 just doesn't work - Ubuntu tried it and failed). So everything is, in
 fact, "vendored in", from a binary perspective.

 >  We can't be the only group in Debian considering packaging a go thing
 that pulls in a bunch of dependencies. We should figure out who in Debian
 is maintaining the go lib debs, and see what their plans are. Maybe there
 is already a critical mass somewhere of people who want to package and
 maintain go libs.

 The trick here is to open a bug report in the Debian BTS
 (https://bugs.debian.org/) for each package and each of its dependencies.
 That way duplicate efforts are avoided.

 There's a magic command called `dh-make-golang` which will build a
 skeleton debian package of your golang module, and will show which
 dependencies are missing. Then you run `dh-make-golang` on those,
 recursively, until you're done. Each of those invocations gives you an
 "ITP" (Intent To Package) email template that you then send to the BTS and
 use to update your progress. When you're done with a package, you find a
 sponsor (ie. a debian member, e.g. yes me or weasel, or talk to
 https://mentors.debian.net) to get your package into unstable, and you're
 basically done (until you need an update).

 >  One of the awesome things about a snowflake deb (i.e. a deb that lets
 people become snowflakes) would be that you just install the deb and it
 magically works from there -- no editing text files, no opening ports, no
 installing tor, etc. Basically all the features of having a Snowflake
 browser extension, but now also in the (headless) deb package world.

 ... that sometimes involves a lot of tricky debian packaging tricks. It is
 much easier to do this when upstream already provides tools to do that
 hard stuff ("edit text file", "open port" (?), "configure tor")...

 > Debian teams have a standardized package template and workflow. It is
 important to follow these, otherwise you will not receive maintenance work
 from the team. Custom packaging methods are just too time consuming to

 Ideally, yes, you get the golang team involved and the package is assigned
 to the team so it falls under their umbrella. This is particularly
 relevant for dependencies that might be used by other packages as well.
 However I'm not sure it's relevant for snowflake itself, because it's
 specific to us (tor).

 Let me know if you have any other questions: I have packaged a few golang
 libraries and one binary in Debian and learned some of the ropes, so I can
 help. (Hey, and look at that - I *am* part of the golang team, so you got
 a team member to ask right here. ;)


Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19409#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the Whonix-devel mailing list