Score:0

Ubuntu

Modify source code of packages, so that future security updates keep applying with included modifications when running 'apt update && apt upgrade'?

Daniel Krajnik

12/31/23, 6:29 PM

I take that Ubuntu honours the "freedom to modify software", but how should one go about modifying source code of Ubuntu packages without breaking the system? By breaking it I mean for example creating unresolvable dependencies or blocking future apt update updates, especially security updates.

Is there a way to save a "patch" of modifications and apply it to any future apt updates? I'd prefer to avoid "forking" a package completely.

Is it something that "apt pinning" is for? Or does Ubuntu's "stability model" (I'm not sure if that's the correct term) just not support user modifications? I'd be grateful for a hint if other distros handle it any differently (Arch/Gentoo).

1 + 2

package-management

apt

software-installation

ᅙᄉᅙ

12/31/23, 6:59 PM

I'm not aware of a feature like this in `apt`. I think something like Gentoo will be more suited to this usecase

Daniel Krajnik

1/1/24, 12:58 PM

@ՕլՁՅԿ thanks, if you knew about any other distro/package manager that makes this type of modifications any easier please let me know. I'm looking at Gentoo, but I can't find any way to apply patches when "emerging" its packages.

Score:4

Ubuntu

HuHa

12/31/23, 6:59 PM

How this works in general is that package maintainers of a distribution take the original sources from the official source (GitHub, SourceForge etc.; the upstream code) which usually come as a tarball (a compressed tar archive). And those remain as they are; pristine as it is called.

But typically some adaptations need to be made so everything works well together with the overall distribution. So the package maintainer unpacks those pristine sources into a working directory and changes the source as needed; and then uses the diff command to generate the change set, i.e. the few places that were really changed between the original and the now modified ("patched") version.

This change set is called a diff or a patch. For each package, there can be one of them, or multiple; typically they are organized by topic; i.e. one for paths that are different on the target distribution, another one to work around quirks of another program that is called by this software etc.; you get the idea.

That original tarball and the diffs / patches are then put into another archive (a source package), but kept separate enough so everything remains transparent.

When the package is now built, that means that first the original tarball is unpacked, then the first patch is applied (using the patch program), then the second etc.; and when that patching stage is complete, the compile process is really started (calling make and make install and whatever else is necessary).

That is done in all Linux distributions that I know; Ubuntu, Debian, SUSE, Red Hat, you name it. Probably it's the same for all, and probably also for BSD variants.

So, there are the source packages; and this is where you come in. Nothing prevents you from taking a source package and add another patch or two on top of it; and generate your own source package based on that.

The caveat is that now you'll have to rebuild the package yourself; and to make sure to add your patches to a new version of the source package whenever a new one is released, i.e. for every package update.

That can be done, but it's tedious. Chances are that you run out of motivation to do that all the time; depending on how often the package really changes.

One tool to ease the pain is the openSUSE Build System (OBS) that supports automating at least part of it. But you still have to take care of re-importing source packages and adding your own patches. It's available for free on the web, and it can build packages for various distributions, including not only openSUSE, but also Ubuntu, Debian and others.

So, if you have a change that is of general interest, you might want to approach the package maintainers of your distribution if they don't want to include your changes in their source package. Or you might contact the upstream authors (those who wrote the software originally) if they don't want to publish your changes for everyone.

If it's something very specific for your use case, that won't work, obviously. In that case, think about a different strategy.

+ 9

Daniel Krajnik

12/31/23, 7:22 PM

Thanks for an exhaustive explanation. This definitely addresses most of my concerns, but I still can't think of a way to add patches that can be easily reapplied when running "apt update && apt upgrade". I was looking at "suckless software", which requires you to modify source code to configure it, but it seems to me that it creates your own "fork" of the package as well and doesn't provide an "easy" mechanism to pull future security updates. I feel like there's something I'm missing though, I assumed that modifying source code will be more commonplace (more supported).

user535733

12/31/23, 9:46 PM

@DanielKrajnik You didn't get a straight answer to a real-world problem because you asked a hypothetical question. This answer is an excellent overview of packaging and versioning for the question that you asked.

Daniel Krajnik

12/31/23, 11:53 PM

Can't deny that this was very informative, but I'm still wondering if there is a way to automatically apply patches of changes of packages' source code when running "apt update && apt upgrade". Apologies for the vague question, but I'm not sure what to call this "mechanism" (although HuHa's answer helped a lot already).

HuHa

1/1/24, 12:32 AM

Basically you'll have to set up your own repository to get that one package from, and you'll have to do the whole process of getting the original sources and then applying your patch on top of it again and again; just like a package maintainer does when a new upstream version is released. You can bet that when you get that automated, that's the time when your patch doesn't cleanly apply anymore because something subtly changed in the upstream tarball or one of the maintainer patches. This is not something to rely blindly on; it needs constant monitoring and manual work.

Daniel Krajnik

1/1/24, 1:18 PM

@HuHa thanks again, that makes sense. I'm struggling for a day now to make a sensible reply, so here it goes: is it better to abandon the idea of patching distro's packages altogether and instead compile directly from upstream? I understand that by default "make install" will copy binaries to /usr/local, so it shouldn't conflict with apt dependencies? The problem of patching any future updates would be then handled by git, which I assume could alarm of any "merge conflicts"? I just never saw anyone do this, so I'm really uncertain if that's "correct".

Daniel Krajnik

1/1/24, 1:21 PM

PS I'm also worried that lack of an easy way to modify packages is intentional to encourage users to contribute updates upstream rather than keeping their own versions locally?

HuHa

1/1/24, 5:13 PM

You'll have to choose your poison. Depending on how heavily the package maintainers of the distro needed to patch the package, you could get by with simply using the clean upstream version and forget any distro-specific patches; or that might break integration into the distro massively. But what you probably do want is get all the security patches if there ever are any. It's a fine balance. And no, there is no malicious part of the distro to make you contribute directly; it's simply a very complex thing to do.

HuHa

1/1/24, 5:15 PM

Having said all that, it might be easier to help you if you told us what specific changes you want from what package.

Daniel Krajnik

1/2/24, 11:55 PM

@HuHa thanks again, I will look further into this and update with a concrete example. Meanwhile I've learnt that AUR packages for ArchLinux are usually built from source, so in case debian apt-src or apt-build method of building from source proved to be too complex I may resort to AUR (I hope not though).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Modify source code of packages, so that future security updates keep applying with included modifications when running 'apt update && apt upgrade'?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.