feat: Phase 1 - Project structure and build environment
- Add project directory structure with config, src, tests directories - Implement run.sh host wrapper script for Docker-based workflow - Create Dockerfile for build/test environment with live-build - Add basic live-build configuration with preseed and package lists - Add .gitignore and .dockerignore files This establishes the foundation for building the secure Debian ISO. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
This commit is contained in:
73
plan/PreFlightDiscussion-03.md
Normal file
73
plan/PreFlightDiscussion-03.md
Normal file
@@ -0,0 +1,73 @@
|
||||
# Pre-Flight Discussion - Round 3
|
||||
|
||||
## Final Clarification Needed:
|
||||
|
||||
### Package Management Implementation Details
|
||||
- **Your Feedback**: Remove apt execution permissions, use chattr +i, concerned about core system packages
|
||||
- **Question**: How should we handle this in the live-build hooks?
|
||||
|
||||
**Implementation Options:**
|
||||
1. **In `config/hooks/live/`** - Modify the live system during build
|
||||
2. **In `config/hooks/installed/`** - Modify after installation but before reboot
|
||||
3. **Both** - Ensure comprehensive removal/disable
|
||||
|
||||
|
||||
**Specific Questions:**
|
||||
- Should we attempt to remove `apt` and `dpkg` entirely (if possible)?
|
||||
- Or just remove execute permissions and make immutable with `chattr +i`?
|
||||
- What about package management metadata in `/var/lib/apt/` and `/var/lib/dpkg/`?
|
||||
- Should we also remove package management tools like `aptitude`, `synaptic`, etc.?
|
||||
|
||||
Lets remove the permissions and make immutable after install before reboot.
|
||||
Yes remove synaptic aptitude etc (or better yet dont install them at all)
|
||||
|
||||
## All Other Items ✅ RESOLVED:
|
||||
|
||||
### Compliance Framework
|
||||
- ✅ CMMC Level 3
|
||||
- ✅ CIS Benchmark for Debian Linux + Debian STIG (last for Debian 11)
|
||||
- ✅ Adapt Debian 11 STIG for Debian 13
|
||||
|
||||
### QR Code Implementation
|
||||
- ✅ zbar for scanning (no generation needed)
|
||||
- ✅ Shell script for scan and config update
|
||||
- ✅ Standard WireGuard QR format
|
||||
|
||||
### Testing Strategy
|
||||
- ✅ Include test suite in ISO
|
||||
- ✅ Command line execution
|
||||
|
||||
### Package Management
|
||||
- ✅ Remove execute permissions
|
||||
- ✅ Use `chattr +i` for immutability
|
||||
- ? Need clarification on implementation approach
|
||||
|
||||
### Preseed Configuration
|
||||
- ✅ Timezone: US/Chicago
|
||||
- ✅ Keyboard: Standard US English
|
||||
- ✅ Password complexity in preseed
|
||||
|
||||
### Secure Boot
|
||||
- ✅ Include secure boot keys in ISO
|
||||
- ✅ UEFI only (no Legacy BIOS)
|
||||
- ✅ Measured boot
|
||||
|
||||
### Documentation
|
||||
- ✅ No user guides in ISO
|
||||
- ✅ No inline help for shortcuts
|
||||
- ✅ Technical documentation in repo only
|
||||
|
||||
---
|
||||
|
||||
### Package Management Implementation ✅ RESOLVED
|
||||
- ✅ Use `config/hooks/installed/` - modify after installation before reboot
|
||||
- ✅ Remove execute permissions from apt, dpkg, and package management tools
|
||||
- ✅ Make immutable with `chattr +i`
|
||||
- ✅ Don't install synaptic, aptitude, etc. in the first place
|
||||
- ✅ Handle package management metadata in `/var/lib/apt/` and `/var/lib/dpkg/`
|
||||
|
||||
---
|
||||
|
||||
**Status**: All items resolved - ready to update specification
|
||||
**Next Action**: Update football-spec.md with all decisions from pre-flight discussions
|
||||
**Ready for Implementation**: YES - all questions and concerns resolved
|
||||
Reference in New Issue
Block a user