Search Results: "Matthew Johnson"

17 September 2008

Chris Lamb: Debian Developer

A few days ago I was awarded official Debian Developer status. Many thanks to: For posterity, my first experience with the Debian development process was with #400550. Never underestimate the importance of giving credit in changelog entries.

16 July 2008

Chris Lamb: Nouveau nVidia drivers now available in Debian experimental

You can now try the “Nouveau” free software nVidia video drivers from Debian experimental. If you would like to try them: Editing your xorg.conf may be as simple as replacing nvidia or nv with nouveau; nouveau won’t be chosen automatically over nv yet. If your xorg.conf has collected a lot of cruft over the years, see this wiki page for some pointers on what you can remove. For the status of the drivers with your particular card, please see upstream’s compatibility matrix. My experience has been positive; I have been using them for about two months on my dual-head 8600GT (NV50) setup with only a few small issues and a generally superior Gnometris experience. Some notes: Many thanks to:

22 January 2008

Matthew Johnson: Packaging Java with Javatools

I have just uploaded javatools 0.5 to unstable and it is currently waiting in NEW. Anyone wishing to try it out earlier can find source and packages (it's arch: all) at http://www.srcf.ucam.org/~mjj29/javatools/ . Javatools replaces the existing jarwrapper package and also contains programs to help packagers in creating packages for Java programs and libraries.

Packaging tools

The javahelper package consists of several small programs which make packaging Java programs and libraries easier. They are generally designed to work in the same fashion as the debhelper programs, but start with the jh_ prefix. All of the programs have their command line arguments documented in manpages.

jh_build

Many Java programs and libraries are distributed without sane build systems. jh_build provides a simple interface for building Java source code into Jars, including setting the appropriate entries in the manifest. In almost all cases all that needs to be done to call jh_build is to set JAVA_HOME and CLASSPATH and then call jh_build with the name of the jar and the directory containing the source.
export JAVA_HOME=/usr/lib/jvm/java-gcj
export CLASSPATH=/usr/share/java/esd.jar:/usr/share/java/jsch.jar
jh_build weirdx.jar src
   
This command will compile all the Java files under src, set the classpath in the manifest and build it all into weirdx.jar. A couple of other options are worth mentioning. If this jar contains an application rather than a library then the -m or --main option can be used to set the Main-Class attribute in the manifest which will allow the resulting jar file to be executed. jh_build also provides a --clean parameter which should be called in the clean target of debian/rules.

jh_libs

For library packages Debian Java policy currently requires that the libraries be installed to /usr/share/java in a versioned format and with an unversioned symlink. jh_libs will take a jar and correctly install it. As with debhelper programs, this can either take a jar as a parameter, or read a list of jars from a file in the Debian directory. It also follows the -p, -i and -s semantics of debhelper for selecting which packages to install the jar to.

When operating on a package, jh_libs will read the list of library jars from debian/package.jlibs or debian/jlibs. The jlibs file is a list of jars to install, one per line, and works exactly the same as listing them on the command line. Each jar is installed to debian/package/usr/share/java/ in the appropriate versioned and unversioned forms.

jh_depends

jh_depends works like dpkg-shlibdeps, but for jar files. For each jar in the package it takes the jars on which it depends and finds the packages to which they belong. These are included in the debhelper substvars as ${java:Depends}. The control file can then just list that variable which is filled in automatically.

This is done by reading the Class-Path attribute from the manifest of each jar. Jar files should include this attribute to prevent applications which use them from needing a full recursive classpath in their startup scripts and to prevent unnecessary transitions when the library changes its dependencies. If the package is not built with jh_build and the upstream build system doesn't set it correctly then jh_manifest can be used to fix this.

If the application uses executable jars (see Runtime support below) then jh_depends will also add the appropriate depends on jarwrapper and the correct Java runtime.

jh_manifest

Many upstream build systems do not set the Class-Path attribute in the jars they create. This leads to several unwanted problems, such as expanding the classpath which applications have to use and introducing unnecessary transitions. They also may not set the Main-Class attribute. Both of these are required for running jars with the -jar parameter.

jh_manifest can fix the manifest files of jars. It can either read from a manifest file in the Debian directory or run in a mode which updates all the jars with the CLASSPATH environment variable. The manifest files can either be debian/package.manifest or debian/manifest. The format of this file is a list of jars and indented below each one a list of manifest elements to set:
usr/share/weirdx/weirdx.jar:
 Main-Class: com.jcraft.weirdx.WeirdX
 Debian-Java-Home: /usr/lib/jvm/java-gcj
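
jh_depends and jh_manifest both depend on the Class-Path attribute being right, and a wrong entry only shows up at run time. The following added example (not part of javatools or the original post) reads an attribute from an unpacked MANIFEST.MF, joining the 72-byte continuation lines, and lists Class-Path entries that do not exist on disk. The helper names and the sample manifest are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of javatools. manifest_attr and classpath_missing
# are hypothetical helper names.

# Print one main-section attribute of an unpacked MANIFEST.MF (for a real jar:
# unzip -p foo.jar META-INF/MANIFEST.MF). Lines are wrapped at 72 bytes and a
# line starting with a space continues the previous one, so join them first.
manifest_attr() {
    awk -v want="$2" '
        function emit() {
            if (tolower(name) == tolower(want)) { print val; hit = 1 }
        }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { exit }                      # blank line ends the main section
        /^ / { val = val substr($0, 2); next }
        {
            emit(); if (hit) exit
            i = index($0, ": ")
            name = substr($0, 1, i - 1); val = substr($0, i + 2)
        }
        END { if (!hit) emit(); exit (hit ? 0 : 1) }
    ' "$1"
}

# List Class-Path entries that do not exist on disk. Relative entries are
# resolved against $2, the directory the jar is installed in.
classpath_missing() {
    cp=$(manifest_attr "$1" Class-Path) || return 0   # no Class-Path at all
    for entry in $cp; do
        case $entry in
        /*) path=$entry ;;
        *)  path=$2/$entry ;;
        esac
        [ -e "$path" ] || printf '%s\n' "$entry"
    done
}

# Constructed sample: the weirdx classpath from the text, wrapped mid-name.
sample=$(mktemp)
printf '%s\n' 'Manifest-Version: 1.0' \
    'Class-Path: /usr/share/java/esd.jar /usr/share/java/js' \
    ' ch.jar' \
    'Main-Class: com.jcraft.weirdx.WeirdX' > "$sample"
manifest_attr "$sample" Class-Path   # the two jar paths, rejoined on one line
classpath_missing "$sample" /usr/share/java
rm -f "$sample"
```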
   
jh_exec

The Runtime support section below describes running executable jars directly. jh_exec will scan package directories for jars in the paths, or symlinks to jars from the paths, and ensure that they have been set executable if necessary.

jh_makepkg

jh_makepkg will create template Debian packages for Java programs and libraries similar to dh-make. It should be run in the source directory and it will create the orig.tar.gz and most of the files in the Debian directory, which need only small changes to build the package.

java-propose-classpath

Some upstreams have complicated classpaths which may not be obvious to the packager when using jh_manifest to set the Class-Path attribute. java-propose-classpath will unpack a jar and look at the symbols imported to the class files, then scan all the jars in /usr/share/java. This shouldn't be run in the build since it is slow, and there may be ambiguities that the packager must resolve. It is still very useful for the packager as most of the time it will get it right automatically.

Runtime support

Javatools also provides some runtime support. Unlike compiled programs, or purely interpreted programs with hash-bang lines, Java programs cannot be directly executed. Many upstreams expect them to be run using java -jar jarname or java classname. This is not generally acceptable in systems which expect to just be able to run the command or launch it from a menu. As a result, many packagers are writing wrapper scripts which just call java with the correct classpath, jar and main class.

jarwrapper

There is an alternative to wrapper scripts, however. The binfmt_misc kernel module allows the kernel to call out to a program in userspace to execute specific types of file. jarwrapper registers itself as a handler for executable jars. This is done by reading values from the manifest file. In order for executable jars to work the following attributes must or may be defined in the manifest.

These attributes can be set using jh_build and jh_manifest.

Putting it together

This section shows the debian packaging generated by jh_makepkg for an application and a library using jh_build.

Sample Library Packaging

debian/control
Source: jsch
Section: libs
Priority: optional
Maintainer: Matthew Johnson 
Build-Depends: debhelper (>= 5), javahelper, java-gcj-compat-dev, libzlib-java
Standards-Version: 3.7.3
Homepage: http://www.jcraft.com/jsch/

Package: libjsch-java
Architecture: all
Depends: ${java:Depends}, ${misc:Depends}
Description: Java secure channel
 JSch is a pure Java implementation of SSH2. JSch allows you to
 connect to an sshd server and use port forwarding, X11 forwarding,
 file transfer, etc., and you can integrate its functionality
 into your own Java programs. JSch is licensed under a BSD style
 license.
   
debian/rules
#!/usr/bin/make -f
export JAVA_HOME=/usr/lib/jvm/java-gcj
export CLASSPATH=/usr/share/java/zlib.jar
build: build-stamp
build-stamp:
	dh_testdir
	jh_build jsch.jar src
	touch $@
clean:
	dh_testdir
	dh_testroot
	jh_build --clean
	dh_clean
	rm -f build-stamp jsch.jar
install: build
	dh_testdir
	dh_testroot
	dh_clean -k
	dh_installdirs
binary-arch: build install
	# Java packages are arch: all, nothing to do here
binary-indep: build install
	# Create the package here
	dh_testdir
	dh_testroot
	dh_clean -k
	dh_install -i
	dh_installdocs -i
	dh_installchangelogs -i
	dh_javadoc -i --sourcedir=src 
	jh_libs -i
	jh_depends -i
	dh_compress -i
	dh_fixperms -i
	dh_installdeb -i
	dh_gencontrol -i
	dh_md5sums -i
	dh_builddeb -i
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
   
debian/libjsch-java.jlibs
jsch.jar
   
Sample Application Packaging

debian/control
Source: salliere
Section: misc
Priority: optional
Maintainer: Matthew Johnson 
Build-Depends: debhelper (>= 5), java-gcj-compat-dev, fastjar, 
               libmatthew-debug-java, libcsv-java,
               libitext-java, javahelper
Standards-Version: 3.7.3

Package: salliere
Architecture: all
Depends: ${java:Depends}, ${misc:Depends}
Description: Short Description
 Long Description
   
debian/rules
#!/usr/bin/make -f
export JAVA_HOME=/usr/lib/jvm/java-gcj
export CLASSPATH=/usr/share/java/csv.jar:/usr/share/java/debug-disable.jar:/usr/share/java/itext.jar
build: build-stamp
build-stamp:
	dh_testdir
	# Build the package
	jh_build salliere.jar src
	touch $@
clean:
	dh_testdir
	dh_testroot
	jh_build --clean
	dh_clean
	rm -f build-stamp salliere.jar
install: build
	dh_testdir
	dh_testroot
	dh_clean -k
	dh_installdirs
binary-arch: build install
	# Java packages are arch: all, nothing to do here
binary-indep: build install
	# Create the package here
	dh_testdir
	dh_testroot
	dh_clean -k
	dh_install -i
	dh_installdocs -i
	dh_installchangelogs -i
	jh_manifest -i
	dh_link -i
	jh_exec -i
	jh_depends -i
	dh_compress -i
	dh_fixperms -i
	dh_installdeb -i
	dh_gencontrol -i
	dh_md5sums -i
	dh_builddeb -i
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
   
debian/salliere.install
salliere.jar usr/share/salliere
   
debian/salliere.links
usr/share/salliere/salliere.jar usr/bin
   

2 December 2007

Matthew Johnson: Passwordless Encrypted Root in Debian

If, like me, you wanted both an encrypted root filesystem and some form of bootsplash you may have discovered that this is tricky. You need to enter the decryption passphrase on the terminal which means exiting the bootsplash. I decided it must be possible to use a USB token with the key on it rather than a passphrase to decrypt the drive and while this seems supported upstream, it is not supported out of the box on Debian. This is a short howto explaining my solution.

Pre-requisites

You will need a USB hard disk and a computer using Debian with an encrypted root filesystem. I am assuming that you are using a stock kernel with an initramfs image and have a luks encrypted LVM containing the root filesystem. You will have to change some of the details below to match your specific system. In the examples below /dev/hda5 is the encrypted partition and /dev/sda2 is the partition on the USB disk holding the key.

Setting up the key

First we need to generate a random key and put it on the disk. To save having to mount things in the initramfs, I chose to use a partition at the end of the USB flash disk. This means repartitioning and reformatting your USB disk. I recommend allocating the last cylinder in fdisk to primary partition 2. Once you have the second, small partition (you are only going to use 1k, so as small a partition as possible) you can put a key on it. This is as simple as dd if=/dev/urandom of=/dev/sda2 bs=1M .

Adding the key to the luks partition

Next, you need to add your new key as one that can decrypt the partition. Luks allows several keys to be able to unlock the partition. The real key is decrypted under each of the user keys or passphrases and stored in a 'key slot' in the partition. To add your key type:
touch /tmp/keyfile
chmod 600 /tmp/keyfile 
dd if=/dev/sda2 bs=1k count=1 of=/tmp/keyfile
cryptsetup luksAddKey /dev/hda5 /tmp/keyfile
wipe /tmp/keyfile
Note the careful handling of the temporary key file (luksAddKey won't read from stdin, whereas luksOpen will). I recommend storing it on a ramdisk and you should certainly use wipe rather than rm if you don't. Once you have added your USB key you could remove the passphrase from the key list with luksDelKey, but if for any reason you lose the USB hdd you will be unable to decrypt the partition; I recommend leaving both keys available.

Booting automatically

In order to boot using the USB key we need to provide a couple of helper scripts in order for the initramfs to work. We also need to set some parameters on the kernel command line. In Debian these scripts can be added to the initramfs by putting them in /etc/initramfs-tools/.

The first script is a helper script used when building the initramfs. This writes a second script into the initramfs itself which takes the partition as a parameter and prints the key on stdout. This should be written to /etc/initramfs-tools/hooks/cryptkey (executable) and contain:
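#!/bin/sh --
PREREQ=""
prereqs()
{
   echo "$PREREQ"
}
case $1 in
prereqs)
   prereqs
   exit 0
   ;;
esac
. /usr/share/initramfs-tools/hook-functions
# The here-document body is not present on this page; the lines below are
# reconstructed from the description in the text: take the key partition
# as $1 and print its first 1k (the part given to luksAddKey) on stdout.
cat > "${DESTDIR}/bin/loadkey" <<'EOF'
#!/bin/sh
dd if="$1" bs=1k count=1 2>/dev/null
EOF
chmod 755 "${DESTDIR}/bin/loadkey"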
The second script runs immediately before the cryptsetup script in the initramfs and ensures that the USB disk is available. This will cause the boot sequence to block until the USB disk is inserted and the device nodes created by udev. It can be provided directly in /etc/initramfs-tools/scripts/local-top/00ensureusb (executable) and should contain:
#!/bin/sh --
PREREQ=""
prereqs()
{
   echo "$PREREQ"
}
case $1 in
   prereqs)
      prereqs
      exit 0
   ;;
esac
# Nothing to do unless cryptopts was given on the kernel command line
if ! grep cryptopts /proc/cmdline >/dev/null; then exit 0; fi
. /scripts/functions
log_begin_msg "Waiting for USB to become available..."
modprobe usbcore
modprobe uhci_hcd
modprobe ehci_hcd
modprobe usb_storage
while [ ! -b /dev/sda2 ]; do
   sleep 1
done
log_end_msg
exit 0
The cryptsetup script itself reads configuration from the kernel command line. Here you can give it a script which will read the key and the source for the key to read. Edit your grub or lilo config and append the following to the kernel command line:

cryptopts=keyscript=/bin/loadkey,key=/dev/sda2,source=/dev/hda5,target=hda5_crypt,lvm=hecate-root

You will obviously have to change the name of your lvm root partition (volumegroup-logicalvolume). I recommend having two entries in the boot menu, one with the cryptopts and one without to allow easy decryption using the passphrase instead.

Conclusion

That should be everything. Boot your computer and insert the USB hdd. When the boot process passes decryption you can remove it again. You may have to replug it if you boot with it inserted to start with.
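
A pre-reboot sanity check for the setup above, as an added example that is not part of the original post: it pulls the fields out of a cryptopts= kernel argument and confirms that the region a loadkey-style keyscript would read is a full 1k and not all zero bytes. The function names and the sample command line around the cryptopts string are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print one field (key, source, keyscript, ...) of the cryptopts= argument
# found in a kernel command line string; exit status 1 if it is absent.
cryptopt_get() (
    set -f                            # no globbing while word-splitting
    for arg in $1; do
        case $arg in
        cryptopts=*)
            IFS=,
            for kv in ${arg#cryptopts=}; do
                case $kv in
                "$2"=*) printf '%s\n' "${kv#*=}"; exit 0 ;;
                esac
            done ;;
        esac
    done
    exit 1
)

# All fields the howto relies on must be present before rebooting.
cryptopts_complete() {
    for f in keyscript key source target; do
        cryptopt_get "$1" "$f" >/dev/null || return 1
    done
}

# Read the key region the way a loadkey-style keyscript would (first 1k)
# and require a full 1024 bytes that are not all zero, i.e. the partition
# really was filled from /dev/urandom.
key_region_ok() {
    [ -r "$1" ] || return 1
    len=$(( $(dd if="$1" bs=1k count=1 2>/dev/null | wc -c) ))
    [ "$len" -eq 1024 ] || return 1
    nonzero=$(( $(dd if="$1" bs=1k count=1 2>/dev/null | tr -d '\000' | wc -c) ))
    [ "$nonzero" -gt 0 ]
}

# Constructed sample: the cryptopts string from the text inside an otherwise
# made-up command line. On a real system pass "$(cat /proc/cmdline)" instead.
SAMPLE_CMDLINE='root=/dev/mapper/hecate-root ro cryptopts=keyscript=/bin/loadkey,key=/dev/sda2,source=/dev/hda5,target=hda5_crypt,lvm=hecate-root quiet'

if cryptopts_complete "$SAMPLE_CMDLINE"; then
    echo "key device: $(cryptopt_get "$SAMPLE_CMDLINE" key)"
fi
```

Run key_region_ok as root against the device named in the key= field, and keep the passphrase boot entry until both checks pass.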