When running fetch from a fresh clone I get the following error

+ repo init -u /home/build/manifests -m base.xml
gpg: keybox '/home/build/.repoconfig/gnupg/pubring.kbx' created
gpg: /home/build/.repoconfig/gnupg/trustdb.gpg: trustdb created
gpg: key 16530D5E920F5C65: public key "Repo Maintainer <[email protected]>" imported
gpg: key 67B7E448692B382C: public key "Conley Owens <[email protected]>" imported
gpg: Total number processed: 2
gpg:               imported: 2

Traceback (most recent call last):
  File "/usr/bin/repo", line 886, in <module>
    main(sys.argv[1:])
  File "/usr/bin/repo", line 854, in main
    _Init(args, gitc_init=(cmd == 'gitc-init'))
  File "/usr/bin/repo", line 348, in _Init
    _Clone(url, dst, opt.quiet, not opt.no_clone_bundle)
  File "/usr/bin/repo", line 616, in _Clone
    if clone_bundle and _DownloadBundle(url, local, quiet):
  File "/usr/bin/repo", line 550, in _DownloadBundle
    dest = open(os.path.join(local, '.git', 'clone.bundle'), 'w+b')
IOError: [Errno 2] No such file or directory: '/home/build/base/.repo/repo/.git/clone.bundle'
Makefile:36: recipe for target 'fetch' failed
make: *** [fetch] Error 1

running rm -r build/base/.repo and running make fetch again fixes the issue. Not sure why it's having a problem right after it creates the directory.

Are these the right steps for custom OTA server

Thank you!

Right now our Tested column is a simple boolean and doesn't really mark any real issues with certain builds.

We should move this to be a more fine grained table of core functionality that should be tested on every OTA and build we do.

Currently the updater app will poll os.hashbang.sh for the latest release. If a release is found it will download it. The updater app should have the added functionality to check for m of n signatures on a release prior to downloading and applying the OTA

Google Factory images contain:

• abl.img
• aop.img
• boot.img
• bootloader-crosshatch-b1c1-0.1-4948814.img
• cmnlib64.img
• cmnlib.img
• devcfg.img
• dtbo.img
• hyp.img
• keymaster.img
• modem.img
• product.img
• qupfw.img
• radio-crosshatch-g845-00023-180815-b-4956438.img
• system.img
• system_other.img
• tz.img
• vbmeta.img
• vendor.img
• xbl_config.img
• xbl.img

Many of these are currently unidentified. Some of them that are generated by the build system are not copied to factory images by device/common/generate-factory-images-common.sh

In particular boot.img and radio.img are currently not in paths the script detects and don't make it into the build.

When building Blueline on d0cec21, it appears that there is an image needed by the kernel that is missing due to a make rule missing.

build/make/core/Makefile:28: warning: overriding commands for target `out/target/product/blueline/vendor/lib64/soundfx/libvolumelistener.so'
build/make/core/base_rules.mk:412: warning: ignoring old commands for target `out/target/product/blueline/vendor/lib64/soundfx/libvolumelistener.so'
build/make/core/Makefile:28: warning: overriding commands for target `out/target/product/blueline/vendor/lib64/[email protected]'
build/make/core/base_rules.mk:412: warning: ignoring old commands for target `out/target/product/blueline/vendor/lib64/[email protected]'
build/make/core/Makefile:28: warning: overriding commands for target `out/target/product/blueline/vendor/lib64/[email protected]'
build/make/core/base_rules.mk:412: warning: ignoring old commands for target `out/target/product/blueline/vendor/lib64/[email protected]'
[ 99% 1159/1160] glob tools/tradefederation/core/atest/**/*.py
ninja: error: 'device/google/crosshatch-kernel/Image.lz4-dtb', needed by 'out/target/product/blueline/kernel', missing and no known rule to make it
11:47:57 ninja failed with: exit status 1
make: *** [Makefile:43: build] Error 1

I looked into Seedvault. They provide prebuilds that can be included into the Android source tree. The prebuilds are generated in some cloud CI build pipeline. Regardless of that, we don’t want prebuilds so I checked how to build from source and it seems it worked (at least a app/build/outputs/apk/release/app-release-unsigned.apk fell out). I build it in a buster container with openjdk 11 as the build failed with the jdk in ubuntu:cosmic.

I will test this in my next Android build in a few days and report back and automate the build and inclusion. I just want to track it here for coordination. I am not yet sure what build environment to use. I would suggest we include another Docker image Debian buster (to which we want to switch to anyway, ref: hashbang/aosp-build#4).

It looks like we only have an /etc/gitconfig.

Repo will not honor that and ask interactively for you to fill out the correct information. To bypass this there should be a $HOME/.gitconfig. Repo will honor that

Our docs are already starting to blow up a bit and I think it might make more sense to move the large bulk of these documents into a wiki. This will allow us to provide more fine grained linking and a TOC.

I think it is desirable to cache source code downloads and not delete them by running make clean. In all other projects I know, running make clean only removes the output files. Why remove base/.repo? Maybe it makes sense to have this configurable?

I am starting to update the docs and adding my workflow. @lrvick you call the project #!os which is a creative name that all Unix people will understand.

One issue I thought exists is that #!os is tricky to search. I have some background with Elasticsearch and by default, you will have a hard time to search for #!os in a text field. I just tried it with Google and duckduckgo.com. Google actually found this GitHub repo with "!#os but not consistently depending on the personalized search.

I think when we stick to some norm, the project will be easier for people to approach. In the AOSP based hardening community, the space before "OS" is often omitted (1) so "HashbangOS" would be the natural option. !#os can still be used as an internal code name. Also the Wallpaper is still nice https://github.com/hashbang/os/blob/master/branding/wallpaper.png with references to the code name.

@lrvick What do you think?

See: https://source.android.com/setup/build/downloading

Sorry for this question

I am aware of robotnix at least since 2020-11-05 (git reflog of my local checkout). Back then I decided to stick with stuff I know, namely Bash, Python and docker, so I ended up with HashbangMobile.

As I was preparing to get this project up-to-date again, I took a more serious look at https://github.com/danielfullmer/robotnix. I dedicated the past weeks to learn Nix and I am fascinated by it. I feel robotnix has more potential than HashbangMobile. Especially when I look at the goals of HashbangMobile, Nix and robotnix provide a far better foundation than our ways with Docker. All I did was basically trying to rebuild Nix with stuff like http://snapshot.debian.org/ and it did not work as well as Nix does.

I deeply dislike redundant work so my goal is to fully understand robotnix, get it up-to-date and integrate stuff from HashbangMobile into robotnix. Unfortunately as I read robotnix I noticed that this will take me realistically a few months (I do this in my spare time). I cannot commit that much time right now so I delay getting robotnix up-and-running until I can block that much time.

Cc: @danielfullmer, @lrvick

When attempting to make a call using the system phone app, no audio is pass through in either direction. When receiving a call, depending on the device (Physical Device or Google Voice) the caller may never get connected.

Speaker and Microphone work outside of Phone app

The first clean build of chromium seems to always fail. If you do a second clean build it doesn't.

when running make DEVICE=taimen keys
I get the output

mkdir -p build
Unable to find image 'hashbang-os:latest' locally
docker: Error response from daemon: pull access denied for hashbang-os, repository does not exist or may require 'docker login'.
See 'docker run --help'.
Makefile:36: recipe for target 'fetch' failed
make: *** [fetch] Error 125

The makefile is trying to pull the image hashbang-os instead of hashbang/os

I would propose to have a common repository containing additional patches which can be included into a #!os build. https://github.com/RattlesnakeOS/community_patches seems like a good place. git submodule uses SHA1 commit hash references under the hood so when we include community_patches as ./patches/additional/ for example, it is still pinned. Then the patches could be enabled in config.yml individually. config.yml could then be published alongside to allow reproducibility and verification.

./patches/additional/ would contain additional hardening patches but which are optional (not required) for building AOSP.

00004-increase-default-maximum-password-length.patch should be enabled by default. I am not sure about the other once by default.

Also, I would propose to move ./patches/platform/add-backup.patch into community_patches because I find this very helpful and others could profit from this as well.

Maybe it would be easier to fork https://github.com/RattlesnakeOS/community_patches to https://github.com/hashbang/os-additional-patches and use that so that you have control over it. This would make handling easier. https://github.com/RattlesnakeOS/community_patches could still pull from it then.

Orbot should be a system package as we advocate for privacy and security.

We can also kill 2 birds with one stone and ensure that on the first download of the repositories is already through Tor.

Just to let you know, I will started on Android building/(development) with the intent to get Android 11 supported. A bit late I know but I had to get my build machine up and running. My philosophy on basing on https://grapheneos.org/ is that I would like to understand all patches I apply to AOSP, so I guess I will only take a small set of patches from GrapheneOS for now.

I guess it makes most sense for me to update #40 to Android 11 and then get this PR eventually ready to be merged.

Depends on: hashbang/aosp-build#26

Edit: Android 12 is supported.

First of all think you so much for this robust looking local build system! I come from building Copperhead OS and later Rattlesnake OS on my private infrastructure. With Rattlesnake OS it was really messy because it was basically manual. I reviewed your scripts. Not in depth yet but so far I could not find any flaws.

To the question. When I tried to sideload the Hashbang OS ota update, I got:

E:Update package is older than the current build, expected a build newer than timestamp 1547037537 but package has timestamp 1543792453 and downgrade not allowed.

Apparently the datetime in https://github.com/hashbang/os/blob/master/config.yml#L5 seems static. Is this how it is supposed to be? Does the Hashbang OS recovery not have downgrade protection?

Also, currently my build failed to boot, do you know if someone tested this upgrade path Rattlesnake OS -> Hashbang OS on a Google Pixel (sailfish)?

I am interested in using https://github.com/hashbang/aosp-build to build GrapheneOS. I think this makes a great base to work on HashbangOS specific goals. This means that https://github.com/hashbang/aosp-build could be used to automate and help audit (using reproducible builds and possibly additional helpers) the solid work that GrapheneOS devs are doing.

Current status: WIP. Using hashbang/aosp-build#31 I successfully built GrapheneOS and tested on the Pixel 3a.

Closes: #41

Edit: @sempervictus do you already have build scripts ready? If not, here are some. Ref: GrapheneOS/os-issue-tracker#408

When running

make DEVICE=xxxx config manifest followed by make DEVICE=xxx clear build release

The repo folder in base does not properly get cleaned up and the build fails

Trying to build image for Pixel XL per instructions in Readme.md files. First attempt to build ended with the first error. Second attempt ended up with with the second error. The second error seems related to possibly signing error but I am pretty sure I entered the right password when prompted. Any thing else I should try?

Commands Issued
make DEVICE=sailfish keys
make DEVICE=sailfish clean build release

First Error
ERROR at //third_party/libaom/options.gni:5:24: Undefined identifier enable_av1_decoder = checkout_libaom && !is_android && !is_ios && ^-------------- See //media/filters/BUILD.gn:7:1: whence it was imported. import("//third_party/libaom/options.gni") ^---------------------------------------- See //media/media_options.gni:22:3: which caused the file to be included. "//media/filters", ^---------------- Makefile:49: recipe for target 'build' failed make: *** [build] Error 1

Second Error
ERROR: signapk.jar failed: return code 1 Makefile:80: recipe for target 'release' failed make: *** [release] Error 1

I created/maintain a CVE patcher program and repository of Linux CVE patches.
It is primarily for use with my project DivestOS.
However it can with little changes be used with any similar projects.

I emailed this to @lrvick back in April to no response.

This is more to start a discussion about possible implementation.
Questions/Feedback welcome.

Links:

• Program (GPLv3): https://github.com/Divested-Mobile/cve_checker
• Patches (GPLv2): https://github.com/Divested-Mobile/kernel_patches
• Patch List (GPLv2): https://raw.githubusercontent.com/Divested-Mobile/kernel_patches/master/Kernel_CVE_Patch_List.txt
• Known Patch Incompatibilities (GPLv3): https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Fix_CVE_Patchers.sh

Examples:

• https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-14.1/CVE_Patchers
• https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-15.1/CVE_Patchers
• https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-16.0/CVE_Patchers
• https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-17.1/CVE_Patchers

Other Discussions:

• https://gitlab.com/calyxos/calyxos/-/issues/205
• https://gitlab.com/postmarketOS/pmbootstrap/-/issues/1746
• ubports/ubuntu-touch#1566

See:

• https://twitter.com/DanielMicay/status/1066495737716822016
• https://gist.github.com/thestinger/72ddd8ceaca1811d995667f104d86e9e

mkdir tmp
cd tmp
git clone https://github.com/hashbang/os.git
cd os
make DEVICE=crosshatch
Makefile:74: warning: overriding recipe for target 'clean'
Makefile:66: warning: ignoring old recipe for target 'clean'
Sending build context to Docker daemon 351.2kB
Step 1/11 : FROM ubuntu:bionic
---> 93fd78260bd1
Step 2/11 : MAINTAINER Hashbang Team [email protected]
---> Using cache
---> 7e974edc4d0e
Step 3/11 : ENV HOME=/home/build
---> Using cache
---> ced8215a73f6
Step 4/11 : ENV PATH=/home/build/out/host/linux-x86/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
---> Using cache
---> a9c481f0c72d
Step 5/11 : ARG DEBIAN_FRONTEND=noninteractive
---> Using cache
---> 52ed31037040
Step 6/11 : RUN useradd -G plugdev,sudo -ms /bin/bash build && apt-get update && apt-get install -y repo aapt sudo openjdk-8-jdk android-tools-adb bc bsdmainutils cgpt bison build-essential curl flex git g++-multilib gcc-multilib gnupg gperf imagemagick lib32ncurses5-dev lib32readline-dev lib32z1-dev liblz4-tool libncurses5-dev libsdl1.2-dev libssl-dev libwxgtk3.0-dev libxml2 libxml2-utils lzop pngcrush python3 python3-git rsync schedtool squashfs-tools xsltproc yasm zip zlib1g-dev wget && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
---> Using cache
---> f1a2abf53529
Step 7/11 : USER build
---> Using cache
---> 3e7dafffe81e
Step 8/11 : WORKDIR /home/build
---> Using cache
---> 27ad991d408d
Step 9/11 : ADD scripts/ /usr/local/bin/
---> 968fb1474159
Step 10/11 : ADD ./ /opt/android/
---> 32bcfb8534ab
Step 11/11 : CMD [ "/bin/bash", "/usr/local/bin/build.sh" ]
---> Running in e3c020c6f291
Removing intermediate container e3c020c6f291
---> 14ba658bfadf
Successfully built 14ba658bfadf
Successfully tagged hashbang/os:latest
standard_init_linux.go:190: exec user process caused "permission denied"
make: *** [Makefile:11: build] Error 1

Are there assumptions being made about the host OS's directory structure? (Anything special about /home/build?)

Is this a dead project?

Building for blueline. Cloned the repo and issued:
make DEVICE=blueline keys
make DEVICE=blueline clean build release.

It fails with

Applying patch: /opt/android/patches/platform/add-fdroid.patch
patching file build/make/target/product/core.mk
Hunk #1 succeeded at 39 (offset 2 lines).
patching file packages/apps/F-Droid/Android.mk
Hunk #1 FAILED at 10.
1 out of 1 hunk FAILED -- saving rejects to file packages/apps/F-Droid/Android.mk.rej
patching file packages/apps/F-Droid/app/local.properties
patching file packages/apps/F-Droid/local.properties
Makefile:49: recipe for target 'build' failed
make: *** [build] Error 1

F-Droid's Android.mk is not as the patch expects it to be.
edit: add output

build@android:~$ cat base/packages/apps/F-Droid/Android.mk.rej
--- packages/apps/F-Droid/Android.mk
+++ packages/apps/F-Droid/Android.mk
@@ -10,13 +10,13 @@ fdroid_root  := $(LOCAL_PATH)
 fdroid_dir   := app
 fdroid_out   := $(PWD)/$(OUT_DIR)/target/common/obj/APPS/$(LOCAL_MODULE)_intermediates
 fdroid_build := $(fdroid_root)/$(fdroid_dir)/build
-fdroid_apk   := build/outputs/apk/$(fdroid_dir)-release-unsigned.apk
+fdroid_apk   := build/outputs/apk/full/release/app-full-release-unsigned.apk

 $(fdroid_root)/$(fdroid_dir)/$(fdroid_apk):
        rm -Rf $(fdroid_build)
        mkdir -p $(fdroid_out)
        ln -sf $(fdroid_out) $(fdroid_build)
-       cd $(fdroid_root)/$(fdroid_dir) && gradle assembleRelease
+       cd $(fdroid_root)/$(fdroid_dir) && ../gradlew assembleRelease

 LOCAL_CERTIFICATE := platform
 LOCAL_SRC_FILES := $(fdroid_dir)/$(fdroid_apk)

Android.mk looks like:

build@android:~$ cat base/packages/apps/F-Droid/Android.mk
LOCAL_PATH:= $(call my-dir)

include $(CLEAR_VARS)

LOCAL_MODULE := F-Droid
LOCAL_MODULE_TAGS := optional
LOCAL_PACKAGE_NAME := F-Droid

fdroid_root  := $(LOCAL_PATH)
fdroid_dir   := app
fdroid_out   := $(PWD)/$(OUT_DIR)/target/common/obj/APPS/$(LOCAL_MODULE)_intermediates
fdroid_build := $(fdroid_root)/$(fdroid_dir)/build
fdroid_apk   := build/outputs/apk/full/release/$(fdroid_dir)-full-release-unsigned.apk

$(fdroid_root)/$(fdroid_dir)/$(fdroid_apk):
        rm -Rf $(fdroid_build)
        mkdir -p $(fdroid_out)
        ln -sf $(fdroid_out) $(fdroid_build)
        cd $(fdroid_root)/$(fdroid_dir) && gradle assembleRelease

LOCAL_CERTIFICATE := platform
LOCAL_SRC_FILES := $(fdroid_dir)/$(fdroid_apk)
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)

include $(BUILD_PREBUILT)

Hi,

I need to customize this Android ROM so it can have a specific requirement before installation !

As an example, when someone Flash the Android ROM into the phone, he will be asked to enter a password and to confirm it, then 10 PIN will be given for him and be written into a paper so if someday he forgot the password, he can recover it by using this PINs just like Google do it for Gmail.

And all this will occure while configuring the new installed ROM (When you enter an email for Google Play, and set Timezone etc.).

And the password can be stored so it can't be stolen by hacker ?

Is this possible please ? If yes, can you purpose me a path to follow in order to achieve this ? Of course I don't ask to make it etc. Just to give me a similar things already done in the past by someone else etc.

Big thanks in advance for your help !

Hi, in the README it states that you include "Minor OS changes made to allow backing up any app" for Seedvault but I wasn't able to find the patch(es) for it. Could you give me a pointer?

When signing target_files for blueline, I get the following warning :
build/make/tools/releasetools/common.py:1200: UserWarning: Duplicate name: 'IMAGES/product.img'

And there is actually multiple entries for IMAGES/product.img in the zip.

Then i get this from avbtool :
Verifying image vbmeta.img using key at /home/jeremy/Android/keys/avb.pem
vbmeta: Successfully verified SHA256_RSA2048 vbmeta struct in vbmeta.img
system: Successfully verified chain partition descriptor matches expected data
vendor: Successfully verified sha1 hashtree of vendor.img for image of 792514560 bytes
hashtree of product.img does not match descriptor
/home/jeremy/Android/aosp/external/avb/avbtool: Error verifying descriptor.

Obviously avb is refusing to boot.
If I unzip the signed target files to remove duplicate product.img, it kinda pass avb verification but bootloops on the android splashscreen.

docker image broken

doesn't build

irc server down

The error message:

make groupid=100 DEVICE=sailfish tools
[...]
[ 99% 573/574] finishing build rules ...
FAILED:
build/make/core/main.mk:1402: warning:  build/target/product/aosp_arm.mk produces files inside build/target/product/mainline_system.mks artifact path requirement. 
Offending entries:
system/etc/default-permissions/default-permissions_app.seamlessupdate.client.xml
system/etc/permissions/permissions_app.seamlessupdate.client.xml
system/etc/permissions/permissions_com.stevesoltys.backup.xml
system/etc/permissions/permissions_org.fdroid.fdroid.privileged.xml
system/etc/sysconfig/whitelist_app.seamlessupdate.client.xml
system/etc/sysconfig/whitelist_com.stevesoltys.backup.xml
system/priv-app/Backup/Backup.apk
system/priv-app/F-DroidPrivilegedExtension/F-DroidPrivilegedExtension.apk
system/priv-app/Updater/Updater.apk
build/make/core/main.mk:1402: error: Build failed.
20:26:42 ckati failed with: exit status 1
Makefile:79: recipe for target 'tools' failed
make: *** [tools] Error 1

Any idea? I already did some digging but was unable to find the issue. Note that I commented out F-Droid from the products list for debugging this issue, thats why it is missing from the list.

Getting the following error, seems the string /opt/android/manifests is getting picked up as a git repository.

~/os$ make DEVICE=marlin keys
docker run
-it
-h "android"
-v android:/home/build
-v /home/elproducto/os:/opt/android
hashbang/os bash -c "fetch"
Get /opt/android/manifests
fatal: '/opt/android/manifests' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: '/opt/android/manifests' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: cannot obtain manifest /opt/android/manifests
Makefile:28: recipe for target 'fetch' failed
make: *** [fetch] Error 1