Teri Radichel

Install git From Source on Ubuntu

When apt doesn’t give you the latest version on an AWS EC2 Ubuntu instance

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So I reinstall git and run the clone command above in the folder where I want to download the git repository.

Next I check out the README (scroll down):

Which sends me to an install file which has a lot of instructions but the pertinent ones to me are:

Normally you can just do “make” followed by “make install”, and that will install the git programs in your own ~/bin/ directory.

Sounds simple right? (ahahahaha)

Let’s try it. I change to the git directory and run the commands.

I have to install make. Having make on your host can be a security weakness if you don’t need it, but I need it.

Let the fun begin. I’m missing some requirements for the build. Why do I need oss-fuzz to build git for source code management? Hmm. Ok. Maybe for some commands that perform testing of some kind.

The instructions and Makefile are, as one would expect, complicated for this app. I grep the Makefile for oss-fuzz.

Then I check some of the code around the first line to see what it’s doing. As expected, I can see that this code is not really required. It is for testing. A comment says to install it anyway to prevent “bit-rot” ??

What is bit rot?

Data degradation is the gradual corruption of computer data due to an accumulation of non-critical failures in a data storage device. The phenomenon is also known as data decay, data rot or bit rot.

https://en.wikipedia.org/wiki/Data_degradation

Well I’m not sure how much I have to worry about bit rot on this temp VM. Maybe I can remove this section of code. This particular comment is really very interesting to me but I don’t have time to explore it further right now. I’m curious about the security implications of this existing on developer machines if this is truly included in every build…but I digress.

I could just comment it out but this doesn’t solve all my problems.

Well, scrolling down further in the install instructions (because nothing is ever easy with Linux and Make, etc.) I find a bunch of things I need to install or change and to avoid boring you with the details here are the changes I made.

I run locate zlib and a bunch of things come up so I hope that one is covered. I don’t know if those are the correct versions of zlib. Apt can’t find zlib. I’ll hope for the best.

I think these are covered:

I don’t think I need this PERL functionality.

NO_PERL basically depends on a PERL_PATH so comment out the section that sets the Perl path to a default if undefined:

I’m not going to use and do not want any email sending functionality. But I’m pretty sure I have OpenSSL anyway and I can get the latest version of libcurl. If I set NO_OPENSSL perhaps the mail functionality is still there but unencrypted. That’s not good. I’ll leave it but make sure I have an updated version of libcurl and OpenSSL.

I installed apt-show-versions so I can see what versions I have running.

sudo apt install apt-show-versions

Well it doesn’t show the packages are available, but they seem to be installed when I use locate (installed in an earlier post in this Ubuntu series.) However, the version of libcurl is 3 or 4. Hmm. But just out of curiosity I checked the version of curl:

This shows that libcurl is at version 7.81.0. Aha. There’s zlib.

OpenSSL is at version 3.0.2.

We don’t really need these if they cause a problem:

In my case, I could also disable localization:

I’ve got python.

Well it seems like I should have most everything but when I run make again I get this:

This page hints at some development version of this library:

When I try to install it I get this error:

OK let’s install the first one:

Next error — daemon.o — something is missing. It’s not super clear.

Random internet searching led me to this cached page of a now deprecated Google group (the page no longer exists) which hints I need to install gcc:

So I did:

sudo apt-get install gcc

Next error:

By the way I also added V=1 at the top of the Makefile to get more verbose output. I didn’t see any additional information from the error message initially but perhaps installing gcc led to this more verbose output.

Anyway, I have OpenSSL installed. Hmm. Don’t ask me how but I guessed I needed this:

sudo apt-get install libssl-dev

Next:

sudo apt-get install libz-dev

Progress. Next time I run make I’m getting a bunch of output like this:

So close, and yet so far.

I read at the top of the Makefile I can skip expat. It’s an XML-parsing library. But we can also just install it as explained here:

Except that the library is not found.

Also, if you don’t install it you can’t use http push with Git.

Might want that. Hmm. aha.

sudo apt-get install -y libexpat1-dev

But is that actually safe to install? What is libexpat1-dev?

I can search “libexpat1-dev security” in Google for security issues.

I can probably uninstall the libraries after I’m done since they weren’t required initially when I installed git. That would require some testing to ensure I didn’t break anything in the process.

Back in business until — some issues with Bulgarian language:

Well, as noted above I can set NO_GETTEXT for English only.

By the way I added all these flags to the top of my Makefile, including disabling IPV6 since I don’t allow it on my network.

Now I’m watching the long list of objects scroll by once again…

Woot! Make ran. But we’re not out of the woods yet. Now for make install.

Does all this mean it worked? I mean it says “done.”

If I just try to run “git” at this point it will fail. Git is installed but not in my path. I can see from the path that it is installed at:

/home/ubuntu/bin

So I can cd over to that directory and list the files to confirm.

Then I can execute git as a file with the version option to see which version is installed:

Yay! Phew.

That was hideous. What a thrilling way to spend a Friday night.

There may be a better way but I like to see exactly what I’m installing rather than have some magic random tool install everything for me — along with the “gifts I don’t want” as I like to say in my security classes.

I tried using a command with apt to install the dependencies and it didn’t work. A tool called aptitude wanted me to add some repositories I wasn’t real keen on adding so I just stepped through all this instead. I didn’t actually need those other repositories, as you can see, so I find that tool a bit questionable at the moment. Perhaps it was related to the languages.

By the way I did remove the extraneous expat library.

sudo apt remove libexpat1-dev

You can do that with the other development libraries as well most likely.
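A preflight check for the missing-library errors walked through above, as an added example that is not code from the original post or from the git project. It looks for the headers behind the three -dev packages named in the post and records only the ones that were absent before the build, so the cleanup step removes exactly what was added. The function names, the manifest file name and the header locations under /usr/include are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): find which of the post's -dev packages
# are missing before the build, and remember them for removal afterwards.

# header path under the include dir -> package name as typed in the post
DEPS='openssl/ssl.h:libssl-dev
zlib.h:libz-dev
expat.h:libexpat1-dev'

# Print one package per line for every header absent under $1.
missing_dev_packages() {
    incdir=${1:-/usr/include}
    printf '%s\n' "$DEPS" | while IFS=: read -r header pkg; do
        [ -f "$incdir/$header" ] || printf '%s\n' "$pkg"
    done
}

# Print build tools from the post that are not on PATH.
missing_tools() {
    for tool in make gcc; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Print the cleanup command for the packages recorded in manifest $1.
# Only packages that were absent before the build are listed there, so
# libraries the host already depended on are left alone.
removal_command() {
    [ -s "$1" ] || return 0
    printf 'sudo apt remove %s\n' "$(paste -s -d ' ' "$1")"
}

# Usage: ./preflight.sh check [manifest]   (manifest path is hypothetical)
if [ "${1:-}" = "check" ]; then
    manifest=${2:-./git-build-deps.txt}
    missing_tools
    missing_dev_packages > "$manifest"
    cat "$manifest"
    removal_command "$manifest"
fi
```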

Now I want to be able to run git from anywhere on my file system. But this post is long enough! I’ll get to that next.

Teri Radichel | © 2nd Sight Lab 2023
