Switch to the workshop PPA and disable the build of the image for Pi5

Example usage, after dd-ing to /dev/sdb:

    ./number /dev/sdb 42

WARNING: Make sure you get the right device: no checks, no prompts!

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at hello@pts-project.org. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: pts # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: U_039b # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/SECURITY.md

@@ -0,0 +1,58 @@
+<div align="center">
+<img width="60px" src="https://pts-project.org/android-chrome-512x512.png">
+<h1>Defensive Lab Agency Vulnerability Disclosure Policy</h1>
+<p>
+<samp>contact[at]defensive-lab.agency</samp>
+</p>
+</div>
+
+## Introduction
+Defensive Lab Agency welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.
+
+## Systems in Scope
+This policy applies to any digital assets owned, operated, or maintained by Defensive Lab Agency.
+
+## Out of Scope
+* Assets or other equipment not owned by parties participating in this policy. 
+
+Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
+
+## Our Commitments
+When working with us, according to this policy, you can expect us to:
+
+* Respond to your report promptly, and work with you to understand and validate your report;
+* Strive to keep you informed about the progress of a vulnerability as it is processed;
+* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; 
+* Extend Safe Harbor for your vulnerability research that is related to this policy.
+
+## Our Expectations
+In participating in our vulnerability disclosure program in good faith, we ask that you:
+
+* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
+* Report any vulnerability you’ve discovered promptly;
+* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
+* Use only the Official Channels to discuss vulnerability information with us;
+* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
+* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
+* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
+* You should only interact with test accounts you own or with explicit permission from the account holder; 
+* Do not engage in extortion.  
+
+## Official Channels 
+In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the `Report a vulnerability` button on the `Security` tab in the respective GitHub repository. It creates a private communication channel between the reporter and the maintainers.
+
+If you are absolutely unable to or have strong reasons not to use GitHub reporting workflow, please reach out to the maintainers at `contact[at]defensive-lab.agency`, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
+
+## Safe Harbor
+When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:
+
+* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
+* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
+* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; 
+* Lawful, helpful to the overall security of the Internet, and conducted in good faith.
+
+You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
+
+If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
+
+Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

.gitignore

@@ -1 +1,2 @@
 .DS_Store
+.idea/

README.md

@@ -1,5 +1,18 @@
-PiRogue images
-==============
+<div align="center">
+<img width="60px" src="https://pts-project.org/android-chrome-512x512.png">
+<h1>PiRogue OS images</h1>
+<p>
+PiRogue OS is a slightly modified version of Debian you can flash on an SD card to quickly turn a Raspberry Pi into a PiRogue. Want to build one? Follow the guide "<a href="https://pts-project.org/guides/g1/" alt="How to setup a PiRogue">How to set up a PiRogue</a>".
+</p>
+<p>
+License: GPLv3
+</p>
+<p>
+<a href="https://pts-project.org">Website</a> | 
+<a href="https://pts-project.org/docs/pirogue/overview/">Documentation</a> | 
+<a href="https://discord.gg/qGX73GYNdp">Support</a>
+</p>
+</div>
 
 This repository contains the tools required to build “historical” PiRogue images,
 targeting Raspberry Pi 3 and Raspberry Pi 4.
@@ -13,3 +26,11 @@ It operates by turning pristine
 [Debian-provided images for Raspberry Pi](https://raspi.debian.net/) into
 images ready to deploy PiRogue Tool Suite packages. In the future the same might
 happen for [Debian-provided cloud images](https://cloud.debian.org/images/cloud/).
+
+Package requirements:
+
+ - fdisk
+ - kpartx
+ - qemu-system-arm
+ - qemu-user-static
+ - zerofree

build-images

@@ -13,8 +13,8 @@ RASPBERRYPI_SHA_URL="$RASPBERRYPI_IMG_URL.sha256"
 RASPBERRYPI_IMG=raspi_4_bookworm.img
 
 # Basename for the target images:
-PIROGUE34_IMG="PiRogue-OS-12-Pi3_and_Pi4-$NOW.img"
-PIROGUE5E_IMG="PiRogue-OS-12-Pi5-Experimental-$NOW.img"
+PIROGUE34_IMG="PiRogue-OS-12-Pi3_and_Pi4-$NOW-workshop.img"
+PIROGUE5E_IMG="PiRogue-OS-12-Pi5-Experimental-$NOW-workshop.img"
 
 # List of things we produce:
 MANIFEST=$(realpath MANIFEST.txt)
@@ -25,14 +25,32 @@ TOP_DIR=$(pwd)
 #  - prefer parallel compression if available:
 xz_compress() {
   FILE="$1"
+
+  # PTS images are published as compressed images alongside checksums for those
+  # compressed images (as opposed to checksums for the uncompressed images). To
+  # make sure everything is consistent, compare checksum of the original file
+  # vs. checksum of a decompressed compressed image:
+  echo "Computing checksum for $FILE..."
+  SUM1=$(sha256sum "$FILE" | awk '{print $1}')
+  echo "  $SUM1"
+
   if which pixz >/dev/null 2>&1; then
-    printf 'Compressing %s with pixz...' "$FILE"
+    echo "Compressing $FILE with pixz..."
     pixz "$FILE"
-    echo ' done'
+    echo '  done'
   else
-    printf 'Compressing %s with xz...' "$FILE"
+    echo "Compressing $FILE with xz..."
     xz "$FILE"
-    echo ' done'
+    echo '  done'
+  fi
+
+  echo "Computing checksum for $FILE after decompression..."
+  SUM2=$(xz -c -d "$FILE.xz" | sha256sum | awk '{print $1}')
+  if [ "$SUM1" = "$SUM2" ]; then
+    echo "  $SUM2 (match)"
+  else
+    echo "  $SUM2 (NO MATCH), exiting!"
+    exit 1
   fi
 }
 
@@ -47,7 +65,7 @@ checksum_and_publish() {
 
 
 # Start afresh, manifest-wise:
-rm -f $MANIFEST
+rm -f "$MANIFEST"
 
 # We might need to descend into different directories, subshells are
 # a way to do that:
@@ -61,9 +79,9 @@ rm -f $MANIFEST
 
   # Modify, compress, and checksum:
   sudo ./toaster $RASPBERRYPI_IMG.xz "$PIROGUE34_IMG" recipes/pi3-pi4.sh
-  sudo ./toaster $RASPBERRYPI_IMG.xz "$PIROGUE5E_IMG" recipes/pi5.sh
+#  sudo ./toaster $RASPBERRYPI_IMG.xz "$PIROGUE5E_IMG" recipes/pi5.sh
   xz_compress "$PIROGUE34_IMG"
-  xz_compress "$PIROGUE5E_IMG"
+#  xz_compress "$PIROGUE5E_IMG"
   checksum_and_publish "$PIROGUE34_IMG.xz"
-  checksum_and_publish "$PIROGUE5E_IMG.xz"
+#  checksum_and_publish "$PIROGUE5E_IMG.xz"
 )

number

@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Tweak hostname and SSID
+set -e
+
+DEV="$1"
+N="$2"
+if [ -z "$DEV" ] || [ -z "$N" ]; then
+  echo "E: $0 /dev/sd-card number"
+  exit 1
+fi
+
+MNT=/mnt
+
+sudo mount ${DEV}2 $MNT
+
+sudo sed "s/pirogue/pirogue-$N/"  -i $MNT/etc/hostname
+sudo sed "s/pirogue/pirogue-$N/g" -i $MNT/etc/hosts
+
+sudo mkdir -p $MNT/var/lib/pirogue/config/
+echo "WIFI_NETWORK_NAME=PiRogue$N" | sudo tee -a $MNT/var/lib/pirogue/config/pirogue.user.env
+
+sudo umount $MNT

raspberrypi/files/avoid-debconf-prompts

@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# A number of packages are going to ask questions via debconf prompts. Since we
+# know which answers are the right ones, set the right values and mark those
+# questions as seen, instead of having users follow documentation.
+#
+# See https://github.com/PiRogueToolSuite/pirogue-images/issues/3
+#
+# Reminder: debconf-set-selections comes with debconf, debconf-get-selections is
+# shipped in the debconf-utils package (not installed by default).
+set -e
+
+cat <<EOF | debconf-set-selections -v
+iptables-persistent iptables-persistent/autosave_v4 boolean false
+iptables-persistent iptables-persistent/autosave_v4 seen true
+iptables-persistent iptables-persistent/autosave_v6 boolean false
+iptables-persistent iptables-persistent/autosave_v6 seen true
+
+wireshark-common wireshark-common/install-setuid boolean true
+wireshark-common wireshark-common/install-setuid seen true
+EOF

raspberrypi/recipes/pi3-pi4.sh

@@ -1,5 +1,9 @@
 # This recipe is sourced by the toaster, don't try to run it!
 
+resize_me() {
+  echo "2000"
+}
+
 # shellcheck disable=SC2086
 toast_me() {
   echo "nameserver 1.1.1.1" > $MNT/etc/resolv.conf
@@ -31,6 +35,14 @@ toast_me() {
   echo "pirogue" > $MNT/etc/hostname
 
   # Add PTS PPA
-  chroot $MNT wget -O /etc/apt/sources.list.d/pirogue.list https://pts-project.org/debian-12/pirogue.list
-  chroot $MNT wget -O /etc/apt/trusted.gpg.d/pirogue.asc   https://pts-project.org/debian-12/Key.gpg
+  chroot $MNT wget -O /etc/apt/sources.list.d/pirogue.list https://pts-project.org/debian-12-workshop/pirogue.list
+  chroot $MNT wget -O /etc/apt/trusted.gpg.d/pirogue.asc   https://pts-project.org/debian-12-workshop/Key.gpg
+
+  # Make initial installation easier on users:
+  install -m 755 -o root -g root files/avoid-debconf-prompts $MNT/root/avoid-debconf-prompts
+  chroot $MNT /root/avoid-debconf-prompts && rm -f $MNT/root/avoid-debconf-prompts
+
+  # Update and provision cache
+  chroot $MNT apt-get update
+  chroot $MNT apt-get install -y pirogue-base --download-only
 }

raspberrypi/recipes/pi5.sh

@@ -1,5 +1,9 @@
 # This recipe is sourced by the toaster, don't try to run it!
 
+resize_me() {
+  echo "2000"
+}
+
 # shellcheck disable=SC2086
 toast_me() {
   echo "nameserver 1.1.1.1" > $MNT/etc/resolv.conf
@@ -31,11 +35,20 @@ toast_me() {
   echo "pirogue" > $MNT/etc/hostname
 
   # Add PTS PPA
-  chroot $MNT wget -O /etc/apt/sources.list.d/pirogue.list https://pts-project.org/debian-12/pirogue.list
-  chroot $MNT wget -O /etc/apt/trusted.gpg.d/pirogue.asc   https://pts-project.org/debian-12/Key.gpg
+  chroot $MNT wget -O /etc/apt/sources.list.d/pirogue.list https://pts-project.org/debian-12-workshop/pirogue.list
+  chroot $MNT wget -O /etc/apt/trusted.gpg.d/pirogue.asc   https://pts-project.org/debian-12-workshop/Key.gpg
+
+  # Make initial installation easier on users:
+  install -m 755 -o root -g root files/avoid-debconf-prompts $MNT/root/avoid-debconf-prompts
+  chroot $MNT /root/avoid-debconf-prompts && rm -f $MNT/root/avoid-debconf-prompts
 
   ### BEGIN: Pi 5 section
 
+  # Add a third directory with packages required for Pi 5 support (which would
+  # otherwise be problematic on regular PiRogue installations, due to the file
+  # conflicts between raspi-firmware and firmware-brcm80211):
+  echo 'deb https://pts-project.org/debian-12/pirogue-3rd-party-pi5 ./' >> $MNT/etc/apt/sources.list.d/pirogue.list
+
   # Preconfigure raspi-firmware to disable the default cma= setting on the
   # kernel command line. Don't run the hook manually, the linux-image install
   # below will take care of it.
@@ -50,25 +63,6 @@ toast_me() {
   install -m 755 -o root -g root files/rpi-resizerootfs.script \
       $MNT/etc/initramfs-tools/scripts/local-bottom/rpi-resizerootfs
 
-  # Configure Raspberry Pi repository
-  cat > $MNT/etc/apt/sources.list.d/raspberrypi.list <<EOF
-# Only some specific packages are installed from there (see pirogue.pref):
-
-deb http://archive.raspberrypi.com/debian/ bookworm main
-EOF
-  cat > $MNT/etc/apt/preferences.d/pirogue.pref <<EOF
-# Make sure to only install specific packages from there (see raspberrypi.list):
-
-Package: *
-Pin: origin archive.raspberrypi.com
-Pin-Priority: -1
-
-Package: linux-image-* firmware-brcm80211
-Pin: origin archive.raspberrypi.com
-Pin-Priority: 500
-EOF
-  cp files/raspberrypi-archive-stable.gpg $MNT/etc/apt/trusted.gpg.d
-
   # Install required packages. The firmware-brcm80211 package ships some files
   # already owned by raspi-firmware, hence the dpkg option.
   chroot $MNT apt-get update
@@ -80,4 +74,8 @@ EOF
   rm -f $MNT/etc/initramfs-tools/scripts/local-bottom/rpi-resizerootfs
 
   ### END: Pi 5 section
+
+  # Update and provision cache
+  chroot $MNT apt-get update
+  chroot $MNT apt-get install -y pirogue-base --download-only
 }

raspberrypi/toaster

@@ -91,5 +91,12 @@ zerofree "/dev/mapper/${loop}p2"
 kpartx -dsv "$out"
 rmdir "$MNT"
 
+# Adjust metadata: instead of leaving generated files owned by root:root, use
+# the current directory's uid and gid.
+echo "🍞 Adjusting metadata"
+uid=$(stat -c '%u' .)
+gid=$(stat -c '%u' .)
+chown "$uid:$gid" "$out"
+
 echo "🍞 Toasted!"
 echo " → $out"