LFS Maintenance Resources

Ken Moffat ken at kenmoffat.uklinux.net
Mon Dec 1 16:29:56 PST 2003


On Mon, 1 Dec 2003, John Green wrote:

> Hi,
>
> I am considering adopting (B)LFS, though I'll need a new PC to get enough
> disk
> space :-(
>
> I *can* adopt (B)LFS because I have a programming background and time on my
> hands.
>
[snip]
> Mandrake no longer support release 8.2, for understandable commercial
> reasons.
> Therefore I can no longer get security fixes and bug fixes from them.  To
> understand
> whether (B)LFS will be better, I need to understand its maintenance process.
>   Is it
> as described in
>
> "Linux lab raises awareness of kernel development process"
> (http://linuxdevices.com/news/NS4704459814.html)
>
> or as described in
>
> "Ending the Free Lunch"
> (http://www.securityfocus.com/columnists/200)?
>

 Would you believe neither ?  For starters, most of us don't use the
vast numbers of packages offered by most of the distros.  Secondly, the
distros' packagers tend to prize stability (yes, even mdk sometimes) so
with the recent ssh vulnerabilities they back-port them to the old
versions, whereas we just upgrade to the new versions.

 Beyond that, it's mostly a case of keeping your own eyes open for
security announcements, and sometimes picking up patches.

 As to our maintenance progress, you can probably best describe it as
"keep using it with occasional changes and piecemeal upgrades, until you
decide it's time to redo it with the latest stuff."  For example, my
firewall is still running approx lfs-3.3, and it's even stuck on
kernel-2.4.19 despite the fixes for various exploits in more recent
kernels.  But then I'm the only user on it, and it isn't particularly
exposed to the internet (everything from outside gets dropped or
forwarded).  We don't have "developers" the way even gentoo seems to,
and we expect you to have some understanding of what you are running.
For graphical desktops, which seem to come with new vulnerabilities in
each upgrade, consider installing them in e.g. /opt/kde-3.1.4 and then
later replacing it all with e.g. /opt/kde-3.2.0 which means you can test
the new one (if you have enough disk space) and then simply alter your
PATH and discard the old one.

 After all that, if you want to stay then you may find mdk-8.2 is a poor
host for building lfs, depending on how much you installed.  I used to
have mdk-8.2 on my 'doze box, and in the end I had to install a backup
of the (binary) files from lfs-3.3 because I discovered I couldn't even
compile a kernel with Mandrake.  At least we don't have bogus codebases
that screw up ssh ;)

Ken
-- 
I'm as free as a bird now, and this bird you cannot chain.



More information about the lfs-chat mailing list