For those of us who use BLFS-derived systems, it seems to me that
the 'Security' section of the book is deficient. Yes, we have
various packages to enhance security, but we never point out that
(unlike most distros) we don't have a security team.
Moreover, even when tickets have been raised for known
vulnerabilities, it often takes us a long while to address them.
[ no, I don't particularly want to discuss *why* it takes so long to
update a package in BLFS in this thread, beyond saying that we tend
to go with whatever another editor thought was a useful dependency,
whereas at least some of us actually use much *slimmer* systems. ].
So, I think we ought to be doing (at least) two things to help
protect our users -
1. Point out that there are always new vulnerabilities, and that
anyone who uses a {B,}LFS system is their own security 'team'. We
could point to useful lists for tracking what is happening [ if this
proposal meets with approval ], but the only source I follow is
lwn.net - I'm a subscriber there; I suspect details are only
available to subscribers for the first week or two, and it has
actually become a little less comprehensive in the last year or so
(because most people have distros to handle this for them). So,
what other websites or lists do people *use* ?
2. Point to distros - most of them have security teams, some of them
are even paid to work on security. But, the devil is in the detail
- people need to find fixes that apply to the version they are
building. Some of this overlaps with building newer versions (and,
since LFS has always been *near* the bleeding edge, we ought to be
encouraging people who stick with BLFS to move to try versions,
no ?
I've got the following :
fedora - in theory, http://pkgs.fedoraproject.org/gitweb/ - just to
spite me, I've managed to connect there now. When I had (non
security) issues building my current test system, it was
unresponsive, so I ended up downloading srpms to look at (needs
rpm2cpio script - I thought we had one in the BOOK, but I can't see
it in longindex). Generally on the bleeding edge, but the git
branches for previous releases (in gitweb) are sometimes useful.
debian - ftp.??.debian.org/pool/ - old-style debian is just a
.orig.tar.gz and gzipped patch [ in which patches are two-levels
down and need to be removed from the files they are in (remove
headers and the initial '+' before applying) ], new-style seem to
package the debian/ stuff, including patches, separately.
Occasionally useful.
pld - sometimes using newer things than us, sometimes older -
http://cvs.pld-linux.org/cgi-bin/cvsweb/packages/
ubuntu, I suppose (in practice the packages I've been interested in
seem to be caught between the versions in debian-stable and the
current versions in debian-unstable, so too old to be relevant), at
ftp://ftp.ubuntu.com/ubuntu/pool/
arch (http://www.archlinux.org/packages).
gentoo - I have difficulty finding mirrors that continue to work,
and that give their .ebuild files the correct mime information so
that e.g. firefox will open them as text. Any current suggestions ?
Any others ? Also, I appreciate that if we do add this, the wording
will be difficult - just because a distro has a patch that fixes one
of their bugs doesn't mean that _our_ builders will need it.
Alternatively, perhaps people here don't care about security ? Or
maybe there is some other alternative which I'm overlooking ?
ĸen
--
the first time as tragedy, the second time as farce
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
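The old-style Debian layout described above (a .orig.tar.gz plus a gzipped diff, with debian/patches/* present only as '+'-prefixed additions inside that diff) is fiddly to unpick by hand. The following is an added example, not code from the post or from the BLFS book, showing the mechanical part: read the .diff.gz, recover each file under debian/patches/ by dropping the outer "---"/"+++"/"@@" headers and the leading '+' on every body line, and write it out so it can be given to patch(1) in the upstream tree. The package name, file names and diff contents in make_sample_diff are constructed for the demonstration and do not correspond to any real Debian package.

```shell
#!/bin/sh
# Recover the patches embedded in an old-style (source format 1.0) Debian
# <pkg>_<ver>.diff.gz.  In that layout debian/patches/*.patch are not
# shipped as separate files: the outer diff adds them, so every line of
# each patch appears with a leading '+' under a "--- " / "+++ " header
# pair.  Strip the outer headers and that '+' and the result is the
# original patch, ready for "patch -p1" in the upstream source tree.
#
# Usage: extract_debian_patches pkg_1.0-1.diff.gz outdir
extract_debian_patches() {
    diff_file=$1
    outdir=$2
    mkdir -p "$outdir"
    case $diff_file in
        *.gz) gzip -dc "$diff_file" ;;
        *)    cat "$diff_file" ;;
    esac | awk -v outdir="$outdir" '
        # Outer "--- " header: remember it and close any patch in progress.
        /^--- / { if (inpatch) close(out); inpatch = 0; hdr = 1; next }
        # Outer "+++ " header directly after a "--- ": is it a debian/patches file?
        hdr && /^\+\+\+ / {
            hdr = 0
            if ($2 ~ /\/debian\/patches\/[^\/]+$/) {
                n = split($2, part, "/")
                out = outdir "/" part[n]
                printf "" > out          # create it even if the body is empty
                inpatch = 1
            }
            next
        }
        # Hunk header of the outer diff: nothing to copy.
        inpatch && /^@@ / { next }
        # Body of the embedded patch: drop the outer "+" and keep the rest
        # verbatim (its own "+", "-", " " prefixes and headers survive).
        inpatch && /^\+/ { print substr($0, 2) > out; next }
        # Anything else ("\ No newline", "Only in", "diff ", ...) ends the file.
        { hdr = 0; if (inpatch) close(out); inpatch = 0 }
    '
    ls "$outdir"
}

# Constructed sample diff (hypothetical "hello" package, not a real one):
# the outer diff adds debian/changelog, one patch that enables glibc
# fortification in the Makefile, and the series file listing it.
make_sample_diff() {
    cat <<'EOF' | gzip -c > "$1"
--- hello-1.0.orig/debian/changelog
+++ hello-1.0/debian/changelog
@@ -0,0 +1,5 @@
+hello (1.0-1) unstable; urgency=low
+
+  * Build with FORTIFY_SOURCE (01_fortify.patch).
+
+ -- A. Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
--- hello-1.0.orig/debian/patches/01_fortify.patch
+++ hello-1.0/debian/patches/01_fortify.patch
@@ -0,0 +1,8 @@
+Description: enable glibc fortification
+--- hello-1.0.orig/Makefile
++++ hello-1.0/Makefile
+@@ -1,3 +1,3 @@
+ CC = gcc
+-CFLAGS = -O2
++CFLAGS = -O2 -D_FORTIFY_SOURCE=2
+ LDFLAGS =
--- hello-1.0.orig/debian/patches/series
+++ hello-1.0/debian/patches/series
@@ -0,0 +1 @@
+01_fortify.patch
EOF
}

# Demo: build the sample .diff.gz, extract it, show the recovered patch.
demo() {
    dir=$(mktemp -d)
    make_sample_diff "$dir/hello_1.0-1.diff.gz"
    extract_debian_patches "$dir/hello_1.0-1.diff.gz" "$dir/patches"
    cat "$dir/patches/01_fortify.patch"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh extract.sh demo`. The recovered 01_fortify.patch keeps the embedded patch's own "---"/"+++" headers and its context lines, so `patch -p1 --dry-run < patches/01_fortify.patch` inside the unpacked .orig tree tells you whether it still applies to the version you are building; that dry run, not the fact that Debian carries the patch, is what decides whether the fix is relevant to a BLFS build.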