--- On Mon, 9/1/12, Ken Moffat wrote:

> From: Ken Moffat
> Subject: Re: [blfs-dev] Security LFS7.0
> To: "BLFS Development List" <blfs-dev@linuxfromscratch.org>
> Date: Monday, 9 January 2012, 21:03
>
> On Mon, Jan 09, 2012 at 11:35:56AM -0800, Fernando de Oliveira wrote:
> >
> > I would like to know if the choice "--enable-shared --disable-static" is safe, and what are the consequences of "--disable-nis".
> >
> Noting your $subject, you do realise that in blfs you are
> responsible for your own security ?

Yes.

...

> For --enable-shared --disable-static : anything linked to this will
> be linked to the shared library, so if you later update it (for same
> major version) to fix an as-yet-unknown vulnerability, or to provide
> better functionality, you don't have to recompile its users. Also,
> you don't have to *find* the users (e.g. for static nettle, I'm
> build-testing NetworkManager on one of my machines where nettle was
> only built statically : as well as gnutls, it turns out that
> everything linked to gnutls - hence NetworkManager - needs the
> static libnettle (and presumably libhogweed - at that point I
> rebuilt nettle and its existing users for a shared lib).

To avoid future problems, I will check and rebuild nettle and gnutls.

> If you don't care about security (people do build lfs, and perhaps
> some of blfs, without caring), then I doubt that this pair of
> options will adversely impact anything. If you do care about
> security - "What's not to like ?"

I do care about security, so I should be worried about that? Anyway, I will remove PAM (after your and Bruce's comments).

…

> And for --disable-nis : if you don't intend to use nis the result
> is positive : you can compile the package with current glibc.

Ok, I do not intend to have a nis server. My doubt was if other packages, like ssh, apache-ant or rsync would need it. Please, notice that I have no knowledge about the subject, so probably I will not need it.

> Like Bruce, I don't use PAM. It appears to me to be something that needs
> a lot more effort (to set it up *correctly*) than I'm willing to
> offer it.

As I wrote in other post, I believe some packages would need it. But for the moment, PAM will be removed.

Thanks, Ken.

[]s,
Fernando
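
Ken's point about having to *find* the users of a library, as an added example that is not part of the original thread: POSIX shell functions that list the files whose ELF dynamic section records a given shared library as NEEDED. The function names and the sample `readelf -d` output are constructed for illustration, and `find_users` assumes binutils `readelf` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): find the users of a shared library
# by reading the NEEDED entries that the linker records in each ELF file.

# Read `readelf -d` output on stdin, print one needed soname per line.
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p'
}

# links_to LIB: succeed if the `readelf -d` output on stdin needs LIB.so*.
links_to() {
    needed_from_readelf | grep -q "^$1\.so"
}

# find_users LIB DIR...: print every file under DIR... that needs LIB.so*.
find_users() {
    lib=$1; shift
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | links_to "$lib"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: dynamic section of a gnutls built against shared nettle.
sample_shared() {
cat <<'EOF'
Dynamic section at offset 0xb2d80 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libnettle.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libhogweed.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libgnutls.so.28]
EOF
}

# Constructed sample: the same library built against a static libnettle.a.
# The nettle code is copied in, so no NEEDED entry mentions it.
sample_static() {
cat <<'EOF'
Dynamic section at offset 0xd1d80 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libgnutls.so.28]
EOF
}

# Usage: sh this-file libnettle /usr/lib /usr/bin /usr/sbin
if [ "$#" -ge 2 ]; then find_users "$@"; fi
```

A file that pulled nettle in from a static archive carries no NEEDED entry for it, so this scan cannot report it; those are the users that have to be tracked down and rebuilt by hand after a fix.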