So how do I get packages??
carsten at rollinghorse.com
Wed Nov 20 12:12:02 PST 2002
At 23:41 19-11-02, you wrote:
>Did I miss something in LFS?
>Is it presumed that any package you need as part of BLFS you need to
>download from your original host environment until you get enough
>network packages installed (ftp etc...) to be able to talk to the
>outside world on your LFS platform?
>Is there a package or a step I missed?
>In order to bypass the initial inability to talk to the outside world on
>lfs, do people continually boot back and forth from original host to
>lfs, or do they boot their original host system, and then do their lfs
>stuff in a chrooted window?
>Or, do they do something else?
I installed LFS on bare metal, i.e. a machine that had no other OS. One of
the first things I added was set up iptables and then an FTP client to be
able to download other packages. That was earlier this year, and I would
simply download the tarball, build and install.
After upgrading my system with new CPUs, I had some problems getting the
hardware to work, and let it sit for a while. During that time the
sendmail trojan was found, and I became suspicious of any source code. I
now check PGP signatures if available, and MD5 fingerprints if a sig is not
provided. But I try to get the fingerprint from a different source than
the tarball. In fact, just last week I downloaded the tcpdump package from
tcpdump.org, and since no PGP signature was available, I posted a message
on their mailing list asking for one, or at least another MD5 fingerprint
(I had downloaded the one from the server along with the tarball, but
didn't trust it even though it matched). Imagine my surprise when later
that same day I received an alert from CERT regarding the tcpdump
package. The CERT message provided an alter location for the tcpdump code,
as well as new MD5 fingerprints. I downloaded those files, and just for
grins unpacked both the original tarball and the new one. Sure enough, the
original package contained the trojan code.
Moral of the story: Make sure you have md5sum and gpg installed on your
system, and do _not_ install anything you can't verify.
Carsten Gehrke LFS No.: 190 using Linux since kernel 0.98
carsten at gehrke.org
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
More information about the blfs-support