So how do I get packages??

Carsten Gehrke carsten at rollinghorse.com
Wed Nov 20 12:12:02 PST 2002


At 23:41 19-11-02, you wrote:
>Did I miss something in LFS?
>
>Is it presumed that any package you need as part of BLFS you need to
>download from your original host environment until you get enough
>network packages installed (ftp etc...) to be able to talk to the
>outside world on your LFS platform?
>
>Is there a package or a step I missed?
>
>In order to bypass the initial inability to talk to the outside world on
>lfs, do people continually boot back and forth from original host to
>lfs, or do they boot their original host system, and then do their lfs
>stuff in a chrooted window?
>
>Or, do they do something else?

I installed LFS on bare metal, i.e. a machine that had no other OS.  One of 
the first things I did was set up iptables and then add an FTP client to be 
able to download other packages.  That was earlier this year, and I would 
simply download the tarball, build and install.

After upgrading my system with new CPUs, I had some problems getting the 
hardware to work, and let it sit for a while.  During that time the 
sendmail trojan was found, and I became suspicious of any source code.  I 
now check PGP signatures if available, and MD5 fingerprints if a sig is not 
provided.  But I try to get the fingerprint from a different source than 
the tarball.  In fact, just last week I downloaded the tcpdump package from 
tcpdump.org, and since no PGP signature was available, I posted a message 
on their mailing list asking for one, or at least another MD5 fingerprint 
(I had downloaded the one from the server along with the tarball, but 
didn't trust it even though it matched).  Imagine my surprise when later 
that same day I received an alert from CERT regarding the tcpdump 
package.  The CERT message provided an alternate location for the tcpdump code, 
as well as new MD5 fingerprints.  I downloaded those files, and just for 
grins unpacked both the original tarball and the new one.  Sure enough, the 
original package contained the trojan code.

Moral of the story:  Make sure you have md5sum and gpg installed on your 
system, and do _not_ install anything you can't verify.


-- 
Carsten Gehrke     LFS No.: 190    using Linux since kernel 0.98
carsten at gehrke.org

More information about the blfs-support mailing list