releases and stuff

Bennett Todd bet at rahul.net
Tue Nov 9 07:04:24 PST 2004


2004-11-09T03:42:14 Archaic:
> FWIW, the extra step of a destdir->final install can be eliminated.

I understand.

> I understand you consider packaging in the decision, but for a
> book, does it really need to be there?

I really don't know.

If HLFS is an educational exercise in seeing how many/much hardening
tools can be incorporated in an LFS-like build, then no, packaging
contributes no more than it does in plain LFS; it's something for
follow-on users, who start by learning from LFS then go on to
develop applied distros to suit their own individual tastes.

If, however, HLFS is intended to be a practical high-security basis
for building firewalls, DMZ servers, and other such boxes, then
perhaps at least some simple sort of software packaging may have a
role even early on. It doesn't have to be complex; indeed, I think
simpler is better. The decoupling between build and install does
add value, particularly since it becomes practical to distinguish
between build machines (which can be built by bootstrapping HLFS,
From Scratch), and prod machines, created by selective package
installation, perhaps without the whole development tool suite.

And, as we've been discussing, it's appealing doing the entire
build as a non-priv user. I recently had my nose rubbed in how far
we've changed over time; I tried (and so far failed) to resurrect a
project last published in 1992, that was archived as a collection of
sharchive postings to usenet. I ended up hacking up a one-off
de-archiver that could parse the subset of shell language the
archive actually used; I couldn't bring myself to take something I'd
downloaded and feed it into a real shell. Back in the day, people
ran completely automated de-archivers. What we'd now call public
shell servers:-). I think building as a non-priv user is another
step along this same path, making it harder for someone to sneak a
trojan in.

Another advantage of software packaging, that might be worth
considering, is that the tooling automation it provides can help in
tracking and incorporating updates to upstream versions --- such as
security fixes. It can also make it easier to partition work,
maintaining individual packages, perhaps by different people.

-Bennett
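The build/install decoupling described above, as an added example that is not part of the original post or of HLFS: a DESTDIR-staged install done by an unprivileged builder, turned into a package with a checksum manifest, then installed selectively so a prod box gets the binaries without the development files. The package name "hello" and its file layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the hlfs-dev thread: a DESTDIR-staged build
# done as an unprivileged user, packaged with a manifest, then installed
# selectively so a prod box gets the binaries but not the dev tool suite.
set -eu

# Stand-in for "make DESTDIR=$1 install" of a hypothetical package "hello":
# everything lands in a staging tree the builder owns, never in /usr.
stage_install() {
    destdir=$1
    mkdir -p "$destdir/usr/bin" "$destdir/usr/include" "$destdir/usr/lib"
    printf '#!/bin/sh\necho hello\n' > "$destdir/usr/bin/hello"
    chmod 755 "$destdir/usr/bin/hello"
    printf 'int hello(void);\n' > "$destdir/usr/include/hello.h"
    : > "$destdir/usr/lib/libhello.a"
}

# Package = tarball of the staging tree + manifest of "crc size path" lines
# (POSIX cksum), so installs can be audited and verified later.
make_package() {
    destdir=$1; pkg=$2     # $pkg must be an absolute path
    (cd "$destdir" && find . -type f | sort | xargs cksum) > "$pkg.manifest"
    (cd "$destdir" && tar -cf "$pkg" .)
}

# Install from the manifest, not blindly from the tarball; with nodev=yes
# headers and static libraries are skipped (a prod host needs no compiler).
install_package() {
    pkg=$1; root=$2; nodev=${3:-no}
    mkdir -p "$root"
    awk -v nodev="$nodev" \
        'nodev == "yes" && ($3 ~ /\/usr\/include\// || $3 ~ /\.a$/) { next }
         { print $3 }' "$pkg.manifest" |
        xargs tar -xf "$pkg" -C "$root"
}

# Re-checksum the installed tree; any file whose "crc size path" line is
# not in the manifest (modified, or never shipped) fails verification.
verify_install() {
    pkg=$1; root=$2
    if (cd "$root" && find . -type f | sort | xargs cksum) |
            grep -v -F -x -f "$pkg.manifest"; then
        return 1
    fi
    return 0
}
```

Run stage_install and make_package as the unprivileged builder in a directory it owns; only install_package needs write access to the target root, and verify_install can be re-run at any later time to catch drift.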