Robert Connolly robert at linuxfromscratch.org
Wed Jul 26 07:54:55 PDT 2006

On July 26, 2006 09:11 am, Sebastian Faulborn wrote:
> What about adding blowfish passwords which is a major improvement in
> security.

I've been planning to port the Owl blowfish patch for Glibc to uClibc. There 
was also some debate about adding blowfish to HLFS a year or two ago, that's 
why it became a hint. I don't know if anyone still has objections. As far as 
I know Owl's blowfish patch is transparent after Glibc and Shadow, so it's 
really easy to make it optional.

> If you don't do the last step, OpenSSH will segfault when trying to login.
> OpenSSH has a function xcrypt() which calls crypt() which is defined in
> xcrypt.h and hence in crypt.h as a #define to xcrypt() which
> causes OpenSSH to call xcrypt() in an infinite loop until the stack
> overflows.
> A few other packages also have problems compiling without the patch.

I don't run sshd personally, so I didn't realize this was happening. But I 
prefer Owl's patch to xcrypt. All my hints need updating, but I never get 
around to it... I'll try to.

> I also think we should add gradm. After all one of the most important 
> features (RBAC) cannot be activated without it. There is no need to have
> rules - gradm generates them automatically (although you might want to
> change some of them manually). That's one of the major advantages of 
> grsecurity over other security systems (such as SELINUX).

Fair enough. The gradm package can be added to chapter 6.

> Also don't forget to also add chpax (or at least mention it somewhere in the
> book!). It's needed when you want to change PAX settings for precompiled
> binaries which don't use the new PAX style ELF headers (eg. Java,
> precompiled MySQL, etc.)

Paxctl is in chapter 6. It's the last package, after udev. It gets run on 

I want to shuffle the chapter 6 packages to match LFS, and add the utf8 stuff. 
I also want to remove the blfs packages and maybe the network (inetutils and 
iproute2) packages, to make HLFS a purely development system. I don't want to 
add new packages, like gradm, until that's done.