Onward branch development

Robert Connolly robert at linuxfromscratch.org
Tue Feb 3 16:43:06 PST 2009


> Is there any part of the project with which you could use any extra
> help?
>
> --Joey

I need help getting the temporary system to reboot. It will need modified boot 
scripts. I don't know if the boot scripts from CLFS's temporary system will 
work for us, but if they work then it's less for us to maintain.

I would like packages in /tools to use /tools exclusively, so no symbolic 
links from /tools/bin to /bin are needed to boot. CLFS does not do this... 
they install some packages to /mnt/clfs/, so this might be a problem if the 
boot scripts use full path names for /sbin/udevd (for example).

It would be usefull if this temporary system reboot is compatible with a cdrom 
boot, with a read-only file system, but it's not necessary right away. I 
would like this even when booting from writable media, because it sets a good 
example for minimizing privileges. If I remember correctly, from the 
readonly_rootfs, glibc can be configured to use a different path 
for /etc/mtab, so that /etc can be read-only, or a symbolic link might work.

The main goal for rebooting is to minimize host kernel dependencies, so we 
reboot to a new host which supports extended attributes, so we can setup suid 
programs, and so we have ideal expectations from Glibc's test suite because 
we booted a kernel with all the drivers Glibc's test need. A secondary goal 
is to build from a trusted system/host, one that is hardened to the farthest 
extreme that our final system will be.

There's also plans for add-ons for the reboot, for things like networking or 
braille. This is not only add-ons for the temporary system, but also bhlfs. 
This would include firewalling, network tunneling, encrypted filesystems, 
intrusion detection, and is a huge animal I have never had time for. I do 
most of this stuff on my desktop at home, but documenting it is different.

There are a lot of other details to add, to harden the temporary system, but 
rebooting is the first thing.

There are also a lot of packages to upgrade, but I prefer to do that myself.

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20090203/21ffd1b6/attachment.sig>


More information about the hlfs-dev mailing list