Kaladix Linux

Kaladis kaladis at gmx.de
Tue Jun 19 09:58:05 PDT 2001


>Are you going to provide the security patches to packages separately?

I am not yet going to do that since I think that continuing to work on the
Linux itself is of more advantage for now rather than trying to supply
source code. I will however try to release all source code for 0.5 and am
promising it to be complete for 1.0.

Most security patches for LFS-related packages have been taken from
Trustix Linux. So you might want to take a look around there.

>One thing that is on LFS-BOOK's todo list is adding security patches to
>the book, but since you are already concentrating on a secure LFS system
>(more or less) it would make more sense for the book just to contain a
>note in the order of "For security patches visit Kaladix".

Hmm... more "less" than more "more", I would say...

My project does not aim to make LFS in itself secure but rather to create a
new distro out of it which has additional server and security features,
one that was based on LFS but has since then changed majorly.

To elaborate on this a little bit more:

I started creating the distro out of LFS Intel 3-pre2. Now it does not
contain many packages from pre2, and none from pre3 either, since I
updated everything myself. For example, for 0.4 I'm running GCC 3.0, Bash
2.05 etc. I did my own kernel patch compilation, installed server software,
security related software and monitoring facilities. Some standards have
been replaced, like inetd with xinetd or syslog with syslog-ng. And lots of
other things have been done, thus making LFS differ from Kaladix Linux.

I don't know in what way our software versions will match in the future.

Right now I took care of known security issues in the following two ways:
- For old software packages from GNU that are never updated I have taken the
SRPMS from Trustix Linux and recompiled them
- For new software I have installed the latest patches and/or updated them.

Things that I remember to be vulnerable off the top of my head:
modutils
man
ed


To sum up:

Full sources will be available for my distro. These sources are most likely
to be the latest available packages or patched sources from other distros,
like Trustix for example. Some of them might be pretty useful for LFS'ers, I
think; however, someone would have to mark all still LFS-related sources for
LFS users to update, which takes time, or else every user has to compare for
himself.


The thing about LFS and security:
LFS usually is pretty new with its software, so there are not many new
vulnerabilities.
LFS has the problem that old packages from GNU are pretty vulnerable,
especially to /tmp race conditions. There are no patches provided by GNU, and
every distro used to patch for itself (or copied from others ;).
LFS has no remote vulnerabilities at all.

What do you think?


- Kaladis

-- 
Unsubscribe: send email to lfs-security-request at linuxfromscratch.org
and put unsubscribe in the subject header of the message
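The /tmp race conditions mentioned above are the classic symlink-in-a-world-writable-directory problem, and the fix the distro patches apply is a small change to how the temp file is opened. The following C program is an added example written for this archive page; it is not code from Kaladix, Trustix or any of the packages named in the message. It puts the old open() pattern next to the patched one, adds the fstat() check a careful program can make on any temp fd, and demonstrates the difference in a scratch directory it creates itself (the file names and the "prog.1234" predictable name are constructed for the demo). It assumes Linux semantics for O_EXCL and O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The old pattern found in unpatched tools: a predictable name under a
 * world-writable directory, opened with O_CREAT but without O_EXCL. If a
 * symlink already sits at that path, open() follows it and the program
 * truncates and writes whatever the link points to. */
int open_tmp_old_style(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The patched pattern: O_EXCL makes open() fail if anything already exists
 * at the path (a symlink included, even a dangling one), and O_NOFOLLOW
 * refuses to traverse a symlink as the final path component. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: let libc pick an unpredictable name and create it with
 * O_CREAT|O_EXCL atomically. The chosen path is written back into 'out'.
 * Returns the open fd or -1. */
int open_tmp_mkstemp(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/tmpdemo.XXXXXX", dir) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Post-open check on any temp fd: a regular file, owned by us, a single
 * hard link, and no group/other permission bits. Returns 1 when it holds. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && st.st_nlink == 1 && (st.st_mode & 077) == 0;
}

static const char *scratch_base(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Constructed demonstration: in a scratch directory we own, pre-place a
 * symlink at the predictable name (standing in for what would be left in
 * /tmp) and compare the two open() variants. Returns 1 when the old style
 * followed the link and the exclusive style refused it. */
int demo_symlink_race(void)
{
    char dir[256], victim[512], link[512];
    snprintf(dir, sizeof dir, "%s/tmpdemo-dir.XXXXXX", scratch_base());
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/prog.1234", dir); /* constructed "predictable" name */

    int fd = open(victim, O_WRONLY | O_CREAT, 0600);  /* file the link will target */
    if (fd < 0 || write(fd, "important", 9) != 9) { if (fd >= 0) close(fd); return 0; }
    close(fd);
    if (symlink(victim, link) != 0)
        return 0;

    int old_fd = open_tmp_old_style(link);   /* follows the link: victim truncated */
    int new_fd = open_tmp_exclusive(link);   /* refused: EEXIST (or ELOOP) */
    int new_errno = errno;

    struct stat st;
    int victim_truncated = (stat(victim, &st) == 0 && st.st_size == 0);
    int result = old_fd >= 0 && victim_truncated && new_fd < 0
              && (new_errno == EEXIST || new_errno == ELOOP);

    if (old_fd >= 0) close(old_fd);
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}

/* Shows that the mkstemp route yields an fd passing the private-file check. */
int demo_mkstemp_private(void)
{
    char path[512];
    int fd = open_tmp_mkstemp(scratch_base(), path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = fd_is_private_regular(fd);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("old open() followed the symlink, O_EXCL refused it: %s\n",
           demo_symlink_race() ? "yes" : "no");
    printf("mkstemp fd passes private-file check: %s\n",
           demo_mkstemp_private() ? "yes" : "no");
    return 0;
}
```

The point of the fstat() check is that it inspects the object actually opened, not the path, so it cannot be raced; with O_EXCL the open itself is already atomic, and the check is a second line of defence for code paths that have to reuse an existing file.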
