HLFS Future ?

robert baker robertmbaker at gmail.com
Wed Jan 25 11:30:44 PST 2017


There have been other developments along the way that could change or
impact the mission of HLFS if it were to continue.

The smashing stack protector is on in GCC by default in version 4.8.3 and
later. Fortify source is integrated into GCC these days. I'm not sure it is
on by default in the GCC default spec, but many distros turn it on. The
difference between the HLFS toolchain and the mainstream distros is
narrowing.

The other side of the issue 5 years on is what the public has learned in
this time. With hardware interdiction and government sanctioned hardware
weaknesses in mass manufactured hardware I can't say whether a project like
this is more important, or moot.

The mission could come down to a book that instructs users on enabling more
hardened defaults. Perhaps even instructions on managing RBAC policies or
other advanced topics would fit. I tend to side with the argument that the
project still makes sense in its niche inasmuch as it differs from LFS
mainline.

Robert

On Wed, Jan 25, 2017 at 1:05 AM, Steve Thomas <steve at a530.co.uk> wrote:

> Joining those dots a little, HLFS stated that its aim was to produce a
> hardened system suitable for use in a production environment; it used the
> stable branch of grsec.
>
> Grsec stable is now commercial. Grsec state the test branch should not be
> used on production systems. Gentoo uses the test branch for exactly that
> purpose.
>
> In the spirit of how HLFS operated, should we be trusting the test branch ?
>
> I don't see anything on the grsec website regarding end users having the
> option to pay for the stable branch if they want to; it seems more geared
> towards commercial organisations/companies.
>
> If everything is true regarding those embedded linux companies taking
> advantage of grsec's work and violating the GPL, that's pretty disappointing
> since they have spoilt it for the rest of us.
>
> Where does this leave us going forward in respect of hardening options ?
>
> From my own perspective, I never used or applied HLFS in any commercial
> setting; I used it for personal use to learn about the process of building
> from the ground up, knowing every package that was installed and building a
> small but very capable server that was used to securely store mass data. It
> never failed me once, and the learning experience was both fun and
> educational.
>
>
> On 25/01/2017 02:29, robert baker wrote:
>
> I would be interested in reviving the project as well.
>
> I am familiar both with how the book is built, and approximately where we
> left off.
>
> There has been at least one notable change that will have an effect on
> the project. Stable Grsecurity patches are for paying customers only now.
> https://grsecurity.net/announce.php
>
> To my knowledge Gentoo uses the test version of the grsec patch.
>
> I'm not sure who exactly to reach out to about an svn account but I can
> drop a line on one of the other LFS lists.
>
> On Tue, Jan 24, 2017 at 1:20 PM, Jason Stevens <jastev at alumni.rice.edu>
> wrote:
>
>> Agree.  I have time to donate, but I'll need help coming up to speed on
>> the specific technical chops.
>>
>> -jps
>>
>> On Jan 24, 2017, at 10:00 AM, Steve Thomas <steve at a530.co.uk> wrote:
>>
>> I would sure like to see this project get some life again. I don't have
>> the technical knowledge to test packages and hunt down errors and bugs
>> though, so can only offer end user testing in respect of the processes in
>> the book.
>>
>> I have a small server sat here that is just begging for a decent and
>> secure OS, which I would like to be linux. I would run HLFS on this in a
>> heartbeat if it was up to date.
>>
>> The changes I have seen in the last few years with other mainstream OSes
>> don't give me much confidence.  Knowing and building the system from the
>> ground up would be perfect and why I originally got started with HLFS.
>>
>> I hope some consideration can be given to breathing life back into HLFS.
>>
>> On 24/01/2017 00:43, robert baker wrote:
>>
>> The last person who worked on the project to my knowledge was Robert
>> Connolly. Perhaps he is still subscribed to the list.
>>
>> I once tried to contribute myself, but I didn't get to devote a great
>> deal of time and I believe my SVN account has since been disabled.
>>
>> It should be reasonable to bring things in the book up to date borrowing
>> from a modern hardened Gentoo.
>>
>> Robert
>>
>> On Mon, Jan 23, 2017 at 6:22 PM, Steve Thomas <steve at a530.co.uk> wrote:
>>
>>> It's now well over 5 years since any update.
>>>
>>> Are we to assume this project is now officially abandoned ?
>>>
>>> Thanks.
>>> --
>>> http://lists.linuxfromscratch.org/listinfo/hlfs-dev
>>> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
>>> Unsubscribe: See the above information page
>>>