[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Seeking assistance/tips on building Debian!



-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 1 Mar 1999, John T. Larkin wrote:

> Sounds like you have a couple of requrements:
> 
> 1 - you look over the code yourself (good luck -- so, do you have to
>     check over the gcc code you'll be compiling everything with?  How
>     about the kernel code?  Are you using X?  There's another 10
>     million lines of code...).

Actually, gcc, I'm so immensely familiar with it's sick. Happens when you
have to get it working on weird PowerPC's. ;)  And truthfully, I have ZERO
intention of going over EVERY line of code. I'm planning on using some
shell scripts and lots of grep just to do basic checks for obvious
things. ;)
 
> 2 - You'll be installing on lots of servers and workstations

Yep. One image. One original CD. And LOTS of copies. ;)

> 3 - eventually, you'll probably want to upgrade, fix known bugs, etc
>     on all of the machines under your control.

*nods* Internal APT machine. I'm going to grab updated package source, and
compile it myself, and put it on the internal APT serving machine. Crontab
in every machine to update from it once a week. I did my homework. };)
 
> Here are my recomendations.  This may be a bit more start-up work, but
> it will make later maintainence of the whole project _much_ easier.
> 1 - Make a standard out-of-the-net debian machine using the regular
>     binaries on which to build of your secure packages.
> 2 - Get the source code for all the packages you want, and the debian
>     diff file.  Uncompress the code, patch it, check it over, and
>     re-build a new debian package.  For original package xxx, I'd call
>     the new one xxx-secure.  Don't forget to update and fix all the
>     dependency information to point to yyy-secure instead of yyy.  If
>     you want to modify the boot stuff, you can change the default boot
>     scripts in sysvinit when you repackage that.
> 3 - You'll now have secure binary packages you can distribute to all
>     of the machines you want to create.  You can even create a package
>     file for them if you want, and update all the machines over the
>     net -- or a simpler method where you put all the new/updated
>     packages into a "new" directory, and all of the machines just grab
>     everything from that directory every night/hour/whatever.  Using
>     aptget et cetera you can even set up a cron job which will
>     auto-magically update your machines to new packages from a
>     centeral server (assuming this server is secure, and the link
>     between machines is secure.  I'd use ssh with some good
>     authentication...).

I'm going to be counting on standard security measures. The actual machine
that will be doing the building is going to be NIC-less. I'm going to
throw a 56k modem on it, and upload the packages by hand. Much safer than
ssh. ;)  

Thanks for the advice! :)

+-------------------------+--------------------------------------+
| Phillip R. Jaenke       | "Not all wisdom comes from without;  |
| prj@nls.net             |  much wisdom can only come from      |
| InterNIC: PRJ5          |  within. Only you can teach yourself |
| Professional Unix Guru  |  some of the most important lessons  | 
+-------------------------+  of life." --Takes-Many-Roads,       |
Project Head              |              Silent Strider Theurge  |
the Linux-RS/6000 Project +--------------------------------------+
- - http://www.nls.net/mp/prj/linux/ -- http://www.nls.net/mp/prj/ -

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNtrkesES8LwwGtVlAQEXhwP9EfRdw7lwfLuM272I++gd+g0uWIJx7QRF
lIPMfGP600R2yb0VTvP0sepCxLfHmI1AJhBxDo3xhVma+mR2fFeX73u9AFJfmQ57
Fe2JCr0bFPdjTMYB8wzokJDzMzCoxPPu/IdWRTubiyjd4x9EjAHsdGvsK9dGBwD3
1sW4+3hnnsE=
=rjbW
-----END PGP SIGNATURE-----


Reply to: